Allowing a program to run in the enforce security policy

In the previous article we wrote an AWK program to report on logged-in users. It is still a script file that has to be run through the ‘awk’ program on the command line. If you want to execute it directly, add #!/usr/bin/awk -f as the first line of the file. We rewrite the program:

#!/usr/bin/awk -f

# Match the lines of `last` output that end in a "(HH:MM)" session duration.
/^\S+.+\([0-9]{2}:[0-9]{2}\)$/ {
    if ( $1 == "reboot" )        # skip the pseudo-user "reboot"
        next
    gsub ( "[()]", "", $NF )     # strip the parentheses from "(HH:MM)"
    split ( $NF, a, ":" )        # a[1] = hours, a[2] = minutes
    hours[$1] += a[1]
    minutes[$1] += a[2]
    logins[$1] ++
}

END {
    # asorti returns the number of users and fills d[1..n] with the user
    # names in sorted order; "for ( i in d )" would visit them in an
    # unspecified order and throw the sorting away.
    n = asorti ( hours, d )
    for ( i = 1; i <= n; i++ ) {
        user = d[i]
        hours[user] += int ( minutes[user] / 60 )   # carry whole hours out of the minutes
        minutes[user] %= 60

        printf "User %s: total login time ", user
        printf "%02d:%02d, ", hours[user], minutes[user]
        print "total logins " logins[user] "."
    }
}

Suppose the program file is placed in the awk subdirectory of the Documents folder in your home directory. For example, its path is:

/home/tuyen/Documents/awk/login.awk

Next, suppose you are in the program’s directory, i.e. /home/tuyen/Documents/awk. You need to change the program file’s mode bits to make it executable, as follows:

chmod +x login.awk

Then add the current directory to the command search path:

addtailpath $PWD PATH

On a normal Linux system it would be enough to run this command:

last | login.awk

But in Omarine with SELinux in enforcing mode that command is not possible.

Why?

Because Omarine’s “internal firewall” blocked it. The program file with its security context is not allowed to run. Let’s check:

ls -Z login.awk

The green colour and the asterisk shown for login.awk indicate that it has the executable bits set. But its type, xdg_documents_t, is not allowed to run under the security policy.
We see that not all programs are allowed to run arbitrarily. That is the security enhancement of the system.
Now we allow the program to run by changing its type to bin_t, as the root user:

semanage fcontext -a -t bin_t /home/tuyen/Documents/awk/login.awk
restorecon /home/tuyen/Documents/awk/login.awk

The file context has changed.

As a result, the program is now actually executable.
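As an added example (not part of the original post), here is a small POSIX shell helper that performs the ls -Z check above and, when the type is not bin_t, prints the semanage/restorecon commands from the post instead of guessing. It assumes the modern two-column output of ls -Z FILE ("user:role:type:level FILE") and changes nothing on the system.

```shell
#!/bin/sh
# Added example, not from the original post: report whether a file's SELinux
# type is the one the policy lets run as a command (bin_t in the post) and
# print the relabel commands if it is not. Nothing is modified here.
# Assumption: `ls -Z FILE` prints "user:role:type:level FILE" on one line.

# Print the type field of a full SELinux context string.
selinux_type() {
    printf '%s\n' "$1" | awk -F: '{ print $3 }'
}

# Check one `ls -Z` output line against the wanted type (default bin_t).
# Returns 0 when the label is already right, 1 when a relabel is needed,
# 2 when the file carries no SELinux label at all ("?" in the first column).
check_label_line() {
    line=$1
    want=${2:-bin_t}
    ctx=${line%% *}
    file=${line#* }
    if [ "$ctx" = "?" ]; then
        echo "$file: no SELinux label (SELinux not active on this filesystem)"
        return 2
    fi
    ftype=$(selinux_type "$ctx")
    if [ "$ftype" = "$want" ]; then
        echo "$file: type $ftype, allowed to run"
        return 0
    fi
    echo "$file: type $ftype is not $want; as root run:"
    echo "  semanage fcontext -a -t $want $file"
    echo "  restorecon -v $file"
    return 1
}

# Run the check on a real file on this machine.
check_file() {
    check_label_line "$(ls -Z "$1")" "${2:-bin_t}"
}

# Constructed sample in the format of `ls -Z login.awk` before relabeling.
SAMPLE='unconfined_u:object_r:xdg_documents_t:s0 /home/tuyen/Documents/awk/login.awk'
check_label_line "$SAMPLE" || echo "exit status $?"
```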

If you like this post please share it with your friends instead of thanks.
