Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> writes:

> If this is not the right forum for this discussion, please redirect
> me to some place more appropriate. Where to go for good advice on the
> trickier details of selinux is not obvious.
>
> The setting is CentOS 8.1. I'm running tcpserver as a systemd service.
> tcpserver is a general-purpose Internet (actually TCP) service
> dispatcher, rather like inetd.
>
> In this case, I'm trying to use tcpserver as an entryway to sshd. It
> works fine when selinux is in permissive mode but fails in enforcing
> mode. According to audit.log, the error is:
>
> type=AVC msg=audit(1584123331.011:167): avc: denied { dyntransition } for pid=2002 comm="sshd" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=1
>
> I take this to mean that tcpserver runs in the unconfined_service_t
> domain (confirmed by ps -Z), that when it execs the sshd program it
> doesn't make the transition to the sshd_t domain, and consequently sshd
> is prevented from doing what it wants.
>
> audit2allow's recommendation is:
>
> allow unconfined_service_t unconfined_t:process dyntransition;
>
> which probably would work, but it seems like treating the symptom
> rather than the disease, not to mention opening up a fairly large
> security hole. I'd like something a little more specific, particularly
> since I want to run one or two other services under tcpserver in
> addition to sshd.
>
> Probably the best approach would be to create a new tcpserver_t type
> with all the appropriate policies, but that's beyond my current skill.
> Would it make sense to create a policy module that would simply allow
> unconfined_service_t to transition to sshd_t?
>
> And what would the source for such a policy module look like? The
> impression I get is something like:
>
> allow unconfined_service_t sshd_exec_t:file { execute
> execute_no_trans getattr ioctl map open read };

That would be redundant.

unconfined_service_t already has broad access, and from an unconfined_service_t
perspective you just need to tell selinux what to do:

type_transition unconfined_service_t sshd_exec_t:process sshd_t;

That will tell selinux that process types should transition from
unconfined_service_t to sshd_t when processes with type unconfined_service_t
execute files with type sshd_exec_t.

When you do this and try it out then some avc denials will likely surface
regarding access that sshd_t processes may need to unconfined_service_t
processes. (for example sending a child terminated signal, but possibly
others as well)

> basically just a copy of an existing policy for inetd_t and
> sshd_exec_t. Is that the right way to go about this? Is there
> something better?
>
> Thank you,
>
> Alan Stern

--
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
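The reply's two points (answer a dyntransition denial with a type_transition rule rather than the allow rule audit2allow proposes, then expect narrow follow-on denials between sshd_t and unconfined_service_t) can be turned into a small triage helper. The script below is an added example written for this page, not code from either poster or from the SELinux toolchain. It parses AVC records from audit.log, recognises the dyntransition-on-exec pattern and emits a type_transition rule for it, emits a minimal allow rule for any other denial, and assembles a .te module with the require block those rules need. The executable type (sshd_exec_t) and target domain (sshd_t) are supplied by the caller, because they cannot be read from the denial itself. The second audit line is constructed to illustrate the predicted sigchld denial; only the first is the record quoted in the thread. The generated module still has to be compiled and loaded on the target host (checkmodule, semodule_package, semodule), which this script does not do.

```python
import re

# Constructed sample input for this example. Line 1 is the denial quoted in the
# thread; line 2 is a made-up follow-on denial of the kind the reply predicts;
# line 3 is a non-AVC record that the parser must skip.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1584123331.011:167): avc: denied { dyntransition } for pid=2002 comm="sshd" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=1
type=AVC msg=audit(1584123400.000:170): avc: denied { sigchld } for pid=2003 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
type=SYSCALL msg=audit(1584123331.011:167): arch=c000003e syscall=59 success=yes exit=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def ctx_type(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit record; return None for anything that is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": m.group("perms").split(),
        "source": ctx_type(m.group("scontext")),
        "target": ctx_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def suggest_rule(avc, exec_type, domain):
    """Map a denial to a policy rule following the reply's advice.

    A process:dyntransition denial from a service domain means no exec-time
    transition was defined, so the fix is a type_transition into `domain`
    for executables of type `exec_type`, not an allow for dyntransition.
    Every other denial gets the narrowest allow rule that covers it.
    """
    if avc["tclass"] == "process" and "dyntransition" in avc["perms"]:
        return {"kind": "type_transition", "source": avc["source"],
                "exec_type": exec_type, "domain": domain}
    return {"kind": "allow", "source": avc["source"], "target": avc["target"],
            "tclass": avc["tclass"], "perms": sorted(avc["perms"])}


def render_rule(rule):
    if rule["kind"] == "type_transition":
        return f"type_transition {rule['source']} {rule['exec_type']}:process {rule['domain']};"
    return (f"allow {rule['source']} {rule['target']}:{rule['tclass']} "
            f"{{ {' '.join(rule['perms'])} }};")


def build_module(name, rules):
    """Assemble a .te source file: module header, require block, then the rules."""
    types, classes = set(), {}
    for r in rules:
        if r["kind"] == "type_transition":
            types.update((r["source"], r["exec_type"], r["domain"]))
            # the exec-time domain change itself is checked as process:transition
            classes.setdefault("process", set()).add("transition")
        else:
            types.update((r["source"], r["target"]))
            classes.setdefault(r["tclass"], set()).update(r["perms"])
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    lines += [render_rule(r) for r in rules]
    return "\n".join(lines) + "\n"


def module_from_audit(text, exec_type, domain, name="tcpserver_sshd"):
    avcs = [a for a in map(parse_avc, text.splitlines()) if a]
    rules = [suggest_rule(a, exec_type, domain) for a in avcs]
    return build_module(name, rules)


if __name__ == "__main__":
    print(module_from_audit(SAMPLE_AUDIT, "sshd_exec_t", "sshd_t"))
```

Run it as-is to see the module generated from the sample records, or feed it the relevant lines from your own audit.log. Review every allow rule it emits before loading anything: the point of the type_transition approach is that sshd ends up confined in sshd_t, so a follow-on denial should only ever need a narrow rule between sshd_t and unconfined_service_t.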