On Wed, Apr 28, 2021 at 02:43:29PM +0200, Zdenek Pytela wrote:
> If I understand correctly, your problem is gone now. If you need some
> additional help, feel free to reply back.

I'm digging this thread up because I'm experimenting a bit more with SELinux, this time with confined users, and I came back to the thread while trying to figure some things out...

Originally I was trying to use runcon to reproduce the environment (in terms of process context) that certmonger's post-save scripts run in. It turned out that this wasn't going to work, as Zdenek explained:

> > On Tue, 2021-04-27 at 21:11 +0200, Zdenek Pytela wrote:
> > > runcon is a useful tool, but its usage is a bit tricky: it can be
> > > used to run a process in a different context, but only if policy
> > > allows it. Namely, it uses setexeccon(3) to set the new process
> > > context and on the very next execvp(2) the context is checked and the
> > > change evaluated.
> > >
> > > You are right with your commands how to check the 3 important parts
> > > to allow a transition. However, in your first command, you see the
> > > shell is running in unconfined_t. Is there a transition allowed to
> > > certmonger_t?
> > >
> > > # sesearch -T -s unconfined_t -c process |grep certmonger_t
> > > <>
> > >
> > > No. You would actually need a 3-link chain (certmonger_initrc_exec_t,
> > > certmonger_exec_t, certmonger_unconfined_exec_t), so it'd be
> > > worth writing a custom policy if you need to have it working from
> > > console.

For context, I'm experimenting with using the targeted policy's confined users. My user is mapped to staff_u and as such can SSH in to a machine, but can't use the su command to become root. If I want to do system administrator stuff, I have two options:

1. Run 'newrole -r sysadm_r' and then use 'su' to switch user
2. Use 'sudo -r sysadm_r', which transitions and switches user in a single command; sudo can be configured to perform this transition by default by adding ROLE=sysadm_r to the sudoers entry

So where does that leave the runcon command? What is it typically used for? I ask because a simple "runcon -r sysadm_r -t sysadm_t id" invocation fails with "runcon: 'id': Permission denied", and the following AVC denial:

avc: denied { transition } for pid=159994 comm="runcon" path="/usr/bin/id" dev="dm-0" ino=4064619 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0

I guess newrole/sudo do additional stuff that's needed in order to transition into the target role. If runcon doesn't do this extra stuff then what's the proper purpose of the command and how do people use it?

Thanks,

-- 
Sam Morris <https://robots.org.uk/>
CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
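The denial Sam quotes is a { transition } check on class process, which is exactly what the kernel evaluates at execvp(2) after runcon's setexeccon(3) call; it fails because there is no allow rule from staff_t to sysadm_t. Before deciding whether custom policy is needed, the first thing to do with such a denial is turn it into the sesearch queries that show whether the rule exists. The script below is an added example written for this thread, not code posted by anyone in it: it parses an AVC denial line and prints the allow-rule query and, because the source and target roles also differ here, the separate role-allow query. It assumes setools 4 sesearch syntax (-A/-s/-t/-c/-p and --role_allow) and uses a sample denial constructed from the one quoted above. It does not derive the entrypoint and execute checks on the file type that a full domain-transition review also needs.

```shell
#!/bin/sh
# avc_queries.sh: turn an SELinux AVC denial into the sesearch queries that
# check for the missing rule. Added example, not from the mailing-list thread.
# Assumes setools 4 sesearch syntax. Runs offline; it only prints commands.

# Constructed sample with the same fields as the denial quoted in the message.
SAMPLE_AVC='avc: denied { transition } for pid=159994 comm="runcon" path="/usr/bin/id" dev="dm-0" ino=4064619 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0'

# avc_field LINE KEY: value of the KEY=value token in LINE, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_perms LINE: the permissions listed inside { ... }, space separated.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# ctx_part CONTEXT N: field N of a user:role:type:level context
# (1 = user, 2 = role, 3 = type).
ctx_part() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# avc_allow_query LINE: the sesearch query that lists any allow rule covering
# the denied access. Empty output from the real command means no such rule.
avc_allow_query() {
    stype=$(ctx_part "$(avc_field "$1" scontext)" 3)
    ttype=$(ctx_part "$(avc_field "$1" tcontext)" 3)
    tclass=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1" | tr ' ' ',')
    printf 'sesearch -A -s %s -t %s -c %s -p %s\n' "$stype" "$ttype" "$tclass" "$perms"
}

# avc_role_query LINE: for a denied process transition whose target context
# also carries a different role, the role-allow query that must succeed too.
# Prints nothing for any other kind of denial.
avc_role_query() {
    tclass=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    srole=$(ctx_part "$(avc_field "$1" scontext)" 2)
    trole=$(ctx_part "$(avc_field "$1" tcontext)" 2)
    case " $perms " in *" transition "*) ;; *) return 0 ;; esac
    [ "$tclass" = process ] || return 0
    [ "$srole" != "$trole" ] || return 0
    printf 'sesearch --role_allow -s %s -t %s\n' "$srole" "$trole"
}

avc_allow_query "$SAMPLE_AVC"
avc_role_query "$SAMPLE_AVC"
```

Run on the sample it prints `sesearch -A -s staff_t -t sysadm_t -c process -p transition` and `sesearch --role_allow -s staff_r -t sysadm_r`. On a real system, paste the denial from ausearch -m AVC in place of the sample; if the first query returns nothing, the type transition is simply not in policy and runcon cannot make it happen, which is the situation described in the thread, where the supported paths are newrole or sudo with a ROLE= entry.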