Re: cgroup2 labeling question

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Matthew Sheets <masheets@xxxxxxxxxxxxxxxxxxx> writes:

> On 3/21/2023 7:42 AM, Dominick Grift wrote:
>> Ondrej Mosnacek <omosnace@xxxxxxxxxx> writes:
>> 
>>> On Mon, Mar 20, 2023 at 9:23 PM Stephen Smalley
>>> <stephen.smalley.work@xxxxxxxxx> wrote:
>>>>
>>>> On Mon, Mar 20, 2023 at 2:22 PM Christian Göttsche
>>>> <cgzones@xxxxxxxxxxxxxx> wrote:
>>>>>
>>>>> On Mon, 20 Mar 2023 at 19:14, Dominick Grift <dominick.grift@xxxxxxxxxxx> wrote:
>>>>>>
>>>>>> Stephen Smalley <stephen.smalley.work@xxxxxxxxx> writes:
>>>>>>
>>>>>>> On Mon, Mar 20, 2023 at 1:28 PM Stephen Smalley
>>>>>>> <stephen.smalley.work@xxxxxxxxx> wrote:
>>>>>>>> Hmm...that's interesting. I just tried in Fedora using one of the
>>>>>>>> type_transitions already defined in the default policy and although it
>>>>>>>> appears to use the type_transition to compute the new SID for the
>>>>>>>> create check, ls -Z of the file after creation showed it labeled
>>>>>>>> cgroup_t instead. So it doesn't appear to be working or I am doing it
>>>>>>>> wrong.
>>>>>>
>>>>>> I am totally confused now as well because Christian on IRC say's it
>>>>>> works for him but I cannot get it to work here and I tried various
>>>>>> combinations
>>>>>>
>>>>>>>
>>>>>>> Reproducer, on F34,
>>>>>>> $ sudo mkdir /sys/fs/cgroup/system.slice/.snapshots
>>>>>>> mkdir: cannot create directory
>>>>>>> ‘/sys/fs/cgroup/system.slice/.snapshots’: Permission denied
>>>>>>> $ sudo ausearch -m AVC -ts recent -i
>>>>>>> ----
>>>>>>> type=AVC msg=audit(03/20/2023 13:00:04.699:47156) : avc:  denied  {
>>>>>>> associate } for  pid=152325 comm=mkdir name=.snapshots
>>>>>>> scontext=unconfined_u:object_r:snapperd_data_t:s0
>>>>>>> tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0
>>>>>>> $ seinfo --fs_use | grep cgroup
>>>>>>> $ seinfo --genfscon | grep cgroup
>>>>>>>     genfscon cgroup /  system_u:object_r:cgroup_t:s0
>>>>>>>     genfscon cgroup2 /  system_u:object_r:cgroup_t:s0
>>>>>>> $ sesearch -T -s unconfined_t -t cgroup_t -c dir
>>>>>>> type_transition unconfined_t cgroup_t:dir snapperd_data_t .snapshots
>>>>>>> $ sudo setenforce 0
>>>>>>> $ sudo mkdir /sys/fs/cgroup/system.slice/.snapshots
>>>>>>> $ ls -Zd /sys/fs/cgroup/system.slice/.snapshots
>>>>>>> system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/.snapshots
>>>>>>
>>>>>> --
>>>>>> gpg --locate-keys dominick.grift@xxxxxxxxxxx
>>>>>> Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
>>>>>> Dominick Grift
>>>>>
>>>>> Debian sid (Linux debianBullseye 6.1.0-6-amd64 #1 SMP PREEMPT_DYNAMIC
>>>>> Debian 6.1.15-1 (2023-03-05) x86_64 GNU/Linux):
>>>>>
>>>>> type cgroup_test_t;
>>>>> allow cgroup_test_t cgroup_t:filesystem associate;
>>>>> filetrans_pattern(sysadm_t, cgroup_t, cgroup_test_t, dir, "testdir")
>>>>> allow sysadm_t cgroup_test_t:dir { create_dir_perms list_dir_perms };
>>>>> allow sysadm_t cgroup_test_t:file getattr;
>>>>>
>>>>>
>>>>> $ seinfo --all | grep cgroup
>>>>> genfscon cgroup /  system_u:object_r:cgroup_t:s0
>>>>> genfscon cgroup2 /  system_u:object_r:cgroup_t:s0
>>>>> genfscon proc /cgroups  system_u:object_r:proc_info_t:s0
>>>>> cgroup_seclabel
>>>>> cgroup_t
>>>>> cgroup_test_t
>>>>> systemd_cgroups_agent_exec_t
>>>>> systemd_cgroups_agent_runtime_t
>>>>> systemd_cgroups_agent_t
>>>>>
>>>>>
>>>>> $ grep cgroup /etc/selinux/debian/contexts/files/file_contexts
>>>>> /cgroup/.*              <<none>>
>>>>> /sys/fs/cgroup/.*               <<none>>
>>>>> /sys/fs/cgroup/[^/]+            -l      system_u:object_r:cgroup_t:s0
>>>>> /cgroup         -d      system_u:object_r:cgroup_t:s0
>>>>> /sys/fs/cgroup          -d      system_u:object_r:cgroup_t:s0
>>>>> /usr/lib/systemd/systemd-cgroups-agent          --
>>>>> system_u:object_r:systemd_cgroups_agent_exec_t:s0
>>>>>
>>>>>
>>>>> $ mkdir /sys/fs/cgroup/system.slice/testdir
>>>>> $ ls -laZ /sys/fs/cgroup/system.slice/testdir/
>>>>> total 0
>>>>> drwxr-x---.  2 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19
>>>>> .
>>>>> drwxr-xr-x. 19 root root system_u:object_r:cgroup_t:s0  0 Mar 20 19:19
>>>>> ..
>>>>> -r--r--r--.  1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19
>>>>> cgroup.controllers
>>>>> -r--r--r--.  1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19
>>>>> cgroup.events
>>>>
>>>> Hmm...I don't get the same result with 6.1.14-200.fc37.x86_64, using
>>>> the corresponding slightly tweaked policy module:
>>>> policy_module(cgrouptest, 1.0)
>>>> require {
>>>> type cgroup_t;
>>>> type unconfined_t;
>>>> }
>>>> type cgroup_test_t;
>>>> allow cgroup_test_t cgroup_t:filesystem associate;
>>>> filetrans_pattern(unconfined_t, cgroup_t, cgroup_test_t, dir, "testdir")
>>>> allow unconfined_t cgroup_test_t:dir { create_dir_perms list_dir_perms };
>>>> allow unconfined_t cgroup_test_t:file getattr;
>>>>
>>>> That's on Fedora 37, not 34, sorry for the typo.
>>>
>>> Ah, now I remembered that we made it such that the transitions would
>>> only apply if the parent directory has a label explicitly set by
>>> userspace (via setxattr). Not sure if we can improve it easily, since
>>> we can't use the normal inode-based logic for cgroupfs (the xattrs are
>>> stored in kernfs nodes, each of which can be exposed via multiple
>>> inodes if there is more than one cgroupfs mount).
>> Thanks. I can confirm that this indeed enabled transition
>> functionality.
>> It does not solve my memory.pressure challenge but I implementing it
>> regardless in hopes that it addresses the races I encountered when
>> solely relying on genfscon for user.slice
>> https://git.defensec.nl/?p=dssp5.git;a=commitdiff;h=1920c9f751445bfd51f43a7c4e9b7fedda057d15
>> We should probably document this "gotcha" in the selinux-notebook
>> 
>
> Just to unify some other threads of conversation that has been going
> on for this.
>
> I helped the author of the initial PR that started this discussion.
> We knew we needed a new unique label and I suggested that we try a
> named file trans pattern from init_t just to see if it works, and it
> seemed to right out of the gates.  We didn't need to flip any other
> switches on our test environment.
>
> Here is an example of an AVC we are seeing:
> AVC avc:  denied  { getattr } for  pid=5953 comm="systemd"
> path="/sys/fs/cgroup/user.slice/user-1000.slice/user@1000.service/memory.pressure"
> dev="cgroup2" ino=27721
> scontext=unconfined_u:unconfined_r:unconfined_t
> tcontext=system_u:object_r:memory_pressure_t tclass=file permissive=0
>
> I do fear there is something different from the other folks that have
> tested this and our setup, since out setup is fairly bespoke compared
> to your standard Linux distro.  But off the top of my head I don't
> know any special setting we would have in place to make this work.
>

I just retested it here and i can't get it to work. (but i might be
overlooking something)

recorded the test for people interested:

https://www.defensec.nl/~kcinimod/stuff/cgroup8.mp4

-- 
gpg --locate-keys dominick.grift@xxxxxxxxxxx
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
Dominick Grift
[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux