Re: how to transition a daemon to its own domain

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Ok,
so my celebration was a little premature, it seems the only reason the daemon's execution of a cmdline utility in a particular category  had worked when running in  the initrc_t domain was because apparently    initrc_t  is  equivalent to  unconfined_t[1], so it offers zero protection. 
Now i  if anyone outthere has any ideas on how to allow an app in its domain myapp_t   (plus full mcs range)  to use runcon to run something in one of those categories (like 'runcon -l cX,cY /path/to/app /path/to/input' ) it would be awesome :)

[1] http://mgrepl.fedorapeople.org/Presentations/HowToBeSELinuxAware.pdf



On Tue, Jan 21, 2014 at 6:07 PM, jiun bookworm <thebookworm101@xxxxxxxxx> wrote:
Thanks,
but i tried that after sending the email,  i saw it while looking at some policies (init.te) in fedora selinux policy source, and its not worked,  (please see the end of this email for some questions)

here is what the policy looks like currently.


policy_module(myapp, 1.0.0)

########################################
#
# Declarations
#
require {
         type init_t;
         type initrc_t;
         type systemd_unit_file_t ;
         type urandom_device_t ;
         type etc_runtime_t ;
         type proc_t;
         type bin_t;
         type tmp_t;
         type user_home_dir_t;
         type user_home_t;
         type net_conf_t;
         type ldconfig_exec_t;
         type mongod_port_t;
         type unreserved_port_t;
         type http_cache_port_t;
         type http_port_t;
         type sandbox_file_t;
         type node_t ;
         type shell_exec_t ;
         type bin_t ;
         type default_t ;
         type usr_t ;
         type root_t ;
         type security_t ;
         type unlabeled_t ;
         type unlabeled_t ;
         type milter_port_t ;

}

type myapp_t;
type myapp_exec_t;

init_daemon_domain(myapp_t,myapp_exec_t);

ifdef(`enable_mcs',`

    init_ranged_daemon_domain(myapp_t,myapp_exec_t,s0 - mcs_systemhigh);
')

systemd_unit_file(systemd_unit_file_t) ;


########################################
allow myapp_t self:fifo_file rw_fifo_file_perms;
allow myapp_t self:unix_stream_socket create_stream_socket_perms;
allow myapp_t self:process { signal transition setexec setcurrent dyntransition  };

allow myapp_t etc_runtime_t:file { read getattr open ioctl execute};
allow myapp_t proc_t:file { read open};
allow myapp_t bin_t:dir { write add_name create };
allow myapp_t bin_t:file { execute  execute_no_trans read open  getattr ioctl };
allow myapp_t proc_t:file getattr;
allow myapp_t tmp_t:dir {write add_name};
allow myapp_t tmp_t:file {write open create};
allow myapp_t ldconfig_exec_t:file {execute  read open  execute_no_trans};
allow myapp_t net_conf_t:file { read  open   getattr ioctl};
allow myapp_t mongod_port_t:tcp_socket name_connect;
allow myapp_t unreserved_port_t:tcp_socket {name_bind create setopt connect getattr getopt write  read bind append};
allow myapp_t node_t:tcp_socket {node_bind };
allow myapp_t http_cache_port_t:tcp_socket { name_connect create setopt connect getattr getopt write  read bind append };
allow myapp_t http_port_t:tcp_socket { name_connect };
allow myapp_t sandbox_file_t:dir { search getattr read open write add_name create  };
allow myapp_t sandbox_file_t:file { read open  getattr ioctl create write  relabelfrom relabelto  };
allow myapp_t sandbox_file_t:dir { relabelfrom relabelto };
allow myapp_t shell_exec_t:file { execute execute_no_trans  entrypoint };

allow myapp_t default_t:dir { search read getattr write  add_name  remove_name };
allow myapp_t default_t:file { read getattr open execute execute_no_trans ioctl create write  rename unlink };
allow myapp_t default_t:lnk_file { read getattr ioctl open } ;

allow myapp_t root_t:dir {  write search read getattr add_name create relabelfrom } ;
allow myapp_t root_t:file {  write  read getattr  create open ioctl  relabelfrom } ;
allow myapp_t security_t:file write;
allow myapp_t security_t:security check_context;
allow myapp_t milter_port_t:tcp_socket name_bind;

mcs_process_set_categories(myapp_t);


allow myapp_t usr_t:file { execute entrypoint  read getattr  create open ioctl };
allow unlabeled_t root_t:dir { search read getattr write  add_name  remove_name };


allow myapp_t self:tcp_socket { create setopt connect getattr getopt write  read bind append listen accept};
allow myapp_t self:udp_socket { create connect getattr getopt setopt write read bind append listen accept };

allow myapp_t self:netlink_route_socket { create bind getattr write nlmsg_read nlmsg_write read setattr lock getopt setopt append };


domain_use_interactive_fds(myapp_t)

#files_read_etc_files(myapp_t)

#miscfiles_read_localization(myapp_t)

#!!!! This avc can be allowed using the boolean 'global_ssp'
allow myapp_t urandom_device_t:chr_file {read open};

##############################################################
##############################################################


do you have any   clues  on what other  obvious places i should look ( im new to policy writting so im inclined
 to think there is something simple iv missed as a beginner).
there is nothing in the  audit_t logs about  denials,  now in the runcon manual it states clearly that only
carefully chosen contexts are going to run, obviously there is something preventing the command from
running,  but runcon does not provoke any avc denials,  is there a way to figure out the specific reason for runcon
to fail?


thanks


On Tue, Jan 21, 2014 at 5:22 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/21/2014 03:31 AM, jiun bookworm wrote:
> I have nanaged to get  the daemon working with the full mcs range, but it
> can not run a shell program under a particular category with runcon, what
> special priviledges are neccessary for an app to use runcon?
>
> this is the error message when the app calls a shell command with runcon
>
> /bin/runcon: invalid context: system_u:system_r:myapp_t:s0:c370,c606:
> Permission denied
>
> after attempting to do this: /bin/runcon   -l s0:c370,c606   /path/to/app
> input
>
> the daemon itself runs in the following context:
>
> system_u:system_r:myapp_t:s0-s0:c0.c1023  myapp  7542 0.2  0.0 909660 60 ?
> Ssl 01:06   0:14
>
>
>
Potentially mcs_process_set_categories(myapp_t)


> here is the policy
>
> policy_module(myapp, 1.0.0)
>
> ######################################## # # Declarations # require { type
> init_t; type initrc_t; type systemd_unit_file_t ; type urandom_device_t ;
> type etc_runtime_t ; type proc_t; type bin_t; type tmp_t; type
> user_home_dir_t; type user_home_t; type net_conf_t; type ldconfig_exec_t;
> type mongod_port_t; type unreserved_port_t; type http_cache_port_t; type
> http_port_t; type sandbox_file_t; type node_t ; type shell_exec_t ; type
> bin_t ; type default_t ; type usr_t ; type root_t ; type security_t ; type
> unlabeled_t ; }
>
> type myapp_t; type myapp_exec_t;
>
> init_daemon_domain(myapp_t,myapp_exec_t);
>
> ifdef(`enable_mcs',` init_ranged_daemon_domain(myapp_t,myapp_exec_t,s0 -
> mcs_systemhigh); ') systemd_unit_file(systemd_unit_file_t) ;
>
>
> ######################################## allow myapp_t self:fifo_file
> rw_fifo_file_perms; allow myapp_t self:unix_stream_socket
> create_stream_socket_perms; allow myapp_t self:process { signal transition
> setexec }; allow myapp_t etc_runtime_t:file { read getattr open ioctl
> execute}; allow myapp_t proc_t:file { read open}; allow myapp_t bin_t:dir {
> write add_name create }; allow myapp_t bin_t:file { execute
> execute_no_trans read open  getattr ioctl }; allow myapp_t proc_t:file
> getattr; allow myapp_t tmp_t:dir {write add_name}; allow myapp_t tmp_t:file
> {write open create}; allow myapp_t ldconfig_exec_t:file {execute  read open
> execute_no_trans}; allow myapp_t net_conf_t:file { read  open   getattr
> ioctl}; allow myapp_t mongod_port_t:tcp_socket name_connect; allow myapp_t
> unreserved_port_t:tcp_socket {name_bind create setopt connect getattr
> getopt write  read bind append}; allow myapp_t node_t:tcp_socket {node_bind
> }; allow myapp_t http_cache_port_t:tcp_socket { name_connect create setopt
> connect getattr getopt write  read bind append }; allow myapp_t
> http_port_t:tcp_socket { name_connect }; allow myapp_t sandbox_file_t:dir {
> search getattr read open write add_name create  }; allow myapp_t
> sandbox_file_t:file { read open  getattr ioctl create write relabelfrom
> relabelto  }; allow myapp_t sandbox_file_t:dir { relabelfrom relabelto };
> allow myapp_t shell_exec_t:file { execute execute_no_trans };
>
>
> allow myapp_t default_t:dir { search read getattr write }; allow myapp_t
> default_t:file { read getattr open execute execute_no_trans ioctl }; allow
> myapp_t default_t:lnk_file read; allow myapp_t root_t:dir {  write search
> read getattr add_name create relabelfrom } ; allow myapp_t root_t:file {
> write  read getattr  create open ioctl  relabelfrom } ; allow myapp_t
> security_t:file write; allow myapp_t security_t:security check_context;
>
> allow myapp_t usr_t:file { execute entrypoint  read getattr  create open
> ioctl };
>
> allow unlabeled_t root_t:dir search;
>
> allow myapp_t self:tcp_socket { create setopt connect getattr getopt write
> read bind append listen accept}; allow myapp_t self:udp_socket { create
> connect getattr getopt setopt write read bind append listen accept };
>
> domain_use_interactive_fds(myapp_t)
>
> #files_read_etc_files(myapp_t)
>
> #miscfiles_read_localization(myapp_t)
>
> #!!!! This avc can be allowed using the boolean 'global_ssp' allow myapp_t
> urandom_device_t:chr_file {read open};
>
>
>
> On Mon, Jan 20, 2014 at 2:24 PM, jiun bookworm <thebookworm101@xxxxxxxxx
> <mailto:thebookworm101@xxxxxxxxx>> wrote:
>
> init_ranged_daemon_domain() was not working for me,  im  sure i have done
> something wrong,  but i have no idea what or where that is,    right now
> with the policy as it is, its running in system_u:object_r:unlabeled_t:s0
> meaning iv borked things big time.
>
> here is the policy:
>
>
> policy_module(myapp, 1.0.0)
>
> ######################################## # # Declarations # require { #
> type init_t; type initrc_t;
>
> type systemd_unit_file_t ; type urandom_device_t ; type etc_runtime_t ;
> type proc_t; type bin_t; type tmp_t; type user_home_dir_t; type
> user_home_t; type net_conf_t; type ldconfig_exec_t; type mongod_port_t;
> type unreserved_port_t; type http_cache_port_t; type http_port_t; type
> sandbox_file_t; type node_t ; type shell_exec_t ; type bin_t ; type
> security_t ; type setroubleshootd_t ; type unconfined_t ; type default_t ;
> }
>
> init_ranged_daemon_domain(myapp_t,myapp_exec_t,s0 - mcs_systemhigh); type
> myapp_t; domain_type(myapp_t); type myapp_exec_t;
>
> type myapp_unit_file_t; systemd_unit_file(systemd_unit_file_t)
>
> mcs_process_set_categories(myapp_t);
>
> ########################################
>
> allow myapp_t self:fifo_file rw_fifo_file_perms; allow myapp_t
> self:unix_stream_socket create_stream_socket_perms; allow myapp_t
> self:process signal; allow myapp_t etc_runtime_t:file { read getattr open
> ioctl execute}; allow myapp_t proc_t:file { read open}; allow myapp_t
> bin_t:dir write; allow myapp_t bin_t:file { execute execute_no_trans };
>
> allow myapp_t proc_t:file getattr; allow myapp_t tmp_t:dir {write
> add_name}; allow myapp_t tmp_t:file {write open create}; allow myapp_t
> user_home_dir_t:dir { search getattr read open write add_name}; allow
> myapp_t user_home_t:file { read open  getattr ioctl create}; allow myapp_t
> user_home_t:dir { read open search getattr }; allow myapp_t
> ldconfig_exec_t:file {execute  read open  execute_no_trans}; allow myapp_t
> net_conf_t:file { read  open   getattr ioctl}; allow myapp_t
> mongod_port_t:tcp_socket name_connect; allow myapp_t
> unreserved_port_t:tcp_socket {name_bind create setopt connect getattr
> getopt write  read bind append}; allow myapp_t node_t:tcp_socket {node_bind
> }; allow myapp_t http_cache_port_t:tcp_socket { name_connect create setopt
> connect getattr getopt write  read bind append }; allow myapp_t
> http_port_t:tcp_socket { name_connect }; allow myapp_t sandbox_file_t:dir {
> search getattr read open write add_name create  }; allow myapp_t
> sandbox_file_t:file { read open  getattr ioctl create write relabelfrom
> relabelto  }; allow myapp_t sandbox_file_t:dir { relabelfrom relabelto };
> allow myapp_t shell_exec_t:file { execute execute_no_trans }; allow myapp_t
> security_t:file write;
>
>
> allow myapp_t self:tcp_socket { create setopt connect getattr getopt write
>  read bind append listen accept}; allow myapp_t self:udp_socket { create
> connect getattr getopt setopt write read bind append listen accept };
>
>
> allow myapp_t self:netlink_route_socket { create bind getattr write
> nlmsg_read nlmsg_write read setattr lock getopt setopt append };
>
>
> domain_use_interactive_fds(myapp_t)
>
>
>
> allow myapp_t urandom_device_t:chr_file {read open};
>
> allow myapp_t default_t:file { read getattr execute  open
> execute_no_trans}; allow setroubleshootd_t myapp_exec_t:file getattr; allow
> init_t myapp_exec_t:file execute; allow init_t myapp_exec_t:file { read
> open execute  getattr entrypoint };
>
>
>
> On Mon, Jan 20, 2014 at 12:19 PM, Dominick Grift <dominick.grift@xxxxxxxxx
> <mailto:dominick.grift@xxxxxxxxx>> wrote:
>
> On Mon, 2014-01-20 at 05:51 +0300, jiun bookworm wrote:
>> Let me try the question again,  all  init daemons are started  with the
>> context specified at [jiun@localhost ~]$ cat
>> /etc/selinux/targeted/contexts/initrc_context
>> system_u:system_r:initrc_t:s0
>>
>>
>> is it possible to have my application specifically override this and
>> start with the full mcs range? you mentioned that the init_t is able to
>> do something like this because of some mcsconstraints, what constraints
>> are these?
>>
>> iv tried these and they do not work:
>>
>> init_ranged_daemon_domain(myapp_t,myapp_exec_t,s0 - mcs_systemhigh)
>
> In theory the above should work maybe theres a small error somewhere You
> should probably look more into the source policy for examples
>
>> mcs_process_set_categories(myapp_t);
>
> Thats one of the available mcs interfaces. Theres more in the policy
>
> seinfo -a | grep mcs
>
>> range_transition initrc_t myapp_exec_t:process s0:c0.c1023;
>>
> oh right, it should probably be:
>
> range_transition init_t myapp_exec_t:process s0:c0.c1023;
>
> So maybe init_ranged_daemon_domain() needed to be updated to reflect
> systems.
>
> But the idea is that init_ranged_daemon_domain() should work
>
>>
>> On Mon, Jan 20, 2014 at 2:28 AM, Dominick Grift <dominick.grift@xxxxxxxxx
>> <mailto:dominick.grift@xxxxxxxxx>> wrote: On Mon, 2014-01-20 at 01:42
>> +0300, jiun bookworm wrote:
>>
>>> Dominick, thanks but you may have misunderstood my question,  its not
>> the daemon
>>> that is confined to one category its the child processes that it
>>> spawns,   previously when in
>> init_t
>>> the app could spawn processes and assign
>>>
>>> them categories, now it  can not,  when running under
>> myapp_t,   what
>>> makes init_t or  other types able to support mcs and myapp_t can not?
>>
>>
>> There are two options:
>>
>> 1. you run the parent with the full mcs range 2. you override mcs
>> constraints for the parent using the applicable mcs type attributes
>>
>> the latter is why init is allowed to do it but i recommend the former for
>> your parent process
>>
>>
>>
>>
>
>
>
>
>
>
> -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlLegqIACgkQrlYvE4MpobOXLACeNQ5HyBr3PSqIps0qbks+gPXZ
/xUAnR6nuOXHAoGuhqPCysSyOunVukbJ
=qRfS
-----END PGP SIGNATURE-----


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux