CentOS 7 – Domain transition

Now, let’s find out how a process accesses other processes.

Let’s assume the vsftpd process is running; if it is not started yet, we can start it with the following command:

    systemctl start vsftpd

The vsftpd process is started by the systemd process. systemd is the replacement for the SysV init process, and it runs in the init_t context:

    ps -eZ | grep init

The systemd process running under the init_t domain is very short lived: it invokes /usr/sbin/vsftpd, which carries the ftpd_exec_t type context, and when this binary starts it becomes the vsftpd service itself, running in the ftpd_t domain.

So, here we have the systemd process running under the init_t domain executing a binary file labelled with the ftpd_exec_t type. The binary file then starts a service within the ftpd_t domain.

A domain transition is governed by three strict rules:

  • The parent process in the source domain must have permission to execute the application that sits between the two domains
  • The file context of that application must be identified as an entry point for the target domain
  • The source domain must be allowed to transition to the target domain

Let’s run the sesearch command for the vsftpd service to check whether it follows these rules:

  1. First, the source domain init_t must have permission to execute the application in the ftpd_exec_t context. So we run:

        sesearch -s init_t -t ftpd_exec_t -c file -p execute -Ad

     We found the following output:

        allow init_t ftpd_exec_t : file { read getattr execute open } ;

     So init_t can read, get attributes of, execute, and open files with the ftpd_exec_t context.

  2. Next, we check whether the binary file is the entry point for the target domain ftpd_t:

        sesearch -s ftpd_t -t ftpd_exec_t -c file -p entrypoint -Ad

     We found that it is:

        allow ftpd_t ftpd_exec_t : file { ioctl read getattr lock execute execute_no_trans entrypoint open } ;

  3. Finally, the source domain init_t needs permission to transition to the target ftpd_t domain:

        sesearch -s init_t -t ftpd_t -c process -p transition -Ad

     We can see that the source domain has that permission as well:

        allow init_t ftpd_t : process transition ;
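The three checks above can be folded into one script. The following is an added example, not part of the original text: it parses sesearch-style allow rules and reports which of the three rules fails for a given source domain, target domain and executable type. The rule lines are a constructed sample that mirrors the three results shown above; on a real CentOS 7 system you would replace SAMPLE_RULES with the output of the sesearch commands themselves.

```shell
#!/bin/sh
# Constructed sample of sesearch -Ad output (same three rules as in the text above).
SAMPLE_RULES='allow init_t ftpd_exec_t : file { read getattr execute open } ;
allow ftpd_t ftpd_exec_t : file { ioctl read getattr lock execute execute_no_trans entrypoint open } ;
allow init_t ftpd_t : process transition ;'

# rule_has SRC TGT CLASS PERM
# Exit 0 if some "allow SRC TGT : CLASS ..." line grants PERM, 1 otherwise.
# Field layout of a rule line: allow $2 $3 : $5 [{] perm... [}] ;
rule_has() {
    printf '%s\n' "$SAMPLE_RULES" |
    awk -v s="$1" -v t="$2" -v c="$3" -v p="$4" '
        $1 == "allow" && $2 == s && $3 == t && $5 == c {
            for (i = 6; i <= NF; i++) if ($i == p) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# transition_allowed SRC_DOMAIN TARGET_DOMAIN EXEC_TYPE
# Applies the three domain-transition rules in order and names the first one that fails.
transition_allowed() {
    src=$1; tgt=$2; exe=$3
    rule_has "$src" "$exe" file execute ||
        { echo "rule 1 fails: $src may not execute $exe"; return 1; }
    rule_has "$tgt" "$exe" file entrypoint ||
        { echo "rule 2 fails: $exe is not an entrypoint for $tgt"; return 1; }
    rule_has "$src" "$tgt" process transition ||
        { echo "rule 3 fails: $src may not transition to $tgt"; return 1; }
    echo "$src -> $tgt via $exe: all three rules hold"
}

# Example usage: the vsftpd case from the text, then a domain the sample has no rule for.
transition_allowed init_t ftpd_t ftpd_exec_t
transition_allowed init_t httpd_t ftpd_exec_t
```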

SELinux also supports processes that run under unconfined domains, for example unconfined_t. This is the domain in which logged-in users run their processes by default.