Dan Walsh's Blog

Got SELinux?

File Context problems.
danwalsh
If you want to move files to directories that the current policy does not know about you should use the semanage command to tell the system what to label these files.


# semanage fcontext -a -t httpd_sys_script_exec_t '/myweb/cgi(/.*)?'
# restorecon -R -v /myweb/cgi

semanage is the right tool for this because it records the context permanently: if the machine is later relabeled, the directory keeps the correct label. system-config-selinux also has a graphical mechanism to do this.

Note:
  This is preferred over using chcon, since a chcon label might not survive a relabel.

If you do this labeling and the policy is later updated with the same or a slightly different context for the same path, you can have problems. I have also seen packages shipping with semanage commands in their post-install scripts to set the file context.

You can end up seeing statements like:

/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /var/lib/awstats(/.*)? (system_u:object_r:httpd_sys_script_rw_t:s0 and system_u:object_r:awstats_var_lib_t:s0).
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /usr/share/awstats/wwwroot/cgi-bin(/.*)? (system_u:object_r:httpd_sys_script_exec_t:s0 and system_u:object_r:httpd_awstats_script_exec_t:s0).

When restorecon, rpm, matchpathcon, setfiles or any other tool that reads the system's file contexts sees such a conflict, it prints this message.

You can remove the conflict with semanage by deleting the local specification:

# semanage fcontext -d '/var/lib/awstats(/.*)?'
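The conflict message above only appears once a tool such as restorecon or setfiles reads the merged contexts. As an added example (not from the original post), the following script checks for such conflicts ahead of time: it compares the policy's file_contexts with the local customizations that semanage writes and lists every regex the local file redefines with a different context, then prints the semanage command that would drop each conflicting local entry. The two input files are constructed samples built from the awstats conflict quoted in the post; the real files on a targeted-policy system are /etc/selinux/targeted/contexts/files/file_contexts and file_contexts.local.

```shell
#!/bin/sh
# Added example: detect "Multiple different specifications" conflicts between
# the policy's file_contexts and the local customizations before restorecon
# complains.  Both input files below are constructed samples, not real
# system files.

POLICY_FC=$(mktemp)
LOCAL_FC=$(mktemp)
trap 'rm -f "$POLICY_FC" "$LOCAL_FC"' EXIT

cat > "$POLICY_FC" <<'EOF'
# constructed sample of the policy's file_contexts
/var/lib/awstats(/.*)?                    system_u:object_r:awstats_var_lib_t:s0
/usr/share/awstats/wwwroot/cgi-bin(/.*)?  system_u:object_r:httpd_awstats_script_exec_t:s0
/var/www/cgi-bin(/.*)?                    system_u:object_r:httpd_sys_script_exec_t:s0
EOF

cat > "$LOCAL_FC" <<'EOF'
# constructed sample of file_contexts.local (what semanage fcontext -a writes)
/var/lib/awstats(/.*)?                    system_u:object_r:httpd_sys_script_rw_t:s0
/usr/share/awstats/wwwroot/cgi-bin(/.*)?  system_u:object_r:httpd_sys_script_exec_t:s0
/myweb/cgi(/.*)?                          system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/cgi-bin(/.*)?                    system_u:object_r:httpd_sys_script_exec_t:s0
EOF

# fcontext_conflicts POLICY LOCAL
# Prints "<regex> <policy context> <local context>" for every regex that the
# local file redefines with a different context.  The same regex with the
# same context is harmless and is skipped, as is a regex only known locally.
fcontext_conflicts() {
  awk '
    /^[ \t]*#/ || NF == 0 { next }               # skip comments and blank lines
    # field 1 is the path regex and the last field is the context; an optional
    # file-type flag (--, -d, -l, ...) may sit between them, so use $1 and $NF
    FNR == NR { policy[$1] = $NF; next }         # first file: the base policy
    ($1 in policy) && policy[$1] != $NF { print $1, policy[$1], $NF }
  ' "$1" "$2"
}

# conflict_count POLICY LOCAL -> number of conflicting specifications
conflict_count() {
  fcontext_conflicts "$1" "$2" | wc -l | tr -d ' '
}

# remove_conflict_commands POLICY LOCAL
# Emits, for review rather than execution, the semanage command that would
# drop each conflicting local entry (the local entry is the one semanage owns).
remove_conflict_commands() {
  fcontext_conflicts "$1" "$2" | while read -r spec _policy_ctx _local_ctx; do
    printf "semanage fcontext -d '%s'\n" "$spec"
  done
}

fcontext_conflicts "$POLICY_FC" "$LOCAL_FC"
remove_conflict_commands "$POLICY_FC" "$LOCAL_FC"
```

On the sample input the script reports the two awstats paths and nothing else. The commands it prints are only suggestions: before deleting a local entry, check whether the policy's context or your own is the one the application actually needs, since the local entry may have been added to work around a bug in the policy.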

One handy option, available at least in the semanage shipped with Fedora 9, is -C:

# semanage fcontext -l -C
SELinux fcontext                                   type               Context

/etc/glpi(/.*)?                                    all files          system_u:object_r:httpd_sys_script_rw_t:s0
/var/log/glpi(/.*)?                                all files          system_u:object_r:httpd_sys_script_rw_t:s0
/var/lib/glpi(/.*)?                                all files          system_u:object_r:httpd_sys_script_rw_t:s0
/dev/mapper/Volumes-OldWindowsBackup               all files          system_u:object_r:virt_image_t:s0

This command lists all the local file-context customizations that have been made to your system. It shows that on my system the glpi program must have set up special labeling, and that I labeled a virtual image in /dev/mapper.

You can see similar functionality in system-config-selinux by selecting the "File Labeling" list item and then clicking on the "Customized" button.

Re: PSAD SELinux file context

danwalsh

2008-12-22 07:24 pm (UTC)

Yes, this is the wrong thing to do, and I am surprised this would work in enforcing mode. iptables_t is a process context and you are assigning it to a file. I don't believe in enforcing mode this would work.

You really have a few choices here. You can just allow or dontaudit iptables_t writing to var_log_t. You can do this using audit2allow -M to build a policy module.

You can build a more complex policy module with a type defined psad_log_t and then allow iptables_t to manage the type. Something like:

cat mypsad.te

# module header required for the refpolicy Makefile to build mypsad.pp
policy_module(mypsad, 1.0)

gen_require(`
	type iptables_t;
')

# new file type for psad's logs; logging_file_type marks it as a log file type
type psad_log_t;
logging_file_type(psad_log_t)

# let iptables_t create, read, write, rename and delete files of that type
manage_files_pattern(iptables_t, psad_log_t, psad_log_t)

cat mypsad.fc

/var/log/psad(/.*)?	gen_context(system_u:object_r:psad_log_t,s0)


Or

You can try to find a file_type that iptables_t can currently write to and assign the context to the directory.


# sesearch --allow -s iptables_t | grep " file.*write"
WARNING: This policy contained disabled aliases; they have been removed.
allow @ttr2145 @ttr2113 : file { ioctl read write getattr lock append } ;
allow iptables_t xdm_home_t : file { ioctl read write getattr lock append } ;
allow iptables_t initrc_tmp_t : file { ioctl read write getattr lock append } ;
allow @ttr2145 user_tmp_t : file { ioctl write getattr lock append } ;
allow iptables_t @ttr2113 : file { ioctl read write getattr lock append } ;
allow iptables_t iptables_var_run_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow iptables_t iptables_t : file { ioctl read write getattr lock append } ;
allow iptables_t iptables_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;

Say, try iptables_var_run_t or iptables_tmp_t.

semanage fcontext -a -t iptables_var_run_t "/var/log/psad(/.*)?"
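The grep in the comment above matches any sesearch line mentioning "file" and "write", including rules whose source or target is an anonymous attribute (@ttr...) and rules that only permit writing to existing files. As an added example (not part of the comment or of any SELinux tool), this script narrows the sesearch output to target types on which the source domain can both write and create files, which is what a daemon writing a new log file needs, and prints the matching semanage command for each candidate. The sesearch output is embedded as a constructed sample copied from the lines quoted in the comment; on a real system it would come from running sesearch --allow -s iptables_t.

```shell
#!/bin/sh
# Added example: pick usable file types out of sesearch output.  The input is
# a constructed sample reproducing the lines quoted in the comment, not output
# captured from the system this script runs on.

SESEARCH_OUT=$(mktemp)
trap 'rm -f "$SESEARCH_OUT"' EXIT
cat > "$SESEARCH_OUT" <<'EOF'
WARNING: This policy contained disabled aliases; they have been removed.
allow @ttr2145 @ttr2113 : file { ioctl read write getattr lock append } ;
allow iptables_t xdm_home_t : file { ioctl read write getattr lock append } ;
allow iptables_t initrc_tmp_t : file { ioctl read write getattr lock append } ;
allow @ttr2145 user_tmp_t : file { ioctl write getattr lock append } ;
allow iptables_t @ttr2113 : file { ioctl read write getattr lock append } ;
allow iptables_t iptables_var_run_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow iptables_t iptables_t : file { ioctl read write getattr lock append } ;
allow iptables_t iptables_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
EOF

# writable_file_types SOURCE FILE [REQUIRED_PERM...]
# Prints the target types of "allow SOURCE <type> : file { ... }" rules whose
# permission set contains every required permission (default: write create).
# Anonymous attributes (@ttr...) are skipped because they cannot be used as a
# label, and so is the source domain itself: a domain type as the target type
# means the process's own /proc entries, not an on-disk label.
writable_file_types() {
  src=$1; input=$2; shift 2
  [ $# -gt 0 ] || set -- write create
  awk -v src="$src" -v need="$*" '
    BEGIN { n = split(need, req, " ") }
    $1 != "allow" || $2 != src || $3 ~ /^@/ || $3 == src || $5 != "file" { next }
    {
      # fields: allow SRC TGT : file { perm ... } ;  -> permissions start at $7
      ok = 1
      for (i = 1; i <= n; i++) {
        found = 0
        for (j = 7; j <= NF && $j != "}"; j++) if ($j == req[i]) found = 1
        if (!found) { ok = 0; break }
      }
      if (ok) print $3
    }
  ' "$input"
}

# suggest_fcontext SOURCE FILE PATHREGEX
# One semanage line per candidate type, for review before running any of them.
suggest_fcontext() {
  writable_file_types "$1" "$2" | while read -r t; do
    printf "semanage fcontext -a -t %s '%s'\n" "$t" "$3"
  done
}

writable_file_types iptables_t "$SESEARCH_OUT"
suggest_fcontext iptables_t "$SESEARCH_OUT" '/var/log/psad(/.*)?'
```

On the sample input only iptables_var_run_t and iptables_tmp_t survive the default filter; xdm_home_t and initrc_tmp_t allow write but not create, so a daemon could append to an existing file under those labels but never open a new one. The filter only inspects the file class: creating a file also needs add_name and write on the parent directory's type (sesearch with -c dir), which is worth checking before settling on a label. Reusing a runtime or tmp type for log files also means the policy treats those logs like pid or tmp files, which is why the dedicated psad_log_t type from the comment is the cleaner option.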
