Re: how to transition a daemon to its own domain

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I have nanaged to get  the daemon working with the full mcs range, but it can not run a shell program under a particular category with runcon, what special priviledges are neccessary for an app to use runcon?

this is the error message when the app calls a shell command with runcon

/bin/runcon: invalid context: system_u:system_r:myapp_t:s0:c370,c606: Permission denied

after attempting to do this:
/bin/runcon   -l s0:c370,c606   /path/to/app   input

the daemon itself runs in the following context:

system_u:system_r:myapp_t:s0-s0:c0.c1023  myapp  7542 0.2  0.0 909660 60 ? Ssl  01:06   0:14



here is the policy

policy_module(myapp, 1.0.0)

########################################
#
# Declarations
#
require {
         type init_t;
         type initrc_t;
         type systemd_unit_file_t ;
         type urandom_device_t ;
         type etc_runtime_t ;
         type proc_t;
         type bin_t;
         type tmp_t;
         type user_home_dir_t;
         type user_home_t;
         type net_conf_t;
         type ldconfig_exec_t;
         type mongod_port_t;
         type unreserved_port_t;
         type http_cache_port_t;
         type http_port_t;
         type sandbox_file_t;
         type node_t ;
         type shell_exec_t ;
         type bin_t ;
         type default_t ;
         type usr_t ;
         type root_t ;
         type security_t ;
         type unlabeled_t ;
}

type myapp_t;
type myapp_exec_t;

init_daemon_domain(myapp_t,myapp_exec_t);

ifdef(`enable_mcs',`
    init_ranged_daemon_domain(myapp_t,myapp_exec_t,s0 - mcs_systemhigh);
')
systemd_unit_file(systemd_unit_file_t) ;


########################################
allow myapp_t self:fifo_file rw_fifo_file_perms;
allow myapp_t self:unix_stream_socket create_stream_socket_perms;
allow myapp_t self:process { signal transition setexec };
allow myapp_t etc_runtime_t:file { read getattr open ioctl execute};
allow myapp_t proc_t:file { read open};
allow myapp_t bin_t:dir { write add_name create };
allow myapp_t bin_t:file { execute  execute_no_trans read open  getattr ioctl };
allow myapp_t proc_t:file getattr;
allow myapp_t tmp_t:dir {write add_name};
allow myapp_t tmp_t:file {write open create};
allow myapp_t ldconfig_exec_t:file {execute  read open  execute_no_trans};
allow myapp_t net_conf_t:file { read  open   getattr ioctl};
allow myapp_t mongod_port_t:tcp_socket name_connect;
allow myapp_t unreserved_port_t:tcp_socket {name_bind create setopt connect getattr getopt write  read bind append};
allow myapp_t node_t:tcp_socket {node_bind };
allow myapp_t http_cache_port_t:tcp_socket { name_connect create setopt connect getattr getopt write  read bind append };
allow myapp_t http_port_t:tcp_socket { name_connect };
allow myapp_t sandbox_file_t:dir { search getattr read open write add_name create  };
allow myapp_t sandbox_file_t:file { read open  getattr ioctl create write  relabelfrom relabelto  };
allow myapp_t sandbox_file_t:dir { relabelfrom relabelto };
allow myapp_t shell_exec_t:file { execute execute_no_trans };


allow myapp_t default_t:dir { search read getattr write };
allow myapp_t default_t:file { read getattr open execute execute_no_trans ioctl };
allow myapp_t default_t:lnk_file read;
allow myapp_t root_t:dir {  write search read getattr add_name create relabelfrom } ;
allow myapp_t root_t:file {  write  read getattr  create open ioctl  relabelfrom } ;
allow myapp_t security_t:file write;
allow myapp_t security_t:security check_context;

allow myapp_t usr_t:file { execute entrypoint  read getattr  create open ioctl };

allow unlabeled_t root_t:dir search;

allow myapp_t self:tcp_socket { create setopt connect getattr getopt write  read bind append listen accept};
allow myapp_t self:udp_socket { create connect getattr getopt setopt write read bind append listen accept };

domain_use_interactive_fds(myapp_t)

#files_read_etc_files(myapp_t)

#miscfiles_read_localization(myapp_t)

#!!!! This avc can be allowed using the boolean 'global_ssp'
allow myapp_t urandom_device_t:chr_file {read open};



On Mon, Jan 20, 2014 at 2:24 PM, jiun bookworm <thebookworm101@xxxxxxxxx> wrote:
init_ranged_daemon_domain() was not working for me,  im  sure i have done something wrong,  but i have no idea what or where that is,    right now with the policy as it is, its running in   system_u:object_r:unlabeled_t:s0   meaning iv borked things big time.

here is the policy:


policy_module(myapp, 1.0.0)

########################################
#
# Declarations
#
require {
#        type init_t;
         type initrc_t;

         type systemd_unit_file_t ;
         type urandom_device_t ;
         type etc_runtime_t ;
         type proc_t;
         type bin_t;
         type tmp_t;
         type user_home_dir_t;
         type user_home_t;
         type net_conf_t;
         type ldconfig_exec_t;
         type mongod_port_t;
         type unreserved_port_t;
         type http_cache_port_t;
         type http_port_t;
         type sandbox_file_t;
         type node_t ;
         type shell_exec_t ;
         type bin_t ;
         type security_t ;
         type setroubleshootd_t ;
         type unconfined_t ;
         type default_t ;
}

init_ranged_daemon_domain(myapp_t,myapp_exec_t,s0 - mcs_systemhigh);
type myapp_t;
domain_type(myapp_t);
type myapp_exec_t;

type myapp_unit_file_t;
systemd_unit_file(systemd_unit_file_t)

mcs_process_set_categories(myapp_t);

########################################

allow myapp_t self:fifo_file rw_fifo_file_perms;
allow myapp_t self:unix_stream_socket create_stream_socket_perms;
allow myapp_t self:process signal;
allow myapp_t etc_runtime_t:file { read getattr open ioctl execute};
allow myapp_t proc_t:file { read open};
allow myapp_t bin_t:dir write;
allow myapp_t bin_t:file { execute execute_no_trans };

allow myapp_t proc_t:file getattr;
allow myapp_t tmp_t:dir {write add_name};
allow myapp_t tmp_t:file {write open create};
allow myapp_t user_home_dir_t:dir { search getattr read open write add_name};
allow myapp_t user_home_t:file { read open  getattr ioctl create};
allow myapp_t user_home_t:dir { read open search getattr };
allow myapp_t ldconfig_exec_t:file {execute  read open  execute_no_trans};
allow myapp_t net_conf_t:file { read  open   getattr ioctl};
allow myapp_t mongod_port_t:tcp_socket name_connect;
allow myapp_t unreserved_port_t:tcp_socket {name_bind create setopt connect getattr getopt write  read bind append};
allow myapp_t node_t:tcp_socket {node_bind };
allow myapp_t http_cache_port_t:tcp_socket { name_connect create setopt connect getattr getopt write  read bind append };
allow myapp_t http_port_t:tcp_socket { name_connect };
allow myapp_t sandbox_file_t:dir { search getattr read open write add_name create  };
allow myapp_t sandbox_file_t:file { read open  getattr ioctl create write  relabelfrom relabelto  };
allow myapp_t sandbox_file_t:dir { relabelfrom relabelto };
allow myapp_t shell_exec_t:file { execute execute_no_trans };
allow myapp_t security_t:file write;


allow myapp_t self:tcp_socket { create setopt connect getattr getopt write  read bind append listen accept};
allow myapp_t self:udp_socket { create connect getattr getopt setopt write read bind append listen accept };


allow myapp_t self:netlink_route_socket { create bind getattr write nlmsg_read nlmsg_write read setattr lock getopt setopt append };


domain_use_interactive_fds(myapp_t)



allow myapp_t urandom_device_t:chr_file {read open};

allow myapp_t default_t:file { read getattr execute  open  execute_no_trans};
allow setroubleshootd_t myapp_exec_t:file getattr;
allow init_t myapp_exec_t:file execute;
allow init_t myapp_exec_t:file { read open execute  getattr entrypoint };



On Mon, Jan 20, 2014 at 12:19 PM, Dominick Grift <dominick.grift@xxxxxxxxx> wrote:
On Mon, 2014-01-20 at 05:51 +0300, jiun bookworm wrote:
> Let me try the question again,  all  init daemons are started  with
> the context specified at
> [jiun@localhost ~]$ cat /etc/selinux/targeted/contexts/initrc_context
> system_u:system_r:initrc_t:s0
>
>
> is it possible to have my application specifically override this and
> start with the full mcs range? you mentioned that
> the init_t is able to do something like this because of some
> mcsconstraints, what constraints are these?
>
> iv tried these and they do not work:
>
> init_ranged_daemon_domain(myapp_t,myapp_exec_t,s0 - mcs_systemhigh)

In theory the above should work maybe theres a small error somewhere
You should probably look more into the source policy for examples

> mcs_process_set_categories(myapp_t);

Thats one of the available mcs interfaces. Theres more in the policy

seinfo -a | grep mcs

> range_transition initrc_t myapp_exec_t:process s0:c0.c1023;
>
oh right, it should probably be:

range_transition init_t myapp_exec_t:process s0:c0.c1023;

So maybe init_ranged_daemon_domain() needed to be updated to reflect
systems.

But the idea is that init_ranged_daemon_domain() should work

>
> On Mon, Jan 20, 2014 at 2:28 AM, Dominick Grift
> <dominick.grift@xxxxxxxxx> wrote:
>         On Mon, 2014-01-20 at 01:42 +0300, jiun bookworm wrote:
>
>         > Dominick,
>         > thanks but you may have misunderstood my question,  its not
>         the daemon
>         > that is confined to one category
>         > its the child processes that it spawns,   previously when in
>         init_t
>         > the app could spawn processes and assign
>         >
>         > them categories, now it  can not,  when running under
>         myapp_t,   what
>         > makes init_t or  other types able to
>         > support mcs and myapp_t can not?
>
>
>         There are two options:
>
>         1. you run the parent with the full mcs range
>         2. you override mcs constraints for the parent using the
>         applicable mcs
>         type attributes
>
>         the latter is why init is allowed to do it but i recommend the
>         former
>         for your parent process
>
>
>
>




--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux