audit2allow help to allow, but how to disallow

Daniel J Walsh dwalsh at redhat.com
Mon Jan 26 23:45:13 UTC 2015


On 01/21/2015 01:13 PM, Bhuvan Gupta wrote:
> Hello,
>
> After doing some more investigation your explanation makes perfect
> sense.
> But while going through my own mail I realised that the two allow rules
> that I mentioned:
> [1]   allow sandbox_domain default_t : file { ioctl read write
> getattr lock append };
> [2]   allow domain usr_t : dir { ioctl read getattr lock search
> open };
>
> If you notice, the first one has sandbox_domain and the second one
> just domain.
sandbox_domain is an attribute of all sandbox_t types:
seinfo -asandbox_domain -x


domain is the attribute of all process types.  So the second allow rule
says every process on the system is allowed to search through usr_t
directories.

> I understand the domain and types are the same, so sandbox_domain == sandbox_t.
> But what does domain in [2] signify?
>
> Thanks a lot. 
>
> On Wed, Jan 21, 2015 at 7:50 PM, Daniel J Walsh <dwalsh at redhat.com
> <mailto:dwalsh at redhat.com>> wrote:
>
>
>     On 01/21/2015 12:28 AM, Bhuvan Gupta wrote:
>>     I am working with selinux sandbox
>>     "http://danwalsh.livejournal.com/28545.html".
>>
>>     The blog clearly mentions that the sandbox "Can not Open or Create
>>     any files on the system" except the shared libraries.
>>
>>     But the current sandbox allows reading dir stuff, which I think should
>>     not be allowed:
>>     currently I can successfully run:
>>     "sandbox ls /usr"
>>     ls -Z for my /usr is:
>>     drwxr-xr-x. root root system_u:object_r:usr_t:s0       usr/
>>
>     Right, these are system objects.  You are allowed to read/execute
>     most content under /usr, since sandbox needs to execute programs.
>>     Now I used the sesearch-based policy analysis tool to find the allow
>>     rules, and I have listed a few which I can understand and think
>>     should not be there:
>>     [1] allow sandbox_domain default_t : file { ioctl read write
>>     getattr lock append } ;  # sandbox_t is allowed to read/write a
>>     file having type default_t, but it is not allowed to open it, so
>>     what's the significance of { read write }?
>     This is for leaking a file descriptor into the container.  cat
>     /foo/bar | sandbox app > /tmp/output
>
>     We want to allow a user to open a file descriptor to any object on
>     the machine and then leak the file descriptor into the sandboxed
>     app.  The sandboxed app is not allowed to Open any files on the
>     system except content with base labels, like usr_t, etc_t, bin_t,
>     lib_t.  And these labels it is not allowed to write.
>
>>     [2] allow domain usr_t : dir { ioctl read getattr lock search
>>     open }
>>
>>     Added my system details and also attached the complete allowed
>>     list.
>>
>>     I started with SELinux about 1 week back, so there might be a
>>     problem with my thinking model.
>>     Does the above stuff make sense from a logical point of view, and
>>     should it be fixed?
>>     Initially I thought that I would just disallow what I don't
>>     want... but now I have realised that SELinux is a deny-by-default
>>     model and we can only allow stuff.
>>
>     Correct.  If you want to write a more confined SELinux Type, you
>     can, but you have to start from scratch.  And then you allow what
>     you want.  There is an effort to build
>     a new language called CIL, which would allow you to take an
>     existing type and create a new type based on that type and remove
>     access. But we currently do not use this language
>
>>     >> yum list installed | grep selinux
>>     libselinux.x86_64                      2.2.2-6.el7
>>     libselinux-python.x86_64               2.2.2-6.el7
>>     libselinux-utils.x86_64                2.2.2-6.el7
>>     selinux-policy.noarch                  3.12.1-153.el7_0.13
>>     selinux-policy-devel.noarch            3.12.1-153.el7_0.13
>>     selinux-policy-sandbox.noarch          3.12.1-153.el7_0.13
>>     selinux-policy-targeted.noarch         3.12.1-153.el7_0.13
>>
>>     >> yum list installed | grep sandbox
>>     selinux-policy-sandbox.noarch          3.12.1-153.el7_0.13
>>
>>     Thanks
>>     Bhuvan
>>
>>     On Tue, Jan 20, 2015 at 2:36 AM, Daniel J Walsh
>>     <dwalsh at redhat.com <mailto:dwalsh at redhat.com>> wrote:
>>
>>         What do you want to Disallow?
>>
>>
>>         On 01/18/2015 06:34 AM, Bhuvan Gupta wrote:
>>>         Hello,
>>>
>>>         "audit2allow" can add rules to allow some operation.
>>>         But let's say we want to disallow some operation which is
>>>         allowed by some policy module, say the open operation on
>>>         some files.
>>>
>>>         Is there an easy way to achieve that?
>>>
>>>         Or do I have to:
>>>         [1] get the policy source,
>>>         [2] edit it accordingly,
>>>         [3] build and reinstall the policy?
>>>
>>>
>>>         Thanks
>>>         Bhuvan
>>>
>>>
>>>
>>>
>>>         --
>>>         selinux mailing list
>>>         selinux at lists.fedoraproject.org <mailto:selinux at lists.fedoraproject.org>
>>>         https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>>
>

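Added example (not part of the thread, and not code from Dan or from
the sandbox policy): a small Python script that reproduces the reasoning
above offline. It parses sesearch-style allow rules, expands attributes
such as sandbox_domain and domain into their member types the way
`seinfo -a<attr> -x` lists them, and unions everything into the effective
per-type access. That makes both points in the thread checkable: the
`domain` rule gives every process type `search` on usr_t directories, and
sandbox_t has `read`/`write` but not `open` on default_t files. It also
shows why there is no "disallow" step: access is the union of every rule
that grants it, so removing one rule only helps if no other rule (or
attribute) still grants the permission. The rule text and the attribute
membership below are constructed samples (the two rules quoted in the
thread plus two made-up rules and a tiny subset of real attribute
membership); on a real system you would feed it the output of
`sesearch --allow` and `seinfo -a<attr> -x` instead.

```python
"""Resolve SELinux allow rules through attributes (added example).

Sample data is constructed: real input comes from sesearch/seinfo.
"""
import re
from collections import defaultdict

# sesearch-style allow rules. The first two are the rules quoted in the
# thread; the last two are constructed for illustration only.
ALLOW_RULES = """
allow sandbox_domain default_t : file { ioctl read write getattr lock append };
allow domain usr_t : dir { ioctl read getattr lock search open };
allow sandbox_t usr_t : file { read getattr open execute };
allow sshd_t etc_t : file { read getattr open };
"""

# Attribute membership as `seinfo -a<attr> -x` would list it. Constructed,
# illustrative subset: the real `domain` attribute has hundreds of types.
ATTRIBUTES = {
    "sandbox_domain": {"sandbox_t", "sandbox_x_t"},
    "domain": {"sandbox_t", "sandbox_x_t", "sshd_t", "unconfined_t"},
}

# allow <src> <tgt> : <class> { <perms> } ;   (trailing ';' optional)
RULE_RE = re.compile(
    r"^allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*\{\s*([^}]*)\}\s*;?\s*$"
)


def parse_allow_rules(text):
    """Parse 'allow src tgt : class { perms };' lines into tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsed rule: %r" % line)
        src, tgt, cls, perms = m.groups()
        rules.append((src, tgt, cls, frozenset(perms.split())))
    return rules


def expand_types(name, attrs):
    """An attribute expands to its member types; a plain type is itself."""
    return attrs.get(name, {name})


def effective_access(rules, attrs):
    """Union every rule into (src_type, tgt_type, class) -> permissions.

    SELinux access is additive: a permission granted by any rule, directly
    or via an attribute, is granted. Nothing here can subtract."""
    access = defaultdict(set)
    for src, tgt, cls, perms in rules:
        for s in expand_types(src, attrs):
            for t in expand_types(tgt, attrs):
                access[(s, t, cls)] |= perms
    return access


def perms_for(access, src, tgt, cls):
    """Effective permissions of one source type on one (target, class)."""
    return frozenset(access.get((src, tgt, cls), set()))


def who_can(access, tgt, cls, perm):
    """Every source type holding `perm` on (tgt, cls)."""
    return {s for (s, t, c), p in access.items()
            if t == tgt and c == cls and perm in p}


def granting_rules(rules, attrs, src, tgt, cls, perm):
    """All rules that contribute `perm` for src on (tgt, cls). To take the
    access away you would have to remove every one of them."""
    return [r for r in rules
            if src in expand_types(r[0], attrs)
            and tgt in expand_types(r[1], attrs)
            and r[2] == cls and perm in r[3]]


if __name__ == "__main__":
    rules = parse_allow_rules(ALLOW_RULES)
    access = effective_access(rules, ATTRIBUTES)
    print("sandbox_t on default_t:file ->",
          sorted(perms_for(access, "sandbox_t", "default_t", "file")))
    print("who can search usr_t dirs ->",
          sorted(who_can(access, "usr_t", "dir", "search")))
    print("rules giving sshd_t search on usr_t ->",
          granting_rules(rules, ATTRIBUTES, "sshd_t", "usr_t", "dir", "search"))
```

Running it shows sshd_t (a constructed member of `domain`) searching usr_t
directories purely through the attribute rule, which is what Dan's answer
describes; audit2allow only ever appends rules to such a set, so the
"disallow" question reduces to locating every granting rule with
something like granting_rules() and rebuilding the type without them.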