Think before you just blindly audit2allow -M mydomain
Don't Allow Domains to write Base SELinux Types
A few years ago I wrote a blog and paper on the four causes of SELinux errors.
The two most common causes were labeling issues and "SELinux needs to know."
The easiest way to explain this is a daemon that wants to write to a certain file, and SELinux blocks
the application from writing. In SELinux terms, the process DOMAIN (httpd_t) wants to write to the file type (var_lib_t)
and it is blocked. Users have potentially three ways of fixing this:
- Change the type of the file being written.
  - The object might be mislabeled, and restorecon of the object fixes the issue.
  - Change the label to httpd_var_lib_t using semanage and restorecon:
    - semanage fcontext -a -t httpd_var_lib_t '/var/lib/foobar(/.*)?'
    - restorecon -R -v /var/lib/foobar
- There might be a boolean available to allow the process domain to write to the file type:
  - setsebool -P HTTP_BOOLEAN 1
- Modify policy using audit2allow:
  - grep httpd_t /var/log/audit/audit.log | audit2allow -M myhttpd
  - semodule -i myhttpd.pp
The problem with the last option is that it requires no thought and just gets SELinux to shut up.
In RHEL7 and the latest Fedoras, the audit2allow tools will suggest a boolean when you run the AVCs through it, and setroubleshoot has been doing this for years. setroubleshoot will even suggest potential types that you could change the destination object to.
The thing we really want to stop is domains writing to BASE types. If I allow a confined domain to write to a BASE type like etc_t or usr_t, then an attacker who has hacked that domain can attack other domains, since almost all other domains need to read some etc_t or usr_t content.
BASE TYPES
One other feature we have added in RHEL7 and Fedora is a list of base types. SELinux has a mechanism for grouping types based on an attribute.
We have two new attributes, base_ro_file_type and base_file_type. You can see the types associated with these attributes using the seinfo command:
$ seinfo -abase_ro_file_type -x
base_ro_file_type
etc_runtime_t
etc_t
src_t
shell_exec_t
system_db_t
bin_t
boot_t
lib_t
usr_t
system_conf_t
textrel_shlib_t
$ seinfo -abase_file_type -x
base_file_type
etc_runtime_t
unlabeled_t
device_t
etc_t
src_t
shell_exec_t
home_root_t
system_db_t
var_lock_t
bin_t
boot_t
lib_t
mnt_t
root_t
tmp_t
usr_t
var_t
system_conf_t
textrel_shlib_t
lost_found_t
var_spool_t
default_t
var_lib_t
var_run_t
If you use audit2allow to add a rule to allow a domain to write to one of the base types:
Most likely you are WRONG.
If you have a domain that is attempting to write to one of these base types, then you most likely need to change the type of the destination object using the semanage/restorecon commands mentioned above.
The difficult thing for users to figure out is: "What type should I change the object to?"
We have added new man pages that show you the types that your program is allowed to write to:
man httpd_selinux
Look for the section on writable types.
If your domain httpd_t is attempting to write to var_lib_t, then look for httpd_var_lib_t. "sepolicy gui" is a new GUI tool to help you understand the types as well.
Call to arms:
If an enterprising hacker wanted to write some code, it would be nice to build this knowledge into audit2allow. Master's thesis, anyone?
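As an added illustration of what that check could look like (example code written for this post, not part of audit2allow, setroubleshoot or the reference policy), the script below reads AVC denial lines, pulls out the source domain, the target type and the denied permissions, and flags write-like denials whose target carries the base_file_type attribute. The base-type list is copied from the seinfo output above rather than queried live, the sample AVC lines are constructed, and suggest_type only applies the httpd_t + var_lib_t -> httpd_var_lib_t naming convention mentioned above as a heuristic; the existence of the suggested type must still be confirmed with seinfo and the domain's man page.

```shell
#!/bin/sh
# Added example for this post, not part of audit2allow or setroubleshoot.
# Flags write-like AVC denials whose target is a base file type, so the admin
# is pointed at relabeling (semanage fcontext / restorecon) instead of at
# audit2allow. The list below is copied from the "seinfo -abase_file_type -x"
# output in the post; on a real system regenerate it from seinfo.

BASE_FILE_TYPES="etc_runtime_t unlabeled_t device_t etc_t src_t shell_exec_t \
home_root_t system_db_t var_lock_t bin_t boot_t lib_t mnt_t root_t tmp_t \
usr_t var_t system_conf_t textrel_shlib_t lost_found_t var_spool_t default_t \
var_lib_t var_run_t"

# is_base_type TYPE -> true if TYPE carries the base_file_type attribute
is_base_type() {
    for t in $BASE_FILE_TYPES; do
        [ "$t" = "$1" ] && return 0
    done
    return 1
}

# Type component of scontext= / tcontext= in one AVC line,
# e.g. tcontext=system_u:object_r:var_lib_t:s0 -> var_lib_t
scontext_type() {
    printf '%s\n' "$1" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p'
}
tcontext_type() {
    printf '%s\n' "$1" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p'
}

# has_write_perm 'AVC line' -> true if the denied permission set would
# create, modify or remove the object (read-only denials are a separate case)
has_write_perm() {
    for p in $(printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*\)}.*/\1/p'); do
        case $p in
            write|append|create|unlink|rename|link|setattr|add_name|remove_name|rmdir) return 0 ;;
        esac
    done
    return 1
}

# classify 'AVC line' -> base-write | base-read | other
classify() {
    case $1 in
        *avc:*denied*) ;;
        *) echo other; return 0 ;;
    esac
    if is_base_type "$(tcontext_type "$1")"; then
        if has_write_perm "$1"; then echo base-write; else echo base-read; fi
    else
        echo other
    fi
}

# suggest_type DOMAIN TYPE -> private type name to look for in
# "man <domain>_selinux", following the httpd_t + var_lib_t -> httpd_var_lib_t
# convention in the post. Naming heuristic only (assumption): confirm the type
# exists with "seinfo -t <type>" before relabeling anything.
suggest_type() {
    printf '%s_%s\n' "${1%_t}" "$2"
}

# report: read AVC lines on stdin, print advice for each base-type write denial
report() {
    while IFS= read -r line; do
        [ "$(classify "$line")" = base-write ] || continue
        dom=$(scontext_type "$line"); ttype=$(tcontext_type "$line")
        echo "$dom wants to write $ttype (a base type): do NOT audit2allow this."
        echo "  Relabel the object instead; start with $(suggest_type "$dom" "$ttype")"
        echo "  and check man ${dom%_t}_selinux for the writable types."
    done
}

# Constructed sample denials (not captured from a real system).
AVC_BASE_WRITE='type=AVC msg=audit(1400000000.123:456): avc:  denied  { write } for  pid=1234 comm="httpd" name="foobar" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir'
AVC_BASE_READ='type=AVC msg=audit(1400000000.124:457): avc:  denied  { read } for  pid=1234 comm="httpd" name="motd" dev="dm-0" ino=23456 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file'
AVC_PRIVATE='type=AVC msg=audit(1400000000.125:458): avc:  denied  { add_name } for  pid=1234 comm="httpd" name="cache" dev="dm-0" ino=34567 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_var_lib_t:s0 tclass=dir'

printf '%s\n' "$AVC_BASE_WRITE" "$AVC_BASE_READ" "$AVC_PRIVATE" | report
```

Run on a real log with `grep httpd_t /var/log/audit/audit.log | sh -c '. ./check.sh; report'` style piping, or adapt report to read the file directly; only the first constructed line (httpd_t writing var_lib_t) produces advice, the read denial against etc_t and the write to the private httpd_var_lib_t type are left for the usual boolean or audit2allow path.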