Don't Allow Domains to write Base SELinux Types
A few years ago I wrote a blog post and a paper on the four causes of SELinux errors.
The two most common causes were labeling issues and "SELinux needs to know".
The easiest way to explain this is a daemon that wants to write to a certain file, and SELinux blocks
the application from writing. In SELinux terms the Process Domain (httpd_t) wants to write to the file type (var_lib_t)
and it is blocked. Users have potentially three ways of fixing this.
Sadly the third option is the least recommended and the most often used.
- Change the type of the file being written.
  - The object might be mislabeled, and a restorecon of the object fixes the issue.
  - Change the label to httpd_var_lib_t using semanage and restorecon:
    semanage fcontext -a -t httpd_var_lib_t '/var/lib/foobar(/.*)?'
    restorecon -R -v /var/lib/foobar
- There might be a boolean available to allow the Process Domain to write to the file type:
  setsebool -P HTTP_BOOLEAN 1
- Modify policy using audit2allow:
  grep httpd_t /var/log/audit/audit.log | audit2allow -M myhttp
  The problem is that this requires no thought and just gets SELinux to shut up.
In RHEL7 and the latest Fedora releases, audit2allow will suggest a boolean when you run the AVCs through it, and setroubleshoot has been doing this for years. setroubleshoot will even suggest potential types that you could change the destination object to.
The thing we really want to stop is domains writing to BASE types. If I allow a confined domain to write to a BASE type like etc_t or usr_t, then a hacked process in that domain can attack other domains, since almost all other domains need to read some etc_t or usr_t content.
BASE TYPES
One other feature we have added in RHEL7 and Fedora is a list of base types. SELinux has a mechanism for grouping types based on an attribute.
We have two new attributes, base_ro_file_type and base_file_type. You can see the types associated with these attributes using the seinfo command:
$ seinfo -abase_ro_file_type -x
$ seinfo -abase_file_type -x
If you use audit2allow to add a rule to allow a domain to write to one of the base types:
Most likely you are WRONG
If you have a domain that is attempting to write to one of these base types, then you most likely need to change the type of the destination object using the semanage/restorecon commands mentioned above.
The difficult thing for users to figure out is: "What type should I change the object to?"
We have added new man pages that show you the types that your program is allowed to write to.
Look for the writable types.
If your domain httpd_t is attempting to write to var_lib_t, then look for httpd_var_lib_t. "sepolicy gui" is a new GUI tool to help you understand the types as well.
Call to arms:
If an enterprising hacker wanted to write some code, it would be nice to build this knowledge into audit2allow. Masters thesis anyone???
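As an added sketch of what that "knowledge built into audit2allow" could look like (example code written for this page, not code from the post, nor from the audit2allow, setroubleshoot or sepolicy projects): the script below parses AVC denial records, checks whether the target type belongs to base_file_type or base_ro_file_type, and, for a write to a base type, points the user at a domain-specific type to relabel to instead of at audit2allow. The membership lists would normally come from `seinfo -abase_file_type -x` and `seinfo -abase_ro_file_type -x`; here a small constructed sample of that output is embedded so it runs offline, the AVC lines are constructed, and the `httpd_t` + `var_lib_t` -> `httpd_var_lib_t` naming rule is the convention the post describes, treated as a heuristic rather than an authoritative policy query.

```python
"""Triage AVC denials before reaching for audit2allow.

Added example; not code from the original post or from audit2allow /
setroubleshoot / sepolicy.  It encodes the rule of thumb from the post:
a confined domain denied write access to a BASE type should almost always
be fixed by relabeling the target (semanage fcontext + restorecon) to a
domain-specific type, not by allowing the write with audit2allow.
"""
import re

# Constructed sample of `seinfo -a<attr> -x` output: attribute name first,
# then one member type per line (real output lists many more types).
SEINFO_BASE_FILE_TYPE = """\
   base_file_type
      etc_t
      usr_t
      var_lib_t
      var_log_t
      var_t
"""
SEINFO_BASE_RO_FILE_TYPE = """\
   base_ro_file_type
      bin_t
      lib_t
      usr_t
"""

# Constructed AVC records in audit.log format (pids, inodes, timestamps made up).
SAMPLE_AVCS = [
    'type=AVC msg=audit(1400000000.123:456): avc:  denied  { write } for  pid=1234 comm="httpd" '
    'name="cache.db" dev="dm-0" ino=789 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:var_lib_t:s0 tclass=file',
    'type=AVC msg=audit(1400000000.124:457): avc:  denied  { write } for  pid=1234 comm="httpd" '
    'name="cache.db" dev="dm-0" ino=790 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:httpd_var_lib_t:s0 tclass=file',
    'type=AVC msg=audit(1400000000.125:458): avc:  denied  { read } for  pid=1234 comm="httpd" '
    'name="passwd" dev="dm-0" ino=791 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file',
]

# Permissions that modify the object; reads of base types are normal and fine.
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "setattr"}


def parse_seinfo_attr(output):
    """Return the set of type names listed by `seinfo -a<attr> -x`.
    The first non-blank line is the attribute name itself and is skipped."""
    lines = [l.strip() for l in output.splitlines() if l.strip()]
    return set(lines[1:])


def parse_avc(line):
    """Extract permissions, source domain, target type and class from one AVC record."""
    perms = re.search(r"\{ ([^}]*) \}", line)
    scontext = re.search(r"scontext=(\S+)", line)
    tcontext = re.search(r"tcontext=(\S+)", line)
    tclass = re.search(r"tclass=(\S+)", line)
    if not (perms and scontext and tcontext and tclass):
        return None
    # A context is user:role:type:level; the type is the third field.
    return {
        "perms": set(perms.group(1).split()),
        "sdomain": scontext.group(1).split(":")[2],
        "ttype": tcontext.group(1).split(":")[2],
        "tclass": tclass.group(1),
    }


def triage(line, base_types):
    """Classify one denial.  Returns (verdict, suggested_target_type_or_None)."""
    avc = parse_avc(line)
    if avc is None:
        return ("unparsed", None)
    if not avc["perms"] & WRITE_PERMS:
        return ("not-a-write", None)
    if avc["ttype"] not in base_types:
        return ("write-to-non-base-type", None)
    # Heuristic from the post: httpd_t writing var_lib_t -> look for httpd_var_lib_t.
    # Whether that type actually exists must be confirmed against the loaded policy
    # (e.g. in the domain's sepolicy-generated man page).
    prefix = avc["sdomain"][:-2] if avc["sdomain"].endswith("_t") else avc["sdomain"]
    return ("write-to-base-type-relabel", "%s_%s" % (prefix, avc["ttype"]))


def triage_log(lines, base_types):
    """Triage every record in an iterable of audit.log lines."""
    return [triage(l, base_types) for l in lines]


if __name__ == "__main__":
    base = parse_seinfo_attr(SEINFO_BASE_FILE_TYPE) | parse_seinfo_attr(SEINFO_BASE_RO_FILE_TYPE)
    for line, (verdict, suggestion) in zip(SAMPLE_AVCS, triage_log(SAMPLE_AVCS, base)):
        avc = parse_avc(line)
        print("%s -> %s on %s: %s" % (avc["sdomain"], avc["ttype"], avc["tclass"], verdict))
        if suggestion:
            print("  do not audit2allow this; relabel the object, e.g. to %s, with" % suggestion)
            print("  semanage fcontext -a -t %s '<path>(/.*)?' && restorecon -R -v <path>" % suggestion)
```

Run against a real log you would replace the embedded samples with `seinfo` output and `grep avc /var/log/audit/audit.log`; the only verdict that should ever be fed to audit2allow is `write-to-non-base-type`, and even then a boolean (as setroubleshoot suggests) should be checked first.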