I have nanaged to get the daemon working with the full mcs range, but it can not run a shell program under a particular category with runcon, what special priviledges are neccessary for an app to use runcon?
this is the error message when the app calls a shell command with runcon
/bin/runcon: invalid context: system_u:system_r:myapp_t:s0:c370,c606: Permission denied
/bin/runcon: invalid context: system_u:system_r:myapp_t:s0:c370,c606: Permission denied
after attempting to do this:
/bin/runcon -l s0:c370,c606 /path/to/app input
/bin/runcon -l s0:c370,c606 /path/to/app input
the daemon itself runs in the following context:
system_u:system_r:myapp_t:s0-s0:c0.c1023 myapp 7542 0.2 0.0 909660 60 ? Ssl 01:06 0:14
here is the policy
policy_module(myapp, 1.0.0)
########################################
#
# Declarations
#
require {
type init_t;
type initrc_t;
type systemd_unit_file_t ;
type urandom_device_t ;
type etc_runtime_t ;
type proc_t;
type bin_t;
type tmp_t;
type user_home_dir_t;
type user_home_t;
type net_conf_t;
type ldconfig_exec_t;
type mongod_port_t;
type unreserved_port_t;
type http_cache_port_t;
type http_port_t;
type sandbox_file_t;
type node_t ;
type shell_exec_t ;
type bin_t ;
type default_t ;
type usr_t ;
type root_t ;
type security_t ;
type unlabeled_t ;
}
type myapp_t;
type myapp_exec_t;
init_daemon_domain(myapp_t,myapp_exec_t);
ifdef(`enable_mcs',`
init_ranged_daemon_domain(myapp_t,myapp_exec_t,s0 - mcs_systemhigh);
')
systemd_unit_file(systemd_unit_file_t) ;
########################################
allow myapp_t self:fifo_file rw_fifo_file_perms;
allow myapp_t self:unix_stream_socket create_stream_socket_perms;
allow myapp_t self:process { signal transition setexec };
allow myapp_t etc_runtime_t:file { read getattr open ioctl execute};
allow myapp_t proc_t:file { read open};
allow myapp_t bin_t:dir { write add_name create };
allow myapp_t bin_t:file { execute execute_no_trans read open getattr ioctl };
allow myapp_t proc_t:file getattr;
allow myapp_t tmp_t:dir {write add_name};
allow myapp_t tmp_t:file {write open create};
allow myapp_t ldconfig_exec_t:file {execute read open execute_no_trans};
allow myapp_t net_conf_t:file { read open getattr ioctl};
allow myapp_t mongod_port_t:tcp_socket name_connect;
allow myapp_t unreserved_port_t:tcp_socket {name_bind create setopt connect getattr getopt write read bind append};
allow myapp_t node_t:tcp_socket {node_bind };
allow myapp_t http_cache_port_t:tcp_socket { name_connect create setopt connect getattr getopt write read bind append };
allow myapp_t http_port_t:tcp_socket { name_connect };
allow myapp_t sandbox_file_t:dir { search getattr read open write add_name create };
allow myapp_t sandbox_file_t:file { read open getattr ioctl create write relabelfrom relabelto };
allow myapp_t sandbox_file_t:dir { relabelfrom relabelto };
allow myapp_t shell_exec_t:file { execute execute_no_trans };
allow myapp_t default_t:dir { search read getattr write };
allow myapp_t default_t:file { read getattr open execute execute_no_trans ioctl };
allow myapp_t default_t:lnk_file read;
allow myapp_t root_t:dir { write search read getattr add_name create relabelfrom } ;
allow myapp_t root_t:file { write read getattr create open ioctl relabelfrom } ;
allow myapp_t security_t:file write;
allow myapp_t security_t:security check_context;
allow myapp_t usr_t:file { execute entrypoint read getattr create open ioctl };
allow unlabeled_t root_t:dir search;
allow myapp_t self:tcp_socket { create setopt connect getattr getopt write read bind append listen accept};
allow myapp_t self:udp_socket { create connect getattr getopt setopt write read bind append listen accept };
domain_use_interactive_fds(myapp_t)
#files_read_etc_files(myapp_t)
#miscfiles_read_localization(myapp_t)
#!!!! This avc can be allowed using the boolean 'global_ssp'
allow myapp_t urandom_device_t:chr_file {read open};
On Mon, Jan 20, 2014 at 2:24 PM, jiun bookworm <thebookworm101@xxxxxxxxx> wrote:
init_ranged_daemon_domain() was not working for me, im sure i have done something wrong, but i have no idea what or where that is, right now with the policy as it is, its running in system_u:object_r:unlabeled_t:s0 meaning iv borked things big time.here is the policy:
type initrc_t;
policy_module(myapp, 1.0.0)
########################################
#
# Declarations
#
require {
# type init_t;type unreserved_port_t;
type systemd_unit_file_t ;
type urandom_device_t ;
type etc_runtime_t ;
type proc_t;
type bin_t;
type tmp_t;
type user_home_dir_t;
type user_home_t;
type net_conf_t;
type ldconfig_exec_t;
type mongod_port_t;
type http_cache_port_t;
type http_port_t;
type sandbox_file_t;
type node_t ;
type shell_exec_t ;
type bin_t ;
type security_t ;
type setroubleshootd_t ;
type unconfined_t ;
type default_t ;
}
init_ranged_daemon_domain(myapp_t,myapp_exec_t,s0 - mcs_systemhigh);
type myapp_t;
domain_type(myapp_t);
type myapp_exec_t;
type myapp_unit_file_t;
systemd_unit_file(systemd_unit_file_t)
mcs_process_set_categories(myapp_t);
########################################
allow myapp_t self:fifo_file rw_fifo_file_perms;
allow myapp_t self:unix_stream_socket create_stream_socket_perms;
allow myapp_t self:process signal;
allow myapp_t etc_runtime_t:file { read getattr open ioctl execute};
allow myapp_t proc_t:file { read open};allow myapp_t bin_t:file { execute execute_no_trans };
allow myapp_t bin_t:dir write;
allow myapp_t proc_t:file getattr;
allow myapp_t tmp_t:dir {write add_name};
allow myapp_t tmp_t:file {write open create};allow myapp_t user_home_dir_t:dir { search getattr read open write add_name};
allow myapp_t user_home_t:file { read open getattr ioctl create};
allow myapp_t user_home_t:dir { read open search getattr };allow myapp_t ldconfig_exec_t:file {execute read open execute_no_trans};allow myapp_t net_conf_t:file { read open getattr ioctl};allow myapp_t unreserved_port_t:tcp_socket {name_bind create setopt connect getattr getopt write read bind append};
allow myapp_t mongod_port_t:tcp_socket name_connect;
allow myapp_t node_t:tcp_socket {node_bind };
allow myapp_t http_cache_port_t:tcp_socket { name_connect create setopt connect getattr getopt write read bind append };
allow myapp_t http_port_t:tcp_socket { name_connect };
allow myapp_t sandbox_file_t:dir { search getattr read open write add_name create };
allow myapp_t sandbox_file_t:file { read open getattr ioctl create write relabelfrom relabelto };
allow myapp_t sandbox_file_t:dir { relabelfrom relabelto };
allow myapp_t shell_exec_t:file { execute execute_no_trans };
allow myapp_t security_t:file write;
allow myapp_t self:tcp_socket { create setopt connect getattr getopt write read bind append listen accept};
allow myapp_t self:udp_socket { create connect getattr getopt setopt write read bind append listen accept };domain_use_interactive_fds(myapp_t)
allow myapp_t self:netlink_route_socket { create bind getattr write nlmsg_read nlmsg_write read setattr lock getopt setopt append };
allow myapp_t default_t:file { read getattr execute open execute_no_trans};
allow myapp_t urandom_device_t:chr_file {read open};
allow setroubleshootd_t myapp_exec_t:file getattr;
allow init_t myapp_exec_t:file execute;
allow init_t myapp_exec_t:file { read open execute getattr entrypoint };On Mon, Jan 20, 2014 at 12:19 PM, Dominick Grift <dominick.grift@xxxxxxxxx> wrote:
On Mon, 2014-01-20 at 05:51 +0300, jiun bookworm wrote:In theory the above should work maybe theres a small error somewhere
> Let me try the question again, all init daemons are started with
> the context specified at
> [jiun@localhost ~]$ cat /etc/selinux/targeted/contexts/initrc_context
> system_u:system_r:initrc_t:s0
>
>
> is it possible to have my application specifically override this and
> start with the full mcs range? you mentioned that
> the init_t is able to do something like this because of some
> mcsconstraints, what constraints are these?
>
> iv tried these and they do not work:
>
> init_ranged_daemon_domain(myapp_t,myapp_exec_t,s0 - mcs_systemhigh)
You should probably look more into the source policy for examples
> mcs_process_set_categories(myapp_t);
Thats one of the available mcs interfaces. Theres more in the policy
seinfo -a | grep mcs
oh right, it should probably be:
> range_transition initrc_t myapp_exec_t:process s0:c0.c1023;
>
range_transition init_t myapp_exec_t:process s0:c0.c1023;
So maybe init_ranged_daemon_domain() needed to be updated to reflect
systems.
But the idea is that init_ranged_daemon_domain() should work
>
> On Mon, Jan 20, 2014 at 2:28 AM, Dominick Grift
> <dominick.grift@xxxxxxxxx> wrote:
> On Mon, 2014-01-20 at 01:42 +0300, jiun bookworm wrote:
>
> > Dominick,
> > thanks but you may have misunderstood my question, its not
> the daemon
> > that is confined to one category
> > its the child processes that it spawns, previously when in
> init_t
> > the app could spawn processes and assign
> >
> > them categories, now it can not, when running under
> myapp_t, what
> > makes init_t or other types able to
> > support mcs and myapp_t can not?
>
>
> There are two options:
>
> 1. you run the parent with the full mcs range
> 2. you override mcs constraints for the parent using the
> applicable mcs
> type attributes
>
> the latter is why init is allowed to do it but i recommend the
> former
> for your parent process
>
>
>
>
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux