Ok, so my celebration was a little premature; it seems the only reason the daemon's execution of a cmdline utility in a particular category had worked when running in the initrc_t domain was because apparently initrc_t is equivalent to unconfined_t [1], so it offers zero protection.

[1] http://mgrepl.fedorapeople.org/Presentations/HowToBeSELinuxAware.pdf
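The runcon failure discussed further down in this thread (a daemon running at plain s0 cannot do `runcon -l s0:c370,c606`, but one running at s0-s0:c0.c1023 can) follows from the MCS dominance constraint on process levels. The following Python is an added example, not code from the thread; it parses contexts as printed by ps -eZ and checks that constraint. The function names and the sample contexts are my own.

```python
import re

# Parse an MCS level such as "s0", "s0:c0.c1023" or "s0:c370,c606" into
# (sensitivity, set of category numbers). "cA.cB" is an inclusive range.
def parse_level(level):
    sens, _, cats = level.partition(":")
    categories = set()
    for part in filter(None, cats.split(",")):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)
        if not m:
            raise ValueError(f"bad category spec: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        categories.update(range(lo, hi + 1))
    return sens, categories

# Split "user:role:type:low[-high]" (as printed by ps -eZ) into its fields.
# A context carrying a single level has high == low.
def parse_context(ctx):
    user, role, typ, mls = ctx.split(":", 3)
    low, _, high = mls.partition("-")
    return {"user": user, "role": role, "type": typ,
            "low": parse_level(low), "high": parse_level(high or low)}

# The MCS constraint behind "invalid context ... Permission denied" in this
# thread: a process may only set (runcon -l / setexeccon) a level whose
# categories are a subset of its own high level. MCS uses the single
# sensitivity s0, so sensitivity dominance reduces to equality here.
# Domains given mcs_process_set_categories() are exempt from this check in
# policy; this function models only the ordinary, non-exempt case.
def can_set_level(process_ctx, target_level):
    high_sens, high_cats = parse_context(process_ctx)["high"]
    t_sens, t_cats = parse_level(target_level)
    return t_sens == high_sens and t_cats <= high_cats

if __name__ == "__main__":
    # Constructed contexts mirroring the thread: the daemon at s0 only, and
    # the daemon after init_ranged_daemon_domain() gave it the full range.
    for ctx in ("system_u:system_r:myapp_t:s0",
                "system_u:system_r:myapp_t:s0-s0:c0.c1023"):
        print(ctx, "->", can_set_level(ctx, "s0:c370,c606"))
```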
On Tue, Jan 21, 2014 at 6:07 PM, jiun bookworm <thebookworm101@xxxxxxxxx> wrote:
Thanks, but I tried that after sending the email; I saw it while looking at some policies (init.te) in the Fedora SELinux policy source, and it has not worked (please see the end of this email for some questions).

Here is what the policy looks like currently.

policy_module(myapp, 1.0.0)
########################################
#
# Declarations
#
require {
type init_t;
type initrc_t;
type systemd_unit_file_t ;
type urandom_device_t ;
type etc_runtime_t ;
type proc_t;
type bin_t;
type tmp_t;
type user_home_dir_t;
type user_home_t;
type net_conf_t;
type ldconfig_exec_t;
type mongod_port_t;
type unreserved_port_t;
type http_cache_port_t;
type http_port_t;
type sandbox_file_t;
type node_t ;
type shell_exec_t ;
type bin_t ;
type default_t ;
type usr_t ;
type root_t ;
type security_t ;
type unlabeled_t ;
type milter_port_t ;
}
type myapp_t;
type myapp_exec_t;
init_daemon_domain(myapp_t,myapp_exec_t);
ifdef(`enable_mcs',`
init_ranged_daemon_domain(myapp_t,myapp_exec_t,s0 - mcs_systemhigh);
')
systemd_unit_file(systemd_unit_file_t) ;
########################################
allow myapp_t self:fifo_file rw_fifo_file_perms;
allow myapp_t self:unix_stream_socket create_stream_socket_perms;
allow myapp_t self:process { signal transition setexec setcurrent dyntransition };
allow myapp_t shell_exec_t:file { execute execute_no_trans entrypoint };
allow myapp_t etc_runtime_t:file { read getattr open ioctl execute};
allow myapp_t proc_t:file { read open};
allow myapp_t bin_t:dir { write add_name create };
allow myapp_t bin_t:file { execute execute_no_trans read open getattr ioctl };
allow myapp_t proc_t:file getattr;
allow myapp_t tmp_t:dir {write add_name};
allow myapp_t tmp_t:file {write open create};
allow myapp_t ldconfig_exec_t:file {execute read open execute_no_trans};
allow myapp_t net_conf_t:file { read open getattr ioctl};
allow myapp_t mongod_port_t:tcp_socket name_connect;
allow myapp_t unreserved_port_t:tcp_socket {name_bind create setopt connect getattr getopt write read bind append};
allow myapp_t node_t:tcp_socket {node_bind };
allow myapp_t http_cache_port_t:tcp_socket { name_connect create setopt connect getattr getopt write read bind append };
allow myapp_t http_port_t:tcp_socket { name_connect };
allow myapp_t sandbox_file_t:dir { search getattr read open write add_name create };
allow myapp_t sandbox_file_t:file { read open getattr ioctl create write relabelfrom relabelto };
allow myapp_t sandbox_file_t:dir { relabelfrom relabelto };
allow myapp_t default_t:dir { search read getattr write add_name remove_name };
allow myapp_t default_t:file { read getattr open execute execute_no_trans ioctl create write rename unlink };
allow myapp_t default_t:lnk_file { read getattr ioctl open } ;
allow myapp_t milter_port_t:tcp_socket name_bind;
allow myapp_t root_t:dir { write search read getattr add_name create relabelfrom } ;
allow myapp_t root_t:file { write read getattr create open ioctl relabelfrom } ;
allow myapp_t security_t:file write;
allow myapp_t security_t:security check_context;
mcs_process_set_categories(myapp_t);
allow unlabeled_t root_t:dir { search read getattr write add_name remove_name };
allow myapp_t usr_t:file { execute entrypoint read getattr create open ioctl };
allow myapp_t self:tcp_socket { create setopt connect getattr getopt write read bind append listen accept};
allow myapp_t self:udp_socket { create connect getattr getopt setopt write read bind append listen accept };
allow myapp_t self:netlink_route_socket { create bind getattr write nlmsg_read nlmsg_write read setattr lock getopt setopt append };
domain_use_interactive_fds(myapp_t)
#files_read_etc_files(myapp_t)
##############################################################
#miscfiles_read_localization(myapp_t)
#!!!! This avc can be allowed using the boolean 'global_ssp'
allow myapp_t urandom_device_t:chr_file {read open};
##############################################################

Do you have any clues on what other obvious places I should look? (I'm new to policy writing, so I'm inclined to think there is something simple I've missed as a beginner.) There is nothing in the audit logs about denials. Now, the runcon manual states clearly that only carefully chosen contexts are going to run; obviously there is something preventing the command from running, but runcon does not provoke any AVC denials. Is there a way to figure out the specific reason for runcon to fail?

Thanks

On Tue, Jan 21, 2014 at 5:22 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
Potentially mcs_process_set_categories(myapp_t)
On 01/21/2014 03:31 AM, jiun bookworm wrote:
> I have managed to get the daemon working with the full mcs range, but it
> can not run a shell program under a particular category with runcon. What
> special privileges are necessary for an app to use runcon?
>
> this is the error message when the app calls a shell command with runcon
>
> /bin/runcon: invalid context: system_u:system_r:myapp_t:s0:c370,c606:
> Permission denied
>
> after attempting to do this: /bin/runcon -l s0:c370,c606 /path/to/app
> input
>
> the daemon itself runs in the following context:
>
> system_u:system_r:myapp_t:s0-s0:c0.c1023 myapp 7542 0.2 0.0 909660 60 ?
> Ssl 01:06 0:14
>
>
>
> here is the policy
>
> policy_module(myapp, 1.0.0)
>
> ########################################
> #
> # Declarations
> #
> require {
> type init_t;
> type initrc_t;
> type systemd_unit_file_t ;
> type urandom_device_t ;
> type etc_runtime_t ;
> type proc_t;
> type bin_t;
> type tmp_t;
> type user_home_dir_t;
> type user_home_t;
> type net_conf_t;
> type ldconfig_exec_t;
> type mongod_port_t;
> type unreserved_port_t;
> type http_cache_port_t;
> type http_port_t;
> type sandbox_file_t;
> type node_t ;
> type shell_exec_t ;
> type bin_t ;
> type default_t ;
> type usr_t ;
> type root_t ;
> type security_t ;
> type unlabeled_t ;
> }
>
> type myapp_t;
> type myapp_exec_t;
>
> init_daemon_domain(myapp_t,myapp_exec_t);
>
> ifdef(`enable_mcs',`
> init_ranged_daemon_domain(myapp_t,myapp_exec_t,s0 - mcs_systemhigh);
> ')
> systemd_unit_file(systemd_unit_file_t) ;
>
>
> ########################################
> allow myapp_t self:fifo_file rw_fifo_file_perms;
> allow myapp_t self:unix_stream_socket create_stream_socket_perms;
> allow myapp_t self:process { signal transition setexec };
> allow myapp_t etc_runtime_t:file { read getattr open ioctl execute};
> allow myapp_t proc_t:file { read open};
> allow myapp_t bin_t:dir { write add_name create };
> allow myapp_t bin_t:file { execute execute_no_trans read open getattr ioctl };
> allow myapp_t proc_t:file getattr;
> allow myapp_t tmp_t:dir {write add_name};
> allow myapp_t tmp_t:file {write open create};
> allow myapp_t ldconfig_exec_t:file {execute read open execute_no_trans};
> allow myapp_t net_conf_t:file { read open getattr ioctl};
> allow myapp_t mongod_port_t:tcp_socket name_connect;
> allow myapp_t unreserved_port_t:tcp_socket {name_bind create setopt connect getattr getopt write read bind append};
> allow myapp_t node_t:tcp_socket {node_bind };
> allow myapp_t http_cache_port_t:tcp_socket { name_connect create setopt connect getattr getopt write read bind append };
> allow myapp_t http_port_t:tcp_socket { name_connect };
> allow myapp_t sandbox_file_t:dir { search getattr read open write add_name create };
> allow myapp_t sandbox_file_t:file { read open getattr ioctl create write relabelfrom relabelto };
> allow myapp_t sandbox_file_t:dir { relabelfrom relabelto };
> allow myapp_t shell_exec_t:file { execute execute_no_trans };
>
>
> allow myapp_t default_t:dir { search read getattr write };
> allow myapp_t default_t:file { read getattr open execute execute_no_trans ioctl };
> allow myapp_t default_t:lnk_file read;
> allow myapp_t root_t:dir { write search read getattr add_name create relabelfrom } ;
> allow myapp_t root_t:file { write read getattr create open ioctl relabelfrom } ;
> allow myapp_t security_t:file write;
> allow myapp_t security_t:security check_context;
>
> allow myapp_t usr_t:file { execute entrypoint read getattr create open ioctl };
>
> allow unlabeled_t root_t:dir search;
>
> allow myapp_t self:tcp_socket { create setopt connect getattr getopt write read bind append listen accept};
> allow myapp_t self:udp_socket { create connect getattr getopt setopt write read bind append listen accept };
>
> domain_use_interactive_fds(myapp_t)
>
> #files_read_etc_files(myapp_t)
>
> #miscfiles_read_localization(myapp_t)
>
> #!!!! This avc can be allowed using the boolean 'global_ssp'
> allow myapp_t urandom_device_t:chr_file {read open};
>
>
>
> On Mon, Jan 20, 2014 at 2:24 PM, jiun bookworm <thebookworm101@xxxxxxxxx
> <mailto:thebookworm101@xxxxxxxxx>> wrote:
>
> init_ranged_daemon_domain() was not working for me. I'm sure I have done
> something wrong, but I have no idea what or where that is; right now,
> with the policy as it is, it's running in system_u:object_r:unlabeled_t:s0,
> meaning I've borked things big time.
>
> here is the policy:
>
>
> policy_module(myapp, 1.0.0)
>
> ########################################
> #
> # Declarations
> #
> require {
> # type init_t; type initrc_t;
> type systemd_unit_file_t ;
> type urandom_device_t ;
> type etc_runtime_t ;
> type proc_t;
> type bin_t;
> type tmp_t;
> type user_home_dir_t;
> type user_home_t;
> type net_conf_t;
> type ldconfig_exec_t;
> type mongod_port_t;
> type unreserved_port_t;
> type http_cache_port_t;
> type http_port_t;
> type sandbox_file_t;
> type node_t ;
> type shell_exec_t ;
> type bin_t ;
> type security_t ;
> type setroubleshootd_t ;
> type unconfined_t ;
> type default_t ;
> }
>
> init_ranged_daemon_domain(myapp_t,myapp_exec_t,s0 - mcs_systemhigh);
> type myapp_t;
> domain_type(myapp_t);
> type myapp_exec_t;
>
> type myapp_unit_file_t;
> systemd_unit_file(systemd_unit_file_t)
>
> mcs_process_set_categories(myapp_t);
>
> ########################################
>
> allow myapp_t self:fifo_file rw_fifo_file_perms;
> allow myapp_t self:unix_stream_socket create_stream_socket_perms;
> allow myapp_t self:process signal;
> allow myapp_t etc_runtime_t:file { read getattr open ioctl execute};
> allow myapp_t proc_t:file { read open};
> allow myapp_t bin_t:dir write;
> allow myapp_t bin_t:file { execute execute_no_trans };
>
> allow myapp_t proc_t:file getattr;
> allow myapp_t tmp_t:dir {write add_name};
> allow myapp_t tmp_t:file {write open create};
> allow myapp_t user_home_dir_t:dir { search getattr read open write add_name};
> allow myapp_t user_home_t:file { read open getattr ioctl create};
> allow myapp_t user_home_t:dir { read open search getattr };
> allow myapp_t ldconfig_exec_t:file {execute read open execute_no_trans};
> allow myapp_t net_conf_t:file { read open getattr ioctl};
> allow myapp_t mongod_port_t:tcp_socket name_connect;
> allow myapp_t unreserved_port_t:tcp_socket {name_bind create setopt connect getattr getopt write read bind append};
> allow myapp_t node_t:tcp_socket {node_bind };
> allow myapp_t http_cache_port_t:tcp_socket { name_connect create setopt connect getattr getopt write read bind append };
> allow myapp_t http_port_t:tcp_socket { name_connect };
> allow myapp_t sandbox_file_t:dir { search getattr read open write add_name create };
> allow myapp_t sandbox_file_t:file { read open getattr ioctl create write relabelfrom relabelto };
> allow myapp_t sandbox_file_t:dir { relabelfrom relabelto };
> allow myapp_t shell_exec_t:file { execute execute_no_trans };
> allow myapp_t security_t:file write;
>
>
> allow myapp_t self:tcp_socket { create setopt connect getattr getopt write read bind append listen accept};
> allow myapp_t self:udp_socket { create connect getattr getopt setopt write read bind append listen accept };
>
>
> allow myapp_t self:netlink_route_socket { create bind getattr write nlmsg_read nlmsg_write read setattr lock getopt setopt append };
>
>
> domain_use_interactive_fds(myapp_t)
>
>
>
> allow myapp_t urandom_device_t:chr_file {read open};
>
> allow myapp_t default_t:file { read getattr execute open execute_no_trans};
> allow setroubleshootd_t myapp_exec_t:file getattr;
> allow init_t myapp_exec_t:file execute;
> allow init_t myapp_exec_t:file { read open execute getattr entrypoint };
>
>
>
> On Mon, Jan 20, 2014 at 12:19 PM, Dominick Grift <dominick.grift@xxxxxxxxx
> <mailto:dominick.grift@xxxxxxxxx>> wrote:
>
> On Mon, 2014-01-20 at 05:51 +0300, jiun bookworm wrote:
>> Let me try the question again: all init daemons are started with the
>> context specified at
>> [jiun@localhost ~]$ cat /etc/selinux/targeted/contexts/initrc_context
>> system_u:system_r:initrc_t:s0
>>
>>
>> Is it possible to have my application specifically override this and
>> start with the full mcs range? You mentioned that init_t is able to
>> do something like this because of some mcs constraints; what constraints
>> are these?
>>
>> I've tried these and they do not work:
>>
>> init_ranged_daemon_domain(myapp_t,myapp_exec_t,s0 - mcs_systemhigh)
>
> In theory the above should work; maybe there's a small error somewhere. You
> should probably look more into the source policy for examples.
>
>> mcs_process_set_categories(myapp_t);
>
> That's one of the available mcs interfaces. There's more in the policy:
>
> seinfo -a | grep mcs
>
>> range_transition initrc_t myapp_exec_t:process s0:c0.c1023;
>>
> oh right, it should probably be:
>
> range_transition init_t myapp_exec_t:process s0:c0.c1023;
>
> So maybe init_ranged_daemon_domain() needed to be updated to reflect
> systems.
>
> But the idea is that init_ranged_daemon_domain() should work
>
>>
>> On Mon, Jan 20, 2014 at 2:28 AM, Dominick Grift <dominick.grift@xxxxxxxxx> wrote:
>> On Mon, 2014-01-20 at 01:42 +0300, jiun bookworm wrote:
>>
>>> Dominick, thanks, but you may have misunderstood my question. It's not the daemon
>>> that is confined to one category, it's the child processes that it spawns. Previously, when in init_t,
>>> the app could spawn processes and assign them categories; now it can not, when running under
>>> myapp_t. What makes init_t or other types able to support mcs and myapp_t can not?
>>
>>
>> There are two options:
>>
>> 1. you run the parent with the full mcs range
>> 2. you override mcs constraints for the parent using the applicable mcs type attributes
>>
>> The latter is why init is allowed to do it, but I recommend the former for
>> your parent process.
>>
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux