Bug 1765077
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | init.d scripts not allowed to create files in /var/log/ | | |
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Tomas Hofman <thofman> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED NOTABUG | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 8.0 | CC: | lvrabec, mmalik, plautrba, ssekidde, zpytela |
| Target Milestone: | rc | Keywords: | Reopened |
| Target Release: | 8.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-12-11 15:12:09 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Tomas Hofman
2019-10-24 10:04:36 UTC
Related JBoss EAP issue is https://issues.jboss.org/browse/JBEAP-17752

Tomas,

What is the SELinux context of /etc/init.d/jboss-eap-rhel.sh ?

```
# ls -Z /etc/init.d/jboss-eap-rhel.sh
```

If it's not bin_t, please run:

```
# chcon -t bin_t /etc/init.d/jboss-eap-rhel.sh
```

and try to restart the service.

Yes, that did the trick. It was etc_t, not bin_t. The service starts after fixing this. I will suggest updating EAP docs.

```
[root@ibm-p8-kvm-03-guest-02 ~]# ls -Z /etc/init.d/jboss-eap-rhel.sh
unconfined_u:object_r:etc_t:s0 /etc/init.d/jboss-eap-rhel.sh
[root@ibm-p8-kvm-03-guest-02 ~]# chcon -t bin_t /etc/init.d/jboss-eap-rhel.sh
[root@ibm-p8-kvm-03-guest-02 ~]# ls -Z /etc/init.d/jboss-eap-rhel.sh
unconfined_u:object_r:bin_t:s0 /etc/init.d/jboss-eap-rhel.sh
```

Thank you!

Tomas,

What I proposed is just a temporary change. If you would like to update the EAP docs, please propose the following (permanent) solution:

```
# semanage fcontext -a -t bin_t /etc/init.d/jboss-eap-rhel.sh
# restorecon -v /etc/init.d/jboss-eap-rhel.sh
```

Thanks,
Lukas.

I see, it would be lost during relabeling...

So I'm experimenting a bit more and I noticed that after copying the init script to /etc/init.d/ it has type etc_t, but when I run restorecon on it, without setting fcontext at all, the type changes to initrc_exec_t, and with this type the script runs correctly too.

```
[root@rama init.d]# cp /opt/jboss-eap/bin/init.d/jboss-eap-rhel.sh ./
[root@rama init.d]# ls -Z -1
system_u:object_r:bin_t:s0 functions
unconfined_u:object_r:etc_t:s0 jboss-eap-rhel.sh
system_u:object_r:initrc_exec_t:s0 network
system_u:object_r:initrc_exec_t:s0 README
[root@rama init.d]# restorecon -v jboss-eap-rhel.sh
Relabeled /etc/rc.d/init.d/jboss-eap-rhel.sh from unconfined_u:object_r:etc_t:s0 to unconfined_u:object_r:initrc_exec_t:s0
[root@rama init.d]# ls -Z -1
system_u:object_r:bin_t:s0 functions
unconfined_u:object_r:initrc_exec_t:s0 jboss-eap-rhel.sh
system_u:object_r:initrc_exec_t:s0 network
system_u:object_r:initrc_exec_t:s0 README
```

Technically, is initrc_exec_t a "more correct" file type than bin_t? In that case the only command we would need to add after copying the init script is

```
# restorecon /etc/init.d/jboss-eap-rhel.sh
```

Is that all right, or is it better to set fcontext explicitly?

Hi Tomas,

Well, initrc_t comes from RHEL-6. We're trying to keep all services for which we don't have SELinux policy in unconfined_service_t.

The difference is, when systemd labeled as init_t will execute a binary labeled as initrc_exec_t, the newly created process (service process) has the initrc_t label. Here is a record from SELinux policy:

```
# sesearch -T -s init_t -t initrc_exec_t -c process
type_transition init_t initrc_exec_t:process initrc_t;
```

But, when you label the binary as bin_t, the situation is different. When systemd labeled as init_t will execute a binary labeled as bin_t, the newly created process (service process) has the unconfined_service_t label. Similar record from policy:

```
# sesearch -T -s init_t -t bin_t -c process
type_transition init_t bin_t:process unconfined_service_t;
```

I prefer to keep it as unconfined_service_t.

Thanks,
Lukas.

Thanks for the replies, Lukas!