Re: Puzzle involving sudo_role_template, shell script context, file type in /tmp

On 01/28/2016 08:08 PM, lou@xxxxxx wrote:
> Folks,
> 
>     I have a problem with SEL file type in /tmp --- I just don't understand why a particular type is being used. More precisely, I don't understand how the domain that uses this file type comes into play. I'm hoping someone can enlighten me.
> 
>    I have a setup where subversion is accessed through httpd (mod_dav_svn). The post-commit hook runs as the confined uid apache. The hook needs to do bookkeeping using a different confined uid, coin. I've implemented a custom SEL module svn_hook, to allow this. It uses the sudo_role_template macro as part of the setup. The full domain transition sequence to get to the sudo'd script is:
>   * Domain httpd_t transitions through type svn_hook_exec_t to domain svn_hook_t when the top-level hook script is
>     executed
>   * User changes from apache to coin by sudo'ing a second-level script. The expected domain transition would be
>     svn_hook_t -> svn_hook_sudo_t -> svn_hook_t. (Perhaps I'm wrong on this?)
> 
> When I run 'id' in the second-level script, it says the context is
>   uid=1002(coin) gid=1013(coin-web) context=system_u:system_r:svn_hook_t:s0
> as expected. Elsewhere in the SEL module, svn_hook_t is granted full file and directory management rights in /tmp with the files_manage_generic_tmp_{dirs,files} macros. When I run, for example, 'svn export' in this script, it happily creates entire directory trees of type tmp_t in /tmp, as expected.
> 
>     But ... if I try to redirect output to a file, or execute something like 'touch foo', the type used for file creation is svn_hook_sudo_tmp_t (generated within the sudo_role_template macro). I've opened this macro up, and I can see it will create the rule   'type_transition svn_hook_sudo_t tmp_t:file svn_hook_sudo_tmp_t;' Fine, I understand. And I've managed to deal with the issue by allowing domain svn_hook_t to manage files of type svn_hook_sudo_tmp_t.
> 
>     What I don't understand: Why is domain svn_hook_sudo_t in play here? According to id, the script is running in domain svn_hook_t. 

Yes, this is correct. You can see

    # Enter this derived domain from the user domain
    domtrans_pattern($3, sudo_exec_t, $1_sudo_t)


    # By default, revert to the calling domain when a shell is executed.
    corecmd_shell_domtrans($1_sudo_t, $3)
    corecmd_bin_domtrans($1_sudo_t, $3)

in the sudo_role_template() interface.

Which is the reason why you see svn_hook_sudo_t vs. svn_hook_t when 'id'
is executed. 'id' is labeled as bin_t.


> If anyone can enlighten me on what's happening here, I'd be a much happier person.
> 
>           Thanks,
>                             Lou
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> http://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx
> 


-- 
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
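A small diagnostic in POSIX sh, added here and not part of Miroslav's reply or of the reference policy: it reads the shell's own context from /proc/$$/attr/current instead of trusting 'id', because 'id' is bin_t and corecmd_bin_domtrans() sends it back to the calling domain before it prints anything. The sesearch commands it prints assume setools is installed; the svn_hook domain names are the ones from the thread.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Inside a script started by sudo,
# 'id' is a bin_t binary, so the template's corecmd_bin_domtrans($1_sudo_t, $3)
# reverts it to the calling domain before it reports a context. The shell
# itself answers for its own domain via /proc/$$/attr/current.

# Third colon-separated field of a context (the type), e.g. svn_hook_t.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Context of this shell process, read from the kernel. "unknown" when the
# attribute is absent or unreadable (kernel without SELinux).
shell_context() {
    ctx=$(tr -d '\0' 2>/dev/null < "/proc/$$/attr/current" || true)
    if [ -n "$ctx" ]; then echo "$ctx"; else echo unknown; fi
}

# What 'id -Z' reports: the context of a freshly exec'd child, i.e. after
# whatever domain transition that exec triggered.
child_context() {
    id -Z 2>/dev/null || echo unknown
}

# Print both domains and, when they differ, the sesearch queries (setools
# assumed) that show the exec transition back to the caller and the tmp_t
# type_transition that applies to the shell's real domain.
report_domains() {
    shell_dom=$(context_type "$(shell_context)")
    child_dom=$(context_type "$(child_context)")
    if [ "$shell_dom" = "$child_dom" ]; then
        echo "shell and 'id' both run in $shell_dom"
    else
        echo "shell runs in $shell_dom; 'id' ran in $child_dom (reverted on exec)"
        echo "  sesearch -T -s $shell_dom -t bin_t -c process"
        echo "  sesearch -T -s $shell_dom -t tmp_t -c file"
    fi
}

report_domains
```

Run it from inside the sudo'd second-level script: the first line tells you which domain the script's own shell is in, which is the domain whose type_transition rules decide the label of a redirected file or of 'touch foo'.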