I'm trying to work on getting SELinux running in enforcing mode on my
x86 stable server. Everything seems OK if I switch enforcing on until
asterisk needs to be (re)started. Running /etc/init.d/asterisk results
in a "bad interpreter (permission denied)" error if SELinux is enforcing.
The only thing I noticed in the logs was an invalid security context.
So today I disabled all the dontaudit rules and ran the init script (in
permissive mode) from the command line. The invalid context seems to be
the root of the issue, but here are the AVCs that I captured. I'm not
sure of the best way to handle the invalid context, so I'd like to get
some thoughts/suggestions from the list before I start making changes.

This is the invalid context that I think I need to address:

Oct 23 11:47:21 iax kernel: type=1401 audit(1351014441.497:8823983):
security_compute_sid: invalid context stan:system_r:initrc_t for
scontext=stan:sysadm_r:sysadm_t
tcontext=system_u:object_r:asterisk_initrc_exec_t tclass=process

By way of context, here are all the denials as they appeared.

Oct 23 11:47:21 iax kernel: type=1401 audit(1351014441.497:8823983):
security_compute_sid: invalid context stan:system_r:initrc_t for
scontext=stan:sysadm_r:sysadm_t
tcontext=system_u:object_r:asterisk_initrc_exec_t tclass=process
Oct 23 11:47:21 iax kernel: type=1400 audit(1351014441.497:8823984):
avc: denied { rlimitinh } for pid=10978 comm="asterisk"
scontext=stan:sysadm_r:sysadm_t tcontext=stan:system_r:initrc_t
tclass=process
Oct 23 11:47:21 iax kernel: type=1400 audit(1351014441.497:8823985):
avc: denied { siginh } for pid=10978 comm="asterisk"
scontext=stan:sysadm_r:sysadm_t tcontext=stan:system_r:initrc_t
tclass=process
Oct 23 11:47:21 iax kernel: type=1400 audit(1351014441.497:8823986):
avc: denied { noatsecure } for pid=10978 comm="asterisk"
scontext=stan:sysadm_r:sysadm_t tcontext=stan:system_r:initrc_t
tclass=process
Oct 23 11:47:21 iax kernel: type=1401 audit(1351014441.500:8823987):
security_compute_sid: invalid context stan:system_r:initrc_t for
scontext=stan:system_r:initrc_t tcontext=system_u:object_r:rc_exec_t
tclass=process
Oct 23 11:47:21 iax kernel: type=1401 audit(1351014441.508:8823988):
security_compute_sid: invalid context stan:system_r:initrc_t for
scontext=stan:system_r:initrc_t tcontext=system_u:object_r:bin_t
tclass=process
Oct 23 11:47:21 iax kernel: type=1401 audit(1351014441.515:8823989):
security_compute_sid: invalid context stan:system_r:initrc_t for
scontext=stan:system_r:initrc_t tcontext=system_u:object_r:bin_t
tclass=process
Oct 23 11:47:21 iax kernel: type=1401 audit(1351014441.517:8823990):
security_compute_sid: invalid context stan:system_r:initrc_t for
scontext=stan:system_r:initrc_t tcontext=system_u:object_r:rc_exec_t
tclass=process
Oct 23 11:47:21 iax kernel: type=1401 audit(1351014441.530:8823991):
security_compute_sid: invalid context stan:system_r:initrc_t for
scontext=stan:system_r:initrc_t tcontext=system_u:object_r:bin_t
tclass=process
Oct 23 11:47:21 iax kernel: type=1401 audit(1351014441.542:8823992):
security_compute_sid: invalid context stan:system_r:initrc_t for
scontext=stan:system_r:initrc_t tcontext=system_u:object_r:bin_t
tclass=process
Oct 23 11:47:22 iax asterisk_wrapper: Initializing asterisk wrapper

And, the current file contexts:

#ls -lZ /etc/init.d/asterisk
-rwxr-xr-x. 1 root root system_u:object_r:asterisk_initrc_exec_t 6489 Oct 5 13:12 /etc/init.d/asterisk
#ls -lZ /usr/sbin/asterisk
-rwxr-xr-x. 1 root root system_u:object_r:asterisk_exec_t 24247031 Oct 5 13:01 /usr/sbin/asterisk

The resulting processes show:

#ps -efZ |grep asterisk
stan:system_r:initrc_t root 11062 1 0 11:47 pts/2 00:00:00 /bin/sh /lib/rc/sh/runscript.sh /etc/init.d/asterisk start
stan:system_r:initrc_t root 11063 1 0 11:47 pts/2 00:00:00 logger -t asterisk_wrapper
stan:system_r:asterisk_t asterisk 11066 11062 0 11:47 pts/2 00:00:01 /usr/sbin/asterisk -f -g -U asterisk
stan:system_r:asterisk_t asterisk 11067 11066 0 11:47 pts/2 00:00:00 astcanary /var/run/asterisk/alt.asterisk.canary.tweet.tweet.tweet 11066

It is interesting that they are running under my SELinux user name
instead of under system_u like the other processes I may need to (re)start
in a similar fashion. Also, the asterisk script does not seem to call/use
runscript_selinux.so like the others do, as I am not prompted for root's
password.

And lastly, my shell that I am executing all of this from:

#id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),11(floppy),26(tape),27(video)
context=stan:sysadm_r:sysadm_t

-- 
Stan & HD Tashi Grad 10/08 Edgewood, NM SWR
PR - Cindy and Jenny - Sammamish, WA NWR
http://www.cci.org
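An added example, not part of the post above and not Gentoo's or Asterisk's code: a small Python parser for the two kinds of kernel record quoted in the message (type=1401 "security_compute_sid: invalid context" and type=1400 "avc: denied"), run over the poster's own lines, still wrapped the way a mail client wraps them. It then checks each invalid context against a user-to-roles map. The map `ASSUMED_USER_ROLES` is an assumption for the example (the real one comes from the loaded policy, e.g. `seinfo -u stan -x`); the SELinux rule it encodes is a general one: a context is only valid when the policy authorises its user for its role, which is exactly what `security_compute_sid` rejects here for `stan:system_r:initrc_t`.

```python
"""Summarise SELinux kernel audit records of the kind quoted in the post.

Added example.  SAMPLE_LOG is a constructed input: four of the records
from the message, kept wrapped across lines as the mail client left them.
"""
import re

SAMPLE_LOG = """\
Oct 23 11:47:21 iax kernel: type=1401 audit(1351014441.497:8823983):
security_compute_sid: invalid context stan:system_r:initrc_t for
scontext=stan:sysadm_r:sysadm_t
tcontext=system_u:object_r:asterisk_initrc_exec_t tclass=process
Oct 23 11:47:21 iax kernel: type=1400 audit(1351014441.497:8823984):
avc: denied { rlimitinh } for pid=10978 comm="asterisk"
scontext=stan:sysadm_r:sysadm_t tcontext=stan:system_r:initrc_t
tclass=process
Oct 23 11:47:21 iax kernel: type=1400 audit(1351014441.497:8823985):
avc: denied { siginh } for pid=10978 comm="asterisk"
scontext=stan:sysadm_r:sysadm_t tcontext=stan:system_r:initrc_t
tclass=process
Oct 23 11:47:21 iax kernel: type=1401 audit(1351014441.500:8823987):
security_compute_sid: invalid context stan:system_r:initrc_t for
scontext=stan:system_r:initrc_t tcontext=system_u:object_r:rc_exec_t
tclass=process
Oct 23 11:47:22 iax asterisk_wrapper: Initializing asterisk wrapper
"""

# ASSUMPTION for the example: which roles the policy authorises for each
# SELinux user.  On a real box read this from `seinfo -u <user> -x`.
ASSUMED_USER_ROLES = {
    "stan": {"staff_r", "sysadm_r"},
    "system_u": {"system_r"},
}

# A syslog record starts with "Mon DD HH:MM:SS host "; anything else is a
# wrapped continuation of the previous record.
RECORD_START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ ")
INVALID_RE = re.compile(
    r"type=1401 audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"security_compute_sid: invalid context (?P<ctx>\S+) for "
    r"scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<c>\S+)")
AVC_RE = re.compile(
    r"type=1400 audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc: denied \{ (?P<perms>[^}]*)\} for pid=(?P<pid>\d+) "
    r'comm="(?P<comm>[^"]*)" '
    r"scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<c>\S+)")


def unwrap(text):
    """Re-join mail-wrapped syslog lines into one string per record."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line):
            records.append(line)
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records


def split_context(ctx):
    """Split user:role:type[:mls] into its fields."""
    parts = ctx.split(":")
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "mls": ":".join(parts[3:]) or None}


def parse_audit(text):
    """Return a list of event dicts for the records this tool understands."""
    events = []
    for rec in unwrap(text):
        m = INVALID_RE.search(rec)
        if m:
            events.append({"kind": "invalid_context", "serial": int(m["serial"]),
                           "context": m["ctx"], "scontext": m["s"],
                           "tcontext": m["t"], "tclass": m["c"]})
            continue
        m = AVC_RE.search(rec)
        if m:
            events.append({"kind": "avc_denied", "serial": int(m["serial"]),
                           "perms": m["perms"].split(), "pid": int(m["pid"]),
                           "comm": m["comm"], "scontext": m["s"],
                           "tcontext": m["t"], "tclass": m["c"]})
    return events


def denied_perms(events):
    """Collapse AVC denials to {(scontext, tcontext, tclass): {perm, ...}}."""
    out = {}
    for e in events:
        if e["kind"] == "avc_denied":
            key = (e["scontext"], e["tcontext"], e["tclass"])
            out.setdefault(key, set()).update(e["perms"])
    return out


def diagnose(events, user_roles):
    """One finding per distinct invalid context: is the user allowed the role?"""
    findings = []
    invalid = sorted({e["context"] for e in events if e["kind"] == "invalid_context"})
    for ctx in invalid:
        c = split_context(ctx)
        allowed = user_roles.get(c["user"], set())
        if c["role"] not in allowed:
            findings.append(f"{ctx}: SELinux user {c['user']} is not authorised for role "
                            f"{c['role']} (allowed: {', '.join(sorted(allowed)) or 'none'})")
        else:
            findings.append(f"{ctx}: user/role pair is valid; check role-type "
                            f"authorisation for {c['role']}:{c['type']}")
    return findings


if __name__ == "__main__":
    evs = parse_audit(SAMPLE_LOG)
    for line in diagnose(evs, ASSUMED_USER_ROLES):
        print(line)
    for (s, t, c), perms in sorted(denied_perms(evs).items()):
        print(f"denied {sorted(perms)} {s} -> {t} class {c}")
```

The `avc: denied` lines for rlimitinh, siginh and noatsecure are the usual companions of a failed transition and are normally dontaudited, so the parser keeps them but the diagnosis key is the 1401 record. In SELinux generally, a user:role pair the policy does not authorise can only be avoided by starting the service from a context whose user is allowed system_r (the role switch a run_init password prompt performs) or by changing the user's authorised roles in policy (`semanage user -m -R` on distributions that ship it); which of those is right for this box is not settled by the post.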