On Mon, Mar 20, 2023 at 9:23 PM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote:
>
> On Mon, Mar 20, 2023 at 2:22 PM Christian Göttsche
> <cgzones@xxxxxxxxxxxxxx> wrote:
> >
> > On Mon, 20 Mar 2023 at 19:14, Dominick Grift <dominick.grift@xxxxxxxxxxx> wrote:
> > >
> > > Stephen Smalley <stephen.smalley.work@xxxxxxxxx> writes:
> > >
> > > > On Mon, Mar 20, 2023 at 1:28 PM Stephen Smalley
> > > > <stephen.smalley.work@xxxxxxxxx> wrote:
> > > >> Hmm...that's interesting. I just tried in Fedora using one of the
> > > >> type_transitions already defined in the default policy and although it
> > > >> appears to use the type_transition to compute the new SID for the
> > > >> create check, ls -Z of the file after creation showed it labeled
> > > >> cgroup_t instead. So it doesn't appear to be working or I am doing it
> > > >> wrong.
> > >
> > > I am totally confused now as well because Christian on IRC says it
> > > works for him but I cannot get it to work here and I tried various
> > > combinations
> > >
> > > > Reproducer, on F34,
> > > > $ sudo mkdir /sys/fs/cgroup/system.slice/.snapshots
> > > > mkdir: cannot create directory
> > > > ‘/sys/fs/cgroup/system.slice/.snapshots’: Permission denied
> > > > $ sudo ausearch -m AVC -ts recent -i
> > > > ----
> > > > type=AVC msg=audit(03/20/2023 13:00:04.699:47156) : avc: denied {
> > > > associate } for pid=152325 comm=mkdir name=.snapshots
> > > > scontext=unconfined_u:object_r:snapperd_data_t:s0
> > > > tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0
> > > > $ seinfo --fs_use | grep cgroup
> > > > $ seinfo --genfscon | grep cgroup
> > > > genfscon cgroup / system_u:object_r:cgroup_t:s0
> > > > genfscon cgroup2 / system_u:object_r:cgroup_t:s0
> > > > $ sesearch -T -s unconfined_t -t cgroup_t -c dir
> > > > type_transition unconfined_t cgroup_t:dir snapperd_data_t .snapshots
> > > > $ sudo setenforce 0
> > > > $ sudo mkdir /sys/fs/cgroup/system.slice/.snapshots
> > > > $ ls -Zd /sys/fs/cgroup/system.slice/.snapshots
> > > > system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/.snapshots
> > >
> > > --
> > > gpg --locate-keys dominick.grift@xxxxxxxxxxx
> > > Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
> > > Dominick Grift
> >
> > Debian sid (Linux debianBullseye 6.1.0-6-amd64 #1 SMP PREEMPT_DYNAMIC
> > Debian 6.1.15-1 (2023-03-05) x86_64 GNU/Linux):
> >
> > type cgroup_test_t;
> > allow cgroup_test_t cgroup_t:filesystem associate;
> > filetrans_pattern(sysadm_t, cgroup_t, cgroup_test_t, dir, "testdir")
> > allow sysadm_t cgroup_test_t:dir { create_dir_perms list_dir_perms };
> > allow sysadm_t cgroup_test_t:file getattr;
> >
> > $ seinfo --all | grep cgroup
> > genfscon cgroup / system_u:object_r:cgroup_t:s0
> > genfscon cgroup2 / system_u:object_r:cgroup_t:s0
> > genfscon proc /cgroups system_u:object_r:proc_info_t:s0
> > cgroup_seclabel
> > cgroup_t
> > cgroup_test_t
> > systemd_cgroups_agent_exec_t
> > systemd_cgroups_agent_runtime_t
> > systemd_cgroups_agent_t
> >
> > $ grep cgroup /etc/selinux/debian/contexts/files/file_contexts
> > /cgroup/.* <<none>>
> > /sys/fs/cgroup/.* <<none>>
> > /sys/fs/cgroup/[^/]+ -l system_u:object_r:cgroup_t:s0
> > /cgroup -d system_u:object_r:cgroup_t:s0
> > /sys/fs/cgroup -d system_u:object_r:cgroup_t:s0
> > /usr/lib/systemd/systemd-cgroups-agent -- system_u:object_r:systemd_cgroups_agent_exec_t:s0
> >
> > $ mkdir /sys/fs/cgroup/system.slice/testdir
> > $ ls -laZ /sys/fs/cgroup/system.slice/testdir/
> > total 0
> > drwxr-x---. 2 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 .
> > drwxr-xr-x. 19 root root system_u:object_r:cgroup_t:s0 0 Mar 20 19:19 ..
> > -r--r--r--. 1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 cgroup.controllers
> > -r--r--r--. 1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 cgroup.events
>
> Hmm...I don't get the same result with 6.1.14-200.fc37.x86_64, using
> the corresponding slightly tweaked policy module:
> policy_module(cgrouptest, 1.0)
> require {
> type cgroup_t;
> type unconfined_t;
> }
> type cgroup_test_t;
> allow cgroup_test_t cgroup_t:filesystem associate;
> filetrans_pattern(unconfined_t, cgroup_t, cgroup_test_t, dir, "testdir")
> allow unconfined_t cgroup_test_t:dir { create_dir_perms list_dir_perms };
> allow unconfined_t cgroup_test_t:file getattr;
>
> That's on Fedora 37, not 34, sorry for the typo.

Ah, now I remembered that we made it such that the transitions would only
apply if the parent directory has a label explicitly set by userspace (via
setxattr). Not sure if we can improve it easily, since we can't use the
normal inode-based logic for cgroupfs (the xattrs are stored in kernfs
nodes, each of which can be exposed via multiple inodes if there is more
than one cgroupfs mount).

--
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
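The following is an added worked example, not code from the thread or from the SELinux kernel tree. It models, in a few dozen lines of Python, the two decisions the thread is about: (1) the create-time permission check, in which the new object's type comes from a type_transition (or else the parent's type) and must then hold filesystem:associate against the genfscon type of the mount, which is exactly what the quoted AVC shows with scontext=...:snapperd_data_t and tcontext=...:cgroup_t; and (2) the label the kernfs node actually ends up with on cgroupfs, which per Ondrej's explanation only honours the transition when the parent's label was set explicitly via setxattr. It also includes a parser for the AVC record. The Policy class, filetrans_pattern helper, the parent_label_explicit flag and the single-line AVC_SAMPLE are constructed for this example; the real kernel checks more permissions on the parent directory than are modelled here.

```python
# Added example: simplified model of the SELinux labeling decisions discussed
# in the thread. Not kernel code; the cgroupfs rule is modelled after Ondrej's
# description and the policy rules after the seinfo/sesearch output quoted above.
import re
from typing import Dict, Set, Tuple

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line: str) -> dict:
    """Parse one 'avc: denied' audit record into a dict.

    'perms' becomes a list; every key=value pair after 'for' is kept verbatim.
    """
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial record: %r" % line)
    rec = {"perms": m.group("perms").split()}
    rec.update(KV_RE.findall(m.group("rest")))
    return rec


def context_type(ctx: str) -> str:
    """Return the type field of a user:role:type[:level] context string."""
    return ctx.split(":")[2]


class Policy:
    """Just enough policy to evaluate a directory create on a genfs-labelled mount."""

    def __init__(self) -> None:
        self.genfscon: Dict[str, str] = {}                            # fs name -> object type
        self.transitions: Dict[Tuple[str, str, str, str], str] = {}   # (src, parent, cls, name) -> new
        self.allow: Set[Tuple[str, str, str, str]] = set()            # (src, tgt, cls, perm)

    def genfscon_rule(self, fs: str, obj_type: str) -> None:
        self.genfscon[fs] = obj_type

    def filetrans_pattern(self, src: str, parent: str, new: str, cls: str, name: str) -> None:
        # Hypothetical stand-in for the refpolicy macro: the named type_transition
        # plus the permissions the creator needs on the parent and the new object.
        self.transitions[(src, parent, cls, name)] = new
        self.allow.update({(src, parent, "dir", p) for p in ("search", "add_name", "write")})
        self.allow.add((src, new, cls, "create"))

    def new_object_type(self, src: str, parent: str, cls: str, name: str) -> str:
        """Type used for the create check: the transition target, else the parent's type."""
        return self.transitions.get((src, parent, cls, name), parent)

    def create_check(self, src: str, fs: str, parent: str, cls: str, name: str):
        """Return ('allowed', new_type) or ('denied', perm, source_type, target_type)."""
        new = self.new_object_type(src, parent, cls, name)
        if (src, new, cls, "create") not in self.allow:
            return ("denied", "create", src, new)
        fs_type = self.genfscon[fs]
        # filesystem:associate is checked with the *new object's* type as the source,
        # which is why the AVC in the thread has scontext=...:snapperd_data_t.
        if (new, fs_type, "filesystem", "associate") not in self.allow:
            return ("denied", "associate", new, fs_type)
        return ("allowed", new)


def cgroupfs_result_type(policy: Policy, src: str, parent: str, cls: str,
                         name: str, parent_label_explicit: bool) -> str:
    """Type the new kernfs node ends up with, per the thread: the transition is
    honoured only when the parent's label was set explicitly by userspace
    (setxattr); otherwise the node keeps the parent's (genfscon) type."""
    if parent_label_explicit:
        return policy.new_object_type(src, parent, cls, name)
    return parent


def fedora_default_policy() -> Policy:
    """The rules visible in the quoted seinfo/sesearch output (no associate rule)."""
    p = Policy()
    p.genfscon_rule("cgroup2", "cgroup_t")
    p.filetrans_pattern("unconfined_t", "cgroup_t", "snapperd_data_t", "dir", ".snapshots")
    return p


def cgroup_test_policy(src: str) -> Policy:
    """The cgroup_test_t module from the thread, for sysadm_t (Debian) or unconfined_t (Fedora)."""
    p = Policy()
    p.genfscon_rule("cgroup2", "cgroup_t")
    p.allow.add(("cgroup_test_t", "cgroup_t", "filesystem", "associate"))
    p.filetrans_pattern(src, "cgroup_t", "cgroup_test_t", "dir", "testdir")
    return p


# Constructed single-line copy of the AVC record quoted in the thread.
AVC_SAMPLE = ("type=AVC msg=audit(03/20/2023 13:00:04.699:47156) : avc: denied { associate } "
              "for pid=152325 comm=mkdir name=.snapshots "
              "scontext=unconfined_u:object_r:snapperd_data_t:s0 "
              "tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0")

if __name__ == "__main__":
    rec = parse_avc(AVC_SAMPLE)
    print("AVC:", rec["perms"], context_type(rec["scontext"]), "->", context_type(rec["tcontext"]))
    print("default policy:", fedora_default_policy().create_check(
        "unconfined_t", "cgroup2", "cgroup_t", "dir", ".snapshots"))
    for src, explicit in (("sysadm_t", True), ("unconfined_t", False)):
        pol = cgroup_test_policy(src)
        print(src, pol.create_check(src, "cgroup2", "cgroup_t", "dir", "testdir"),
              "-> node type:", cgroupfs_result_type(pol, src, "cgroup_t", "dir", "testdir", explicit))
```

Running it reproduces the two outcomes in the thread: with the default policy the create is denied on filesystem:associate for snapperd_data_t against cgroup_t (the quoted AVC), and with the cgroup_test_t module the create check passes in both setups, while the node only carries cgroup_test_t when parent_label_explicit is true and otherwise stays cgroup_t, which is the gap between "the create check used the transition" and "ls -Z still shows cgroup_t" that Stephen observed.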