Re: using an interface defined in another loaded module
by SZIGETVÁRI János
Dear Gary,
Thanks a zillion times for your help, the building of the policy works fine
now that I have copied the .if file of the submodule to the directory you
mentioned!
I did not know I was required to copy the module's interface file to
SELinux's include dirs to make it available for other modules to use.
BTW, I was building my module from within my "policy builder and installer"
script using the "traditional" way of:
# make -f /usr/share/selinux/devel/Makefile A.pp
Now the build process works, thanks to your suggestion!
Best Regards,
János
--
Janos SZIGETVARI
RHCE, License no. 150-053-692
<https://www.redhat.com/rhtapps/verify/?certId=150-053-692>
LinkedIn: linkedin.com/in/janosszigetvari
E-mail: janos(a)szigetvari.com, jszigetvari(a)gmail.com
Phone: +36209440412 (Hungary)
__@__˚V˚
Make the switch to open (source) applications, protocols, formats now:
- windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice
- msn -> jabber protocol (Pidgin, Google Talk)
- mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp
Gary Tierney <gary.tierney(a)gmx.com> wrote (on 3 Apr 2019, Wed, 17:14):
> On Wed, Apr 03, 2019 at 10:34:08AM +0200, SZIGETVÁRI János wrote:
> >Could anyone please give me some insight on this?
> >
> >Thanks a lot!
> >
>
> Hi,
>
> How are you building and installing your policy modules? The interface
> definitions (.if files) aren't preserved in the compiled policy package,
> so are typically kept elsewhere. On Fedora this is under
> /usr/share/selinux/devel/include and its associated subdirectories
> (which are recursively walked to find .if files when building policy
> using the refpolicy framework, i.e., the selinux-policy-devel package).
>
> So it should be as simple as copying your .if files to:
> /usr/share/selinux/devel/include (though the "services" subdir is likely
> more appropriate).
>
> Thanks,
> Gary.
>
> >Best Regards,
> >János Szigetvári
> >
> >SZIGETVÁRI János <jszigetvari(a)gmail.com> wrote (on 31 Mar 2019, Sun, 13:47):
> >
> >> ... snip ...
> >_______________________________________________
> >selinux mailing list -- selinux(a)lists.fedoraproject.org
> >To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
> >Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> >List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> >List Archives:
> https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
>
>
3 years, 10 months
Initial context for init
by Philip Seeley
Hi all,
Quick question is:
In the targeted policy should init run SystemHigh as it does in the mls
policy?
The background:
We're setting up a targeted system where we confine all users and remove
the unconfined policy module, but we also enable polyinstantiation of /tmp
and /var/tmp.
If we ssh in as a staff_u user phil and elevate to root/sysadm_r then we
have a context of:
staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
And therefore /var/tmp is:
drwxrwxrwt. root root system_u:object_r:tmp_t:s0-s0:c0.c1023 /var/tmp
Which is really:
drwxrwxrwt. root root system_u:object_r:tmp_t:s0-s0:c0.c1023 /var/tmp-inst/system_u:object_r:tmp_t:s0-s0:c0.c1023_phil
The real /var/tmp is:
drwxrwxrwt. root root system_u:object_r:tmp_t:s0 /var/tmp
Now if we use run_init to update an RPM that contains a post install
script, rpm can't create the temporary script file:
# run_init bash -c 'rpm -i --force /root/libselinux-2.0.94-7.el6.x86_64.rpm'
Authenticating phil.
Password:
error: error creating temporary file /var/tmp/rpm-tmp.atkHTf: Permission denied
error: Couldn't create temporary file for %post (libselinux-2.0.94-7.el6.x86_64): Permission denied
Note: you need to use run_init as the rpm might restart a service, e.g. the
sssd rpm.
We've traced this to the /etc/selinux/targeted/contexts/initrc_context file
which contains:
system_u:system_r:initrc_t:s0
So we transition to initrc_t and then to rpm_t without any categories, but
because the polyinstantiated /var/tmp directory has c0.c1023 we get denied.
Normally in targeted init runs unconfined, but we've removed this.
type=AVC msg=audit(1467342325.016:716): avc: denied { read } for
pid=2779 comm="rpm" name="system_u:object_r:tmp_t:s0-s0:c0.c1023_phil"
dev=dm-0 ino=1966082 scontext=system_u:system_r:rpm_t:s0
tcontext=system_u:object_r:tmp_t:s0-s0:c0.c1023 tclass=dir
It works if we change initrc_context to:
system_u:system_r:initrc_t:s0-s0:c0.c1023
We don't see the issue under mls because the default initrc_context is:
system_u:system_r:initrc_t:s0-s15:c0.c1023
We've traced this back through the selinux-policy src RPM and to the
upstream refpolicy and see that config/appconfig-mcs/initrc_context is:
system_u:system_r:initrc_t:s0
whereas config/appconfig-mls/initrc_context is:
system_u:system_r:initrc_t:s0-mls_systemhigh
So under mls init's context is SystemHigh, but under mcs/targeted it
doesn't have any categories.
So the long question is should config/appconfig-mcs/initrc_context really
be:
system_u:system_r:initrc_t:mcs_systemhigh
as it seems odd that the more secure mls policy would run init at
SystemHigh but targeted doesn't.
Thanks
Phil Seeley
4 years, 1 month
Contributing to Fedora's SELinux policies
by Jag Raman
Hi,
I'm new to this email list. I'm wondering if it's possible to contribute
to Fedora's SELinux policy.
We are developing "multi-process" QEMU, which dis-aggregates emulated
devices into separate processes. We are also developing SELinux policies
to confine the dis-aggregated processes to the resources they need.
We would like to contribute to Fedora's SELinux policy as it appears to
be the upstream for similar distros like RHEL, CentOS, etc...
Could you please confirm how we could go about contributing to Fedora's
SELinux policy? Is there a publicly accessible repo. where we could
contribute?
Thanks!
--
Jag
4 years, 5 months
permission denied without an (obvious) reason when changing directory
permissions
by Philippe Kueck
Hi all,
I'm running into a SELinux permission issue when simply changing the ownership of a directory and I've got no clue why this happens.
The program in question is smokeping. It runs as root with the context of "system_u:system_r:smokeping_t" and tries to write to /var/lib/smokeping/rrd.
When having /var/lib/smokeping (and its subfolders) owned by root, everything works fine.
As soon as I change the ownership to apache:apache and remove permissions for other users (e.g. 0770), an EACCES pops up but no avc denied shows up in the audit log.
Here's what I got so far:
$ ls -dZ /var/lib/smokeping/rrd
drwxr-xr-x. root root system_u:object_r:smokeping_var_lib_t:s0 /var/lib/smokeping/rrd
$ runcon -t smokeping_t -r system_r smokeping --debug
# (works fine)
$ chown apache: /var/lib/smokeping/rrd
$ chmod 770 /var/lib/smokeping/rrd
$ ls -dZ /var/lib/smokeping/rrd
drwxrwx---. apache apache system_u:object_r:smokeping_var_lib_t:s0 /var/lib/smokeping/rrd
$ runcon -t smokeping_t -r system_r smokeping --debug
# (breaks)
an strace shows:
$ grep -h EACCES /tmp/smokeping.pid.*
open("/etc/shadow", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
stat("/var/lib/smokeping/rrd/foo.rrd", 0x1219138) = -1 EACCES (Permission denied)
open("/var/lib/smokeping/rrd/foo.rrd", O_RDWR|O_CREAT|O_TRUNC, 0666) = -1 EACCES (Permission denied)
stat("/var/lib/smokeping/rrd/foo~bar.rrd", 0x1219138) = -1 EACCES (Permission denied)
open("/var/lib/smokeping/rrd/foo~bar.rrd", O_RDWR|O_CREAT|O_TRUNC, 0666) = -1 EACCES (Permission denied)
stat("/var/lib/smokeping/rrd/foo~baz.rrd", 0x1219138) = -1 EACCES (Permission denied)
open("/var/lib/smokeping/rrd/foo~baz.rrd", O_RDWR|O_CREAT|O_TRUNC, 0666) = -1 EACCES (Permission denied)
stat("/var/lib/smokeping/rrd/threshold", 0x1219138) = -1 EACCES (Permission denied)
mkdir("/var/lib/smokeping/rrd/threshold", 0755) = -1 EACCES (Permission denied)
imho smokeping *should* be able to perform these actions (well, except for /etc/shadow):
$ sesearch -s smokeping_t -t smokeping_var_lib_t -Ad
Found 2 semantic av rules:
allow smokeping_t smokeping_var_lib_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
allow smokeping_t smokeping_var_lib_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
When circumventing SELinux using either setenforce 0 or semanage permissive -a smokeping_t it works fine again.
Does anyone have a clue?
Thanks!
- Philippe
4 years, 5 months
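Philippe's trace shows EACCES from stat(2), open(2) and mkdir(2) inside a directory owned by apache with mode 0770 while the process runs as root, together with EACCES on /etc/shadow, and no AVC record. One model consistent with those symptoms (an assumption made for this example, not Philippe's diagnosis) is that the kernel's discretionary access check failed because the smokeping_t domain was not allowed the dac_override capability: root only bypasses mode bits when it holds CAP_DAC_OVERRIDE (or CAP_DAC_READ_SEARCH for reads), SELinux checks those as capability permissions separately from the file rules shown by sesearch, and many domains dontaudit them, so nothing reaches the audit log until dontaudit rules are disabled with semodule -DB. The Python below is an added example, not code from the post or from the smokeping project; it models the kernel's generic_permission() order of checks (mode bits first, then capability overrides). Uid/gid 48 for apache is a constructed sample value.

```python
from dataclasses import dataclass

# Capability names as SELinux spells them in the "capability" object class
CAP_DAC_OVERRIDE = "dac_override"
CAP_DAC_READ_SEARCH = "dac_read_search"

# Permission mask bits, same meaning as the kernel's MAY_READ/MAY_WRITE/MAY_EXEC
MAY_READ, MAY_WRITE, MAY_EXEC = 4, 2, 1


@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int      # permission bits only, e.g. 0o770
    is_dir: bool


@dataclass(frozen=True)
class Process:
    uid: int
    gids: frozenset          # primary + supplementary groups
    caps: frozenset          # effective capabilities the domain is allowed to use


def mode_bits_for(proc, inode):
    """Pick the owner, group or other triplet that applies to this process."""
    if proc.uid == inode.uid:
        return (inode.mode >> 6) & 0o7
    if inode.gid in proc.gids:
        return (inode.mode >> 3) & 0o7
    return inode.mode & 0o7


def dac_permission(proc, inode, want):
    """Simplified model of Linux generic_permission(): mode bits, then capability overrides.

    Root is not special here; only capabilities are. Under SELinux a root process keeps
    CAP_DAC_OVERRIDE only if its domain is allowed capability dac_override.
    """
    if mode_bits_for(proc, inode) & want == want:
        return True
    # CAP_DAC_OVERRIDE grants read/write unconditionally and exec on directories
    # or on files that have at least one x bit set.
    if CAP_DAC_OVERRIDE in proc.caps:
        if not (want & MAY_EXEC) or inode.is_dir or (inode.mode & 0o111):
            return True
    # CAP_DAC_READ_SEARCH grants read on anything and read/search on directories.
    if CAP_DAC_READ_SEARCH in proc.caps:
        if want == MAY_READ or (inode.is_dir and not (want & MAY_WRITE)):
            return True
    return False


def can_create_entry(proc, directory):
    """Creating foo.rrd or mkdir threshold needs write + search on the parent directory."""
    return dac_permission(proc, directory, MAY_WRITE | MAY_EXEC)


# Constructed objects mirroring the trace: rrd dir before and after the chown/chmod,
# and /etc/shadow (root:root, mode 0000 on Fedora).
RRD_DIR_ROOT = Inode(uid=0, gid=0, mode=0o755, is_dir=True)
RRD_DIR_APACHE = Inode(uid=48, gid=48, mode=0o770, is_dir=True)   # 48 = apache, constructed
SHADOW = Inode(uid=0, gid=0, mode=0o000, is_dir=False)

ROOT_NO_CAPS = Process(uid=0, gids=frozenset({0}), caps=frozenset())
ROOT_DAC_OVERRIDE = Process(uid=0, gids=frozenset({0}), caps=frozenset({CAP_DAC_OVERRIDE}))
ROOT_DAC_READ = Process(uid=0, gids=frozenset({0}), caps=frozenset({CAP_DAC_READ_SEARCH}))


def scenario_results():
    """Outcome of each scenario; False corresponds to the EACCES lines in the strace."""
    return {
        "root dir, root without caps": can_create_entry(ROOT_NO_CAPS, RRD_DIR_ROOT),
        "apache dir, root without caps": can_create_entry(ROOT_NO_CAPS, RRD_DIR_APACHE),
        "apache dir, root with dac_override": can_create_entry(ROOT_DAC_OVERRIDE, RRD_DIR_APACHE),
        "read shadow, root without caps": dac_permission(ROOT_NO_CAPS, SHADOW, MAY_READ),
        "read shadow, root with dac_read_search": dac_permission(ROOT_DAC_READ, SHADOW, MAY_READ),
    }


if __name__ == "__main__":
    for name, ok in scenario_results().items():
        print(f"{name}: {'ok' if ok else 'EACCES'}")
```

The model reproduces the observed pattern: the root-owned directory works, the apache-owned 0770 directory fails for a root process without dac_override, and the same missing capability explains the /etc/shadow line. Whether that is the actual cause on the box is something to confirm by rebuilding the policy with dontaudit rules enabled (semodule -DB) and re-running the test, then restoring them with semodule -B.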
rsync: add mac_admin capability
by Bill shirley
I'm running rsync (over ssh) to backup files from servers with a later release Fedora (24, 27, and 28)
to my server which is Fedora 22. Some of the files copied have file contexts that aren't available on
my server which creates errors (the source, bb8, is Fedora 27; /bacula is just the target mountpoint):
[0:root@elmo testing 23]$ rsync --delete -axAXv -e "ssh -p 22" "rsync://bb8.example.com/etc/" /bacula/clients/etc/bb8/
receiving incremental file list
rsync: rsync_xal_set: lsetxattr(""/bacula/clients/etc/bb8/udev/hwdb.bin"","security.selinux") failed: Invalid argument (22)
Since this is strictly for backups, I would like to allow rsync to set these unknown contexts. The AVC:
type=AVC msg=audit(1555319931.042:30687): avc: denied { mac_admin } for pid=7061 comm="rsync" capability=33
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=capability2 permissive=0
Running:
grep rsync /var/log/audit/audit.log | audit2allow -m my_rsync > my_rsync.te
generates:
module my_rsync 1.0;

require {
	type unconfined_t;
	class capability2 mac_admin;
}

#============= unconfined_t ==============
allow unconfined_t self:capability2 mac_admin;
This should work however I don't want to grant this to any program except rsync. I've looked
the rsync booleans and tried "setsebool -P rsync_client 1" but it doesn't fix it. Searched the interwebs too.
Can anyone help?
[0:root@elmo rsync 130]$ rpm -q rsync
rsync-3.1.1-7.fc22.x86_64
[0:root@elmo rsync]$ ls -lZ `which rsync`
-rwxr-xr-x. 1 root root system_u:object_r:rsync_exec_t:s0 495792 Jan 8 2016 /usr/bin/rsync
Bill
4 years, 5 months
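The two AVC records quoted in Phil Seeley's thread and in Bill Shirley's thread above are denied for different reasons: the first is an MCS category mismatch (rpm_t at s0 touching a tmp_t directory at s0:c0.c1023), the second is a plain type-enforcement gap (no allow rule for capability2 mac_admin, with identical source and target contexts). The Python below is an added example, not code from either poster or from the SELinux project; it parses AVC lines into their fields, splits each context into user, role, type and range, and checks whether the source's high level dominates the target's high level, the comparison refpolicy's MCS constraints apply (h1 dom h2) for file-like classes. The sample lines are constructed copies of the two records on the page plus an unrelated SYSCALL record the parser must skip.

```python
import re
from dataclasses import dataclass

# Constructed sample lines: the two AVC records quoted on this page plus a SYSCALL record.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1467342325.016:716): avc: denied { read } for pid=2779 comm="rpm" '
    'name="system_u:object_r:tmp_t:s0-s0:c0.c1023_phil" dev=dm-0 ino=1966082 '
    'scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:tmp_t:s0-s0:c0.c1023 tclass=dir',
    'type=AVC msg=audit(1555319931.042:30687): avc: denied { mac_admin } for pid=7061 comm="rsync" '
    'capability=33 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2 permissive=0',
    'type=SYSCALL msg=audit(1555319931.042:30687): arch=c000003e syscall=189 success=no exit=-13',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# File-like classes that refpolicy's MCS constraints gate on category dominance (a subset;
# process and socket classes are constrained too but are not needed for these records).
MCS_CLASSES = {"dir", "file", "lnk_file", "fifo_file", "sock_file", "chr_file", "blk_file"}


def parse_categories(spec):
    """Expand 'c0.c1023' or 'c0,c5.c7' into a set of category numbers."""
    cats = set()
    for part in filter(None, spec.split(",")):
        if "." in part:
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return cats


def parse_level(level):
    """'s0' or 's0:c0.c1023' -> (sensitivity, frozenset of categories)."""
    sens, _, cats = level.partition(":")
    return int(sens[1:]), frozenset(parse_categories(cats))


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    low: tuple   # (sensitivity, categories)
    high: tuple


def parse_context(ctx):
    """Split user:role:type[:low[-high]]; a missing range is treated as s0."""
    user, role, typ, *rest = ctx.split(":", 3)
    low, _, high = (rest[0] if rest else "s0").partition("-")
    lo = parse_level(low)
    return Context(user, role, typ, lo, parse_level(high) if high else lo)


def dominates(a, b):
    """MLS/MCS dominance: higher-or-equal sensitivity and a superset of categories."""
    return a[0] >= b[0] and a[1] >= b[1]


def parse_avc(line):
    """Return the permissions and key=value fields of an AVC denial, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {"perms": m.group("perms").split(), **fields}


def explain(line):
    """Classify a denial as an MCS range problem or a missing type-enforcement rule."""
    avc = parse_avc(line)
    if avc is None:
        return None
    src, tgt = parse_context(avc["scontext"]), parse_context(avc["tcontext"])
    verdict = {"comm": avc.get("comm"), "perms": avc["perms"], "tclass": avc["tclass"],
               "source_type": src.type, "target_type": tgt.type}
    if avc["tclass"] in MCS_CLASSES and not dominates(src.high, tgt.high):
        # Categories alone block this access, whatever the allow rules say.
        verdict["cause"] = "mcs_range"
        verdict["missing_category_count"] = len(tgt.high[1] - src.high[1])
    else:
        # Dominance holds (or does not apply): an allow rule for perms on tclass is missing.
        verdict["cause"] = "type_enforcement"
    return verdict


def explain_all(lines):
    return [v for v in map(explain, lines) if v is not None]


if __name__ == "__main__":
    for v in explain_all(SAMPLE_AUDIT_LINES):
        print(v)
```

For the first record the script reports mcs_range with all 1024 categories missing, which is exactly what changing initrc_context to s0-s0:c0.c1023 repairs; for the second it reports type_enforcement on class capability2, the same conclusion audit2allow reaches, leaving the policy question of which domain should carry that permission.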
using an interface defined in another loaded module
by SZIGETVÁRI János
Dear Members,
My new topic is slightly related to my last message.
Since then I managed to sort things out, and my new policy seems to work
fine, at least far as I was able to test it.
My current situation is the following:
I had a policy that I created for the main application "A" a while ago. Now
I am creating a policy for a submodule of application "A", called "B" for
the sake of illustrating it.
"B" is a separate helper application that communicates with "A", but "A"
can perfectly work without "B" being in use.
In this situation it makes sense to create a separate policy for "A" and
"B".
Now, if submodule "B" is in use, then I would need to make use some
interfaces, defined in the SELinux policy of "B", within the policy
belonging to "A".
Now how should I do this? I tried googling around for a few hours, but
practically found no examples of this on the web.
The policy module of "B" is built and loaded first, and when I'm compiling
the now extended policy of "A", I get the following:
Compiling targeted syslog_ng module
/usr/bin/checkmodule: loading policy configuration from tmp/A.tmp
A.te:5:ERROR 'syntax error' at token 'transition_to_B_t' on line 3212:
transition_to_B_t(A_t)
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/A.mod] Error 1
How do I need to reference the interface defined in another module, that is
already loaded, when trying to use it?
Currently this is the interface file of policy module "B":
=================================================================================
########################################
## <summary>
##	Allow the specified program domain
##	to manage to the B socket.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process for which
##	to allow managing the socket
##	</summary>
## </param>
#
interface(`B_sock_manage', `
	gen_require(`
		type B_t, B_sock_t;
	')

	manage_sock_files_pattern($1, B_sock_t, B_sock_t)
')

########################################
## <summary>
##	Allow the specified program domain
##	to transition to B_t through the entry point.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process for which to allow transitioning to B_t
##	</summary>
## </param>
#
interface(`transition_to_B_t',`
	gen_require(`
		type B_t, B_exec_t;
	')

	domtrans_pattern($1, B_exec_t, B_t)
')

########################################
## <summary>
##	Allow the specified program domain
##	to read B_exec_t files.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process for which to allow read access
##	to B_exec_t
##	</summary>
## </param>
#
interface(`read_B_exec_t',`
	gen_require(`
		type B_exec_t;
	')

	allow $1 B_exec_t:lnk_file { read };
	allow $1 B_exec_t:file { read };
')
=================================================================================
And this is the way I am trying to access it from the policy module of "A":
=================================================================================
transition_to_B_t(A_t)
B_sock_manage(A_t)
filetrans_pattern(A_t, A_var_run_t, B_sock_t, sock_file, "B.sock")
read_B_exec_t(A_t)
=================================================================================
I would be thankful for any suggestions for this!
Thanks for your help in advance!
Best Regards,
János Szigetvári
--
Janos SZIGETVARI
RHCE, License no. 150-053-692
<https://www.redhat.com/rhtapps/verify/?certId=150-053-692>
LinkedIn: linkedin.com/in/janosszigetvari
E-mail: janos(a)szigetvari.com, jszigetvari(a)gmail.com
Phone: +36209440412 (Hungary)
__@__˚V˚
Make the switch to open (source) applications, protocols, formats now:
- windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice
- msn -> jabber protocol (Pidgin, Google Talk)
- mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp
4 years, 5 months
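The checkmodule syntax error in this thread (an unknown token at transition_to_B_t) and the fix Gary gives in the reply at the top of the page (copy B's .if file into /usr/share/selinux/devel/include, preferably its services subdir, which the devel Makefile walks recursively) reduce to one pre-build check: does every interface called in A.te have a definition somewhere under the include tree? The Python below is an added example, not code from the poster or from the refpolicy project; it scans a directory tree for interface(`name'), template(`name') and define(`name') definitions in .if and .spt files, extracts the macro calls from a .te, and lists the calls that have no definition. The A.te, B.if and support .spt contents are constructed to mirror the snippets posted above (the .spt macro bodies are placeholders, not refpolicy's real definitions) and are written to a temporary directory so the demo runs offline; the stub reproduces the posted failure before B.if is copied in and a clean result afterwards.

```python
import os
import re
import tempfile

# Definitions: interface(`name', ...), template(`name', ...) in .if files, define(`name', ...) in .spt
IFACE_DEF_RE = re.compile(r"^\s*(?:interface|template|define)\(\s*`([A-Za-z_]\w*)'", re.M)
# Calls: an identifier followed by '(' at the start of a line in a .te file
CALL_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*\(", re.M)
# m4/refpolicy support macros that look like calls but are not interfaces
BUILTINS = {"policy_module", "gen_require", "optional_policy", "tunable_policy", "gen_tunable",
            "gen_bool", "gen_context", "ifdef", "ifndef", "require"}

# Constructed B.if mirroring the three interfaces posted in the thread.
B_IF = """\
interface(`B_sock_manage', `
	gen_require(`
		type B_t, B_sock_t;
	')
	manage_sock_files_pattern($1, B_sock_t, B_sock_t)
')
interface(`transition_to_B_t',`
	gen_require(`
		type B_t, B_exec_t;
	')
	domtrans_pattern($1, B_exec_t, B_t)
')
interface(`read_B_exec_t',`
	gen_require(`
		type B_exec_t;
	')
	allow $1 B_exec_t:lnk_file { read };
	allow $1 B_exec_t:file { read };
')
"""

# Constructed stand-in for refpolicy's support/*.spt; bodies are placeholders, not the real macros.
SUPPORT_SPT = """\
define(`domtrans_pattern',`
	# placeholder body
')
define(`filetrans_pattern',`
	# placeholder body
')
define(`manage_sock_files_pattern',`
	# placeholder body
')
"""

# Constructed A.te containing the four calls the poster showed.
A_TE = """\
policy_module(A, 1.0)
gen_require(`
	type A_t, A_var_run_t;
')
transition_to_B_t(A_t)
B_sock_manage(A_t)
filetrans_pattern(A_t, A_var_run_t, B_sock_t, sock_file, "B.sock")
read_B_exec_t(A_t)
"""


def defined_interfaces(text):
    """Names defined by interface/template/define in one file's text."""
    return set(IFACE_DEF_RE.findall(text))


def called_interfaces(te_text):
    """Macro calls in a .te, minus the m4 and refpolicy support keywords."""
    return [name for name in CALL_RE.findall(te_text) if name not in BUILTINS]


def scan_include_dir(root):
    """Walk the include tree recursively, as the devel Makefile does, collecting definitions."""
    defs = set()
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.endswith((".if", ".spt")):
                with open(os.path.join(dirpath, fname), encoding="utf-8") as fh:
                    defs |= defined_interfaces(fh.read())
    return defs


def undefined_calls(te_text, defs):
    """Sorted list of interfaces called in the .te that the include tree does not define."""
    return sorted(set(called_interfaces(te_text)) - defs)


def _write(path, text):
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo():
    """Check A.te before and after copying B.if into <include>/services (the fix from the reply)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "support"))
        os.makedirs(os.path.join(root, "services"))
        _write(os.path.join(root, "support", "misc_patterns.spt"), SUPPORT_SPT)
        before = undefined_calls(A_TE, scan_include_dir(root))
        _write(os.path.join(root, "services", "B.if"), B_IF)
        after = undefined_calls(A_TE, scan_include_dir(root))
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("undefined before copying B.if:", before)
    print("undefined after copying B.if: ", after)
```

On a real system the same check runs as undefined_calls(open("A.te").read(), scan_include_dir("/usr/share/selinux/devel/include")); a non-empty result means checkmodule will fail on the first listed name, which is the situation the thread describes.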