* [refpolicy] Error when using refpolicy with apache httpd service
@ 2011-10-12 12:08 Thuận Đinh
  2011-10-12 12:20 ` Dominick Grift
  0 siblings, 1 reply; 7+ messages in thread
From: Thuận Đinh @ 2011-10-12 12:08 UTC (permalink / raw)
  To: refpolicy

Hi,

I'm new to SELinux in general and am trying to research refpolicy. When I apply
refpolicy on Fedora 15 with the Apache httpd service, I configure
build.conf to type mcs. When I install and load it into the system, I touch
.autorelabel and reboot the system.
After that, I started the httpd service and
checked with the command ps -axZ | grep httpd and saw that this service is run with
type kernel_t:s0.
I think something must be wrong. It must be run as httpd_t, but it is not. I
checked the audit log file and saw that it has this entry:

denied { ioctl } for pid=28591 comm=httpd path="/run/httpd/httpd.pid"
ino=927572 dev=tmpfs scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:httpd_var_run_t:s0:c0.c15 tclass=file

Do you have any idea? Please help me to fix this.

Regards,
Quang Thuan


* [refpolicy] Error when using refpolicy with apache httpd service
  2011-10-12 12:08 [refpolicy] Error when using refpolicy with apache httpd service Thuận Đinh
@ 2011-10-12 12:20 ` Dominick Grift
  2011-10-12 14:58   ` Guido Trentalancia
       [not found]   ` <CAP+-i3CDciFhdjN_uC_GeKavheskc_hCJnDnVxOV2NB4LCTk8g@mail.gmail.com>
  0 siblings, 2 replies; 7+ messages in thread
From: Dominick Grift @ 2011-10-12 12:20 UTC (permalink / raw)
  To: refpolicy

On Wed, 2011-10-12 at 21:08 +0900, Thuận Đinh wrote:
> Hi,
> 
> I'm new to SELinux in general and am trying to research refpolicy. When I
> apply refpolicy on Fedora 15 with the Apache httpd service, I configure
> build.conf to type mcs. When I install and load it into the system, I
> touch .autorelabel and reboot the system.
> After that, I started the httpd service and 
> checked with the command ps -axZ | grep httpd and saw that this service is
> run with type kernel_t:s0.
> I think something must be wrong. It must be run as httpd_t, but it is not.
> I checked the audit log file and saw that it has this entry:
> 
> denied { ioctl } for pid=28591 comm=httpd path="/run/httpd/httpd.pid"
> ino=927572 dev=tmpfs scontext=system_u:system_r:kernel_t:s0
> tcontext=system_u:object_r:httpd_var_run_t:s0:c0.c15 tclass=file
> 
> Do you have any idea? Please help me to fix this.


Looks like kernel_t never transitioned to the init_t domain. I am not
sure what kind of init system you are using, but its executable file
should be labelled init_exec_t, I believe, so that kernel_t can use that
as an entry file to the init_t domain.

It might just be a labelling issue (make sure to relabel the file system).

Also, what's the output of sestatus -v?
> 
> Regard, 
> Quang Thuan 
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

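The check Dominick describes, as an added example that is not code from the thread or from refpolicy: it takes the context of PID 1 and of the real init binary and reports whether kernel_t ever found its entry point into init_t. The function names and exit codes are mine; the live part uses ps -o label, readlink -f, stat -c %C and matchpathcon, and is skipped when SELinux is not enabled so the script runs anywhere.

```shell
#!/bin/sh
# Added diagnostic for the symptom in the thread (services running in
# kernel_t). Not code from refpolicy or from the thread. Assumes a
# refpolicy-derived policy where PID 1 must run in init_t and the file it
# was executed from must be labelled init_exec_t.

# type_of CONTEXT: print the type field of a security context
# (user:role:type[:range]), e.g. kernel_t from system_u:system_r:kernel_t:s0
type_of() {
    printf '%s\n' "$1" | awk -F: '{ print $3 }'
}

# diagnose_init_entry PID1_CONTEXT INIT_BINARY_CONTEXT
# Exit status: 0 init transitioned correctly; 1 the init binary is not
# labelled init_exec_t, so kernel_t has no entry point into init_t;
# 2 the label is right but PID 1 still did not transition.
diagnose_init_entry() {
    pid1_type=$(type_of "$1")
    bin_type=$(type_of "$2")
    if [ "$pid1_type" = "init_t" ]; then
        echo "ok: PID 1 runs in init_t"
        return 0
    fi
    if [ "$bin_type" != "init_exec_t" ]; then
        echo "init binary is labelled $bin_type, expected init_exec_t:"
        echo "kernel_t has no entry point into init_t, so every service inherits $pid1_type"
        return 1
    fi
    echo "PID 1 is $pid1_type although the binary is init_exec_t;"
    echo "check the transition rule: sesearch -T -s kernel_t -t init_exec_t -c process"
    return 2
}

# live_check: gather the two contexts from the running system. Skipped when
# SELinux is not enabled so the script stays runnable elsewhere.
live_check() {
    if ! command -v selinuxenabled >/dev/null 2>&1 || ! selinuxenabled; then
        echo "SELinux not enabled here; skipping live check"
        return 0
    fi
    init_path=$(readlink -f /sbin/init)      # the symlink target is what gets executed
    pid1_ctx=$(ps -o label= -p 1)
    init_ctx=$(stat -c %C "$init_path")
    echo "PID 1: $pid1_ctx"
    echo "$init_path: $init_ctx (policy expects: $(matchpathcon -n "$init_path"))"
    diagnose_init_entry "$pid1_ctx" "$init_ctx"
}

# Constructed input: the contexts reported in the thread (httpd still in
# kernel_t, the init target labelled bin_t). Expected verdict is exit status 1.
diagnose_init_entry "system_u:system_r:kernel_t:s0" "system_u:object_r:bin_t:s0" \
    || echo "exit status $?"
live_check
```

The httpd denial in the first message is a downstream symptom of the same thing: init never left kernel_t, httpd inherited kernel_t from it, and kernel_t has no rules for httpd_var_run_t. Fixing the label of the init binary and relabelling is what makes httpd end up in httpd_t.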

* [refpolicy] Error when using refpolicy with apache httpd service
  2011-10-12 12:20 ` Dominick Grift
@ 2011-10-12 14:58   ` Guido Trentalancia
       [not found]   ` <CAP+-i3CDciFhdjN_uC_GeKavheskc_hCJnDnVxOV2NB4LCTk8g@mail.gmail.com>
  1 sibling, 0 replies; 7+ messages in thread
From: Guido Trentalancia @ 2011-10-12 14:58 UTC (permalink / raw)
  To: refpolicy

On Wed, 2011-10-12 at 14:20 +0200, Dominick Grift wrote:
> On Wed, 2011-10-12 at 21:08 +0900, Thuận Đinh wrote:
> > Hi,
> > 
> > I'm new to SELinux in general and am trying to research refpolicy. When I
> > apply refpolicy on Fedora 15 with the Apache httpd service, I configure
> > build.conf to type mcs. When I install and load it into the system, I
> > touch .autorelabel and reboot the system.
> > After that, I started the httpd service and 
> > checked with the command ps -axZ | grep httpd and saw that this service is
> > run with type kernel_t:s0.
> > I think something must be wrong. It must be run as httpd_t, but it is not.
> > I checked the audit log file and saw that it has this entry:
> > 
> > denied { ioctl } for pid=28591 comm=httpd path="/run/httpd/httpd.pid"
> > ino=927572 dev=tmpfs scontext=system_u:system_r:kernel_t:s0
> > tcontext=system_u:object_r:httpd_var_run_t:s0:c0.c15 tclass=file
> > 
> > Do you have any idea? Please help me to fix this.
> 
> Looks like kernel_t never transitioned to the init_t domain. I am not
> sure what kind of init system you are using, but its executable file
> should be labelled init_exec_t, I believe, so that kernel_t can use that
> as an entry file to the init_t domain.
> 
> It might just be a labelling issue (make sure to relabel the file system).
> 
> Also, what's the output of sestatus -v?

He/she is probably using upstart as init and therefore needs:

setsebool -P init_upstart=on

If systemd is being used, then it might need a patch (eventually derived
from Fedora) and then:

setsebool -P init_systemd=on
 
Regards,

Guido


* [refpolicy] Error when using refpolicy with apache httpd service
       [not found]       ` <CAP+-i3Bz7NXpQc7uEGiP2n=U-g2R4itj=H38i9cfD6HrCU9Nyg@mail.gmail.com>
@ 2011-10-12 15:15         ` Dominick Grift
  2011-10-12 15:39           ` Guido Trentalancia
  0 siblings, 1 reply; 7+ messages in thread
From: Dominick Grift @ 2011-10-12 15:15 UTC (permalink / raw)
  To: refpolicy

On Thu, 2011-10-13 at 00:08 +0900, Thuận Đinh wrote:
> Hi,
> 
> I find it very strange that /sbin/init is labeled bin_t.
> 
> /sbin/init points to /bin/systemd.
> 
> I checked that /system/init.fc has defined: 
> 
> /sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
> # because nowadays, /sbin/init is often a symlink to /sbin/upstart
> /sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
> 
> So, I changed it to: 
> 
> /bin/systemd     -- gen_context(system_u:object_r:init_exec_t,s0)
> /sbin/init       -- gen_context(system_u:object_r:init_exec_t,s0)
> 
> And then I make, install, load and relabel it again.
> 
> But after that, /sbin/init is still labeled bin_t (whereas
> /bin/systemd now has init_exec_t).
> 
> I find it very strange. So, I tried to relabel it with the command: 
> 
> chcon -t init_exec_t /sbin/init 

The /sbin/init symbolic link can be bin_t, no problem.

/sbin/systemd though should be type init_exec_t.

The problem is that reference policy currently does not support systemd.

systemd is not stable yet.

refpolicy is waiting until systemd is stable before it will support it,
because there are too many changes happening to systemd currently.

You could probably, at least to some extent, work around the issues by
making init an unconfined domain, but that will probably cause issues as
well. So if you are not comfortable with SELinux you may want to avoid
that.

Instead, use the policy provided/supported by your distribution.

> but it is still labeled sbin_t too.
> 
> I don't know why and have no idea.
> 
> My system is Fedora 15 and uses the latest refpolicy.
> I followed, step by step, these instructions:
> http://oss.tresys.com/projects/refpolicy/wiki/UseRefpolicy
> 
> Please help me.
> 
> Regards, 
> Quang Thuan
> 

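Why the symlink kept bin_t, as an added example that is not code from refpolicy or from the thread: a small emulation of how file_contexts entries select a label. It assumes libselinux semantics as I understand them: each regex is anchored at both ends, the optional second field restricts the entry to one kind of object (-- regular file, -l symlink, -d directory, and so on), and of the entries that match, the last one wins, which is why refpolicy runs fc_sort so that more specific entries land later in the installed file. The sample spec list is constructed from the init.fc lines quoted above plus the generic bin_t entries for /bin and /sbin, which I reproduce from memory of corecommands.fc.

```shell
#!/bin/sh
# Added example, not code from refpolicy or the thread. Emulates how
# file_contexts entries select a label, assuming libselinux semantics:
# regex anchored at both ends, optional object-kind field (-- regular file,
# -l symlink, -d directory, ...), and the last matching entry wins.

# fc_lookup SPECS PATH KIND: print the SELinux type that SPECS assign to
# PATH when the object is of KIND (-- or -l here); "(unlabeled)" if none.
fc_lookup() {
    printf '%s\n' "$1" | awk -v path="$2" -v kind="$3" '
        NF == 0 || $1 ~ /^#/ { next }                  # blank lines and comments
        {
            regex = $1
            if (NF >= 3) { spec_kind = $2; ctx = $3 } else { spec_kind = ""; ctx = $2 }
            if (spec_kind != "" && spec_kind != kind) next   # entry limited to another object kind
            if (path ~ ("^" regex "$")) last = ctx          # a later match overrides an earlier one
        }
        END {
            if (last == "" || last == "<<none>>") { print "(unlabeled)"; exit }
            sub(/^gen_context\(/, "", last); sub(/,.*$/, "", last)   # gen_context(u:r:t,s0) -> u:r:t
            split(last, f, ":"); print f[3]
        }'
}

# Constructed sample: the init.fc lines quoted in the thread plus the
# generic /bin and /sbin entries from corecommands.fc (from memory), hand
# ordered generic-to-specific as fc_sort would leave them.
SPECS='
/bin(/.*)?           gen_context(system_u:object_r:bin_t,s0)
/sbin(/.*)?          gen_context(system_u:object_r:bin_t,s0)
/sbin/init(ng)?  --  gen_context(system_u:object_r:init_exec_t,s0)
/sbin/upstart    --  gen_context(system_u:object_r:init_exec_t,s0)
/bin/systemd     --  gen_context(system_u:object_r:init_exec_t,s0)
'

# Show what each object gets: the symlink /sbin/init never matches a "--"
# entry and keeps bin_t, while the regular file /bin/systemd gets init_exec_t.
for obj in "/sbin/init -l" "/sbin/init --" "/bin/systemd --" "/bin/systemd -l"; do
    set -- $obj
    printf '%-13s %s  -> %s\n' "$1" "$2" "$(fc_lookup "$SPECS" "$1" "$2")"
done
```

Both init.fc entries carry --, so they only ever apply to regular files: /sbin/init, being a symlink, falls through to the generic /sbin(/.*)? entry and stays bin_t, which is exactly what Dominick says is fine. What matters for the kernel_t to init_t transition is the label of the file actually executed, the symlink target. Note also that chcon follows symlinks unless given -h, so chcon -t init_exec_t /sbin/init relabels /bin/systemd, and ls -Z /sbin/init keeps showing the link's own label; compare matchpathcon -n /bin/systemd with ls -lZ /bin/systemd after restorecon to confirm the target is right.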

* [refpolicy] Error when using refpolicy with apache httpd service
  2011-10-12 15:15         ` Dominick Grift
@ 2011-10-12 15:39           ` Guido Trentalancia
  2011-10-24  4:25             ` Justin Mattock
  0 siblings, 1 reply; 7+ messages in thread
From: Guido Trentalancia @ 2011-10-12 15:39 UTC (permalink / raw)
  To: refpolicy

On Wed, 2011-10-12 at 17:15 +0200, Dominick Grift wrote:
> On Thu, 2011-10-13 at 00:08 +0900, Thuận Đinh wrote:
> > Hi,
> > 
> > I find it very strange that /sbin/init is labeled bin_t.
> > 
> > /sbin/init points to /bin/systemd.
> > 
> > I checked that /system/init.fc has defined: 
> > 
> > /sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
> > # because nowadays, /sbin/init is often a symlink to /sbin/upstart
> > /sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
> > 
> > So, I changed it to: 
> > 
> > /bin/systemd     -- gen_context(system_u:object_r:init_exec_t,s0)
> > /sbin/init       -- gen_context(system_u:object_r:init_exec_t,s0)
> > 
> > And then I make, install, load and relabel it again.
> > 
> > But after that, /sbin/init is still labeled bin_t (whereas
> > /bin/systemd now has init_exec_t).
> > 
> > I find it very strange. So, I tried to relabel it with the command: 
> > 
> > chcon -t init_exec_t /sbin/init 
> 
> The /sbin/init symbolic link can be bin_t, no problem.
> 
> /sbin/systemd though should be type init_exec_t.
> 
> The problem is that reference policy currently does not support systemd.
> 
> systemd is not stable yet.
> 
> refpolicy is waiting until systemd is stable before it will support it,
> because there are too many changes happening to systemd currently.
> 
> You could probably, at least to some extent, work around the issues by
> making init an unconfined domain, but that will probably cause issues as
> well. So if you are not comfortable with SELinux you may want to avoid
> that.
> 
> Instead, use the policy provided/supported by your distribution.

Consider that Justin Mattock has recently submitted an initial patch (derived
from F15, I suppose) for better supporting systemd in the reference
policy:

18th September 2011
[RFC 1/2]selinux-contrib: add systemd support to refpolicy git
[RFC 2/2] refpolicy: add systemd support to tresys main policy

It's probably worth trying that out (along with the init_systemd
boolean), if it's using systemd...

Regards,

Guido


* [refpolicy] Error when using refpolicy with apache httpd service
  2011-10-12 15:39           ` Guido Trentalancia
@ 2011-10-24  4:25             ` Justin Mattock
  2011-10-24 14:53               ` Justin Mattock
  0 siblings, 1 reply; 7+ messages in thread
From: Justin Mattock @ 2011-10-24  4:25 UTC (permalink / raw)
  To: refpolicy

Yeah, anybody who has the time to go through that patch set, feel free..
Last I remember I was hitting some sandbox error for some reason, then ran out of
time due to external obligations. Maybe if the weekend permits I can have another go at
it.. As for the patch, I pretty much just grepped Dan's git tree for systemd then copied it to refpolicy,
but there is probably more to it than just grepping.

Justin P. Mattock



* [refpolicy] Error when using refpolicy with apache httpd service
  2011-10-24  4:25             ` Justin Mattock
@ 2011-10-24 14:53               ` Justin Mattock
  0 siblings, 0 replies; 7+ messages in thread
From: Justin Mattock @ 2011-10-24 14:53 UTC (permalink / raw)
  To: refpolicy

Doing a Google search I am only able to find the first revision sent for this on the 18th of September.
It seems my second revision did not make it through to the list. Anyway, here is my backup of the two patches:

http://fpaste.org/FLfg/
http://fpaste.org/5r5t/

I will try and plug this in again over the weekend to see if I can get it running.

cheers,

Justin P. Mattock


