On Fri, Mar 13, 2015 at 02:50:10PM -0400, Stephen Smalley wrote:
> On 03/13/2015 02:43 PM, Dominick Grift wrote:
> > On Fri, Mar 13, 2015 at 02:26:21PM -0400, Stephen Smalley wrote:
> >> On 03/13/2015 02:15 PM, Dominick Grift wrote:
> >>> I was playing with systemd-nspawn/machine, and machinectl allows one to pull in images. I am trying to confine it and I hit issues:
> >>>
> >>> systemd runs systemd-importd, and systemd-importd runs systemd-pull
> >>>
> >>> It seems as though there is some multithreading going on because I get:
> >>>
> >>> type=SELINUX_ERR msg=audit(1426268982.258:2559): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:systemd_t newcontext=system_u:system_r:importd_t
> >>>
> >>> Even though I am in permissive mode, and a transition rule "allow systemd_t importd_t:process transition;" is present, SELinux does not transition.
> >>>
> >>> When I add a typebounds statement (typebounds systemd_t importd_t), then the scenario changes:
> >>>
> >>> type=SELINUX_ERR msg=audit(1426268121.044:2414): op=security_compute_av reason=bounds scontext=system_u:system_r:systemd_t tcontext=system_u:system_r:importd_t tclass=process perms=transition
> >>> ----
> >>> type=AVC msg=audit(1426268121.044:2415): avc: denied { transition } for pid=9210 comm="(-importd)" path="/usr/lib/systemd/systemd-importd" dev="dm-1" ino=2232532 scontext=system_u:system_r:systemd_t tcontext=system_u:system_r:importd_t tclass=process permissive=1
> >>> ----
> >>> type=SELINUX_ERR msg=audit(1426268121.044:2416): op=security_compute_av reason=bounds scontext=system_u:system_r:importd_t tcontext=system_u:object_r:importd_exec_t tclass=file perms=entrypoint
> >>> ----
> >>> type=AVC msg=audit(1426268121.044:2417): avc: denied { entrypoint } for pid=9210 comm="(-importd)" path="/usr/lib/systemd/systemd-importd" dev="dm-1" ino=2232532 scontext=system_u:system_r:importd_t tcontext=system_u:object_r:importd_exec_t tclass=file permissive=1
> >>> ----
> >>> type=SELINUX_ERR msg=audit(1426268121.046:2418): op=security_compute_av reason=bounds scontext=system_u:system_r:importd_t tcontext=system_u:system_r:systemd_t tclass=fd perms=use
> >>> ----
> >>> type=AVC msg=audit(1426268121.046:2419): avc: denied { use } for pid=9210 comm="systemd-importd" path="/dev/null" dev="devtmpfs" ino=1028 scontext=system_u:system_r:importd_t tcontext=system_u:system_r:systemd_t tclass=fd permissive=1
> >>>
> >>> These rules are present in the policy (the transition is obviously taking place in permissive mode) and so is the typebounds rule, but access still looks denied.
> >>>
> >>> I do not understand what is going on here.
> >>>
> >>> First of all, importd_t is bounded to systemd. So why does it appear to be a problem that systemd operates on importd_t entities?
> >>>
> >>> Also, why does SELinux refuse to type transition without a typebounds, and why does it give me a permission denied with a typebounds?
> >
> >> NO_NEW_PRIVS? See http://marc.info/?l=selinux&m=140717412324539&w=2
> >> Previously domain transitions on exec were always disabled under
> >> NO_NEW_PRIVS and nosuid mounts. This was introduced as a way of
> >> supporting e.g. the SELinux sandbox or other cases where NNP is being
> >> used and they want to transition domains on exec. Typebounds makes this
> >> safe, but typebounds requires you to cap the child type's permissions to
> >> a subset of the parent type's permissions. This is normally checked by
> >> checkpolicy or libsemanage at policy build/link time but I'm sure Red
> >> Hat has disabled it along with neverallow checking, so you probably
> >> don't see it until the kernel recognizes the discrepancy and dynamically
> >> blocks the access that would violate the bound.
> >
> > Yes, that is what I mentioned on #selinux. However, I am not using checkpolicy or libsemanage. I am using secilc (and I have it check for neverallow rule violations). I would have expected it to catch it at compile time.
> >
> > However, there is still something strange in that importd_t is bounded to systemd_t: thus why would "systemd_t importd_t:process transition;" be denied?
> >
> > systemd_t is the parent and not the bounded child.
> >
> > A rule "allow systemd_t importd_t:process transition;" is present in the output of "sesearch -A -s systemd_t -t importd_t". Yet it still prints a denial.
>
> Typebounds restricts its use both as a source and as a target context.
> Does systemd_t have transition to self?

It has a lot but not that:

# sesearch -A -s systemd_t -t systemd_t -c process
Found 3 semantic av rules:
   allow subject_type systemd_t : process sigchld ;
   allow systemd_t systemd_t : process { fork sigchld sigkill sigstop signull signal getsched setsched getcap setcap setexec setfscreate setrlimit setkeycreate setsockcreate } ;
   allow systemd_t subject_common_type : process { sigkill signull signal getattr } ;

> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.

--
02DFF788 4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
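The bounds check that Stephen describes in the reply (a bounded child may hold no permission its parent lacks, checked with the child in the source position and again in the target position) is easy to model offline, which is useful for spotting the `reason=bounds` denials before loading a policy. The following is an added example and not code from the thread, from secilc or from the kernel. The rule set is constructed for illustration: the `systemd_t` self `process` rule is copied from the sesearch output above, while the `systemd_t` rules on `importd_exec_t` and on its own `fd` class are assumptions and not taken from Dominick's policy.

```python
"""Toy model of the SELinux typebounds check (added example, not code from
the thread, secilc or the kernel).

For each allow rule whose source or target type is bounded by a parent
(typebounds parent child), every permission the child holds must also be
held by the parent in the same position. Anything the parent lacks is what
the kernel masks out at runtime and reports with reason=bounds, and what a
policy compiler would reject at link time.
"""
from collections import defaultdict

# Constructed sample: (source type, target type, class, permissions).
SAMPLE_RULES = [
    ("systemd_t", "importd_t", "process", {"transition"}),
    ("importd_t", "importd_exec_t", "file", {"entrypoint", "execute", "read", "open"}),
    ("importd_t", "systemd_t", "fd", {"use"}),
    # From the sesearch output in the thread: systemd_t has no transition to self.
    ("systemd_t", "systemd_t", "process",
     {"fork", "sigchld", "sigkill", "sigstop", "signull", "signal", "getsched",
      "setsched", "getcap", "setcap", "setexec", "setfscreate", "setrlimit",
      "setkeycreate", "setsockcreate"}),
    # Assumption: the parent may execute the binary but has no entrypoint on it.
    ("systemd_t", "importd_exec_t", "file", {"execute", "read", "open"}),
    # Assumption: the parent may use its own file descriptors.
    ("systemd_t", "systemd_t", "fd", {"use"}),
]

# typebounds systemd_t importd_t, stored as child -> parent.
SAMPLE_BOUNDS = {"importd_t": "systemd_t"}


def build_av(rules):
    """Merge allow rules into an access-vector table keyed by (source, target, class)."""
    av = defaultdict(set)
    for src, tgt, cls, perms in rules:
        av[(src, tgt, cls)] |= set(perms)
    return av


def bounds_violations(rules, bounds):
    """Return (position, source, target, class, excess perms) for every rule that
    grants a bounded child something its parent lacks in the same position.

    position is "source" when the bounded type is the rule's source and
    "target" when it is the rule's target; both are checked, as in the reply.
    """
    av = build_av(rules)
    violations = []
    for (src, tgt, cls), perms in av.items():
        if src in bounds:
            lower = av.get((bounds[src], tgt, cls), set())
            excess = perms - lower
            if excess:
                violations.append(("source", src, tgt, cls, frozenset(excess)))
        if tgt in bounds:
            lower = av.get((src, bounds[tgt], cls), set())
            excess = perms - lower
            if excess:
                violations.append(("target", src, tgt, cls, frozenset(excess)))
    return violations


def parent_rules_needed(rules, bounds):
    """Allow rules the parent would need for the bound to hold: the violating
    rule with the bounded child replaced by its parent."""
    needed = []
    for pos, src, tgt, cls, excess in bounds_violations(rules, bounds):
        if pos == "source":
            needed.append((bounds[src], tgt, cls, excess))
        else:
            needed.append((src, bounds[tgt], cls, excess))
    return needed


if __name__ == "__main__":
    for pos, src, tgt, cls, excess in bounds_violations(SAMPLE_RULES, SAMPLE_BOUNDS):
        print(f"bounds violation ({pos}): allow {src} {tgt}:{cls} "
              f"{{ {' '.join(sorted(excess))} }};")
    for src, tgt, cls, perms in parent_rules_needed(SAMPLE_RULES, SAMPLE_BOUNDS):
        print(f"parent needs: allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
```

On the sample above the model reproduces the first two `reason=bounds` lines from the thread: `systemd_t importd_t:process transition` fails because `importd_t` is the bounded target and `systemd_t` has no `transition` on itself, and `importd_t importd_exec_t:file entrypoint` fails because `importd_t` is the bounded source and `systemd_t` has no `entrypoint` on `importd_exec_t`. Whether the `fd use` rule passes depends on the parent's own `fd` rules, which is why it is an assumption here.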