I created a new policy module using sepolgen for my RL9 server to manage
the shibboleth service, then started customizing it. Part of the new
policy is a new shibboleth_etc_t file type.
This system is also using puppet to manage various config files on the
filesystem.
The shibd process, running in its shibd_t domain, is able to read this
file type with no problem, but I notice that puppet (running in the
unconfined_t domain) now generates a new AVC denial when trying to
access files of this new file type.
Do I need to explicitly allow the unconfined_t domain access to my new
file type, or is there some other piece that I'm missing?
--Mike
fc file:
/usr/sbin/shibd -- gen_context(system_u:object_r:shibd_exec_t,s0)
/etc/shibboleth(/.*)? --
gen_context(system_u:object_r:shibboleth_etc_t,s0)
/var/log/shibboleth(/.*)?
gen_context(system_u:object_r:shibboleth_var_log_t,s0)
/var/cache/shibboleth(/.*)?
gen_context(system_u:object_r:shibboleth_var_cache_t,s0)
/var/run/shibboleth -d
gen_context(system_u:object_r:shibboleth_var_run_t,s0)
/var/run/shibboleth/shibd.sock -s
gen_context(system_u:object_r:shibboleth_var_run_t,s0)
/etc/shibboleth/.*.pem -- gen_context(system_u:object_r:cert_t,s0)
/etc/shibboleth/.*pem -- gen_context(system_u:object_r:cert_t,s0)
if file:
## <summary>policy for shibd</summary>
########################################
## <summary>
## Execute shibd_exec_t in the shibd domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`shibd_domtrans',`
gen_require(`
type shibd_t, shibd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, shibd_exec_t, shibd_t)
')
######################################
## <summary>
## Execute shibd in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`shibd_exec',`
gen_require(`
type shibd_exec_t;
')
corecmd_search_bin($1)
can_exec($1, shibd_exec_t)
')
te file:
policy_module(local_shibd, 1.0.0)
########################################
#
# Declarations
#
require {
type httpd_t;
type var_run_t;
type cert_t;
type http_port_t;
type kernel_t;
class file { append create getattr open read rename unlink write };
class dir { add_name remove_name search write };
class tcp_socket { name_connect };
class sock_file { create setattr write };
class unix_stream_socket { connectto };
class unix_dgram_socket { create getopt sendto setopt };
}
type shibd_t;
type shibd_exec_t;
type shibboleth_etc_t;
type shibboleth_var_log_t;
type shibboleth_var_cache_t;
type shibboleth_var_run_t;
init_daemon_domain(shibd_t, shibd_exec_t)
permissive shibd_t;
########################################
#
# shibd local policy
#
allow shibd_t self:capability { setgid setuid };
allow shibd_t self:process { fork signal_perms };
allow shibd_t self:fifo_file rw_fifo_file_perms;
allow shibd_t self:unix_stream_socket create_stream_socket_perms;
domain_use_interactive_fds(shibd_t)
files_read_etc_files(shibd_t)
auth_use_nsswitch(shibd_t)
miscfiles_read_localization(shibd_t)
allow shibd_t shibboleth_etc_t:file { getattr open read };
allow shibd_t shibboleth_var_log_t:dir { add_name remove_name search
write };
allow shibd_t shibboleth_var_log_t:file { append create getattr open
read rename unlink write };
allow shibd_t cert_t:file { open read };
allow shibd_t shibboleth_var_run_t:dir { add_name remove_name search
write };
allow shibd_t shibboleth_var_run_t:sock_file { create setattr unlink };
allow shibd_t shibboleth_var_cache_t:dir { add_name remove_name search
write };
allow shibd_t shibboleth_var_cache_t:file { create getattr open read
unlink write };
allow shibd_t http_port_t:tcp_socket name_connect;
# Let apache talk to shibd and vice versa
allow httpd_t shibboleth_etc_t:file { getattr open read };
allow httpd_t shibd_t:unix_stream_socket connectto;
allow httpd_t shibboleth_var_run_t:dir search;
allow httpd_t shibboleth_var_run_t:sock_file write;
allow shibd_t kernel_t:unix_dgram_socket sendto;
allow shibd_t self:unix_dgram_socket { create getopt setopt };
The AVC denial:
----
time->Mon Dec 4 14:40:45 2023
node=llodmt.ligo-la.caltech.edu type=PROCTITLE
msg=audit(1701722445.997:630306):
proctitle=707570706574206167656E743A206170706C79696E6720636F6E66696775726174696F6E
node=llodmt.ligo-la.caltech.edu type=PATH
msg=audit(1701722445.997:630306): item=0
name="/etc/shibboleth/shibboleth2.xml" inode=17384656 dev=09:7e
mode=0100644 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:shibboleth_etc_t:s0 nametype=NORMAL cap_fp=0
cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
node=llodmt.ligo-la.caltech.edu type=CWD
msg=audit(1701722445.997:630306): cwd="/"
node=llodmt.ligo-la.caltech.edu type=SYSCALL
msg=audit(1701722445.997:630306): arch=c000003e syscall=257 success=yes
exit=35 a0=ffffff9c a1=7fa634a38e68 a2=80000 a3=0 items=1 ppid=2725223
pid=4135271 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="puppet"
exe="/opt/puppetlabs/puppet/bin/ruby"
subj=system_u:system_r:unconfined_service_t:s0 key=(null)
node=llodmt.ligo-la.caltech.edu type=AVC
msg=audit(1701722445.997:630306): avc: denied { open } for
pid=4135271 comm="puppet" path="/etc/shibboleth/shibboleth2.xml"
dev="md126" ino=17384656
scontext=system_u:system_r:unconfined_service_t:s0
tcontext=system_u:object_r:shibboleth_etc_t:s0 tclass=file permissive=1
node=llodmt.ligo-la.caltech.edu type=AVC
msg=audit(1701722445.997:630306): avc: denied { read } for
pid=4135271 comm="puppet" name="shibboleth2.xml" dev="md126"
ino=17384656 scontext=system_u:system_r:unconfined_service_t:s0
tcontext=system_u:object_r:shibboleth_etc_t:s0 tclass=file permissive=1
--
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
