OpenVPN launching scripts

Bruno Vernay brunovern.a at gmail.com
Thu Feb 7 13:55:55 UTC 2013


On Mon, Jan 14, 2013 at 12:42 PM, Dominick Grift
<dominick.grift at gmail.com> wrote:
> On Mon, 2013-01-14 at 11:05 +0100, Bruno Vernay wrote:
>> On Fri, Jan 11, 2013 at 1:29 PM, Dominick Grift
>> <dominick.grift at gmail.com> wrote:
>> > On Fri, 2013-01-11 at 10:50 +0100, Bruno Vernay wrote:
>> >> I am trying to allow OpenVPN to use Amazon Simple Notification Service
>> >> (SNS), so that each time a client connects to the VPN, OpenVPN
>> >> triggers a bash script that will use Amazon SNS.
>> >>
>> >> Amazon SNS is a Java program launched via bash scripts.
>> >> It is in aws/SimpleNotificationServiceCli/bin/ for the .sh and /lib for the .jar
>> >>
>> >> OpenVPN launches a script in /etc/openvpn/client-connect.
>> >>
>> >>
>> >> OpenVPN runs confined and I don't want to poke a big hole just to run SNS.
>> >>
>> >> So I tried to "confine" SNS and allow the transition from OpenVPN, but
>> >> it didn't go well. (config files below)
>> >> I wonder if it could be just as good to allow OpenVPN to escape its
>> >> confine to only call the relevant SNS script ?
>> >>
>> >>
>> >> From documentation and audit2allow I got to these configuration files.
>> >> But it still doesn't authorize the script to run and now the messages
>> >> triggers errors in audit2allow:
>> >>
>> >> libsepol.mls_from_string: invalid MLS context
>> >> libsepol.mls_from_string: could not construct mls context structure
>> >> libsepol.context_from_record: could not create context structure
>> >> libsepol.context_from_string: could not create context structure
>> >> libsepol.sepol_context_to_sid: could not convert
>> >> system_u:object_r:proc_t: to sid
>> >> libsepol.context_from_record: type op is not defined
>> >> libsepol.context_from_record: could not create context structure
>> >> libsepol.context_from_string: could not create context structure
>> >> libsepol.sepol_context_to_sid: could not convert system_u:object_r:op:s0 to sid
>> >> libsepol.context_from_record: type openvpn_ is not defined
>> >> libsepol.context_from_record: could not create context structure
>> >> libsepol.context_from_string: could not create context structure
>> >> libsepol.sepol_context_to_sid: could not convert
>> >> system_u:object_r:openvpn_:s0 to sid
>> >> libsepol.context_from_record: type shell_e is not defined
>> >> libsepol.context_from_record: could not create context structure
>> >> libsepol.context_from_string: could not create context structure
>> >> libsepol.sepol_context_to_sid: could not convert
>> >> system_u:object_r:shell_e:s0 to sid
>> >>
>> >
>> > Strange question maybe but what text editor did you use to create this
>> > policy?
>> >
>> > It almost seems that your amz_sns.fc messes up the file context
>> > specifications (some clients append hidden symbols)
>> >
>> > Also make sure you end your fc file with a newline
>> >
>> >>
>> >>
>> >> $ cat amz_sns.fc
>> >> /opt/aws/SimpleNotificationServiceCli.*/bin/.*    --    gen_context(system_u:object_r:amz_sns_exec_t,s0)
>> >> /opt/aws/SimpleNotificationServiceCli.*/lib(/.*)?    gen_context(system_u:object_r:amz_sns_lib_t,s0)
>> >>
>> >>
>> >> $ cat amz_sns.te
>> >> policy_module( amz_sns, 1.0.0)
>> >>
>> >> require {
>> >>         type openvpn_t;
>> >>         type openvpn_tmp_t;
>> >>         type shell_exec_t;
>> >> }
>> >>
>> >> type amz_sns_t;
>> >> type amz_sns_exec_t;
>> >> type amz_sns_lib_t;
>> >>
>> >> files_type(amz_sns_lib_t);
>> >>
>> >> domain_type(amz_sns_t)
>> >> domain_entry_file(amz_sns_t, amz_sns_exec_t)
>> >>
>> >> allow amz_sns_t amz_sns_exec_t:file { read execute entrypoint };
>> >> domain_auto_trans( openvpn_t, amz_sns_exec_t, amz_sns_t );
>> >>
>> >> role system_r types amz_sns_t;  # ???
>> >>
>> >> # The child process sends a signal to its parent as it dies
>> >> allow amz_sns_t openvpn_t:process sigchld;
>> >>
>> >> allow amz_sns_t openvpn_tmp_t:file write;   # For /tmp/debug
>> >>
>> >> allow amz_sns_t shell_exec_t:file { read open execute execute_no_trans
>> >> };  # Bash exec
>> >>
>> >>
>> >> Bruno
>> >> --
>> >> selinux mailing list
>> >> selinux at lists.fedoraproject.org
>> >> https://admin.fedoraproject.org/mailman/listinfo/selinux
>> >
>> >
>>
>> - I used vi (it is a headless Amazon AMI free tier).
>> - it ends with a new line
>> - I even checked with hexdump for alien characters and it seems clean to me
>
> Strange, ok shot in the dark but you might try cleaning up the TE file a
> bit:
>
> policy_module(amz_sns, 1.0.0)
>
> gen_require(`
>         type openvpn_t;
>         type openvpn_tmp_t;
> ')
>
> type amz_sns_t;
> type amz_sns_exec_t;
> domain_type(amz_sns_t)
> domain_entry_file(amz_sns_t, amz_sns_exec_t)
> role system_r types amz_sns_t;
>
> domtrans_pattern(openvpn_t, amz_sns_exec_t, amz_sns_t)
>
> allow amz_sns_t openvpn_tmp_t:file write;
>
> corecmd_exec_shell(amz_sns_t)
>
> Also i am not sure how selinux deals with the underscore in module and type names (amz_sns)
>

Sorry for the delay ...

- I renamed "amz_sns" to "amzsns"
- I applied your changes
- I relaunched to go further each time, until I had no more messages.
But that doesn't mean it is working either.

Now, I have no more messages in audit.log (selinux enabled or not). My
script works only when selinux is disabled.

What could I do now ??


/*************************************************************************************/
$ cat amzsns.fc
/opt/aws/SimpleNotificationServiceCli.*/bin/.*    --    gen_context(system_u:object_r:amzsns_exec_t,s0)
/opt/aws/SimpleNotificationServiceCli.*/lib(/.*)?    gen_context(system_u:object_r:amzsns_lib_t,s0)

$ cat amzsns.te
policy_module(amzsns, 1.0.0)

require {
        type openvpn_t;
        type openvpn_tmp_t;
        type shell_exec_t;
        type unlabeled_t;
        type etc_t;
        type openvpn_etc_t;
        type openvpn_etc_rw_t;
        type proc_t;
        type usr_t;
        type bin_t;   # referenced by a rule below but was missing from the require block
        type java_exec_t;
        type tmp_t;
        type locale_t;
        type net_conf_t;
        type proc_net_t;
        type ephemeral_port_t;
        type http_port_t;
        type random_device_t;
        type urandom_device_t;
        type cert_t;
}

type amzsns_t;
type amzsns_exec_t;
type amzsns_lib_t;
files_type(amzsns_lib_t)   # gives the library type the file_type attribute, as in the first version
domain_type(amzsns_t)
domain_entry_file(amzsns_t, amzsns_exec_t)
role system_r types amzsns_t;

domtrans_pattern(openvpn_t, amzsns_exec_t, amzsns_t)

allow amzsns_t openvpn_tmp_t:file write;

corecmd_exec_shell(amzsns_t)
# From audit2allow step 1: the file openvpn_t tries to execute is unlabeled_t,
# i.e. the client-connect script carries no label. This rule lets openvpn_t
# execute any unlabeled file; labelling the script (an fc entry plus restorecon)
# is the narrower alternative.
allow openvpn_t unlabeled_t:file { execute getattr };

allow amzsns_t etc_t:file  { read open getattr };
allow amzsns_t openvpn_etc_t:dir { search getattr };
allow amzsns_t proc_t:file { read open getattr };
allow amzsns_t usr_t:lnk_file { read getattr };
allow amzsns_t usr_t:file { getattr read open };

allow amzsns_t amzsns_exec_t:file execute_no_trans;

allow amzsns_t bin_t:file { read open execute getattr execute_no_trans };

allow amzsns_t amzsns_lib_t:dir { read open search getattr };
allow amzsns_t amzsns_lib_t:file { read  getattr open };
allow amzsns_t etc_t:lnk_file read;
allow amzsns_t self:fifo_file { read ioctl write getattr };
allow amzsns_t self:process execmem;

allow amzsns_t tmp_t:dir { write add_name create read remove_name } ;
allow amzsns_t tmp_t:file { create read write open unlink };
allow amzsns_t locale_t:file { read open getattr };
allow amzsns_t locale_t:dir { read open search getattr };
allow amzsns_t openvpn_etc_rw_t:file { read write };

allow amzsns_t net_conf_t:file { read open getattr };
allow amzsns_t proc_net_t:file { read open getattr };
allow amzsns_t self:tcp_socket { create listen getattr connect accept shutdown getopt setopt };
allow amzsns_t self:udp_socket { create connect getattr };
allow amzsns_t self:netlink_route_socket { create bind getattr nlmsg_read };
allow amzsns_t ephemeral_port_t:tcp_socket name_connect;
allow amzsns_t http_port_t:tcp_socket name_connect;

allow amzsns_t random_device_t:chr_file { read getattr open  };
allow amzsns_t cert_t:dir search;
allow amzsns_t cert_t:file { getattr read open };

allow amzsns_t urandom_device_t:chr_file { getattr read open };

allow amzsns_t java_exec_t:file { read open execute getattr execute_no_trans };

/*************************************************************************************/


Here are the different steps using audit2allow:
 1/ allow openvpn_t unlabeled_t:file { execute getattr };
 2/ #============= amzsns_t ==============
allow amzsns_t etc_t:file read;
allow amzsns_t openvpn_etc_t:dir { search getattr };
allow amzsns_t proc_t:file read;
allow amzsns_t usr_t:lnk_file read;
3/ #============= amzsns_t ==============
allow amzsns_t amzsns_exec_t:file execute_no_trans;
allow amzsns_t etc_t:file open;
allow amzsns_t proc_t:file open;
4/#============= amzsns_t ==============
allow amzsns_t bin_t:file execute;
allow amzsns_t etc_t:file getattr;
allow amzsns_t proc_t:file getattr;
5/#============= amzsns_t ==============
allow amzsns_t bin_t:file { read open };
6/#============= amzsns_t ==============
allow amzsns_t amzsns_lib_t:dir read;
allow amzsns_t bin_t:file getattr;
allow amzsns_t etc_t:lnk_file read;
allow amzsns_t self:fifo_file read;
7/ #============= amzsns_t ==============
allow amzsns_t amzsns_lib_t:dir open;
allow amzsns_t bin_t:file execute_no_trans;
allow amzsns_t java_exec_t:file { execute getattr };
8/ #============= amzsns_t ==============
allow amzsns_t amzsns_lib_t:dir search;
allow amzsns_t java_exec_t:file { read open };
allow amzsns_t self:fifo_file ioctl;
9/ #============= amzsns_t ==============
allow amzsns_t amzsns_lib_t:file getattr;
allow amzsns_t java_exec_t:file execute_no_trans;
10/ #============= amzsns_t ==============
allow amzsns_t self:fifo_file { write getattr };
allow amzsns_t self:process execmem;
allow amzsns_t tmp_t:dir write;
11/ #============= amzsns_t ==============
allow amzsns_t amzsns_lib_t:file read;
allow amzsns_t locale_t:file read;
allow amzsns_t openvpn_etc_rw_t:file { read write };
allow amzsns_t tmp_t:dir add_name;
allow amzsns_t usr_t:lnk_file getattr;
12/ #============= amzsns_t ==============
allow amzsns_t amzsns_lib_t:dir getattr;
allow amzsns_t amzsns_lib_t:file open;
allow amzsns_t locale_t:file open;
allow amzsns_t tmp_t:dir create;
13/ #============= amzsns_t ==============
allow amzsns_t locale_t:file getattr;
allow amzsns_t net_conf_t:file read;
allow amzsns_t proc_net_t:file read;
allow amzsns_t random_device_t:chr_file { read getattr };
allow amzsns_t self:tcp_socket create;
allow amzsns_t tmp_t:file create;
allow amzsns_t usr_t:file getattr;
13/ #============= amzsns_t ==============
allow amzsns_t cert_t:dir search;
allow amzsns_t locale_t:dir read;
allow amzsns_t net_conf_t:file open;
allow amzsns_t proc_net_t:file open;
allow amzsns_t random_device_t:chr_file open;
allow amzsns_t self:tcp_socket listen;
allow amzsns_t tmp_t:dir read;
allow amzsns_t tmp_t:file { read write open };
#!!!! This avc can be allowed using the boolean 'global_ssp'

allow amzsns_t urandom_device_t:chr_file getattr;
allow amzsns_t usr_t:file read;
14/ #============= amzsns_t ==============
allow amzsns_t net_conf_t:file getattr;
allow amzsns_t proc_net_t:file getattr;
allow amzsns_t self:netlink_route_socket create;
allow amzsns_t self:udp_socket create;
allow amzsns_t tmp_t:dir remove_name;
#!!!! This avc can be allowed using the boolean 'global_ssp'

allow amzsns_t urandom_device_t:chr_file read;
15/ #============= amzsns_t ==============
allow amzsns_t cert_t:file getattr;
allow amzsns_t locale_t:dir open;
allow amzsns_t self:netlink_route_socket bind;
allow amzsns_t self:tcp_socket getattr;
allow amzsns_t self:udp_socket connect;
allow amzsns_t tmp_t:file unlink;
#!!!! This avc can be allowed using the boolean 'global_ssp'

allow amzsns_t urandom_device_t:chr_file open;
allow amzsns_t usr_t:file open;
16/ #============= amzsns_t ==============
allow amzsns_t locale_t:dir search;
allow amzsns_t self:netlink_route_socket getattr;
allow amzsns_t self:tcp_socket connect;
17/ #============= amzsns_t ==============
allow amzsns_t ephemeral_port_t:tcp_socket name_connect;
allow amzsns_t locale_t:dir getattr;
18/ #============= amzsns_t ==============
allow amzsns_t self:tcp_socket accept;
19/ #============= amzsns_t ==============
allow amzsns_t self:tcp_socket shutdown;

At this point, I have no more messages in audit.log, but the script
isn't working either. So I setenforce 0 to continue:
20/ #============= amzsns_t ==============
allow amzsns_t http_port_t:tcp_socket name_connect;
allow amzsns_t self:netlink_route_socket nlmsg_read;
allow amzsns_t self:tcp_socket { getopt setopt };
allow amzsns_t self:udp_socket getattr;



By the way, do I have to uninstall the previous module or can I just
install the new one  "semodule -i amzsns.pp" without issuing a
"semodule -r amzsns" ??? (It takes quite a time)

Regards
Bruno
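As an added example (not code from this thread or from any of its participants), here is a small Python sanity checker for the two things the exchange turned on: whether an .fc file carries hidden characters, wrapped entries or a missing final newline, and whether every type a .te rule uses is actually declared (a type such as bin_t used in an allow rule without a `type bin_t;` anywhere fails at checkmodule time). It also lists types named in gen_context() entries that the .te never declares, which is the situation behind "type X is not defined" errors when contexts cannot be converted to SIDs. The sample .te and .fc strings are constructed for the example, modelled on the files above; the checks are mine and not part of any SELinux tool.

```python
import re

# Constructed sample inputs (not the thread's files): a .te that uses bin_t
# without declaring it, and an .fc whose first entry was wrapped onto two
# lines, whose second entry contains a non-breaking space, and which lacks
# a final newline.
SAMPLE_TE = """\
policy_module(amzsns, 1.0.0)

require {
        type openvpn_t;
        type openvpn_tmp_t;
}

type amzsns_t;
type amzsns_exec_t;
domain_type(amzsns_t)
domain_entry_file(amzsns_t, amzsns_exec_t)
role system_r types amzsns_t;
domtrans_pattern(openvpn_t, amzsns_exec_t, amzsns_t)
allow amzsns_t openvpn_tmp_t:file write;
allow amzsns_t bin_t:file { read open execute getattr execute_no_trans };
allow amzsns_t self:process execmem;
"""

BROKEN_FC = (
    "/opt/aws/SimpleNotificationServiceCli.*/bin/.*    --\n"
    "gen_context(system_u:object_r:amzsns_exec_t,s0)\n"
    "/opt/aws/SimpleNotificationServiceCli.*/lib(/.*)?\u00a0"
    "gen_context(system_u:object_r:amzsns_lib_t,s0)"
)

FIXED_FC = (
    "/opt/aws/SimpleNotificationServiceCli.*/bin/.*\t--\t"
    "gen_context(system_u:object_r:amzsns_exec_t,s0)\n"
    "/opt/aws/SimpleNotificationServiceCli.*/lib(/.*)?\t"
    "gen_context(system_u:object_r:amzsns_lib_t,s0)\n"
)

# `type X` at the start of a line: module body, require { } or gen_require(` ') block.
TYPE_DECL = re.compile(r"^\s*type\s+(\w+)", re.M)
# Source and target of an access-vector rule; brace sets as source/target are not handled.
AV_RULE = re.compile(r"^\s*(?:allow|dontaudit|auditallow|neverallow)\s+(\w+)\s+(\w+)\s*:", re.M)
# One file-context entry: regex, optional file-type flag, then the context.
FC_ENTRY = re.compile(r"^(\S+)(?:\s+(-[-bcdlps]))?\s+(gen_context\([^)]*\)|<<none>>)\s*$")
FC_TYPE = re.compile(r"gen_context\(\w+:\w+:(\w+)")


def undeclared_types(te_text):
    """Types used as source or target of AV rules that nothing in the module
    declares. checkmodule rejects these; the fix is a `type X;` in the require block."""
    declared = set(TYPE_DECL.findall(te_text))
    used = set()
    for src, tgt in AV_RULE.findall(te_text):
        used.update(t for t in (src, tgt) if t != "self")
    return sorted(used - declared)


def fc_problems(fc_text):
    """(line_no, message) pairs for an .fc file; line 0 stands for the file as a whole."""
    problems = []
    if not fc_text.endswith("\n"):
        problems.append((0, "file does not end with a newline"))
    for n, line in enumerate(fc_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        # Anything outside printable ASCII (tabs excepted) is an editor artefact.
        odd = sorted({c for c in line if c != "\t" and not (32 <= ord(c) < 127)})
        if odd:
            problems.append((n, "non-ASCII or control characters: " + ", ".join(map(repr, odd))))
            continue
        if not FC_ENTRY.match(line):
            problems.append((n, "not of the form 'regex [-type] context' (wrapped line?)"))
    return problems


def fc_types_missing_from_te(fc_text, te_text):
    """Types named in gen_context() entries that the .te never declares."""
    declared = set(TYPE_DECL.findall(te_text))
    return sorted(set(FC_TYPE.findall(fc_text)) - declared)


if __name__ == "__main__":
    for n, msg in fc_problems(BROKEN_FC):
        print(f"fc line {n}: {msg}")
    print("undeclared types in .te:", undeclared_types(SAMPLE_TE))
    print("fc types missing from .te:", fc_types_missing_from_te(FIXED_FC, SAMPLE_TE))
```

Run it against your own sources with `fc_problems(open("amzsns.fc").read())` and `undeclared_types(open("amzsns.te").read())` before invoking the module build; it only reads the source text, so it complements rather than replaces checkmodule and semodule.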