CentOS 7 – Domain transition

How to configure nginx for Magento 2

Now, let’s find out how a process accesses other processes.

Let’s consider that the vsftpd process is running; if it’s not started, we can start it using the following command:

systemctl start vsftpd

The vsftpd process is started by the systemd process; this is a replacement of the Sys V init process and runs within a context of init_t:

ps -eZ | grep init

The systemd process running under the init_t domain is very short lived; it invokes /usr/sbin/vsftpd, which has a type context ftpd_exec_t, and when this binary executable starts, it becomes the vsftpd service itself and runs in the ftpd_t domain.

So, here’s the systemd process running under the init_t domain executing a binary file with the ftpd_exec_t type. The binary file then starts a service within the ftpd_t domain.

Domain transition is followed by three strict rules:

  • The parent process of the source domain must have the permission to execute the application between both the domains
  • The file context for that application must be identified as an entry point for the target domain
  • The original domain must be allowed to transit to the target domain

Let’s run the sesearch command for the vsftpd service to check whether it follows these rules:

  1. First, the source domain init_t must have permission to execute the application in the ftpd_exec_t context. So we run:
    sesearch -s init_t -t ftpd_exec_t -c file -p execute -Ad

    We found the following output:

    allow init_t ftpd_exec_t : file { read getattr execute open } ;

    So, the init_t can read, get attribute, execute, and open files of the ftpd_exec_t context.

  2. Next, we check whether the binary file is the entry point for the target domain ftpd_t:
    sesearch -s ftpd_t -t ftpd_exec_t -c file -p entrypoint -Ad

    We found that it is:

    allow ftpd_t ftpd_exec_t : file { ioctl read getattr lock execute execute_no_trans entrypoint open } ;
  3. Finally, the source domain init_t needs to have permission to transit to the target ftpd_t domain:
    sesearch -s init_t -t ftpd_t -c process -p transition –Ad

    We can see that the source domain has that permission as well:

    allow init_t ftpd_t : process transition ;

SELinux also supports processes that run under unconfined domains; for example, unconfined_t. This is the domain where logged in users run their processes by default.

Comments are closed.