| 1 |
Try running it in enforcing and document the application failures you get |
| 2 |
together with their denials. And see if allowing it fixes that particular |
| 3 |
problem. If you just give a list with rules and say "this is needed" there |
| 4 |
is a realistic chance that I can't get it upstreamed. |
| 5 |
On Oct 25, 2012 12:24 AM, "Stan Sander" <stsander@×××××.net> wrote: |
| 6 |
|
| 7 |
> On 10/24/2012 08:46 AM, Sven Vermeulen wrote: |
| 8 |
> > On Tue, Oct 23, 2012 at 12:50:22PM -0600, Stan Sander wrote: |
| 9 |
> >> This is the invalid context that I think I need to address: |
| 10 |
> >> |
| 11 |
> >> Oct 23 11:47:21 iax kernel: type=1401 audit(1351014441.497:8823983): |
| 12 |
> >> security_compute_sid: invalid context stan:system_r:initrc_t for |
| 13 |
> >> scontext=stan:sysadm_r:sysadm_t |
| 14 |
> >> tcontext=system_u:object_r:asterisk_initrc_exec_t tclass=process |
| 15 |
> >> |
| 16 |
> > Meh, |
| 17 |
> > |
| 18 |
> > Seems my reply didn't hit the list first. |
| 19 |
> > |
| 20 |
> > You probably forgot to add in the system_r role to the SELinux user, see |
| 21 |
> > |
| 22 |
> http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&chap=1#serviceadmin |
| 23 |
> > |
| 24 |
> > Wkr, |
| 25 |
> > Sven Vermeulen |
| 26 |
> |
| 27 |
> Thanks, asterisk now starts with SELinux enforcing. However, it did |
| 28 |
> produce some new denials, two of which I believe impact the correct |
| 29 |
> running of the daemon and associated scripts, etc. Here are all the |
| 30 |
> denials generated at startup: |
| 31 |
> |
| 32 |
> Oct 24 15:48:45 iax kernel: type=1400 audit(1351115325.194:8824301): |
| 33 |
> avc: denied { entrypoint } for pid=14590 comm="runscript.sh" |
| 34 |
> path="/bin/rm" dev="sda3" ino=6837732 scontext=stan:system_r:initrc_t |
| 35 |
> tcontext=system_u:object_r:bin_t tclass=file |
| 36 |
> Oct 24 15:48:45 iax kernel: type=1400 audit(1351115325.203:8824302): |
| 37 |
> avc: denied { read write } for pid=14592 comm="asterisk" |
| 38 |
> path="/dev/pts/2" dev="devpts" ino=5 scontext=stan:system_r:asterisk_t |
| 39 |
> tcontext=stan:object_r:user_devpts_t tclass=chr_file |
| 40 |
> Oct 24 15:48:45 iax kernel: type=1400 audit(1351115325.203:8824303): |
| 41 |
> avc: denied { read write } for pid=14592 comm="asterisk" |
| 42 |
> path="/dev/pts/2" dev="devpts" ino=5 scontext=stan:system_r:asterisk_t |
| 43 |
> tcontext=stan:object_r:user_devpts_t tclass=chr_file |
| 44 |
> Oct 24 15:48:46 iax kernel: type=1400 audit(1351115326.462:8824304): |
| 45 |
> avc: denied { write } for pid=14669 comm="runscript.sh" |
| 46 |
> name="wrapper_loop.pid" dev="sda3" ino=6422541 |
| 47 |
> scontext=stan:system_r:initrc_t |
| 48 |
> tcontext=stan:object_r:asterisk_var_run_t tclass=file |
| 49 |
> Oct 24 15:48:46 iax kernel: type=1400 audit(1351115326.464:8824305): |
| 50 |
> avc: denied { read write } for pid=14670 comm="asterisk" |
| 51 |
> path="/dev/pts/2" dev="devpts" ino=5 scontext=stan:system_r:asterisk_t |
| 52 |
> tcontext=stan:object_r:user_devpts_t tclass=chr_file |
| 53 |
> Oct 24 15:48:46 iax kernel: type=1400 audit(1351115326.464:8824306): |
| 54 |
> avc: denied { read write } for pid=14670 comm="asterisk" |
| 55 |
> path="/dev/pts/2" dev="devpts" ino=5 scontext=stan:system_r:asterisk_t |
| 56 |
> tcontext=stan:object_r:user_devpts_t tclass=chr_file |
| 57 |
> Oct 24 15:48:46 iax kernel: type=1400 audit(1351115326.469:8824307): |
| 58 |
> avc: denied { setattr } for pid=14670 comm="asterisk" name="asterisk" |
| 59 |
> dev="sda3" ino=6446976 scontext=stan:system_r:asterisk_t |
| 60 |
> tcontext=system_u:object_r:asterisk_var_run_t tclass=dir |
| 61 |
> |
| 62 |
> |
| 63 |
> |
| 64 |
> The write denial for the wrapper_loop.pid file will lead to trouble, and |
| 65 |
> the denial for setattr on the /var/run/asterisk directory has the |
| 66 |
> potential (IMHO) to get us off in the weeds. The others, AFAICT are |
| 67 |
> candidates for dontaudit rules. Based on the above, it seems initrc_t |
| 68 |
> needs to be allowed to write asterisk_var_run_t files. Since |
| 69 |
> runscript.sh is trying to write the pid, I really don't see any |
| 70 |
> alternatives. I believe it needs this info to properly signal the |
| 71 |
> wrapper for a graceful daemon stoppage. The last denial (for setattr) |
| 72 |
> is trying to ensure 770 permissions on /var/run/asterisk and likely user |
| 73 |
> and group ownership also. |
| 74 |
> |
| 75 |
> I can throw a couple rules at this in a local policy module, and let |
| 76 |
> this run for a few days to see if anything else pops out, then file what |
| 77 |
> I find in a bug against the policy module. |
| 78 |
> |
| 79 |
> -- |
| 80 |
> Stan & HD Tashi Grad 10/08 Edgewood, NM SWR |
| 81 |
> PR - Cindy and Jenny - Sammamish, WA NWR |
| 82 |
> http://www.cci.org |
| 83 |
> |
| 84 |
> |
| 85 |
> |
Archives