<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body dir="auto">
<div>The refpolicy has the following mcs constraints:</div>
<div><br>
</div>
<div>
<p style="margin-top: 0px; margin-bottom: 0px;"><span style="background-color: rgba(255, 255, 255, 0);"># New filesystem object labels must be dominated by the relabeling subject<br>
# clearance, also the objects are single-level.<br>
mlsconstrain file { create relabelto }<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (( h1 dom h2 ) and ( l2 eq h2 ));</span></p>
<p style="margin-top: 0px; margin-bottom: 0px;"><span style="background-color: rgba(255, 255, 255, 0);"><br>
</span></p>
<p style="margin-top: 0px; margin-bottom: 0px;"><span style="background-color: rgba(255, 255, 255, 0);">mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (( h1 dom h2 ) and ( l2 eq h2 ));</span></p>
</div>
<div><br>
</div>
<div>There's no &quot;or ( t1 != mcs_constrained_type)&quot; for the relabelto of files (unlike other constraints in the mcs policy), so I don't think there can be an attribute to allow a domain to override the constraint. Perhaps you could look into transitioning initrc_t
 to a different domain with system_high clearance, which can then do what you need it to?</div>
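<div>As an added illustration (my own script, not part of this reply or of refpolicy), a small Python evaluator of that constraint, (( h1 dom h2 ) and ( l2 eq h2 )), run over the contexts in the AVC quoted below: it shows why a subject at s0 cannot relabel a file to s0:c18, and why a clearance of s0-s0:c0.c1023 (system_high) would satisfy h1 dom h2. The constructed second context and the helper names are assumptions of the example.</div>

```python
import re

def parse_cats(spec):
    # Category spec as SELinux prints it: "c18", "c0.c1023" (range), comma separated.
    cats = set()
    for part in filter(None, spec.split(",")):
        if "." in part:
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return cats

def parse_level(level):
    # "s0:c18" -> (0, {18}); "s0" -> (0, set())
    sens, _, cats = level.partition(":")
    return int(sens[1:]), parse_cats(cats)

def parse_range(rng):
    # "s0-s0:c0.c1023" -> (low, high); a single level "s0" has low == high.
    low, _, high = rng.partition("-")
    low_lvl = parse_level(low)
    return low_lvl, (parse_level(high) if high else low_lvl)

def dom(a, b):
    # MLS dominance: sensitivity at least as high and categories a superset.
    return a[0] >= b[0] and a[1] >= b[1]

def context_range(ctx):
    # user:role:type:range; the range itself may contain ':' (s0:c18), so split at most 3 times.
    return parse_range(ctx.split(":", 3)[3])

def relabelto_allowed(scontext, tcontext):
    """The refpolicy MCS constraint for file { create relabelto }:
    (( h1 dom h2 ) and ( l2 eq h2 )), h1 = subject high, l2/h2 = target low/high."""
    _l1, h1 = context_range(scontext)
    l2, h2 = context_range(tcontext)
    return dom(h1, h2) and l2 == h2

AVC_RE = re.compile(r"scontext=(\S+)\s+tcontext=(\S+)")

def check_avc(line):
    # Pull both contexts out of an AVC line and evaluate the constraint on them.
    scontext, tcontext = AVC_RE.search(line).groups()
    return relabelto_allowed(scontext, tcontext)

# First denial from the thread below: initrc_t at plain s0 relabeling to s0:c18.
SAMPLE_AVC = ('type=AVC msg=audit(1447281933.532:76): avc: denied { relabelto } for pid=1429 '
              'comm="chcon" name="select2_doctype.css" dev=dm-0 ino=614732 '
              'scontext=system_u:system_r:initrc_t:s0 '
              'tcontext=myapp_u:object_r:myapp_webapps_t:s0:c18 tclass=file')
# Constructed: the same subject type with a system_high clearance (an assumption of this example).
HIGH_CLEARANCE = "system_u:system_r:initrc_t:s0-s0:c0.c1023"
```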
<div><br>
</div>
<div>Cheers,</div>
<div>Doug</div>
<div><br>
On 12 Nov 2015, at 9:36 AM, Tracy Reed &lt;<a href="mailto:treed@ultraviolet.org">treed@ultraviolet.org</a>&gt; wrote:<br>
<br>
</div>
<blockquote type="cite">
<div><span>dgrift suggested on IRC that I try the domain_obj_id_change_exemption attribute.</span><br>
<span></span><br>
<span>I tried that and it didn't work. For example I added the following (including</span><br>
<span>trying the extra unnecessary attributes):</span><br>
<span></span><br>
<span># Adding lines to try and overcome the constraint violation for initrc starting nodes.</span><br>
<span>domain_obj_id_change_exemption(initrc_t)</span><br>
<span>domain_subj_id_change_exemption(initrc_t)</span><br>
<span>domain_role_change_exemption(initrc_t)</span><br>
<span>domain_system_change_exemption(initrc_t)</span><br>
<span>domain_user_exemption_target(initrc_t)</span><br>
<span></span><br>
<span># Guess this really shouldn't be necessary, but just in case.</span><br>
<span>allow initrc_t myapp_exec_t:file execute;</span><br>
<span>allow initrc_t myapp_java_t:file { execute read execmod open getattr execute_no_trans };</span><br>
<span>allow initrc_t myapp_java_t:file { relabelfrom relabelto getattr };</span><br>
<span>allow initrc_t myapp_api_t:file { relabelfrom relabelto getattr };</span><br>
<span>allow initrc_t myapp_bin_t:file { relabelfrom relabelto getattr };</span><br>
<span>allow initrc_t myapp_conf_t:file { relabelfrom relabelto getattr };</span><br>
<span>allow initrc_t myapp_exec_t:file { relabelfrom relabelto getattr };</span><br>
<span>allow initrc_t myapp_lib_t:file { relabelfrom relabelto getattr };</span><br>
<span>allow initrc_t myapp_logs_t:file { relabelfrom relabelto getattr };</span><br>
<span>allow initrc_t myapp_nodes_t:file { relabelfrom relabelto getattr };</span><br>
<span>allow initrc_t myapp_release_t:file { relabelfrom relabelto getattr };</span><br>
<span>allow initrc_t myapp_scripts_t:file { relabelfrom relabelto getattr };</span><br>
<span>allow initrc_t myapp_util_t:file { relabelfrom relabelto getattr };</span><br>
<span>allow initrc_t myapp_var_t:file { relabelfrom relabelto getattr };</span><br>
<span>allow initrc_t myapp_webapps_t:file { relabelfrom relabelto getattr };</span><br>
<span></span><br>
<span>Policy loads, but on reboot when the init.d starts the web application: &nbsp;</span><br>
<span></span><br>
<span>type=AVC msg=audit(1447281933.532:76): avc: &nbsp;denied &nbsp;{ relabelto } for &nbsp;pid=1429 comm=&quot;chcon&quot; name=&quot;select2_doctype.css&quot; dev=dm-0 ino=614732 scontext=system_u:system_r:initrc_t:s0 tcontext=myapp_u:object_r:myapp_webapps_t:s0:c18 tclass=file</span><br>
<span>type=AVC msg=audit(1447281933.607:77): avc: &nbsp;denied &nbsp;{ relabelto } for &nbsp;pid=1429 comm=&quot;chcon&quot; name=&quot;myapp-release&quot; dev=dm-0 ino=508002 scontext=system_u:system_r:initrc_t:s0 tcontext=myapp_u:object_r:myapp_release_t:s0:c18 tclass=file</span><br>
<span>type=AVC msg=audit(1447281933.936:78): avc: &nbsp;denied &nbsp;{ relabelto } for &nbsp;pid=1429 comm=&quot;chcon&quot; name=&quot;README&quot; dev=dm-0 ino=1296427 scontext=system_u:system_r:initrc_t:s0 tcontext=myapp_u:object_r:myapp_logs_t:s0:c18 tclass=file</span><br>
<span></span><br>
<span>Still getting the constraint messages.</span><br>
<span>#!!!! This avc is a constraint violation. &nbsp;You will need to add an attribute to either the source or target type to make it work.</span><br>
<span>#Contraint rule:</span><br>
<span>allow initrc_t myapp_logs_t:file relabelto;</span><br>
<span></span><br>
<span>Ideas?</span><br>
<span></span><br>
<span>On Tue, Nov 10, 2015 at 03:48:35PM PST, Tracy Reed spake thusly:</span><br>
<blockquote type="cite"><span>Hello all! </span><br>
</blockquote>
<blockquote type="cite"><span></span><br>
</blockquote>
<blockquote type="cite"><span>Way back in May I wrote to the list and got some, but not all, of the problems</span><br>
</blockquote>
<blockquote type="cite"><span>fixed in my policy. This project was on the back-burner mostly working for a</span><br>
</blockquote>
<blockquote type="cite"><span>while but now I need to get it perfected.</span><br>
</blockquote>
<blockquote type="cite"><span></span><br>
</blockquote>
<blockquote type="cite"><span>We use MCS and have an automated process to deploy web application instances to</span><br>
</blockquote>
<blockquote type="cite"><span>machines with a separate category per application instance to protect them from</span><br>
</blockquote>
<blockquote type="cite"><span>each other. When the application starts the init script does a chcon to set the</span><br>
</blockquote>
<blockquote type="cite"><span>category/context. initrc_t is supposedly unconstrained from what I'm reading in</span><br>
</blockquote>
<blockquote type="cite"><span>the docs so why is it being prohibited from relabeling?</span><br>
</blockquote>
<blockquote type="cite"><span></span><br>
</blockquote>
<blockquote type="cite"><span>type=AVC msg=audit(11/09/2015 04:22:43.045:3126812) : avc: denied { relabelto }</span><br>
</blockquote>
<blockquote type="cite"><span>for pid=13753 comm=chcon name=tomcat-server.xml dev=dm-0 ino=16900514</span><br>
</blockquote>
<blockquote type="cite"><span>scontext=system_u:system_r:initrc_t:s0</span><br>
</blockquote>
<blockquote type="cite"><span>tcontext=myapp_u:object_r:myapp_conf_t:s0:c50 tclass=file</span><br>
</blockquote>
<blockquote type="cite"><span></span><br>
</blockquote>
<blockquote type="cite"><span>On Tue, May 26, 2015 at 02:04:59AM PDT, Tracy Reed spake thusly:</span><br>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>#!!!! This avc is a constraint violation. &nbsp;You will need to add an attribute to either the source or target type to make it work.</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>#Contraint rule: </span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>allow initrc_t default_t:file relabelto;</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>#!!!! This avc is a constraint violation. &nbsp;You will need to add an attribute to either the source or target type to make it work.</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>#Contraint rule: </span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>allow initrc_t myapp_api_t:file relabelto;</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>The init script which starts the service relabels the files when the service</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>starts. I suspect this is a bad idea and I'm not sure why they are doing it. I</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>think they may be applying security categories here. We may have to find a</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>different way to approach that.</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>But how would I allow this if I wanted to? </span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>Similarly:</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>#!!!! This avc is a constraint violation. &nbsp;You will need to add an attribute to either the source or target type to make it work.</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>#Contraint rule: </span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>allow setfiles_t default_t:file relabelfrom;</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>#!!!! This avc is a constraint violation. &nbsp;You will need to add an attribute to either the source or target type to make it work.</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>#Contraint rule: </span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>allow setfiles_t myapp_api_t:file relabelfrom;</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>etc...</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>This is all on CentOS 6.5.</span><br>
</blockquote>
</blockquote>
<blockquote type="cite"><span></span><br>
</blockquote>
<blockquote type="cite"><span>-- </span><br>
</blockquote>
<blockquote type="cite"><span>Tracy Reed</span><br>
</blockquote>
<span></span><br>
<span></span><br>
<span></span><br>
<blockquote type="cite"><span>--</span><br>
</blockquote>
<blockquote type="cite"><span>selinux mailing list</span><br>
</blockquote>
<blockquote type="cite"><span><a href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a></span><br>
</blockquote>
<blockquote type="cite"><span><a href="https://admin.fedoraproject.org/mailman/listinfo/selinux">https://admin.fedoraproject.org/mailman/listinfo/selinux</a></span><br>
</blockquote>
<span></span><br>
</div>
</blockquote>
</body>
</html>