On 6/10/19 9:48 AM, Zdenek Pytela wrote:
On Fri, Jun 7, 2019 at 11:31 AM Marko Rauhamaa <marko(a)pacujo.net> wrote:
I have a service I want to start from systemd. The service startup goes
like this:
systemd ----> prog1[label: usr_t] ----> prog2[label: antivirus_exec_t]
However, Fedora's SELinux policies prevent prog2 from starting. If I
change prog2's label to bin_t or usr_t, the service starts fine.
What in Fedora's policies bans antivirus_exec_t from running?
Should I introduce a custom policy that allows that startup combination?
If so, can you tell me what that rule would look like (or what document
would give me the instructions). I already have a simple .te policy so I
know the very basics.
Or should I just label the file with bin_t and be done with it?
Hi Marko,
There is a type transition which makes a usr_t prog1 end up in
unconfined_service_t domain:
# sesearch -T -s init_t -t usr_t -c process
type_transition init_t usr_t:process unconfined_service_t;
but a transition from antivirus_exec_t is defined only for a bunch of
domains:
# sesearch -T -t antivirus_exec_t -c process
type_transition cluster_t antivirus_exec_t:process antivirus_t;
type_transition condor_startd_t antivirus_exec_t:process antivirus_t;
type_transition crond_t antivirus_exec_t:process antivirus_t;
type_transition exim_t antivirus_exec_t:process antivirus_t;
type_transition glusterd_t antivirus_exec_t:process antivirus_t;
type_transition httpd_sys_script_t antivirus_exec_t:process antivirus_t;
type_transition httpd_t antivirus_exec_t:process antivirus_t;
type_transition init_t antivirus_exec_t:process antivirus_t;
type_transition initrc_t antivirus_exec_t:process antivirus_t;
type_transition kdumpctl_t antivirus_exec_t:process antivirus_t;
type_transition mscan_t antivirus_exec_t:process antivirus_t;
type_transition openshift_initrc_t antivirus_exec_t:process antivirus_t;
type_transition piranha_pulse_t antivirus_exec_t:process antivirus_t;
type_transition procmail_t antivirus_exec_t:process antivirus_t;
type_transition system_cronjob_t antivirus_exec_t:process antivirus_t;
BTW, this is not a sysadmin question. Rather it's a product installation
question; the product should work out of the box on Fedora.
The proper way to start a service is using a service unit; in that
case it works out of the box. We cannot, however, suggest any solution
without further information about your setup.
There are several ways to solve this.
Your scenario:
systemd[label: init_t] ----> prog1[label: usr_t] ----> prog2[label: antivirus_exec_t]
What you can do is label prog1 as antivirus_exec_t like:
systemd[label: init_t] ----> prog1[label: antivirus_exec_t] ----> prog2[label: antivirus_exec_t]
Because of domain transition:
# sesearch -T -s init_t -t antivirus_exec_t -c process
type_transition init_t antivirus_exec_t:process antivirus_t;
The first process will run as antivirus_t and then the next one will also
run as antivirus_t.
Or you can specify new domain transitions to have something like:
systemd[label: init_t] ----> prog1[label: antivirus_starter_exec_t] ----> prog2[label: antivirus_exec_t]
But could you please share your use case? It would be helpful.
Thanks,
Lukas.
Marko
_______________________________________________
selinux mailing list -- selinux(a)lists.fedoraproject.org
To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
--
Zdenek Pytela
SELinux product owner and Senior software engineer, Security technologies
E-mail: zpytela(a)redhat.com, IRC: zpytela
--
Lukas Vrabec
Senior Software Engineer, Security Technologies
Red Hat, Inc.
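The second option Lukas sketches (a dedicated starter domain between init_t and antivirus_t) written out as a policy module, as an added example: this is not code from the thread or from Fedora's selinux-policy. The type names antivirus_starter_t and antivirus_starter_exec_t are taken from his diagram; the starter's permission set is an assumption and has to be extended with whatever prog1 really does. The module relies on the standard refpolicy interfaces init_daemon_domain() and domtrans_pattern(), which exist in Fedora's policy, and on the antivirus_t / antivirus_exec_t types shown in the sesearch output above.

```selinux
policy_module(antivirus_starter, 1.0.0)

########################################
#
# Declarations
#

# Types from the base policy that this module refers to directly
# (the same ones listed by the sesearch queries in the thread).
require {
	type antivirus_t;
	type antivirus_exec_t;
}

# Domain for the starter (prog1) and the file type its binary is labelled with.
type antivirus_starter_t;
type antivirus_starter_exec_t;

# init_daemon_domain() declares antivirus_starter_t as a domain, makes
# antivirus_starter_exec_t its entry point and adds the first hop:
#   type_transition init_t antivirus_starter_exec_t:process antivirus_starter_t;
# so a unit started by systemd (init_t) lands in antivirus_starter_t rather
# than in unconfined_service_t, which is where a usr_t binary ends up.
init_daemon_domain(antivirus_starter_t, antivirus_starter_exec_t)

########################################
#
# Policy
#

# domtrans_pattern() grants the starter execute access on antivirus_exec_t
# and adds the second hop:
#   type_transition antivirus_starter_t antivirus_exec_t:process antivirus_t;
# This is the same transition the domains in the sesearch list above get
# from the base policy; the starter is simply added as one more caller.
domtrans_pattern(antivirus_starter_t, antivirus_exec_t, antivirus_t)

# Assumed baseline for a launcher process: search and run binaries, read
# /etc and locale data. Anything else prog1 does (sockets, its own files,
# logging) needs its own rules; audit denials with ausearch -m AVC and
# add only what the starter genuinely requires.
corecmd_exec_bin(antivirus_starter_t)
files_read_etc_files(antivirus_starter_t)
miscfiles_read_localization(antivirus_starter_t)
```

Alongside the .te file you need an antivirus_starter.fc that labels prog1, for example a line of the form `/path/to/prog1 -- gen_context(system_u:object_r:antivirus_starter_exec_t,s0)` with the real path substituted. Build and load with `make -f /usr/share/selinux/devel/Makefile antivirus_starter.pp` and `semodule -i antivirus_starter.pp` (from the selinux-policy-devel package), then run `restorecon -v` on prog1 so the on-disk label matches. To confirm both hops are in the loaded policy before starting the unit, repeat Zdenek's check for each source domain: `sesearch -T -s init_t -t antivirus_starter_exec_t -c process` and `sesearch -T -s antivirus_starter_t -t antivirus_exec_t -c process` should each print exactly one type_transition line. Compared with relabelling prog1 as antivirus_exec_t, this keeps prog1 in its own, smaller domain instead of giving it everything antivirus_t is allowed to do.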