On 01/28/2016 08:08 PM, lou(a)sfu.ca wrote:
Folks,
I have a problem with SEL file type in /tmp --- I just don't understand why a
particular type is being used. More precisely, I don't understand how the domain that
uses this file type comes into play. I'm hoping someone can enlighten me.
I have a setup where subversion is accessed through httpd (mod_dav_svn). The
post-commit hook runs as the confined uid apache. The hook needs to do bookkeeping using a
different confined uid, coin. I've implemented a custom SEL module svn_hook, to allow
this. It uses the sudo_role_template macro as part of the setup. The full domain
transition sequence to get to the sudo'd script is:
* Domain httpd_t transitions through type svn_hook_exec_t to domain svn_hook_t when the
  top-level hook script is executed
* User changes from apache to coin by sudo'ing a second-level script. The expected
  domain transition would be svn_hook_t -> svn_hook_sudo_t -> svn_hook_t. (Perhaps I'm
  wrong on this?)
When I run 'id' in the second-level script, it says the context is
uid=1002(coin) gid=1013(coin-web) context=system_u:system_r:svn_hook_t:s0
as expected. Elsewhere in the SEL module, svn_hook_t is granted full file and directory
management rights in /tmp with the files_manage_generic_tmp_{dirs,files} macros. When I
run, for example, 'svn export' in this script, it happily creates entire directory
trees of type tmp_t in /tmp, as expected.
But ... if I try to redirect output to a file, or execute something like 'touch
foo', the type used for file creation is svn_hook_sudo_tmp_t (generated within the
sudo_role_template macro). I've opened this macro up, and I can see it will create the
rule 'type_transition svn_hook_sudo_t tmp_t:file svn_hook_sudo_tmp_t;' Fine, I
understand. And I've managed to deal with the issue by allowing domain svn_hook_t to
manage files of type svn_hook_sudo_tmp_t.
What I don't understand: Why is domain svn_hook_sudo_t in play here? According to
id, the script is running in domain svn_hook_t.
Yes, this is correct. You can see
# Enter this derived domain from the user domain
domtrans_pattern($3, sudo_exec_t, $1_sudo_t)
# By default, revert to the calling domain when a shell is executed.
corecmd_shell_domtrans($1_sudo_t, $3)
corecmd_bin_domtrans($1_sudo_t, $3)
in the sudo_role_template() interface.
Which is the reason why you see svn_hook_sudo_t vs. svn_hook_t when 'id'
is executed. 'id' is labeled as bin_t.
If anyone can enlighten me on what's happening here, I'd be a
much happier person.
Thanks,
Lou
--
selinux mailing list
selinux(a)lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org
--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
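A toy model of the transition chain discussed above, added here as an illustration (it is not code from the thread, from Lou's svn_hook module, or from the reference policy). It reduces the quoted macros to the type_transition rules they expand to and walks the exec/create steps, showing why 'id' (a bin_t binary) reports svn_hook_t while an object created by the shell that sudo started is labeled with the template's svn_hook_sudo_tmp_t. The rule set is constructed for the example; allow rules are left out. The one assumption is that sudo runs the second-level script by path, so the execve target is the script file rather than shell_exec_t and the shell itself stays in svn_hook_sudo_t.

```python
import re

# Constructed rule set for illustration: the type_transition rules that the
# thread's macros expand to (domtrans_pattern, corecmd_*_domtrans and the
# tmp rule Lou quotes). Allow rules are omitted; only transitions are modelled.
POLICY = """
# Lou's module: httpd runs the top-level hook script
type_transition httpd_t svn_hook_exec_t:process svn_hook_t;
# sudo_role_template: domtrans_pattern($3, sudo_exec_t, $1_sudo_t)
type_transition svn_hook_t sudo_exec_t:process svn_hook_sudo_t;
# sudo_role_template: corecmd_shell_domtrans / corecmd_bin_domtrans back to $3
type_transition svn_hook_sudo_t shell_exec_t:process svn_hook_t;
type_transition svn_hook_sudo_t bin_t:process svn_hook_t;
# sudo_role_template: derived tmp type for the sudo domain
type_transition svn_hook_sudo_t tmp_t:file svn_hook_sudo_tmp_t;
"""

RULE_RE = re.compile(r"^type_transition\s+(\S+)\s+(\S+):(\S+)\s+(\S+);$")


def parse_rules(text):
    """Map (source_type, target_type, class) -> resulting type."""
    rules = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError("unparsed rule: " + line)
        src, tgt, cls, new = m.groups()
        rules[(src, tgt, cls)] = new
    return rules


def exec_domain(rules, domain, exec_type):
    """Domain after execve of a file labeled exec_type; no rule => stay put."""
    return rules.get((domain, exec_type, "process"), domain)


def create_type(rules, domain, parent_type, cls="file"):
    """Type of a new object; without a rule it inherits the parent dir type."""
    return rules.get((domain, parent_type, cls), parent_type)


def context_type(ctx):
    """Extract the type field from user:role:type[:level] as printed by 'id'."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("not a security context: " + ctx)
    return parts[2]


def trace(rules=None):
    """Walk the hook's exec chain and report what each step sees."""
    rules = rules or parse_rules(POLICY)
    hook = exec_domain(rules, "httpd_t", "svn_hook_exec_t")  # svn_hook_t
    sudo = exec_domain(rules, hook, "sudo_exec_t")           # svn_hook_sudo_t
    # Assumption: sudo execs the second-level script by path, so the execve
    # target is the script file (not shell_exec_t) and the shell stays here.
    shell = sudo
    id_domain = exec_domain(rules, shell, "bin_t")           # 'id' is bin_t
    svn_domain = exec_domain(rules, shell, "bin_t")          # so is 'svn'
    return {
        "shell_domain": shell,                               # svn_hook_sudo_t
        "id_reports": id_domain,                             # svn_hook_t
        # redirection is opened by the shell itself, in the sudo domain
        "redirect_file_type": create_type(rules, shell, "tmp_t"),
        # svn export creates files after transitioning back to svn_hook_t
        "svn_export_file_type": create_type(rules, svn_domain, "tmp_t"),
    }


if __name__ == "__main__":
    for key, value in trace().items():
        print(f"{key:22} {value}")
```

On a real system the same question is answered with `sesearch -T -s svn_hook_sudo_t -t tmp_t -c file` and by checking the label of the shell process rather than the label `id` prints for itself.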