On 3/16/20 5:04 PM, Alan Stern wrote:
> If this is not the the right forum for this discussion, please redirect
> me to some place more appropriate. Where to go for good advice on the
> trickier details of selinux is not obvious.
>
> The setting is CentOS 8.1. I'm running tcpserver as a systemd service.
> tcpserver is a general-purpose Internet (actually TCP) service
> dispatcher, rather like inetd.
>
> In this case, I'm trying to use tcpserver as an entryway to sshd. It
> works fine when selinux is in permissive mode but fails in enforcing
> mode. According to audit.log, the error is:
>
> type=AVC msg=audit(1584123331.011:167): avc: denied { dyntransition } for pid=2002 comm="sshd" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=1
>
> I take this to mean that tcpserver runs in the unconfined_service_t
> domain (confirmed by ps -Z), that when it execs the sshd program it
> doesn't make the transition to the sshd_t domain, and consequently sshd
> is prevented from doing what it wants.
>
> audit2allow's recommendation is:
>
> allow unconfined_service_t unconfined_t:process dyntransition;
>
> which probably would work, but it seems like treating the symptom
> rather than the disease, not to mention opening up a fairly large
> security hole. I'd like something a little more specific, particularly
> since I want to run one or two other services under tcpserver in
> addition to sshd.
>
> Probably the best approach would be to create a new tcpserver_t type
> with all the appropriate policies, but that's beyond my current skill.
> Would it make sense to create a policy module that would simply allow
> unconfined_service_t to transition to sshd_t?
>
> And what would the source for such a policy module look like? The
> impression I get is something like:
>
> allow unconfined_service_t sshd_exec_t:file { execute
> execute_no_trans getattr ioctl map open read };
>
> basically just a copy an existing policy for inetd_t and
> sshd_exec_t. Is that the right way to go about this? Is there
> something better?
The hole idea with MAC is that you should explicit declare what is allowed.
Starting with anything unconfined is a bad idea for anything that is seen
from the internet. If you do it for the security your tcpserver should have it's own
domain that is not unconfined. And then you can give rules on what it is allowed
to start. So you need to create a tcpservice_service_t, so your rule should be
allow tcpservice_service_t sshd_exec_t:file { execute
execute_no_trans getattr ioctl map open read };
/* execute_no_trans is probably not what you want */
But you do NOT want
allow tcpservice_service_t unconfined_t:process dyntransition;
On fedora it would be like:
allow tcpservice_service_t sshd_t:process dyntransition;
and sshd is then allowed to create unconfined shell or what ever.
> Thank you,
>
> Alan Stern
>
>
