Re: cgroup2 labeling question

Ondrej Mosnacek <omosnace@xxxxxxxxxx> writes:

> On Mon, Mar 20, 2023 at 9:23 PM Stephen Smalley
> <stephen.smalley.work@xxxxxxxxx> wrote:
>>
>> On Mon, Mar 20, 2023 at 2:22 PM Christian Göttsche
>> <cgzones@xxxxxxxxxxxxxx> wrote:
>> >
>> > On Mon, 20 Mar 2023 at 19:14, Dominick Grift <dominick.grift@xxxxxxxxxxx> wrote:
>> > >
>> > > Stephen Smalley <stephen.smalley.work@xxxxxxxxx> writes:
>> > >
>> > > > On Mon, Mar 20, 2023 at 1:28 PM Stephen Smalley
>> > > > <stephen.smalley.work@xxxxxxxxx> wrote:
>> > > >> Hmm...that's interesting. I just tried in Fedora using one of the
>> > > >> type_transitions already defined in the default policy and although it
>> > > >> appears to use the type_transition to compute the new SID for the
>> > > >> create check, ls -Z of the file after creation showed it labeled
>> > > >> cgroup_t instead. So it doesn't appear to be working or I am doing it
>> > > >> wrong.
>> > >
>> > > I am totally confused now as well because Christian on IRC says it
>> > > works for him but I cannot get it to work here and I tried various
>> > > combinations
>> > >
>> > > >
>> > > > Reproducer, on F34,
>> > > > $ sudo mkdir /sys/fs/cgroup/system.slice/.snapshots
>> > > > mkdir: cannot create directory
>> > > > ‘/sys/fs/cgroup/system.slice/.snapshots’: Permission denied
>> > > > $ sudo ausearch -m AVC -ts recent -i
>> > > > ----
>> > > > type=AVC msg=audit(03/20/2023 13:00:04.699:47156) : avc:  denied  {
>> > > > associate } for  pid=152325 comm=mkdir name=.snapshots
>> > > > scontext=unconfined_u:object_r:snapperd_data_t:s0
>> > > > tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0
>> > > > $ seinfo --fs_use | grep cgroup
>> > > > $ seinfo --genfscon | grep cgroup
>> > > >    genfscon cgroup /  system_u:object_r:cgroup_t:s0
>> > > >    genfscon cgroup2 /  system_u:object_r:cgroup_t:s0
>> > > > $ sesearch -T -s unconfined_t -t cgroup_t -c dir
>> > > > type_transition unconfined_t cgroup_t:dir snapperd_data_t .snapshots
>> > > > $ sudo setenforce 0
>> > > > $ sudo mkdir /sys/fs/cgroup/system.slice/.snapshots
>> > > > $ ls -Zd /sys/fs/cgroup/system.slice/.snapshots
>> > > > system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/.snapshots
>> > >
>> > > --
>> > > gpg --locate-keys dominick.grift@xxxxxxxxxxx
>> > > Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
>> > > Dominick Grift
>> >
>> > Debian sid (Linux debianBullseye 6.1.0-6-amd64 #1 SMP PREEMPT_DYNAMIC
>> > Debian 6.1.15-1 (2023-03-05) x86_64 GNU/Linux):
>> >
>> > type cgroup_test_t;
>> > allow cgroup_test_t cgroup_t:filesystem associate;
>> > filetrans_pattern(sysadm_t, cgroup_t, cgroup_test_t, dir, "testdir")
>> > allow sysadm_t cgroup_test_t:dir { create_dir_perms list_dir_perms };
>> > allow sysadm_t cgroup_test_t:file getattr;
>> >
>> >
>> > $ seinfo --all | grep cgroup
>> > genfscon cgroup /  system_u:object_r:cgroup_t:s0
>> > genfscon cgroup2 /  system_u:object_r:cgroup_t:s0
>> > genfscon proc /cgroups  system_u:object_r:proc_info_t:s0
>> > cgroup_seclabel
>> > cgroup_t
>> > cgroup_test_t
>> > systemd_cgroups_agent_exec_t
>> > systemd_cgroups_agent_runtime_t
>> > systemd_cgroups_agent_t
>> >
>> >
>> > $ grep cgroup /etc/selinux/debian/contexts/files/file_contexts
>> > /cgroup/.*              <<none>>
>> > /sys/fs/cgroup/.*               <<none>>
>> > /sys/fs/cgroup/[^/]+            -l      system_u:object_r:cgroup_t:s0
>> > /cgroup         -d      system_u:object_r:cgroup_t:s0
>> > /sys/fs/cgroup          -d      system_u:object_r:cgroup_t:s0
>> > /usr/lib/systemd/systemd-cgroups-agent          --
>> > system_u:object_r:systemd_cgroups_agent_exec_t:s0
>> >
>> >
>> > $ mkdir /sys/fs/cgroup/system.slice/testdir
>> > $ ls -laZ /sys/fs/cgroup/system.slice/testdir/
>> > total 0
>> > drwxr-x---.  2 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 .
>> > drwxr-xr-x. 19 root root system_u:object_r:cgroup_t:s0  0 Mar 20 19:19 ..
>> > -r--r--r--.  1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 cgroup.controllers
>> > -r--r--r--.  1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 cgroup.events
>>
>> Hmm...I don't get the same result with 6.1.14-200.fc37.x86_64, using
>> the corresponding slightly tweaked policy module:
>> policy_module(cgrouptest, 1.0)
>> require {
>> type cgroup_t;
>> type unconfined_t;
>> }
>> type cgroup_test_t;
>> allow cgroup_test_t cgroup_t:filesystem associate;
>> filetrans_pattern(unconfined_t, cgroup_t, cgroup_test_t, dir, "testdir")
>> allow unconfined_t cgroup_test_t:dir { create_dir_perms list_dir_perms };
>> allow unconfined_t cgroup_test_t:file getattr;
>>
>> That's on Fedora 37, not 34, sorry for the typo.
>
> Ah, now I remembered that we made it such that the transitions would
> only apply if the parent directory has a label explicitly set by
> userspace (via setxattr). Not sure if we can improve it easily, since
> we can't use the normal inode-based logic for cgroupfs (the xattrs are
> stored in kernfs nodes, each of which can be exposed via multiple
> inodes if there is more than one cgroupfs mount).

Thanks. I can confirm that this indeed enabled transition functionality.

It does not solve my memory.pressure challenge, but I am implementing it
regardless in the hope that it addresses the races I encountered when
solely relying on genfscon for user.slice.

https://git.defensec.nl/?p=dssp5.git;a=commitdiff;h=1920c9f751445bfd51f43a7c4e9b7fedda057d15

We should probably document this "gotcha" in the selinux-notebook

-- 
gpg --locate-keys dominick.grift@xxxxxxxxxxx
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
Dominick Grift
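The gotcha Ondrej describes above, as an added example that is not code from this thread or from dssp5: on cgroupfs (kernfs) a filename type_transition is only consulted once the parent node carries a security xattr written from userspace, so a plain mkdir gets the genfscon label, while the same mkdir after a chcon of the parent (even to the context it already shows) hits the rule. The script assumes, none of it from the mail, a unified cgroup2 hierarchy at /sys/fs/cgroup, root running in a domain that has a named transition on cgroup_t:dir for the chosen name (for instance Stephen's cgrouptest module above), and setools' sesearch installed; PARENT and NAME are hypothetical defaults.

```shell
#!/bin/bash
# Added example (not from the thread): show that a named type_transition on
# cgroup_t:dir only takes effect after the parent cgroup directory has had its
# security.selinux xattr set from userspace (chcon -> lsetxattr).
# Hypothetical defaults; override with PARENT=... NAME=... in the environment.
set -u

PARENT=${PARENT:-/sys/fs/cgroup/system.slice}
NAME=${NAME:-testdir}

# Type field of a context "user:role:type[:range]".
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# From a sesearch -T line such as
#   type_transition unconfined_t cgroup_t:dir cgroup_test_t "testdir";
# print the resulting type (field 4). Quotes and a trailing ';' are tolerated
# so both older and newer setools output formats parse.
filetrans_result_type() {
    printf '%s\n' "$1" | awk '{gsub(/[";]/, "", $4); print $4}'
}

# Same line format; print the filename the rule is keyed on (field 5).
filetrans_name() {
    printf '%s\n' "$1" | awk '{gsub(/[";]/, "", $5); print $5}'
}

# Full context of a path via stat(1) %C, instead of parsing ls -Z.
path_ctx() {
    stat -c %C -- "$1"
}

# mkdir NAME under PARENT, print the type it received, then remove it again.
create_and_report() {
    local d=$PARENT/$NAME t
    mkdir -- "$d" || return 1
    t=$(ctx_type "$(path_ctx "$d")")
    rmdir -- "$d"
    printf '%s\n' "$t"
}

main() {
    local src rule expect before after
    src=$(ctx_type "$(id -Z)")
    # Find the named transition the loaded policy defines for NAME, if any.
    rule=$(sesearch -T -s "$src" -t cgroup_t -c dir | while IFS= read -r l; do
               [ "$(filetrans_name "$l")" = "$NAME" ] && printf '%s\n' "$l"
           done)
    if [ -z "$rule" ]; then
        echo "no named type_transition for '$NAME' from $src on cgroup_t:dir" >&2
        return 1
    fi
    expect=$(filetrans_result_type "$rule")
    echo "policy: $rule"
    echo "parent: $PARENT is $(path_ctx "$PARENT")"

    before=$(create_and_report) || return 1
    echo "before setxattr on parent: $NAME created as $before"

    # chcon(1) performs lsetxattr(security.selinux) even when the value equals
    # what the parent already reports; that write is what marks the kernfs
    # node as explicitly labeled, so children created afterwards hit the rule.
    chcon -- "$(path_ctx "$PARENT")" "$PARENT" || return 1

    after=$(create_and_report) || return 1
    echo "after setxattr on parent:  $NAME created as $after"
    if [ "$after" = "$expect" ]; then
        echo "type_transition applied (expected $expect)"
    else
        echo "transition still not applied (got $after, expected $expect)" >&2
        return 1
    fi
}

# Only act when explicitly asked, so the helpers can be sourced and reused.
if [ "${1:-}" = run ]; then
    main
fi
```

Run it as root with `bash cgroup2-filetrans-demo.sh run`. The chcon step needs relabelfrom/relabelto on cgroup_t:dir for the calling domain and the cgroup_seclabel policy capability (visible in Christian's seinfo output above); without the capability the setxattr fails and the first mkdir result is all you get. As in Christian's listing, the kernel-created files inside the new cgroup (cgroup.controllers and friends) take the label of the transitioned directory. Because kernfs nodes are shared between mounts, the xattr written on the parent applies to every cgroup2 mount that exposes it, which is the reason Ondrej gives for not reusing the ordinary inode-based logic.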



