LinuxQuestions.org
10-29-2015, 08:25 AM   #1
user5309 (LQ Newbie)
How to create an SELinux exception for individual files?


I use a monitoring tool and on one of my systems that is checked remotely, it calls up a script, which in turn runs systemctl to check the status of a service. This was not working until I put SELinux in permissive mode. However I will not be able to leave this system in permissive mode. I need to use semanage for the exception and place the system back into an enforcing state. I have used semanage before for a process but never for a file. I have been looking over the man page and googling around but I can't seem to figure out the exact command I need to use. So say I need to allow a script called "check_init_service" in the /usr/lib64/application/plugin folder, what is the command I would use with semanage?

Here is a snippet of the error I was seeing in the audit logs before I disabled SELinux.

Code:
type=AVC msg=audit(1446051455.169:3313): avc:  denied  { execute }  for  pid=15388 comm="check_init_serv" name="systemctl" dev="dm-1" ino=2101040 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1446051455.169:3313): arch=c000003e syscall=59 success=no exit=-13 a0=2098450 a1=209ba50 a2=209c680 a3=7fff573ff5b0 items=0 ppid=15386 pid=15388 auid=4294967295 uid=997 gid=995 euid=997 suid=997 fsuid=997 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="check_init_serv" exe="/usr/bin/bash" subj=system_u:system_r:nrpe_t:s0 key=(null)

type=AVC msg=audit(1446051455.169:3314): avc:  denied  { getattr }  for  pid=15388 comm="check_init_serv" path="/usr/bin/systemctl" dev="dm-1" ino=2101040 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1446051455.169:3314): arch=c000003e syscall=4 success=no exit=-13 a0=2098450 a1=7fff573ff780 a2=7fff573ff780 a3=7fff573ff5b0 items=0 ppid=15386 pid=15388 auid=4294967295 uid=997 gid=995 euid=997 suid=997 fsuid=997 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="check_init_serv" exe="/usr/bin/bash" subj=system_u:system_r:nrpe_t:s0 key=(null)

type=AVC msg=audit(1446051455.169:3315): avc:  denied  { getattr }  for  pid=15388 comm="check_init_serv" path="/usr/bin/systemctl" dev="dm-1" ino=2101040 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1446051455.169:3315): arch=c000003e syscall=4 success=no exit=-13 a0=2098450 a1=7fff573ff760 a2=7fff573ff760 a3=7fff573ff5b0 items=0 ppid=15386 pid=15388 auid=4294967295 uid=997 gid=995 euid=997 suid=997 fsuid=997 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="check_init_serv" exe="/usr/bin/bash" subj=system_u:system_r:nrpe_t:s0 key=(null)

type=AVC msg=audit(1446053257.457:3401): avc:  denied  { read }  for  pid=15647 comm="systemctl" name="journal" dev="tmpfs" ino=11584 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir
 
10-29-2015, 09:18 AM   #2
Demosa (Member)
Have you tried using audit2allow?

So what you have is that "check_init_serv" was denied execute and getattr for a file with a "systemd_systemctl_exec_t" label.

With the denial logged, start with
Code:
audit2allow -w -a
This will not change anything yet, but it should give us something a bit more human-readable on the error output.

Also, if you happen to catch a denial ID in /var/log/messages, run
Code:
sealert -l ID-number
NOTE: This is going to be a rather iterative process stepping through how to troubleshoot SELinux, so keep an eye on this thread often, and I'll do the same.
 
10-29-2015, 09:57 AM   #3
user5309 (LQ Newbie, Original Poster)
I see that there are multiple failures for the check_init_service when I run audit2allow. They are of type:

Code:
avc:  denied  { read }
avc:  denied  { getattr }
avc:  denied  { execute }
avc:  denied  { execute_no_trans }
avc:  denied  { open }
And each one says the remediation is the same:

Code:
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.
I guess my next step is figuring out how to create the module then load it. I did not see any denials being logged in /var/log/messages. Let me know if you are familiar with creating these modules.

The full context of the error is this:

Code:
type=AVC msg=audit(1446129906.503:4939): avc:  denied  { open } for  pid=22433 comm="check_init_serv" path="/usr/bin/systemctl" dev="dm-1" ino=2101040 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.
Just substitute the specific deny action for each one. Everything else is the same.
 
10-29-2015, 10:50 AM   #4
user5309 (LQ Newbie, Original Poster)
Ok, I just figured this out.

Run this:

Code:
audit2allow -a
This will list all the TE rules that will allow the denied access and reveal all processes that had associated denials. Once you find the one related to the AVC failure in the audit logs (for me it was nrpe_t), run this:

Code:
grep "your object_t" /var/log/audit/audit.log | audit2allow -M <module_name>
You will then get this message

Code:
To make this policy package active, execute:

semodule -i <module_name>.pp
Which you can then run:

Code:
semodule -i <module_name>.pp
Verify that it's loaded:

Code:
semanage module -l | grep <module_name>
Then put the system back into enforcing state:

Code:
setenforce 1
Or just modify /etc/selinux/config and reboot.

NOTE - I did this on RHEL7 and you may or may not have the semanage or semodule tools installed. If not, just run "yum provides <command>" to find out what package you need and install it.

Last edited by user5309; 10-29-2015 at 10:53 AM.
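The denial lines in post #1 and the audit2allow/semodule procedure in post #4, worked as one added example (this is not code from the thread or from the SELinux tools). The parser below does, in awk, what audit2allow does with the same input: it folds AVC records into one `allow` rule per source type, target type and class. The sample records are constructed in the format of the ones posted above, using the thread's own domain and type names; the final `httpd_t` record is invented to show why the grep-by-domain step in post #4 matters. Tool names (`ausearch`, `audit2allow`, `semodule`, `setenforce`) are the RHEL7 ones from the `policycoreutils-python` and `audit` packages; `install_module` needs root and is not run automatically.

```shell
#!/bin/sh
# Added example, not code from the thread: turn raw AVC denials into the
# TE allow rules that audit2allow would generate, filter them to one source
# domain, and then run the RHEL7 build/load steps from post #4.

# Constructed sample in the format of the denials posted in the thread.
# Domain and type names are the thread's; the last httpd_t record is
# invented to show what an unfiltered grep would sweep into the module.
SAMPLE_AVC='type=AVC msg=audit(1446051455.169:3313): avc:  denied  { execute }  for  pid=15388 comm="check_init_serv" name="systemctl" dev="dm-1" ino=2101040 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1446051455.169:3313): arch=c000003e syscall=59 success=no exit=-13 comm="check_init_serv" exe="/usr/bin/bash" subj=system_u:system_r:nrpe_t:s0 key=(null)
type=AVC msg=audit(1446051455.169:3314): avc:  denied  { getattr }  for  pid=15388 comm="check_init_serv" path="/usr/bin/systemctl" dev="dm-1" ino=2101040 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=AVC msg=audit(1446051455.169:3315): avc:  denied  { getattr }  for  pid=15388 comm="check_init_serv" path="/usr/bin/systemctl" dev="dm-1" ino=2101040 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=AVC msg=audit(1446053257.457:3401): avc:  denied  { read }  for  pid=15647 comm="systemctl" name="journal" dev="tmpfs" ino=11584 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1446129906.503:4939): avc:  denied  { read open }  for  pid=22433 comm="check_init_serv" path="/usr/bin/systemctl" dev="dm-1" ino=2101040 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=AVC msg=audit(1446129906.503:4940): avc:  denied  { execute_no_trans }  for  pid=22433 comm="check_init_serv" path="/usr/bin/systemctl" dev="dm-1" ino=2101040 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=AVC msg=audit(1446129906.503:4941): avc:  denied  { execute }  for  pid=22440 comm="httpd" name="systemctl" dev="dm-1" ino=2101040 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file'

# Keep only AVC records whose *source* domain is $1. This is post #4's grep
# step, anchored on the scontext field so that a type name appearing
# elsewhere in the line (e.g. as a tcontext) cannot match.
avc_for_domain() {
    grep -E "scontext=[^ ]*:$1:"
}

# Fold AVC records from stdin into TE allow rules: one rule per
# (source type, target type, class), permissions in first-seen order,
# duplicates dropped. SYSCALL and other record types are ignored.
avc_to_te() {
    awk '
    /^type=AVC / && / denied / {
        perms = $0
        sub(/.*[{] */, "", perms); sub(/ *[}].*/, "", perms)   # text inside { }
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }  # user:role:TYPE:level
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next
        key = src " " tgt ":" cls
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (!((key, p[j]) in seen)) { seen[key, p[j]] = 1; rule[key] = rule[key] " " p[j] }
    }
    END { for (k in rule) printf "allow %s {%s };\n", k, rule[k] }
    ' | LC_ALL=C sort
}

# Post #4's RHEL7 procedure end to end. Needs root plus audit2allow/semodule
# (policycoreutils-python) and ausearch (audit). Not run automatically here;
# call by hand, e.g.:  install_module nrpe_t nrpe_systemctl
install_module() {
    domain=$1; name=$2
    for tool in ausearch audit2allow semodule setenforce; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing $tool" >&2; return 1; }
    done
    # Only this domain's denials go into the module; anything else in the
    # log (the httpd_t record above, say) must not be granted by accident.
    ausearch -m AVC --raw 2>/dev/null | avc_for_domain "$domain" | audit2allow -M "$name" || return 1
    echo "Review $name.te before loading; every allow line widens what $domain may do:"
    cat "$name.te"
    semodule -i "$name.pp" || return 1
    semodule -l | grep "^$name"
    setenforce 1 && getenforce
}

echo "# rules for every denial in the sample (unfiltered):"
printf '%s\n' "$SAMPLE_AVC" | avc_to_te
echo "# rules after filtering to nrpe_t only (what belongs in the module):"
printf '%s\n' "$SAMPLE_AVC" | avc_for_domain nrpe_t | avc_to_te
```

Two things worth noticing in the filtered output before running `semodule -i`. First, even after filtering by domain, the module still grants `nrpe_t` read on `syslogd_var_run_t` directories (the journal denial in post #1), not just access to `systemctl`; a module built from the whole log grants whatever happens to be in it. Second, `execute_no_trans` means `systemctl` runs inside `nrpe_t` rather than transitioning to another domain, so the rule extends what every NRPE plugin can do, not only this one script. Check `getsebool -a` for an existing boolean covering the access before loading a custom module, and keep the `.te` under version control so the grant is reviewable later.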
 
10-29-2015, 10:51 AM   #5
Demosa (Member)
You beat me to it, that should do the trick.
 
10-29-2015, 11:08 AM   #6
user5309 (LQ Newbie, Original Poster)
It worked like a charm for me and I hope this helps others too.
 
  

