selinux strange behaviour
by Michel Gravier
Dear all
I am trying to forbid execution of scripts in users' home directories by standard users. Here is what I have done:
Change the boolean user_exec_content to off:
# setsebool user_exec_content off
So if I read the policies, any process in the user_t domain should not be able to execute a file with the user_home_t type?
So I create a user "toto" with the context:
$ id -Z
user_u:user_r:user_t:s0
I create a bash script "test.sh" with 2 lines:
#!/bin/bash
ps -fZ
$ ll -Z
total 3
-rwxr-xr-x. 1 toto toto user_u:object_r:user_home_t:s0 19 15 nov. 08:00 test.sh
When I try to execute the script:
$ ./test.sh
-bash: ./test.sh: Permission denied
That's what I wanted. And it's SELinux which does the work:
# tail -3 /var/log/audit/audit.log
type=AVC msg=audit(1573824552.173:265): avc: denied { execute } for pid=15138 comm="bash" name="test.sh" dev="dm-0" ino=341980 scontext=user_u:user_r:user_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1573824552.173:265): arch=c000003e syscall=59 success=no exit=-13 a0=55ed16979130 a1=55ed169ad730 a2=55ed169856c0 a3=8 items=0 ppid=14703 pid=15138 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=9 comm="bash" exe="/usr/bin/bash" subj=user_u:user_r:user_t:s0 key=(null)ARCH=x86_64 SYSCALL=execve AUID="toto" UID="toto" GID="toto" EUID="toto" SUID="toto" FSUID="toto" EGID="toto" SGID="toto" FSGID="toto"
type=PROCTITLE msg=audit(1573824552.173:265): proctitle="-bash"
But if I do this:
$ bash test.sh
LABEL UID PID PPID C STIME TTY TIME CMD
user_u:user_r:user_t:s0 toto 14703 14702 0 08:00 pts/1 00:00:00 -bash
user_u:user_r:user_t:s0 toto 15147 14703 0 08:31 pts/1 00:00:00 bash test.sh
user_u:user_r:user_t:s0 toto 15148 15147 0 08:31 pts/1 00:00:00 ps -fZ
I'm quite surprised by the result! Why is the second bash (pid 15147) authorized to execute "test.sh"?
Thanks for your attention.
3 years, 10 months
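The split the poster observes comes from what the denied permission actually gates. `./test.sh` makes test.sh the argument of execve(), and the kernel asks for file `execute` on it, which user_exec_content=off removes from user_t on user_home_t files. `bash test.sh` instead execve()s /usr/bin/bash (shell_exec_t, which user_t may still execute), and bash merely open()s test.sh for reading, which user_t keeps on its own home files; `source test.sh` or piping the script into bash go the same way. The gap is specific to interpreters: mapping a file PROT_EXEC, which running an ELF through the dynamic loader directly would need, is still checked against file `execute`. The following script is an added example, not code from the original post; it reproduces the same split with plain DAC permission bits so that it runs on any Linux box without SELinux. The temporary directory and script name are its own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. It reproduces with plain
# DAC permission bits the split the poster observed under SELinux: execve()
# of the script itself is refused, while handing the same file to an
# interpreter works, because the interpreter only open()s the script for
# reading. The temporary directory and file name are assumptions.

# Runs both invocation paths against a readable, non-executable script and
# prints "direct=<denied|allowed> via_interpreter=<denied|allowed>".
run_demo() {
    dir=$(mktemp -d) || return 1
    script="$dir/test.sh"
    printf '#!/bin/sh\necho ran-as-script\n' > "$script"
    # Readable but not executable: the DAC analogue of user_t keeping
    # "read" but losing "execute" on user_home_t files.
    chmod 0644 "$script"

    # Path 1: ./test.sh. The kernel's execve() checks execute permission on
    # the file being executed (even root needs at least one x bit), so this
    # is refused, just like the AVC "denied { execute }" in the post.
    if "$script" >/dev/null 2>&1; then direct=allowed; else direct=denied; fi

    # Path 2: sh test.sh. The program being executed is the shell; test.sh
    # is merely an argument that the shell opens for reading, so no execute
    # check on test.sh is ever made (the same holds for "source test.sh").
    if sh "$script" 2>/dev/null | grep -q '^ran-as-script$'; then
        via_interpreter=allowed
    else
        via_interpreter=denied
    fi

    rm -rf "$dir"
    printf 'direct=%s via_interpreter=%s\n' "$direct" "$via_interpreter"
}

run_demo   # prints: direct=denied via_interpreter=allowed
```

On the SELinux host itself the policy side of this can be confirmed with setools: `sesearch -A -s user_t -t user_home_t -c file -p execute` shows the execute rule guarded by the user_exec_content boolean, while `-p read` shows the unconditional read rule that `bash test.sh` relies on. Turning the boolean off therefore stops direct execution of home-directory content, not the running of scripts through an interpreter the user is already allowed to execute.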
Re: using an interface defined in another loaded module
by SZIGETVÁRI János
Dear Gary,
Thanks a zillion times for your help; the building of the policy works fine
now that I have copied the .if file of the submodule to the directory you
mentioned!
I did not know I was required to copy the module's interface file to
SELinux's include dirs to make it available for other modules to use.
BTW, I was building my module from within my "policy builder and installer"
script using the "traditional" way of:
# make -f /usr/share/selinux/devel/Makefile A.pp
Now the build process works, thanks to your suggestion!
Best Regards,
János
--
Janos SZIGETVARI
RHCE, License no. 150-053-692
<https://www.redhat.com/rhtapps/verify/?certId=150-053-692>
LinkedIn: linkedin.com/in/janosszigetvari
E-mail: janos(a)szigetvari.com, jszigetvari(a)gmail.com
Phone: +36209440412 (Hungary)
__@__˚V˚
Make the switch to open (source) applications, protocols, formats now:
- windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice
- msn -> jabber protocol (Pidgin, Google Talk)
- mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp
Gary Tierney <gary.tierney(a)gmx.com> wrote (on 3 Apr 2019, Wed,
17:14):
> On Wed, Apr 03, 2019 at 10:34:08AM +0200, SZIGETVÁRI János wrote:
> >Could anyone please give me some insight on this?
> >
> >Thanks a lot!
> >
>
> Hi,
>
> How are you building and installing your policy modules? The interface
> definitions (.if files) aren't preserved in the compiled policy package,
> so are typically kept elsewhere. On Fedora this is under
> /usr/share/selinux/devel/include and its associated subdirectories
> (which are recursively walked to find .if files when building policy
> using the refpolicy framework, i.e., the selinux-policy-devel package).
>
> So it should be as simple as copying your .if files to:
> /usr/share/selinux/devel/include (though the "services" subdir is likely
> more appropriate).
>
> Thanks,
> Gary.
>
> >Best Regards,
> >János Szigetvári
> >
> >SZIGETVÁRI János <jszigetvari(a)gmail.com> wrote (on 31 Mar
> >2019, Sun, 13:47):
> >
> >> ... snip ...
> >_______________________________________________
> >selinux mailing list -- selinux(a)lists.fedoraproject.org
> >To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
> >Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> >List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> >List Archives:
> https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
>
>
3 years, 10 months
Can't change SELinux user home directory file owner
by arnaud gaboury
Looking more closely at my SELinux settings (Fedora 29 Atomic), I found this:
----------
semanage login -l
Login Name           SELinux User         MLS/MCS Range        Service
__default__          unconfined_u         s0-s0:c0.c1023       *
root                 system_u             s0:c0.c1023          *
-------------------------------------
I can’t remember if I did the change, but following RedHat or Fedora
documentation, root should be an unconfined user, right?
So I did the change this way:
-----------------------------------------------------
# semanage login -m -s unconfined_u -rs0:c0.c1023 root
# semanage login -l
...
root unconfined_u s0:c0.c1023 *
# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
----------------------------------------------------------
Fine. Now let's list the root directory:
--------------------------------------------
# pwd
/var/roothome
# ls -alZ
....
-rw-r--r--. 1 root root system_u:object_r:admin_home_t:s0 18 May 28 2018 .bash_logout
-rw-r--r--. 1 root root system_u:object_r:admin_home_t:s0 193 May 28 2018 .bash_profile
-rw-r--r--. 1 root root system_u:object_r:admin_home_t:s0 231 May 28 2018 .bashrc
....
-------------------------------------------------
I thus wanted to change system_u to unconfined_u (Do I need to do it?)
-------------------------------------------------------
# semanage fcontext -m -t admin_home_t -s unconfined_u "/var/roothome(/.*)?"
ValueError: File context for /var/roothome(/.*)? is not defined
# semanage fcontext -a -t admin_home_t -s unconfined_u "/var/roothome(/.*)?"
# cat /etc/selinux/targeted/contexts/files/file_contexts.local
....
/var/roothome(/.*)? unconfined_u:object_r:admin_home_t:s0 <-- sounds OK
# restorecon -R -v /var/roothome
# ls -alZ
...
-rw-r--r--. 1 root root system_u:object_r:admin_home_t:s0 193 May 28 2018 .bash_profile
-rw-r--r--. 1 root root system_u:object_r:admin_home_t:s0 231 May 28 2018 .bashrc
...
-----------------------------------------------------
No changes. Why? Do I need to change to unconfined user, and if yes, how?
Thank you for help.
3 years, 11 months
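Two facts bear on the labelling question in this post. The SELinux user field of a file context is not consulted by type-enforcement rules (those key on the type field), so `system_u` on root's dotfiles changes nothing about what root can do under targeted policy. And a plain `restorecon` resets only the type field of a file's context; the user, role and range are left untouched unless `-F` is given, which is why a file_contexts.local entry can be accepted by semanage while `restorecon -R -v` then changes nothing. The script below is an added example written for this page, not taken from the post: it compares a file's current context with the expected one field by field and reports which restorecon invocation would actually change it. The `ls -Z` lines are constructed from the post's output and the expected context is its file_contexts.local entry.

```shell
#!/bin/sh
# Added example, not from the original post. Compares the context a file
# currently has (as printed by `ls -Z`) with the context its file_contexts
# entry specifies, field by field, and says which restorecon invocation would
# change it. Relevant because a plain `restorecon` resets only the type; the
# user, role and range fields are left alone unless -F is given. The ls -Z
# sample lines are constructed from the post, the expected context is the
# file_contexts.local entry shown there.

# Print the fields (user role type range) in which ACTUAL differs from
# EXPECTED, space separated; print an empty line when they match.
context_diff() {
    actual=$1; expected=$2
    out=
    for spec in user:1 role:2 type:3 range:4-; do
        field=${spec%%:*}; cols=${spec#*:}
        # The range can itself contain colons (s0-s0:c0.c1023), hence "4-".
        a=$(printf '%s' "$actual" | cut -d: -f"$cols")
        e=$(printf '%s' "$expected" | cut -d: -f"$cols")
        [ "$a" = "$e" ] || out="$out $field"
    done
    printf '%s\n' "${out# }"
}

# none: already matches; plain: `restorecon` suffices (only the type is off);
# force: `restorecon -F` is required (user, role or range differ).
restorecon_needed() {
    case " $(context_diff "$1" "$2") " in
        "  ")      echo none ;;
        " type ")  echo plain ;;
        *)         echo force ;;
    esac
}

# Constructed from the post's `ls -alZ` output and its file_contexts.local line.
SAMPLE_LS='-rw-r--r--. 1 root root system_u:object_r:admin_home_t:s0 193 May 28 2018 .bash_profile
-rw-r--r--. 1 root root system_u:object_r:admin_home_t:s0 231 May 28 2018 .bashrc'
EXPECTED='unconfined_u:object_r:admin_home_t:s0'

# One line per file: which fields are off and what it takes to fix them.
report() {
    printf '%s\n' "$SAMPLE_LS" | while read -r _mode _links _owner _group ctx _size rest; do
        name=${rest##* }
        printf '%s: differs in [%s], needs restorecon: %s\n' \
            "$name" "$(context_diff "$ctx" "$EXPECTED")" "$(restorecon_needed "$ctx" "$EXPECTED")"
    done
}

report
```

For the post's files the report says `differs in [user], needs restorecon: force`, i.e. `restorecon -RF /var/roothome` is the command that would apply the unconfined_u user from the new spec, while `restorecon -R` is the right tool only when the type is what is wrong.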
Re: Reg: domain transition
by Lukas Vrabec
On 11/1/19 5:48 AM, zer0 0ne wrote:
> I am writing SELinux policies for the first time and I need some
> clarification
>
>
>
> 1. I have an executable A that executes a system() call, spawns a shell and
> executes a command ‘B’ and consumes the output of command B. Do I
> have to use domain transition in the above case or what is the
> correct way to go about it?
> 2. In the above case A and B have different SELinux policies. Since A
> executes B, in SELinux policy of A do I need to make type B_t as a
> required type?
> 3. For process A to do domain_transition to B, do I add
> b_domain_transition macro in A.if file or in A.te
>
>
I believe you can find answers in this blog:
https://danwalsh.livejournal.com/72287.html
Thanks,
Lukas.
> TiA
>
> zer0 0ne
>
>
>
--
Lukas Vrabec
SELinux Evangelist,
Senior Software Engineer, Security Technologies
Red Hat, Inc.
3 years, 11 months
Reg: domain transition
by zer0 0ne
I am writing SELinux policies for the first time and I need some clarification
1. I have an executable A that executes a system() call, spawns a shell and executes a command ‘B’, and consumes the output of command B. Do I have to use a domain transition in the above case, or what is the correct way to go about it?
2. In the above case A and B have different SELinux policies. Since A executes B, in SELinux policy of A do I need to make type B_t as a required type?
3. For process A to do domain_transition to B, do I add b_domain_transition macro in A.if file or in A.te
TiA
zer0 0ne
3 years, 11 months
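The interface placement from the earlier thread (copying a module's .if into /usr/share/selinux/devel/include so that other modules can call it) and the system()-spawned-shell question in this one fit together in a single example. The script below is an added illustration, not code from either thread: a "policy builder and installer" in the sense mentioned above. In refpolicy conventions the transition is expressed as an interface in the .if of the module that owns the target domain (myb.if here), and that interface is called from the other module's .te (mya.te); the interface's own gen_require brings in myb_t and myb_exec_t, so mya.te never declares them itself. domtrans_pattern additionally grants the callee use of the caller's file descriptors, read/write on its pipes and sigchld back to it, which is what a system()/popen() round trip needs. Because system() runs "/bin/sh -c B", the calling domain also needs corecmd_exec_shell so that the shell runs in mya_t before it execs B. If B does not need different permissions from A, no transition is needed at all and letting A execute B in its own domain (can_exec) is simpler. Module names, type names and the install paths /usr/local/bin/mya and /usr/local/bin/myb are assumptions; the build and load step runs only when the script is invoked with `install`, as root, on a host with selinux-policy-devel.

```shell
#!/bin/sh
# Added example, not code from either thread. A minimal "policy builder and
# installer" script of the kind mentioned above: it writes two refpolicy-style
# modules, mya (a program that runs B through system() and reads its output)
# and myb; publishes myb's domain transition as an interface in myb.if; copies
# that .if into the devel include tree so that mya.te, built from any
# directory, can call it; and builds and loads both with the refpolicy
# Makefile. Module names, type names and the paths /usr/local/bin/mya and
# /usr/local/bin/myb are assumptions of this example.

set -u

# Write the policy sources for both modules into $1.
write_policy() {
    dir=$1
    mkdir -p "$dir"

    cat > "$dir/myb.te" <<'EOF'
policy_module(myb, 1.0.0)

type myb_t;
type myb_exec_t;
application_domain(myb_t, myb_exec_t)
EOF

    # The interface lives with the module that owns myb_t. Its gen_require
    # pulls myb_t/myb_exec_t in for the caller, so mya.te never declares them.
    cat > "$dir/myb.if" <<'EOF'
## <summary>Hypothetical program B, executed by A with its output read back.</summary>

########################################
## <summary>Execute myb_exec_t and transition to the myb_t domain.</summary>
## <param name="domain"><summary>Domain allowed to transition.</summary></param>
interface(`myb_domtrans',`
	gen_require(`
		type myb_t, myb_exec_t;
	')
	# Besides the type_transition, domtrans_pattern lets myb_t use the
	# caller's fds, read/write its fifo_files and send it sigchld, which
	# is what system()/popen() need for the output pipe to work.
	domtrans_pattern($1, myb_exec_t, myb_t)
')
EOF

    cat > "$dir/mya.te" <<'EOF'
policy_module(mya, 1.0.0)

type mya_t;
type mya_exec_t;
application_domain(mya_t, mya_exec_t)

# system() execs "/bin/sh -c B": the shell runs in mya_t (no transition)...
corecmd_exec_shell(mya_t)
# ...and the shell's execve of B transitions to myb_t, via myb.if.
myb_domtrans(mya_t)
EOF

    printf '/usr/local/bin/mya\t--\tgen_context(system_u:object_r:mya_exec_t,s0)\n' > "$dir/mya.fc"
    printf '/usr/local/bin/myb\t--\tgen_context(system_u:object_r:myb_exec_t,s0)\n' > "$dir/myb.fc"
}

# Is interface $1 visible to a build using include tree $2? The devel
# Makefile walks the tree recursively, so any .if under it counts. Prints
# the defining file; exit status 1 if none.
interface_defined() {
    find "$2" -name '*.if' -exec grep -l "interface(\`$1'" {} + 2>/dev/null | head -n 1 | grep .
}

# Publish myb.if from source dir $1 into devel tree $2 (services/ is the
# conventional place, as suggested in the earlier thread).
install_interface() {
    mkdir -p "$2/include/services"
    cp "$1/myb.if" "$2/include/services/myb.if"
}

# Build both .pp files in source dir $1 with devel tree $2 and load them.
build_and_load() {
    cd "$1" || return 1
    make -f "$2/Makefile" myb.pp mya.pp && semodule -i myb.pp mya.pp
}

SRC=${SRC:-$PWD/policy}
DEVEL=${DEVEL:-/usr/share/selinux/devel}   # selinux-policy-devel on Fedora/RHEL

write_policy "$SRC"
if [ "${1:-}" = install ]; then          # root, on a host with selinux-policy-devel
    install_interface "$SRC" "$DEVEL"
    build_and_load "$SRC" "$DEVEL"
else
    echo "policy written to $SRC; run '$0 install' as root to publish myb.if, build and load"
fi
```

The order matters: myb.if must be in the include tree before mya.pp is built, otherwise the m4 expansion of mya.te fails on the unknown myb_domtrans macro, which is the failure the earlier thread ran into. After loading, `ls -Z /usr/local/bin/my?` should show the two exec types once `restorecon` has been run on them, and a process started from A's shell should appear as myb_t in `ps -eZ`.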