On Wed, Apr 05, 2017 at 10:54:08AM -0400, Stephen Smalley wrote:
> On Wed, 2017-04-05 at 14:58 +0200, cgzones wrote:
> > Hi list,
> >
> > when running `apt update` I'm getting a bunch of the following
> > security_bounded_transition audits:
> >
> > type=PROCTITLE msg=audit(05/04/17 14:47:20.268:219) :
> > proctitle=/usr/bin/dpkg --print-foreign-architectures
> > type=PATH msg=audit(05/04/17 14:47:20.268:219) : item=1
> > name=/lib64/ld-linux-x86-64.so.2 inode=132140 dev=08:01 mode=file,755
> > ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0
> > nametype=NORMAL
> > type=PATH msg=audit(05/04/17 14:47:20.268:219) : item=0
> > name=/usr/bin/dpkg inode=131862 dev=08:01 mode=file,755 ouid=root
> > ogid=root rdev=00:00 obj=system_u:object_r:dpkg_exec_t:s0
> > nametype=NORMAL
> > type=CWD msg=audit(05/04/17 14:47:20.268:219) :
> > cwd=/root/selinux/policy
> > type=EXECVE msg=audit(05/04/17 14:47:20.268:219) : argc=2
> > a0=/usr/bin/dpkg a1=--print-foreign-architectures
> > type=SYSCALL msg=audit(05/04/17 14:47:20.268:219) : arch=x86_64
> > syscall=execve success=yes exit=0 a0=0x56455b39a820 a1=0x56455b39e6d0
> > a2=0x7ffdfaf43cd0 a3=0x2 items=2 ppid=2328 pid=2329 auid=debianuser
> > uid=_apt gid=nogroup euid=_apt suid=_apt fsuid=_apt egid=nogroup
> > sgid=nogroup fsgid=nogroup tty=pts0 ses=1 comm=dpkg exe=/usr/bin/dpkg
> > subj=staff_u:sysadm_r:apt_t:s0-s0:c0.c1023 key=(null)
> > type=SELINUX_ERR msg=audit(05/04/17 14:47:20.268:219) :
> > op=security_bounded_transition seresult=denied
> > oldcontext=staff_u:sysadm_r:apt_t:s0-s0:c0.c1023
> > newcontext=staff_u:sysadm_r:dpkg_t:s0-s0:c0.c1023
> >
> > I do not use any type-/role-bounds rules, and apt and dpkg are working
> > without (noticeable) issues.
>
> This means that the process or one of its ancestors had set
> NO_NEW_PRIVS, and then tried to execve a program that normally would
> have triggered a domain transition. Domain transitions are only
> allowed under NO_NEW_PRIVS if the new domain is bounded by the calling
> domain, since this ensures that no privilege escalation is possible
> (originally we did not allow domain transitions at all under
> NO_NEW_PRIVS; this was relaxed to allow them if bounded to support the
> SELinux sandbox when it began using NO_NEW_PRIVS). Unless the program
> explicitly requested the domain transition (via setexeccon), this is
> treated as a non-fatal error and the process just stays in the calling
> domain.
>
> Hence, at present, apt will continue running in apt_t rather than
> transitioning into dpkg_t when running dpkg (at least in cases where
> apt has set NO_NEW_PRIVS prior to execve - I do not know whether it
> does this universally when running dpkg or only in specific instances).
> This could be a problem for labeling of any files created by dpkg if
> relying on type transitions, or it could prevent dpkg from performing
> operations only allowed to dpkg_t (or it could expose dpkg to
> performing operations only allowed to apt_t).
>
> Adding typebounds rules (à la typebounds apt_t dpkg_t; typebounds
> apt_exec_t dpkg_exec_t; typebounds apt_tmp_t dpkg_tmp_t; ...) would
> allow the transition to occur, but would then require dpkg_t to be a
> strict subset of permissions allowed to apt_t. This does not appear to
> be the case in current policy, so it would likely break other uses of
> dpkg.
>
> This is an issue for the Debian SELinux maintainers to resolve.

Also note that the NNP flag is inherited. So if dpkg_t also in turn runs
things with domain transitions, then you will have to bound those types
to the parents as well, and so forth and so forth.

> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
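Detection logic for the audit pattern Stephen describes, as an added example that is not part of the thread: it groups audit records by event id, pairs a denied security_bounded_transition SELINUX_ERR record with the execve SYSCALL record of the same event, and reports the domain the process silently stayed in versus the one policy would have transitioned it to. The sample records are an excerpt of the event quoted above (PATH, CWD, EXECVE and PROCTITLE records omitted); the function names are my own.

```python
import re
from collections import defaultdict

# Excerpt of the audit event quoted in the thread (constructed from the
# SYSCALL and SELINUX_ERR records; other record types dropped for brevity).
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(05/04/17 14:47:20.268:219) : arch=x86_64 syscall=execve success=yes exit=0 ppid=2328 pid=2329 auid=debianuser uid=_apt comm=dpkg exe=/usr/bin/dpkg subj=staff_u:sysadm_r:apt_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(05/04/17 14:47:20.268:219) : op=security_bounded_transition seresult=denied oldcontext=staff_u:sysadm_r:apt_t:s0-s0:c0.c1023 newcontext=staff_u:sysadm_r:dpkg_t:s0-s0:c0.c1023
"""

# The audit id lives inside audit(...), which contains a space, so pull it
# out separately before tokenising the remaining key=value pairs.
EVENT_RE = re.compile(r"msg=audit\(([^)]*)\)")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_records(text):
    """Group audit records by event id: {event_id: {record_type: fields}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        fields = dict(KV_RE.findall(line))
        events[m.group(1)][fields["type"]] = fields
    return events


def domain_type(context):
    """Return the type component (user:role:TYPE:range) of an SELinux context."""
    return context.split(":")[2]


def find_failed_bounded_transitions(text):
    """List execve calls whose domain transition was dropped under NO_NEW_PRIVS."""
    findings = []
    for event_id, recs in parse_records(text).items():
        err = recs.get("SELINUX_ERR")
        if not err or err.get("op") != "security_bounded_transition" \
                or err.get("seresult") != "denied":
            continue
        sc = recs.get("SYSCALL", {})
        old_t, new_t = domain_type(err["oldcontext"]), domain_type(err["newcontext"])
        findings.append({
            "event": event_id, "pid": sc.get("pid"), "exe": sc.get("exe"),
            "stayed_in": old_t, "expected": new_t,
            # The rule Stephen mentions that would let the transition proceed;
            # it also requires new_t's permissions to be a subset of old_t's.
            "typebounds_needed": f"typebounds {old_t} {new_t};",
        })
    return findings
```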