Dan Walsh's Blog

Got SELinux?

Mistaking a Process label type for a File label type.
danwalsh
Yesterday there was an email from an administrator complaining about semanage.

The administrator was attempting to set up a new directory with a label for CGI scripts.

# semanage fcontext -a -t httpd_sys_script_t "///cgi-bin/.*\.cgi"
ValueError: Type httpd_sys_script_t is invalid, must be a file or device type.


The tool told the administrator that he had made a mistake: he had attempted to assign a type to a file that was neither a file nor a device type.

This is a fairly common mistake with SELinux.  httpd_sys_script_t is a process (domain) type, the label a CGI script runs under, and semanage refuses to put a process type into a file context: only types that policy marks as file types (the file_type attribute) or device types are accepted.  His valid complaint was that it is not easy to tell whether a particular type is a process type or a file type.

He then suggested that we should have coded something in the name of the type to indicate the type of the type. For example httpd_sys_script_p_t and httpd_sys_script_exec_f_t.  This might not be a bad idea, and should be brought up for discussion on the SELinux Policy list.

I looked at the semanage code and saw that the tool was checking the type field on the command against a list of valid file types.   I saw a fairly easy enhancement would be to strip the "_t" off the type and search the list of "file types" for names that matched the prefix.

This change would at least help the administrator a little.

# semanage fcontext -a -t httpd_sys_script_t "///cgi-bin/.*\.cgi"
ValueError: Type httpd_sys_script_t is invalid, must be a file or device type.
Alternative: httpd_sys_script_exec_t.


Another example.

# semanage fcontext -a -t apcupsd_t /etc/dan
ValueError: Type apcupsd_t is invalid, must be a file or device type.
Alternatives: apcupsd_var_run_t, apcupsd_initrc_exec_t, apcupsd_log_t, apcupsd_exec_t, apcupsd_lock_t, apcupsd_unit_file_t, apcupsd_tmp_t.


One problem with this change would be Apache (httpd_t), which comes out with 146 matches.  :^(
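As an added illustration (not the semanage code itself), here is the prefix-matching heuristic in Python, run against a constructed sample of types rather than a real policy. It goes slightly beyond the patch described above: matches are sorted shortest name first and the list is capped, which is one way to keep the httpd_t case readable. Everything in FILE_TYPES and DOMAIN_TYPES is made up for the example.

```python
# Prefix-based suggestions for a rejected fcontext type.  Illustration only,
# not the code in semanage; the type sets below are a constructed sample.

# Constructed sample of types carrying the file_type attribute (a real policy
# has thousands: `seinfo -afile_type -x`).
FILE_TYPES = {
    "httpd_sys_script_exec_t", "httpd_sys_content_t", "httpd_sys_rw_content_t",
    "httpd_sys_ra_content_t", "httpd_config_t", "httpd_log_t", "httpd_exec_t",
    "httpd_var_run_t", "httpd_tmp_t", "httpd_cache_t", "httpd_modules_t",
    "httpd_initrc_exec_t", "httpd_unit_file_t", "httpd_lock_t",
    "apcupsd_exec_t", "apcupsd_initrc_exec_t", "apcupsd_lock_t", "apcupsd_log_t",
    "apcupsd_tmp_t", "apcupsd_unit_file_t", "apcupsd_var_run_t",
    "etc_t", "var_t",
}

# Constructed sample of process domains (types with the `domain` attribute).
DOMAIN_TYPES = {"httpd_t", "httpd_sys_script_t", "apcupsd_t", "init_t"}


def strip_t(type_name):
    """httpd_sys_script_t -> httpd_sys_script"""
    return type_name[:-2] if type_name.endswith("_t") else type_name


def suggest_file_types(requested, file_types=FILE_TYPES):
    """File types whose name starts with the requested type's stem plus '_'.

    Sorted shortest name first so that, when a short stem like 'httpd'
    matches dozens of types, the nearest names lead the list.
    """
    prefix = strip_t(requested) + "_"
    matches = [t for t in file_types if t.startswith(prefix)]
    return sorted(matches, key=lambda t: (len(t), t))


def validate_fcontext_type(requested, file_types=FILE_TYPES,
                           domain_types=DOMAIN_TYPES, limit=10):
    """Mimic the semanage fcontext check.

    Returns None when the type may be used in a file context, otherwise the
    error text, extended with the alternatives the prefix search finds.
    """
    if requested in file_types:
        return None
    msg = "Type %s is invalid, must be a file or device type." % requested
    if requested in domain_types:
        msg += " (%s is a process domain.)" % requested
    alts = suggest_file_types(requested, file_types)
    if not alts:
        return msg
    shown = alts[:limit]
    hidden = len(alts) - len(shown)
    label = "Alternative" if len(alts) == 1 else "Alternatives"
    msg += "\n%s: %s" % (label, ", ".join(shown))
    if hidden:
        msg += ", and %d more (use a more specific type name)" % hidden
    return msg + "."


if __name__ == "__main__":
    for t in ("httpd_sys_script_t", "apcupsd_t", "httpd_t", "httpd_sys_content_t"):
        print(validate_fcontext_type(t) or "%s is a valid file type" % t)
```

On a real system the two sets would come from `seinfo -afile_type -x` and `seinfo -adomain -x` instead of being typed in; the matching logic does not change.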

The new semanage will show up in Rawhide and will be backported to RHEL7 and Fedora 20.

The seinfo command from the setools-cmdline package can list all file types on a system using the file_type attribute and all process types using the domain attribute.

> seinfo -afile_type -x | wc -l  
2603
> seinfo -adomain -x | wc -l
743

File System Equivalence

The administrator could have made a better labeling decision by using file equivalence labeling.

# semanage fcontext -a -e /var/www "/<pathtowebsite>/<website>"

Which would have told SELinux to label everything under "/<pathtowebsite>/<website>" as if it was under /var/www, so the site's cgi-bin directory gets httpd_sys_script_exec_t and the rest gets the normal httpd content types without writing a regex per path.  The rule only affects how labels are computed; run restorecon -R on the directory afterwards so files already on disk are relabeled.
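To show what the equivalence does at lookup time, here is an added Python illustration (not libselinux, and not code from this post) of how a path is rewritten before it is matched against file_contexts entries. The file_contexts excerpt, the /srv/website path and the simplified longest-stem matching rule are all assumptions made for the example.

```python
# How an equivalence rule changes label lookup.  Illustration only, not
# libselinux; the file_contexts excerpt and the equivalence are constructed.
import re

# Constructed excerpt in the style of file_contexts: (regex, type).
FILE_CONTEXTS = [
    (r"/var/www(/.*)?", "httpd_sys_content_t"),
    (r"/var/www/cgi-bin(/.*)?", "httpd_sys_script_exec_t"),
    (r"/srv(/.*)?", "var_t"),
    (r"/etc(/.*)?", "etc_t"),
]

# What `semanage fcontext -a -e /var/www /srv/website` records, as
# (new path, path it is labeled like).  /srv/website is an assumed path.
EQUIVALENCES = [("/srv/website", "/var/www")]

# Characters that end the literal part ("stem") of a file_contexts regex.
META = re.compile(r"[.^$?*+|(\[\\]")


def apply_equivalence(path, subs=EQUIVALENCES):
    """Rewrite the path prefix before regex matching: /srv/website/x -> /var/www/x."""
    for src, dst in subs:
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path


def regex_stem(regex):
    """Literal prefix of a regex: '/var/www/cgi-bin(/.*)?' -> '/var/www/cgi-bin'."""
    m = META.search(regex)
    return regex[:m.start()] if m else regex


def label_for(path, contexts=FILE_CONTEXTS, subs=EQUIVALENCES):
    """Type the path would get, or None if nothing matches.

    Simplified rule (an assumption, not libselinux's exact ordering): among
    entries whose regex matches the whole substituted path, the one with the
    longest literal stem wins, later entries winning ties.
    """
    resolved = apply_equivalence(path, subs)
    best, best_len = None, -1
    for regex, type_name in contexts:
        if re.fullmatch(regex, resolved):
            stem_len = len(regex_stem(regex))
            if stem_len >= best_len:
                best, best_len = type_name, stem_len
    return best


if __name__ == "__main__":
    for p in ("/srv/website/cgi-bin/index.cgi", "/srv/website/index.html", "/srv/other/x"):
        print("%-32s without rule: %-20s with rule: %s"
              % (p, label_for(p, subs=[]), label_for(p)))
```

Note that with the rule in place the cgi-bin subdirectory picks up httpd_sys_script_exec_t on its own, whereas the `-t` regex the administrator tried would have labeled only files ending in .cgi; without the rule the whole site would fall under the generic /srv entry.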
