1:08 p.m.
Folks,
I have a problem with SEL file type in /tmp --- I just don't understand why a
particular type is being used. More precisely, I don't understand how the domain that
uses this file type comes into play. I'm hoping someone can enlighten me.
I have a setup where subversion is accessed through httpd (mod_dav_svn). The
post-commit hook runs as the confined uid apache. The hook needs to do bookkeeping using a
different confined uid, coin. I've implemented a custom SEL module svn_hook, to allow
this. It uses the sudo_role_template macro as part of the setup. The full domain
transition sequence to get to the sudo'd script is:
* Domain httpd_t transitions through type svn_hook_exec_t to domain svn_hook_t when the
top-level hook script is
executed
* User changes from apache to coin by sudo'ing a second-level script. The expected
domain transition would be
svn_hook_t -> svn_hook_sudo_t -> svn_hook_t. (Perhaps I'm wrong on this?)
When I run 'id' in the second-level script, it says the context is
uid=1002(coin) gid=1013(coin-web) context=system_u:system_r:svn_hook_t:s0
as expected. Elsewhere in the SEL module, svn_hook_t is granted full file and directory
management rights in /tmp with the files_manage_generic_tmp_{dirs,files} macros. When I
run, for example, 'svn export' in this script, it happily creates entire directory
trees of type tmp_t in /tmp, as expected.
But ... if I try to redirect output to a file, or execute something like 'touch
foo', the type used for file creation is svn_hook_sudo_tmp_t (generated within the
sudo_role_template macro). I've opened this macro up, and I can see it will create the
rule 'type_transition svn_hook_sudo_t tmp_t:file svn_hook_sudo_tmp_t;' Fine, I
understand. And I've managed to deal with the issue by allowing domain svn_hook_t to
manage files of type svn_hook_sudo_tmp_t.
What I don't understand: Why is domain svn_hook_sudo_t in play here? According to
id, the script is running in domain svn_hook_t. If anyone can enlighten me on what's
happening here, I'd be a much happier person.
Thanks,
Lou
1:29 a.m.
New subject: Puzzle involving sudo_role_template, shell script context, file
type in /tmp
On 01/28/2016 08:08 PM, lou(a)sfu.ca wrote:
Folks,
I have a problem with SEL file type in /tmp --- I just don't understand why a
particular type is being used. More precisely, I don't understand how the domain that
uses this file type comes into play. I'm hoping someone can enlighten me.
I have a setup where subversion is accessed through httpd (mod_dav_svn). The
post-commit hook runs as the confined uid apache. The hook needs to do bookkeeping using a
different confined uid, coin. I've implemented a custom SEL module svn_hook, to allow
this. It uses the sudo_role_template macro as part of the setup. The full domain
transition sequence to get to the sudo'd script is:
* Domain httpd_t transitions through type svn_hook_exec_t to domain svn_hook_t when the
top-level hook script is
executed
* User changes from apache to coin by sudo'ing a second-level script. The expected
domain transition would be
svn_hook_t -> svn_hook_sudo_t -> svn_hook_t. (Perhaps I'm wrong on this?)
When I run 'id' in the second-level script, it says the context is
uid=1002(coin) gid=1013(coin-web) context=system_u:system_r:svn_hook_t:s0
as expected. Elsewhere in the SEL module, svn_hook_t is granted full file and directory
management rights in /tmp with the files_manage_generic_tmp_{dirs,files} macros. When I
run, for example, 'svn export' in this script, it happily creates entire directory
trees of type tmp_t in /tmp, as expected.
But ... if I try to redirect output to a file, or execute something like 'touch
foo', the type used for file creation is svn_hook_sudo_tmp_t (generated within the
sudo_role_template macro). I've opened this macro up, and I can see it will create the
rule 'type_transition svn_hook_sudo_t tmp_t:file svn_hook_sudo_tmp_t;' Fine, I
understand. And I've managed to deal with the issue by allowing domain svn_hook_t to
manage files of type svn_hook_sudo_tmp_t.
What I don't understand: Why is domain svn_hook_sudo_t in play here? According to
id, the script is running in domain svn_hook_t.
Yes, this is correct. You can see
# Enter this derived domain from the user domain
domtrans_pattern($3, sudo_exec_t, $1_sudo_t)
# By default, revert to the calling domain when a shell is executed.
corecmd_shell_domtrans($1_sudo_t, $3)
corecmd_bin_domtrans($1_sudo_t, $3)
in thee sudo_role_template() interface.
Which is the reason why you see svn_hook_sudo_t vs. svn_hook_t when 'id'
is executed. 'id' is labeled as bin_t.
If anyone can enlighten me on what's happening here, I'd be a
much happier person.
Thanks,
Lou
--
selinux mailing list
selinux(a)lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org
--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
10:39 a.m.
Ouch! Somehow I managed to convince myself that id would be bright enough to interpret
'give me the security context for the current user' as 'give me the security
context of the process that invoked id'. It's a bit harsh to say 'id
lies', but it sure is misleading. Time to fall back to ps, where I can specify the
process of interest.
Thanks for the answer!
2961
days inactive
3004
days old
selinux@lists.fedoraproject.org
2 comments
2 participants
participants (2)
-
Lou Hafer -
Miroslav Grepl