[refpolicy] Error when using refpolicy with apache httpd service
From: Thuận Đinh @ 2011-10-12 12:08 UTC
To: refpolicy
Hi,

I'm new to SELinux in general and am trying to research refpolicy. When I apply
refpolicy on Fedora 15 with the Apache httpd service, I configure the
build.config to type mcs. When I install and load it into the system, I touch
.autorelabel and reboot the system.
After that, I started the httpd service and
checked with the command: ps -axZ | grep httpd and saw that this service is run by
type kernel_t:s0
I think something must be wrong. It must be run by httpd_t but it is not. I
checked the audit log file and saw that it has a log entry

denied { ioctl } for pid=28591 comm=httpd path="/run/httpd/httpd.pid"
ino=927572 dev=tmpfs scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:httpd_var_run_t:s0:c0.c15 tclass=file

Do you have any idea? Please help me to fix this.

Regards,
Quang Thuan
[refpolicy] Error when using refpolicy with apache httpd service
From: Dominick Grift @ 2011-10-12 12:20 UTC
To: refpolicy

On Wed, 2011-10-12 at 21:08 +0900, Thuận Đinh wrote:
> Hi,
>
> I'm new to SELinux in general and am trying to research refpolicy. When I apply
> refpolicy on Fedora 15 with the Apache httpd service, I configure the
> build.config to type mcs. When I install and load it into the system, I
> touch .autorelabel and reboot the system.
> After that, I started the httpd service and
> checked with the command: ps -axZ | grep httpd and saw that this service is
> run by type kernel_t:s0
> I think something must be wrong. It must be run by httpd_t but it is not.
> I checked the audit log file and saw that it has a log entry
>
> denied { ioctl } for pid=28591 comm=httpd path="/run/httpd/httpd.pid"
> ino=927572 dev=tmpfs scontext=system_u:system_r:kernel_t:s0
> tcontext=system_u:object_r:httpd_var_run_t:s0:c0.c15 tclass=file
>
> Do you have any idea? Please help me to fix this.

Looks like kernel_t never transitioned to the init_t domain. I am not
sure what kind of init system you are using but its executable file
should be labelled init_exec_t I believe so that kernel_t can use that
as an entry file to the init_t domain.

might just be a labelling issue (make sure to relabel the file system)

also whats the output of sestatus -v?

> Regards,
> Quang Thuan
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
[refpolicy] Error when using refpolicy with apache httpd service
From: Guido Trentalancia @ 2011-10-12 14:58 UTC
To: refpolicy

On Wed, 2011-10-12 at 14:20 +0200, Dominick Grift wrote:
> On Wed, 2011-10-12 at 21:08 +0900, Thuận Đinh wrote:
> > Hi,
> >
> > I'm new to SELinux in general and am trying to research refpolicy. When I apply
> > refpolicy on Fedora 15 with the Apache httpd service, I configure the
> > build.config to type mcs. When I install and load it into the system, I
> > touch .autorelabel and reboot the system.
> > After that, I started the httpd service and
> > checked with the command: ps -axZ | grep httpd and saw that this service is
> > run by type kernel_t:s0
> > I think something must be wrong. It must be run by httpd_t but it is not.
> > I checked the audit log file and saw that it has a log entry
> >
> > denied { ioctl } for pid=28591 comm=httpd path="/run/httpd/httpd.pid"
> > ino=927572 dev=tmpfs scontext=system_u:system_r:kernel_t:s0
> > tcontext=system_u:object_r:httpd_var_run_t:s0:c0.c15 tclass=file
> >
> > Do you have any idea? Please help me to fix this.
>
> Looks like kernel_t never transitioned to the init_t domain. I am not
> sure what kind of init system you are using but its executable file
> should be labelled init_exec_t I believe so that kernel_t can use that
> as an entry file to the init_t domain.
>
> might just be a labelling issue (make sure to relabel the file system)
>
> also whats the output of sestatus -v?

He/she is probably using upstart as init and therefore needs:

setsebool -P init_upstart=on

If systemd is being used, then it might need a patch (eventually derived
from Fedora) and then:

setsebool -P init_systemd=on

Regards,

Guido
[refpolicy] Error when using refpolicy with apache httpd service
From: Dominick Grift @ 2011-10-12 15:15 UTC
To: refpolicy

On Thu, 2011-10-13 at 00:08 +0900, Thuận Đinh wrote:
> Hi,
>
> I find it very strange that /sbin/init is labeled bin_t
>
> /sbin/init points to /bin/systemd
>
> I checked in /system/init.fc, which has defined:
>
> /sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
> # because nowadays, /sbin/init is often a symlink to /sbin/upstart
> /sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
>
> So, I changed it to:
>
> /bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
> /sbin/init -- gen_context(system_u:object_r:init_exec_t,s0)
>
> And then, I make, install, load and relabel it again.
>
> But after that, /sbin/init is still labeled bin_t (whereas
> /bin/systemd now has init_exec_t)
>
> I find this very strange. So, I tried to relabel it with the command:
>
> chcon -t init_exec_t /sbin/init

The /sbin/init symbolic link can be bin_t, no problem.

/sbin/systemd though should be type init_exec_t.

The problem is that reference policy currently does not support systemd.

systemd is not stable yet.

refpolicy is waiting until systemd is stable before she will support it,
because there are too many changes happening to systemd currently.

You could probably, at least to some extent, work around the issues by
making init an unconfined domain, but that will probably cause issues as
well. So if you are not comfortable with selinux you may want to avoid
that.

Instead use the policy provided/supported by your distribution.

> but it is still labeled sbin_t too.
>
> I don't know why and have no idea.
>
> My system is Fedora 15 and using the latest refpolicy
> I followed step by step this introduction:
> http://oss.tresys.com/projects/refpolicy/wiki/UseRefpolicy
>
> Please help me.
>
> Regards,
> Quang Thuan
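As an added diagnostic helper (not from the thread, and not refpolicy's own tooling), the following POSIX shell script covers both of Dominick's points: it pulls the source and target types out of an AVC record like the one in the first message and flags the kernel_t-source pattern that indicates PID 1 never transitioned to init_t, and, on a live SELinux host, it resolves the /sbin/init symlink and compares the label of the real init binary with the init_exec_t type he says it must carry (the symlink itself being bin_t is fine). The first AVC line is the one posted in the thread; the second record, the audit-field layout assumed by `avc_field`, and all function names are my own constructions.

```shell
#!/bin/sh
# Added example (not from the refpolicy thread): diagnose a service that runs
# in kernel_t instead of its own domain, and check the init binary's label.

# Return the type component (3rd colon-separated field) of an SELinux context,
# e.g. "system_u:system_r:kernel_t:s0" -> "kernel_t".
context_type() {
    printf '%s\n' "$1" | awk -F: '{ print $3 }'
}

# Pull the value of a space-delimited key=value field (scontext, tcontext,
# comm, pid, ...) out of one AVC record. $1 = record, $2 = key.
# Assumption: fields are separated by whitespace, as in audit.log output.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Classify an AVC denial. A source domain of kernel_t acting on a service's
# own file type means the kernel never transitioned PID 1 into init_t, so
# every service init started inherited kernel_t (Dominick's diagnosis).
# Any other source domain is an ordinary per-domain denial.
diagnose_avc() {
    src=$(context_type "$(avc_field "$1" scontext)")
    tgt=$(context_type "$(avc_field "$1" tcontext)")
    case "$src" in
        kernel_t) echo "init-transition-missing source=$src target=$tgt" ;;
        *)        echo "domain-specific-denial source=$src target=$tgt" ;;
    esac
}

# Live check, only meaningful on an SELinux-enabled host: does PID 1 run in
# init_t, and does the binary /sbin/init resolves to carry init_exec_t?
# Exit status 0 when both hold, 1 otherwise, 2 when SELinux is not present.
check_init_labels() {
    [ -d /sys/fs/selinux ] || return 2
    pid1_type=$(context_type "$(ps -o label= -p 1)")
    init_bin=$(readlink -f /sbin/init)
    init_type=$(context_type "$(stat -c %C "$init_bin")")
    echo "pid1=$pid1_type init=$init_bin label=$init_type"
    [ "$pid1_type" = init_t ] && [ "$init_type" = init_exec_t ]
}

# Sample input 1: the AVC record quoted in the first message of the thread.
SAMPLE_AVC='denied { ioctl } for pid=28591 comm=httpd path="/run/httpd/httpd.pid" ino=927572 dev=tmpfs scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0:c0.c15 tclass=file'

# Sample input 2 (constructed, not from the thread): a denial whose source is
# already httpd_t, i.e. the init transition worked and the issue lies elsewhere.
OTHER_AVC='denied { write } for pid=1234 comm=httpd path="/var/log/httpd/access_log" ino=1 dev=sda1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file'

diagnose_avc "$SAMPLE_AVC"
diagnose_avc "$OTHER_AVC"
check_init_labels || echo "init labelling check: status $? (2 = no SELinux on this host)"
```

On Thuận's Fedora 15 box the live check would be expected to print a pid1 type of kernel_t and a bin_t or sbin_t label on the resolved systemd binary; once the init binary is labelled init_exec_t and the filesystem relabelled, both values should flip to init_t and init_exec_t. `ps -o label=` and `stat -c %C` are procps and GNU coreutils options respectively; `readlink -f` follows the symlink chain so the check inspects the real binary rather than the link Dominick says may stay bin_t.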
[refpolicy] Error when using refpolicy with apache httpd service
From: Guido Trentalancia @ 2011-10-12 15:39 UTC
To: refpolicy

On Wed, 2011-10-12 at 17:15 +0200, Dominick Grift wrote:
> On Thu, 2011-10-13 at 00:08 +0900, Thuận Đinh wrote:
> > Hi,
> >
> > I find it very strange that /sbin/init is labeled bin_t
> >
> > /sbin/init points to /bin/systemd
> >
> > I checked in /system/init.fc, which has defined:
> >
> > /sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
> > # because nowadays, /sbin/init is often a symlink to /sbin/upstart
> > /sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
> >
> > So, I changed it to:
> >
> > /bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
> > /sbin/init -- gen_context(system_u:object_r:init_exec_t,s0)
> >
> > And then, I make, install, load and relabel it again.
> >
> > But after that, /sbin/init is still labeled bin_t (whereas
> > /bin/systemd now has init_exec_t)
> >
> > I find this very strange. So, I tried to relabel it with the command:
> >
> > chcon -t init_exec_t /sbin/init
>
> The /sbin/init symbolic link can be bin_t, no problem.
>
> /sbin/systemd though should be type init_exec_t.
>
> The problem is that reference policy currently does not support systemd.
>
> systemd is not stable yet.
>
> refpolicy is waiting until systemd is stable before she will support it,
> because there are too many changes happening to systemd currently.
>
> You could probably, at least to some extent, work around the issues by
> making init an unconfined domain, but that will probably cause issues as
> well. So if you are not comfortable with selinux you may want to avoid
> that.
>
> Instead use the policy provided/supported by your distribution.

Consider that Justin Mattock has recently submitted an initial patch
(derived from F15, I suppose) for better supporting systemd in the
reference policy:

18th September 2011
[RFC 1/2] selinux-contrib: add systemd support to refpolicy git
[RFC 2/2] refpolicy: add systemd support to tresys main policy

It's probably worth trying that out (along with the init_systemd
boolean), if it's using systemd...

Regards,

Guido
[refpolicy] Error when using refpolicy with apache httpd service
From: Justin Mattock @ 2011-10-24 4:25 UTC
To: refpolicy

----- Original Message -----
From: Guido Trentalancia <guido@trentalancia.com>
To: Dominick Grift <dominick.grift@gmail.com>
Cc: refpolicy <refpolicy@oss.tresys.com>
Sent: Wednesday, October 12, 2011 8:39 AM
Subject: Re: [refpolicy] Error when using refpolicy with apache httpd service

On Wed, 2011-10-12 at 17:15 +0200, Dominick Grift wrote:
> On Thu, 2011-10-13 at 00:08 +0900, Thuận Đinh wrote:
> > Hi,
> >
> > I find it very strange that /sbin/init is labeled bin_t
> >
> > /sbin/init points to /bin/systemd
> >
> > I checked in /system/init.fc, which has defined:
> >
> > /sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
> > # because nowadays, /sbin/init is often a symlink to /sbin/upstart
> > /sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
> >
> > So, I changed it to:
> >
> > /bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
> > /sbin/init -- gen_context(system_u:object_r:init_exec_t,s0)
> >
> > And then, I make, install, load and relabel it again.
> >
> > But after that, /sbin/init is still labeled bin_t (whereas
> > /bin/systemd now has init_exec_t)
> >
> > I find this very strange. So, I tried to relabel it with the command:
> >
> > chcon -t init_exec_t /sbin/init
>
> The /sbin/init symbolic link can be bin_t, no problem.
>
> /sbin/systemd though should be type init_exec_t.
>
> The problem is that reference policy currently does not support systemd.
>
> systemd is not stable yet.
>
> refpolicy is waiting until systemd is stable before she will support it,
> because there are too many changes happening to systemd currently.
>
> You could probably, at least to some extent, work around the issues by
> making init an unconfined domain, but that will probably cause issues as
> well. So if you are not comfortable with selinux you may want to avoid
> that.
>
> Instead use the policy provided/supported by your distribution.

Consider that Justin Mattock has recently submitted an initial patch
(derived from F15, I suppose) for better supporting systemd in the
reference policy:

18th September 2011
[RFC 1/2] selinux-contrib: add systemd support to refpolicy git
[RFC 2/2] refpolicy: add systemd support to tresys main policy

It's probably worth trying that out (along with the init_systemd
boolean), if it's using systemd...

Regards,

Guido

yeah, anybody who has the time to go through that patch set, feel free..
last I remember I was hitting some sandbox error for some reason, then
ran out of time due to external obligations. maybe if the weekend is
permitting I can have another go at it.. as for the patch I pretty much
just grepped Dan's git tree for systemd then copied it to refpolicy, but
there is probably more to it than just grepping.

Justin P. Mattock
[refpolicy] Error when using refpolicy with apache httpd service
From: Justin Mattock @ 2011-10-24 14:53 UTC
To: refpolicy

----- Original Message -----
From: Justin Mattock <justinmattock@yahoo.com>
To: Guido Trentalancia <guido@trentalancia.com>; Dominick Grift <dominick.grift@gmail.com>
Cc: refpolicy <refpolicy@oss.tresys.com>
Sent: Sunday, October 23, 2011 9:25 PM
Subject: Re: [refpolicy] Error when using refpolicy with apache httpd service

----- Original Message -----
From: Guido Trentalancia <guido@trentalancia.com>
To: Dominick Grift <dominick.grift@gmail.com>
Cc: refpolicy <refpolicy@oss.tresys.com>
Sent: Wednesday, October 12, 2011 8:39 AM
Subject: Re: [refpolicy] Error when using refpolicy with apache httpd service

On Wed, 2011-10-12 at 17:15 +0200, Dominick Grift wrote:
> On Thu, 2011-10-13 at 00:08 +0900, Thuận Đinh wrote:
> > Hi,
> >
> > I find it very strange that /sbin/init is labeled bin_t
> >
> > /sbin/init points to /bin/systemd
> >
> > I checked in /system/init.fc, which has defined:
> >
> > /sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
> > # because nowadays, /sbin/init is often a symlink to /sbin/upstart
> > /sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
> >
> > So, I changed it to:
> >
> > /bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
> > /sbin/init -- gen_context(system_u:object_r:init_exec_t,s0)
> >
> > And then, I make, install, load and relabel it again.
> >
> > But after that, /sbin/init is still labeled bin_t (whereas
> > /bin/systemd now has init_exec_t)
> >
> > I find this very strange. So, I tried to relabel it with the command:
> >
> > chcon -t init_exec_t /sbin/init
>
> The /sbin/init symbolic link can be bin_t, no problem.
>
> /sbin/systemd though should be type init_exec_t.
>
> The problem is that reference policy currently does not support systemd.
>
> systemd is not stable yet.
>
> refpolicy is waiting until systemd is stable before she will support it,
> because there are too many changes happening to systemd currently.
>
> You could probably, at least to some extent, work around the issues by
> making init an unconfined domain, but that will probably cause issues as
> well. So if you are not comfortable with selinux you may want to avoid
> that.
>
> Instead use the policy provided/supported by your distribution.

Consider that Justin Mattock has recently submitted an initial patch
(derived from F15, I suppose) for better supporting systemd in the
reference policy:

18th September 2011
[RFC 1/2] selinux-contrib: add systemd support to refpolicy git
[RFC 2/2] refpolicy: add systemd support to tresys main policy

It's probably worth trying that out (along with the init_systemd
boolean), if it's using systemd...

Regards,

Guido

yeah, anybody who has the time to go through that patch set, feel free..
last I remember I was hitting some sandbox error for some reason, then
ran out of time due to external obligations. maybe if the weekend is
permitting I can have another go at it.. as for the patch I pretty much
just grepped Dan's git tree for systemd then copied it to refpolicy, but
there is probably more to it than just grepping.

Justin P. Mattock

doing a google search I am only able to find the first revision sent for
this on the 18th of September. seems my second revision did not make it
through to the list. anyway here is my backup of the two patches..:

http://fpaste.org/FLfg/
http://fpaste.org/5r5t/

I will try and plug this in again over the weekend to see if I can get
it running.

cheers,

Justin P. Mattock