<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <br>
    <div class="moz-cite-prefix">On 01/21/2015 01:13 PM, Bhuvan Gupta
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAF4ab9WEjqdc1biodXVVcjfv-Z9pOhRjgdy5w-DJ1Di=JaE2AQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">Hello,
        <div><br>
        </div>
        <div>After doing some more investigation <b><i>your explanation
              makes perfect sense</i></b>.</div>
        <div>But while going through my own mail I realised that the two
          allow rules that I mentioned:</div>
        <div>[1]   <i>allow <font color="#ff0000">sandbox_domain</font>
            default_t : file { ioctl read write getattr lock append };</i></div>
        <div><i>[2]  </i> <i>allow <font color="#ff0000">domain</font>
            usr_t : dir { ioctl read getattr lock search open };</i></div>
        <div><i><br>
          </i></div>
        <div>If you notice, the first one has <i><b>sandbox_domain</b></i>
          and the second one just <i><b>domain</b></i>.</div>
      </div>
    </blockquote>
    <i><b>sandbox_domain is an attribute of all sandbox_t types<br>
        seinfo -asandbox_domain -x<br>
        <br>
        <br>
        domain is the attribute of all process types.  So the second
        allow rule says every process<br>
        on the system is allowed to search through usr_t directories.<br>
        <br>
      </b></i>
    <blockquote
cite="mid:CAF4ab9WEjqdc1biodXVVcjfv-Z9pOhRjgdy5w-DJ1Di=JaE2AQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>I understand that domains and types are the same, so
          sandbox_domain == sandbox_t.</div>
        <div>But what does domain in [2] signify?</div>
        <div><br>
        </div>
        <div>Thanks a lot. </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Wed, Jan 21, 2015 at 7:50 PM, Daniel
          J Walsh <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:dwalsh@redhat.com" target="_blank">dwalsh@redhat.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000"><span class=""> <br>
                <div>On 01/21/2015 12:28 AM, Bhuvan Gupta wrote:<br>
                </div>
                <blockquote type="cite">
                  <div dir="ltr">
                    <div>
                      <div>
                        <div>
                          <div>
                            <div>
                              <div>
                                <div>
                                  <div>
                                    <div>I am working with selinux
                                      sandbox "<a moz-do-not-send="true"
href="http://danwalsh.livejournal.com/28545.html" target="_blank">http://danwalsh.livejournal.com/28545.html</a>".<br>
                                    </div>
                                    <br>
                                  </div>
                                  The blog clearly mentions that the
                                  sandbox "Can not Open or Create any
                                  files on the system" except the
                                  shared libraries.<br>
                                  <br>
                                </div>
                                But the current sandbox allows reading dir
                                stuff, which I think should not be
                                allowed:<br>
                              </div>
                              currently I can successfully run: <i><br>
                                "sandbox ls /usr"</i><br>
                            </div>
                            ls -Z for my /usr is:<br>
                            <i>drwxr-xr-x. root root
                              system_u:object_r:usr_t:s0       usr</i><br>
                            <br>
                          </div>
                        </div>
                      </div>
                    </div>
                  </div>
                </blockquote>
              </span> Right, these are system objects.  You are allowed to
              read/execute most content under /usr, since sandbox needs
              to execute programs.  <br>
              <span class="">
                <blockquote type="cite">
                  <div dir="ltr">
                    <div>
                      <div>
                        <div>Now I used the sesearch-based policy analysis
                          tool to find the allow rules, and I have listed a
                          few which I can understand and think should
                          not be there:<br>
                          [1] <i>allow sandbox_domain default_t : file
                            { ioctl read write getattr lock append } ; </i> 
                          # sandbox_t is allowed to read/write a file
                          having type default_t, but it isn't allowed
                          to open it.. so what's the significance of {read
                          write}<br>
                        </div>
                      </div>
                    </div>
                  </div>
                </blockquote>
              </span> This is for leaking a file descriptor into the
              container.  cat /foo/bar | sandbox app &gt; /tmp/output<br>
              <br>
              We want to allow a user to open a file descriptor to any
              object on the machine and then leak the file descriptor
              into the sandboxed app.  The sandboxed app is not allowed
              to open any files on the system except content with base
              labels, like usr_t, etc_t, bin_t, lib_t.  And it is not
              allowed to write to these labels.<span class=""><br>
                <br>
                <blockquote type="cite">
                  <div dir="ltr">
                    <div>
                      <div>
                        <div>[2] <i>allow domain usr_t : dir { ioctl
                            read getattr lock search open } </i><br>
                          <br>
                        </div>
                        Added my system details and also attached the
                        complete allow list.<br>
                        <br>
                      </div>
                      I started with SELinux about 1 week back, so
                      there might be a problem with my thinking model.<br>
                    </div>
                    <div><i><b>Does the above stuff make sense from a
                          logical point of view, and should it be fixed?</b></i><br>
                    </div>
                    <div>Initially I thought that I would just disallow
                      what I don't want... but now I have realised that
                      SELinux is a deny-by-default model and we can only
                      allow stuff.<br>
                    </div>
                    <div>
                      <div>
                        <div>
                          <div>
                            <div>
                              <div>
                                <div>
                                  <div>
                                    <div>
                                      <div>
                                        <div>
                                          <div>
                                            <div><br>
                                            </div>
                                          </div>
                                        </div>
                                      </div>
                                    </div>
                                  </div>
                                </div>
                              </div>
                            </div>
                          </div>
                        </div>
                      </div>
                    </div>
                  </div>
                </blockquote>
              </span> Correct.  If you want to write a more confined
              SELinux Type, you can, but you have to start from
              scratch.  And then you allow what you want.  There is an
              effort to build<br>
              a new language called CIL, which would allow you to take
              an existing type and create a new type based on that type
              and remove access. But we currently do not use this
              language.
              <div>
                <div class="h5"><br>
                  <blockquote type="cite">
                    <div dir="ltr">
                      <div>
                        <div>
                          <div>
                            <div>
                              <div>
                                <div>
                                  <div>
                                    <div>
                                      <div>
                                        <div>
                                          <div>
                                            <div>
                                              <div>&gt;&gt;yum list installed | grep selinux<br>
                                                libselinux.x86_64 2.2.2-6.el7<br>
                                                libselinux-python.x86_64 2.2.2-6.el7<br>
                                                libselinux-utils.x86_64 2.2.2-6.el7<br>
                                                selinux-policy.noarch 3.12.1-153.el7_0.13<br>
                                                selinux-policy-devel.noarch 3.12.1-153.el7_0.13<br>
                                                selinux-policy-sandbox.noarch 3.12.1-153.el7_0.13<br>
                                                selinux-policy-targeted.noarch 3.12.1-153.el7_0.13<br>
                                                <br>
                                                &gt;&gt; yum list installed | grep sandbox<br>
                                                selinux-policy-sandbox.noarch 3.12.1-153.el7_0.13<br>
                                                <br>
                                              </div>
                                              <div>Thanks<br>
                                              </div>
                                              <div>Bhuvan<br>
                                              </div>
                                            </div>
                                          </div>
                                        </div>
                                      </div>
                                    </div>
                                  </div>
                                </div>
                              </div>
                            </div>
                          </div>
                        </div>
                      </div>
                    </div>
                    <div class="gmail_extra"><br>
                      <div class="gmail_quote">On Tue, Jan 20, 2015 at
                        2:36 AM, Daniel J Walsh <span dir="ltr">&lt;<a
                            moz-do-not-send="true"
                            href="mailto:dwalsh@redhat.com"
                            target="_blank">dwalsh@redhat.com</a>&gt;</span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0
                          0 0 .8ex;border-left:1px #ccc
                          solid;padding-left:1ex">
                          <div bgcolor="#FFFFFF" text="#000000"> What do
                            you want to disallow?
                            <div>
                              <div><br>
                                <br>
                                <div>On 01/18/2015 06:34 AM, Bhuvan
                                  Gupta wrote:<br>
                                </div>
                              </div>
                            </div>
                            <blockquote type="cite">
                              <div>
                                <div>
                                  <div dir="ltr">Hello,
                                    <div><br>
                                    </div>
                                    <div>"Audit2allow" can add rules to
                                      allow some operation.</div>
                                    <div>But let's say we want to disallow
                                      some operation which is allowed by
                                      some policy module, let's say the open
                                      operation on some files.</div>
                                    <div><br>
                                    </div>
                                    <div>Is there an easy way to achieve
                                      that?</div>
                                    <div><br>
                                    </div>
                                    <div>Or do I have to:</div>
                                    <div>[1] get the policy source.</div>
                                    <div>[2] edit it accordingly </div>
                                    <div>[3] build and reinstall the
                                      policy.</div>
                                    <div><br>
                                    </div>
                                    <div><br>
                                    </div>
                                    <div>Thanks</div>
                                    <div>Bhuvan</div>
                                    <div><br>
                                    </div>
                                    <div><br>
                                    </div>
                                  </div>
                                  <br>
                                  <br>
                                </div>
                              </div>
                              <span><font color="#888888">
                                  <pre>--
selinux mailing list
<a moz-do-not-send="true" href="mailto:selinux@lists.fedoraproject.org" target="_blank">selinux@lists.fedoraproject.org</a>
<a moz-do-not-send="true" href="https://admin.fedoraproject.org/mailman/listinfo/selinux" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/selinux</a></pre>
                                </font></span></blockquote>
                            <br>
                          </div>
                        </blockquote>
                      </div>
                      <br>
                    </div>
                  </blockquote>
                  <br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
    </blockquote>
    <br>
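    <div>
      A toy model of the point made in this thread, added here as an example; it is not code from the thread or from the SELinux project. It parses the two sesearch-style allow rules quoted above, expands the <i>domain</i> and <i>sandbox_domain</i> attributes to a constructed subset of concrete types (the membership sets, and the types httpd_t, sshd_t, unconfined_t and sandbox_x_t in them, are assumptions, not seinfo output), and answers access questions with deny-by-default semantics: anything no rule grants is denied. Real policy evaluation also involves booleans, constraints, MLS and neverallow checks, which this model leaves out.
    </div>

```python
"""Toy model of SELinux allow-rule evaluation over attributes.

Added example, not code from the mailing-list thread or the SELinux
project. Parses sesearch-style allow rules, expands attributes to a
constructed set of concrete types, and answers access questions with
deny-by-default semantics.
"""
import re

# Constructed attribute membership (assumption, not real seinfo output).
# The real policy has hundreds of types in 'domain'; these few are enough
# to show the difference between a rule on 'sandbox_domain' (a handful of
# sandbox types) and one on 'domain' (every process type on the system).
ATTRIBUTES = {
    "domain": {"sandbox_t", "sandbox_x_t", "unconfined_t", "httpd_t", "sshd_t"},
    "sandbox_domain": {"sandbox_t", "sandbox_x_t"},
}

# The two allow rules quoted in the thread, in sesearch output format.
RULES_TEXT = """
allow sandbox_domain default_t : file { ioctl read write getattr lock append } ;
allow domain usr_t : dir { ioctl read getattr lock search open } ;
"""

RULE_RE = re.compile(r"allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s*\{([^}]*)\}\s*;?")


def parse_rules(text):
    """Return a list of (source, target, class, perms) tuples."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unparsed rule: %r" % line)
        src, tgt, cls, perms = m.groups()
        rules.append((src, tgt, cls, frozenset(perms.split())))
    return rules


def expand(name, attributes=ATTRIBUTES):
    """An attribute expands to its member types; a plain type is itself."""
    return set(attributes.get(name, {name}))


def build_access_table(rules, attributes=ATTRIBUTES):
    """Map (source_type, target_type, class) to the union of granted perms.

    Both the source and the target of each rule are expanded, so a single
    rule on 'domain' becomes one entry per process type.
    """
    table = {}
    for src, tgt, cls, perms in rules:
        for s in expand(src, attributes):
            for t in expand(tgt, attributes):
                table.setdefault((s, t, cls), set()).update(perms)
    return table


def is_allowed(table, source, target, cls, perm):
    """Deny by default: only an explicit grant returns True."""
    return perm in table.get((source, target, cls), set())


def sources_granted(table, target, cls, perm):
    """Concrete source types that hold `perm` on (target, cls)."""
    return {s for (s, t, c), perms in table.items()
            if t == target and c == cls and perm in perms}


TABLE = build_access_table(parse_rules(RULES_TEXT))

if __name__ == "__main__":
    # Rule [1]: sandbox_t may read/write a default_t file whose descriptor
    # it inherited, but cannot open one itself (no 'open' is granted).
    print(is_allowed(TABLE, "sandbox_t", "default_t", "file", "read"))  # True
    print(is_allowed(TABLE, "sandbox_t", "default_t", "file", "open"))  # False
    # Rule [2]: 'domain' covers every process type, not only sandbox_t.
    print(sorted(sources_granted(TABLE, "usr_t", "dir", "search")))
    # Nothing grants write on usr_t directories, so it is denied.
    print(is_allowed(TABLE, "sandbox_t", "usr_t", "dir", "write"))  # False
```

    <div>
      The access table makes the two answers above concrete: read and write on default_t files succeed for sandbox_t while open fails, which is exactly the leaked-descriptor case, and search on usr_t directories is granted to every member of the domain attribute, not only to the sandbox types, because the rule names the attribute rather than a type.
    </div>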
  </body>
</html>