selinux July 2019

selinux@lists.fedoraproject.org

3 participants
3 discussions

Re: using an interface defined in another loaded module
by SZIGETVÁRI János 08 Nov '19

08 Nov '19

Dear Gary, Thanks a zillion times for your help, the building of the policy works fine now that I have copied the .if file of the submodule to the directory you mentioned! I did not know I was reqired to copy the module's interface file to SELinux's include dirs to make it available for other modules to use. BTW, I was building my module from within my "policy builder and installer" script using the "traditional" way of: # make -f /usr/share/selinux/devel/Makefile A.pp Now the build process works, thanks to your suggestion! Best Regards, János -- Janos SZIGETVARI RHCE, License no. 150-053-692 <https://www.redhat.com/rhtapps/verify/?certId=150-053-692> LinkedIn: linkedin.com/in/janosszigetvari E-mail: janos(a)szigetvari.com, jszigetvari(a)gmail.com Phone: +36209440412 (Hungary) __@__˚V˚ Make the switch to open (source) applications, protocols, formats now: - windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice - msn -> jabber protocol (Pidgin, Google Talk) - mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp Gary Tierney <gary.tierney(a)gmx.com> ezt írta (időpont: 2019. ápr. 3., Sze, 17:14): > On Wed, Apr 03, 2019 at 10:34:08AM +0200, SZIGETVÁRI János wrote: > >Could anyone please give me some insight on this? > > > >Thanks a lot! > > > > Hi, > > How are you building and installing your policy modules? The interface > definitions (.if files) aren't preserved in the compiled policy package, > so are typically kept elsewhere. On Fedora this is under > /usr/share/selinux/devel/include and its associated subdirectories > (which are recursively walked to find .if files when building policy > using the refpolicy framework, i.e., the selinux-policy-devel package). > > So it should be as simple as copying your .if files to: > /usr/share/selinux/devel/include (though the "services" subdir is likely > more appropriate). > > Thanks, > Gary. > > >Best Regards, > >János Szigetvári > > > >SZIGETVÁRI János <jszigetvari(a)gmail.com> ezt írta (időpont: 2019. márc. > >31., V, 13:47): > > > >> ... snip ... > >_______________________________________________ > >selinux mailing list -- selinux(a)lists.fedoraproject.org > >To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org > >Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > >List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > >List Archives: > https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.o… > >

4 9

Initial context for init
by Philip Seeley 02 Aug '19

02 Aug '19

Hi all, Quick question is: In the targeted policy should init run SystemHigh as it does in the mls policy? The background: We're setting up a targeted system where we confine all users and remove the unconfined policy module, but we also enable polyinstantiation of /tmp and /var/tmp. If we ssh in as a staff_u user phil and elevate to root/sysadm_r then we have a context of: staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 And therefore /var/tmp is: drwxrwxrwt. root root system_u:object_r:tmp_t:s0-s0:c0.c1023 /var/tmp Which is really: drwxrwxrwt. root root system_u:object_r:tmp_t:s0-s0:c0.c1023 /var/tmp-inst/system_u:object_r:tmp_t:s0-s0:c0.c1023_phil The real /var/tmp is: drwxrwxrwt. root root system_u:object_r:tmp_t:s0 /var/tmp Now if we use run_init to update an RPM that contains a post install script, rpm can't create the temporary script file: # run_init bash -c 'rpm -i --force /root/libselinux-2.0.94-7.el6.x86_64.rpm' Authenticating phil. Password: error: error creating temporary file /var/tmp/rpm-tmp.atkHTf: Permission denied error: Couldn't create temporary file for %post (libselinux-2.0.94-7.el6.x86_64): Permission denied Note: you need to use run_init as the rpm might restart a service, e.g. the sssd rpm. We've traced this to the /etc/selinux/targeted/contexts/initrc_context file which contains: system_u:system_r:initrc_t:s0 So we transition to initrc_t and then to rpm_t without any categories, but because the polyinstantiated /var/tmp directory has c0.c1023 we get denied. Normally in targeted init runs unconfined, but we've removed this. type=AVC msg=audit(1467342325.016:716): avc: denied { read } for pid=2779 comm="rpm" name="system_u:object_r:tmp_t:s0-s0:c0.c1023_phil" dev=dm-0 ino=1966082 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:tmp_t:s0-s0:c0.c1023 tclass=dir It works if we change initrc_context to: system_u:system_r:initrc_t:s0-s0:c0.c1023 We don't see the issue under mls because the default initrc_context is: system_u:system_r:initrc_t:s0-s15:c0.c1023 We've traces this back through the selinux-policy src RPM and to the upstream refpolicy and see that config/appconfig-mcs/initrc_context is: system_u:system_r:initrc_t:s0 whereas config/appconfig-mls/initrc_context is: system_u:system_r:initrc_t:s0-mls_systemhigh So under mls init's context is SystemHigh, but under mcs/targeted it doesn't have any categories. So the long question is should config/appconfig-mcs/initrc_context really be: system_u:system_r:initrc_t:mcs_systemhigh as it seems odd that the more secure mls policy would run init at SystemHigh but targeted doesn't. Thanks Phil Seeley

3 3

file creation and selinux
by Ed Greshko 13 Jul '19

13 Jul '19

Hi, I'm not well versed in selinux and I rarely have run into issues with it. However, one point that I thought was true doesn't seem to be true. I was under the impression that when a file is created and the context for it is defined in the policy it would acquire it. For example, [egreshko@meimei ~]$ pwd /home/egreshko [egreshko@meimei ~]$ touch .fetchmailrc [egreshko@meimei ~]$ ls -Z .fetchmailrc unconfined_u:object_r:user_home_t:s0 .fetchmailrc [egreshko@meimei ~]$ restorecon .fetchmailrc [egreshko@meimei ~]$ ls -Z .fetchmailrc unconfined_u:object_r:fetchmail_home_t:s0 .fetchmailrc Shouldn't the context have been correct when the file was created? How is an average user to know they may need to add the additional step. Thanks -- Right: I dislike the default color scheme Wrong: What idiot picked the default color scheme

3 4

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux July 2019