I'm trying to work on getting SELinux running in enforcing mode on my
x86 stable server. Everything seems OK if I switch enforcing on until
asterisk needs to be (re)started. Running /etc/init.d/asterisk results
in a bad interpreter (permission denied) error if SELinux is enforcing.
Only thing that I noticed in the logs was an invalid security context.
So today I disabled all the dontaudit rules and ran the init script (in
permissive mode) from the command line. The invalid context seems to be
the root of the issue, but here are the AVCs that I captured. I'm not
sure the best way to handle the invalid context. So I'd like to get
some thoughts/suggestions from the list before I start making changes.
This is the invalid context that I think I need to address:
Oct 23 11:47:21 iax kernel: type=1401 audit(1351014441.497:8823983):
security_compute_sid: invalid context stan:system_r:initrc_t for
scontext=stan:sysadm_r:sysadm_t
tcontext=system_u:object_r:asterisk_initrc_exec_t tclass=process
By way of context, here are all the denials as they appeared.
Oct 23 11:47:21 iax kernel: type=1401 audit(1351014441.497:8823983):
security_compute_sid: invalid context stan:system_r:initrc_t for
scontext=stan:sysadm_r:sysadm_t
tcontext=system_u:object_r:asterisk_initrc_exec_t tclass=process
Oct 23 11:47:21 iax kernel: type=1400 audit(1351014441.497:8823984):
avc: denied { rlimitinh } for pid=10978 comm="asterisk"
scontext=stan:sysadm_r:sysadm_t tcontext=stan:system_r:initrc_t
tclass=process
Oct 23 11:47:21 iax kernel: type=1400 audit(1351014441.497:8823985):
avc: denied { siginh } for pid=10978 comm="asterisk"
scontext=stan:sysadm_r:sysadm_t tcontext=stan:system_r:initrc_t
tclass=process
Oct 23 11:47:21 iax kernel: type=1400 audit(1351014441.497:8823986):
avc: denied { noatsecure } for pid=10978 comm="asterisk"
scontext=stan:sysadm_r:sysadm_t tcontext=stan:system_r:initrc_t
tclass=process
Oct 23 11:47:21 iax kernel: type=1401 audit(1351014441.500:8823987):
security_compute_sid: invalid context stan:system_r:initrc_t for
scontext=stan:system_r:initrc_t tcontext=system_u:object_r:rc_exec_t
tclass=process
Oct 23 11:47:21 iax kernel: type=1401 audit(1351014441.508:8823988):
security_compute_sid: invalid context stan:system_r:initrc_t for
scontext=stan:system_r:initrc_t tcontext=system_u:object_r:bin_t
tclass=process
Oct 23 11:47:21 iax kernel: type=1401 audit(1351014441.515:8823989):
security_compute_sid: invalid context stan:system_r:initrc_t for
scontext=stan:system_r:initrc_t tcontext=system_u:object_r:bin_t
tclass=process
Oct 23 11:47:21 iax kernel: type=1401 audit(1351014441.517:8823990):
security_compute_sid: invalid context stan:system_r:initrc_t for
scontext=stan:system_r:initrc_t tcontext=system_u:object_r:rc_exec_t
tclass=process
Oct 23 11:47:21 iax kernel: type=1401 audit(1351014441.530:8823991):
security_compute_sid: invalid context stan:system_r:initrc_t for
scontext=stan:system_r:initrc_t tcontext=system_u:object_r:bin_t
tclass=process
Oct 23 11:47:21 iax kernel: type=1401 audit(1351014441.542:8823992):
security_compute_sid: invalid context stan:system_r:initrc_t for
scontext=stan:system_r:initrc_t tcontext=system_u:object_r:bin_t
tclass=process
Oct 23 11:47:22 iax asterisk_wrapper: Initializing asterisk wrapper
And, the current file contexts:
#ls -lZ /etc/init.d/asterisk
-rwxr-xr-x. 1 root root system_u:object_r:asterisk_initrc_exec_t 6489 Oct 5 13:12 /etc/init.d/asterisk
#ls -lZ /usr/sbin/asterisk
-rwxr-xr-x. 1 root root system_u:object_r:asterisk_exec_t 24247031 Oct 5 13:01 /usr/sbin/asterisk
The resulting processes show:
#ps -efZ |grep asterisk
stan:system_r:initrc_t root 11062 1 0 11:47 pts/2 00:00:00 /bin/sh /lib/rc/sh/runscript.sh /etc/init.d/asterisk start
stan:system_r:initrc_t root 11063 1 0 11:47 pts/2 00:00:00 logger -t asterisk_wrapper
stan:system_r:asterisk_t asterisk 11066 11062 0 11:47 pts/2 00:00:01 /usr/sbin/asterisk -f -g -U asterisk
stan:system_r:asterisk_t asterisk 11067 11066 0 11:47 pts/2 00:00:00 astcanary /var/run/asterisk/alt.asterisk.canary.tweet.tweet.tweet 11066
Which is interesting that they are running under my SELinux user name
instead of system_u like other processes I may need to (re)start in a
similar fashion. Also the asterisk script does not seem to call/use
runscript_selinux.so like the others do as I am not prompted for root's
password.
And lastly, my shell that I am executing all of this from:
#id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),11(floppy),26(tape),27(video) context=stan:sysadm_r:sysadm_t
--
Stan & HD Tashi Grad 10/08 Edgewood, NM SWR
PR - Cindy and Jenny - Sammamish, WA NWR
http://www.cci.org
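
An added example (not part of the original post): a small Python triage script that rejoins the mail-wrapped kernel audit lines and groups the type=1401 invalid-context records and the type=1400 AVC denials by source and target context, so the rejected user:role:type combination and the transitions that produced it can be read off directly. The sample input is three records taken from the log above; the function names are this example's own.

```python
import re
from collections import Counter

# Sample input: three records from the post's log, kept in mail-wrapped form.
SAMPLE = """\
Oct 23 11:47:21 iax kernel: type=1401 audit(1351014441.497:8823983):
security_compute_sid: invalid context stan:system_r:initrc_t for
scontext=stan:sysadm_r:sysadm_t
tcontext=system_u:object_r:asterisk_initrc_exec_t tclass=process
Oct 23 11:47:21 iax kernel: type=1400 audit(1351014441.497:8823984):
avc: denied { rlimitinh } for pid=10978 comm="asterisk"
scontext=stan:sysadm_r:sysadm_t tcontext=stan:system_r:initrc_t
tclass=process
Oct 23 11:47:21 iax kernel: type=1401 audit(1351014441.500:8823987):
security_compute_sid: invalid context stan:system_r:initrc_t for
scontext=stan:system_r:initrc_t tcontext=system_u:object_r:rc_exec_t
tclass=process
"""

# A record begins on a line that starts with a syslog timestamp.
RECORD_BREAK = re.compile(r"\n(?=[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d\s)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def join_records(text):
    """Rejoin wrapped lines so each audit record is a single string."""
    return [" ".join(chunk.split()) for chunk in RECORD_BREAK.split(text.strip())]

def parse(record):
    """Parse a type=1401 (SELINUX_ERR) or type=1400 (AVC) record, else None."""
    fields = {k: v.strip('"') for k, v in FIELD.findall(record)}
    bad = re.search(r"invalid context (\S+)", record)
    perms = re.search(r"denied\s+\{([^}]*)\}", record)
    if fields.get("type") == "1401" and bad:
        return {**fields, "invalid": bad.group(1)}
    if fields.get("type") == "1400" and perms:
        return {**fields, "perms": perms.group(1).split()}
    return None

def summarize(text):
    """Count rejected contexts per transition; collect denied perms per pair."""
    invalid, denied = Counter(), {}
    for rec in filter(None, map(parse, join_records(text))):
        pair = (rec.get("scontext"), rec.get("tcontext"))
        if "invalid" in rec:
            invalid[(rec["invalid"],) + pair] += 1
        else:
            denied.setdefault(pair + (rec.get("tclass"),), set()).update(rec["perms"])
    return invalid, denied
```

Calling `summarize()` on the full log text returns a counter keyed by (rejected context, scontext, tcontext) and a dict of denied permissions keyed by (scontext, tcontext, tclass).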