Initial context for init
by Philip Seeley
Hi all,
Quick question is:
In the targeted policy should init run SystemHigh as it does in the mls
policy?
The background:
We're setting up a targeted system where we confine all users and remove
the unconfined policy module, but we also enable polyinstantiation of /tmp
and /var/tmp.
If we ssh in as a staff_u user phil and elevate to root/sysadm_r then we
have a context of:
staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
And therefore /var/tmp is:
drwxrwxrwt. root root system_u:object_r:tmp_t:s0-s0:c0.c1023 /var/tmp
Which is really:
drwxrwxrwt. root root
system_u:object_r:tmp_t:s0-s0:c0.c1023 /var/tmp-inst/system_u:object_r:tmp_t:s0-s0:c0.c1023_phil
The real /var/tmp is:
drwxrwxrwt. root root system_u:object_r:tmp_t:s0 /var/tmp
Now if we use run_init to update an RPM that contains a post install
script, rpm can't create the temporary script file:
# run_init bash -c 'rpm -i --force /root/libselinux-2.0.94-7.el6.x86_64.rpm'
Authenticating phil.
Password:
error: error creating temporary file /var/tmp/rpm-tmp.atkHTf: Permission
denied
error: Couldn't create temporary file for %post
(libselinux-2.0.94-7.el6.x86_64): Permission denied
Note: you need to use run_init as the rpm might restart a service, e.g. the
sssd rpm.
We've traced this to the /etc/selinux/targeted/contexts/initrc_context file
which contains:
system_u:system_r:initrc_t:s0
So we transition to initrc_t and then to rpm_t without any categories, but
because the polyinstantiated /var/tmp directory has c0.c1023 we get denied.
Normally in targeted init runs unconfined, but we've removed this.
type=AVC msg=audit(1467342325.016:716): avc: denied { read } for
pid=2779 comm="rpm" name="system_u:object_r:tmp_t:s0-s0:c0.c1023_phil"
dev=dm-0 ino=1966082 scontext=system_u:system_r:rpm_t:s0
tcontext=system_u:object_r:tmp_t:s0-s0:c0.c1023 tclass=dir
It works if we change initrc_context to:
system_u:system_r:initrc_t:s0-s0:c0.c1023
We don't see the issue under mls because the default initrc_context is:
system_u:system_r:initrc_t:s0-s15:c0.c1023
We've traced this back through the selinux-policy src RPM and to the
upstream refpolicy and see that config/appconfig-mcs/initrc_context is:
system_u:system_r:initrc_t:s0
whereas config/appconfig-mls/initrc_context is:
system_u:system_r:initrc_t:s0-mls_systemhigh
So under mls init's context is SystemHigh, but under mcs/targeted it
doesn't have any categories.
So the long question is should config/appconfig-mcs/initrc_context really
be:
system_u:system_r:initrc_t:mcs_systemhigh
as it seems odd that the more secure mls policy would run init at
SystemHigh but targeted doesn't.
Thanks
Phil Seeley
4 years, 1 month
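The denial in the post comes down to an MCS dominance check between the subject's and the object's high level. The following is an added example, not code from the thread or from the SELinux project: it models that check for the exact contexts quoted above. It assumes the MCS read constraint on file/dir objects has the refpolicy form "h1 dom h2" (the subject's high level must dominate the object's high level, i.e. equal or higher sensitivity and a superset of categories), and that rpm_t keeps the range it inherited from initrc_t, as the post describes. The m4 macros mcs_systemhigh/mls_systemhigh are written out in their expanded forms taken from the post.

```python
# Added example (not code from the thread): model the MCS dominance check
# that decides the AVC quoted above.  Assumes the MCS read constraint is
# "h1 dom h2" and that rpm_t inherits initrc_t's MLS range unchanged.

CATEGORY_MAX = 1023  # targeted/MCS policy defines categories c0..c1023


def expand_categories(spec):
    """Expand an MCS category spec: 'c0.c1023' -> {0..1023},
    'c1,c5.c7' -> {1, 5, 6, 7}, '' -> empty set."""
    cats = set()
    for part in filter(None, spec.split(",")):
        if "." in part:
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return cats


def parse_level(level):
    """'s0:c0.c1023' -> (0, {0..1023}); 's0' -> (0, set())."""
    sens, _, cats = level.partition(":")
    return int(sens[1:]), expand_categories(cats)


def parse_context(ctx):
    """Split 'user:role:type:low[-high]' into its parts, expanding levels.
    A context written with a single level (e.g. '...:s0') has high == low."""
    user, role, type_, mls = ctx.split(":", 3)
    low, _, high = mls.partition("-")
    return {
        "user": user, "role": role, "type": type_,
        "low": parse_level(low),
        "high": parse_level(high or low),
    }


def dominates(a, b):
    """Level a dominates level b if its sensitivity is at least b's and its
    category set is a superset of b's (set >= is the superset test)."""
    return a[0] >= b[0] and a[1] >= b[1]


def mcs_read_allowed(scontext, tcontext):
    """MCS constraint for read on file/dir: subject high dominates object
    high.  Type enforcement is assumed to already permit the access."""
    return dominates(parse_context(scontext)["high"],
                     parse_context(tcontext)["high"])


# Object contexts quoted in the post.
POLYINST_VAR_TMP = "system_u:object_r:tmp_t:s0-s0:c0.c1023"  # /var/tmp as phil sees it
REAL_VAR_TMP = "system_u:object_r:tmp_t:s0"                  # the real /var/tmp


def check_initrc_context(initrc_context):
    """For a given initrc_context line, could a process that keeps that
    range read the polyinstantiated and the real /var/tmp?"""
    return {
        "polyinstantiated": mcs_read_allowed(initrc_context, POLYINST_VAR_TMP),
        "real": mcs_read_allowed(initrc_context, REAL_VAR_TMP),
    }


if __name__ == "__main__":
    for line in ("system_u:system_r:initrc_t:s0",               # appconfig-mcs default
                 "system_u:system_r:initrc_t:s0-s0:c0.c1023",   # the value that works
                 "system_u:system_r:initrc_t:s0-s15:c0.c1023"): # appconfig-mls default
        print(line, check_initrc_context(line))
```

Running it reproduces the post's observation: with the appconfig-mcs default the polyinstantiated directory is unreadable because s0 carries no categories and so cannot dominate s0:c0.c1023, while the real /var/tmp at plain s0 is fine; both the widened MCS range and the MLS default pass.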
Symlink or bind mount?
by Gionatan Danti
Being a regular user of SELinux, I often face situations where some
common directories (e.g. /var/log or /var/lib) need to be redirected to
other partitions/volumes.
A very simple approach, without impacting SELinux at all, is to mount a
volume at the precise path I need to replace, i.e. mount
/dev/vg_test/lv_lib on /var/lib. However, this is a
one-volume-per-directory approach and I would like to avoid it.
The other possibility is to create a single big volume with multiple
directories, mount it, and
1) symlink the original dir (i.e. /var/log) to the new one (i.e.
/mnt/volume/var/log);
2) use a bind mount to re-mount the destination dir
(/mnt/volume/var/log) on the original one (/var/log).
The symlink approach is self-explanatory, as anyone listing the original
directory will immediately notice it. However, it sometimes requires
extensive customization of the SELinux policy, a thing I try hard to
avoid.
The bind mount approach is somewhat simpler from an SELinux standpoint, but
it is much less discoverable by a simple "ls".
What do you feel is the preferred approach? Am I missing something?
Thanks.
--
Danti Gionatan
Supporto Tecnico
Assyoma S.r.l. - www.assyoma.it
email: g.danti(a)assyoma.it - info(a)assyoma.it
GPG public key ID: FF5F32A8
5 years, 5 months
disabling the boolean staff_exec_content prevents future logins after
restarts
by sindano sindano
Hi,
I was wondering if there might be some error somewhere (or if someone else has experienced this issue), as I'd first have to re-enable the boolean in order to log in, and I don't get any SELinux error messages concerning this issue.
Also, if I disable it after a "normal" login I am unable to launch the troubleshooter via the GUI. I can only do so via the terminal, and I don't receive any error messages that might point me to the source of this issue.
Thanks, and have a good week.
5 years, 10 months
selinux sandbox_web_t and pulseaudio
by sindano sindano
Hi,
I've recently been trying out SELinux sandbox but have issues with no audio.
I ran pulseaudio in permissive mode and was able to get audio working, plus the sandbox became more responsive, e.g. not crashing after right-clicking etc.
Details:
id: uid=1000(chira) gid=1000(chira) groups=1000(chira),10(wheel) context=staff_u:staff_r:staff_t:s0-s0:c0.c1023
sealert -l 92f61b75-b707-4957-a49b-9e94bc9de471
SELinux is preventing /usr/bin/pulseaudio from 'read, write' accesses on the file 2F6D656D66643A70756C7365617564696F202864656C6574656429.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that pulseaudio should be allowed read write access on the 2F6D656D66643A70756C7365617564696F202864656C6574656429 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'pulseaudio' --raw | audit2allow -M my-pulseaudio
# semodule -X 300 -i my-pulseaudio.pp
Additional Information:
Source Context staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023
Target Context staff_u:object_r:sandbox_web_client_tmpfs_t:s0
Target Objects 2F6D656D66643A70756C7365617564696F202864656C657465
6429 [ file ]
Source pulseaudio
Source Path /usr/bin/pulseaudio
Port <Unknown>
Host localhost.localdomain
Source RPM Packages pulseaudio-11.1-2.fc26.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-260.13.fc26.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 4.13.9-200.fc26.x86_64
#1 SMP Mon Oct 23 13:52:45 UTC 2017 x86_64 x86_64
Alert Count 56
First Seen 2017-11-05 14:25:05 EET
Last Seen 2017-11-06 09:35:11 EET
Local ID 92f61b75-b707-4957-a49b-9e94bc9de471
Raw Audit Messages
type=AVC msg=audit(1509953711.629:998099): avc: denied { read write } for pid=2771 comm="pulseaudio" path=2F6D656D66643A70756C7365617564696F202864656C6574656429 dev="tmpfs" ino=1717208 scontext=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:sandbox_web_client_tmpfs_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1509953711.629:998099): arch=x86_64 syscall=recvmsg success=yes exit=ENOTDIR a0=2b a1=7ffc6fbf7320 a2=0 a3=0 items=0 ppid=1 pid=2771 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=6 comm=pulseaudio exe=/usr/bin/pulseaudio subj=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 key=(null)
Hash: pulseaudio,pulseaudio_t,sandbox_web_client_tmpfs_t,file,read,write
:::::::::::::::::::::::::::::::::::::::
Question: am I approaching this issue correctly, i.e. should I provide read-write access, or are there better ways to deal with this issue?
Any info would be greatly appreciated.
5 years, 10 months
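Both the rpm denial in the first post and the pulseaudio denial in the last one are raw AVC records, and the pulseaudio one has its target path hex-encoded (the audit subsystem does that whenever a value contains a space or other awkward byte, which is why sealert prints a hex blob). The following is an added example, not code from the threads or from the audit/SELinux tools: a small parser that pulls the fields out of such records and decodes the encoded path. The two sample records are copied from the posts above, re-joined onto single lines because the mailer wrapped them; the field names are the standard AVC ones.

```python
# Added example (not part of the threads): parse raw AVC records like the
# ones quoted above and decode the hex-encoded path that sealert shows.
import re

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The kernel hex-encodes these fields when the value contains a space,
# quote or non-printable byte; numeric fields such as pid or ino never are,
# so decoding is restricted to this set to avoid mangling "2771" into bytes.
HEX_FIELDS = {"path", "name", "comm", "exe", "proctitle"}


def decode_field(key, value):
    """Strip quotes from quoted values, hex-decode encoded string fields."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if key in HEX_FIELDS and re.fullmatch(r"(?:[0-9A-F]{2})+", value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value


def parse_avc(line):
    """Return a dict of the AVC record's fields, or None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, value in FIELD_RE.findall(m.group("rest")):
        rec[key] = decode_field(key, value)
    # permissive=1 means the access was logged but not blocked; an absent
    # field (older kernels) is treated as enforcing.
    rec["permissive"] = rec.get("permissive") == "1"
    return rec


def context_type(ctx):
    """'staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023' -> 'pulseaudio_t'."""
    return ctx.split(":")[2]


def summarize(line):
    """One-line 'source_t -> target_t (class object): perms [mode]' summary."""
    rec = parse_avc(line)
    if rec is None:
        return None
    target = rec.get("path") or rec.get("name") or "?"
    return "%s -> %s (%s %s): %s [%s]" % (
        context_type(rec["scontext"]), context_type(rec["tcontext"]),
        rec["tclass"], target, ",".join(rec["perms"]),
        "permissive" if rec["permissive"] else "enforcing")


# Sample records copied from the two posts above, re-joined onto one line.
PULSEAUDIO_AVC = (
    'type=AVC msg=audit(1509953711.629:998099): avc: denied { read write } for '
    'pid=2771 comm="pulseaudio" '
    'path=2F6D656D66643A70756C7365617564696F202864656C6574656429 dev="tmpfs" '
    'ino=1717208 scontext=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 '
    'tcontext=staff_u:object_r:sandbox_web_client_tmpfs_t:s0 tclass=file permissive=1')
RPM_AVC = (
    'type=AVC msg=audit(1467342325.016:716): avc: denied { read } for pid=2779 '
    'comm="rpm" name="system_u:object_r:tmp_t:s0-s0:c0.c1023_phil" dev=dm-0 '
    'ino=1966082 scontext=system_u:system_r:rpm_t:s0 '
    'tcontext=system_u:object_r:tmp_t:s0-s0:c0.c1023 tclass=dir')

if __name__ == "__main__":
    for record in (PULSEAUDIO_AVC, RPM_AVC):
        print(summarize(record))
```

The decoded target is /memfd:pulseaudio (deleted), an anonymous memfd shared-memory file rather than anything on disk, and the accompanying SYSCALL record is recvmsg: the descriptor was handed to pulseaudio over a socket, and SELinux checks a received descriptor's file against the receiving domain, which is why pulseaudio_t is being asked for read and write on a file labelled with the sandboxed client's tmpfs type. Seeing that in the decoded record is what tells you the denial is about fd passing between the sandbox and the audio server, not about a path that needs relabelling.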