Sensible labelling decisions and /usr/local/?
by RyanOblivion112
Greetings everyone,
I'm currently cleaning up some automation scripts of mine and would like some assurance that the SELinux aspects of my changes are being handled sensibly.
As a part of this work I've decided it would be better to store various things in appropriate locations under "/usr/local/". While trying to understand the implications of this I've determined a few SELinux related concerns that I hope someone here can provide some insight on, these are:
01. I can see that the SELinux type for "/etc/"(etc_t) differs from that of "/usr/local/etc/"(usr_t), if I intend to actually utilize that directory would the "etc_t" label be more appropriate, if not why is that?
02. Adding onto the previous question what about files under "/usr/local/etc/", should their types be "usr_t" or is "etc_t" the more sensible decision?
Essentially I'd like to know if it's unwise to simply reuse the expected labels files and directories would have outside of "/usr/local/" within "/usr/local/".
1 year, 11 months
- 2
- 2
Any booleans which can make nginx connect to an UDS?
by troels@arvin.dk
Hey,
I'm writing some code based on this example for the Axum web-framework: https://github.com/tokio-rs/axum/tree/main/examples/unix-domain-socket
The idea is to have an application running and listening on a unix domain socket (UDS) in /run/axum/foo/socket and then have it exposed via Nginx. The UDS has the following label: unconfined_u:object_r:var_run_t:s0.
I've found that I can only make it work, if I build and install the following SELinux module:
================================
require {
type unconfined_t;
type var_run_t;
type httpd_t;
class unix_stream_socket connectto;
class sock_file write;
}
allow httpd_t unconfined_t:unix_stream_socket connectto;
allow httpd_t var_run_t:sock_file write;
================================
If not, then I get the following errors when trying to access the web page which Nginx is expected to proxy to the UDS.
type=AVC msg=audit(1647208194.572:390): avc: denied { connectto } for pid=1837 comm="nginx" path="/run/axum/rust-test/socket" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1648981728.829:612): avc: denied { write } for pid=1688 comm="nginx" name="socket" dev="tmpfs" ino=1415 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
Note how I specifically don't want to connect Nginx to the application with a TCP socket. This is for security reasons (with an UDS, I can better control which user accounts can access the socket), and because I don't want to use some random TCP port which might some day conflict with another applications.
Two questions:
1) Could I make use of some SELinux bool(s) to obtain the same effect? (I would prefer not to have to manage home made SELinux modules.)
2) I'm concerned about audit2allow having introduced "unconfined" in the policy; that sounds excessively intrusive. Is there a way to write the policy without involving something unconstrained?
--
Regards,
Troels
2 years
- 3
- 2
- ← Newer
- 1
- Older →