If this is not the the right forum for this discussion, please redirect
me to some place more appropriate. Where to go for good advice on the
trickier details of selinux is not obvious.
The setting is CentOS 8.1. I'm running tcpserver as a systemd service.
tcpserver is a general-purpose Internet (actually TCP) service
dispatcher, rather like inetd.
In this case, I'm trying to use tcpserver as an entryway to sshd. It
works fine when selinux is in permissive mode but fails in enforcing
mode. According to audit.log, the error is:
type=AVC msg=audit(1584123331.011:167): avc: denied { dyntransition } for pid=2002 comm="sshd" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=1
I take this to mean that tcpserver runs in the unconfined_service_t
domain (confirmed by ps -Z), that when it execs the sshd program it
doesn't make the transition to the sshd_t domain, and consequently sshd
is prevented from doing what it wants.
audit2allow's recommendation is:
allow unconfined_service_t unconfined_t:process dyntransition;
which probably would work, but it seems like treating the symptom
rather than the disease, not to mention opening up a fairly large
security hole. I'd like something a little more specific, particularly
since I want to run one or two other services under tcpserver in
addition to sshd.
Probably the best approach would be to create a new tcpserver_t type
with all the appropriate policies, but that's beyond my current skill.
Would it make sense to create a policy module that would simply allow
unconfined_service_t to transition to sshd_t?
And what would the source for such a policy module look like? The
impression I get is something like:
allow unconfined_service_t sshd_exec_t:file { execute
execute_no_trans getattr ioctl map open read };
basically just a copy an existing policy for inetd_t and
sshd_exec_t. Is that the right way to go about this? Is there
something better?
Thank you,
Alan Stern
