Re: Trying to set context on a FIFO for nut_upsmon_t process

First, note that the existing policy's "allow" rule is not something I wrote. It is in the nut-2.8.0-3.el8.x86_64.rpm package. It is a complete mystery to me how a policy could allow those types of access to a type that is not a valid file type.

Second, opening up the permissions of nut_upsmon_t to write to user_tmp_t is precisely what I said I do _not_ want to do.

The solution I found (see my response to Trevor Hemsley) is to change the context of the FIFO to "initctl_t". That is one of the few fifo_file types that nut_upsmon_t is allowed to access. No change needed to the policy.

--
Bob Nichols     "NOSPAM" is really part of my email address.
                Do NOT delete it.

On 6/9/23 10:49, Henry Zhang wrote:
Robert,

based on your audit.log message, the new policy should be
allow nut_upsmon_t user_tmp_t:fifo_file getattr

your policy:
allow nut_upsmon_t nut_upsmon_t:fifo_file { append getattr ioctl lock open read write };

destination type should be user_tmp_t instead of nut_upsmon_t

Normally, after updating your policy, your operation should go through

---henry

On Thu, Jun 8, 2023 at 2:49 PM Robert Nichols <rnicholsNOSPAM@xxxxxxxxxxx> wrote:

    On 6/8/23 16:12, Henry Zhang wrote:
     > Robert,
     >
     > If your application fails due to selinux policy, you could check /var/log/audit/audit.log.
     > If the audit.log contains denial, please post or attach the log here.
     > It should show what kind of policy your application needed in order to execute it.
     >
     > ---henry

    Since you asked, see below. I really don't want to allow a nut_upsmon_t process to write to any user_tmp_t file. That's adding unnecessary privilege. The right solution is to give the FIFO a label that allows the access. I used sesearch to find out what target types would be appropriate, and found:

         allow nut_upsmon_t nut_upsmon_t:fifo_file { append getattr ioctl lock open read write };

    Note that the error is for "getattr", not "write". The script is checking that the name refers to a FIFO before writing to it. The same problem would occur for a "write" attempt.

    chcon fails when trying to set that context on the FIFO, and when it tries I see a message that nut_upsmon_t is not a valid file type. What is it, then? Perhaps valid on a FIFO but not on an ordinary file? The above "allow" rule shows what I need, but there is no way to set it.

    SELinux is preventing /usr/bin/bash from getattr access on the fifo_file /tmp/.alertFIFO2.

    *****  Plugin catchall (100. confidence) suggests   **************************

    If you believe that bash should be allowed getattr access on the .alertFIFO2 fifo_file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'UPS-alert' --raw | audit2allow -M my-UPSalert
    # semodule -X 300 -i my-UPSalert.pp

    Additional Information:
    Source Context                system_u:system_r:nut_upsmon_t:s0
    Target Context                unconfined_u:object_r:user_tmp_t:s0
    Target Objects                /tmp/.alertFIFO2 [ fifo_file ]
    Source                        UPS-alert
    Source Path                   /usr/bin/bash
    Port                          <Unknown>
    Host                          omega-3x.local
    Source RPM Packages
    Target RPM Packages
    SELinux Policy RPM            selinux-policy-targeted-3.14.3-117.el8.noarch
    Local Policy RPM              selinux-policy-targeted-3.14.3-117.el8.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Host Name                     omega-3x.local
    Platform                      Linux omega-3x.local 4.18.0-477.13.1.el8_8.x86_64
                                    #1 SMP Tue May 30 22:15:39 UTC 2023 x86_64 x86_64
    Alert Count                   4
    First Seen                    2023-06-08 16:32:07 CDT
    Last Seen                     2023-06-08 16:32:17 CDT
    Local ID                      87bfa152-e72e-4bff-872e-2ccd882f0d48

    Raw Audit Messages
    type=AVC msg=audit(1686259937.20:17430): avc:  denied  { getattr } for  pid=860169 comm="UPS-alert" path="/tmp/.alertFIFO2" dev="tmpfs" ino=19804366 scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=fifo_file permissive=0


    Hash: UPS-alert,nut_upsmon_t,user_tmp_t,fifo_file,getattr




-- Bob Nichols     "NOSPAM" is really part of my email address.
                      Do NOT delete it.

    _______________________________________________
    selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
    To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
    Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
    List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
    List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
    Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
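The label-selection step the thread arrives at (use sesearch to list the fifo_file target types nut_upsmon_t may already reach, drop any that are not real file types, then chcon the FIFO to one of them) as an added, stand-alone script. This is an editor's example, not the poster's UPS-alert script and not part of NUT or the Fedora policy. The embedded sesearch and seinfo excerpts are constructed stand-ins so the parsing can be exercised on a machine without setools: only the first allow rule is quoted in the thread, while the permission set shown for initctl_t, the user_tmp_t dir rule and the file_type attribute listing are assumptions made for the demo. The live helpers at the end use the real setools options (sesearch -A -s DOMAIN -c fifo_file -p PERMS, seinfo -afile_type -x).

```shell
#!/bin/sh
# Added example for this thread (not the poster's script or NUT's code).
# Given a confined domain that is denied getattr/write on a FIFO, find the
# fifo_file target types its policy already allows, keep only those that
# are real file types (carry the file_type attribute, so chcon will accept
# them on an inode), and relabel the FIFO with one of them.
#
# The two sample outputs below are CONSTRUCTED so the parsing runs on a
# box without setools. Only the first sesearch line is quoted in the
# thread; the initctl_t permission set, the dir rule and the attribute
# listing are assumptions for the demo.

SAMPLE_SESEARCH='allow nut_upsmon_t nut_upsmon_t:fifo_file { append getattr ioctl lock open read write };
allow nut_upsmon_t initctl_t:fifo_file { append getattr ioctl lock open read write };
allow nut_upsmon_t nut_upsmon_t:fifo_file getattr;
allow nut_upsmon_t user_tmp_t:dir { getattr search };'

SAMPLE_SEINFO='Type Attributes: 1
   attribute file_type;
    initctl_t
    user_tmp_t'

# fifo_targets PERMS: read sesearch-style rules on stdin and print the
# target types of fifo_file allow rules that grant every permission in the
# comma-separated PERMS list. dontaudit/auditallow lines and the
# "[ bool ]:True" suffix of conditional rules are ignored.
fifo_targets() {
    awk -v want="$1" '
        $1 == "allow" {
            split($3, tc, ":")
            if (tc[2] != "fifo_file") next
            perms = ""
            for (i = 4; i <= NF; i++) perms = perms " " $i
            gsub(/[{};]/, " ", perms)
            n = split(want, need, ",")
            ok = 1
            for (j = 1; j <= n; j++)
                if (index(" " perms " ", " " need[j] " ") == 0) ok = 0
            if (ok) print tc[1]
        }' | sort -u
}

# file_types: read "seinfo -afile_type -x" output on stdin and print the
# member types (the indented lines). Only these can be put on an inode;
# a process domain such as nut_upsmon_t is not among them, which is why
# chcon refuses it even though an allow rule names it as a target.
file_types() {
    awk '/^[ \t]+[A-Za-z_][A-Za-z0-9_]*[ \t]*$/ { gsub(/[ \t]/, ""); print }' | sort -u
}

# usable_targets PERMS RULES ATTRS: fifo_file targets that are also file types.
usable_targets() {
    local perms="$1" rules="$2" attrs="$3" t
    printf '%s\n' "$rules" | fifo_targets "$perms" | while read -r t; do
        if printf '%s\n' "$attrs" | file_types | grep -qxF "$t"; then
            printf '%s\n' "$t"
        fi
    done
    return 0
}

# relabel_fifo FIFO TYPE: on a live system, confirm the path is a FIFO
# (the [ -p ] test is itself a stat, i.e. the getattr that was denied),
# relabel it and show the result. chcon is not persistent: restorecon, or
# recreating the FIFO, brings back the file_contexts default, so whatever
# creates the FIFO has to run this each time.
relabel_fifo() {
    local fifo="$1" type="$2"
    [ -p "$fifo" ] || { echo "not a FIFO: $fifo" >&2; return 1; }
    chcon -t "$type" "$fifo" || return 1
    ls -Z "$fifo"
}

# live_candidates DOMAIN PERMS: the same search against the loaded policy.
# Needs setools (sesearch/seinfo). Typical use for this thread:
#   live_candidates nut_upsmon_t getattr,write
#   relabel_fifo /tmp/.alertFIFO2 initctl_t
live_candidates() {
    local rules attrs
    rules=$(sesearch -A -s "$1" -c fifo_file -p "$2") || return 1
    attrs=$(seinfo -afile_type -x) || return 1
    usable_targets "$2" "$rules" "$attrs"
}

# Demo on the constructed samples: prints initctl_t. nut_upsmon_t is an
# allowed target but not a file type; user_tmp_t is a file type but the
# sample policy has no fifo_file rule for it.
usable_targets getattr,write "$SAMPLE_SESEARCH" "$SAMPLE_SEINFO"
```

Two caveats worth keeping in mind when borrowing a label this way. First, the label is what the kernel checks, so every other domain whose policy grants fifo_file permissions on initctl_t can now reach /tmp/.alertFIFO2 as well; `sesearch -A -t initctl_t -c fifo_file` shows who that is, and it is the trade-off for not loading a local module. Second, because the FIFO lives on tmpfs and is recreated, the chcon has to be repeated by whatever creates it, or a `semanage fcontext` rule for the path has to be paired with a restorecon after creation; neither is done for you.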