OpenVPN launching scripts

Dominick Grift dominick.grift at gmail.com
Thu Feb 7 17:08:33 UTC 2013


On Thu, 2013-02-07 at 16:40 +0100, Bruno Vernay wrote:

Some quick comments in-line

> OK, I found "semodule -DB"
> (http://selinux-mac.blogspot.fr/2009/07/faq-selinux-denies-access-but-avc.html)
> Also thanks for allowing me to skip "semodule -r"
> 
> So I can continue ...
> 21/ #============= amzsns_t ==============
> allow amzsns_t self:netlink_route_socket { write read };
> allow amzsns_t self:tcp_socket { write read };
> allow amzsns_t self:udp_socket { write read };
> 
> #============= openvpn_t ==============
> allow openvpn_t amzsns_t:process { siginh rlimitinh noatsecure };
> 

It's probably inheriting those sockets from openvpn, or else it may signal
a leaked file descriptor. You would need to look in the audit.log to see
if the SYSCALL succeeds.

If things do not work without the above permissions then I am pretty
certain that it's some inheritance from openvpn or some other process.

> and below is my working result.
> Problem is: what does it do ?? (I will do some research, but if you
> have some idea to simplify or some warning, do not hesitate to
> comment)
> 
> policy_module( amzsns, 1.0.0)
> 
> require {
>         type openvpn_t;
>         type openvpn_tmp_t;
>         type shell_exec_t;
>         type unlabeled_t;
>         type etc_t;
>         type openvpn_etc_t;
>         type openvpn_etc_rw_t;
>         type proc_t;
>         type usr_t;
>         type java_exec_t;
>         type tmp_t;
>         type locale_t;
>         type net_conf_t;
>         type proc_net_t;
>         type ephemeral_port_t;
>         type http_port_t;
>         type random_device_t;
>         type urandom_device_t;
>         type cert_t;
> }
> 
> type amzsns_t;
> type amzsns_exec_t;
> type amzsns_lib_t;
> domain_type(amzsns_t)
> domain_entry_file(amzsns_t, amzsns_exec_t)
> role system_r types amzsns_t;
> 
> domtrans_pattern(openvpn_t, amzsns_exec_t, amzsns_t)
> 
> allow openvpn_t unlabeled_t:file { execute getattr }; # Execute unlabeled files ? But why ?

See the AVC denials for clues. There should be no unlabeled files.

> 
> allow openvpn_t amzsns_t:process { siginh rlimitinh noatsecure };  #

The above should not be needed and you can/should probably dontaudit
that (there are a few cases where it is needed but not many, so see if
you can do without).

> Necessary for transition
> 
> allow amzsns_t openvpn_tmp_t:file write;

Either a leaked file descriptor or inherited.
See if the SYSCALL succeeds. If it doesn't even though you allowed access
then chances are that it's a leaked file descriptor that you can
dontaudit instead.

> 
> corecmd_exec_shell(amzsns_t)
> 
> # Read some files:
> allow amzsns_t etc_t:file  { read open getattr };
> allow amzsns_t etc_t:lnk_file read;
> allow amzsns_t openvpn_etc_t:dir { search getattr };
> allow amzsns_t openvpn_etc_rw_t:file { read write };  # This is openVPN ipp.txt (I will move it)

It's also either a leak or inherited, since amzsns does not actually
"open" it.

> allow amzsns_t proc_t:file { read open getattr };
> allow amzsns_t usr_t:lnk_file { read getattr };
> allow amzsns_t usr_t:file { getattr read open };
> 
> allow amzsns_t amzsns_exec_t:file execute_no_trans; # ?

I guess it re-executes itself or executes a command that is also labeled
amzsns_exec_t

> allow amzsns_t bin_t:file { read open execute getattr execute_no_trans }; # ???
> 

It's running generic binaries (stuff like ls etc., no problem).

> allow amzsns_t amzsns_lib_t:dir { read open search getattr };
> allow amzsns_t amzsns_lib_t:file { read  getattr open };

Not sure what amzsns_lib_t is for content but it might not be needed to
create a private type for this content

> allow amzsns_t self:fifo_file { read ioctl write getattr };  # ??

Internal communication is often done with fifo files (this is common and
no problem)

> allow amzsns_t self:process execmem;

The above sucks, but I guess if you need it, you need it.

> # Network access:
> allow amzsns_t net_conf_t:file { read open getattr };
> allow amzsns_t proc_net_t:file { read open getattr };
> allow amzsns_t self:tcp_socket { create listen getattr connect accept
> shutdown getopt setopt read write };
> allow amzsns_t self:udp_socket { create connect getattr read write };
> allow amzsns_t self:netlink_route_socket { create bind getattr
> nlmsg_read read write };
> allow amzsns_t ephemeral_port_t:tcp_socket name_connect;

Should probably figure out which port it is and see if you can give it a
label that is more appropriate because this is kind of coarse

> allow amzsns_t http_port_t:tcp_socket name_connect;
> 
> allow amzsns_t tmp_t:dir { write add_name create read remove_name } ;
> allow amzsns_t tmp_t:file { create read write open unlink };
> allow amzsns_t locale_t:dir { read open search getattr };
> allow amzsns_t locale_t:file { getattr read open };
> allow amzsns_t cert_t:dir search;
> allow amzsns_t cert_t:file { getattr read open };
> 
> allow amzsns_t random_device_t:chr_file { getattr read open  };
> allow amzsns_t urandom_device_t:chr_file { getattr read open };
> 
> allow amzsns_t java_exec_t:file { read open execute getattr
> execute_no_trans };  # ???

I guess it executes java (is this some java app?). Anyway, no problem.
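
Added example, not part of the original message: a small Python triage script for the checks suggested in the reply. It pairs each AVC denial with the SYSCALL record of the same audit event and notes whether "open" was among the denied permissions. The log lines, path and event IDs are constructed, and treating a missing "open" as a hint of an inherited or leaked descriptor is a heuristic, not a verdict.

```python
import re
from collections import defaultdict

# Constructed audit.log lines (not from the thread); path, inode and event IDs are made up.
SAMPLE_LOG = """\
type=AVC msg=audit(1360256913.101:451): avc:  denied  { read write } for  pid=2211 comm="amzsns.sh" path="/etc/openvpn/ipp.txt" dev="dm-0" ino=1234 scontext=system_u:system_r:amzsns_t:s0 tcontext=system_u:object_r:openvpn_etc_rw_t:s0 tclass=file
type=SYSCALL msg=audit(1360256913.101:451): arch=c000003e syscall=59 success=yes exit=0 pid=2211 comm="amzsns.sh" exe="/bin/bash" subj=system_u:system_r:amzsns_t:s0
type=AVC msg=audit(1360256913.207:452): avc:  denied  { read open } for  pid=2211 comm="amzsns.sh" path="/proc/meminfo" dev="proc" ino=4026 scontext=system_u:system_r:amzsns_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=SYSCALL msg=audit(1360256913.207:452): arch=c000003e syscall=2 success=no exit=-13 pid=2211 comm="amzsns.sh" exe="/bin/bash" subj=system_u:system_r:amzsns_t:s0
"""

# Object classes for which a normal access would also need "open".
FILE_CLASSES = {"file", "chr_file", "blk_file", "fifo_file"}
EVENT = re.compile(r'^type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)$')
AVC = re.compile(r'avc:\s+denied\s+\{ ([^}]*)\} for .*?'
                 r'scontext=(\S+) tcontext=(\S+) tclass=(\S+)')

def triage(log_text):
    """Pair each AVC denial with the SYSCALL record of the same audit event."""
    avcs, syscalls = defaultdict(list), {}
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue
        rtype, event_id, body = m.groups()
        if rtype == "AVC":
            a = AVC.search(body)
            if a:
                avcs[event_id].append(a.groups())
        elif rtype == "SYSCALL":
            s = re.search(r'\bsuccess=(yes|no)\b', body)
            syscalls[event_id] = s.group(1) if s else "unknown"
    findings = []
    for event_id, records in avcs.items():
        for perms, scon, tcon, tclass in records:
            perms = perms.split()
            findings.append({
                "event": event_id,
                "source": scon.split(":")[2],   # type field of the source context
                "target": tcon.split(":")[2],   # type field of the target context
                "tclass": tclass,
                "perms": perms,
                "syscall_success": syscalls.get(event_id, "unknown"),
                # Heuristic: file access denied without "open" -> candidate inherited/leaked fd
                "no_open": tclass in FILE_CLASSES and "open" not in perms,
            })
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```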



