how to transition a daemon to its own domain

jiun bookworm thebookworm101 at gmail.com
Wed Jan 22 00:48:57 UTC 2014


Ok, so my celebration was a little premature. It seems the only reason the
daemon's execution of a cmdline utility in a particular category had
worked when running in the initrc_t domain was because apparently
initrc_t is equivalent to unconfined_t [1], so it offers zero
protection.
Now, if anyone out there has any ideas on how to allow an app in its
domain myapp_t (plus full MCS range) to use runcon to run something in
one of those categories (like 'runcon -l cX,cY /path/to/app /path/to/input'),
it would be awesome :)

[1] http://mgrepl.fedorapeople.org/Presentations/HowToBeSELinuxAware.pdf



On Tue, Jan 21, 2014 at 6:07 PM, jiun bookworm <thebookworm101 at gmail.com>wrote:

> Thanks,
> but I tried that after sending the email; I saw it while looking at some
> policies (init.te) in the Fedora SELinux policy source, and it has not worked
> (please see the end of this email for some questions).
>
> here is what the policy looks like currently.
>
>
> policy_module(myapp, 1.0.0)
>
> ########################################
> #
> # Declarations
> #
> require {
>          type init_t;
>          type initrc_t;
>          type systemd_unit_file_t;
>          type urandom_device_t;
>          type etc_runtime_t;
>          type proc_t;
>          type bin_t;
>          type tmp_t;
>          type user_home_dir_t;
>          type user_home_t;
>          type net_conf_t;
>          type ldconfig_exec_t;
>          type mongod_port_t;
>          type unreserved_port_t;
>          type http_cache_port_t;
>          type http_port_t;
>          type sandbox_file_t;
>          type node_t;
>          type shell_exec_t;
>          type default_t;
>          type usr_t;
>          type root_t;
>          type security_t;
>          type unlabeled_t;
>          type milter_port_t;
> }
>
> type myapp_t;
> type myapp_exec_t;
>
> # daemon domain, entered from init via myapp_exec_t
> init_daemon_domain(myapp_t,myapp_exec_t);
>
> # give the daemon the full MCS range when MCS is enabled
> ifdef(`enable_mcs',`
>     init_ranged_daemon_domain(myapp_t,myapp_exec_t,s0 - mcs_systemhigh);
> ')
>
> systemd_unit_file(systemd_unit_file_t);
>
> ########################################
> #
> # Local policy
> #
> allow myapp_t self:fifo_file rw_fifo_file_perms;
> allow myapp_t self:unix_stream_socket create_stream_socket_perms;
> allow myapp_t self:process { signal transition setexec setcurrent dyntransition };
>
> allow myapp_t etc_runtime_t:file { read getattr open ioctl execute };
> allow myapp_t proc_t:file { read open };
> allow myapp_t bin_t:dir { write add_name create };
> allow myapp_t bin_t:file { execute execute_no_trans read open getattr ioctl };
> allow myapp_t proc_t:file getattr;
> allow myapp_t tmp_t:dir { write add_name };
> allow myapp_t tmp_t:file { write open create };
> allow myapp_t ldconfig_exec_t:file { execute read open execute_no_trans };
> allow myapp_t net_conf_t:file { read open getattr ioctl };
> allow myapp_t mongod_port_t:tcp_socket name_connect;
> allow myapp_t unreserved_port_t:tcp_socket { name_bind create setopt connect getattr getopt write read bind append };
> allow myapp_t node_t:tcp_socket { node_bind };
> allow myapp_t http_cache_port_t:tcp_socket { name_connect create setopt connect getattr getopt write read bind append };
> allow myapp_t http_port_t:tcp_socket { name_connect };
> allow myapp_t sandbox_file_t:dir { search getattr read open write add_name create };
> allow myapp_t sandbox_file_t:file { read open getattr ioctl create write relabelfrom relabelto };
> allow myapp_t sandbox_file_t:dir { relabelfrom relabelto };
> allow myapp_t shell_exec_t:file { execute execute_no_trans entrypoint };
>
> allow myapp_t default_t:dir { search read getattr write add_name remove_name };
> allow myapp_t default_t:file { read getattr open execute execute_no_trans ioctl create write rename unlink };
> allow myapp_t default_t:lnk_file { read getattr ioctl open };
>
> allow myapp_t root_t:dir { write search read getattr add_name create relabelfrom };
> allow myapp_t root_t:file { write read getattr create open ioctl relabelfrom };
> # needed by runcon to validate the target context via /sys/fs/selinux/context
> allow myapp_t security_t:file write;
> allow myapp_t security_t:security check_context;
> allow myapp_t milter_port_t:tcp_socket name_bind;
>
> # let myapp_t set categories on its children (mcssetcats attribute)
> mcs_process_set_categories(myapp_t);
>
> allow myapp_t usr_t:file { execute entrypoint read getattr create open ioctl };
> allow unlabeled_t root_t:dir { search read getattr write add_name remove_name };
>
> allow myapp_t self:tcp_socket { create setopt connect getattr getopt write read bind append listen accept };
> allow myapp_t self:udp_socket { create connect getattr getopt setopt write read bind append listen accept };
>
> allow myapp_t self:netlink_route_socket { create bind getattr write nlmsg_read nlmsg_write read setattr lock getopt setopt append };
>
> domain_use_interactive_fds(myapp_t)
>
> #files_read_etc_files(myapp_t)
>
> #miscfiles_read_localization(myapp_t)
>
> #!!!! This avc can be allowed using the boolean 'global_ssp'
> allow myapp_t urandom_device_t:chr_file { read open };
>
> ##############################################################
> ##############################################################
>
>
> Do you have any clues on what other obvious places I should look? (I'm
> new to policy writing, so I'm inclined to think there is something simple
> I've missed as a beginner.)
> There is nothing in the audit logs about denials. Now, the runcon manual
> states clearly that only carefully chosen contexts are going to run, so
> obviously there is something preventing the command from running, but
> runcon does not provoke any AVC denials. Is there a way to figure out the
> specific reason for runcon to fail?
>
>
> thanks
>
>
> On Tue, Jan 21, 2014 at 5:22 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 01/21/2014 03:31 AM, jiun bookworm wrote:
>> > I have managed to get the daemon working with the full MCS range, but it
>> > cannot run a shell program under a particular category with runcon. What
>> > special privileges are necessary for an app to use runcon?
>> >
>> > This is the error message when the app calls a shell command with runcon:
>> >
>> > /bin/runcon: invalid context: system_u:system_r:myapp_t:s0:c370,c606: Permission denied
>> >
>> > after attempting to do this: /bin/runcon -l s0:c370,c606 /path/to/app input
>> >
>> > The daemon itself runs in the following context:
>> >
>> > system_u:system_r:myapp_t:s0-s0:c0.c1023  myapp  7542 0.2  0.0 909660 60 ? Ssl 01:06   0:14
>> >
>> >
>> >
>> Potentially mcs_process_set_categories(myapp_t)
>>
>>
>> > here is the policy
>> >
>> > policy_module(myapp, 1.0.0)
>> >
>> > ########################################
>> > #
>> > # Declarations
>> > #
>> > require {
>> >         type init_t;
>> >         type initrc_t;
>> >         type systemd_unit_file_t;
>> >         type urandom_device_t;
>> >         type etc_runtime_t;
>> >         type proc_t;
>> >         type bin_t;
>> >         type tmp_t;
>> >         type user_home_dir_t;
>> >         type user_home_t;
>> >         type net_conf_t;
>> >         type ldconfig_exec_t;
>> >         type mongod_port_t;
>> >         type unreserved_port_t;
>> >         type http_cache_port_t;
>> >         type http_port_t;
>> >         type sandbox_file_t;
>> >         type node_t;
>> >         type shell_exec_t;
>> >         type default_t;
>> >         type usr_t;
>> >         type root_t;
>> >         type security_t;
>> >         type unlabeled_t;
>> > }
>> >
>> > type myapp_t;
>> > type myapp_exec_t;
>> >
>> > init_daemon_domain(myapp_t,myapp_exec_t);
>> >
>> > ifdef(`enable_mcs',`
>> >     init_ranged_daemon_domain(myapp_t,myapp_exec_t,s0 - mcs_systemhigh);
>> > ')
>> > systemd_unit_file(systemd_unit_file_t);
>> >
>> > ########################################
>> > allow myapp_t self:fifo_file rw_fifo_file_perms;
>> > allow myapp_t self:unix_stream_socket create_stream_socket_perms;
>> > allow myapp_t self:process { signal transition setexec };
>> > allow myapp_t etc_runtime_t:file { read getattr open ioctl execute };
>> > allow myapp_t proc_t:file { read open };
>> > allow myapp_t bin_t:dir { write add_name create };
>> > allow myapp_t bin_t:file { execute execute_no_trans read open getattr ioctl };
>> > allow myapp_t proc_t:file getattr;
>> > allow myapp_t tmp_t:dir { write add_name };
>> > allow myapp_t tmp_t:file { write open create };
>> > allow myapp_t ldconfig_exec_t:file { execute read open execute_no_trans };
>> > allow myapp_t net_conf_t:file { read open getattr ioctl };
>> > allow myapp_t mongod_port_t:tcp_socket name_connect;
>> > allow myapp_t unreserved_port_t:tcp_socket { name_bind create setopt connect getattr getopt write read bind append };
>> > allow myapp_t node_t:tcp_socket { node_bind };
>> > allow myapp_t http_cache_port_t:tcp_socket { name_connect create setopt connect getattr getopt write read bind append };
>> > allow myapp_t http_port_t:tcp_socket { name_connect };
>> > allow myapp_t sandbox_file_t:dir { search getattr read open write add_name create };
>> > allow myapp_t sandbox_file_t:file { read open getattr ioctl create write relabelfrom relabelto };
>> > allow myapp_t sandbox_file_t:dir { relabelfrom relabelto };
>> > allow myapp_t shell_exec_t:file { execute execute_no_trans };
>> >
>> > allow myapp_t default_t:dir { search read getattr write };
>> > allow myapp_t default_t:file { read getattr open execute execute_no_trans ioctl };
>> > allow myapp_t default_t:lnk_file read;
>> > allow myapp_t root_t:dir { write search read getattr add_name create relabelfrom };
>> > allow myapp_t root_t:file { write read getattr create open ioctl relabelfrom };
>> > allow myapp_t security_t:file write;
>> > allow myapp_t security_t:security check_context;
>> >
>> > allow myapp_t usr_t:file { execute entrypoint read getattr create open ioctl };
>> >
>> > allow unlabeled_t root_t:dir search;
>> >
>> > allow myapp_t self:tcp_socket { create setopt connect getattr getopt write read bind append listen accept };
>> > allow myapp_t self:udp_socket { create connect getattr getopt setopt write read bind append listen accept };
>> >
>> > domain_use_interactive_fds(myapp_t)
>> >
>> > #files_read_etc_files(myapp_t)
>> >
>> > #miscfiles_read_localization(myapp_t)
>> >
>> > #!!!! This avc can be allowed using the boolean 'global_ssp'
>> > allow myapp_t urandom_device_t:chr_file { read open };
>> >
>> >
>> >
>> > On Mon, Jan 20, 2014 at 2:24 PM, jiun bookworm <
>> thebookworm101 at gmail.com
>> > <mailto:thebookworm101 at gmail.com>> wrote:
>> >
>> > init_ranged_daemon_domain() was not working for me. I'm sure I have done
>> > something wrong, but I have no idea what or where that is. Right now,
>> > with the policy as it is, it's running in system_u:object_r:unlabeled_t:s0,
>> > meaning I've borked things big time.
>> >
>> > here is the policy:
>> >
>> >
>> > policy_module(myapp, 1.0.0)
>> >
>> > ########################################
>> > #
>> > # Declarations
>> > #
>> > require {
>> >         # type init_t; type initrc_t;
>> >
>> >         type systemd_unit_file_t;
>> >         type urandom_device_t;
>> >         type etc_runtime_t;
>> >         type proc_t;
>> >         type bin_t;
>> >         type tmp_t;
>> >         type user_home_dir_t;
>> >         type user_home_t;
>> >         type net_conf_t;
>> >         type ldconfig_exec_t;
>> >         type mongod_port_t;
>> >         type unreserved_port_t;
>> >         type http_cache_port_t;
>> >         type http_port_t;
>> >         type sandbox_file_t;
>> >         type node_t;
>> >         type shell_exec_t;
>> >         type security_t;
>> >         type setroubleshootd_t;
>> >         type unconfined_t;
>> >         type default_t;
>> > }
>> >
>> > init_ranged_daemon_domain(myapp_t,myapp_exec_t,s0 - mcs_systemhigh);
>> > type myapp_t;
>> > domain_type(myapp_t);
>> > type myapp_exec_t;
>> >
>> > type myapp_unit_file_t;
>> > systemd_unit_file(systemd_unit_file_t)
>> >
>> > mcs_process_set_categories(myapp_t);
>> >
>> > ########################################
>> >
>> > allow myapp_t self:fifo_file rw_fifo_file_perms;
>> > allow myapp_t self:unix_stream_socket create_stream_socket_perms;
>> > allow myapp_t self:process signal;
>> > allow myapp_t etc_runtime_t:file { read getattr open ioctl execute };
>> > allow myapp_t proc_t:file { read open };
>> > allow myapp_t bin_t:dir write;
>> > allow myapp_t bin_t:file { execute execute_no_trans };
>> >
>> > allow myapp_t proc_t:file getattr;
>> > allow myapp_t tmp_t:dir { write add_name };
>> > allow myapp_t tmp_t:file { write open create };
>> > allow myapp_t user_home_dir_t:dir { search getattr read open write add_name };
>> > allow myapp_t user_home_t:file { read open getattr ioctl create };
>> > allow myapp_t user_home_t:dir { read open search getattr };
>> > allow myapp_t ldconfig_exec_t:file { execute read open execute_no_trans };
>> > allow myapp_t net_conf_t:file { read open getattr ioctl };
>> > allow myapp_t mongod_port_t:tcp_socket name_connect;
>> > allow myapp_t unreserved_port_t:tcp_socket { name_bind create setopt connect getattr getopt write read bind append };
>> > allow myapp_t node_t:tcp_socket { node_bind };
>> > allow myapp_t http_cache_port_t:tcp_socket { name_connect create setopt connect getattr getopt write read bind append };
>> > allow myapp_t http_port_t:tcp_socket { name_connect };
>> > allow myapp_t sandbox_file_t:dir { search getattr read open write add_name create };
>> > allow myapp_t sandbox_file_t:file { read open getattr ioctl create write relabelfrom relabelto };
>> > allow myapp_t sandbox_file_t:dir { relabelfrom relabelto };
>> > allow myapp_t shell_exec_t:file { execute execute_no_trans };
>> > allow myapp_t security_t:file write;
>> >
>> > allow myapp_t self:tcp_socket { create setopt connect getattr getopt write read bind append listen accept };
>> > allow myapp_t self:udp_socket { create connect getattr getopt setopt write read bind append listen accept };
>> >
>> > allow myapp_t self:netlink_route_socket { create bind getattr write nlmsg_read nlmsg_write read setattr lock getopt setopt append };
>> >
>> > domain_use_interactive_fds(myapp_t)
>> >
>> > allow myapp_t urandom_device_t:chr_file { read open };
>> >
>> > allow myapp_t default_t:file { read getattr execute open execute_no_trans };
>> > allow setroubleshootd_t myapp_exec_t:file getattr;
>> > allow init_t myapp_exec_t:file execute;
>> > allow init_t myapp_exec_t:file { read open execute getattr entrypoint };
>> >
>> >
>> >
>> > On Mon, Jan 20, 2014 at 12:19 PM, Dominick Grift <
>> dominick.grift at gmail.com
>> > <mailto:dominick.grift at gmail.com>> wrote:
>> >
>> > On Mon, 2014-01-20 at 05:51 +0300, jiun bookworm wrote:
>> >> Let me try the question again,  all  init daemons are started  with the
>> >> context specified at [jiun at localhost ~]$ cat
>> >> /etc/selinux/targeted/contexts/initrc_context
>> >> system_u:system_r:initrc_t:s0
>> >>
>> >>
>> >> Is it possible to have my application specifically override this and
>> >> start with the full MCS range? You mentioned that init_t is able to
>> >> do something like this because of some MCS constraints; what constraints
>> >> are these?
>> >>
>> >> I've tried these and they do not work:
>> >>
>> >> init_ranged_daemon_domain(myapp_t,myapp_exec_t,s0 - mcs_systemhigh)
>> >
>> > In theory the above should work; maybe there's a small error somewhere. You
>> > should probably look more into the source policy for examples.
>> >
>> >> mcs_process_set_categories(myapp_t);
>> >
>> > That's one of the available MCS interfaces. There are more in the policy:
>> >
>> > seinfo -a | grep mcs
>> >
>> >> range_transition initrc_t myapp_exec_t:process s0:c0.c1023;
>> >>
>> > oh right, it should probably be:
>> >
>> > range_transition init_t myapp_exec_t:process s0:c0.c1023;
>> >
>> > So maybe init_ranged_daemon_domain() needed to be updated to reflect
>> > systems.
>> >
>> > But the idea is that init_ranged_daemon_domain() should work
>> >
>> >>
>> >> On Mon, Jan 20, 2014 at 2:28 AM, Dominick Grift <
>> dominick.grift at gmail.com
>> >> <mailto:dominick.grift at gmail.com>> wrote: On Mon, 2014-01-20 at 01:42
>> >> +0300, jiun bookworm wrote:
>> >>
>> >>> Dominick, thanks, but you may have misunderstood my question: it's not
>> >>> the daemon that is confined to one category, it's the child processes
>> >>> that it spawns. Previously, when in init_t, the app could spawn processes
>> >>> and assign them categories; now it cannot, when running under myapp_t.
>> >>> What makes init_t or other types able to support MCS and myapp_t cannot?
>> >>
>> >>
>> >> There are two options:
>> >>
>> >> 1. you run the parent with the full MCS range
>> >> 2. you override MCS constraints for the parent using the applicable MCS
>> >>    type attributes
>> >>
>> >> The latter is why init is allowed to do it, but I recommend the former for
>> >> your parent process.
>> >>
>> >>
>> >>
>> >>
>> >
>> >
>> >
>> >
>> >
>> >
>> > -- selinux mailing list selinux at lists.fedoraproject.org
>> > https://admin.fedoraproject.org/mailman/listinfo/selinux
>> >
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1
>> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>>
>> iEYEARECAAYFAlLegqIACgkQrlYvE4MpobOXLACeNQ5HyBr3PSqIps0qbks+gPXZ
>> /xUAnR6nuOXHAoGuhqPCysSyOunVukbJ
>> =qRfS
>> -----END PGP SIGNATURE-----
>>
>
>
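The rule the whole thread circles around is the MCS constraint on process transitions: the child's categories must be a subset of the parent's high level, unless the parent type carries the mcssetcats attribute (which is what mcs_process_set_categories() grants, and why init can hand out categories it does not itself hold). Below is a small Python model of that check, added here as an example; it is not code from the thread, from runcon or from the Fedora policy. It assumes the constraint has the shape used in refpolicy's policy/mcs, `mlsconstrain process { transition dyntransition } (( h1 dom h2 ) or ( t1 == mcssetcats ));`, and only evaluates that constraint: type-enforcement rules and the `check_context` validation runcon performs are out of scope. The contexts in the sample input are the ones quoted in the thread; the `mcssetcats` membership is passed in as a hypothetical parameter rather than read from a real policy (on a live system `seinfo -a mcssetcats -x` from setools lists the real members).

```python
"""
Model of the SELinux MCS constraint on process transitions (added example).

Assumed constraint shape (refpolicy policy/mcs):
    mlsconstrain process { transition dyntransition }
        (( h1 dom h2 ) or ( t1 == mcssetcats ));
h1/h2 are the high levels of the parent/child ranges, t1 the parent type.
On an MCS system the sensitivity is always s0, so 'dom' is category inclusion.
"""
import re
from dataclasses import dataclass

MAX_CAT = 1023                     # mcs_systemhigh is s0:c0.c1023 on a default build
_CAT = re.compile(r"^c(\d+)$")
_SENS = re.compile(r"^s(\d+)$")


def parse_categories(spec: str) -> frozenset:
    """'c0.c1023' -> {0..1023}; 'c370,c606' -> {370, 606}; '' -> empty set."""
    cats = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition(".")           # 'cA.cB' is the inclusive range A..B
        m_lo = _CAT.match(lo)
        m_hi = _CAT.match(hi) if hi else m_lo
        if not (m_lo and m_hi):
            raise ValueError(f"bad category spec {part!r}")
        start, end = int(m_lo.group(1)), int(m_hi.group(1))
        if not 0 <= start <= end <= MAX_CAT:
            raise ValueError(f"category range reversed or out of bounds: {part!r}")
        cats.update(range(start, end + 1))
    return frozenset(cats)


@dataclass(frozen=True)
class Level:
    sens: int
    cats: frozenset

    @classmethod
    def parse(cls, text: str) -> "Level":
        sens, _, cats = text.partition(":")
        m = _SENS.match(sens)
        if not m:
            raise ValueError(f"bad sensitivity {sens!r}")
        return cls(int(m.group(1)), parse_categories(cats))

    def dominates(self, other: "Level") -> bool:
        # MLS 'dom': sensitivity not lower and category set a superset
        return self.sens >= other.sens and self.cats >= other.cats


@dataclass(frozen=True)
class Range:
    low: Level
    high: Level

    @classmethod
    def parse(cls, text: str) -> "Range":
        lo, _, hi = text.partition("-")
        low = Level.parse(lo)
        high = Level.parse(hi) if hi else low     # 's0:c1' means 's0:c1-s0:c1'
        if not high.dominates(low):
            raise ValueError(f"high level does not dominate low level in {text!r}")
        return cls(low, high)


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    domain: str
    range: Range

    @classmethod
    def parse(cls, text: str) -> "Context":
        parts = text.split(":", 3)                # the range field itself contains ':'
        if len(parts) != 4:
            raise ValueError(f"need user:role:type:range, got {text!r}")
        user, role, domain, rng = parts
        return cls(user, role, domain, Range.parse(rng))


def runcon_level(parent: Context, level: str) -> Context:
    """Context that 'runcon -l LEVEL cmd' asks for: same user/role/type, new range."""
    return Context(parent.user, parent.role, parent.domain, Range.parse(level))


def transition_allowed(parent: Context, child: Context, mcssetcats=frozenset()) -> bool:
    """Evaluate only the MCS constraint; TE rules and the user's range are out of scope."""
    if parent.domain in mcssetcats:               # t1 == mcssetcats: constraint bypassed
        return True
    return parent.range.high.dominates(child.range.high)   # h1 dom h2


def explain(parent: str, level: str, mcssetcats=frozenset()) -> str:
    p = Context.parse(parent)
    c = runcon_level(p, level)
    if transition_allowed(p, c, mcssetcats):
        return "allowed"
    ph, ch = p.range.high, c.range.high
    if ph.sens < ch.sens:
        return f"denied: parent high sensitivity s{ph.sens} below s{ch.sens}"
    missing = ",".join(f"c{n}" for n in sorted(ch.cats - ph.cats))
    return f"denied: parent high level lacks categories {missing}"


if __name__ == "__main__":
    daemon = "system_u:system_r:myapp_t:s0-s0:c0.c1023"   # ps output quoted in the thread
    initrc = "system_u:system_r:myapp_t:s0"               # what initrc_context alone gives
    for ctx in (daemon, initrc):
        print(ctx, "->", explain(ctx, "s0:c370,c606"))
    # the other lever: parent type carries mcssetcats (hypothetical membership)
    print(initrc, "+mcssetcats ->", explain(initrc, "s0:c370,c606", mcssetcats={"myapp_t"}))
```

Running it shows the two levers side by side: the daemon at s0-s0:c0.c1023 may ask for s0:c370,c606, the same type started from the plain initrc_context (s0, no categories) may not, and adding the type to mcssetcats makes the second case pass without widening the parent's range. Note that `runcon -l s0:c370,c606` keeps the parent's type, exactly as the error message in the thread shows (myapp_t with the new range), so the parent's own high level is what gets compared.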