Initial context for init
by Philip Seeley
Hi all,
Quick question is:
In the targeted policy should init run SystemHigh as it does in the mls
policy?
The background:
We're setting up a targeted system where we confine all users and remove
the unconfined policy module, but we also enable polyinstantiation of /tmp
and /var/tmp.
If we ssh in as a staff_u user phil and elevate to root/sysadm_r then we
have a context of:
staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
And therefore /var/tmp is:
drwxrwxrwt. root root system_u:object_r:tmp_t:s0-s0:c0.c1023 /var/tmp
Which is really:
drwxrwxrwt. root root system_u:object_r:tmp_t:s0-s0:c0.c1023 /var/tmp-inst/system_u:object_r:tmp_t:s0-s0:c0.c1023_phil
The real /var/tmp is:
drwxrwxrwt. root root system_u:object_r:tmp_t:s0 /var/tmp
Now if we use run_init to update an RPM that contains a post install
script, rpm can't create the temporary script file:
# run_init bash -c 'rpm -i --force /root/libselinux-2.0.94-7.el6.x86_64.rpm'
Authenticating phil.
Password:
error: error creating temporary file /var/tmp/rpm-tmp.atkHTf: Permission denied
error: Couldn't create temporary file for %post (libselinux-2.0.94-7.el6.x86_64): Permission denied
Note: you need to use run_init as the rpm might restart a service, e.g. the
sssd rpm.
We've traced this to the /etc/selinux/targeted/contexts/initrc_context file
which contains:
system_u:system_r:initrc_t:s0
So we transition to initrc_t and then to rpm_t without any categories, but
because the polyinstantiated /var/tmp directory has c0.c1023 we get denied.
Normally in targeted init runs unconfined, but we've removed this.
type=AVC msg=audit(1467342325.016:716): avc: denied { read } for pid=2779 comm="rpm" name="system_u:object_r:tmp_t:s0-s0:c0.c1023_phil" dev=dm-0 ino=1966082 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:tmp_t:s0-s0:c0.c1023 tclass=dir
It works if we change initrc_context to:
system_u:system_r:initrc_t:s0-s0:c0.c1023
We don't see the issue under mls because the default initrc_context is:
system_u:system_r:initrc_t:s0-s15:c0.c1023
We've traced this back through the selinux-policy src RPM and to the
upstream refpolicy and see that config/appconfig-mcs/initrc_context is:
system_u:system_r:initrc_t:s0
whereas config/appconfig-mls/initrc_context is:
system_u:system_r:initrc_t:s0-mls_systemhigh
So under mls init's context is SystemHigh, but under mcs/targeted it
doesn't have any categories.
So the long question is should config/appconfig-mcs/initrc_context really
be:
system_u:system_r:initrc_t:mcs_systemhigh
as it seems odd that the more secure mls policy would run init at
SystemHigh but targeted doesn't.
Thanks
Phil Seeley
4 years, 7 months
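The MCS dominance rule behind the denial in this post, as an added example (not code from the thread or from refpolicy): it parses a context's `low-high` range, expands the `c0.c1023` category notation and checks whether the subject's high level dominates the target's high level, which is the shape refpolicy's MCS constraints use for read-like permissions on files and directories. The type-attribute exemptions the real policy carries are left out, and all function names are this example's own. The AVC record and the two initrc_context values are the ones quoted in the post.

```python
"""MCS dominance checker for SELinux security contexts.

Added example, not from the thread or from refpolicy. It reproduces the
reasoning in the post: MCS constrains read-like permissions on files and
directories by requiring the subject's high level to dominate the target's
high level (same or higher sensitivity and a superset of its categories).
The real policy also exempts some types via attributes; this toy ignores that.
"""
import re
from typing import Dict, FrozenSet, Tuple

Level = Tuple[int, FrozenSet[int]]  # (sensitivity number, set of category numbers)


def parse_categories(spec: str) -> FrozenSet[int]:
    """Expand an MCS category spec: '' -> {}, 'c0.c1023' -> {0..1023}, 'c2,c5.c7' -> {2,5,6,7}."""
    cats = set()
    if not spec:
        return frozenset()
    for part in spec.split(","):
        if "." in part:  # 'cA.cB' is an inclusive range
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return frozenset(cats)


def parse_level(level: str) -> Level:
    """'s0:c0.c1023' -> (0, {0..1023}); 's0' -> (0, {})."""
    sens, _, cats = level.partition(":")
    if not re.fullmatch(r"s\d+", sens):
        raise ValueError(f"bad sensitivity in level {level!r}")
    return int(sens[1:]), parse_categories(cats)


def parse_context(ctx: str) -> Dict[str, object]:
    """Split 'user:role:type:low[-high]' into fields; high defaults to low."""
    user, role, type_, mcs_range = ctx.split(":", 3)
    low, _, high = mcs_range.partition("-")
    return {
        "user": user,
        "role": role,
        "type": type_,
        "low": parse_level(low),
        "high": parse_level(high or low),
    }


def dominates(a: Level, b: Level) -> bool:
    """MCS 'dom': a's sensitivity >= b's and a's categories are a superset of b's."""
    return a[0] >= b[0] and a[1] >= b[1]


def mcs_allows_read(scontext: str, tcontext: str) -> bool:
    """Would the MCS read constraint pass? Compares subject high vs target high."""
    return dominates(parse_context(scontext)["high"], parse_context(tcontext)["high"])


def explain_avc(line: str) -> Dict[str, object]:
    """Pull scontext/tcontext out of an AVC record and say whether MCS explains it."""
    m = re.search(r"scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)", line)
    if not m:
        raise ValueError("no scontext/tcontext pair in AVC line")
    scontext, tcontext, tclass = m.groups()
    return {
        "tclass": tclass,
        "subject_high": parse_context(scontext)["high"],
        "target_high": parse_context(tcontext)["high"],
        "mcs_denies": not mcs_allows_read(scontext, tcontext),
    }


# The AVC record quoted in the post, from a run with no categories in initrc_context.
AVC_LINE = (
    "type=AVC msg=audit(1467342325.016:716): avc: denied { read } for "
    'pid=2779 comm="rpm" name="system_u:object_r:tmp_t:s0-s0:c0.c1023_phil" '
    "dev=dm-0 ino=1966082 scontext=system_u:system_r:rpm_t:s0 "
    "tcontext=system_u:object_r:tmp_t:s0-s0:c0.c1023 tclass=dir"
)

# The two initrc_context values compared in the post, and the polyinstantiated /var/tmp.
INITRC_DEFAULT = "system_u:system_r:initrc_t:s0"
INITRC_SYSTEMHIGH = "system_u:system_r:initrc_t:s0-s0:c0.c1023"
POLY_TMP = "system_u:object_r:tmp_t:s0-s0:c0.c1023"

if __name__ == "__main__":
    info = explain_avc(AVC_LINE)
    print("AVC explained by MCS dominance:", info["mcs_denies"])
    for ctx in (INITRC_DEFAULT, INITRC_SYSTEMHIGH):
        print(f"{ctx:45} -> read {POLY_TMP}: {mcs_allows_read(ctx, POLY_TMP)}")
```

Run stand-alone, it reports the quoted AVC as an MCS denial, the default initrc_context failing against the polyinstantiated directory and the SystemHigh variant passing. The level carries through the initrc_t to rpm_t domain transition, which is why checking the initrc_context value directly against the directory matches what the AVC shows for rpm_t.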
Very odd: /proc/sys/net/ipv6/conf/all/disable_ipv6
by mark
CentOS 7.5, and on one system, I'm getting:
setroubleshoot: SELinux is preventing /usr/sbin/sendmail.sendmail from read access on the file disable_ipv6
ll -Z shows
-rw-r--r--. root root system_u:object_r:sysctl_net_t:s0 /proc/sys/net/ipv6/conf/all/disable_ipv6
I find this peculiar. Anyone have a resolution, or is this a bug?
mark
5 years, 6 months
Re: SELinux support for swtpm
by Lukas Vrabec
On 08/11/2018 02:10 AM, Stefan Berger wrote:
> On 08/10/2018 06:21 PM, Paul Moore wrote:
>> On Thu, Aug 9, 2018 at 3:00 PM Stefan Berger
>> <stefanb(a)linux.vnet.ibm.com> wrote:
>>> Hello!
>>>
>>> I am the maintainer of 'swtpm', which is a TPM 1.2 & 2 emulator for
>>> QEMU. 'swtpm' is started by libvirt as part of starting a QEMU VM with
>>> an attached TPM.
>>>
>>> The plan is to have swtpm packaged and made available as part of
>>> Fedora. I am wondering how to go about having the Fedora SELinux policy,
>>> particularly sVirt, extended for support of swtpm? I have played around
>>> with SELinux support for sVirt myself. I had to adapt it depending on
>>> the version of Fedora I was using.
>>>
>>> Here are some of the files I have used:
>>>
>>> https://github.com/stefanberger/swtpm/tree/tpm2-preview.v2/src/selinux
>>>
>>> Particularly this one here may be of interest:
>>> https://github.com/stefanberger/swtpm/blob/tpm2-preview.v2/src/selinux/sw...
>>>
>> A quick note for the mailing list archives, and to let everyone know
>> that Stefan isn't being ignored :) ... Lukas and Stefan have been in
>> touch and they are working on how to best support swtpm in Fedora; I'm
>> sure they will have it sorted out in a few weeks.
>
> Lukas is out, I will be out, so this can rest for a while.
>
Hi,
I'm back from my PTO, feel free to contact me when you'll be back.
Thanks,
Lukas.
> Thanks,
> Stefan
>>
>
--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
5 years, 7 months
[heads up] SELinux support for boltd service
by Lukas Vrabec
Hi,
I saw several bugs where boltd daemon runs as unconfined_service_t. I
have prepared new SELinux module for it.
I'll push it to Fedora Rawhide and also Fedora 28 soon. This module will
be in permissive mode, which means policy for boltd won't be enforced by
kernel, just AVCs will be logged even if the whole system will be in
Enforcing state.
If you'll find some AVCs related to boltd, please use this bugzilla[1]
to report them.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1607974.
Thanks,
Lukas.
--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
5 years, 7 months