Ok,
so my celebration was a little premature. It seems the only reason the
daemon's execution of a cmdline utility in a particular category had
worked when running in the initrc_t domain was because apparently
initrc_t is equivalent to unconfined_t[1], so it offers zero
protection.
Now, if anyone out there has any ideas on how to allow an app in its
domain myapp_t (plus full mcs range) to use runcon to run something in
one of those categories (like 'runcon -l cX,cY /path/to/app /path/to/input')
it would be awesome :)
[1]
On Tue, Jan 21, 2014 at 6:07 PM, jiun bookworm <thebookworm101(a)gmail.com> wrote:
Thanks,
but I tried that after sending the email. I saw it while looking at some
policies (init.te) in the fedora selinux policy source, and it did not work
(please see the end of this email for some questions).
Here is what the policy looks like currently.
policy_module(myapp, 1.0.0)
########################################
#
# Declarations
#
require {
type init_t;
type initrc_t;
type systemd_unit_file_t ;
type urandom_device_t ;
type etc_runtime_t ;
type proc_t;
type bin_t;
type tmp_t;
type user_home_dir_t;
type user_home_t;
type net_conf_t;
type ldconfig_exec_t;
type mongod_port_t;
type unreserved_port_t;
type http_cache_port_t;
type http_port_t;
type sandbox_file_t;
type node_t ;
type shell_exec_t ;
type default_t ;
type usr_t ;
type root_t ;
type security_t ;
type unlabeled_t ;
type milter_port_t ;
}
type myapp_t;
type myapp_exec_t;
init_daemon_domain(myapp_t,myapp_exec_t);
ifdef(`enable_mcs',`
init_ranged_daemon_domain(myapp_t,myapp_exec_t,s0 - mcs_systemhigh);
')
systemd_unit_file(systemd_unit_file_t) ;
########################################
allow myapp_t self:fifo_file rw_fifo_file_perms;
allow myapp_t self:unix_stream_socket create_stream_socket_perms;
allow myapp_t self:process { signal transition setexec setcurrent
dyntransition };
allow myapp_t etc_runtime_t:file { read getattr open ioctl execute};
allow myapp_t proc_t:file { read open};
allow myapp_t bin_t:dir { write add_name create };
allow myapp_t bin_t:file { execute execute_no_trans read open getattr
ioctl };
allow myapp_t proc_t:file getattr;
allow myapp_t tmp_t:dir {write add_name};
allow myapp_t tmp_t:file {write open create};
allow myapp_t ldconfig_exec_t:file {execute read open execute_no_trans};
allow myapp_t net_conf_t:file { read open getattr ioctl};
allow myapp_t mongod_port_t:tcp_socket name_connect;
allow myapp_t unreserved_port_t:tcp_socket {name_bind create setopt
connect getattr getopt write read bind append};
allow myapp_t node_t:tcp_socket {node_bind };
allow myapp_t http_cache_port_t:tcp_socket { name_connect create setopt
connect getattr getopt write read bind append };
allow myapp_t http_port_t:tcp_socket { name_connect };
allow myapp_t sandbox_file_t:dir { search getattr read open write add_name
create };
allow myapp_t sandbox_file_t:file { read open getattr ioctl create write
relabelfrom relabelto };
allow myapp_t sandbox_file_t:dir { relabelfrom relabelto };
allow myapp_t shell_exec_t:file { execute execute_no_trans entrypoint };
allow myapp_t default_t:dir { search read getattr write add_name
remove_name };
allow myapp_t default_t:file { read getattr open execute execute_no_trans
ioctl create write rename unlink };
allow myapp_t default_t:lnk_file { read getattr ioctl open } ;
allow myapp_t root_t:dir { write search read getattr add_name create
relabelfrom } ;
allow myapp_t root_t:file { write read getattr create open ioctl
relabelfrom } ;
allow myapp_t security_t:file write;
allow myapp_t security_t:security check_context;
allow myapp_t milter_port_t:tcp_socket name_bind;
mcs_process_set_categories(myapp_t);
allow myapp_t usr_t:file { execute entrypoint read getattr create open
ioctl };
allow unlabeled_t root_t:dir { search read getattr write add_name
remove_name };
allow myapp_t self:tcp_socket { create setopt connect getattr getopt
write read bind append listen accept};
allow myapp_t self:udp_socket { create connect getattr getopt setopt write
read bind append listen accept };
allow myapp_t self:netlink_route_socket { create bind getattr write
nlmsg_read nlmsg_write read setattr lock getopt setopt append };
domain_use_interactive_fds(myapp_t)
#files_read_etc_files(myapp_t)
#miscfiles_read_localization(myapp_t)
#!!!! This avc can be allowed using the boolean 'global_ssp'
allow myapp_t urandom_device_t:chr_file {read open};
##############################################################
##############################################################
Do you have any clues on what other obvious places I should look? (I'm
new to policy writing so I'm inclined to think there is something simple
I've missed as a beginner.)
There is nothing in the audit_t logs about denials. Now, the runcon
manual states clearly that only carefully chosen contexts are going to
run. Obviously there is something preventing the command from running,
but runcon does not provoke any avc denials. Is there a way to figure
out the specific reason for runcon to fail?
thanks
On Tue, Jan 21, 2014 at 5:22 PM, Daniel J Walsh <dwalsh(a)redhat.com> wrote:
> On 01/21/2014 03:31 AM, jiun bookworm wrote:
> > I have managed to get the daemon working with the full mcs range, but it
> > can not run a shell program under a particular category with runcon. What
> > special privileges are necessary for an app to use runcon?
> >
> > This is the error message when the app calls a shell command with runcon:
> >
> > /bin/runcon: invalid context: system_u:system_r:myapp_t:s0:c370,c606:
> > Permission denied
> >
> > after attempting to do this: /bin/runcon -l s0:c370,c606 /path/to/app input
> >
> > The daemon itself runs in the following context:
> >
> > system_u:system_r:myapp_t:s0-s0:c0.c1023 myapp 7542 0.2 0.0 909660 60 ? Ssl 01:06 0:14
> >
> Potentially mcs_process_set_categories(myapp_t)
>
>
> > here is the policy
> >
> > policy_module(myapp, 1.0.0)
> >
> > ########################################
> > #
> > # Declarations
> > #
> > require {
> > type init_t;
> > type initrc_t;
> > type systemd_unit_file_t ;
> > type urandom_device_t ;
> > type etc_runtime_t ;
> > type proc_t;
> > type bin_t;
> > type tmp_t;
> > type user_home_dir_t;
> > type user_home_t;
> > type net_conf_t;
> > type ldconfig_exec_t;
> > type mongod_port_t;
> > type unreserved_port_t;
> > type http_cache_port_t;
> > type http_port_t;
> > type sandbox_file_t;
> > type node_t ;
> > type shell_exec_t ;
> > type bin_t ;
> > type default_t ;
> > type usr_t ;
> > type root_t ;
> > type security_t ;
> > type unlabeled_t ;
> > }
> >
> > type myapp_t;
> > type myapp_exec_t;
> >
> > init_daemon_domain(myapp_t,myapp_exec_t);
> >
> > ifdef(`enable_mcs',`
> > init_ranged_daemon_domain(myapp_t,myapp_exec_t,s0 - mcs_systemhigh);
> > ')
> > systemd_unit_file(systemd_unit_file_t) ;
> >
> > ########################################
> > allow myapp_t self:fifo_file rw_fifo_file_perms;
> > allow myapp_t self:unix_stream_socket create_stream_socket_perms;
> > allow myapp_t self:process { signal transition setexec };
> > allow myapp_t etc_runtime_t:file { read getattr open ioctl execute};
> > allow myapp_t proc_t:file { read open};
> > allow myapp_t bin_t:dir { write add_name create };
> > allow myapp_t bin_t:file { execute execute_no_trans read open getattr ioctl };
> > allow myapp_t proc_t:file getattr;
> > allow myapp_t tmp_t:dir {write add_name};
> > allow myapp_t tmp_t:file {write open create};
> > allow myapp_t ldconfig_exec_t:file {execute read open execute_no_trans};
> > allow myapp_t net_conf_t:file { read open getattr ioctl};
> > allow myapp_t mongod_port_t:tcp_socket name_connect;
> > allow myapp_t unreserved_port_t:tcp_socket {name_bind create setopt connect getattr getopt write read bind append};
> > allow myapp_t node_t:tcp_socket {node_bind };
> > allow myapp_t http_cache_port_t:tcp_socket { name_connect create setopt connect getattr getopt write read bind append };
> > allow myapp_t http_port_t:tcp_socket { name_connect };
> > allow myapp_t sandbox_file_t:dir { search getattr read open write add_name create };
> > allow myapp_t sandbox_file_t:file { read open getattr ioctl create write relabelfrom relabelto };
> > allow myapp_t sandbox_file_t:dir { relabelfrom relabelto };
> > allow myapp_t shell_exec_t:file { execute execute_no_trans };
> >
> > allow myapp_t default_t:dir { search read getattr write };
> > allow myapp_t default_t:file { read getattr open execute execute_no_trans ioctl };
> > allow myapp_t default_t:lnk_file read;
> > allow myapp_t root_t:dir { write search read getattr add_name create relabelfrom } ;
> > allow myapp_t root_t:file { write read getattr create open ioctl relabelfrom } ;
> > allow myapp_t security_t:file write;
> > allow myapp_t security_t:security check_context;
> >
> > allow myapp_t usr_t:file { execute entrypoint read getattr create open ioctl };
> >
> > allow unlabeled_t root_t:dir search;
> >
> > allow myapp_t self:tcp_socket { create setopt connect getattr getopt write read bind append listen accept};
> > allow myapp_t self:udp_socket { create connect getattr getopt setopt write read bind append listen accept };
> >
> > domain_use_interactive_fds(myapp_t)
> >
> > #files_read_etc_files(myapp_t)
> >
> > #miscfiles_read_localization(myapp_t)
> >
> > #!!!! This avc can be allowed using the boolean 'global_ssp'
> > allow myapp_t urandom_device_t:chr_file {read open};
> >
> > On Mon, Jan 20, 2014 at 2:24 PM, jiun bookworm <thebookworm101(a)gmail.com> wrote:
> >
> > init_ranged_daemon_domain() was not working for me. I'm sure I have
> > done something wrong, but I have no idea what or where that is. Right now,
> > with the policy as it is, it's running in system_u:object_r:unlabeled_t:s0,
> > meaning I've borked things big time.
> >
> > here is the policy:
> >
> >
> > policy_module(myapp, 1.0.0)
> >
> > ########################################
> > #
> > # Declarations
> > #
> > require {
> > # type init_t; type initrc_t;
> > type systemd_unit_file_t ;
> > type urandom_device_t ;
> > type etc_runtime_t ;
> > type proc_t;
> > type bin_t;
> > type tmp_t;
> > type user_home_dir_t;
> > type user_home_t;
> > type net_conf_t;
> > type ldconfig_exec_t;
> > type mongod_port_t;
> > type unreserved_port_t;
> > type http_cache_port_t;
> > type http_port_t;
> > type sandbox_file_t;
> > type node_t ;
> > type shell_exec_t ;
> > type bin_t ;
> > type security_t ;
> > type setroubleshootd_t ;
> > type unconfined_t ;
> > type default_t ;
> > }
> >
> > init_ranged_daemon_domain(myapp_t,myapp_exec_t,s0 - mcs_systemhigh);
> > type myapp_t;
> > domain_type(myapp_t);
> > type myapp_exec_t;
> >
> > type myapp_unit_file_t;
> > systemd_unit_file(systemd_unit_file_t)
> >
> > mcs_process_set_categories(myapp_t);
> >
> > ########################################
> >
> > allow myapp_t self:fifo_file rw_fifo_file_perms;
> > allow myapp_t self:unix_stream_socket create_stream_socket_perms;
> > allow myapp_t self:process signal;
> > allow myapp_t etc_runtime_t:file { read getattr open ioctl execute};
> > allow myapp_t proc_t:file { read open};
> > allow myapp_t bin_t:dir write;
> > allow myapp_t bin_t:file { execute execute_no_trans };
> >
> > allow myapp_t proc_t:file getattr;
> > allow myapp_t tmp_t:dir {write add_name};
> > allow myapp_t tmp_t:file {write open create};
> > allow myapp_t user_home_dir_t:dir { search getattr read open write add_name};
> > allow myapp_t user_home_t:file { read open getattr ioctl create};
> > allow myapp_t user_home_t:dir { read open search getattr };
> > allow myapp_t ldconfig_exec_t:file {execute read open execute_no_trans};
> > allow myapp_t net_conf_t:file { read open getattr ioctl};
> > allow myapp_t mongod_port_t:tcp_socket name_connect;
> > allow myapp_t unreserved_port_t:tcp_socket {name_bind create setopt connect getattr getopt write read bind append};
> > allow myapp_t node_t:tcp_socket {node_bind };
> > allow myapp_t http_cache_port_t:tcp_socket { name_connect create setopt connect getattr getopt write read bind append };
> > allow myapp_t http_port_t:tcp_socket { name_connect };
> > allow myapp_t sandbox_file_t:dir { search getattr read open write add_name create };
> > allow myapp_t sandbox_file_t:file { read open getattr ioctl create write relabelfrom relabelto };
> > allow myapp_t sandbox_file_t:dir { relabelfrom relabelto };
> > allow myapp_t shell_exec_t:file { execute execute_no_trans };
> > allow myapp_t security_t:file write;
> >
> > allow myapp_t self:tcp_socket { create setopt connect getattr getopt write read bind append listen accept};
> > allow myapp_t self:udp_socket { create connect getattr getopt setopt write read bind append listen accept };
> >
> > allow myapp_t self:netlink_route_socket { create bind getattr write nlmsg_read nlmsg_write read setattr lock getopt setopt append };
> >
> > domain_use_interactive_fds(myapp_t)
> >
> > allow myapp_t urandom_device_t:chr_file {read open};
> >
> > allow myapp_t default_t:file { read getattr execute open execute_no_trans};
> > allow setroubleshootd_t myapp_exec_t:file getattr;
> > allow init_t myapp_exec_t:file execute;
> > allow init_t myapp_exec_t:file { read open execute getattr entrypoint };
> >
> >
> >
> > On Mon, Jan 20, 2014 at 12:19 PM, Dominick Grift <dominick.grift(a)gmail.com> wrote:
> >
> > On Mon, 2014-01-20 at 05:51 +0300, jiun bookworm wrote:
> >> Let me try the question again. All init daemons are started with the
> >> context specified at [jiun@localhost ~]$ cat /etc/selinux/targeted/contexts/initrc_context
> >> system_u:system_r:initrc_t:s0
> >>
> >> Is it possible to have my application specifically override this and
> >> start with the full mcs range? You mentioned that init_t is able to
> >> do something like this because of some mcs constraints; what constraints
> >> are these?
> >>
> >> I've tried these and they do not work:
> >>
> >> init_ranged_daemon_domain(myapp_t,myapp_exec_t,s0 - mcs_systemhigh)
> >
> > In theory the above should work, maybe there's a small error somewhere. You
> > should probably look more into the source policy for examples.
> >
> >> mcs_process_set_categories(myapp_t);
> >
> > That's one of the available mcs interfaces. There's more in the policy:
> >
> > seinfo -a | grep mcs
> >
> >> range_transition initrc_t myapp_exec_t:process s0:c0.c1023;
> >>
> > oh right, it should probably be:
> >
> > range_transition init_t myapp_exec_t:process s0:c0.c1023;
> >
> > So maybe init_ranged_daemon_domain() needed to be updated to reflect
> > systems.
> >
> > But the idea is that init_ranged_daemon_domain() should work
> >
> >>
> >> On Mon, Jan 20, 2014 at 2:28 AM, Dominick Grift <dominick.grift(a)gmail.com> wrote:
> >> On Mon, 2014-01-20 at 01:42 +0300, jiun bookworm wrote:
> >>
> >>> Dominick, thanks but you may have misunderstood my question. It's not
> >>> the daemon that is confined to one category, it's the child processes that it
> >>> spawns. Previously, when in init_t, the app could spawn processes and assign
> >>> them categories; now it can not, when running under myapp_t. What
> >>> makes init_t or other types able to support mcs and myapp_t can not?
> >>
> >>
> >> There are two options:
> >>
> >> 1. you run the parent with the full mcs range
> >> 2. you override mcs constraints for the parent using the applicable mcs type attributes
> >>
> >> the latter is why init is allowed to do it but I recommend the former for
> >> your parent process
> >>
> >
> > --
> > selinux mailing list
> > selinux(a)lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
>
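The rule behind this whole thread is the MCS dominance check: for a process transition (which is what runcon does after setexeccon), the high level of the parent's range must dominate the level it asks for, unless the parent's type carries the attribute that mcs_process_set_categories() grants. That is why Dominick's first option, running the parent with the full range s0-s0:c0.c1023, lets it runcon into s0:c370,c606 while a parent at plain s0 cannot. The following Python is an added example written for this page, not code from the thread or from the SELinux project. It parses the level/category grammar seen in the contexts above ("s0", "s0:c370,c606", "s0-s0:c0.c1023"), applies the kernel's definition of "dom" (sensitivity greater or equal, categories a superset), and rejects a range whose high level does not dominate its low level, which is one of the checks that produces an "invalid context" result. The s0-only daemon context is constructed for contrast; the user-range authorisation the kernel also applies when validating a context is not modelled.

```python
"""MCS dominance check for SELinux process contexts.

Added example, not code from the mailing-list thread. It models the MCS
constraint on process transition: the high level of the source process's
range must dominate the target level. The user-range authorisation the
kernel also performs on context validation is deliberately not modelled.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    sensitivity: int
    categories: frozenset

    def dominates(self, other: "Level") -> bool:
        # "dom" as the kernel defines it: sensitivity greater or equal and
        # a superset of the other level's category set.
        return (self.sensitivity >= other.sensitivity
                and other.categories <= self.categories)


def parse_categories(spec: str) -> frozenset:
    """'c0.c1023' (range), 'c370,c606' (list), mixtures of both, or ''."""
    if spec == "":
        return frozenset()
    cats = set()
    for part in spec.split(","):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)
        if m is None:
            raise ValueError(f"bad category spec: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) is not None else lo
        if hi < lo:
            raise ValueError(f"descending category range: {part!r}")
        cats.update(range(lo, hi + 1))
    return frozenset(cats)


def parse_level(text: str) -> Level:
    """'s0' or 's0:c370,c606' -> Level."""
    m = re.fullmatch(r"s(\d+)(?::([^:]*))?", text)
    if m is None:
        raise ValueError(f"bad level: {text!r}")
    return Level(int(m.group(1)), parse_categories(m.group(2) or ""))


def parse_range(text: str):
    """'s0' or 's0-s0:c0.c1023' -> (low, high).

    As in the kernel's context validation, a range whose high level does
    not dominate its low level is rejected as an invalid context.
    """
    low_text, sep, high_text = text.partition("-")
    low = parse_level(low_text)
    high = parse_level(high_text) if sep else low
    if not high.dominates(low):
        raise ValueError(f"invalid range, high does not dominate low: {text!r}")
    return low, high


def mls_field(context: str) -> str:
    """Return the fourth field (the range) of user:role:type:range."""
    fields = context.split(":", 3)
    if len(fields) != 4:
        raise ValueError(f"context has no MLS/MCS field: {context!r}")
    return fields[3]


def transition_allowed(source_ctx: str, target_ctx: str) -> bool:
    """MCS constraint on process transition: source high dominates target high."""
    _, source_high = parse_range(mls_field(source_ctx))
    _, target_high = parse_range(mls_field(target_ctx))
    return source_high.dominates(target_high)


if __name__ == "__main__":
    # Contexts from the thread (full-range daemon, requested runcon target)
    # plus a constructed daemon context with no categories for contrast.
    full = "system_u:system_r:myapp_t:s0-s0:c0.c1023"
    plain = "system_u:system_r:myapp_t:s0"
    target = "system_u:system_r:myapp_t:s0:c370,c606"
    for src in (full, plain):
        verdict = "allowed" if transition_allowed(src, target) else "denied"
        print(f"{src} -> {target}: {verdict}")
```

Running it prints "allowed" for the full-range daemon and "denied" for the s0-only one, which is the difference between the daemon as it was started under init_t and a confined domain that received no range transition. A quick way to confirm what the parent actually has before chasing policy rules is to look at the fourth field of its context (ps -eZ shows it): if it reads plain s0, no amount of allow rules will get runcon into a category.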