Configuring SELinux permissions on (SysV) IPC Semaphores
The basic steps to get SELinux working with the changes you need are:
- Enable permissive mode
- Capture denials
- Add a new policy module or modify an existing policy module
- Enable enforcing mode and test
Exactly how to do these steps depends on what Linux distribution you are using; here are references for CentOS, Debian, Gentoo, RedHat and Ubuntu. You can also find SELinux information from NSA. The best documentation I found is from Gentoo: step 1, step 2, step 3, step 4.
As @smassey noted, you most probably need to modify some IPC permission.
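The "capture denials, then add a policy module" steps above are what audit2allow automates; the following added example (mine, not from the answer or from any of the linked distribution guides) shows the same transformation in plain Python so the generated rules can be inspected before loading. The audit lines, the `myapp_t`/`other_t` types and the `local_ipc` module name are constructed placeholders; the `sem`/`shm` classes and their permission names are the real SELinux IPC object classes.

```python
"""Turn AVC denials captured in permissive mode into a local policy module.

Added example. The log lines, the types myapp_t/other_t and the module name
local_ipc are constructed; they are not from the original answer.
"""
import re
from collections import defaultdict

# Constructed sample of what `ausearch -m AVC -ts recent` (or
# `grep denied /var/log/audit/audit.log`) prints after exercising the
# application under `setenforce 0`. The final SYSCALL record is included
# to show that non-AVC records must be skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.123:456): avc:  denied  { create } for  pid=1234 comm="myapp" scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:system_r:myapp_t:s0 tclass=sem permissive=1
type=AVC msg=audit(1700000000.124:457): avc:  denied  { read write } for  pid=1234 comm="myapp" key=4660 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:system_r:myapp_t:s0 tclass=sem permissive=1
type=AVC msg=audit(1700000000.125:458): avc:  denied  { associate } for  pid=1234 comm="myapp" key=4660 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:system_r:myapp_t:s0 tclass=sem permissive=1
type=AVC msg=audit(1700000000.130:459): avc:  denied  { unix_read } for  pid=1235 comm="myapp" key=4661 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:system_r:other_t:s0 tclass=shm permissive=1
type=SYSCALL msg=audit(1700000000.130:459): arch=c000003e syscall=64 success=yes exit=0
"""

# Fields of one AVC record: the denied permission set, both contexts, and the
# object class (sem, shm, msgq, file, ...).
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """'user:role:type[:range]' -> 'type'; the type is what allow rules use."""
    return ctx.split(":")[2]


def parse_denials(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL/CWD/PATH records carry no access verdict
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return rules


def render_te(rules, module="local_ipc", version="1.0"):
    """Emit .te source in the shape `audit2allow -M` produces.

    A rule whose source and target type are equal is written against `self`,
    which is how a process accessing its own semaphore set shows up.
    """
    types = sorted({s for (s, _, _) in rules} | {t for (_, t, _) in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)

    lines = [f"module {module} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (s, t, cls), perms in sorted(rules.items()):
        target = "self" if s == t else t
        lines.append(f"allow {s} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_te(parse_denials(SAMPLE_AUDIT_LOG)), end="")
    # Remaining steps, run as root after saving the output as local_ipc.te:
    #   checkmodule -M -m -o local_ipc.mod local_ipc.te
    #   semodule_package -o local_ipc.pp -m local_ipc.mod
    #   semodule -i local_ipc.pp
    #   setenforce 1      # then re-run the application and watch for new denials
```

Review the rendered rules before loading them: every `allow` line is a permanent widening of policy, so a denial that came from a bug (for example the application touching another domain's shared memory, the `other_t` line above) should be fixed in the program rather than permitted.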
Is there a simple C or C++ API to modify selinux contexts?
#include <selinux/selinux.h>
typedef char *security_context_t;
int setfilecon(const char *path, security_context_t con);
is probably the function you are looking for. You have to link against libselinux.
unconfined_t vs unlabeled_t in SELinux
unlabeled_t is a special type (isid type). Initial security identifiers (isid) are a special way to label entities. It is used to label entities in scenarios that could not otherwise be addressed, for example the scenarios of fail-over, initialization and fixed objects.
The unlabeled_t type is associated with both the "unlabeled" as well as the "file" isid. The unlabeled isid is used to automatically associate the type (in this case unlabeled_t) with entities that have an invalid context, and the file isid is used to automatically associate the type associated with it (in this case unlabeled_t) with entities that have no label at all.
These two common (fail-over) scenarios can happen for various reasons:
SELinux is mutable at runtime in GNU/Linux; this means that one can add and remove contexts at runtime, and therefore validate and invalidate contexts. So if there is an entity in your system with a given context, and you decide to remove that context at runtime, then it gets invalidated and the unlabeled isid will automatically associate unlabeled_t with it.
When you format a new partition, or when you share a partition with a system that does not use SELinux, then that filesystem has no labels by default. The file initial sid kicks in and associates unlabeled_t with objects that have no label.
The isid contexts are associated in memory.
SELinux enforces integrity by default. So everything always needs a valid label.
Initial security identifiers are used to address labeling challenges that can't otherwise be addressed.
If you see unlabeled_t, then the entity either has an invalid label or no label at all. You would want to address that by associating a valid label with the entity.
unconfined_t is a "normal" type that just has a very broad set of permissions associated with it. Entities associated with the unconfined_t type are virtually unconfined by SELinux.
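The two situations the answer distinguishes, an object with no label at all versus one whose stored label already resolves to unlabeled_t, can be told apart from userspace by reading the `security.selinux` extended attribute that libselinux itself consults. The following is an added example (mine, not the answer's code) that walks a directory and reports both cases; it assumes Linux with xattr support, treats a missing attribute or an unsupported filesystem as "no label", and uses a temporary directory as constructed input.

```python
"""Report filesystem objects that SELinux would map to unlabeled_t.

Added example, not from the original answer. Assumes Linux; SELINUX_XATTR is
the real attribute name that libselinux reads for file contexts.
"""
import errno
import os
import tempfile

SELINUX_XATTR = "security.selinux"


def parse_context(ctx):
    """Split 'user:role:type[:range]'; return None for a malformed context."""
    if ctx is None:
        return None
    parts = ctx.split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        return None
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "range": parts[3] if len(parts) > 3 else None}


def classify(ctx):
    """Map a stored context to the situation the answer describes."""
    fields = parse_context(ctx)
    if fields is None:
        return "no label"            # file isid applies -> unlabeled_t
    if fields["type"] == "unlabeled_t":
        return "invalid or missing"  # unlabeled isid has already been applied
    if fields["type"] == "unconfined_t":
        return "unconfined"
    return "labeled"


def read_context(path):
    """Return the stored context string, or None when the object has none."""
    getxattr = getattr(os, "getxattr", None)
    if getxattr is None:
        return None  # non-Linux: nothing to read, report as unlabeled
    try:
        return getxattr(path, SELINUX_XATTR, follow_symlinks=False).decode()
    except OSError as e:
        # ENODATA: no label stored; ENOTSUP: filesystem without xattr/labels
        if e.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise


def audit_tree(root):
    """Walk root and return {path: verdict} for every object not cleanly labeled."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in [*dirnames, *filenames]:
            path = os.path.join(dirpath, name)
            verdict = classify(read_context(path))
            if verdict != "labeled":
                findings[path] = verdict
    return findings


def demo():
    """Constructed input: a scratch directory with one file inside it."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "probe.txt"), "w") as f:
            f.write("constructed sample\n")
        return audit_tree(d)


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:20s} {path}")
```

On an SELinux host with a labeled /tmp the demo reports nothing; on a filesystem without labels every entry comes back as "no label". Either finding is fixed the way the answer says, by assigning a valid label, for which `restorecon -Rv PATH` (relabel from the file contexts database) is the usual tool.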