audit2allow help to allow, but how to disallow

Bhuvan Gupta bhuvangu at gmail.com
Wed Jan 21 18:13:15 UTC 2015


Hello,

After doing some more investigation, *your explanation makes perfect sense*.
But while going through my own mail I realised that the two allow rules that
I mentioned:
[1] *allow sandbox_domain default_t : file { ioctl read write getattr lock append };*
[2] *allow domain usr_t : dir { ioctl read getattr lock search open };*

If you notice, the first one has *sandbox_domain* and the second one just
*domain*.
I understand that domains and types are the same, so sandbox_domain == sandbox_t.
But what does domain in [2] signify?

Thanks a lot.

On Wed, Jan 21, 2015 at 7:50 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:

>
> On 01/21/2015 12:28 AM, Bhuvan Gupta wrote:
>
>      I am working with the selinux sandbox
> "http://danwalsh.livejournal.com/28545.html".
>
>  The blog clearly mentions that the sandbox "Can not Open or Create any files
> on the system" except the shared libraries.
>
>  But the current sandbox allows reading dir stuff, which I think should not be
> allowed:
>  currently I can successfully run:
> * "sandbox ls /usr"*
>  ls -Z for my /usr is:
> *drwxr-xr-x. root root system_u:object_r:usr_t:s0       usr*
>
>    Right, these are system objects.  You are allowed to read/execute most
> content under /usr, since sandbox needs to execute programs.
>
>   Now I used the sesearch-based policy analysis tool to find the allow rules,
> and I have listed a few which I can understand and think should not be there:
> [1] *allow sandbox_domain default_t : file { ioctl read write getattr
> lock append } ; *  # sandbox_t is allowed to read/write files having type
> default_t, but it doesn't allow opening them... so what's the significance of
> {read write}
>
> This is for leaking a file descriptor into the container.  cat /foo/bar |
> sandbox app > /tmp/output
>
> We want to allow a user to open a file descriptor to any object on the
> machine and then leak the file descriptor into the sandboxed app.  The
> sandboxed app is not allowed to Open any files on the system except content
> with base labels, like usr_t, etc_t, bin_t, lib_t.  And these labels it is
> not allowed to write.
>
>   [2] *allow domain usr_t : dir { ioctl read getattr lock search open } *
>
>  Added my system details and also attached the complete allowed list.
>
>  I started with selinux about 1 week back, so there might be a problem
> with my thinking model.
>  *Does the above stuff make sense from a logical point of view, and should it
> be fixed?*
>  Initially I thought that I would just disallow what I don't want... but
> now I have realised that selinux is a denial-by-default model and we can
> only allow stuff.
>
>         Correct.  If you want to write a more confined SELinux Type, you
> can, but you have to start from scratch.  And then you allow what you
> want.  There is an effort to build a new language called CIL, which would
> allow you to take an existing type and create a new type based on that type
> and remove access.  But we currently do not use this language.
>
>        >>yum list installed | grep selinux
> libselinux.x86_64                      2.2.2-6.el7
> libselinux-python.x86_64               2.2.2-6.el7
> libselinux-utils.x86_64                2.2.2-6.el7
> selinux-policy.noarch                  3.12.1-153.el7_0.13
> selinux-policy-devel.noarch            3.12.1-153.el7_0.13
> selinux-policy-sandbox.noarch          3.12.1-153.el7_0.13
> selinux-policy-targeted.noarch         3.12.1-153.el7_0.13
>
> >> yum list installed | grep sandbox
> selinux-policy-sandbox.noarch          3.12.1-153.el7_0.13
>
>  Thanks
>  Bhuvan
>
> On Tue, Jan 20, 2015 at 2:36 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>
>>  What do you want to Disallow?
>>
>>
>> On 01/18/2015 06:34 AM, Bhuvan Gupta wrote:
>>
>>  Hello,
>>
>>  "Audit2allow" can add rules to allow some operation.
>> But let's say we want to disallow some operation which is allowed by some
>> policy module, let's say the open operation on some files.
>>
>>  Is there an easy way to achieve that?
>>
>>  Or do I have to:
>> [1] get the policy source,
>> [2] edit it accordingly,
>> [3] build and reinstall the policy.
>>
>>
>>  Thanks
>> Bhuvan
>>
>>
>>
>>
>>   --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>>
>>
>
>
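An added example, not part of the thread or of any SELinux tool: the two rules quoted above differ in their source field because `domain` and `sandbox_domain` are policy *attributes*, and a rule written against an attribute applies to every type that carries it. The script below parses allow rules in the textual shape `sesearch` prints, expands attributes to their member types, and answers deny-by-default permission queries such as "may sandbox_t open a usr_t directory?". The attribute membership table and the rule lines are constructed for illustration (on a real system the membership comes from setools' `seinfo` and the rules from `sesearch -A`); only the rule shape seen in the thread is modelled.

```python
"""Expand SELinux attributes in allow rules and answer permission queries.

Added example, not from the mailing-list thread. The attribute table and
the sesearch-style rule text below are constructed for illustration.
"""
import re

# Constructed attribute membership (hypothetical subset). In the reference
# policy `domain` is carried by every process type, while `sandbox_domain`
# is carried only by the sandbox process types.
ATTRIBUTES = {
    "domain": {"sandbox_t", "sandbox_x_t", "init_t", "unconfined_t"},
    "sandbox_domain": {"sandbox_t", "sandbox_x_t"},
}

# Constructed sesearch-style output: the two rules quoted in the thread
# plus one more of the same shape.
SESEARCH_OUTPUT = """\
allow sandbox_domain default_t : file { ioctl read write getattr lock append } ;
allow domain usr_t : dir { ioctl read getattr lock search open } ;
allow sandbox_t lib_t : file { read getattr open execute } ;
"""

# allow <source> <target> : <class> { <perm> ... } ;
RULE_RE = re.compile(
    r"^allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*\{([^}]*)\}\s*;?\s*$"
)


def parse_rules(text):
    """Return a list of (source, target, class, frozenset(perms)) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rule: {line!r}")
        src, tgt, cls, perms = m.groups()
        rules.append((src, tgt, cls, frozenset(perms.split())))
    return rules


def expand(name, attributes):
    """An attribute stands for every type carrying it; a plain type is itself."""
    return set(attributes.get(name, {name}))


def allowed_perms(rules, attributes, src_type, tgt_type, cls):
    """Union of permissions from every rule whose expanded source and target
    contain the given types. SELinux is deny-by-default, so any permission
    missing from this set is denied."""
    perms = set()
    for src, tgt, rule_cls, rule_perms in rules:
        if rule_cls != cls:
            continue
        if src_type in expand(src, attributes) and tgt_type in expand(tgt, attributes):
            perms |= rule_perms
    return perms


def is_allowed(rules, attributes, src_type, tgt_type, cls, perm):
    return perm in allowed_perms(rules, attributes, src_type, tgt_type, cls)


def rules_reaching(rules, attributes, src_type):
    """Sorted rule sources (types or attributes) that grant src_type access.
    A rule on `domain` reaches sandbox_t because sandbox_t carries that
    attribute, even though the rule never names sandbox_t."""
    return sorted({src for src, *_ in rules if src_type in expand(src, attributes)})


if __name__ == "__main__":
    rules = parse_rules(SESEARCH_OUTPUT)
    print("sources reaching sandbox_t:", rules_reaching(rules, ATTRIBUTES, "sandbox_t"))
    print("sandbox_t on usr_t dir:", sorted(allowed_perms(rules, ATTRIBUTES, "sandbox_t", "usr_t", "dir")))
    print("sandbox_t may open default_t file:", is_allowed(rules, ATTRIBUTES, "sandbox_t", "default_t", "file", "open"))
```

The last query shows the point Dan makes about rule [1]: `read` and `write` on `default_t` files are granted, but `open` is not, so the sandboxed process can only use a descriptor that was opened for it outside the sandbox and leaked in.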

