SELinux: Creating a rule to allow a transition

This is a quick howto on creating a custom SELinux rule to allow a process to transition from one domain (context) to another.

In this example I will allow the init script of php5-fpm to transition from initrc_t to httpd_php_t.

This is the file context of the init script:

system_u:object_r:initrc_exec_t:SystemLow /etc/init.d/php5-fpm

The init script will execute php5-fpm, which has the following file context:

system_u:object_r:httpd_php_exec_t:SystemLow /usr/sbin/php5-fpm

Right now, if I run the init script to launch php5-fpm, the process will end up with the following context:

system_u:system_r:initrc_t:s0 23182 ? Ss 0:00 php-fpm: master process

As you can see, the process is not transitioning properly to the correct context, httpd_php_t.

In order to allow the transition, we must create an SELinux policy module.
Create a new file, /etc/selinux/httpd_php.te (you may use a different name, as long as it ends in .te), and fill it with the following content:

module httpd_php_t 1.0;

require {
    type initrc_t;
    type httpd_php_exec_t;
    type httpd_php_t;
    class file entrypoint;
    class process transition;
}

# When a process in initrc_t executes a file labelled httpd_php_exec_t,
# the new process runs in httpd_php_t instead of staying in initrc_t.
type_transition initrc_t httpd_php_exec_t : process httpd_php_t;

# httpd_php_exec_t is a valid entry point into the httpd_php_t domain.
allow httpd_php_t httpd_php_exec_t : file entrypoint;

# initrc_t is permitted to transition into the httpd_php_t domain.
# This assumes the base policy already lets initrc_t execute files of type
# httpd_php_exec_t (normally the case); if the transition still fails,
# check the audit log for the denied permission.
allow initrc_t httpd_php_t : process transition;

Now, run the following commands to compile and install the SELinux module (remember to use the correct filename if you changed it):

checkmodule -M -m /etc/selinux/httpd_php.te -o /etc/selinux/httpd_php.mod
semodule_package -o /etc/selinux/httpd_php.pp -m /etc/selinux/httpd_php.mod
semodule -i /etc/selinux/httpd_php.pp

That's it. Now restart php5-fpm and the process should transition properly:

system_u:system_r:httpd_php_t:s0 23182 ? Ss 0:00 php-fpm: master process
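The following script is an added example, not part of the original post: it wraps the three build steps above and then checks that php-fpm really ended up in the expected domain, so a failed transition is caught rather than guessed at. It assumes the .te file from the post lives at /etc/selinux/httpd_php.te and that ps output lines start with the SELinux label, as in the listings above.

```shell
#!/bin/sh
# Added example (not from the original post). Paths assumed from the post.
TE=/etc/selinux/httpd_php.te
MOD=/etc/selinux/httpd_php.mod
PP=/etc/selinux/httpd_php.pp

# Compile and load the policy module: the same three steps as the post.
build_and_load_module() {
    checkmodule -M -m "$TE" -o "$MOD" &&
    semodule_package -o "$PP" -m "$MOD" &&
    semodule -i "$PP"
}

# The third field of an SELinux label (user:role:type[:level]) is the type,
# which for a running process is its domain.
domain_of_context() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read labelled ps lines (e.g. from `ps axZ`) on stdin and print the domain
# of the first process whose line contains $1. Exit 1 if none is running.
domain_of_process() {
    pattern=$1
    while read -r line; do
        case "$line" in
            *"$pattern"*) domain_of_context "${line%% *}"; return 0 ;;
        esac
    done
    return 1
}

# Return 0 when the process matching $1 runs in domain $2, 1 otherwise,
# with a message on stderr explaining which case failed.
check_transition() {
    actual=$(domain_of_process "$1") || {
        echo "no running process matches '$1'" >&2
        return 1
    }
    [ "$actual" = "$2" ] && return 0
    echo "'$1' runs as $actual, expected $2: transition did not happen" >&2
    return 1
}

# Typical use (needs root for semodule), after restarting php5-fpm:
#   build_and_load_module && ps axZ | check_transition php-fpm httpd_php_t
```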
