<div dir="ltr">Hello,<div><br></div><div>After doing some more investigation <b><i>your explanation makes perfect sense</i></b>.</div><div>But while going through my own mail I realised that the two allow rules that I mentioned:</div><div>[1]   <i>allow <font color="#ff0000">sandbox_domain</font> default_t : file { ioctl read write getattr lock append };</i></div><div><i>[2]  </i> <i>allow <font color="#ff0000">domain</font> usr_t : dir { ioctl read getattr lock search open };</i></div><div><i><br></i></div><div>If you notice, the first one has <i><b>sandbox_domain</b></i> and the second one just <i><b>domain</b></i>.</div><div>I understand the domain and types are the same, so sandbox_domain == sandbox_t.</div><div>But what does domain in [2] signify?</div><div><br></div><div>Thanks a lot. </div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jan 21, 2015 at 7:50 PM, Daniel J Walsh <span dir="ltr">&lt;<a href="mailto:dwalsh@redhat.com" target="_blank">dwalsh@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000"><span class="">
    <br>
    <div>On 01/21/2015 12:28 AM, Bhuvan Gupta
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">
        <div>
          <div>
            <div>
              <div>
                <div>
                  <div>
                    <div>
                      <div>
                        <div>I am working with selinux sandbox &quot;<a href="http://danwalsh.livejournal.com/28545.html" target="_blank">http://danwalsh.livejournal.com/28545.html</a>&quot;.<br>
                        </div>
                        <br>
                      </div>
                      The blog clearly mentions that the sandbox &quot;Can not
                      Open or Create any files on the system&quot; except
                      the shared libraries.<br>
                      <br>
                    </div>
                    But the current sandbox allows reading dir stuff, which I
                    think should not be allowed:<br>
                  </div>
                  currently I can successfully run: <i><br>
                    &quot;sandbox ls /usr&quot;</i><br>
                </div>
                ls -Z for my /usr is:<br>
                <i>drwxr-xr-x. root root
                  system_u:object_r:usr_t:s0       usr</i><br>
                <br>
              </div>
            </div>
          </div>
        </div>
      </div>
    </blockquote></span>
    Right, these are system objects.  You are allowed to read/execute most
    content under /usr, since sandbox needs to execute programs.  <br><span class="">
    <blockquote type="cite">
      <div dir="ltr">
        <div>
          <div>
            <div>Now I used the sesearch-based policy analysis tool to find
              the allow rules and I have listed a few which I can
              understand and think should not be there:<br>
              [1] <i>allow sandbox_domain default_t : file { ioctl read
                write getattr lock append } ; </i>  # sandbox_t is allowed
              to read/write a file having type default_t, but it
              doesn't allow opening it... so what's the significance of
              {read write}<br>
            </div>
          </div>
        </div>
      </div>
    </blockquote></span>
    This is for leaking a file descriptor into the container.  cat
    /foo/bar | sandbox app &gt; /tmp/output<br>
    <br>
    We want to allow a user to open a file descriptor to any object on
    the machine and then leak the file descriptor into the sandboxed
    app.  The sandboxed app is not allowed to Open any files on the
    system except content with base labels, like usr_t, etc_t, bin_t,
    lib_t.  And these labels it is not allowed to write.<span class=""><br>
    <br>
    <blockquote type="cite">
      <div dir="ltr">
        <div>
          <div>
            <div>[2] <i>allow domain usr_t : dir { ioctl read getattr
                lock search open } </i><br>
              <br>
            </div>
            Added my system details and also attached the complete
            allowed list.<br>
            <br>
          </div>
          I started with SELinux about 1 week back, so there might
          be a problem with my thinking model.<br>
        </div>
        <div><i><b>Does the above stuff make sense from a logical point of
              view and should it be fixed?</b></i><br>
        </div>
        <div>Initially I thought that I would just disallow what I don't
          want... but now I have realised that SELinux is a deny-by-default
          model and we can only allow stuff.<br>
        </div>
        <div>
          <div>
            <div>
              <div>
                <div>
                  <div>
                    <div>
                      <div>
                        <div>
                          <div>
                            <div>
                              <div>
                                <div><br>
                                </div>
                              </div>
                            </div>
                          </div>
                        </div>
                      </div>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </div>
        </div>
      </div>
    </blockquote></span>
    Correct.  If you want to write a more confined SELinux Type, you
    can, but you have to start from scratch.  And then you allow what
    you want.  There is an effort to build<br>
    a new language called CIL, which would allow you to take an existing
    type and create a new type based on that type and remove access. But
    we currently do not use this language.<div><div class="h5"><br>
    <blockquote type="cite">
      <div dir="ltr">
        <div>
          <div>
            <div>
              <div>
                <div>
                  <div>
                    <div>
                      <div>
                        <div>
                          <div>
                            <div>
                              <div>
                                <div>&gt;&gt;yum list installed | grep
                                  selinux<br>
                                  libselinux.x86_64                     
                                  2.2.2-6.el7              <br>
                                  libselinux-python.x86_64              
                                  2.2.2-6.el7             <br>
                                  libselinux-utils.x86_64               
                                  2.2.2-6.el7                <br>
                                  selinux-policy.noarch                 
                                  3.12.1-153.el7_0.13        <br>
                                  selinux-policy-devel.noarch           
                                  3.12.1-153.el7_0.13        <br>
                                  selinux-policy-sandbox.noarch         
                                  3.12.1-153.el7_0.13      <br>
                                  selinux-policy-targeted.noarch        
                                  3.12.1-153.el7_0.13                <br>
                                  <br>
                                  &gt;&gt; yum list installed | grep
                                  sandbox<br>
                                  selinux-policy-sandbox.noarch         
                                  3.12.1-153.el7_0.13 <br>
                                  <br>
                                </div>
                                <div>Thanks<br>
                                </div>
                                <div>Bhuvan<br>
                                </div>
                              </div>
                            </div>
                          </div>
                        </div>
                      </div>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </div>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Tue, Jan 20, 2015 at 2:36 AM, Daniel
          J Walsh <span dir="ltr">&lt;<a href="mailto:dwalsh@redhat.com" target="_blank">dwalsh@redhat.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000"> What do you want to
              Disallow?
              <div>
                <div><br>
                  <br>
                  <div>On 01/18/2015 06:34 AM, Bhuvan Gupta wrote:<br>
                  </div>
                </div>
              </div>
              <blockquote type="cite">
                <div>
                  <div>
                    <div dir="ltr">Hello,
                      <div><br>
                      </div>
                      <div>&quot;Audit2allow&quot; can add a rule to allow some
                        operation.</div>
                      <div>But let's say we want to disallow some
                        operation which is allowed by some policy
                        module, let's say the open operation on some files.</div>
                      <div><br>
                      </div>
                      <div>Is there an easy way to achieve that?</div>
                      <div><br>
                      </div>
                      <div>Or do I have to:</div>
                      <div>[1] get the policy source.</div>
                      <div>[2] edit it accordingly </div>
                      <div>[3] build and reinstall the policy.</div>
                      <div><br>
                      </div>
                      <div><br>
                      </div>
                      <div>Thanks</div>
                      <div>Bhuvan</div>
                      <div><br>
                      </div>
                      <div><br>
                      </div>
                    </div>
                    <br>
                    <fieldset></fieldset>
                    <br>
                  </div>
                </div>
                <span><font color="#888888">
                    <pre>--
selinux mailing list
<a href="mailto:selinux@lists.fedoraproject.org" target="_blank">selinux@lists.fedoraproject.org</a>
<a href="https://admin.fedoraproject.org/mailman/listinfo/selinux" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/selinux</a></pre>
                  </font></span></blockquote>
              <br>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br></div>
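<p>As an added illustration (not part of the thread above), the following script shows how the source identifiers of the two rules expand to concrete types. It assumes, as in the reference policy, that <i>domain</i> is an attribute carried by every process type (sandbox_t included) while <i>sandbox_domain</i> is carried only by the sandbox types; the policy fragment inside it is constructed for the example and is not the Fedora policy.</p>

```python
import re
from collections import defaultdict

# Constructed toy policy fragment (not the real Fedora policy): attribute
# membership plus the two allow rules quoted in the thread, written the way
# sesearch prints them.  sandbox_t carries both attributes; init_t and sshd_t
# carry only 'domain'.
POLICY = """
attribute domain;
attribute sandbox_domain;
typeattribute sandbox_t domain;
typeattribute sandbox_t sandbox_domain;
typeattribute init_t domain;
typeattribute sshd_t domain;
allow sandbox_domain default_t : file { ioctl read write getattr lock append };
allow domain usr_t : dir { ioctl read getattr lock search open };
"""

ALLOW_RE = re.compile(r"allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*\{([^}]*)\}")
TYPEATTR_RE = re.compile(r"typeattribute\s+(\S+)\s+([^;]+);")

def parse_policy(text):
    """Return (attribute -> set of member types, list of allow rules)."""
    members = defaultdict(set)
    for m in TYPEATTR_RE.finditer(text):
        type_name, attrs = m.group(1), m.group(2)
        for attr in attrs.replace(",", " ").split():
            members[attr].add(type_name)
    rules = [(src, tgt, cls, set(perms.split()))
             for src, tgt, cls, perms in ALLOW_RE.findall(text)]
    return members, rules

def expand(name, members):
    """An attribute expands to its member types; a plain type is itself."""
    return set(members[name]) if name in members else {name}

def rules_for_source(policy_text, source_type):
    """Allow rules that apply to source_type, either because the rule names
    the type directly or because the type carries the rule's attribute."""
    members, rules = parse_policy(policy_text)
    return [(src, tgt, cls, sorted(perms)) for src, tgt, cls, perms in rules
            if source_type in expand(src, members)]

if __name__ == "__main__":
    members, rules = parse_policy(POLICY)
    for src, tgt, cls, _ in rules:
        print(f"allow {src} {tgt}:{cls} applies to {sorted(expand(src, members))}")
    print("rules hitting sshd_t:", rules_for_source(POLICY, "sshd_t"))
```

Running it shows that rule [2] reaches every process type in the fragment, not just sandbox_t, which is why it is a very different statement from rule [1].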