Dan Walsh's Blog

Got SELinux?


SELinux Types Revisited.
danwalsh
A common mistake people make with SELinux is thinking all types are the same. 

I often get Bugzilla reports from people who first got a bug saying that httpd_t cannot read some directory, say /myapache.  The admin then does some limited research and discovers the chcon command, and assumes that running chcon with the httpd type will solve the problem.

# chcon -t httpd_t /myapache
chcon: failed to change context of `/myapache' to `staff_u:object_r:httpd_t:s0': Permission denied


Wait, what?  I am unconfined_t, so why isn't this allowed?

# setenforce 0
# chcon -t httpd_t /myapache
#


Works, I guess I am all set.
# setenforce 1

Apache blows up.

Now they have AVC messages that indicate they need

allow unconfined_t httpd_t:dir relabelto;
allow httpd_t fs_t:filesystem associate;


Since the admin forced the label onto the system, other parts of SELinux start to break.  Later, when locate runs, they get an AVC that requires

allow locate_t httpd_t:dir getattr;

What the ...

The assumption the administrator mistakenly made was that all types are created equal.  But SELinux groups types and then controls which object "classes" each group can be assigned to.  SELinux blocks you from assigning a type to an object class it does not support.

For example, SELinux has types for files (file_type), processes (domain), ports (port_type), Ethernet interfaces (netif_type), nodes (node_type), filesystems (filesystem_type) ...

Types are grouped together using the policy attribute noted above in parentheses.

SELinux only allows a file_type to be placed on a filesystem_type object.  This is controlled by the associate permission on the filesystem class, which is why chcon to a type that is not a file_type is denied even for unconfined_t.

# sesearch -A -s file_type -t filesystem_type -p associate  | grep file_type
   allow file_type fs_t : filesystem associate ;
...


If you want to list all file_types, execute:

seinfo -afile_type -x
   file_type
      bluetooth_conf_t
      cmirrord_exec_t
      colord_exec_t
...
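Here is a small shell wrapper, added as an example and not part of the original post, that performs the check the rest of this post recommends: it parses the output of seinfo -a<attribute> -x to confirm a type actually carries the file_type attribute before handing it to chcon, so an admin never has to reach for setenforce 0 to find out. The embedded listing is constructed sample data; the parsing assumes the listing format shown above (the attribute name followed by one indented type per line), and the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): refuse to relabel a file with a
# type that does not carry the file_type attribute, which is exactly the
# mistake "chcon -t httpd_t /myapache" makes.

# Constructed sample in the shape of "seinfo -afile_type -x" output; the real
# listing is much longer.
SAMPLE_FILE_TYPES='   file_type
      bluetooth_conf_t
      cmirrord_exec_t
      httpd_sys_content_t'

# type_has_attr ATTR TYPE [LISTING]
# Returns 0 if TYPE is a member of attribute ATTR.  LISTING is the text of
# "seinfo -aATTR -x"; when omitted, seinfo is run (assumed to be installed).
# Every line is stripped of whitespace, the attribute's own name line is
# dropped, and TYPE must match one of the remaining lines exactly.
type_has_attr() {
    attr="$1"
    type="$2"
    if [ "$#" -ge 3 ]; then
        listing="$3"
    else
        listing=$(seinfo -a"$attr" -x 2>/dev/null) || return 2
    fi
    printf '%s\n' "$listing" | tr -d ' \t' | grep -Fvx -- "$attr" | grep -Fqx -- "$type"
}

# safe_chcon TYPE PATH...
# Only calls chcon when TYPE is a valid file type; otherwise explains why the
# relabel would be denied, without ever touching enforcing mode.
safe_chcon() {
    type="$1"
    shift
    if type_has_attr file_type "$type"; then
        chcon -t "$type" "$@"
    else
        echo "refusing to relabel: $type is not a file_type (no filesystem associate rule)" >&2
        echo "list valid file types with: seinfo -afile_type -x" >&2
        return 1
    fi
}

# Usage on a real system:
#   safe_chcon httpd_t /myapache              -> refused, httpd_t is a domain
#   safe_chcon httpd_sys_content_t /myapache  -> relabels, it is a file_type
```

The wrapper answers the question the admin in this post was really asking: not "why is chcon denied?" but "which types may I put on a directory at all?". Any type that fails the check would have produced the same relabelto and associate AVCs as httpd_t did.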


I have added a setroubleshoot plugin to Fedora 17 to try to help the administrator out.  For the chcon failure above it reports:

SELinux is preventing chcon from relabelto access on the directory myapache.

*****  Plugin associate (99.5 confidence) suggests  **************************

If you want to change the label of myapache to httpd_t, you are not allowed to since it is not a valid file type.
Then you must pick a valid file label.
Do
select a valid file type.  List valid file labels by executing:
# seinfo -afile_type -x


Hope this helps, although I agree this is a difficult concept to understand.

Thanks for basing a blog on one of my stupid mistakes, banging my head against the wall right now... ;-)

You are not the only one to hit this problem. Actually I have seen the apache version many times.
