Problem with aiccu and radvd in /etc/NetworkManager/dispatcher.d/*

Dominick Grift domg472 at gmail.com
Wed Jun 9 15:58:58 UTC 2010


On Wed, Jun 09, 2010 at 12:06:35PM +0200, Laurent Rineau wrote:
> Hi,

It seems that the aiccu policy is incomplete. I do not see any radvd AVC denials, so I am assuming that this works.

As for the audit2allow output: I guess we need to extend the aiccu module. Looking at the source policy module, it indeed looks incomplete.

As for how to go about writing a proper patch:

First we need to add policy for domain transitions where possible, as this may change behaviour and thus the other AVC denials.

So where/what to transition? Well, transitions happen on execution of an "entry file". In the rules below, the executions are:

> allow aiccu_t ifconfig_exec_t:file { read getattr open execute execute_no_trans };
> allow aiccu_t insmod_exec_t:file { read getattr open execute execute_no_trans };
> allow aiccu_t shell_exec_t:file { read execute open getattr execute_no_trans };


So the first thing we should do is write a module that makes sure the transitions go well:

create a working directory:

mkdir ~/mywork; cd ~/mywork;

let's create a policy patch:

echo "policy_module(myaiccu, 1.0.0)" > myaiccu.te;
echo "require { type aiccu_t; }" >> myaiccu.te;
echo "sysnet_domtrans_ifconfig(aiccu_t)" >> myaiccu.te;
echo "modutils_domtrans_insmod_uncond(aiccu_t)" >> myaiccu.te;
echo "corecmd_exec_shell(aiccu_t)" >> myaiccu.te;

see if it builds:

make -f /usr/share/selinux/devel/Makefile myaiccu.pp

Install it:

sudo semodule -i myaiccu.pp

Now reproduce the issue. Do exactly as you did before and please paste again the list with audit2allow rules.

In short: the aiccu policy is incomplete; you can help us finish it by testing and providing feedback. Once we have it working, we can share our result by submitting it to Fedora.

> 
> (My second post in this list in two years of lurking.)
> 
> My machines run F-13.
> 
> My selinux packages are:
>   selinux-policy-3.7.19-23.fc13.noarch
>   selinux-policy-targeted-3.7.19-23.fc13.noarch
> 
> 
> I want to trigger the services aiccu and radvd from NetworkManager, to get a Sixxs IPv6 tunnel and announce a Sixxs IPv6 subnet on the 
> LAN. For that, I have created this file:
> 
> $ cat /etc/NetworkManager/dispatcher.d/20-aiccu
> #!/bin/sh
> 
> if [ "$2" = "up" ] ; then
>         /sbin/service aiccu start && /sbin/service radvd start || :
> fi
> 
> if [ "$2" = "down" ] ; then
>         /sbin/service radvd stop || :
>         /sbin/service aiccu stop || :
> fi
> 
> 
> It works in permissive mode, but I had to create the following local.te module using audit2allow in order to get that to work in enforcing 
> mode:
> 
> ==================================================================
> module local 1.1;
> 
> require {
>         type insmod_exec_t;
>         type modules_conf_t;
>         type urandom_device_t;
>         type syslogd_t;
>         type ifconfig_exec_t;
>         type sysfs_t;
>         type port_t;
>         type modules_dep_t;
>         type shell_exec_t;
>         type bin_t;
>         type devlog_t;
>         type proc_t;
>         type random_device_t;
>         type console_device_t;
>         type modules_object_t;
>         type aiccu_t;
>         class tun_socket create;
>         class chr_file { read open };
>         class capability { net_admin sys_module sys_tty_config };
>         class tcp_socket { write name_connect connect shutdown read create };
>         class file { execute read execute_no_trans getattr open };
>         class sock_file write;
>         class netlink_route_socket { setopt nlmsg_write read bind create nlmsg_read write getattr };
>         class lnk_file read;
>         class unix_dgram_socket { write create connect sendto };
>         class udp_socket { write read create connect };
>         class dir read;
> }
> 
> #============= aiccu_t ==============
> allow aiccu_t bin_t:lnk_file read;
> allow aiccu_t devlog_t:sock_file write;
> allow aiccu_t ifconfig_exec_t:file { read getattr open execute execute_no_trans };
> allow aiccu_t insmod_exec_t:file { read getattr open execute execute_no_trans };
> allow aiccu_t modules_conf_t:dir read;
> allow aiccu_t modules_conf_t:file { read getattr open };
> allow aiccu_t modules_dep_t:file { read getattr open };
> allow aiccu_t modules_object_t:file { read open };
> allow aiccu_t port_t:tcp_socket name_connect;
> allow aiccu_t proc_t:file { read getattr open };
> allow aiccu_t random_device_t:chr_file read;
> allow aiccu_t self:capability net_admin;
> allow aiccu_t self:netlink_route_socket { setopt nlmsg_write read bind create nlmsg_read write getattr };
> allow aiccu_t self:tcp_socket { read write create connect shutdown };
> allow aiccu_t self:tun_socket create;
> allow aiccu_t self:udp_socket { write read create connect };
> allow aiccu_t self:unix_dgram_socket { write create connect };
> allow aiccu_t shell_exec_t:file { read execute open getattr execute_no_trans };
> allow aiccu_t sysfs_t:file { read getattr open };
> allow aiccu_t syslogd_t:unix_dgram_socket sendto;
> #!!!! This avc can be allowed using the boolean 'global_ssp'
> 
> allow aiccu_t urandom_device_t:chr_file { read open };
> 
> allow aiccu_t console_device_t:chr_file open;
> allow aiccu_t modules_object_t:file getattr;
> allow aiccu_t self:capability { sys_module sys_tty_config };
> 
> ==================================================================
> 
> The AVC audit log is attached (compressed with bzip2). To get it, I used this sort of command:
> cnetworkmanager -o off; DATE=`date '+%H:%M'`; cnetworkmanager -o on; sleep 10; sudo sh -c "/sbin/ausearch -ts $DATE -m avc | tee 
> /root/audit.log"
> 
> This shell one-liner disables the network, stores the current time in $DATE, then enables the network, and uses ausearch (after a sleep 
> of 10 seconds) to get AVCs starting from the time $DATE.
> 
> I do not understand the AVC. Both aiccu and radvd have their own modules. I am not really used to selinux context transitions. I wonder 
> if it is possible that the AVCs are because radvd is running in the selinux context aiccu_t.
> 
> -- 
> Laurent Rineau
> http://fedoraproject.org/wiki/LaurentRineau


> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
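The triage step Dominick describes above (scan the audit2allow rules for executions of an entrypoint type, replace those with domain-transition interface calls, then retest everything else) can be done mechanically. The script below is an added example and is not part of the thread or of the Fedora policy; it assumes the three interface names he gives (sysnet_domtrans_ifconfig, modutils_domtrans_insmod_uncond, corecmd_exec_shell) as its only known mappings, reports any other *_exec_t target as a TODO, and runs on a constructed subset of the rules quoted in the post.

```python
"""Triage audit2allow output for missing SELinux domain transitions.

Added example, not code from the selinux list thread. The interface map
only contains the three interfaces named in the reply; any other
entrypoint type is flagged for manual lookup rather than guessed.
"""
import re

# Entrypoint type -> refpolicy interface that grants the transition (or,
# for the shell, the in-domain execute the reply uses).  Assumed from the
# thread; extend it from the interface files under
# /usr/share/selinux/devel/include when you hit an unknown *_exec_t.
DOMTRANS_INTERFACES = {
    "ifconfig_exec_t": "sysnet_domtrans_ifconfig",
    "insmod_exec_t": "modutils_domtrans_insmod_uncond",
    "shell_exec_t": "corecmd_exec_shell",
}

# Matches "allow <src> <tgt>:<class> <perm>;" or "... { perm perm };".
ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")

# Constructed sample: a subset of the local.te rules quoted in the post.
SAMPLE_AUDIT2ALLOW = """\
#============= aiccu_t ==============
allow aiccu_t bin_t:lnk_file read;
allow aiccu_t ifconfig_exec_t:file { read getattr open execute execute_no_trans };
allow aiccu_t insmod_exec_t:file { read getattr open execute execute_no_trans };
allow aiccu_t port_t:tcp_socket name_connect;
allow aiccu_t self:capability net_admin;
allow aiccu_t shell_exec_t:file { read execute open getattr execute_no_trans };
allow aiccu_t modules_object_t:file getattr;
"""


def parse_allow_rules(text):
    """Return a list of (source, target, class, perms-set) for each allow rule."""
    rules = []
    for line in text.splitlines():
        m = ALLOW_RE.match(line)
        if not m:
            continue  # comments, require blocks, blank lines
        source, target, cls, perms = m.groups()
        rules.append((source, target, cls, set(perms.strip("{} ").split())))
    return rules


def find_entrypoint_execs(rules):
    """(source, target) pairs where a domain runs an *_exec_t file without
    transitioning (execute_no_trans): these are the candidates for domtrans."""
    return [
        (src, tgt)
        for src, tgt, cls, perms in rules
        if cls == "file" and tgt.endswith("_exec_t") and "execute_no_trans" in perms
    ]


def remaining_rules(rules):
    """Rules that are NOT entrypoint executions.  Do not allow these yet:
    once the transitions are in place the denials may change, so they are
    re-collected by reproducing the issue with the transition module loaded."""
    hits = set(find_entrypoint_execs(rules))
    return [r for r in rules if (r[0], r[1]) not in hits]


def suggest_te(rules, module_name="myaiccu", version="1.0.0"):
    """Build the transition-only policy module text from the audit2allow rules."""
    hits = find_entrypoint_execs(rules)
    domains = sorted({src for src, _ in hits})
    out = [f"policy_module({module_name}, {version})", ""]
    if domains:
        out.append("require {")
        out.extend(f"\ttype {d};" for d in domains)
        out.extend(["}", ""])
    for src, tgt in hits:
        iface = DOMTRANS_INTERFACES.get(tgt)
        if iface:
            out.append(f"{iface}({src})")
        else:
            out.append(f"# TODO: no known domtrans interface for {tgt} (executed by {src})")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    parsed = parse_allow_rules(SAMPLE_AUDIT2ALLOW)
    print(suggest_te(parsed))
    print("# deferred until retest after the transitions are loaded:")
    for src, tgt, cls, perms in remaining_rules(parsed):
        print(f"#   allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
```

Write the output to myaiccu.te and build it with the same `make -f /usr/share/selinux/devel/Makefile myaiccu.pp` / `semodule -i` steps given in the reply; the deferred rules are deliberately left out because, as the reply notes, the denials you see after the transitions are in place are the ones worth fixing.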

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20100609/18f0ed54/attachment.bin 
