Initial context for init
by Philip Seeley
Hi all,
Quick question is:
In the targeted policy should init run SystemHigh as it does in the mls
policy?
The background:
We're setting up a targeted system where we confine all users and remove
the unconfined policy module, but we also enable polyinstantiation of /tmp
and /var/tmp.
If we ssh in as a staff_u user phil and elevate to root/sysadm_r then we
have a context of:
staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
And therefore /var/tmp is:
drwxrwxrwt. root root system_u:object_r:tmp_t:s0-s0:c0.c1023 /var/tmp
Which is really:
drwxrwxrwt. root root system_u:object_r:tmp_t:s0-s0:c0.c1023 /var/tmp-inst/system_u:object_r:tmp_t:s0-s0:c0.c1023_phil
The real /var/tmp is:
drwxrwxrwt. root root system_u:object_r:tmp_t:s0 /var/tmp
Now if we use run_init to update an RPM that contains a post install
script, rpm can't create the temporary script file:
# run_init bash -c 'rpm -i --force /root/libselinux-2.0.94-7.el6.x86_64.rpm'
Authenticating phil.
Password:
error: error creating temporary file /var/tmp/rpm-tmp.atkHTf: Permission denied
error: Couldn't create temporary file for %post (libselinux-2.0.94-7.el6.x86_64): Permission denied
Note: you need to use run_init as the rpm might restart a service, e.g. the
sssd rpm.
We've traced this to the /etc/selinux/targeted/contexts/initrc_context file
which contains:
system_u:system_r:initrc_t:s0
So we transition to initrc_t and then to rpm_t without any categories, but
because the polyinstantiated /var/tmp directory has c0.c1023 we get denied.
Normally in targeted init runs unconfined, but we've removed this.
type=AVC msg=audit(1467342325.016:716): avc: denied { read } for pid=2779 comm="rpm" name="system_u:object_r:tmp_t:s0-s0:c0.c1023_phil" dev=dm-0 ino=1966082 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:tmp_t:s0-s0:c0.c1023 tclass=dir
It works if we change initrc_context to:
system_u:system_r:initrc_t:s0-s0:c0.c1023
We don't see the issue under mls because the default initrc_context is:
system_u:system_r:initrc_t:s0-s15:c0.c1023
We've traced this back through the selinux-policy src RPM and to the
upstream refpolicy and see that config/appconfig-mcs/initrc_context is:
system_u:system_r:initrc_t:s0
whereas config/appconfig-mls/initrc_context is:
system_u:system_r:initrc_t:s0-mls_systemhigh
So under mls init's context is SystemHigh, but under mcs/targeted it
doesn't have any categories.
So the long question is should config/appconfig-mcs/initrc_context really
be:
system_u:system_r:initrc_t:mcs_systemhigh
as it seems odd that the more secure mls policy would run init at
SystemHigh but targeted doesn't.
Thanks
Phil Seeley
4 years, 4 months
Symlink or bind mount?
by Gionatan Danti
Being a regular user of selinux, I often face situations where some
common directories (e.g. /var/log or /var/lib) need to be redirected to
other partitions/volumes.
A very simple approach, without impacting selinux at all, is to mount a
volume in the precise path I need to replace, i.e. mount
/dev/vg_test/lv_lib in /var/lib. However, this is a
one-volume-per-directory approach and I would like to avoid it.
The other possibility is to create single big volume with multiple
directories, mount it, and
1) symlink the original dir (ie: /var/log) to the new one (ie:
/mnt/volume/var/log);
2) use a bind mount to re-mount the destination dir
(/mnt/volume/var/log) on the original one (/var/log).
The symlink approach is self-explanatory, as anyone listing the original
directory will immediately notice it. However, it sometimes requires
extensive customization of the selinux policy, a thing I try hard to
avoid.
The bind mount approach is somewhat simpler from the selinux standpoint, but
it is much less discoverable by a simple "ls".
What do you feel is the preferred approach? Am I missing something?
Thanks.
--
Danti Gionatan
Technical Support
Assyoma S.r.l. - www.assyoma.it
email: g.danti(a)assyoma.it - info(a)assyoma.it
GPG public key ID: FF5F32A8
5 years, 7 months
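Since the objection to bind mounts above is that a plain "ls" does not reveal them, here is an added example (not from the original post) that reads the /proc/self/mountinfo format and lists the mounts which expose only a subtree of their filesystem, which is exactly what bind-mounting /mnt/volume/var/log over /var/log produces. The mountinfo sample, device numbers and volume names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed /proc/self/mountinfo excerpt: one big volume at /mnt/volume whose
# var/log and var/lib subdirectories are bind-mounted over /var/log and /var/lib
# (device numbers and volume names are made up for the example).
SAMPLE_MOUNTINFO = """\
22 1 253:0 / / rw,relatime shared:1 - xfs /dev/mapper/vg_test-root rw
40 22 253:1 / /mnt/volume rw,relatime shared:2 - xfs /dev/mapper/vg_test-data rw
41 22 253:1 /var/log /var/log rw,relatime shared:2 - xfs /dev/mapper/vg_test-data rw
42 22 253:1 /var/lib /var/lib rw,relatime shared:2 - xfs /dev/mapper/vg_test-data rw
43 22 0:23 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
"""

def _unescape(field):
    # mountinfo writes space, tab, newline and backslash as octal escapes (\040 ...)
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mountinfo(text):
    """Yield one dict per mountinfo line; field layout as documented in proc(5)."""
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, _, post = line.partition(" - ")   # optional fields end at the lone '-'
        fields = pre.split()
        fstype, source = post.split()[:2]
        yield {"id": int(fields[0]),
               "dev": fields[2],               # major:minor of the backing device
               "root": _unescape(fields[3]),   # subtree of that fs which is mounted
               "mountpoint": _unescape(fields[4]),
               "fstype": fstype, "source": source}

def find_bind_mounts(text):
    """(mountpoint, source, root) for every mount exposing only a subtree of its
    filesystem, i.e. a directory bind mount; `ls` on the mountpoint shows nothing."""
    return [(m["mountpoint"], m["source"], m["root"])
            for m in parse_mountinfo(text) if m["root"] != "/"]

def mounts_by_device(text):
    """Devices mounted more than once, with their mountpoints: the same volume
    appearing under /mnt/volume and again under /var/log is the bind-mount signature."""
    groups = defaultdict(list)
    for m in parse_mountinfo(text):
        groups[m["dev"]].append(m["mountpoint"])
    return {dev: mps for dev, mps in groups.items() if len(mps) > 1}

if __name__ == "__main__":
    # On a live host read open("/proc/self/mountinfo").read() instead of the sample.
    for mp, src, root in find_bind_mounts(SAMPLE_MOUNTINFO):
        print(f"{mp} is a bind mount of {root} on {src}")
    for dev, mps in mounts_by_device(SAMPLE_MOUNTINFO).items():
        print(f"device {dev} is mounted at: {', '.join(mps)}")
```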
Newbie asking about first policy file
by leam hall
Good morning!
I'm trying to learn SELinux and reduce the number of alerts that refer
to normal processes. Postfix is one of the biggies; here's what I've
gotten so far. I'd appreciate critique.
Note that the file is hand transcribed, not cut and pasted. It does
compile and install, so typographic errors are mine.
###
module postfix 0.0.1;
require {
    type kernel_t;
    type postfix_bounce_t;
    type postfix_master_t;
    type postfix_smtp_t;
}
# allow the postfix domains to ask the kernel to load modules
allow postfix_bounce_t kernel_t:system module_request;
allow postfix_master_t kernel_t:system module_request;
allow postfix_smtp_t kernel_t:system module_request;
###
Thanks!
Leam
5 years, 7 months
samba & autofs in rhel/centos 7.x
by lejeczek
hi guys
any boolean that would cover this:
#============= smbd_t ==============
#!!!! The file '/__.aNetStorage' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /__.aNetStorage
#!!!! This avc can be allowed using one of the these booleans:
#???????? samba_export_all_ro, samba_export_all_rw
allow smbd_t automount_tmp_t:dir getattr;
allow smbd_t self:capability2 block_suspend;
The above (silent denials) happens when samba's share path is an
autofs nfs ver=4 mount.
If there is no boolean then it would be great to have one (or a few) if
safe.
many thanks, L.
5 years, 8 months
CentOS7 SELinux doesn't seem to adhere to MCS categories
by Lukas Prediger
Hello everyone!
I am having some issues with SELinux Multi Category Security on CentOS7
and have been redirected to this mailing list by the folks at
centos.org/forums (as response to my question there [0]).
My problem is the following:
Running CentOS7 64bit with SELinux in enforcing mode in targeted policy,
I noticed that a file that is assigned to a certain SELinux MCS (Multi
Category Security) category can be read by a user who is not assigned to
that category, indicating that MCS isn't working properly.
More specifically, I have users
john | mcsuser_u | s0-s0:c122
jane | mcsuser_u | s0-s0:c123
with
mcsuser_u | MLS/MCS Level: s0 | MLS/MCS Range: s0-s0:c0.c1023 | SELinux Roles: user_r
and a file
-rw-rw-r-- john john mcsuser_u:object_r:user_home_t:s0:c122 johntext
I would expect that user jane is unable to read the file since she is
not a member of the c122 category. However, running cat johntext as jane
prints the contents of the file without problem. This indicates to me
that MCS rules are not adhered to.
I tested the same setup on CentOS 6.9, where everything behaves as I
would expect (i.e., invoking cat johntext as jane results in a permission
denied error).
Since I was unable to find documentation on a major change in
policy/configuration regarding SELinux from version 6.9 to 7, I am
somewhat confused by this. Am I making an obvious mistake or is this a
bug? If the latter, is it CentOS related or was it some change in
SELinux policies that I did not find documentation on which are present
in the latest versions of CentOS but not in 6.9?
Any advice would be very welcome.
I also posted a more verbose version of this question already on
serverfault.com [1], in case a more detailed listing of my steps is
required.
Thank you very much in advance.
Best regards,
Lukas P.
[0]:
https://www.centos.org/forums/viewtopic.php?f=51&t=66406&sid=31bd377019d7...
[1]:
https://serverfault.com/questions/901575/centos7-selinux-doesnt-seem-to-a...
PS: I sent this mail once already last week but didn't get a reply and
it doesn't appear in the archives
[https://lists.fedoraproject.org/archives/], so I'm assuming it got lost
(maybe because I sent it before subscribing to the list..). If it's a
duplicate, please disregard (but maybe point me to / forward me the
responses..)
5 years, 8 months
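The MCS dominance rule that both the run_init/initrc_context post above and this CentOS 7 question turn on, as an added example that is not from either post: a parser for SELinux contexts and a check of the refpolicy MCS read constraint "h1 dom h2" (the subject's high level must dominate the object's high level). It assumes the constraint applies to the domain being tested, which is precisely the open question in this thread, and the user_t type for john and jane is an assumption, since only their SELinux user and role are shown.

```python
import re

def parse_level(text):
    """'s0', 's0:c122' or 's0:c0.c1023,c5' -> (sensitivity, frozenset of categories)."""
    sens, _, cats = text.partition(":")
    if not re.fullmatch(r"s\d+", sens):
        raise ValueError(f"bad sensitivity: {sens!r}")
    categories = set()
    for part in filter(None, cats.split(",")):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)   # single cN or a range cN.cM
        if not m:
            raise ValueError(f"bad category: {part!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        categories.update(range(lo, hi + 1))
    return int(sens[1:]), frozenset(categories)

def parse_context(ctx):
    """'user:role:type:range' -> dict with low/high levels; the range keeps its own ':'."""
    user, role, type_, rng = ctx.split(":", 3)
    low, _, high = rng.partition("-")           # a single level is its own range
    return {"user": user, "role": role, "type": type_,
            "low": parse_level(low), "high": parse_level(high or low)}

def dominates(a, b):
    """MLS 'dom': sensitivity not lower and category set a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def mcs_read_allowed(scontext, tcontext):
    """Model of the refpolicy MCS read constraint 'h1 dom h2': the subject's high
    level must dominate the object's high level. Simplification: the constraint is
    applied to every domain, whereas a real policy may restrict it to some types."""
    return dominates(parse_context(scontext)["high"], parse_context(tcontext)["high"])

if __name__ == "__main__":
    tmp_inst = "system_u:object_r:tmp_t:s0-s0:c0.c1023"      # polyinstantiated /var/tmp (first post)
    for subj in ("system_u:system_r:rpm_t:s0",                # what the default initrc_context yields
                 "system_u:system_r:initrc_t:s0-s0:c0.c1023"):  # the corrected initrc_context
        print(subj, "->", "allowed" if mcs_read_allowed(subj, tmp_inst) else "DENIED")
    johntext = "mcsuser_u:object_r:user_home_t:s0:c122"       # john's file (CentOS 7 post)
    for subj in ("mcsuser_u:user_r:user_t:s0-s0:c122",         # john (user_t is an assumed type)
                 "mcsuser_u:user_r:user_t:s0-s0:c123"):        # jane
        print(subj, "->", "allowed" if mcs_read_allowed(subj, johntext) else "DENIED")
```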
Processes running unconfined in Fedora Desktop 27
by Nathan Owen
I recently moved from Ubuntu to Fedora 27, in part due to selinux being enabled by default.
When I run `ps -alZ` I notice that there are a number of processes running unconfined (full list included below).
Is it generally considered acceptable to have these processes running unconfined? It seems like a security vulnerability to me.
If this is a vulnerability, does anyone know if it is safe to disable unconfined on my Fedora desktop and what would be the best way to go about this?
Thank you,
Nathan Owen
`ps -alZ | grep unconfined` output (plus header line for clarity):
LABEL F S UID PID PPID C PRI NI ADDR SZ WCHAN TTY TIME CMD
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1444 1439 0 80 0 - 166430 SyS_po tty2 00:00:00 gnome-session-b
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1518 1444 5 80 0 - 1005208 SyS_po tty2 00:02:17 gnome-shell
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1574 1518 0 80 0 - 136312 SyS_ep tty2 00:00:17 Xwayland
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1621 1518 0 80 0 - 136717 SyS_po tty2 00:00:00 ibus-daemon
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1630 1621 0 80 0 - 96892 SyS_po tty2 00:00:00 ibus-dconf
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1632 1 0 80 0 - 128345 SyS_po tty2 00:00:00 ibus-x11
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1703 1444 0 80 0 - 127621 SyS_po tty2 00:00:00 gsd-mouse
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1704 1444 0 80 0 - 172146 SyS_po tty2 00:00:00 gsd-power
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1705 1444 0 80 0 - 139106 SyS_po tty2 00:00:00 gsd-print-notif
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1706 1444 0 80 0 - 163911 SyS_po tty2 00:00:00 gsd-rfkill
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1707 1444 0 80 0 - 127008 SyS_po tty2 00:00:00 gsd-screensaver
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1708 1444 0 80 0 - 141153 SyS_po tty2 00:00:00 gsd-sharing
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1711 1444 0 80 0 - 153280 SyS_po tty2 00:00:00 gsd-smartcard
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1713 1444 0 80 0 - 149563 SyS_po tty2 00:00:00 gsd-wacom
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1716 1444 0 80 0 - 165971 SyS_po tty2 00:00:00 gsd-xsettings
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1724 1444 0 80 0 - 138212 SyS_po tty2 00:00:00 gsd-sound
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1731 1444 0 80 0 - 127619 SyS_po tty2 00:00:00 gsd-a11y-settin
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1735 1444 0 80 0 - 150568 SyS_po tty2 00:00:00 gsd-a11y-keyboa
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1736 1444 0 80 0 - 136716 SyS_po tty2 00:00:00 gsd-datetime
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1738 1444 0 80 0 - 128251 SyS_po tty2 00:00:00 gsd-clipboard
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1739 1444 0 80 0 - 210310 SyS_po tty2 00:00:00 gsd-color
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1742 1444 0 80 0 - 245373 SyS_po tty2 00:00:00 gsd-media-keys
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1743 1444 0 80 0 - 148237 SyS_po tty2 00:00:00 gsd-housekeepin
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1745 1444 0 80 0 - 168438 SyS_po tty2 00:00:00 gsd-keyboard
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1803 1621 0 80 0 - 78439 SyS_po tty2 00:00:00 ibus-engine-sim
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1878 1444 0 80 0 - 298030 SyS_po tty2 00:00:00 evolution-alarm
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1884 1444 0 80 0 - 160994 SyS_po tty2 00:00:00 abrt-applet
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1889 1444 0 99 - - 197079 SyS_po tty2 00:00:00 tracker-miner-a
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1891 1444 0 99 19 - 183615 SyS_po tty2 00:00:00 tracker-miner-f
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1895 1444 0 99 - - 414121 SyS_po tty2 00:00:00 tracker-extract
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1901 1444 0 80 0 - 352568 SyS_po tty2 00:00:10 gnome-software
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1912 1444 0 80 0 - 142411 SyS_po tty2 00:00:00 seapplet
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1919 1444 0 80 0 - 69563 SyS_po tty2 00:00:00 gsd-disk-utilit
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1937 1 0 80 0 - 154397 SyS_po tty2 00:00:00 gsd-printer
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4 S 1000 2610 1518 4 80 0 - 364264 SyS_po tty2 00:01:33 chrome
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 2617 2610 0 80 0 - 28706 - tty2 00:00:00 cat
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 2618 2610 0 80 0 - 28706 - tty2 00:00:00 cat
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4 S 1000 2621 2610 0 80 0 - 132436 - tty2 00:00:00 chrome
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4 S 1000 2622 2621 0 80 0 - 5996 - tty2 00:00:00 nacl_helper
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5 S 1000 2625 2621 0 80 0 - 132436 SyS_pp tty2 00:00:00 chrome
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 2707 2610 2 80 0 - 174162 SyS_po tty2 00:00:49 chrome
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1 S 1000 2721 2707 0 80 0 - 140547 - tty2 00:00:00 chrome
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1 S 1000 2747 2625 0 80 0 - 429151 - tty2 00:00:15 chrome
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1 S 1000 2799 2625 0 80 0 - 310051 - tty2 00:00:00 chrome
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1 S 1000 2828 2625 0 80 0 - 306781 - tty2 00:00:02 chrome
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 3612 1 0 80 0 - 497232 SyS_po tty2 00:00:09 slack
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 3615 3612 0 80 0 - 115362 SyS_pp tty2 00:00:00 slack
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 3646 3612 0 80 0 - 144992 SyS_po tty2 00:00:02 slack
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1 S 1000 3701 3615 0 80 0 - 303569 - tty2 00:00:01 slack
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1 S 1000 3776 2625 2 80 0 - 393635 - tty2 00:00:38 chrome
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1 S 1000 3798 2625 0 80 0 - 309618 - tty2 00:00:00 chrome
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1 S 1000 3908 3615 0 80 0 - 441636 - tty2 00:00:13 slack
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1 S 1000 5213 2625 8 80 0 - 325779 - tty2 00:00:46 chrome
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 5326 2146 0 80 0 - 38420 core_s pts/1 00:00:00 vim
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4 R 1000 5586 2151 0 80 0 - 35760 - pts/2 00:00:00 ps
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 5587 2151 0 80 0 - 29882 - pts/2 00:00:00 grep
5 years, 8 months
Two questions about selinux
by Gionatan Danti
Hi all,
I have two questions about selinux.
1) Suppose I have a file which should be shared by two processes with
two different security contexts (i.e. proc_a_t and proc_b_t). Am I right
in saying that I *must* create a policy to grant access to both processes
for both contexts? Or is it possible to assign *two* labels/contexts to
a file/directory?
2) Suppose that, by using audit2allow, I created a custom policy module.
Time passed, and I lost the original template file, leaving only the
binary policy module. If I then need to add some other customization, do
I need to create a new policy or can I modify the original, binary-only
policy?
Thanks.
--
Danti Gionatan
Technical Support
Assyoma S.r.l. - www.assyoma.it
email: g.danti(a)assyoma.it - info(a)assyoma.it
GPG public key ID: FF5F32A8
5 years, 8 months
semanage question/confusion
by Ed Greshko
A while back I needed virtmanager to access an ISO file which resides on an NFS
mount. So, I enabled virt_use_nfs.
Today I was doing some research to help someone else and I noticed that "semanage
boolean -l" shows:
virt_use_nfs (on , on) Allow virt to use nfs
According to the header of the output the first "on" is the state while the second is
default. Since I had to enable it I would have thought I would see
virt_use_nfs (on , off) Allow virt to use nfs
Am I missing something?
--
Conjecture is just a conclusion based on incomplete information. It isn't a fact.
5 years, 8 months
An selinux issue
by m.roth@5-cent.us
CentOS 7.4
From sealert:
SELinux is preventing /usr/sbin/sshd from read access on the file
/etc/ssh/moduli.
***** Plugin restorecon (94.8 confidence) suggests
************************
If you want to fix the label.
/etc/ssh/moduli default label should be etc_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /etc/ssh/moduli
<...>
Additional Information:
Source Context system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context system_u:object_r:unlabeled_t:s0
Target Objects /etc/ssh/moduli [ file ]
Source sshd
Source Path /usr/sbin/sshd
---------
Except:
ls -laFZ /etc/ssh/moduli
-rw-r--r--. root root system:object_r:etc_t:s0 /etc/ssh/moduli
ls -laFZ /usr/sbin/sshd
-rwxr-xr-x. root root system_u:object_r:sshd_exec_t:s0 /usr/sbin/sshd*
And I even restarted sshd. So, what's selinux seeing that I'm not?
mark
5 years, 8 months