Bonehead basic selinux questions

Stephen Smalley sds at tycho.nsa.gov
Mon Feb 6 13:32:24 UTC 2006


On Fri, 2006-02-03 at 15:36 -0600, Jason L Tibbitts III wrote:
> OK, I've done a lot of reading and I've even done some policy
> hacking.  But there are some fundamental things about selinux I just
> don't understand yet.
> 
> So I do a fresh FC4 install, log in, mkdir /local and make and mount a
> couple of filesystems under it: /svn and /trac.
> 
> I do chcon -R --reference=/var/www /local/svn
> 
> and httpd can see stuff under /local/svn without issue.
> 
> So I wonder if that change is permanent or if I'll get boned if the
> system gets relabeled:
> 
> > s restorecon -n -R -v /local
> /sbin/restorecon reset /local context root:object_r:root_t->system_u:object_r:default_t
> /sbin/restorecon reset /local/trac context system_u:object_r:file_t->system_u:object_r:default_t
> /sbin/restorecon reset /local/trac/lost+found context system_u:object_r:file_t->system_u:object_r:default_t

You can make the change permanent by creating
a /etc/selinux/$SELINUXTYPE/contexts/files/file_contexts.local file that
specifies the paths and desired contexts for your local customizations.
Certain types are also automatically excluded from relabeling by default
via /etc/selinux/$SELINUXTYPE/contexts/customizable_types.

> Looks OK; the context on /local/svn isn't going to change.  So I go
> ahead and drop the '-n' so I'm not surprised later, which had the
> effect of surprising me immediately.  Now httpd can't look in
> /local/svn (because it can't see under /local?):
> 
> > s ausearch -i -ui apache
> [...blah...]
> type=PATH msg=audit(02/03/06 15:22:17.034:320) : item=0 name=/local flags=none inode=65545 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00
> type=CWD msg=audit(02/03/06 15:22:17.034:320) :  cwd=/
> type=AVC_PATH msg=audit(02/03/06 15:22:17.034:320) :  path=/local
> type=SYSCALL msg=audit(02/03/06 15:22:17.034:320) : arch=i386 syscall=lstat64 success=no exit=-13(Permission denied) a0=8db7f40 a1=bfbeb7bc a2=dc6ff4 a3=bfbeb7bc items=1 pid=8587 auid=tibbs uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache comm=httpd exe=/usr/sbin/httpd
> type=AVC msg=audit(02/03/06 15:22:17.034:320) : avc:  denied  { getattr } for  pid=8587 comm=httpd name=local dev=dm-0 ino=65545 scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=dir
> 
> So changing the context from root:object_r:root_t to
> system_u:object_r:default_t locks httpd out?

Yes.  As default_t is the type applied to anything not otherwise
specified (matching the /.* regex at the top of file_contexts), we don't
want it to be accessible at all to the confined daemons, whereas most
daemons need to be able to search the root directory (and hence have
some basic permissions to root_t).

> I don't think it would be proper to chcon /local to the same context
> as /local/svn, because I will certainly mount non-httpd-visible things
> under /local.  So what is the proper way to fix this?
> 
> Any enlightenment would be very much appreciated,

Put a type on it that is accessible, and preserve it using
file_contexts.local.

-- 
Stephen Smalley
National Security Agency