I have a service I want to start from systemd. The service startup goes like this:
systemd ----> prog1[label: usr_t] ----> prog2[label: antivirus_exec_t]
However, Fedora's SELinux policies prevent prog2 from starting. If I change prog2's label to bin_t or usr_t, the service starts fine.
What in Fedora's policies bans antivirus_exec_t from running?
Should I introduce a custom policy that allows that startup combination? If so, can you tell me what that rule would look like (or what document would give me the instructions). I already have a simple .te policy so I know the very basics.
Or should I just label the file with bin_t and be done with it?
BTW, this is not a sysadmin question. Rather it's a product installation question; the product should work out of the box on Fedora.
Marko
On Fri, Jun 7, 2019 at 11:31 AM Marko Rauhamaa <marko@pacujo.net> wrote:
I have a service I want to start from systemd. The service startup goes like this:
systemd ----> prog1[label: usr_t] ----> prog2[label: antivirus_exec_t]
However, Fedora's SELinux policies prevent prog2 from starting. If I change prog2's label to bin_t or usr_t, the service starts fine.
What in Fedora's policies bans antivirus_exec_t from running?
Should I introduce a custom policy that allows that startup combination? If so, can you tell me what that rule would look like (or what document would give me the instructions). I already have a simple .te policy so I know the very basics.
Or should I just label the file with bin_t and be done with it?
Hi Marko,
There is a type transition which makes a usr_t prog1 end up in unconfined_service_t domain:
# sesearch -T -s init_t -t usr_t -c process
type_transition init_t usr_t:process unconfined_service_t;
but a transition from antivirus_exec_t is defined only for a bunch of domains:
# sesearch -T -t antivirus_exec_t -c process
type_transition cluster_t antivirus_exec_t:process antivirus_t;
type_transition condor_startd_t antivirus_exec_t:process antivirus_t;
type_transition crond_t antivirus_exec_t:process antivirus_t;
type_transition exim_t antivirus_exec_t:process antivirus_t;
type_transition glusterd_t antivirus_exec_t:process antivirus_t;
type_transition httpd_sys_script_t antivirus_exec_t:process antivirus_t;
type_transition httpd_t antivirus_exec_t:process antivirus_t;
type_transition init_t antivirus_exec_t:process antivirus_t;
type_transition initrc_t antivirus_exec_t:process antivirus_t;
type_transition kdumpctl_t antivirus_exec_t:process antivirus_t;
type_transition mscan_t antivirus_exec_t:process antivirus_t;
type_transition openshift_initrc_t antivirus_exec_t:process antivirus_t;
type_transition piranha_pulse_t antivirus_exec_t:process antivirus_t;
type_transition procmail_t antivirus_exec_t:process antivirus_t;
type_transition system_cronjob_t antivirus_exec_t:process antivirus_t;
BTW, this is not a sysadmin question. Rather it's a product installation question; the product should work out of the box on Fedora.
The proper way to start a service is using a service unit; in that case it works out of the box. We cannot, however, suggest any solution without further information about your setup.
Marko
_______________________________________________
selinux mailing list -- selinux@lists.fedoraproject.org
To unsubscribe send an email to selinux-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.or...
On 6/10/19 9:48 AM, Zdenek Pytela wrote:
On Fri, Jun 7, 2019 at 11:31 AM Marko Rauhamaa <marko@pacujo.net> wrote:
I have a service I want to start from systemd. The service startup goes like this:
systemd ----> prog1[label: usr_t] ----> prog2[label: antivirus_exec_t]
However, Fedora's SELinux policies prevent prog2 from starting. If I change prog2's label to bin_t or usr_t, the service starts fine.
What in Fedora's policies bans antivirus_exec_t from running?
Should I introduce a custom policy that allows that startup combination? If so, can you tell me what that rule would look like (or what document would give me the instructions). I already have a simple .te policy so I know the very basics.
Or should I just label the file with bin_t and be done with it?
Hi Marko,
There is a type transition which makes a usr_t prog1 end up in unconfined_service_t domain:
# sesearch -T -s init_t -t usr_t -c process
type_transition init_t usr_t:process unconfined_service_t;
but a transition from antivirus_exec_t is defined only for a bunch of domains:
# sesearch -T -t antivirus_exec_t -c process
type_transition cluster_t antivirus_exec_t:process antivirus_t;
type_transition condor_startd_t antivirus_exec_t:process antivirus_t;
type_transition crond_t antivirus_exec_t:process antivirus_t;
type_transition exim_t antivirus_exec_t:process antivirus_t;
type_transition glusterd_t antivirus_exec_t:process antivirus_t;
type_transition httpd_sys_script_t antivirus_exec_t:process antivirus_t;
type_transition httpd_t antivirus_exec_t:process antivirus_t;
type_transition init_t antivirus_exec_t:process antivirus_t;
type_transition initrc_t antivirus_exec_t:process antivirus_t;
type_transition kdumpctl_t antivirus_exec_t:process antivirus_t;
type_transition mscan_t antivirus_exec_t:process antivirus_t;
type_transition openshift_initrc_t antivirus_exec_t:process antivirus_t;
type_transition piranha_pulse_t antivirus_exec_t:process antivirus_t;
type_transition procmail_t antivirus_exec_t:process antivirus_t;
type_transition system_cronjob_t antivirus_exec_t:process antivirus_t;
BTW, this is not a sysadmin question. Rather it's a product installation question; the product should work out of the box on Fedora.
The proper way to start a service is using a service unit; in that case it works out of the box. We cannot, however, suggest any solution without further information about your setup.
There are several ways to solve this.
Your scenario:
systemd[label: init_t] ----> prog1[label: usr_t] ----> prog2[label: antivirus_exec_t]
What you can do is label prog1 as antivirus_exec_t, like:
systemd[label: init_t] ----> prog1[label: antivirus_exec_t] ----> prog2[label: antivirus_exec_t]
because of the domain transition:
# sesearch -T -s init_t -t antivirus_exec_t -c process
type_transition init_t antivirus_exec_t:process antivirus_t;
The first process will run as antivirus_t and then the next one will also run as antivirus_t.
Or you can specify new domain transitions to have something like:
systemd[label: init_t] ----> prog1[label: antivirus_starter_exec_t] ----> prog2[label: antivirus_exec_t]
But could you please share your use case? It would be helpful.
Thanks, Lukas.
Marko
--
Zdenek Pytela, SELinux product owner and Senior software engineer, Security technologies. E-mail: zpytela@redhat.com, IRC: zpytela
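A concrete form of Lukas's second option (a dedicated starter domain whose transitions replace the init_t -> usr_t -> unconfined_service_t path), written as an added example that is not from the thread or from Fedora's policy sources. It assumes the reference-policy interfaces init_daemon_domain() and antivirus_domtrans() as shipped in Fedora's selinux-policy; the module name, the antivirus_starter_t/antivirus_starter_exec_t types and the /opt/example/prog1 path are made up for illustration.

```selinux
policy_module(antivirus_starter, 1.0)

########################################
# Declarations
#
# prog1 gets its own domain instead of inheriting unconfined_service_t
# through the generic init_t -> usr_t transition shown earlier in the
# thread. (Type and module names are illustrative.)

type antivirus_starter_t;
type antivirus_starter_exec_t;

# Makes antivirus_starter_t a daemon domain that init_t (systemd) enters
# when it executes a file labeled antivirus_starter_exec_t, i.e. adds
#   type_transition init_t antivirus_starter_exec_t:process antivirus_starter_t;
# plus the execute/entrypoint/transition permissions behind it.
init_daemon_domain(antivirus_starter_t, antivirus_starter_exec_t)

########################################
# Local policy

# Second hop: when antivirus_starter_t executes prog2 (antivirus_exec_t)
# the child lands in antivirus_t, exactly like the crond_t/init_t entries
# in the sesearch output above, i.e. adds
#   type_transition antivirus_starter_t antivirus_exec_t:process antivirus_t;
antivirus_domtrans(antivirus_starter_t)

# Minimal needs of a launcher that forks and waits for its child; grow
# this from real AVC denials (ausearch -m AVC -ts recent | audit2allow -r)
# rather than by guessing, so the starter domain stays tightly scoped.
allow antivirus_starter_t self:process { fork sigchld signal };
allow antivirus_starter_t self:fifo_file rw_fifo_file_perms;
files_read_etc_files(antivirus_starter_t)

# Expected result after `semodule -i antivirus_starter.pp` and labeling
# prog1 (assumed path /opt/example/prog1) with antivirus_starter_exec_t:
#   # sesearch -T -s init_t -t antivirus_starter_exec_t -c process
#   type_transition init_t antivirus_starter_exec_t:process antivirus_starter_t;
#   # sesearch -T -s antivirus_starter_t -t antivirus_exec_t -c process
#   type_transition antivirus_starter_t antivirus_exec_t:process antivirus_t;
```

Build with `make -f /usr/share/selinux/devel/Makefile antivirus_starter.pp`, then label prog1 with `semanage fcontext -a -t antivirus_starter_exec_t /opt/example/prog1` and `restorecon -v /opt/example/prog1` before starting the unit; prog2 keeps its antivirus_exec_t label unchanged.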