Initial context for init
by Philip Seeley
Hi all,
Quick question is:
In the targeted policy should init run SystemHigh as it does in the mls
policy?
The background:
We're setting up a targeted system where we confine all users and remove
the unconfined policy module, but we also enable polyinstantiation of /tmp
and /var/tmp.
If we ssh in as a staff_u user phil and elevate to root/sysadm_r then we
have a context of:
staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
And therefore /var/tmp is:
drwxrwxrwt. root root system_u:object_r:tmp_t:s0-s0:c0.c1023 /var/tmp
Which is really:
drwxrwxrwt. root root
system_u:object_r:tmp_t:s0-s0:c0.c1023 /var/tmp-inst/system_u:object_r:tmp_t:s0-s0:c0.c1023_phil
The real /var/tmp is:
drwxrwxrwt. root root system_u:object_r:tmp_t:s0 /var/tmp
Now if we use run_init to update an RPM that contains a post install
script, rpm can't create the temporary script file:
# run_init bash -c 'rpm -i
--force /root/libselinux-2.0.94-7.el6.x86_64.rpm'
Authenticating phil.
Password:
error: error creating temporary file /var/tmp/rpm-tmp.atkHTf: Permission
denied
error: Couldn't create temporary file for %post
(libselinux-2.0.94-7.el6.x86_64): Permission denied
Note: you need to use run_init as the rpm might restart a service, e.g. the
sssd rpm.
We've traced this to the /etc/selinux/targeted/contexts/initrc_context file
which contains:
system_u:system_r:initrc_t:s0
So we transition to initrc_t and then to rpm_t without any categories, but
because the polyinstantiated /var/tmp directory has c0.c1023 we get denied.
Normally in targeted init runs unconfined, but we've removed this.
type=AVC msg=audit(1467342325.016:716): avc: denied { read } for
pid=2779 comm="rpm" name="system_u:object_r:tmp_t:s0-s0:c0.c1023_phil"
dev=dm-0 ino=1966082 scontext=system_u:system_r:rpm_t:s0
tcontext=system_u:object_r:tmp_t:s0-s0:c0.c1023 tclass=dir
It works if we change initrc_context to:
system_u:system_r:initrc_t:s0-s0:c0.c1023
We don't see the issue under mls because the default initrc_context is:
system_u:system_r:initrc_t:s0-s15:c0.c1023
We've traces this back through the selinux-policy src RPM and to the
upstream refpolicy and see that config/appconfig-mcs/initrc_context is:
system_u:system_r:initrc_t:s0
whereas config/appconfig-mls/initrc_context is:
system_u:system_r:initrc_t:s0-mls_systemhigh
So under mls init's context is SystemHigh, but under mcs/targeted it
doesn't have any categories.
So the long question is should config/appconfig-mcs/initrc_context really
be:
system_u:system_r:initrc_t:mcs_systemhigh
as it seems odd that the more secure mls policy would run init at
SystemHigh but targeted doesn't.
Thanks
Phil Seeley
4 years, 1 month
Symlink or bind mount?
by Gionatan Danti
Being a regular user of selinux, I often face situations where some
common directories (es: /var/log or /var/lib) needs to be redirected to
other partitions/volumes.
I very simple approach, without impacting selinux at all, is to mount a
volume in the precise path I need to replace - ie mount
/dev/vg_test/lv_lib in /var/lib. However, this is a
one-volume-for-directory approach and I would like to avoid it.
The other possibility is to create single big volume with multiple
directories, mount it, and
1) symlink the original dir (ie: /var/log) to the new one (ie:
/mnt/volume/var/log);
2) use a bind mount to re-mount the destination dir
(/mnt/volume/var/log) on the original one (/var/log).
The symlink approach is self-explaining, as anyone listing the original
directory will immediately notice it. However, it sometime require
extensive customization of the selinux policy, a thing I try hard to
avoid.
The bind mount approach is somewhat simpler from selinux standpoint, but
it much less discoverable by a simple "ls".
What do you feel is the preferred approach? I am missing something?
Thanks.
--
Danti Gionatan
Supporto Tecnico
Assyoma S.r.l. - www.assyoma.it
email: g.danti(a)assyoma.it - info(a)assyoma.it
GPG public key ID: FF5F32A8
5 years, 5 months
SELinux blocking systemctl --user ??
by Robin Lee Powell
On a host with unconfined disabled, running this as a
staff_u/staff_t user:
[sampre_mw@jukni ~]$ systemctl --user status
Failed to read server status: Access denied
worked until recently. I just upgraded to Fedora 27, but I *think*
this worked after the upgrade, so I don't know what's going on
there.
I get nothing whatever in auditd, which is weird. In syslog I get:
Dec 25 09:48:07 jukni systemd[669]: selinux: avc: denied { status } for auid=n/a uid=1086 gid=1086 cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=system permissive=0
Further, this:
[sampre_mw@jukni ~]$ systemctl --user restart lojban_mediawiki_web
Failed to restart lojban_mediawiki_web.service: Access denied
See user logs and 'systemctl --user status lojban_mediawiki_web.service' for details.
Gives this in syslog:
Dec 25 09:49:06 jukni systemd[669]: selinux: avc: denied { start } for auid=n/a uid=1086 gid=1086 path="/home/sampre_mw/.config/systemd/user/lojban_mediawiki_web.service" cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0
I can't find anything in sesearch about self:system, and all I can
find in
https://github.com/TresysTechnology/refpolicy.git or
https://github.com/TresysTechnology/refpolicy-contrib.git is:
policy/modules/kernel/kernel.te
481: allow can_load_kernmodule self:system module_load;
policy/modules/system/init.te
225: allow init_t self:system { status reboot halt reload };
It strikes me as unlikely that F27 *actually* shipped with a setup
that makes systemctl user operations not work.
I don't have a comparable user to test with, really, but at first
glance my other F27 systems seem OK.
Any idea what I broke?
5 years, 8 months
google authenticator doesnt work under staff_t confinement
by sindano sindano
Hi,
under these circumstances:
1. Install google authenticator
2. setup the pam module for sudo-: auth required pam_google_authenticator.so user=root secret=/PATH_FOLDER/${USER}
3. run google-authenticator for ${USER}
4. cp or mv .google-authenticator file to /var/lib/google-authenticator/chira
5. run restorecon -rv on /var/lib/google-authenticator/
6. reboot
GA fails (without providing any errors to terminal) to ask for verification code and sudo doesnt execute. No AVC denials are provided either.
However, i get an error message from journal:
audit: type=1100 audit(1513091006.688:912): pid=10848 uid=1000 auid=1000 ses=2 subj=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="chira" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=failed'
Dec 12 17:03:28 localhost.localdomain sudo(pam_google_authenticator)[10848]: Failed to read "/var/lib/google-authenticator/chira" for "chira"
...
If i switch to unconfined_u, all goes smoothly as expected.
im currently on fedora 27 workstation and selinux-policy-3.13.1-283.17.fc27.noarch.
BR,
Sindano
5 years, 9 months
Using selinux in HPC environments.
by Christopher Smith
Hi Folks
Can someone here speak knowledgeably from an implementation perspective on
running selinux on high performance compute nodes?
I would be interested in all of the following topics.
* Performance tuning / benchmarking / baselining
* Enabling MLS / MCS, and writing lots of custom policy around MLS and MCS.
* Performance impact differences between policy targeted, and MLS
* Integration with a directory server where selinux users / objects are
mapped to directory objects
* Integration with netfilter / connection tracking
* Doing things to reduce overhead / IO like disabling AVC logging and
auditing. Perhaps with well tested policies.
* Tips for keeping policies as small as possible, avoiding redundancy and
bench marking policy performance.
* Storing policies in ram based file systems.
* Other tips and tricks for optimizing performance in regard to selinux.
I don't yet know anything about the types of workloads that they intend to
run.
The request for information is coming from an external entity.
My understanding from reading through the fedora selinux project wiki is
that performance can be a difficult thing to measure and troubleshoot.
I appreciate any advice, thoughts, lessons learned.
5 years, 9 months