I am writing an SELinux module to confine a commercial VPN application. The application consists of two server processes that run as root, with a “tray” process that users run. The tray process talks to the server processes via various mechanisms, including D-Bus. I have both server processes running in the myvpn_t domain.

For now, my module is in permissive mode, so that I can work through the various SELinux denials and see how to best allow (or in some cases, dontaudit) the actions the server processes take.

I noticed that the server processes were attempting to perform certain actions on unconfined_t directories/files. From audit2allow:

    allow myvpn_t unconfined_t:dir search;
    allow myvpn_t unconfined_t:file read;
    allow myvpn_t unconfined_t:lnk_file read;

Looking through the raw AVC audit messages, the issue is that once the tray process contacts the server processes, the server processes begin watching the health of the tray process, by reading (e.g.):

    /proc/12345/exe

…where 12345 is the pid of the tray process. (My guess is that the server processes are attempting to verify not just that the tray process is still running, but that it’s still the tray process, and not some other process that grabbed the same pid after the tray process exited.)

Because our users run in unconfined_t, the /proc/12345 directory (and files underneath it) are owned by the user running the tray and are in the unconfined_t context. There are a bunch of macros to permit domains to perform various operations in /proc, but they all assume the file context is proc_t. So these macros aren’t really designed to permit access to the individual pid directories in /proc.

If I deny (dontaudit) these accesses, I will likely break the server processes, as they will no longer be able to monitor the tray. But I see no way to grant them the access they want without doing as audit2allow suggests:

    allow myvpn_t unconfined_t:dir search;
    allow myvpn_t unconfined_t:file read;
    allow myvpn_t unconfined_t:lnk_file read;

…which will grant the server processes the ability to read/search unconfined_t files/directories *anywhere*, not just in /proc. That’s undesirable.

Is there some way to grant the above access, but only if the files/directories are in /proc?

Alternatively, it occurred to me that a better solution might be to set up a transition so that when a user invokes the tray executable, it transitions to (e.g.) myvpn_user_t. But I can find vanishingly few examples of user-level transitions like this anywhere else in Fedora and/or RHEL, so I don’t know if it’s something to be avoided. (xserver_exec_t (/usr/libexec/Xorg) transitioning to xserver_t when invoked by a user context is the only obvious example I found.)

Is there a better solution that I’m not seeing?

-- 
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
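The denials the post describes are process-state reads: the inodes under /proc/<pid> are labelled with the context of the task they describe, not with proc_t, which is why the target type in the AVC records is the tray's domain (unconfined_t) and why the proc_t macros do not apply. The refpolicy idiom for exactly this access is the support macro ps_process_pattern(source, target), which grants dir/file/lnk_file read plus process getattr on objects carrying the target domain's label. The script below is an added example for this thread, not code from the poster or from any SELinux project: it parses raw AVC records, recognises denials on dev="proc" whose target is a domain type rather than a procfs file type (a heuristic, since domain attributes cannot be queried offline), and emits a .te fragment that uses ps_process_pattern() for those while leaving any other denials as bare allow rules for manual review. The AVC lines are constructed to match the post's scenario; the comm="myvpnd" value, the user_home_t denial, the PROCFS_TYPES list and the fragment wording are assumptions.

```python
"""Turn /proc/<pid> state-read denials into refpolicy ps_process_pattern() rules.

Added example for the selinux list thread above; not the poster's code and not
part of any SELinux policy project. The AVC records are constructed.
"""
import re

# Constructed sample denials (not real audit output), in raw AVC format.
SAMPLE_AVC = """\
type=AVC msg=audit(1700000000.001:101): avc:  denied  { search } for  pid=777 comm="myvpnd" name="12345" dev="proc" ino=4242 scontext=system_u:system_r:myvpn_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir permissive=1
type=AVC msg=audit(1700000000.002:102): avc:  denied  { read } for  pid=777 comm="myvpnd" name="exe" dev="proc" ino=4243 scontext=system_u:system_r:myvpn_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=lnk_file permissive=1
type=AVC msg=audit(1700000000.003:103): avc:  denied  { read } for  pid=777 comm="myvpnd" path="/proc/12345/status" dev="proc" ino=4244 scontext=system_u:system_r:myvpn_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file permissive=1
type=AVC msg=audit(1700000000.004:104): avc:  denied  { read } for  pid=777 comm="myvpnd" path="/home/alice/.vpnrc" dev="dm-0" ino=99 scontext=system_u:system_r:myvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'\{\s*([^}]*?)\s*\}')
DENIED_RE = re.compile(r'avc:\s+denied')

# Procfs *file* types (labelled via genfscon), as opposed to process domains whose
# label is inherited by their own /proc/<pid> entries. Assumption: partial list.
PROCFS_TYPES = {"proc_t", "proc_net_t", "sysctl_t", "sysctl_kernel_t", "sysctl_net_t"}


def parse_avc(line):
    """Return a dict of fields for one AVC denial, or None for any other line."""
    if not DENIED_RE.search(line):
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    perms = PERMS_RE.search(line)
    if perms is None or "scontext" not in fields or "tcontext" not in fields:
        return None
    fields["perms"] = set(perms.group(1).split())
    fields["stype"] = fields["scontext"].split(":")[2]   # type field of the context
    fields["ttype"] = fields["tcontext"].split(":")[2]
    return fields


def is_process_state_read(rec):
    """True when the denial is a read of another task's /proc/<pid> entries.

    /proc/<pid> inodes carry the task's own label, so a dir/file/lnk_file denial
    on dev="proc" whose target is not a procfs file type is state inspection.
    Heuristic: domain attributes cannot be checked without the loaded policy.
    """
    return (rec.get("dev") == "proc"
            and rec.get("tclass") in {"dir", "file", "lnk_file"}
            and rec["ttype"] not in PROCFS_TYPES)


def suggest_rules(avc_text):
    """Group denials into (ps_process_pattern lines, bare allow lines, types seen)."""
    patterns, allows, types = [], {}, set()
    for line in avc_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        types.update((rec["stype"], rec["ttype"]))
        if is_process_state_read(rec):
            pat = "ps_process_pattern(%s, %s)" % (rec["stype"], rec["ttype"])
            if pat not in patterns:
                patterns.append(pat)
        else:
            key = (rec["stype"], rec["ttype"], rec["tclass"])
            allows.setdefault(key, set()).update(rec["perms"])
    allow_lines = ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
                   for (s, t, c), p in sorted(allows.items())]
    return patterns, allow_lines, types


def render_fragment(patterns, allow_lines, types, own_types):
    """Render a .te fragment for a module that already declares own_types."""
    foreign = sorted(types - set(own_types))
    out = ["# Generated from AVC denials; review before building the module.",
           "require {"]
    out += ["\ttype %s;" % t for t in foreign]
    out += ["}", ""]
    if patterns:
        out.append("# Read /proc/<pid> state of these domains. Only /proc/<pid> entries")
        out.append("# carry a domain's label, so this does not reach files elsewhere.")
        out += [p for p in patterns]
        out.append("")
    if allow_lines:
        out.append("# Remaining denials, left as bare allows: find an interface or dontaudit.")
        out += allow_lines
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    pats, allow, seen = suggest_rules(SAMPLE_AVC)
    print(render_fragment(pats, allow, seen, {"myvpn_t"}))
```

The fragment is meant to be pasted into the existing myvpn.te and rebuilt with the usual `make -f /usr/share/selinux/devel/Makefile myvpn.pp` and `semodule -i myvpn.pp`; afterwards `sesearch -A -s myvpn_t -t unconfined_t` shows the resulting rules, and `ls -Z /proc/<pid>/exe` on a running tray confirms that the entry really carries the tray's process label rather than proc_t. The heuristic in is_process_state_read() is deliberately conservative: a denial with dev="proc" against a type in PROCFS_TYPES still falls through to a bare allow so it gets looked at by hand.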