I am waving my self-esteem bye-bye. SELinux gives me depression.
I need to intercept log messages from Apache (used as reverse proxy and authentication gateway). In order to do this reliably, I want to use a CustomLogs configuration to run a Python script. This is not too complicated. I understood that e.g. a file context like httpd_unconfined_script_exec_t will get me what I want.
So the construct that works with SElinux permissive is:
CustomLogs pipes into a Python script. The Python script does some filtering and in certain situations decides to manage a memcached used for authentication elsewhere. In order to have this human-auditable, it writes two logs via rotatelogs subprocesses. So far the theory. In permissive mode this works. With SELinux enforcing, it fails.
The trouble with this seems to be that my script tries to use (multiple) rotatelogs as subprocess(es). Now rotatelogs has a defined transition in the SELinux policy module, like (httpd_t, httpd_rotatelogs_exec_t) -> httpd_rotatelogs_t. Without running in this context, rotatelogs seems to have trouble accessing the log directory.
So calling rotatelogs directly from httpd works. Calling it from my script renders it into httpd_unconfined_script_t, which denies certain actions as far as I understood.
I tried to read an SELinux book, but apparently it is a larger labyrinth for a quick understanding. I tried to read the related CentOS source RPMs, i.e. the reference source for a start. I ended up in vertigo.
I do have a few (time-consuming) ideas on how to get out of this. I failed to simply use httpd_t on the script: it ran, with no audit logs, but it did not work anymore. This is so frustrating.
So here is the question set:
- Is there a reference documentation on what the targeted policies actually do, including their transitions/relations? Somewhat like a dictionary?
- Is there an advisable context type for such a script that does not render rotatelogs unusable when being called as a subprocess?
My targeted last resorts for a way out are:
- keep the script as httpd_t and use audit2allow to capture the required changes. The final system will be Ansible-controlled, so this would be pretty straightforward to deploy.
- switch back to a single-ended rotatelogs and try piping the CustomLogs; does that still work? My first tests failed, but this might have been due to wrong file contexts.
- forget about rotatelogs and do my own within the script.
Happy for any clue or even just some sympathy.
Thanks in advance.
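Before reaching for audit2allow, it helps to read the AVC denials and check which domain the rotatelogs child actually ran in versus the domain the policy's exec transition should have given it. The following is an added example (not the poster's script): it parses constructed audit.log lines, groups denials by (source domain, target type, class), and flags a command whose source domain differs from the expected transition target. The audit lines and the EXPECTED_DOMAIN table are assumptions made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt (not from the poster's system): a
# rotatelogs child spawned by the CustomLog script is denied access to the
# log directory because it inherited the script's domain.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1700000000.123:456): avc:  denied  { write open } for  pid=2345 comm="rotatelogs" name="access_log" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_unconfined_script_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.124:457): avc:  denied  { add_name } for  pid=2345 comm="rotatelogs" name="access_log.1700000000" scontext=system_u:system_r:httpd_unconfined_script_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1700000000.124:457): arch=c000003e syscall=2 success=no exit=-13
"""

# Hypothetical expectation table: the domain a command should run in when the
# policy's exec transition fires (here httpd_t -> httpd_rotatelogs_t).
EXPECTED_DOMAIN = {"rotatelogs": "httpd_rotatelogs_t"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for other record types."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return {
        "comm": fields.get("comm", "?"),
        "perms": set(m.group(1).split()),
        "sdomain": fields["scontext"].split(":")[2],  # user:role:TYPE:level
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields.get("tclass", "?"),
    }

def summarise(audit_text, expected=EXPECTED_DOMAIN):
    """Group denied permissions by (source domain, target type, class) and
    report commands that ran in a domain other than the expected one."""
    denials = defaultdict(set)
    wrong_domain = {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        denials[(rec["sdomain"], rec["ttype"], rec["tclass"])] |= rec["perms"]
        want = expected.get(rec["comm"])
        if want and rec["sdomain"] != want:
            wrong_domain[rec["comm"]] = (rec["sdomain"], want)
    return dict(denials), wrong_domain

if __name__ == "__main__":
    denials, wrong = summarise(SAMPLE_AUDIT)
    for key, perms in sorted(denials.items()):
        print("%s -> %s (%s): %s" % (key + (" ".join(sorted(perms)),)))
    for comm, (got, want) in wrong.items():
        print("%s ran as %s, expected %s: check its exec label and transition" % (comm, got, want))
```

Run it against `grep AVC /var/log/audit/audit.log` output; a command listed as running in the wrong domain points at a missing transition rather than at permissions to add.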