Re: In permissive setting labels that are not in host policy when running unprivileged fails with EINVAL

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Jul 10, 2024 at 9:32 AM Petr Lautrbach <lautrbach@xxxxxxxxxx> wrote:
>
> Hello,
>
> this is originally reported at
> https://github.com/SELinuxProject/selinux/issues/437
>
> There a question why kernel blocks changing SELinux label to some
> unknown label and requires CAP_MAC_ADMIN even in permissive mode?
>
> Reproducer:
>
> $ id -u
> 1000
>
> $ getenforce
> Permissive
>
> $ chcon -t bin_t /var/lib/mock/fedora-rawhide-x86_64/root/usr/lib/systemd/system-generators/systemd-ssh-generator
>
> $ chcon -t selinux_unknown_type_t /var/lib/mock/fedora-rawhide-x86_64/root/usr/lib/systemd/system-generators/systemd-ssh-generator
> chcon: failed to change context of '/var/lib/mock/fedora-rawhide-x86_64/root/usr/lib/systemd/system-generators/systemd-ssh-generator' to ‘system_u:object_r:selinux_unknown_type_t:s0’: Invalid argument
>
>
> Quotes from the issue:
>
> This is happening on a system with SELinux in permissive mode. Applying
> your suggestion does not change the result. I assume this is gated
> behind CAP_MAC_ADMIN for unprivileged users. Is there any way to make
> this work without needing root privileges?
>
> Hmm so the kernel blocks unknown labels unless the user has
> CAP_MAC_ADMIN in the initial user namespace. I'm assuming this is for a
> good reason and it would be unsafe to allow any user to do this so I
> don't think there's anything that can be done here
>
> One thing that's not clear to me, why is an unprivileged user allowed to
> write labels known by the host but not labels that are not known to the
> host? What specifically is unsafe about unknown labels that's not an
> issue with known labels?

With SELinux disabled, setting of security.* xattrs at all is gated by
CAP_SYS_ADMIN.
With SELinux enabled, the security.selinux xattrs can be set to valid
security contexts without any capability if allowed by policy.
Support for setting unknown security contexts was a later addition to
SELinux for a specific use case (original motivation provided by Red
Hat was to permit rpm to set contexts on files unpacked from a package
before it inserted the corresponding policy module from %post), and
was not expected to be used by unprivileged users.
Smack had already introduced CAP_MAC_ADMIN at that point, and it
seemed reasonable to use it for this purpose, since setting labels
unknown to the policy is effectively like being the admin of the MAC
policy.
The policy can't make useful determinations about what to do with
unknown labels so it can't provide any information flow guarantees.
There may also have been a concern about the facility being abused to
push arbitrary data into a security.selinux xattr to be fetched by
some other privileged process later in a manner that would ultimately
lead to a vulnerability.
Not saying that we can't change things here, but would require a
graceful and compatible transition path.





[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux