
I am having some trouble with the SELinux context of a couple of files in my openstack-swift setup.

Setup details:

A daemon is running swift-object-replicator with the following SELinux context:

    system_u:system_r:swift_t:s0 swift ... /usr/bin/python /usr/bin/swift-object-replicator /etc/swift/object-server.conf

This daemon calls a script periodically. The file created by that script has the following SELinux context:

    system_u:object_r:swift_var_cache_t:s0 /var/cache/swift/object.recon

Which is correct!

The issue

If I run the same script (the one that daemon calls internally) from a terminal as 'root', the object.recon file's SELinux context is modified as below:

    -rw-------. swift swift unconfined_u:object_r:var_t:s0 /var/cache/swift/object.recon

And then I start seeing error messages in that daemon's log files.

Any idea why the context changes, and how to preserve it even if I wish to trigger the script from a terminal?

mittal
  • You can't prevent it. SELinux is meant to do that. On the other hand, try creating a target policy for it. – alvits May 18 '16 at 17:54
  • @alvits Yes, that's what I was thinking. What kind of policy would that be? Can you please give me the details? – mittal May 18 '16 at 17:57
  • Here's [something to get you started](http://www.billauer.co.il/selinux-policy-module-howto.html). – alvits May 18 '16 at 18:14
  • We have a policy rule of the type `/var/cache/swift(/.*)? regular file system_u:object_r:swift_var_cache_t:s0`, but how to enforce it? Restorecon fixes things, but only temporarily, till someone again hits the command from a terminal :( – mittal May 18 '16 at 18:15
  • Is SELinux enforcing or permissive? – alvits May 18 '16 at 18:18
  • The mode is Enforcing – mittal May 18 '16 at 18:22
  • Can you run this command `sesearch --allow --source swift_t --target swift_var_cache_t --class file` and update your post with the result? – alvits May 18 '16 at 18:33
  • It says `allow swift_t swift_var_cache_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;` – mittal May 19 '16 at 02:08
  • I had some luck with the runcon command: `runcon -t swift_t -r system_r -u system_u swift-object-replicator /etc/swift/object-server.conf -ov`. This preserves the contexts. – mittal May 19 '16 at 19:25
  • @alvits I am exploring type_transition rules now. – mittal May 19 '16 at 19:25
  • This seems to have helped `module junk1 1.0; require { type unconfined_t; type swift_exec_t; type swift_t; role unconfined_r; class process transition; } #============= TRANSITIONS ======== type_transition unconfined_t swift_exec_t:process swift_t; #============= ROLES ============== role unconfined_r types swift_t;` – mittal May 19 '16 at 19:26

1 Answer

I figured out 2 ways to retain the contexts:

  • Use runcon to run the command with the correct context:

    runcon -t swift_t -r system_r swift-object-replicator /etc/swift/object-server.conf -ov
    
  • Or define an SELinux type_transition rule so that a user in the unconfined_t domain transitions to the correct domain while executing the script:

    # Module header that checkmodule requires; the name is arbitrary
    # (the comment thread above used "junk1")
    module swift_cli_transition 1.0;

    require {
        type unconfined_t;
        type swift_exec_t;
        type swift_t;
        role unconfined_r;
        class process transition;
    }

    # Let the unconfined_r role run processes in the swift_t domain
    role unconfined_r types swift_t;

    # Executing a swift_exec_t file from unconfined_t lands the new process in swift_t,
    # so files it creates get the swift_var_cache_t label the daemon expects
    type_transition unconfined_t swift_exec_t:process swift_t;
    
mittal
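Both fixes above stop new drift, but a file already relabelled to var_t stays wrong until someone runs restorecon. As an added example that is not part of the original answer, this POSIX shell script detects that drift from `ls -Z` output and repairs it, so it can run from cron or a swift health check. It assumes /var/cache/swift and the swift_var_cache_t type from the file_contexts rule quoted in the comments; the sample lines in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Detects SELinux label drift on
# the swift recon files and repairs it with restorecon. Assumes the expected
# type swift_var_cache_t for /var/cache/swift (the file_contexts rule quoted
# in the question); any other type, such as var_t from a root shell, is drift.

EXPECTED_TYPE="swift_var_cache_t"

# Extract the type field from a "user:role:type:level" context string.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "ls -Z"-style lines (context, then path) on stdin and print
# "path context" for every entry whose type is not EXPECTED_TYPE.
# Returns 1 when at least one drifted entry was found, 0 otherwise.
find_drift() {
    drift=0
    while read -r ctx path; do
        [ -n "$path" ] || continue
        if [ "$(context_type "$ctx")" != "$EXPECTED_TYPE" ]; then
            printf '%s %s\n' "$path" "$ctx"
            drift=1
        fi
    done
    return "$drift"
}

# Live check: list the cache directory with its labels and relabel each
# drifted file from the file_contexts database via restorecon.
restore_drift() {
    dir="${1:-/var/cache/swift}"
    ls -Zd "$dir"/* 2>/dev/null | find_drift | while read -r path ctx; do
        echo "relabelling $path (was $ctx)"
        restorecon -v "$path"
    done
}

# Only touch the live system when asked explicitly, e.g.
#   SWIFT_RELABEL=1 sh relabel-check.sh /var/cache/swift
if [ "${SWIFT_RELABEL:-0}" = "1" ]; then
    restore_drift "$@"
fi
```

Without SWIFT_RELABEL=1 the script only defines the functions, so it can be sourced and `find_drift` fed the output of `ls -Zd /var/cache/swift/*` for a read-only audit.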