selinux interview questions
Top selinux frequently asked interview questions
I would like to be able to spawn a linux process that would only have access to stdin, stdout, and stderr (nothing more and nothing less). Can I do this at the process level itself? I am also implicitly stating (oxymoron) that I don't want the spawned process to be able to change the "thing" that the other end of the stream points to.
Metaphorically:
- the process has a input pipe that comes from somewhere, it cannot change where the pipe starts from, so it cannot control where input comes from.
- the process has output and error pipes that go somewhere, it cannot change where the other end of the output pipes point to, so it cannot control where output goes to.
- it cannot create any new pipes.
I am also currently looking at SElinux. Would this allow me to create a process that only had access to these three streams? Thank you.
Source: (StackOverflow)
I ran through the fig python / django tutorial on Fedora 20 (docker 1.0.0) but it failed & tripped an AVC denial in SELinux when django-admin.py attempted to create the project files.
I reviewed the policy, i can see that setting the docker_var_lib_t context on my code dir would permit docker to write there (although i've just spied docker_share_t in the policy, that looks a better fit permissions wise - no chr / blk devices in that context).
Code directory locations are not predictable so setting a system wide policy (via semanage fcontext) doesn't seem the best way forward; i'd need to introduce some kind of convention.
Is there any way to automatically set this context on volumes mounted from a host?
Source: (StackOverflow)
Locally, my app runs fine on and writes to its logs.
My production server is running CentOS with an Apache server running Passenger. When trying to debug, I noticed my log files were not being written to. First thing I did was chmod 0666 them, and when I found out that didn't work I looked at my apache log. I found this: Rails Error: Unable to access log file. Please ensure that /var/www/vhosts/mysite.com/rails/exp/releases/20091124020342/log/production.log exists and is chmod 0666. The log level has been raised to WARN and the output directed to STDERR until the problem is fixed.
(Note: I am deploying with capistrano)
Anyway, I Googled around and found people saying it's an SELinux issue, so I looked on passenger's docs and found this: http://www.modrails.com/documentation/Users%20guide.html#%5Fmy%5Frails%5Fapplication%5F8217%5Fs%5Flog%5Ffile%5Fis%5Fnot%5Fbeing%5Fwritten%5Fto
which basically says do this: chcon -R -h -t httpd_sys_content_t /path/to/your/rails/app
However, when I fill in the proper path I get: Operation not supported.
Pretty stumped...any ideas?
Source: (StackOverflow)
Scenario:
There is a complex piece of software that is annoying to launch by hand. What I've done is to create a python script to launch the executable and attach gdb for debugging.
The process launching script:
- ensures an environment variable is set.
- ensures a local build directory gets added to the environment's
LD_LIBRARY_PATH
variable.
- changes the current working directory to where the executable expects to be (not my design)
- launches the executable with a config file the only command line option
- pipes the output from the executable to a second logging process
- remembers PID of executable, then launches & attaches gdb to running executable.
The script works, with one caveat. ctrl-c doesn't interrupt the debugee and return control to gdb. So if I "continue" with no active breakpoints I can never stop the process again, it has to be killed/interrupted from another shell. BTW, running "kill -s SIGINT <pid>" where <pid> is the debuggee's pid does get me back to gdb's prompt... but it is really annoying to have to do things this way
At first I thought Python was grabbing the SIGINT signal, but this doesn't seem to be the case as I set up signal handlers forward the signal to the debugee and that doesn't fix the problem.
I've tried various configurations to the python script (calling os.spawn* instead of subprocess, etc.) It seems that any way I go about it, if python launched the child process, SIGINT (ctrl-c) signals DO NOT to get routed to gdb or the child process.
Current line of thinking
- This might be related to needing a
separate process group id for the debugee & gdb...any credence to this?
- Possible bug with SELinux?
Info:
- gdb 6.8
- Python 2.5.2 (problem present with Python 2.6.1 as well)
- SELinux Environment (bug delivering signals to processes?)
Alternatives I've considered:
- Setting up a .gdbinit file to do as much of what the script does, environment variables and current working directory are a problem with this approach.
- Launching executable and attaching gdb manually (yuck)
Question:
How do you automate the launching/debugging of large scale projects?
Update:
I've tried Nicholas Riley's examples below, on my Macintosh at home they all allow cntl-c to work to varrying degrees, on the production boxen (which I now to believe may be running SELinux) they don't...
Source: (StackOverflow)
The xdebug server doesn't connect to any of the clients on port 9000 ie:Netbeans IDE ,debugclient etc.xdebug is shown in phpinfo output.The above clients keep on waiting for the connection to be established.when ever I try to run a php script from the cli it gives the following warning message:
"PHP Warning: Module 'xdebug' already loaded in Unknown on line 0"
The 9000 port has been opened and shows up in the netstat --numeric-port -l command.
I have no idea what might have gone wrong.I have checked all the configuration files,everything seems ok. Any help will be appreciated.
Section of my configuration files
Linux abc.localdomain 3.1.1-2.fc16.x86_64 #1 SMP Mon Nov 14 15:46:10 UTC 2011 x86_64
This program makes use of the Zend Scripting Language Engine:
Zend Engine v2.3.0, Copyright (c) 1998-2011 Zend Technologies
with Xdebug v2.1.2, Copyright (c) 2002-2011, by Derick Rethans
[Zend]
zend_extension=/usr/lib64/php/modules/xdebug.so
[XDebug]
xdebug.remote_enable=On
xdebug.remote_autostart=On
xdebug.remote_handler=dbgp
xdebug.remote_host=localhost
xdebug.remote_port=9000
xdebug.remote_mode=req
xdebug.remote_log=/var/log/xdebug.log
php_api no. coincides
Xdebug Simple DBGp client (0.10.0)
Copyright 2002-2007 by Derick Rethans.
- libedit support: enabled
Waiting for debug server to connect.
Is it black magic!!
Thank You
Source: (StackOverflow)
When SELinux is installed there's a setting - httpd_can_network_connect - that often prevents PHP's fsockopen() from making outbound connections when it was instantiated by a request coming in via HTTP.
I would like to be able to see, via PHP, if a system has SELinux / httpd_can_network_connect enabled. If so I'd present the user with a warning saying that this setting could interfere with the page.
I installed SELinux on an Ubuntu machine and altho httpd_can_network_connect doesn't even appear to be an option that's available to me SELinux none-the-less does appear to be installed and I'm not seeing any indications of it installed even in the phpinfo() output..
Any ideas?
Source: (StackOverflow)
I have a Rails script that I would like to run daily. I know there are many approaches, and that a cron'd script/runner
approach is frowned upon by some, but it seems to meet my needs.
However, my script is not getting executed as scheduled.
My application lives at /data/myapp/current
, and the script is in script/myscript.rb
. I can run it manually without problem as root
with:
/data/myapp/current/script/runner -e production /data/myapp/current/script/myscript.rb
When I do that, the special log file (log/myscript.log
) gets logged to as expected:
Tue Mar 03 13:16:00 -0500 2009 Starting to execute script...
...
Tue Mar 03 13:19:08 -0500 2009 Finished executing script in 188.075028 seconds
I have it set to run with cron
every morning at 4 am. root
's crontab:
$ crontab -l
0 4 * * * /data/myapp/current/script/runner -e production /data/myapp/current/script/myscript.rb
In fact, it looks like it's tried to run as recently as this morning!
$ tail -100 /var/log/cron
...
Mar 2 04:00:01 hostname crond[8894]: (root) CMD (/data/myapp/current/script/runner -e production /data/myapp/current/script/myscript.rb)
...
Mar 3 04:00:01 hostname crond[22398]: (root) CMD (/data/myapp/current/script/runner -e production /data/myapp/current/script/myscript.rb)
...
However, there is no entry in my log file, and the data that it should update has not been getting updated. The log file permissions (as a test) were even set to globally writable:
$ ls -lh
total 19M
...
-rw-rw-rw- 1 myuser apps 7.4K Mar 3 13:19 myscript.log
...
I am running on CentOS 5.
So my questions are...
- Where else can I look for information to debug this?
- Could this be a SELinux issue? Is there a security context that I could set or change that might resolve this error?
Thank you!
Update
Thank you to Paul and Luke both. It did turn out to be an environment issue, and capturing the stderr
to a log file enabled me to find the error.
$ cat cron.log
/usr/bin/env: ruby: No such file or directory
$ head /data/myapp/current/script/runner
#!/usr/bin/env ruby
require File.dirname(__FILE__) + '/../config/boot'
require 'commands/runner'
Adding the specific Ruby executable to the command did the trick:
$ crontab -l
0 4 * * * /usr/local/bin/ruby /data/myapp/current/script/runner -e production /data/myapp/current/script/myscript.rb >> /data/myapp/current/log/cron.log 2>&1
Source: (StackOverflow)
I have installed incron from the EPEL repository (before you ask; YES, I also tried downloading the source and compiling locally; same results) and am attempting to set up a process on my CentOS 6.4 (final) virtual box that I have successfully prototyped on my local Ubunto 12.04 machine:
Some information up front:
- SELinux is set PERMISSIVE
- I have added my script(s) and called executables to all with NOPASSWD using
visudo
to get around some permissions issues...
If I invoke my script from the command line with sudo /path/to/my/script.sh arguments
it works like a charm.
sudo service incrond status
verifies that incrond is running. root and myusername are added to /etc/incron.allow
, /etc/incron.deny
is empty.
My incrotab for root is:
/path/to/dropfolder/ IN_CLOSE_WRITE sudo /path/to/my/script.sh $@/$#
Events in /path/to/dropfolder/
result in exactly NOTHING happening. No logs are generated, no messages, no actions occur on the files in the folder.
So I have researched: it was suggested that cron
runs in a minimal environment and that to execute complex commands/scripts you may have to execute your .bashrc
and/or export your PATH at the beginning of the cron command.
Note: I can find no documentation supporting that incron
also runs in a minimal environment, but as my google-fu (and bing-fu!) failed to result in any helpful results related directly to incron
I figured WTH, I'll try that!
Edit: Documentation indicates that incron
run from system tables or root takes env from its host enviroment, therefore only incron
executed by non-root users should require any sort of env or PATH fiddling
So… incrontab for root:
/path/to/dropfolder IN_CLOSE_WRITE . /home/myusername/.bashrc; export PATH=$PATH:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin; sudo /path/to/my/script.sh $@/$#"
No dice… tried &&
instead of ;
= no dice. If you can think of a variation on the above I've probably tried it…
So, lets try a little restorecond -R /usr/sbin/incrond /etc/incron*
action!
Huh, no change there either.
service incrond stop
followed by service incrond start
and then service incrond restart
… nope, nope, and nope.
Drastic measures: yum remove incron
and yum install incron
, chkconfig incrond on
and then for good measure a sudo reboot
!
Nothing.
I don't even get anything from /tmp/ IN_ALL_EVENTS echo boo>>/home/myusername/boofile.txt
, hence my inability to even do an env>>envfile.txt
to check whether incron
is running in a sparse environment… (see above note)
And yet: service incrond status
yields incrond (pid xxxx) is running...
What am I missing? It has to be big and obvious and I hope someone can make me feel like an idiot in short order!
further examination of /var/log/cron
yields results like this: Aug 14 15:05:30 hostname incrond[1584]: (root) CMD (sudo /path/to/DropFolder/script/subfolder/script-Beta-1.sh /home/username/DropFolder/testfile.file)
-yes I made sure my script was executable..
so incrond is indeed attempting to do SOMETHING, but I get no output anywhere... even a simple echo > /dev/pts/0
produces nada results.
- thanks for fixing my crap formatting job
Source: (StackOverflow)
I want to set the SELinux (Security Enhanced Linux) mode to Permissive or (0) on android 4.4.4 (and above if possible). I use the following command: setenforce 0
, setenforce permissive
and setenforce Permissive
under root (my device is rooted). But the output of getenforce
is always Enforcing
. Now I am exhausted with this problem.
Can any one give me a solution? Thanks in advance.
Source: (StackOverflow)
Are there any best practices to handle Java applications with SELinux?
Is it able to configure SELinux for each Java App or can only the VM be handled because it makes the finale system calls?
Source: (StackOverflow)
I'm using Apache 2.2.15 on CentOS 6.5. I'm trying to set up a Django app using mod_wsgi.
I'm using a virtual environment, and mod_wsgi was configured with --with-python=/path/to/virtualenv/bin/python3.4
.
I've added this to my httpd.conf
:
WSGIPythonPath /srv/myproject:/path/to/virtualenv/lib/python3.4/site-packages
WSGIPythonHome /path/to/virtualenv
<VirtualHost *:80>
WSGIScriptAlias / /srv/myproject/myproject/wsgi.py
...
</VirtualHost>
In wsgi.py
, I added
sys.path.insert(1, "/path/to/virtualenv/lib/python3.4/site-packages")
The problem is that when I try to open the app in my browser, it loads indefinitely. Here's the Apache error log:
Fatal Python error: Py_Initialize: Unable to get the locale encoding
ImportError: No module named 'encodings'
[Mon Jun 30 17:37:28 2014] [notice] child pid 19370 exit signal Aborted (6)
[Mon Jun 30 17:37:28 2014] [notice] child pid 19371 exit signal Aborted (6)
...
[Mon Jun 30 17:37:28 2014] [notice] child pid 19377 exit signal Aborted (6)
Fatal Python error: Py_Initialize: Unable to get the locale encoding
ImportError: No module named 'encodings'
What's interesting is that in both the system installation of Python (2.6) and the virtual environment version (3.4), import encodings
works fine! I've tried using the example WSGI script from the mod_wsgi CheckingYourInstallation page to confirm which version of Python is being used by Apache, but I get the same ImportError.
Does anyone have a suggestion for next steps? I've scoured the docs but I don't know where to go from here.
Source: (StackOverflow)
I'm using the mySQLdb module within my django application which is linked to Apache via WSGI.
However I'm getting permission issues (shown below). This is down to SElinux and if I set it to passive everything is ok.
ImproperlyConfigured: Error loading MySQLdb module:
/opt/django/virtenv/django15/lib/python2.7/site-packages/_mysql.so:
failed to map segment from shared object: Permission denied
What is the best way to update SELinux to include this without having to turn off the whole the thing. The error is shown below:
ImproperlyConfigured: Error loading MySQLdb module:
/opt/django/virtenv/django1/lib/python2.7/site-packages/_mysql.so:
cfailed to map segment from shared object: Permission denied
Source: (StackOverflow)
I'm the developer on a root-app for Android.
Sadly now on some devices/ROMs there is SELinux in enforce-mode and prevents some actions of my app.
Because this is a root-app, the users are granting me root-access!
Now, SELinux is blocking some of my actions and I need to find a solution for this.
I tried to temporary disable SELinux by
setenforce permissive -> no failure, but getenforce still returns "Enforcing"
cat 0 > /sys/fs/selinux/enforce -> no failure, but getenforce still returns "Enforcing"
I play with the idea to edit the sepolicy-file at runtime to allow the blocked commands and trigger a reload of it, but I'm neither sure if & how this could work, nor isn't it a good idea.
Who has some more tips or resources for me?
Source: (StackOverflow)
I am having an application listening on port 8081 and Nginx running on port 8080. The proxy pass statement looks like:
/var/etc/opt/lj/output/services/abc.servicemanager.conf
location /api/abc.servicemanager/1.0 { proxy_pass http://localhost:8081;}
In nginx.conf, I include this file as:
include /etc/nginx/conf.d/services/*.conf;
The /etc/nginx/conf.d/service is a symlink:
# ll /etc/nginx/conf.d/
lrwxrwxrwx. 1 root root 39 Dec 10 00:19 services -> ../../../var/etc/opt/lj/output/services
This is a Centos 7.0 SELinux Enabled system. If I setenforce 0, and make it Permissive, I don't see any issues. So the file is in right place and no issues with paths. If SELinux is enforcing, I see the following in audit log:
type=AVC msg=audit(1418348761.372:100930): avc: denied { getattr } for pid=3936 comm="nginx" path="/var/etc/opt/lj/output/services/abc.servicemanager.conf" dev="xvda1" ino=11063393 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
I want to know how to enable Nginx to find the conf file without having to disable SELinux. Thanks for your help in advance.
-Vijay
Source: (StackOverflow)
I know that this has been asked many times before, but I believe my situation is different.
I am trying to add a pre-revprop-change hook to our SVN repository to enable changes to be made to log messages.
Before I added the pre-revprop-change
file I was getting this error:
$ svn propset -r 557 --revprop svn:log "New message!" https://myserver/repos/myrepo
svn: DAV request failed; it's possible that the repository's pre-revprop-change hook either failed or is non-existent
svn: At least one property change failed; repository is unchanged
svn: Error setting property 'log':
Repository has not been enabled to accept revision propchanges;
ask the administrator to create a pre-revprop-change hook
No problem, I thought. I'll add it:
$ cd /var/www/svn/myrepo/hooks
$ # Create the simplest hook possible
$ echo '#!/bin/sh' > pre-revprop-change
$ echo 'exit 0' >> pre-revprop-change
$ # Check that it looks correct
$ cat pre-revprop-change
#!/bin/sh
exit 0
$ # Looks good, now make it executable
$ chmod a+x pre-revprop-change
$ # Check the permissions
$ ls -al pre-revprop-change
-rwxr-xr-x 1 apache apache 17 2012-05-24 12:05 pre-revprop-change
$ # Run it, to make sure it runs, and check the error code
$ ./pre-revprop-change
$ echo $?
0
So, according to everything else I've read on SO, that should be all I need to make it work. But, when I try to edit the log message again, I still get an error (a different one this time):
$ svn propset -r 557 --revprop svn:log "New message!" https://myserver/repos/myrepo
svn: DAV request failed; it's possible that the repository's pre-revprop-change hook either failed or is non-existent
svn: At least one property change failed; repository is unchanged
svn: Error setting property 'log':
Revprop change blocked by pre-revprop-change hook (exit code 255) with no output.
There are a few points to note:
1) The repository is hosted on an SELinux server (Fedora core 10). Perhaps there is something that I need to do with regards to those permissions? Here are the SE permissions of the hook:
$ ls -alZ pre-revprop-change
-rwxr-xr-x apache apache unconfined_u:object_r:httpd_sys_content_rw_t:s0 pre-revprop-change
2) The repository is being accessed via WebDAV (note the https://
in the repository name). Is there something that I need to setup on the WebDAV side to allow pre-revprop-change changes?
Source: (StackOverflow)