Initial context for init
by Philip Seeley
Hi all,
Quick question is:
In the targeted policy should init run SystemHigh as it does in the mls
policy?
The background:
We're setting up a targeted system where we confine all users and remove
the unconfined policy module, but we also enable polyinstantiation of /tmp
and /var/tmp.
If we ssh in as a staff_u user phil and elevate to root/sysadm_r then we
have a context of:
staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
And therefore /var/tmp is:
drwxrwxrwt. root root system_u:object_r:tmp_t:s0-s0:c0.c1023 /var/tmp
Which is really:
drwxrwxrwt. root root system_u:object_r:tmp_t:s0-s0:c0.c1023 /var/tmp-inst/system_u:object_r:tmp_t:s0-s0:c0.c1023_phil
The real /var/tmp is:
drwxrwxrwt. root root system_u:object_r:tmp_t:s0 /var/tmp
Now if we use run_init to update an RPM that contains a post install
script, rpm can't create the temporary script file:
# run_init bash -c 'rpm -i --force /root/libselinux-2.0.94-7.el6.x86_64.rpm'
Authenticating phil.
Password:
error: error creating temporary file /var/tmp/rpm-tmp.atkHTf: Permission denied
error: Couldn't create temporary file for %post (libselinux-2.0.94-7.el6.x86_64): Permission denied
Note: you need to use run_init as the rpm might restart a service, e.g. the
sssd rpm.
We've traced this to the /etc/selinux/targeted/contexts/initrc_context file
which contains:
system_u:system_r:initrc_t:s0
So we transition to initrc_t and then to rpm_t without any categories, but
because the polyinstantiated /var/tmp directory has c0.c1023 we get denied.
Normally in targeted init runs unconfined, but we've removed this.
type=AVC msg=audit(1467342325.016:716): avc: denied { read } for pid=2779 comm="rpm" name="system_u:object_r:tmp_t:s0-s0:c0.c1023_phil" dev=dm-0 ino=1966082 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:tmp_t:s0-s0:c0.c1023 tclass=dir
It works if we change initrc_context to:
system_u:system_r:initrc_t:s0-s0:c0.c1023
We don't see the issue under mls because the default initrc_context is:
system_u:system_r:initrc_t:s0-s15:c0.c1023
We've traced this back through the selinux-policy src RPM and to the
upstream refpolicy and see that config/appconfig-mcs/initrc_context is:
system_u:system_r:initrc_t:s0
whereas config/appconfig-mls/initrc_context is:
system_u:system_r:initrc_t:s0-mls_systemhigh
So under mls init's context is SystemHigh, but under mcs/targeted it
doesn't have any categories.
So the long question is should config/appconfig-mcs/initrc_context really
be:
system_u:system_r:initrc_t:mcs_systemhigh
as it seems odd that the more secure mls policy would run init at
SystemHigh but targeted doesn't.
Thanks
Phil Seeley
4 years, 4 months
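As an added example (my own code, not from the post or from refpolicy), a Python check that parses the AVC record above and applies the MCS policy's dominance comparison for dir reads (h1 dom h2), assuming the targeted policy's mcs constraint file and ignoring its attribute-based exemptions; it shows rpm_t at s0 failing against the c0.c1023 directory and passing once it carries the s0-s0:c0.c1023 initrc range.

```python
import re

# Constructed sample input: the AVC record quoted in the post above, rejoined onto one line.
AVC_LINE = (
    'type=AVC msg=audit(1467342325.016:716): avc: denied { read } for '
    'pid=2779 comm="rpm" name="system_u:object_r:tmp_t:s0-s0:c0.c1023_phil" '
    'dev=dm-0 ino=1966082 scontext=system_u:system_r:rpm_t:s0 '
    'tcontext=system_u:object_r:tmp_t:s0-s0:c0.c1023 tclass=dir'
)

def parse_avc(line):
    """Extract the key=value fields and the denied permission set from one AVC record."""
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    fields['perms'] = re.search(r'denied\s*\{([^}]*)\}', line).group(1).split()
    return fields

def parse_level(level):
    """Turn 's0:c0.c1023' or 's2:c1,c4.c6' into (sensitivity, set of category numbers)."""
    sens, _, cats = level.partition(':')
    categories = set()
    for part in filter(None, cats.split(',')):
        lo, _, hi = part.partition('.')  # 'c4.c6' is an inclusive range
        categories.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return int(sens[1:]), categories

def context_range(context):
    """Split a context into (low, high) levels; a single level is its own high level."""
    parts = context.split(':', 3)
    low, _, high = (parts[3] if len(parts) > 3 else 's0').partition('-')
    return parse_level(low), parse_level(high or low)

def dominates(a, b):
    return a[0] >= b[0] and a[1] >= b[1]  # sensitivity not lower and categories a superset

def mcs_read_allowed(scontext, tcontext):
    """MCS 'read' constraint on files/dirs modelled as h1 dom h2: the subject's high level
    must dominate the object's; the real rule's attribute escapes (mcsreadall) are left out."""
    return dominates(context_range(scontext)[1], context_range(tcontext)[1])

def with_range(context, range_source):
    """Give context the MLS/MCS range of range_source (rpm_t inherits initrc_t's range via run_init)."""
    return ':'.join(context.split(':', 3)[:3] + [range_source.split(':', 3)[3]])

if __name__ == '__main__':
    avc = parse_avc(AVC_LINE)
    for initrc in ('system_u:system_r:initrc_t:s0', 'system_u:system_r:initrc_t:s0-s0:c0.c1023'):
        src = with_range(avc['scontext'], initrc)
        verdict = 'allowed' if mcs_read_allowed(src, avc['tcontext']) else 'denied'
        print(f'{initrc:45} -> {avc["comm"]} {avc["perms"]} on {avc["tclass"]}: {verdict}')
```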
Re: RHEL 7 consoletype_exec interface issue
by Douglas Brown
Hi,
In RHEL 7 when using the userdom_unpriv_user_template interface to create a new role, it in turn uses the consoletype_exec interface; but when I attempt to insert a policy compiled with this, it says the type consoletype_exec_t doesn’t exist.
N.B. This works on RHEL 6.
Thanks,
Doug
6 years, 8 months
SELinux enabled + rsync + Permission denied (13)
by Sachin Gaikwad
Hi all,
I am running a daemon process (C++ program) on RHEL 6.6 with SELinux
enabled. This process eventually executes "rsync" to do file-copy
operation. It is failing with following error:
---------------------------------*8<*--------------------------------------------
rsync: change_dir "/home/foobar/source/" failed: Permission denied (13)
rsync: ERROR: cannot stat destination "/mnt/other_volume/testData":
Permission denied (13).
---------------------------------*8<*--------------------------------------------
Question: Why is rsync failing with this error? I checked permissions of
"source" and "target" and both have permissions for the user.
Other testing data:
1) I tested this with "SELinux" disabled and rsync succeeds.
2) I tested this with "SELinux" enabled and launching the process from a
terminal. In this case "rsync" works fine. So, it looks like it is
something to do with "SELinux permissions" for processes which do not have a tty?
3) On another system, RHEL 6.8, SELinux enabled, process as daemon: rsync
works fine. I compared the SELinux configuration of both these systems, but
couldn't find anything to reason it out. If you need, I can attach the SELinux
configurations.
Thanks in advance,
Sachin
6 years, 8 months
pam_yubico triggering AVC
by Jeremy Young
I thought it'd be prudent to ask the list's opinion before opening a bug report. I'm not experiencing any visible issues, but can repeatedly generate this AVC, one that only seems to be generated since I've enabled pam_yubico on my laptop. I'm fine adding a dontaudit rule to my local policy but should I send a bug report for this? If so, is this an SELinux report or one to Yubico?
SELinux is preventing gdm-session-wor from using the wake_alarm capability.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that gdm-session-wor should have the wake_alarm capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gdm-session-wor' --raw | audit2allow -M my-gdmsessionwor
# semodule -X 300 -i my-gdmsessionwor.pp
Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Objects Unknown [ capability2 ]
Source gdm-session-wor
Source Path gdm-session-wor
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-225.6.fc25.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux HOSTNAME 4.9.8-201.fc25.x86_64 #1 SMP
Tue Feb 7 11:28:07 UTC 2017 x86_64 x86_64
Alert Count 1228
First Seen 2017-02-13 07:43:45 CST
Last Seen 2017-02-14 08:36:50 CST
Local ID 55722700-2042-427e-911c-5ed8fe9aaf8b
Raw Audit Messages
type=AVC msg=audit(1487083010.410:7611): avc: denied { wake_alarm } for pid=699 comm="gdm-session-wor" capability=35 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
Hash: gdm-session-wor,xdm_t,xdm_t,capability2,wake_alarm
6 years, 9 months
Mount issue
by m.roth@5-cent.us
CentOS 7.3, fully updated.
Feb 6 10:03:37 donegal <server>: SELinux is preventing /usr/bin/mount from 'read, write' accesses on the file utab.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that mount should be allowed read write access on the utab file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'mount' --raw | audit2allow -M my-mount
# semodule -i my-mount.pp
This seems more than slightly odd... am I misunderstanding something?
Googling doesn't show anything in the first page or so of results.
mark
6 years, 10 months
Allow rule to read access all types.
by Bassam Alsanie
I have an app that needs to have search access to all directories on the
system.
I am trying to use this TE in my policy:
allow myapp_t *:dir { search_dir_perms } ;
When compiling with make, I get these error messages:
$ make
> Compiling targeted myapp module
> here it is /usr/share/selinux/devel/include
> /usr/bin/checkmodule: loading policy configuration from tmp/myapp.tmp
> myapp.te:678:ERROR '* not allowed in this type of rule' at token ';' on
> line 5114:
> allow myapp_t *:dir { { getattr search open } };
>
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> /usr/share/selinux/devel/include/Makefile:154: recipe for target
> 'tmp/myapp.mod' failed
> make: *** [tmp/myapp.mod] Error 1
I am running on Fedora 25.
Thank you
Bassam
6 years, 10 months
[PATCH] rawhide-base: Fix wrong type/attribute flavors in require blocks
by James Carter
In userdom_execmod_user_home_files(), user_home_type is an
attribute, not a type.
In userdom_read_inherited_user_home_content_files(), admin_home_t
is a type, not an attribute.
In userdom_dontaudit_read_inherited_admin_home_files(), admin_home_t
is a type, not an attribute.
Signed-off-by: James Carter <jwcart2(a)tycho.nsa.gov>
---
policy/modules/system/userdomain.if | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 269ce67..4b0a3ed 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -4925,7 +4925,7 @@ interface(`userdom_users_dgram_send',`
#
interface(`userdom_execmod_user_home_files',`
gen_require(`
- type user_home_type;
+ attribute user_home_type;
')
allow $1 user_home_type:file execmod;
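Review bot: Flavor change is correct for the rule that follows: `allow $1 user_home_type:file execmod;` uses user_home_type as a set of home-content types, which only resolves if the require block declares it as an attribute. While here, it would be worth grepping userdomain.if for any other `type user_home_type;` inside a gen_require block so the same mismatch is fixed in one commit rather than one interface at a time.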
@@ -5321,7 +5321,7 @@ interface(`userdom_read_inherited_user_home_content_files',`
#
interface(`userdom_dontaudit_read_inherited_admin_home_files',`
gen_require(`
- attribute admin_home_t;
+ type admin_home_t;
')
dontaudit $1 admin_home_t:file read_inherited_file_perms;
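Review bot: The commit message attributes this admin_home_t fix to userdom_read_inherited_user_home_content_files(), but that name only appears in the `@@` header as the nearest preceding interface; the require block actually edited belongs to userdom_dontaudit_read_inherited_admin_home_files(), visible two lines below the header. Please reword the message to name the interface that really changes. The flavor itself is right: `dontaudit $1 admin_home_t:file read_inherited_file_perms;` refers to the concrete admin_home_t type, so `type admin_home_t;` is the correct declaration.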
@@ -5339,7 +5339,7 @@ interface(`userdom_dontaudit_read_inherited_admin_home_files',`
#
interface(`userdom_dontaudit_append_inherited_admin_home_file',`
gen_require(`
- attribute admin_home_t;
+ type admin_home_t;
')
dontaudit $1 admin_home_t:file append_inherited_file_perms;
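Review bot: This hunk changes the require block of userdom_dontaudit_append_inherited_admin_home_file(), which the commit message never mentions (its third item names userdom_dontaudit_read_inherited_admin_home_files(), the interface of the previous hunk). Add it to the message so the description matches all three hunks. The change itself is consistent with `dontaudit $1 admin_home_t:file append_inherited_file_perms;`, which needs admin_home_t declared as a type.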
--
2.7.4
6 years, 10 months