How to create an SELinux exception for individual files?

user5309 · 10-29-2015, 08:25 AM

I use a monitoring tool and on one of my systems that is checked remotely, it calls up a script, which in turn runs systemctl to check the status of a service. This was not working until I put SELinux in permissive mode. However I will not be able to leave this system in permissive mode. I need to use semanage for the exception and place the system back into an enforcing state. I have used semanage before for a process but never for a file. I have been looking over the man page and googling around but I can't seem to figure out the exact command I need to use. So say I need to allow a script called "check_init_service" in the /usr/lib64/application/plugin folder, what is the command I would use with semanage?

Here is a snippet of the error I was seeing in the audit logs before I disabled SELinux.

Code:

type=AVC msg=audit(1446051455.169:3313): avc:  denied  { execute }   for  pid=15388 comm="check_init_serv" name="systemctl" dev="dm-1"  ino=2101040 scontext=system_u:system_r:nrpe_t:s0  tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1446051455.169:3313): arch=c000003e  syscall=59 success=no exit=-13 a0=2098450 a1=209ba50 a2=209c680    a3=7fff573ff5b0 items=0 ppid=15386 pid=15388 auid=4294967295 uid=997    gid=995 euid=997 suid=997 fsuid=997 egid=995 sgid=995 fsgid=995 tty=   (none) ses=4294967295 comm="check_init_serv" exe="/usr/bin/bash"   subj=system_u:system_r:nrpe_t:s0 key=(null)

type=AVC msg=audit(1446051455.169:3314): avc:  denied  { getattr }   for  pid=15388 comm="check_init_serv" path="/usr/bin/systemctl"   dev="dm-1" ino=2101040 scontext=system_u:system_r:nrpe_t:s0    tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1446051455.169:3314): arch=c000003e     syscall=4 success=no exit=-13 a0=2098450 a1=7fff573ff780     a2=7fff573ff780 a3=7fff573ff5b0 items=0 ppid=15386 pid=15388     auid=4294967295 uid=997 gid=995 euid=997 suid=997 fsuid=997 egid=995     sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="check_init_serv"     exe="/usr/bin/bash" subj=system_u:system_r:nrpe_t:s0 key=(null)

type=AVC msg=audit(1446051455.169:3315): avc:  denied  { getattr }     for  pid=15388 comm="check_init_serv" path="/usr/bin/systemctl"    dev="dm-1" ino=2101040 scontext=system_u:system_r:nrpe_t:s0     tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1446051455.169:3315): arch=c000003e   syscall=4 success=no exit=-13 a0=2098450 a1=7fff573ff760   a2=7fff573ff760 a3=7fff573ff5b0 items=0 ppid=15386 pid=15388   auid=4294967295 uid=997 gid=995 euid=997 suid=997 fsuid=997 egid=995   sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="check_init_serv"   exe="/usr/bin/bash" subj=system_u:system_r:nrpe_t:s0 key=(null)

type=AVC msg=audit(1446053257.457:3401): avc:  denied  { read } for     pid=15647 comm="systemctl" name="journal" dev="tmpfs" ino=11584    scontext=system_u:system_r:nrpe_t:s0   tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir

Demosa · 10-29-2015, 09:18 AM

Have you tried using audit2allow?

So what you have is that "check_init_serv" was denied execute and getattr for a file with a "systemd_systemctl_exec_t" label

With the denial logged, start with

Code:

 audit2allow -w -a

This will not change anything yet, but it should give us something a bit more human readable on the error output

Also, if you happen to catch a denial ID in /var/log/messages, run

Code:

 sealert -l ID-number

NOTE: This is going to be a rather iterative process stepping through how to troubleshoot SELinux, so keep an eye on this thread often, and I'll do the same

user5309 · 10-29-2015, 09:57 AM

I see that there are multiple failures for the check_init_service when I run audit2allow. They are type:

Code:

avc:  denied  { read }
avc:  denied  { getattr }
avc:  denied  { execute }
avc:  denied  { execute_no_trans }
avc:  denied  { open }

And each one says the remediation is the same:

Code:

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

I guess my next step is figuring out how to create the module then load it. I did not see any denials being logged in /var/log/messages. Let me know if you are familiar with creating these modules.

The full context of the error is this:

Code:

type=AVC msg=audit(1446129906.503:4939): avc:  denied  { open } for  pid=22433 comm="check_init_serv" path="/usr/bin/systemctl" dev="dm-1" ino=2101040 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

Just substitute the specific deny action for each one. Everything else is the same.

user5309 · 10-29-2015, 10:50 AM

Ok, I just figure this out.

Run this:

Code:

audit2allow -a

This will list all the TE rules that will allow the denied access and reveal all processes that had associated denials. Once you find the one related to the AVC failure in the audit logs (for me it was nrpe_t), run this:

Code:

grep "your object_t" /var/log/audit/audit.log | audit2allow -M <module_name>

You will then get this message

Code:

To make this policy package active, execute:

semodule -i <module_name>.pp

Which you can then run:

Code:

semodule -i <module_name>.pp

Verify that its loaded:

Code:

semanage module -l | grep <module_name>

Then put the system back into enforcing state:

Code:

setenforce 1

Or just modify /etc/selinux/config and reboot.

NOTE - I did this on RHEL7 and you may or may not have the semanage or semodule tools installed. If not just run a "yum provides <command> to find out what package you need and install it.

Demosa · 10-29-2015, 10:51 AM

You beat me to it, that should do the trick.

user5309 · 10-29-2015, 11:08 AM

It worked like a charm for me and I hope this helps others too.