LinuxQuestions.org
View the Most Wanted LQ Wiki articles.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 04-03-2013, 02:27 PM   #1
bredell
LQ Newbie
 
Registered: Apr 2013
Location: Uppsala, Sweden
Distribution: CentOS
Posts: 3

Rep: Reputation: Disabled
SELinux inconsistent file context


I'm debugging a problem with rsyslogd on a CentOS 6.0 server (I'm not allowed to upgrade). While running the system in permissive mode I got the following entry in the audit log:

type=AVC msg=audit(1365002864.187:22167): avc: denied { search } for pid=27852 comm="rsyslogd" name="/" dev=md6 ino=2 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir

Ok, so the rsyslog daemon is trying to access the root directory and gets denied. So far so good. What puzzles me is the target context that is being logged as default_t. Doing an "ls -ldZ /" produces the following output:

dr-xr-xr-x. root root system_u:object_r:root_t:s0 /

This indicates that the root directory has the context root_t. Why is this different from what's getting logged? Have I completely misunderstood anything about how SELinux contexts work? Does SELinux have an in-memory cache of file contexts, and this cache has become out of sync with the filesystem?

Tomorrow I will try to relabel the root directory to see if this helps. If there is a cache inconsistency maybe changing the context will fix the problem. A reboot is probably in order as well but I want to diagnose and understand the problem before I do that.

Has anyone seen this before?
 
Old 04-04-2013, 01:42 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,944
Blog Entries: 54

Rep: Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731
Good questions but a machine running stock default targeted policy should come with proper constraints for syslogd_t already. If you semanage'd any custom local policies the right way a full relabel should correct things if nothing else happened you didn't tell us about. Note restorecon has a dry run switch so you can get an idea of the extent of changes before applying them.
 
Old 04-04-2013, 05:41 PM   #3
bredell
LQ Newbie
 
Registered: Apr 2013
Location: Uppsala, Sweden
Distribution: CentOS
Posts: 3

Original Poster
Rep: Reputation: Disabled
restorecon has been run and didn't change anything. But the context of the root directory is already correct, it has the context root_t. Also, the policy for rsyslogd seems to permit the search operation for the target root_t. The problem is that SELinux logs error messages where it keeps denying access to the root directory and these log messages indicate that SELinux thinks the root directory has context default_t.

So why does SELinux in the kernel think that the root directory has context default_t, when "ls" says it has context root_t? These shouldn't differ.
 
Old 04-06-2013, 12:16 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,944
Blog Entries: 54

Rep: Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731
Still I'm thinking something else happened you didn't tell us about: your syslog does run with a context of syslogd_t but as user unconfined_u while mine runs as system_u. What happens if you change Rsyslogd to run as system_u? Else :is this a CentOS stock installation? Was anything non-standard forced or did anything happen installation, policy or configuration-wise? Did this Rsyslogd get bolted on from another repo? BTW and why aren't you "allowed" to upgrade? CentOS is at 6u4 now and updates and upgrades may contain fixes.
 
Old 04-08-2013, 10:03 AM   #5
bredell
LQ Newbie
 
Registered: Apr 2013
Location: Uppsala, Sweden
Distribution: CentOS
Posts: 3

Original Poster
Rep: Reputation: Disabled
The system runs an old CentOS 6.0 which hasn't been upgraded and I'm not allowed to upgrade the system, at least not right now.

But I think you're missing my point, or perhaps I wasn't clear in my original posting. I'm not asking about why the access gets denied or what I can do to fix it. What I want to know is why it appears as if the root directory has two different context labels. The "ls" command says that the context is the following:

system_u:object_r:root_t:s0

Yet the error message logged by SELinux says that the root directory has the following context:

system_u:object_r:default_t:s0

Why aren't those two the same?

Last edited by bredell; 04-08-2013 at 10:04 AM. Reason: Removed smilies
 
Old 04-08-2013, 04:43 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,944
Blog Entries: 54

Rep: Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731
Beats me. Prolly should ask on the selinux-devel mailing list.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
what do selinux can't apply partial context to unlabeled file /usr/local/nagios/sbin/ parthipan Linux - Server 1 06-07-2012 01:36 PM
what do selinux can't apply partial context to unlabeled file /usr/local/nagios/sbin/ parthipan Linux - Server 3 06-07-2012 07:15 AM
SELinux: How can I clear the context when I copy a file? walkinmud Linux - Enterprise 3 08-09-2005 11:23 PM
SELinux: How can I clear the context when I copy a file? walkinmud Linux - Security 1 08-09-2005 12:37 AM


All times are GMT -5. The time now is 06:19 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration