danwalsh


Dan Walsh's Blog

Got SELinux?


Previous Entry Add to Memories Share Next Entry
Interesting SELinux booleans.
danwalsh
SELinux by default prevents confined daemons from talking to the terminal.  This is actually considered a security feature.  You would not want a compromised daemon  to prompt you for a login/passwd.  Since our fingers have been trained to type in the username and password when every we see this prompt.

login:
password:
Oops...

SELinux policy has been traditionally coded to not allow confined daemons to talk to the TTY.  The way the SELinux kernel works is when a confined daemon is starting up the kernel looks at all of the open file descriptors (including STDIN, STDOUT, STDERR), if the policy for the daemon does not allow the application to access the open file descriptors, the kernel closes the descriptors and reopens them connected to /dev/null.  It also generates AVC messages, indicating the denial.  So most policy for confined daemons includes dontaudit rules for talking to the TTYs. Sometimes you will see these avc messages when the policy coder did not dontaudit all terminal types.  These avc's can usually be ignored.   

NOTE:
The SELinux kernel also closes leaked file descriptors when a confined application starts up.  I Unix/Linux environments when you open a file you get an open file descriptor, when the application later does a fork/exec of a new process, the new process inherits all of the open file descriptors.  This is almost always not what you want.  So the developer of the application should cal fcntl(fd, F_SETFD, F_CLOEXEC) which will close the file descriptors when the parent application calls the exec call.  Often you will see weird AVC messages like a random confined application trying to read/write the rpm database.  This is a leaked file descriptor with from with read/write access, and then RPM execs the daemon in a post install script.


Most daemon applications that are coded correctly will shortly after startup, close the open file descriptors before going into daemon mode.  As a matter of fact the daemon function call:

# man daemon
DAEMON(3)                  Linux Programmer’s Manual                 DAEMON(3)

NAME
       daemon - run in the background

SYNOPSIS
       #include <unistd.h>

       int daemon(int nochdir, int noclose);

DESCRIPTION
       The daemon() function is for programs wishing to detach themselves from
       the controlling terminal and run in the background as system daemons.

       Unless the argument nochdir is non-zero, daemon() changes  the  current
       working directory to the root ("/").

       Unless  the  argument noclose is non-zero, daemon() will redirect stan-
       dard input, standard output and standard error to /dev/null.
...

Shows that a properly coded application would do this anyways.

So in this case SELinux is a second line of defense.   

Sometimes applications will report problems in their configuration during startup and SELinux will prevent these messages from getting to the terminal.  For example, if you make a mistake in your http configuration.  httpd will attempt to report the error to the terminal.  Additionally some confined daemons can actually ask for input during startup.  httpd is also an example of this, if you run httpd with a private/public key ring that requires a password to unlock, http will prompt you for the password.

Since the messages are blocked by default to the TTY and the AVC messages are dontaudited, the admin will have no idea why his application does not start or that it reported any problems.  

So we have added booleans to handle these situations.

If you want to permanently allow http to communicate with the terminal you  can turn on the http_tty_comm boolean.

setsebool -P httpd_tty_comm=1

If you want to temporarily allow all of your confined daemons to talk to the terminal you can set the allow_daemons_use_tty boolean.

setsebool allow_daemons_use_tty on

You are viewing danwalsh