Strange requirement: confine unconfined
by W. Michael Petullo
I have a requirement which seems to be most easily satisfied by confining
unconfined users. Please let me explain:
Imagine some file "foo" that must remain secret. Now imagine a dynamic
system which must allow arbitrary (possibly untrustworthy, possibly
as-root, possibly user-installed) programs to run. Nothing matters except
keeping "foo" secret.
Is it possible to construct an SELinux policy which would satisfy such
a requirement?
For example, it would be helpful to allow users to run their programs
unconfined (to allow user-installed, policyless, etc. programs) yet still
enforce the policy as it pertains to "foo". Of course, it further seems
that SELinux would also have to ensure certain other restrictions apply
to unconfined users, such as running semodule or insmod.
Alternatively, would it be possible to construct a not-quite-unconfined
user by granting all syscalls on all objects *except* those labeled
"foo_t" (and semodule, etc.)?
I have worked with custom policies before both for software I have written
and for standard software, but this seems a bit different. It may be that
I have my model wrong, so I would appreciate any guidance whether along
the implementation lines I suggested or not (but holding to the original
requirements). It is also possible that I have overlooked some existing
literature.
Thank you!
--
Mike
:wq
8 years, 8 months
RE: How do I create a directory in C that will follow selinux file context rules?
by Jayson Hurst
I resolved the problem with Dan's help by adding a transition from unconfined to vasd_t.
From: Miroslav Grepl<mailto:mgrepl@redhat.com>
Sent: 3/27/2015 2:24 AM
To: Jayson Hurst<mailto:swazup@hotmail.com>; selinux(a)lists.fedoraproject.org<mailto:selinux@lists.fedoraproject.org>
Subject: Re: How do I create a directory in C that will follow selinux file context rules?
On 03/26/2015 08:37 PM, Jayson Hurst wrote:
> What I don't understand is why the filetrans doesn't work in the first
> place?
>
> In my policy I define:
>
> filetrans_pattern(vasd_t, vasd_var_t, vasd_var_auth_t, dir )
>
> But when my binary that runs under the vasd_t domain as an unconfined
> user creates a directory in /var/opt/quest/vas/ called vasd it gets
> created as a vasd_var_t.
>
> The parent directory of /var/opt/quest/vas is labeled as vasd_var_t.
> Shouldn't the above filetrans_pattern label all new directories under
> /var/opt/quest/vas as vasd_var_auth_t when they are being created under
> the vasd_t domain?
It should work. Are you sure you create it under vasd_t? Also you need
to have
manage_dirs_pattern(vasd_t, vasd_var_auth_t, vasd_var_auth_t)
>
>> Date: Thu, 26 Mar 2015 18:24:01 +0100
>> From: mgrepl(a)redhat.com
>> To: swazup(a)hotmail.com; selinux(a)lists.fedoraproject.org
>> Subject: Re: How do I create a directory in C that will follow selinux
> file context rules?
>>
>> On 03/26/2015 04:17 PM, Jayson Hurst wrote:
>> > RHEL 6.5
>> >
>> > I have tried this using a filetrans pattern but it doesn't seem to work.
>> >
>> >> Date: Wed, 25 Mar 2015 09:32:32 +0100
>> >> From: mgrepl(a)redhat.com
>> >> To: swazup(a)hotmail.com; selinux(a)lists.fedoraproject.org
>> >> Subject: Re: How do I create a directory in C that will follow selinux
>> > file context rules?
>> >>
>> >> On 03/24/2015 10:45 PM, Jayson Hurst wrote:
>> >> > I need to create a directory in a C binary.
>> >> >
>> >> > I am currently doing something similar to this:
>> >> >
>> >> >
>> >> >
>> >> > status = mkdir("/home/cnd/mod1", S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH);
>> >> >
>> >> >
>> >> >
>> >> > But when the directory is created it ends up with the wrong SELinux
>> >> > context. It inherits its parent's context and not the one defined in
>> >> > the file context.
>> >>
>> >> What is your OS?
>> >>
>> >> >
>> >> >
>> >> >
>> >> > Is there a C call that can be used that understands how to correctly
>> >> > create and label SELinux directories?
>> >> >
>> >> >
>> >> >
>> >> > --
>> >> > selinux mailing list
>> >> > selinux(a)lists.fedoraproject.org
>> >> > https://admin.fedoraproject.org/mailman/listinfo/selinux
>> >> >
>> >>
>> >>
>> >> --
>> >> Miroslav Grepl
>> >> Software Engineering, SELinux Solutions
>> >> Red Hat, Inc.
>>
>> Ok, basically you can add a transition rule for "/home/cnd/mod1"
>>
>>
>> userdom_user_home_dir_filetrans(unconfined_t, ABC_t, dir)
>>
>> It will create a dir in /home/cnd with ABC_t labeling for unconfined_t
>> or for a domain defined by you.
>>
>> Where you are not able to use a file transition, you can use restorecond
>> on RHEL6. It uses inotify to watch files listed in
>>
>> /etc/selinux/restorecond.conf
>> /etc/selinux/restorecond_user.conf
>>
>> when they are created and it sets a context defined in the policy.
>>
>> --
>> Miroslav Grepl
>> Software Engineering, SELinux Solutions
>> Red Hat, Inc.
--
Miroslav Grepl
Software Engineering, SELinux Solutions
Red Hat, Inc.
8 years, 8 months
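As an added example (not code from any participant in the thread above, nor from the vasd software), here is one way to put Miroslav's two replies and Jayson's reported fix together in a complete policy module: the filetrans_pattern from Jayson's policy, the manage_dirs_pattern Miroslav said is required, and a transition from unconfined_t into vasd_t so that the mkdir is really performed by vasd_t. The type names, the /var/opt/quest/vas path and the "vasd" subdirectory come from the thread; vasd_exec_t and the /usr/sbin/vasd path are assumptions used as placeholders.

```selinux
# vasd.te  (added example; vasd_exec_t and /usr/sbin/vasd are placeholders)
policy_module(vasd, 1.0.0)

gen_require(`
	type unconfined_t;
')

# The daemon's domain and the executable that is its entry point.
type vasd_t;
type vasd_exec_t;
init_daemon_domain(vasd_t, vasd_exec_t)

# Two kinds of state under /var/opt/quest/vas.
type vasd_var_t;
files_type(vasd_var_t)
type vasd_var_auth_t;
files_type(vasd_var_auth_t)

# vasd_t must be allowed to manage directories of BOTH labels. The
# transition rule only chooses the label of a new directory; without
# the manage_dirs_pattern on vasd_var_auth_t the create is denied.
manage_dirs_pattern(vasd_t, vasd_var_t, vasd_var_t)
manage_dirs_pattern(vasd_t, vasd_var_auth_t, vasd_var_auth_t)

# Any directory vasd_t creates inside a vasd_var_t directory is labelled
# vasd_var_auth_t. (A fifth argument, e.g. "vasd", would restrict the
# transition to that one name.)
filetrans_pattern(vasd_t, vasd_var_t, vasd_var_auth_t, dir)

# What the final reply in the thread added: make the binary actually run
# in vasd_t when an unconfined user starts it. Without this the mkdir is
# done by unconfined_t, for which no transition rule exists, so the new
# directory simply inherits vasd_var_t from its parent.
domain_auto_transition_pattern(unconfined_t, vasd_exec_t, vasd_t)

# vasd.fc  (the binary path is a placeholder; state paths are from the thread)
# /usr/sbin/vasd                   --  gen_context(system_u:object_r:vasd_exec_t,s0)
# /var/opt/quest/vas(/.*)?             gen_context(system_u:object_r:vasd_var_t,s0)
# /var/opt/quest/vas/vasd(/.*)?        gen_context(system_u:object_r:vasd_var_auth_t,s0)
```

Build and load it with the policy development Makefile (make -f /usr/share/selinux/devel/Makefile vasd.pp && semodule -i vasd.pp), then run restorecon -Rv /var/opt/quest/vas. Before suspecting the transition rule, confirm two things: sesearch -T -s vasd_t -t vasd_var_t -c dir shows the type_transition actually compiled in, and ps -eZ shows the daemon running as vasd_t rather than unconfined_t, which is exactly the situation the thread ended up in.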
Fedora 21, unable to add new file context
by Mark Montague
Fedora 21 with selinux-policy-targeted-3.13.1-105.3
I've installed a local policy for PHP-FPM based off of
https://github.com/prometheanfire/selinux-modules which defines several
new types (to avoid conflicting with httpd_t type aliases in Fedora). I
can't include everything in the .fc file for the local policy because I
need to change the file contexts defined in other modules, so I set
local contexts using semanage. This was working fine in Fedora 20, but
here is what happens in Fedora 21:
[root@ice ~]# semanage fcontext -a -t phpfcgi_exec_t /usr/sbin/php-fpm
# this works fine
[root@ice ~]# semanage fcontext -a -t phpfcgi_var_run_t "/var/run/php-fpm(/.*)?"
# fails
libsemanage.dbase_llist_query: could not query record value (No such file or directory).
OSError: No such file or directory
[root@ice ~]# semanage fcontext -a -t phpfcgi_var_run_t "/var/run/php-fpm"
# but this works
[root@ice ~]#
Does anyone have any idea why the first and third commands above work,
but the second one no longer works under Fedora 21? The error message
isn't very helpful. I've searched the web and looked at the libsemanage
source code, but neither was helpful. I've also run strace on the
commands that succeed and compared the output to running strace on the
command that failed, but I don't see any system calls that shed light on
the problem (including nothing just prior to the write() calls for the
error message that returns ENOENT).
Here is some additional information. Note that I can add file context
patterns very similar to the one that is failing above without any
problems, such as "fcontext -a -f a -t selinux_config_t
'/var/lib/config(/.*)?'"
[root@ice ~]# ls -ldZ /var/run/php-fpm
drwxr-xr-x. root root system_u:object_r:httpd_var_run_t:s0 /var/run/php-fpm
[root@ice ~]# semanage export
boolean -D
login -D
interface -D
user -D
port -D
node -D
fcontext -D
module -D
boolean -m -0 abrt_upload_watch_anon_write
boolean -m -0 auditadm_exec_content
boolean -m -0 boinc_execmem
boolean -m -0 cron_userdomain_transition
boolean -m -1 daemons_dump_core
boolean -m -0 dbadm_exec_content
boolean -m -1 deny_execmem
boolean -m -1 deny_ptrace
boolean -m -0 entropyd_use_audio
boolean -m -0 gluster_export_all_rw
boolean -m -0 gssd_read_tmp
boolean -m -0 guest_exec_content
boolean -m -0 httpd_builtin_scripting
boolean -m -1 httpd_can_network_connect
boolean -m -0 kerberos_enabled
boolean -m -0 logadm_exec_content
boolean -m -0 logging_syslogd_use_tty
boolean -m -0 nfs_export_all_ro
boolean -m -0 nfs_export_all_rw
boolean -m -0 openvpn_can_network_connect
boolean -m -0 openvpn_enable_homedirs
boolean -m -1 polyinstantiation_enabled
boolean -m -0 postfix_local_write_mail_spool
boolean -m -0 postgresql_selinux_unconfined_dbadm
boolean -m -0 postgresql_selinux_users_ddl
boolean -m -0 privoxy_connect_any
boolean -m -0 secadm_exec_content
boolean -m -0 selinuxuser_direct_dri_enabled
boolean -m -0 selinuxuser_execmod
boolean -m -0 selinuxuser_execstack
boolean -m -0 spamd_enable_home_dirs
boolean -m -0 squid_connect_any
boolean -m -0 telepathy_tcp_connect_generic_network_ports
boolean -m -0 unconfined_chrome_sandbox_transition
boolean -m -0 unconfined_login
boolean -m -0 unconfined_mozilla_plugin_transition
boolean -m -0 virt_use_usb
boolean -m -0 xend_run_blktap
boolean -m -0 xend_run_qemu
boolean -m -0 xguest_connect_network
boolean -m -0 xguest_exec_content
boolean -m -0 xguest_mount_media
boolean -m -0 xguest_use_bluetooth
login -a -s guest_u -r 's0' __default__
login -a -s staff_u -r 's0' markmont
login -a -s unconfined_u -r 's0-s0:c0.c1023' root
login -a -s system_u -r 's0-s0:c0.c1023' system_u
user -a -L s0 -r s0-s0:c0.c1023 -R 'staff_r unconfined_r system_r' staff_u
fcontext -a -f a -t iptables_exec_t '/etc/systemd/ipset'
fcontext -a -f a -t initrc_exec_t '/etc/systemd/selinux-lockdown'
fcontext -a -f a -t tmp_t '/tmp/tmp-inst'
fcontext -a -f a -t selinux_config_t '/var/lib/config(/.*)?'
fcontext -a -f a -t tmp_t '/var/tmp/tmp-inst'
module -d permissivedomains
module -d unconfined
module -d unlabelednet
[root@ice ~]#
--
Mark Montague
mark(a)catseye.org
8 years, 8 months
Ubuntu Selinux
by ezinne mbah
Hi All,
Please can someone assist me with this? I enabled SELinux on an Ubuntu 14.04 server and it is disabling SSH remote login for all users, including root.
From the ssh terminal I get the following error:
ssh root(a)192.168.x.x
Last login: Wed Mar 25 12:39:02 2015 from 192.168.x.x
/bin/bash: Permission denied
Connection to 192.168.211.135 closed.
tail /var/log/auth.log
ubuntu sshd[1640]: Accepted password for root from 192.168.x.x port 51082 ssh2
ubuntu sshd[1642]: Accepted password for root from 192.168.x.x port 51089 ssh2
ubunt sshd[1640]: Received disconnect from 192.168.x.x: disconnected by user
audit2allow --all
sshd_t
This avc is a constraint violation. you would need to modify the attribute of either the source or target types to allow this access.
possible cause is the source user (system_u) and target user (unconfined_u) are different.
possible cause is the source role (system_r) and target role (unconfined_r) are different.
possible cause is the source level (s0) and target level (s0-s0:c0.c255) are different.
allow sshd_t unconfined_t:process transition;
Please, how can I make these changes take effect?
Thanks in advance.
8 years, 8 months
Idiomatic solution for tiny systemd "services"?
by Robin Lee Powell
Hey all. I have a tiny web service that I'm running with a ruby
script in ~/.rvm/ , and I'd like to run it out of systemd (just to
keep it running always), but init_t can't read or execute
user_home_t.
Nor can init_t run runcon.
Basically, I can't figure out any way to transition from systemd's
init_t to my user's type (staff_t).
So what's the idiomatic way to handle that sort of thing?
--
http://intelligence.org/ : Our last, best hope for a fantastic future.
.i ko na cpedu lo nu stidi vau loi jbopre .i dafsku lu na go'i li'u .e
lu go'i li'u .i ji'a go'i lu na'e go'i li'u .e lu go'i na'i li'u .e
lu no'e go'i li'u .e lu to'e go'i li'u .e lu lo mamta be do cu sofybakni li'u
8 years, 9 months
boolean secure_mode under Rhel7
by Tim.Einmahl@kba.de
Hi,
can anyone please tell me the exact meaning of the booleans
secure_mode (secure_mode_insmod secure_mode_policyload)
under RHEL7? "semanage boolean -l" is not very helpful and I can't find any documentation regarding the booleans, which is a bit disappointing, as booleans play an important role in SELinux.
Thanks in advance
Regards
Tim
8 years, 9 months