Auditing the SELinux Policy with sesearch

We are going to audit the SELinux policy to explain how a mysqld process obtains its SELinux context and which policy rules govern what it may access.

Installation

The sesearch command is part of the setools-console package:

# yum install -y setools-console

The package provides the following:

  1. seinfo allows the user to query the components of a SELinux policy.
  2. sesearch allows the user to search the rules in a SELinux policy.

SELinux and MySQL Daemon

Use the SELinux policy tools to predict the SELinux domain type for the mysqld daemon when systemd starts the service.

# yum install -y mariadb-server
# systemctl start mariadb

We start with retrieving the SELinux domain type of the systemd daemon:

# ps -Z -C systemd
LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:06 systemd

The systemd daemon starts the service by executing the mysqld_safe binary file.

Retrieve the SELinux context type of the mysqld_safe executable:

# which mysqld_safe | xargs ls -Z
-rwxr-xr-x. root root system_u:object_r:mysqld_safe_exec_t:s0 /usr/bin/mysqld_safe

We can now use the sesearch command to retrieve the SELinux domain transition rule for when a daemon of type init_t executes a program of type mysqld_safe_exec_t:

# sesearch -T -s init_t -t mysqld_safe_exec_t
Found 1 semantic te rules:
   type_transition init_t mysqld_safe_exec_t : process mysqld_safe_t;

The SELinux domain type of the resulting process is mysqld_safe_t.

SELinux and MySQL Configuration File my.cnf

Let us find the rule that allows the mysqld daemon to read the configuration file /etc/my.cnf.

Retrieve the SELinux domain type of the mysqld daemon:

# ps -Z -C mysqld
LABEL                             PID TTY          TIME CMD
system_u:system_r:mysqld_t:s0    9114 ?        00:00:00 mysqld

Retrieve the SELinux file type of /etc/my.cnf:

# ls -Z /etc/my.cnf
-rw-r--r--. root root system_u:object_r:mysqld_etc_t:s0 /etc/my.cnf

Retrieve the rule that allows the mysqld_t domain type to read files with the mysqld_etc_t type:

# sesearch -A -s mysqld_t -t mysqld_etc_t -c file
Found 1 semantic av rules:
   allow mysqld_t mysqld_etc_t : file { ioctl read getattr lock open } ;

SELinux and MySQL Port 3306

Let us locate the rule that allows the mysqld daemon to bind to TCP port 3306.

Retrieve the SELinux type associated with TCP port 3306:

# semanage port -l | grep 3306
mysqld_port_t      tcp      1186, 3306, 63132-63164

Find the allow rules, adding -C so that sesearch also shows the boolean expression attached to each conditional rule:

# sesearch -A -s mysqld_t -t mysqld_port_t -c tcp_socket -C
Found 5 semantic av rules:
   allow mysqld_t mysqld_port_t : tcp_socket { name_bind name_connect } ; 
   allow mysqld_t port_type : tcp_socket { recv_msg send_msg } ; 
DT allow mysqld_t port_type : tcp_socket { recv_msg send_msg } ; [ nis_enabled ]
DT allow mysqld_t port_type : tcp_socket name_connect ; [ mysql_connect_any ]
DT allow nsswitch_domain port_type : tcp_socket { recv_msg send_msg } ; [ nis_enabled ]
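As an added example (not part of the original post), here is a small Python parser for the two kinds of sesearch output shown above: the type_transition rule from the -T query and the allow rules from the -A -C query. It predicts the domain of the child process from the type_transition rule, and it works out which allow rules are actually in force under a given set of boolean values. In sesearch output a conditional rule is prefixed with ET, EF, DT or DF: E or D says whether the rule is currently enabled or disabled, and T or F whether it sits in the true or false branch of its boolean expression, so the DT rules above stay switched off until nis_enabled or mysql_connect_any is turned on. The sample text is constructed from the output on this page; the boolean values (both off, consistent with the D prefix) and the assumption that mysqld_port_t carries the port_type attribute (which is why sesearch matched those rules) are assumptions, not something the page states.

```python
"""Parse sesearch (setools 3 format) output and work out what is effective.

Added example, not code from the original post. The sample strings are
constructed from the output shown on the page.
"""
import re

# Constructed sample: sesearch -T -s init_t -t mysqld_safe_exec_t
TRANSITION_OUTPUT = """\
Found 1 semantic te rules:
   type_transition init_t mysqld_safe_exec_t : process mysqld_safe_t;
"""

# Constructed sample: sesearch -A -s mysqld_t -t mysqld_port_t -c tcp_socket -C
AV_OUTPUT = """\
Found 5 semantic av rules:
   allow mysqld_t mysqld_port_t : tcp_socket { name_bind name_connect } ;
   allow mysqld_t port_type : tcp_socket { recv_msg send_msg } ;
DT allow mysqld_t port_type : tcp_socket { recv_msg send_msg } ; [ nis_enabled ]
DT allow mysqld_t port_type : tcp_socket name_connect ; [ mysql_connect_any ]
DT allow nsswitch_domain port_type : tcp_socket { recv_msg send_msg } ; [ nis_enabled ]
"""

# Assumed boolean state: both off, which matches the "D" (disabled) prefix above.
BOOLEANS_DEFAULT = {"nis_enabled": False, "mysql_connect_any": False}

TRANSITION_RE = re.compile(
    r"^\s*type_transition\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(\S+?)\s*;")

AV_RE = re.compile(
    r"^\s*(?:(?P<state>[ED])(?P<branch>[TF])\s+)?"        # optional ET/EF/DT/DF
    r"allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>\S+))\s*;"      # { a b } or single perm
    r"(?:\s*\[\s*(?P<cond>[^\]]*)\])?")                   # [ boolean expr ]


def predict_domain(sesearch_t_output, source, exec_type, cls="process"):
    """Domain entered when `source` executes a file of `exec_type`.
    Without a matching type_transition the child keeps the caller's domain."""
    for line in sesearch_t_output.splitlines():
        m = TRANSITION_RE.match(line)
        if m and m.groups()[:3] == (source, exec_type, cls):
            return m.group(4)
    return source


def parse_av_rules(sesearch_a_output):
    """Turn allow lines (with or without the -C prefix) into dicts."""
    rules = []
    for line in sesearch_a_output.splitlines():
        m = AV_RE.match(line)
        if not m:
            continue  # header line or something that is not an allow rule
        perms = m.group("perms")
        rules.append({
            "source": m.group("src"), "target": m.group("tgt"), "class": m.group("cls"),
            "perms": set(perms.split()) if perms is not None else {m.group("perm")},
            "cond": (m.group("cond") or "").strip() or None,
            "branch": m.group("branch"),  # "T" or "F" for conditional rules
        })
    return rules


def cond_true(expr, booleans):
    """Evaluate a boolean expression: names, `!name`, and `&&`/`||` chains
    evaluated left to right (no parentheses); anything else raises ValueError."""
    tokens = expr.split()

    def term(tok):
        return not booleans[tok[1:]] if tok.startswith("!") else booleans[tok]

    value = term(tokens[0])
    for op, tok in zip(tokens[1::2], tokens[2::2]):
        if op == "&&":
            value = value and term(tok)
        elif op == "||":
            value = value or term(tok)
        else:
            raise ValueError("unsupported operator: " + op)
    return value


def active_rules(rules, booleans):
    """Unconditional rules plus conditional rules whose expression evaluates
    to the branch (T/F) they belong to."""
    return [r for r in rules
            if r["cond"] is None
            or cond_true(r["cond"], booleans) == (r["branch"] == "T")]


def effective_perms(rules, sources, targets, cls, booleans):
    """Union of permissions in force for any source in `sources` on any target
    in `targets` (pass the type together with its attributes, e.g. port_type)."""
    granted = set()
    for r in active_rules(rules, booleans):
        if r["source"] in sources and r["target"] in targets and r["class"] == cls:
            granted |= r["perms"]
    return granted


if __name__ == "__main__":
    print("mysqld_safe runs as:", predict_domain(TRANSITION_OUTPUT, "init_t", "mysqld_safe_exec_t"))
    rules = parse_av_rules(AV_OUTPUT)
    for name, bools in (("defaults", BOOLEANS_DEFAULT),
                        ("nis_enabled=on", {**BOOLEANS_DEFAULT, "nis_enabled": True})):
        print(name, "->", len(active_rules(rules, bools)), "of", len(rules), "rules active;",
              "tcp_socket perms:", sorted(effective_perms(
                  rules, {"mysqld_t"}, {"mysqld_port_t", "port_type"}, "tcp_socket", bools)))
```

Note that in this particular output every conditional rule is already covered by an unconditional one, so toggling the booleans changes which rules are active but not the permission set mysqld_t ends up with on mysqld_port_t; the function is more useful on policies where a boolean is the only thing granting an access.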
