1 |
On 10/24/2012 08:46 AM, Sven Vermeulen wrote: |
2 |
> On Tue, Oct 23, 2012 at 12:50:22PM -0600, Stan Sander wrote: |
3 |
>> This is the invalid context that I think I need to address: |
4 |
>> |
5 |
>> Oct 23 11:47:21 iax kernel: type=1401 audit(1351014441.497:8823983): |
6 |
>> security_compute_sid: invalid context stan:system_r:initrc_t for |
7 |
>> scontext=stan:sysadm_r:sysadm_t |
8 |
>> tcontext=system_u:object_r:asterisk_initrc_exec_t tclass=process |
9 |
>> |
10 |
> Meh, |
11 |
> |
12 |
> Seems my reply didn't hit the list first. |
13 |
> |
14 |
> You probably forgot to add in the system_r role to the SELinux user, see |
15 |
> http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&chap=1#serviceadmin |
16 |
> |
17 |
> Wkr, |
18 |
> Sven Vermeulen |
19 |
|
20 |
Thanks, asterisk now starts with SELinux enforcing. However, it did |
21 |
produce some new denials, two of which I believe impact the correct |
22 |
running of the daemon and associated scripts, etc. Here are all the |
23 |
denials generated at startup: |
24 |
|
25 |
Oct 24 15:48:45 iax kernel: type=1400 audit(1351115325.194:8824301): |
26 |
avc: denied { entrypoint } for pid=14590 comm="runscript.sh" |
27 |
path="/bin/rm" dev="sda3" ino=6837732 scontext=stan:system_r:initrc_t |
28 |
tcontext=system_u:object_r:bin_t tclass=file |
29 |
Oct 24 15:48:45 iax kernel: type=1400 audit(1351115325.203:8824302): |
30 |
avc: denied { read write } for pid=14592 comm="asterisk" |
31 |
path="/dev/pts/2" dev="devpts" ino=5 scontext=stan:system_r:asterisk_t |
32 |
tcontext=stan:object_r:user_devpts_t tclass=chr_file |
33 |
Oct 24 15:48:45 iax kernel: type=1400 audit(1351115325.203:8824303): |
34 |
avc: denied { read write } for pid=14592 comm="asterisk" |
35 |
path="/dev/pts/2" dev="devpts" ino=5 scontext=stan:system_r:asterisk_t |
36 |
tcontext=stan:object_r:user_devpts_t tclass=chr_file |
37 |
Oct 24 15:48:46 iax kernel: type=1400 audit(1351115326.462:8824304): |
38 |
avc: denied { write } for pid=14669 comm="runscript.sh" |
39 |
name="wrapper_loop.pid" dev="sda3" ino=6422541 |
40 |
scontext=stan:system_r:initrc_t |
41 |
tcontext=stan:object_r:asterisk_var_run_t tclass=file |
42 |
Oct 24 15:48:46 iax kernel: type=1400 audit(1351115326.464:8824305): |
43 |
avc: denied { read write } for pid=14670 comm="asterisk" |
44 |
path="/dev/pts/2" dev="devpts" ino=5 scontext=stan:system_r:asterisk_t |
45 |
tcontext=stan:object_r:user_devpts_t tclass=chr_file |
46 |
Oct 24 15:48:46 iax kernel: type=1400 audit(1351115326.464:8824306): |
47 |
avc: denied { read write } for pid=14670 comm="asterisk" |
48 |
path="/dev/pts/2" dev="devpts" ino=5 scontext=stan:system_r:asterisk_t |
49 |
tcontext=stan:object_r:user_devpts_t tclass=chr_file |
50 |
Oct 24 15:48:46 iax kernel: type=1400 audit(1351115326.469:8824307): |
51 |
avc: denied { setattr } for pid=14670 comm="asterisk" name="asterisk" |
52 |
dev="sda3" ino=6446976 scontext=stan:system_r:asterisk_t |
53 |
tcontext=system_u:object_r:asterisk_var_run_t tclass=dir |
54 |
|
55 |
|
56 |
|
57 |
The write denial for the wrapper_loop.pid file will lead to trouble, and |
58 |
the denial for setattr on the /var/run/asterisk directory has the |
59 |
potential (IMHO) to get us off in the weeds. The others, AFAICT are |
60 |
candidates for dontaudit rules. Based on the above, it seems initrc_t |
61 |
needs to be allowed to write asterisk_var_run_t files. Since |
62 |
runscript.sh is trying to write the pid, I really don't see any |
63 |
alternatives. I believe it needs this info to properly signal the |
64 |
wrapper for a graceful daemon stoppage. The last denial (for setattr) |
65 |
is trying to ensure 770 permissions on /var/run/asterisk and likely user |
66 |
and group ownership also. |
67 |
|
68 |
I can throw a couple rules at this in a local policy module, and let |
69 |
this run for a few days to see if anything else pops out, then file what |
70 |
I find in a bug against the policy module. |
71 |
|
72 |
-- |
73 |
Stan & HD Tashi Grad 10/08 Edgewood, NM SWR |
74 |
PR - Cindy and Jenny - Sammamish, WA NWR |
75 |
http://www.cci.org |