Fwd: selinux process transition not taking place
by SZIGETVÁRI János
2015-05-20 19:01 GMT+02:00 Stephen Smalley <sds(a)tycho.nsa.gov>:
> In order for a script to transition, it has to be passed directly in an
> execve() call to the kernel, and this only happens if:
>
> 1. The script has an appropriate header so the kernel can figure out
> how to find the interpreter, i.e.
> #!/bin/sh
>
> 2. The script has an executable mode, e.g.
> chmod 0755 /path/to/scriptfile
>
> 3. The script is directly invoked by the caller, not indirectly via sh,
> e.g.
> $ /path/to/scriptfile
>
> Under those three conditions, scripts can transition just fine under
> SELinux (although Linux refuses to honor setuid/setgid on them for
> security reasons; we permit domain transitions but advise only using
> them when the caller is more trusted than the new domain).
>
> But if you fail to fulfill any of those conditions, then it will instead
> devolve into the shell being exec'd and just being passed the script as
> an argument, and at that point the kernel won't ever see anything other
> than an exec of the shell and an open with read access to the script,
> neither of which will trigger the transition.
>
Interestingly enough, all the conditions you listed above seem to be
fulfilled, but for some reason I get a "permission denied":
[root@centos-test ~]# export LANG=en_US.UTF8
[root@centos-test ~]# run_init /bin/bash
Authenticating root.
Password:
[root@centos-test /]# ps auxfZ | fgrep $$
system_u:system_r:initrc_t:s0 root 5891 0.0 0.1 108300 1896 pts/0 S 14:15 0:00 \_ /bin/bash
system_u:system_r:initrc_t:s0 root 5916 0.0 0.0 100944 692 pts/0 S+ 14:15 0:00 \_ fgrep 5891
[root@centos-test /]# ls -lZ /root/aaa/syslogd_exec_t_runner.sh
-rwxr-xr-x. root root system_u:object_r:syslogd_exec_t:s0 /root/aaa/syslogd_exec_t_runner.sh
[root@centos-test /]# head -n 1 /root/aaa/syslogd_exec_t_runner.sh
#!/bin/sh
[root@centos-test /]# /root/aaa/syslogd_exec_t_runner.sh
/bin/sh: /root/aaa/syslogd_exec_t_runner.sh: Permission denied
[root@centos-test /]# exit
To add to my confusion:
[root@centos-test ~]# sesearch -s initrc_t -t syslogd_exec_t -c file -p execute -A
Found 3 semantic av rules:
allow initrc_t exec_type : file { ioctl read getattr lock execute execute_no_trans open } ;
allow initrc_t syslogd_exec_t : file { read getattr execute open } ;
...
[root@centos-test ~]# sesearch -s syslogd_t -t syslogd_exec_t -c file -p entrypoint -A
Found 1 semantic av rules:
allow syslogd_t syslogd_exec_t : file { ioctl read getattr lock execute entrypoint open } ;
Fwd: selinux process transition not taking place
by SZIGETVÁRI János
2015-05-18 21:33 GMT+02:00 Stephen Smalley <sds(a)tycho.nsa.gov>:
> You don't need a C program; you just need to make sure the scripts are
> executable and directly invoke them rather than calling them via bash.
> Then they are passed to execve() and the kernel will set up the domain
> transition before invoking bash.
>
I nevertheless wrote a simple one, and indeed it worked; it transitioned to
the correct context.
In the case of the scripts, however, invoking them directly did not help.
I have tried calling them via bash, via a properly labeled copy of bash, and
running them normally as shell scripts, with bash (on the shebang) or with a
properly labeled copy of bash (the shebang pointed to it); in none of the
cases did the second script (with the label syslogd_exec_t) end up as
syslogd_t. The script was executable, of course, in all of the cases.
As for the customer's system/scenario, we're still waiting for their
answer. I will get back to you when they reply to our questions, or if we
manage to track down the problem on our own.
Re: redirect stdout and stderr to different file under sandboxing in linux
by Bhuvan Gupta
Bob,
With full respect... can you please go through my previous mail in this
thread? The info given by you is not relevant here.
On Saturday, May 23, 2015, Bob Gustafson <bobgus(a)rcn.com> wrote:
> For compiling and testing, I usually do:
>
> ./a.out 2>&1 | tee tofile.txt
>
> The 2>&1 takes the stderr and pushes it out along with the stdout.
>
> The 'tee' provides a way to see the output on the screen as well as store
> it to disk (tofile.txt)
>
> Have fun
>
> Bob G
>
> On 05/23/2015 06:19 AM, Bhuvan Gupta wrote:
>
> MORE INFO
>
> content of Test.cpp
> #include <stdio.h>
> int main(void) {
>     fprintf(stderr, "error\n");
>     return 0;
> }
>
> compile it and now
> ./a.out
> prints error to console
>
> ./a.out 2> err
> prints to err file
>
> sandbox ./a.out 2>err
> nothing gets printed on console or in err file.
> Is sandbox eating it up?
>
> Thanks
> Bhuvan
>
>
>
>
> On Sat, May 23, 2015 at 4:02 PM, Bhuvan Gupta <bhuvangu(a)gmail.com> wrote:
>
>> EXTRA INFO:
>>
>> even if I run
>> sandbox ./a.out
>>
>> even then it doesn't print the floating point error on the console
>>
>> On Sat, May 23, 2015 at 3:40 PM, Bhuvan Gupta <bhuvangu(a)gmail.com> wrote:
>>
>>> Hello All,
>>>
>>> I have a Test.cpp which is run under sandbox (RHEL7):
>>>
>>> Test.cpp content:
>>> #include <stdio.h>
>>> int main(void) {
>>>     int a = 1/0;
>>>     return 0;
>>> }
>>>
>>> compile it using gcc (4.8) Test.cpp, which produces the a.out
>>> Now running a.out prints floating point exception on console
>>>
>>> Now I thought that if I redirect stderr to a file, I expect the error
>>> to be printed in the file.
>>> But that is not the case; it still continues to print in the console.
>>> Googling reveals that under such an exception the program is terminated
>>> immediately, and if you capture the stderr of bash then it should redirect.
>>> So I run
>>> su -c ./a.out 2>err
>>> Bingo, the error gets printed in the err file.
>>>
>>> Now the MAIN GAME STARTS
>>> I want to run it under sandbox
>>> so I run:
>>> su -c 'sandbox ./a.out 1>out 2>err'
>>> But there is nothing printed in the err file or in the console.
>>>
>>> How to capture stdout and stderr under such a situation?
>>>
>>>
>>> Thanks
>>> Bhuvan
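Why the redirections in the thread above behave the way they do, as an added example in C that is not code from the thread: the crashed program never writes "Floating point exception", the process that waited for it does. It assumes glibc's strsignal() wording and a fork-capable system; the child functions are constructed stand-ins for Test.cpp.

```c
/* Added example (not code from the thread): why "./a.out 2>err" cannot
 * catch "Floating point exception". The crashing program writes nothing; the
 * kernel kills it with SIGFPE and the process that waited for it (the
 * interactive bash, or the sh started by "su -c") prints the message on its
 * own stderr, which is the stream "su -c ./a.out 2>err" redirects. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run child() in a forked process and return the signal that killed it (0 on
 * a normal exit), the way a shell inspects the waitpid() status; the text a
 * shell would print goes into msg (may be NULL with msglen 0). */
int wait_and_report(void (*child)(void), char *msg, size_t msglen) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { child(); _exit(0); }
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (WIFSIGNALED(status)) {
        /* This is the line bash prints, on bash's stderr, not the child's. */
        snprintf(msg, msglen, "%s", strsignal(WTERMSIG(status)));
        return WTERMSIG(status);
    }
    snprintf(msg, msglen, "exited %d", WEXITSTATUS(status));
    return 0;
}

/* Stand-in for Test.cpp's 1/0: raise SIGFPE directly so it also traps on CPUs
 * whose integer division by zero does not fault (constructed for the demo). */
void crash_like_test_cpp(void) { raise(SIGFPE); }
void exit_cleanly(void) { }

int main(void) {
    char msg[64];
    int sig = wait_and_report(crash_like_test_cpp, msg, sizeof msg);
    fprintf(stderr, "%s\n", msg); /* "Floating point exception" on glibc */
    return sig ? 128 + sig : 0;
}
```

Redirecting the crashing program's own stderr therefore changes nothing; only the stderr of the process doing the waiting (here, this program, or the shell in the thread) carries the message.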
selinux process transition not taking place
by SZIGETVÁRI János
Hello Everyone,
I work for a company which develops an rsyslog alternative logging service,
and we recently have encountered an interesting problem around the SELinux
process transitions of our product.
I and most of my colleagues have little to marginal experience with
SELinux, and we have done most of the investigation we could do on our own.
The problem that one of our customers experienced is that our product (when
started by its init script, or through the service ... utility) will be
stuck in the initrc_t context, and not transition into the syslogd_t
context. This causes the /dev/log socket not to have the proper SELinux
context, which leads to even further problems.
The system they are working on is running CentOS 6.6.
To describe the problem in a bit more detail:
- we have an init script with the selinux context of
system_u:object_r:syslogd_initrc_exec_t:s0
- this init script calls the binary, which has the context of:
system_u:object_r:syslogd_exec_t:s0
- the necessary process transition definitions are in place:
[root@centos-test ~]# sesearch -T -s initrc_t -t syslogd_initrc_exec_t -c process -p transition -A
Found 1 semantic te rules:
type_transition initrc_t syslogd_initrc_exec_t : process initrc_t;
[root@centos-test ~]# sesearch -T -s initrc_t -t syslogd_exec_t -c process -p transition -A
Found 1 semantic te rules:
type_transition initrc_t syslogd_exec_t : process syslogd_t;
- the necessary execution permissions are present:
[root@centos-test ~]# sesearch -s initrc_t -t syslogd_exec_t -c file -p execute -A
Found 3 semantic av rules:
allow initrc_t exec_type : file { ioctl read getattr lock execute execute_no_trans open } ;
allow initrc_t syslogd_exec_t : file { read getattr execute open } ;
allow files_unconfined_type file_type : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton execute_no_trans entrypoint open } ;
- the necessary types are defined as the domain entry points:
[root@centos-test ~]# sesearch -s syslogd_t -t syslogd_exec_t -c file -p entrypoint -A
Found 1 semantic av rules:
allow syslogd_t syslogd_exec_t : file { ioctl read getattr lock execute entrypoint open } ;
- the target domain is allowed for the proper role:
[root@centos-test ~]# seinfo -rsystem_r -x | fgrep syslogd_t
syslogd_t
But despite all the above, the transition doesn't occur to syslogd_t, the
process remains in initrc_t.
I even have created a script to reproduce the issue (find it attached).
The script simply
- puts down two shell scripts and sets their rights and SELinux contexts
(system_u:object_r:syslogd_initrc_exec_t:s0 and
system_u:object_r:syslogd_exec_t:s0),
- creates a copy of bash, sets its context (to
system_u:object_r:syslogd_initrc_exec_t:s0),
- tries to run the script with the syslogd_initrc_exec_t context,
- which in turn will run the other script with context syslogd_exec_t.
The resulting output shows that the script with the syslogd_exec_t context
will run as initrc_t even though its parent was initrc_t as well, and the
type transition should have occurred.
Some sample output:
[root@centos-test ~]# bash selinux_test.sh
-rwxr-xr-x. root root system_u:object_r:syslogd_initrc_exec_t:s0 /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t
-rwxr-xr-x. root root system_u:object_r:syslogd_exec_t:s0 /tmp/tmp.efz1wH7wpL/syslogd_exec_t_runner.sh
-rwxr-xr-x. root root system_u:object_r:syslogd_initrc_exec_t:s0 /tmp/tmp.efz1wH7wpL/syslogd_initrc_exec_t_starter.sh
======================== STARTING ===============================================
Authenticating root.
Jelszó:
system_u:system_r:initrc_t:s0 root 3352 0.0 0.0 106056 1296 pts/0 S+ 14:50 0:00 \_ /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t /tmp/tmp.efz1wH7wpL/syslogd_initrc_exec_t_starter.sh
======================== STARTED ===============================================
system_u:system_r:initrc_t:s0 root 3359 0.0 0.0 106056 1340 pts/0 S+ 14:50 0:00 /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t /tmp/tmp.efz1wH7wpL/syslogd_exec_t_runner.sh
system_u:system_r:initrc_t:s0 root 3362 0.0 0.0 106056 1336 pts/0 S+ 14:50 0:00 /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t /tmp/tmp.efz1wH7wpL/syslogd_exec_t_runner.sh end
============================= first ==========================================
system_u:system_r:initrc_t:s0 root 3359 0.0 0.0 106056 1340 pts/0 S+ 14:50 0:00 /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t /tmp/tmp.efz1wH7wpL/syslogd_exec_t_runner.sh
system_u:system_r:initrc_t:s0 root 3362 0.0 0.0 106056 1336 pts/0 S+ 14:50 0:00 /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t /tmp/tmp.efz1wH7wpL/syslogd_exec_t_runner.sh end
============================= end ==========================================
system_u:system_r:initrc_t:s0 root 3359 0.0 0.0 106060 1360 pts/0 S+ 14:50 0:00 /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t /tmp/tmp.efz1wH7wpL/syslogd_exec_t_runner.sh
system_u:system_r:initrc_t:s0 root 3362 0.0 0.0 106060 1352 pts/0 S+ 14:50 0:00 /tmp/tmp.efz1wH7wpL/bash_initrc_exec_t /tmp/tmp.efz1wH7wpL/syslogd_exec_t_runner.sh end
[root@centos-test ~]#
We would appreciate it if we could get some guidance on what we should check
in order to get to the end of this problem.
We have tried running setroubleshootd and disabling noaudit rules (semodule
-DB), but we saw no error messages about failed transitions, or anything
whatsoever.
The only logs we saw related to the scripts were the authentication and
accounting messages about the run_init command.
Kind regards,
János Szigetvári
--
Janos SZIGETVARI
__@__˚V˚
Make the switch to open (source) applications, protocols, formats now:
- windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice.org
- msn -> jabber protocol (Pidgin, Google Talk)
- mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp
Book-length recommendations?
by Robin Lee Powell
So I've gotten pretty decent with SELinux, but it's all been ad hoc
learning; I'd like to do some more comprehensive learning. Can
anyone recommend something book-length (an actual book is fine as
long as it's an ebook) that would give me a really strong SELinux
foundation?
Thanks.
--
http://intelligence.org/ : Our last, best hope for a fantastic future.
.i ko na cpedu lo nu stidi vau loi jbopre .i dafsku lu na go'i li'u .e
lu go'i li'u .i ji'a go'i lu na'e go'i li'u .e lu go'i na'i li'u .e
lu no'e go'i li'u .e lu to'e go'i li'u .e lu lo mamta be do cu sofybakni li'u
Improper labelling on creation.
by Erinn Looney-Triggs
I have a passenger app that is installed on the system. I have the
following in file_contexts.local:
/var/www/foo/releases/.*/tmp(/.*)? unconfined_u:object_r:httpd_sys_rw_content_t:s0
However, on creating the tmp directory:
releases $ sudo mkdir -p foo/tmp/
releases $ cd foo/
foo $ ls -lZ
drwxr-sr-x. root developers unconfined_u:object_r:httpd_sys_content_t:s0 tmp
But matchpathcon returns the right label:
matchpathcon tmp/
tmp unconfined_u:object_r:httpd_sys_rw_content_t:s0
And a restorecon sets it properly to rw.
So, umm, what is the deal here? There is something I am missing for
sure. This is on RHEL 7.1 with the latest and greatest everything.
Oddly I think, but am not sure, that this wasn't a problem with 7.0.
Thoughts? Thanks.
-Erinn
runcon: invalid context
by Tracy Reed
I want to manually run an app within a certain context. When I try running it
like so I get the following error:
# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# runcon p16001_u:myapp_r:myapp_t:s0:c1 /myapp/startup.sh
runcon: invalid context: p16001_u:myapp_r:myapp_t:s0:c1: Invalid argument
unconfined should be allowed to transition to any context, right? No AVC is
generated so I don't think that's the issue. The user p16001_u exists with
category c1, with role myapp_r and myapp_t exists in the policy. I'm unclear as
to why this is an invalid context.
# semanage user -l
SELinux User    Labeling Prefix    MLS/MCS Level    MLS/MCS Range    SELinux Roles
git_shell_u user s0 s0 git_shell_r
myapp_u user s0 s0-s0:c0.c1023 myapp_r
guest_u user s0 s0 guest_r
p16000_u user s0 s0-s0:c0 myapp_r
p16001_u user s0 s0-s0:c1 myapp_r
p16002_u user s0 s0-s0:c2 myapp_r
p16003_u user s0 s0-s0:c3 myapp_r
p16004_u user s0 s0-s0:c4 myapp_r
p16005_u user s0 s0-s0:c5 myapp_r
p16006_u user s0 s0-s0:c6 myapp_r
p16007_u user s0 s0-s0:c7 myapp_r
p16008_u user s0 s0-s0:c8 myapp_r
p16009_u user s0 s0-s0:c9 myapp_r
p16010_u user s0 s0-s0:c10 myapp_r
root user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r
staff_u user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r
sysadm_u user s0 s0-s0:c0.c1023 sysadm_r
system_u user s0 s0-s0:c0.c1023 system_r unconfined_r
unconfined_u user s0 s0-s0:c0.c1023 system_r unconfined_r
user_u user s0 s0 user_r
xguest_u user s0 s0 xguest_r
Any tips greatly appreciated!
--
Tracy Reed