Howto: Proper SELinux context for systemd-units in /etc/systemd/system

asked 2018-10-06 05:35:17 -0500

lcts

Hi, I'm trying to make some custom systemd units in /etc/systemd/system work with SELinux, but SELinux is preventing access to the executables called from the service files (/usr/sbin/logrotate in my specific case):

  1. the logrotate.service unit is prevented from read, open, execute, and execute_no_trans access to /usr/sbin/logrotate
  2. subsequently, /usr/sbin/logrotate is prevented from everything it needs to do

With a custom policy module that allows access to /usr/sbin/logrotate:

module logrotate-systemd 1.0;

<snip>

#============= init_t ==============
allow init_t logrotate_exec_t:file { execute execute_no_trans open read };
allow init_t logrotate_exec_t:process { noatsecure transition };

#============= logrotate_exec_t ==============
allow logrotate_exec_t self:file entrypoint;

logrotate can be run (fixes (1)), but is again prevented from doing anything (2). Probably this is due to it being executed in the wrong context, so I've tried setting it manually using

SELinuxContext=system_u:object_r:logrotate_exec_t:s0

But this creates a constraint violation, at which point I'm concluding that I'm doing something wrong, because running services from the directory they are supposed to be run from can't be this complicated ...

I've checked the SELinux context of my service files, it's unconfined_u:object_r:systemd_unit_file_t:s0, which is the default for files in that dir, so that seems to be OK.

I would have expected units running with the proper context from the proper dir to Just Work(TM). What am I doing wrong?


3 Answers


answered 2018-10-08 07:02:53 -0500

lcts

@heliosstyx, thanks for that video link, that was quite a helpful talk.

@villykruse, I changed the SELinuxContext to the correct one, that took care of the errors related to logrotate, thanks. However, my service file is being denied the transition:

audit[7448]: AVC avc:  denied  { transition } for  pid=7448 comm="(ogrotate)" path="/usr/sbin/logrotate" dev="sda1" ino=15436 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:logrotate_t:s0 tclass=process permissive=1

The problem is that two transition statements in the policy I ended up with

module logrotate-systemd 1.0;

<snip>

#============= init_t ==============
allow init_t logrotate_exec_t:file { execute execute_no_trans open read };
allow init_t logrotate_exec_t:process { noatsecure transition };
allow init_t logrotate_t:process transition;

#============= logrotate_exec_t ==============
allow logrotate_exec_t self:file entrypoint;

violate process transitioning constraints

constrain process { transition noatsecure siginh rlimitinh dyntransition } (
    (r1 == r2 -Fail-)  or
    (t1 == can_change_process_role)  and (t2 == process_user_target -Fail-)  or
    (t1 == cron_source_domain -Fail-)  and (t2 == cron_job_domain -Fail-)  or
    (t1 == can_system_change -Fail-)  and (r2 == system_r -Fail-)  or (t1 == process_uncond_exempt -Fail-) );
Constraint DENIED

All conditions except for the first one fail at the target (logrotate); the first one fails probably because I'm trying to transition from system_r to object_r, i.e. r1 != r2. However, system_r is what systemd units are supposed to run under, and other system units/timers like mlocate-updatedb.(service|timer) also call executables with object_r yet don't fail.

edit flag offensive delete link more

Comments

You will need to allow these.

allow init_t logrotate_t:process transition is needed for changing the process context to logrotate_t.

allow init_t logrotate_exec_t:file { execute execute_no_trans open read } is needed to allow starting the process.

The relevant rules used when starting logrotate from cron are (in "cil" syntax):

(allow crond_t logrotate_exec_t (file (ioctl read getattr map execute execute_no_trans open)))
(allow crond_t logrotate_t (process (transition)))
(typetransition crond_t logrotate_exec_t process logrotate_t)
villykruse (2018-10-08 07:42:10 -0500)
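As an added example (not code from the thread or from the Fedora policy), the script below turns the crond_t rules quoted in the comment above into their init_t equivalents as a CIL module, and writes a systemd drop-in whose process context passes the r1 == r2 check in the constraint output above (system_r, not object_r, since a process never runs under a file role). The module name, file names and output directory are my choices; the rules themselves are exactly the three the comment shows, with init_t substituted for crond_t.

```shell
#!/bin/sh
# Added example, not code from the original thread. Builds a CIL policy module
# that lets systemd (init_t) transition into logrotate_t when it executes
# /usr/sbin/logrotate, mirroring the crond_t rules quoted above. The module
# name, file names and output directory are assumptions of this example.

MODULE=init_logrotate_transition

# CIL source: the same three rules the comment shows for crond_t, with init_t
# as the source domain. No role rule is needed: crond_t already runs in
# system_r and transitions to logrotate_t, so logrotate_t is already
# authorised for that role in the distribution policy.
emit_cil() {
    cat <<'EOF'
(allow init_t logrotate_exec_t (file (ioctl read getattr map execute execute_no_trans open)))
(allow init_t logrotate_t (process (transition)))
(typetransition init_t logrotate_exec_t process logrotate_t)
EOF
}

# Optional drop-in. With the typetransition rule above the transition happens
# automatically, so SELinuxContext= is only needed if you prefer to state it
# explicitly; the role must then be system_r, because the quoted constraint
# fails on r1 == r2 when the target role is object_r.
emit_dropin() {
    cat <<'EOF'
[Service]
SELinuxContext=system_u:system_r:logrotate_t:s0
EOF
}

# Reject contexts whose role field is object_r (a file role, never a process
# role) or that are not of the form user:role:type:level at all.
validate_process_context() {
    role=$(printf '%s\n' "$1" | cut -s -d: -f2)
    [ -n "$role" ] && [ "$role" != object_r ]
}

# Write the module source into a directory and print its path.
write_module() {
    out="$1/$MODULE.cil"
    emit_cil > "$out" && printf '%s\n' "$out"
}

# Write the drop-in into a directory; on a real system that directory would be
# /etc/systemd/system/logrotate.service.d followed by "systemctl daemon-reload".
write_dropin() {
    out="$1/override.conf"
    emit_dropin > "$out" && printf '%s\n' "$out"
}

# Only install when invoked as "install", so the functions can be sourced or
# tested without root or SELinux tooling. semodule accepts .cil files directly.
if [ "${1:-}" = install ]; then
    cil=$(write_module "${TMPDIR:-/tmp}")
    semodule -i "$cil" && echo "installed $MODULE; check for remaining denials with: ausearch -m avc -ts recent"
fi
```

Run it as `sh init_logrotate_transition.sh install` on the affected host; after a `systemctl start logrotate.service`, a clean `ausearch -m avc -ts recent` confirms the unit now enters logrotate_t without a constraint denial.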

answered 2018-10-06 08:55:47 -0500

villykruse

The logrotate program should run in the logrotate_t context, so try adding

SELinuxContext=unconfined_u:object_r:logrotate_t:s0

to the service file.


answered 2018-10-06 07:51:16 -0500

heliosstyx

Look here: https://ask.fedoraproject.org/en/ques... In the last part of the video, tools are presented that will help you solve your issues (relabeling etc.!). I hope it will help you. So long.
