Strange denials
by Orion Poplawski
I'm seeing the following on my Rawhide VM:
type=AVC msg=audit(1603594049.879:534): avc: denied { write } for
pid=1073 comm="cobblerd" name="cobbler.log" dev="dm-0" ino=663024
scontext=system_u:system_r:cobblerd_t:s0
tcontext=system_u:object_r:cobbler_var_log_t:s0 tclass=file permissive=0
This makes no sense to me. sesearch seems to indicate that this should
be allowed (as you would expect):
# sesearch -s cobblerd_t -t cobbler_var_log_t --allow
allow cobblerd_t cobbler_var_log_t:dir { add_name getattr ioctl lock
open search write };
allow cobblerd_t cobbler_var_log_t:file { create open read setattr };
allow cobblerd_t file_type:filesystem getattr;
allow daemon logfile:file { append getattr ioctl lock };
allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:True
selinux-policy-3.14.7-6.fc34.noarch
5.10.0-0.rc0.20201021git071a0578b0ce.49.fc34.x86_64
What am I missing?
--
Orion Poplawski
Manager of NWRA Technical Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion(a)nwra.com
Boulder, CO 80301 https://www.nwra.com/
3 years, 4 months
SELinux + FUSE + Podman + rclone +gdrive = ???
by Chris S
Howdy folks!
Have an interesting concoction of technologies mixed together and have found myself in a pickle.
Currently I have a host that has pods with containers. From the host I am using rclone hooked up to Google Drive (and fuse mounted).
When looking at the directory I have mounted with rclone you see the following SELinux label:
system_u:object_r:fusefs_t:s0
Trying to relabel this with chcon does not work (probably expected) getting permission denied.
Mounting the volume into the container with :z exhibits similar behavior:
Error: relabel failed "/gdrive": operation not supported
I then bash into a test CentOS container with the volume mapped in (without the labeling :z) and attempt to touch a file to generate an audit alert:
sudo grep touch /var/log/audit/audit.log
type=AVC msg=audit(1603873529.524:951948): avc: denied { write } for pid=2226162 comm="touch" name="gdrive" dev="dm-0" ino=2359297 scontext=system_u:system_r:container_t:s0:c296,c525 tcontext=system_u:object_r:container_file_t:s0:c332,c605 tclass=dir permissive=0
After finding the event, I attempt to pipe this into audit2allow:
grep touch /var/log/audit/audit.log | audit2allow -R -M gdrive_allow
I then ran into this error:
could not open interface info [/var/lib/sepolgen/interface_info]
At which point I installed sepolgen-ifgen; I then re-ran the audit2allow command.
This is where I get some interesting behavior:
compilation failed:
find: ‘thinclient_drives’: Permission denied
/usr/share/selinux/devel/include/services/container.if:13: Error: duplicate definition of container_runtime_domtrans(). Original definition on 13.
/usr/share/selinux/devel/include/services/container.if:40: Error: duplicate definition of container_runtime_run(). Original definition on 40.
/usr/share/selinux/devel/include/services/container.if:60: Error: duplicate definition of container_runtime_exec(). Original definition on 60.
/usr/share/selinux/devel/include/services/container.if:79: Error: duplicate definition of container_read_state(). Original definition on 79.
/usr/share/selinux/devel/include/services/container.if:97: Error: duplicate definition of container_search_lib(). Original definition on 97.
/usr/share/selinux/devel/include/services/container.if:116: Error: duplicate definition of container_exec_lib(). Original definition on 116.
/usr/share/selinux/devel/include/services/container.if:135: Error: duplicate definition of container_read_lib_files(). Original definition on 135.
/usr/share/selinux/devel/include/services/container.if:154: Error: duplicate definition of container_read_share_files(). Original definition on 154.
/usr/share/selinux/devel/include/services/container.if:175: Error: duplicate definition of container_runtime_read_tmpfs_files(). Original definition on 175.
/usr/share/selinux/devel/include/services/container.if:196: Error: duplicate definition of container_manage_share_files(). Original definition on 196.
/usr/share/selinux/devel/include/services/container.if:217: Error: duplicate definition of container_manage_share_dirs(). Original definition on 217.
/usr/share/selinux/devel/include/services/container.if:237: Error: duplicate definition of container_exec_share_files(). Original definition on 237.
/usr/share/selinux/devel/include/services/container.if:255: Error: duplicate definition of container_manage_config_files(). Original definition on 255.
/usr/share/selinux/devel/include/services/container.if:274: Error: duplicate definition of container_manage_lib_files(). Original definition on 274.
/usr/share/selinux/devel/include/services/container.if:294: Error: duplicate definition of container_manage_files(). Original definition on 294.
/usr/share/selinux/devel/include/services/container.if:313: Error: duplicate definition of container_manage_dirs(). Original definition on 313.
/usr/share/selinux/devel/include/services/container.if:331: Error: duplicate definition of container_manage_lib_dirs(). Original definition on 331.
/usr/share/selinux/devel/include/services/container.if:367: Error: duplicate definition of container_lib_filetrans(). Original definition on 367.
/usr/share/selinux/devel/include/services/container.if:385: Error: duplicate definition of container_read_pid_files(). Original definition on 385.
/usr/share/selinux/devel/include/services/container.if:404: Error: duplicate definition of container_systemctl(). Original definition on 404.
/usr/share/selinux/devel/include/services/container.if:429: Error: duplicate definition of container_rw_sem(). Original definition on 429.
/usr/share/selinux/devel/include/services/container.if:448: Error: duplicate definition of container_append_file(). Original definition on 448.
/usr/share/selinux/devel/include/services/container.if:466: Error: duplicate definition of container_use_ptys(). Original definition on 466.
/usr/share/selinux/devel/include/services/container.if:484: Error: duplicate definition of container_filetrans_named_content(). Original definition on 484.
/usr/share/selinux/devel/include/services/container.if:537: Error: duplicate definition of container_stream_connect(). Original definition on 546.
/usr/share/selinux/devel/include/services/container.if:558: Error: duplicate definition of container_spc_stream_connect(). Original definition on 567.
/usr/share/selinux/devel/include/services/container.if:579: Error: duplicate definition of container_admin(). Original definition on 588.
/usr/share/selinux/devel/include/services/container.if:626: Error: duplicate definition of container_auth_domtrans(). Original definition on 635.
/usr/share/selinux/devel/include/services/container.if:645: Error: duplicate definition of container_auth_exec(). Original definition on 654.
/usr/share/selinux/devel/include/services/container.if:664: Error: duplicate definition of container_auth_stream_connect(). Original definition on 673.
/usr/share/selinux/devel/include/services/container.if:683: Error: duplicate definition of container_runtime_typebounds(). Original definition on 692.
/usr/share/selinux/devel/include/services/container.if:702: Error: duplicate definition of container_runtime_entrypoint(). Original definition on 711.
/usr/share/selinux/devel/include/services/container.if:709: Error: duplicate definition of docker_exec_lib(). Original definition on 718.
/usr/share/selinux/devel/include/services/container.if:713: Error: duplicate definition of docker_read_share_files(). Original definition on 722.
/usr/share/selinux/devel/include/services/container.if:717: Error: duplicate definition of docker_exec_share_files(). Original definition on 726.
/usr/share/selinux/devel/include/services/container.if:721: Error: duplicate definition of docker_manage_lib_files(). Original definition on 730.
/usr/share/selinux/devel/include/services/container.if:726: Error: duplicate definition of docker_manage_lib_dirs(). Original definition on 735.
/usr/share/selinux/devel/include/services/container.if:730: Error: duplicate definition of docker_lib_filetrans(). Original definition on 739.
/usr/share/selinux/devel/include/services/container.if:734: Error: duplicate definition of docker_read_pid_files(). Original definition on 743.
/usr/share/selinux/devel/include/services/container.if:738: Error: duplicate definition of docker_systemctl(). Original definition on 747.
/usr/share/selinux/devel/include/services/container.if:742: Error: duplicate definition of docker_use_ptys(). Original definition on 751.
/usr/share/selinux/devel/include/services/container.if:746: Error: duplicate definition of docker_stream_connect(). Original definition on 755.
/usr/share/selinux/devel/include/services/container.if:750: Error: duplicate definition of docker_spc_stream_connect(). Original definition on 759.
/usr/share/selinux/devel/include/services/container.if:764: Error: duplicate definition of container_spc_read_state(). Original definition on 773.
/usr/share/selinux/devel/include/services/container.if:783: Error: duplicate definition of container_runtime_domain_template(). Original definition on 792.
/usr/share/selinux/devel/include/services/container.if:819: Error: duplicate definition of container_domain_template(). Original definition on 828.
/usr/share/selinux/devel/include/services/container.if:847: Error: duplicate definition of container_spc_rw_pipes(). Original definition on 856.
Compiling targeted gdrive_allow module
gdrive_allow.te:15:ERROR 'syntax error' at token 'mlsconstrain' on line 3339:
# mlsconstrain dir { ioctl read lock search } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
mlsconstrain dir { write setattr append unlink link rename add_name remove_name } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [/usr/share/selinux/devel/include/Makefile:157: tmp/gdrive_allow.mod] Error 1
What stands out here is gdrive_allow.te:15:ERROR 'syntax error' at token 'mlsconstrain' on line 3339
This leads me to believe that audit2allow is not equipped to handle this kind of rule, specifically:
policy_module(gdrive_allow, 1.0)
require {
type container_file_t;
type container_t;
class dir write;
}
#============= container_t ==============
#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
# mlsconstrain dir { ioctl read lock search } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
mlsconstrain dir { write setattr append unlink link rename add_name remove_name } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
mlsconstrain dir { relabelfrom } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
mlsconstrain dir { create relabelto } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
# Possible cause is the source level (s0:c296,c525) and target level (s0:c332,c605) are different.
allow container_t container_file_t:dir write;
At the current point in time, I am at a standstill as I cannot relabel the source. Any help would be extremely appreciated; I refuse to turn SELinux off hehe :)
CentOS Linux release 8.2.2004 (Core)
4.18.0-193.19.1.el8_2.x86_64
podman version 1.6.4
container-selinux-2.124.0-1.module_el8.2.0+305+5e198a41.noarch
policycoreutils-devel-2.9-9.el8.x86_64
selinux-policy-devel-3.14.3-41.el8_2.6.noarch
Regards,
Christopher
3 years, 4 months
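The two denials quoted in the threads above look alike but have different causes: the cobblerd one asks for a permission (write on the file class) that none of the listed allow rules grant, while the container one is an MCS constraint violation, since the target's categories (c332,c605) are not a subset of the source's (c296,c525), which is why audit2allow emits commented-out mlsconstrain lines instead of a usable rule. The check below is an added example, not code from either post: it parses the two AVC records (copied from the threads) and the type-specific sesearch rules from the first post (embedded as constructed input) and reports which of the two situations applies.

```python
import re

# Constructed test input: the two AVC records quoted in the threads, each joined
# onto one line, plus the sesearch --allow rules shown in the first post.
AVC_COBBLER = ('type=AVC msg=audit(1603594049.879:534): avc: denied { write } for '
               'pid=1073 comm="cobblerd" name="cobbler.log" dev="dm-0" ino=663024 '
               'scontext=system_u:system_r:cobblerd_t:s0 '
               'tcontext=system_u:object_r:cobbler_var_log_t:s0 tclass=file permissive=0')
AVC_PODMAN = ('type=AVC msg=audit(1603873529.524:951948): avc: denied { write } for '
              'pid=2226162 comm="touch" name="gdrive" dev="dm-0" ino=2359297 '
              'scontext=system_u:system_r:container_t:s0:c296,c525 '
              'tcontext=system_u:object_r:container_file_t:s0:c332,c605 tclass=dir permissive=0')
RULES_COBBLER = """
allow cobblerd_t cobbler_var_log_t:dir { add_name getattr ioctl lock open search write };
allow cobblerd_t cobbler_var_log_t:file { create open read setattr };
allow daemon logfile:file { append getattr ioctl lock };
allow domain file_type:file map; [ domain_can_mmap_files ]:True
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ALLOW_RE = re.compile(r'allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;')

def parse_context(ctx):
    """Split user:role:type:level; the level is 's0' or 's0:c296,c525'."""
    user, role, typ, level = ctx.split(':', 3)
    sens, _, cats = level.partition(':')
    return {'user': user, 'role': role, 'type': typ, 'sens': sens,
            'cats': frozenset(cats.split(',')) if cats else frozenset()}

def parse_avc(line):
    """Return the requested permissions, object class and both contexts of one AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    return {'perms': frozenset(m.group(1).split()), 'comm': fields.get('comm'),
            'tclass': fields['tclass'],
            'source': parse_context(fields['scontext']),
            'target': parse_context(fields['tcontext'])}

def parse_allow_rules(text):
    """Index sesearch --allow output by (source type, target type, class)."""
    rules = {}
    for src, tgt, cls, perms in ALLOW_RE.findall(text):
        rules.setdefault((src, tgt, cls), set()).update(perms.strip('{}').split())
    return rules

def diagnose(line, rules_text):
    """Classify a denial as an MCS constraint violation or a permission no allow rule grants."""
    avc = parse_avc(line)
    s, t = avc['source'], avc['target']
    # MCS ("h1 dom h2"): the target's categories must be a subset of the source's.
    # A denial here is a constraint violation; adding an allow rule cannot fix it.
    if s['sens'] != t['sens'] or not t['cats'] <= s['cats']:
        return ('mcs_constraint', sorted(t['cats'] - s['cats']))
    granted = parse_allow_rules(rules_text).get((s['type'], t['type'], avc['tclass']), set())
    missing = sorted(avc['perms'] - granted)
    # Attribute-based rules (daemon, domain, ...) are not expanded; only type-specific
    # rules are consulted, so 'missing_allow' means no listed type rule grants it.
    return ('missing_allow', missing) if missing else ('granted', [])
```

For the container case, the constructive fix is a matching label (for example the same categories on the volume) rather than a custom module; for the cobblerd case, the report points at the permission that the file rule lacks.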
Fedora 32 and SELinux : syntax errors for mlsconstrain
by Cătălin George Feștilă
I have the latest updates and a default SELinux install, but I get many syntax errors for mlsconstrain. Any idea? Thank you.
[root@desk mythcat]# uname -a
Linux desk 5.8.4-200.fc32.x86_64 #1 SMP Wed Aug 26 22:28:08 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
ausearch -c 'updatedb' --raw | audit2allow -M my-updatedb
compilation failed:
my-updatedb.te:25:ERROR 'syntax error' at token 'mlsconstrain' on line 25:
# mlsconstrain dir { read getattr execute } ((l1 dom l2 -Fail-) or (t1 == mlsfilereadtoclr -Fail-) and (h1 dom l2) or (t1 == mlsfileread -Fail-) or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED
mlsconstrain dir { search } ((l1 dom l2 -Fail-) or (t1 == mlsfilereadtoclr -Fail-) and (h1 dom l2) or (t1 == mlsfileread -Fail-) or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED
/usr/bin/checkmodule: error(s) encountered while parsing configuration
...
[root@desk mythcat]# ausearch -c 'ausearch' --raw | audit2allow -M my-ausearch
compilation failed:
my-ausearch.te:28:ERROR 'syntax error' at token 'mlsconstrain' on line 28:
mlsconstrain file { write create setattr relabelfrom append unlink link rename mounton } ((l1 eq l2 -Fail-) or (t1 == mlsfilewritetoclr -Fail-) and (h1 dom l2 -Fail-) and (l1 domby l2) or (t2 == mlsfilewriteinrange -Fail-) and (l1 dom l2 -Fail-) an
# mlsconstrain file { read getattr execute } ((l1 dom l2 -Fail-) or (t1 == mlsfilereadtoclr -Fail-) and (h1 dom l2 -Fail-) or (t1 == mlsfileread -Fail-) or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED
/usr/bin/checkmodule: error(s) encountered while parsing configuration
...
3 years, 4 months
/usr/bin/sandbox: Sandbox Policy is not currently installed.
by Jason Long
Hello,
How can I use "sandbox" on Debian?
$ sandbox
/usr/bin/sandbox: Sandbox Policy is not currently installed.
You need to install the selinux-policy-sandbox package in order to run this command
I can't find any package?
Thank you.
3 years, 4 months
SELinux permission for downloading a file.
by Jason Long
Hello,
I created a file under my website root, and when I want to download it I get:
# wget https://URL.com/file.txt
--2020-10-06 23:53:22-- https://URL.com/file.txt
Resolving URL.com (URL.com)... 80.253.145.77
Connecting to URL.com (URL.com)|80.253.145.77|:443... connected.
HTTP request sent, awaiting response... 403 Forbidden
2020-10-06 23:53:22 ERROR 403: Forbidden.
The SELinux label of file is:
-rwxr-xr-x. 1 apache apache unconfined_u:object_r:user_home_t:s0 95849 Oct 6 23:51 file.txt
How can I solve it?
Thank you.
3 years, 5 months
Re: SELinux permission for downloading a file.
by Ashish Mishra
Hi Jason,
As generic debugging, I would have followed the aspects below.
You can look at them and see if they help you:
1) Quick test by changing to permissive, and check whether the problem
is via SELinux rules or whether your DACs have some issue here
2) Can ausearch give any pointers?
#ausearch -m avc --start recent
3) Can enabling any boolean help?
$ getsebool -a // To see all the booleans
4) Last will be to check if audit2allow can help
Thanks,
Ashish Kumar Mishra
3 years, 5 months
How to sandbox a program?
by Jason Long
Hello,
I want to install an application on Debian 10.6 x86_64, but I don't want this application to hurt my system or steal anything from my Debian box. How can I use SELinux to sandbox a program?
Thank you.
3 years, 5 months
Inputs to add SELINUX policy package on custom bsp
by Ashish Mishra
Hi All,
Good Morning.
I was trying to get the Fedora SELinux policy on our custom BSP.
Can the team please let me know their feedback / comments / inputs on the
same.
Below is the description of what I am trying to do:
1) We are having a custom BSP (Yocto / Buildroot) for one of our
products.
This BSP doesn't have SELinux on it as of now.
2) I can find the policy ".te" files at
https://github.com/fedora-selinux/selinux-policy-contrib (approx 1005
files)
But I am unable to understand the process of adding these policies to my
custom BSP.
Is there any way we can add these Fedora SELinux policies to our BSP?
3) Is there any standard way of bifurcating these ".te" files, or
does one have to make use of all of these as a standard practice?
Please feel free to seek any details or clarification from my side.
Also, do let me know if I am missing any aspect here or misunderstood
something completely.
Thanks,
Ashish Kumar Mishra
3 years, 5 months
RE: Best way to copy and modify existing sysadm_u?
by Salowitz, Mark A CTR
Good morning,
Can anyone steer me in the right direction on this? I'll hopefully have time to work this out this week.
Thank you,
Mark Salowitz
-----Original Message-----
From: Salowitz, Mark A CTR
Sent: Tuesday, October 6, 2020 9:42 AM
To: selinux(a)lists.fedoraproject.org
Subject: Best way to copy and modify existing sysadm_u?
Good morning,
Long time lurker, have an issue I'm trying to sort out. I would like to create a parallel named user to the default sysadm_u and parallel module sysadm_secadm in order to support different tiers of administrative user. My end goal is to have a minimum of two "sysadm_u" type roles, one with the sys/sec role removed to prevent unauthorized policy modification, and one with it implicitly available. For the sake of discussion, I'll call them restricted_sysadm_u and super_sysadm_u.
My plan is (was?) to dump the current policy, change the name for the target profile to either restricted_ or super_, remove anything additional I don't wish restricted_ to perform, add the sysadm_secadm transitions explicitly to super_, and assign them as appropriate to their respective physical users/automation users. I would then remove the sysadm_secadm to close the door on the default ability to modify policy.
I've attempted to extract the CIL policy from the running module and get dozens of repeated lines in the grants, so I tried to extract the sysadm.pp and sysadm_secadm.pp using semodule -E as HLL and have only been able to get them down as far as the .mod file. I have sedismod available, but there doesn't seem to be a straight path to dump the module down to its constituent elements.
Is there an easy way to extract the type enforcement and file contexts from the xyz.mod file?
Is there an easier way to go about doing this without starting from scratch with a clean user?
Is there a shortcut I have completely overlooked?
Thanks very much in advance,
Mark Salowitz
3 years, 5 months
Best way to copy and modify existing sysadm_u?
by Salowitz, Mark A CTR
Good morning,
Long time lurker, have an issue I'm trying to sort out. I would like to create a parallel named user to the default sysadm_u and parallel module sysadm_secadm in order to support different tiers of administrative user. My end goal is to have a minimum of two "sysadm_u" type roles, one with the sys/sec role removed to prevent unauthorized policy modification, and one with it implicitly available. For the sake of discussion, I'll call them restricted_sysadm_u and super_sysadm_u.
My plan is (was?) to dump the current policy, change the name for the target profile to either restricted_ or super_, remove anything additional I don't wish restricted_ to perform, add the sysadm_secadm transitions explicitly to super_, and assign them as appropriate to their respective physical users/automation users. I would then remove the sysadm_secadm to close the door on the default ability to modify policy.
I've attempted to extract the CIL policy from the running module and get dozens of repeated lines in the grants, so I tried to extract the sysadm.pp and sysadm_secadm.pp using semodule -E as HLL and have only been able to get them down as far as the .mod file. I have sedismod available, but there doesn't seem to be a straight path to dump the module down to its constituent elements.
Is there an easy way to extract the type enforcement and file contexts from the xyz.mod file?
Is there an easier way to go about doing this without starting from scratch with a clean user?
Is there a shortcut I have completely overlooked?
Thanks very much in advance,
Mark Salowitz
3 years, 5 months