June 16th, 2009

Random Blog for SELinux confusion.

One common confusion with SELinux is the difference between running a daemon directly and running it from an init script.

When we designed the unconfined_t user domain, we decided (I did, anyway) that the unconfined user domain should tend to stay unconfined. The policy avoids too many transitions from the unconfined domain to a confined domain, because a user would be surprised when an unconfined domain suddenly got denied some access.

"I thought you told me the unconfined_t domain could do anything, but when I execute the ABC application I get an AVC denial. You lied to me ..."

But one of the benefits of transitions from one domain to another is that we can write rules about labeling. As an example, when the squid program starts up it writes a pid file to /var/run/squid.pid. If the squid program starts normally, the system runs the squid init script in the initrc_t domain, and executing /usr/sbin/squid transitions to the squid_t domain. There is a rule in SELinux policy that says that when a process running as squid_t creates a file in a var_run_t directory (/var/run), the kernel labels the new file squid_var_run_t. So whether the system starts squid at boot or the admin uses the init script, /var/run/squid.pid gets created with the squid_var_run_t label, and the squid_t domain can read/write/delete files of this type.

However... if a developer or tester decides to run the squid program directly, there is no transition. A user running in the unconfined_t domain who executes a program labeled squid_exec_t (/usr/sbin/squid) stays in the unconfined_t domain. When the squid program running as unconfined_t creates the /var/run/squid.pid file in /var/run, there is no file type transition rule for unconfined_t in var_run_t directories, so the new file simply inherits the type of the parent directory, var_run_t. That is the default behaviour when no transition rule matches. So you end up with /var/run/squid.pid labeled var_run_t.

Later, if the developer or tester tries to start squid using the service script, the squid program will properly transition to the squid_t domain, but it will not be able to read/write/delete /var/run/squid.pid, since that file is labeled var_run_t rather than squid_var_run_t. The developer will have to run restorecon on the file to fix the label.
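To make the two scenarios above concrete, here is a small Python model of the labeling rules the post describes. It is an added example, not code from the post or from the SELinux policy sources: the rule tables are constructed by hand from the prose (the domain transition initrc_t + squid_exec_t -> squid_t, the file transition squid_t in var_run_t -> squid_var_run_t, and the squid_t allow rule), and the helpers (exec_transition, create_file_type, allowed, start_squid, relabel) are hypothetical names, not SELinux APIs. It walks through starting squid from the init script, starting it directly from unconfined_t, the resulting denial, and the restorecon fix.

```python
# Added example: a constructed model of the SELinux labeling rules the post
# describes. The tables below are hand-written from the post's prose, not
# loaded from a real policy; the function names are hypothetical helpers.

# Domain transitions: (current domain, type of executed file) -> new domain.
# initrc_t executing squid_exec_t becomes squid_t; unconfined_t has no rule
# and therefore keeps its domain.
DOMAIN_TRANSITIONS = {
    ("initrc_t", "squid_exec_t"): "squid_t",
}

# File type transitions: (creating domain, parent directory type) -> new file type.
# squid_t creating in a var_run_t directory gets squid_var_run_t; no other
# domain in this model has such a rule.
FILE_TRANSITIONS = {
    ("squid_t", "var_run_t"): "squid_var_run_t",
}

# Allow rules for confined domains: (domain, file type) -> permitted operations.
ALLOW = {
    ("squid_t", "squid_var_run_t"): {"read", "write", "unlink"},
}

# Default file contexts (what restorecon applies), keyed by path.
FILE_CONTEXTS = {
    "/var/run/squid.pid": "squid_var_run_t",
}


def exec_transition(domain, exec_type):
    """Domain after executing a file of exec_type; unchanged when no rule matches."""
    return DOMAIN_TRANSITIONS.get((domain, exec_type), domain)


def create_file_type(domain, dir_type):
    """Type given to a file created by `domain` in a directory of `dir_type`.
    With no matching type_transition rule the file inherits the directory's type."""
    return FILE_TRANSITIONS.get((domain, dir_type), dir_type)


def allowed(domain, file_type, perm):
    """Does the modelled policy let `domain` perform `perm` on a file of `file_type`?"""
    if domain == "unconfined_t":  # modelled as unconfined: everything permitted
        return True
    return perm in ALLOW.get((domain, file_type), set())


def start_squid(starter_domain, fs):
    """Simulate /usr/sbin/squid (labeled squid_exec_t) started from `starter_domain`.

    squid then creates /var/run/squid.pid in /var/run (var_run_t) if it is absent.
    `fs` maps path -> current file type and is updated in place.
    Returns (domain squid runs in, whether it may open its pid file for writing).
    """
    domain = exec_transition(starter_domain, "squid_exec_t")
    if "/var/run/squid.pid" not in fs:
        fs["/var/run/squid.pid"] = create_file_type(domain, "var_run_t")
    return domain, allowed(domain, fs["/var/run/squid.pid"], "write")


def relabel(path, fs):
    """What `restorecon path` does: reset the type from the file_contexts table."""
    fs[path] = FILE_CONTEXTS[path]
    return fs[path]


if __name__ == "__main__":
    fs = {}
    print("via init script :", start_squid("initrc_t", fs), fs)
    fs = {}
    print("run directly    :", start_squid("unconfined_t", fs), fs)
    print("then init script:", start_squid("initrc_t", fs))  # squid_t is denied
    relabel("/var/run/squid.pid", fs)
    print("after restorecon:", start_squid("initrc_t", fs))  # works again
```

On a real system the equivalent checks are `ls -Z /var/run/squid.pid` to see the current context, `matchpathcon /var/run/squid.pid` to see what the policy's file_contexts expect, and `restorecon -v /var/run/squid.pid` to reset it; a mismatch between the first two is the signature of the problem the post describes.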