Re: unconfined_t access to a new file type

That fixed it.  Thanks!

--Mike

On 12/5/23 08:56, Zdenek Pytela wrote:
On Tue, Dec 5, 2023 at 8:03 AM Wart <wart@xxxxxxxxxx> wrote:

I created a new policy module using sepolgen for my RL9 server to manage
the shibboleth service, then started customizing it.  Part of the new
policy is a new shibboleth_etc_t file type.

This system is also using puppet to manage various config files on the
filesystem.

The shibd process, running in its shibd_t domain, is able to read this
file type with no problem, but I notice that puppet (running in the
unconfined_t domain) now generates a new AVC denial when trying to
access files of this new file type.

Do I need to explicitly allow the unconfined_t domain access to my new
file type, or is there some other piece that I'm missing?

--Mike

fc file:

/usr/sbin/shibd                 --   gen_context(system_u:object_r:shibd_exec_t,s0)
/etc/shibboleth(/.*)?           --   gen_context(system_u:object_r:shibboleth_etc_t,s0)
/var/log/shibboleth(/.*)?            gen_context(system_u:object_r:shibboleth_var_log_t,s0)
/var/cache/shibboleth(/.*)?          gen_context(system_u:object_r:shibboleth_var_cache_t,s0)
/var/run/shibboleth             -d   gen_context(system_u:object_r:shibboleth_var_run_t,s0)
/var/run/shibboleth/shibd.sock  -s   gen_context(system_u:object_r:shibboleth_var_run_t,s0)
/etc/shibboleth/.*.pem          --   gen_context(system_u:object_r:cert_t,s0)
/etc/shibboleth/.*pem           --   gen_context(system_u:object_r:cert_t,s0)

if file:

## <summary>policy for shibd</summary>

########################################
## <summary>
##      Execute shibd_exec_t in the shibd domain.
## </summary>
## <param name="domain">
## <summary>
##      Domain allowed to transition.
## </summary>
## </param>
#
interface(`shibd_domtrans',`
          gen_require(`
                  type shibd_t, shibd_exec_t;
          ')

          corecmd_search_bin($1)
          domtrans_pattern($1, shibd_exec_t, shibd_t)
')

######################################
## <summary>
##      Execute shibd in the caller domain.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`shibd_exec',`
          gen_require(`
                  type shibd_exec_t;
          ')

          corecmd_search_bin($1)
          can_exec($1, shibd_exec_t)
')



te file:

policy_module(local_shibd, 1.0.0)

########################################
#
# Declarations
#

require {
          type httpd_t;
          type var_run_t;
          type cert_t;
          type http_port_t;
          type kernel_t;
          class file { append create getattr open read rename unlink write };
          class dir { add_name remove_name search write };
          class tcp_socket { name_connect };
          class sock_file { create setattr write };
          class unix_stream_socket { connectto };
          class unix_dgram_socket { create getopt sendto setopt };
}
type shibd_t;
type shibd_exec_t;
type shibboleth_etc_t;
type shibboleth_var_log_t;
type shibboleth_var_cache_t;
type shibboleth_var_run_t;
init_daemon_domain(shibd_t, shibd_exec_t)


permissive shibd_t;

########################################
#
# shibd local policy
#
allow shibd_t self:capability { setgid setuid };
allow shibd_t self:process { fork signal_perms };
allow shibd_t self:fifo_file rw_fifo_file_perms;
allow shibd_t self:unix_stream_socket create_stream_socket_perms;

domain_use_interactive_fds(shibd_t)

files_read_etc_files(shibd_t)

auth_use_nsswitch(shibd_t)

miscfiles_read_localization(shibd_t)

allow shibd_t shibboleth_etc_t:file { getattr open read };

allow shibd_t shibboleth_var_log_t:dir { add_name remove_name search write };
allow shibd_t shibboleth_var_log_t:file { append create getattr open read rename unlink write };
allow shibd_t cert_t:file { open read };
allow shibd_t shibboleth_var_run_t:dir { add_name remove_name search write };
allow shibd_t shibboleth_var_run_t:sock_file { create setattr unlink };
allow shibd_t shibboleth_var_cache_t:dir { add_name remove_name search write };
allow shibd_t shibboleth_var_cache_t:file { create getattr open read unlink write };
allow shibd_t http_port_t:tcp_socket name_connect;

# Let apache talk to shibd and vice versa
allow httpd_t shibboleth_etc_t:file { getattr open read };
allow httpd_t shibd_t:unix_stream_socket connectto;
allow httpd_t shibboleth_var_run_t:dir search;
allow httpd_t shibboleth_var_run_t:sock_file write;
allow shibd_t kernel_t:unix_dgram_socket sendto;
allow shibd_t self:unix_dgram_socket { create getopt setopt };


You should assign any type you define to an attribute using interfaces like
files_type() and others; refer e.g. to
https://github.com/fedora-selinux/selinux-policy/blame/rawhide/policy/modules/contrib/ntp.te#L24-L25


The AVC denial:

----
time->Mon Dec  4 14:40:45 2023
node=llodmt.ligo-la.caltech.edu type=PROCTITLE msg=audit(1701722445.997:630306): proctitle=707570706574206167656E743A206170706C79696E6720636F6E66696775726174696F6E
node=llodmt.ligo-la.caltech.edu type=PATH msg=audit(1701722445.997:630306): item=0 name="/etc/shibboleth/shibboleth2.xml" inode=17384656 dev=09:7e mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shibboleth_etc_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
node=llodmt.ligo-la.caltech.edu type=CWD msg=audit(1701722445.997:630306): cwd="/"
node=llodmt.ligo-la.caltech.edu type=SYSCALL msg=audit(1701722445.997:630306): arch=c000003e syscall=257 success=yes exit=35 a0=ffffff9c a1=7fa634a38e68 a2=80000 a3=0 items=1 ppid=2725223 pid=4135271 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="puppet" exe="/opt/puppetlabs/puppet/bin/ruby" subj=system_u:system_r:unconfined_service_t:s0 key=(null)
node=llodmt.ligo-la.caltech.edu type=AVC msg=audit(1701722445.997:630306): avc:  denied  { open } for pid=4135271 comm="puppet" path="/etc/shibboleth/shibboleth2.xml" dev="md126" ino=17384656 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:object_r:shibboleth_etc_t:s0 tclass=file permissive=1
node=llodmt.ligo-la.caltech.edu type=AVC msg=audit(1701722445.997:630306): avc:  denied  { read } for pid=4135271 comm="puppet" name="shibboleth2.xml" dev="md126" ino=17384656 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:object_r:shibboleth_etc_t:s0 tclass=file permissive=1


Also note it is unconfined_service_t here, which is a different type from
unconfined_t.


--
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
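Zdenek's suggestion applied to the declarations from Mike's te file, as an added example that is not part of the thread: the refpolicy interfaces files_type(), files_config_file(), logging_log_file() and files_pid_file() place each type in the file_type attribute (and, where one exists, a more specific one). The rules for unconfined domains are written against those attributes, so unconfined_service_t gets its access without a hand-written allow rule on shibboleth_etc_t.

```m4
policy_module(local_shibd, 1.0.0)

########################################
#
# Declarations
#

type shibd_t;
type shibd_exec_t;
init_daemon_domain(shibd_t, shibd_exec_t)

# Each file type is registered with the refpolicy interface that matches its
# role.  A bare "type foo_t;" carries no attribute, so the rules granted to
# unconfined domains (which target file_type, not individual types) do not
# cover it; that is what produced the open/read denial for puppet above.

type shibboleth_etc_t;
files_config_file(shibboleth_etc_t)

type shibboleth_var_log_t;
logging_log_file(shibboleth_var_log_t)

type shibboleth_var_run_t;
files_pid_file(shibboleth_var_run_t)

# The cache type is registered with the generic files_type() interface.
type shibboleth_var_cache_t;
files_type(shibboleth_var_cache_t)

# The allow rules giving shibd_t access to its own types stay as in the
# original module; only the attribute assignments above are new.
```

After rebuilding and installing the module, `seinfo -t shibboleth_etc_t -x` lists the attributes the type now carries, and file_type should be among them.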
