Initial context for init
by Philip Seeley
Hi all,
Quick question is:
In the targeted policy should init run SystemHigh as it does in the mls
policy?
The background:
We're setting up a targeted system where we confine all users and remove
the unconfined policy module, but we also enable polyinstantiation of /tmp
and /var/tmp.
If we ssh in as a staff_u user phil and elevate to root/sysadm_r then we
have a context of:
staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
And therefore /var/tmp is:
drwxrwxrwt. root root system_u:object_r:tmp_t:s0-s0:c0.c1023 /var/tmp
Which is really:
drwxrwxrwt. root root
system_u:object_r:tmp_t:s0-s0:c0.c1023 /var/tmp-inst/system_u:object_r:tmp_t:s0-s0:c0.c1023_phil
The real /var/tmp is:
drwxrwxrwt. root root system_u:object_r:tmp_t:s0 /var/tmp
Now if we use run_init to update an RPM that contains a post install
script, rpm can't create the temporary script file:
# run_init bash -c 'rpm -i
--force /root/libselinux-2.0.94-7.el6.x86_64.rpm'
Authenticating phil.
Password:
error: error creating temporary file /var/tmp/rpm-tmp.atkHTf: Permission
denied
error: Couldn't create temporary file for %post
(libselinux-2.0.94-7.el6.x86_64): Permission denied
Note: you need to use run_init as the rpm might restart a service, e.g. the
sssd rpm.
We've traced this to the /etc/selinux/targeted/contexts/initrc_context file
which contains:
system_u:system_r:initrc_t:s0
So we transition to initrc_t and then to rpm_t without any categories, but
because the polyinstantiated /var/tmp directory has c0.c1023 we get denied.
Normally in targeted init runs unconfined, but we've removed this.
type=AVC msg=audit(1467342325.016:716): avc: denied { read } for
pid=2779 comm="rpm" name="system_u:object_r:tmp_t:s0-s0:c0.c1023_phil"
dev=dm-0 ino=1966082 scontext=system_u:system_r:rpm_t:s0
tcontext=system_u:object_r:tmp_t:s0-s0:c0.c1023 tclass=dir
It works if we change initrc_context to:
system_u:system_r:initrc_t:s0-s0:c0.c1023
We don't see the issue under mls because the default initrc_context is:
system_u:system_r:initrc_t:s0-s15:c0.c1023
We've traces this back through the selinux-policy src RPM and to the
upstream refpolicy and see that config/appconfig-mcs/initrc_context is:
system_u:system_r:initrc_t:s0
whereas config/appconfig-mls/initrc_context is:
system_u:system_r:initrc_t:s0-mls_systemhigh
So under mls init's context is SystemHigh, but under mcs/targeted it
doesn't have any categories.
So the long question is should config/appconfig-mcs/initrc_context really
be:
system_u:system_r:initrc_t:mcs_systemhigh
as it seems odd that the more secure mls policy would run init at
SystemHigh but targeted doesn't.
Thanks
Phil Seeley
4 years, 8 months
SELinux is preventing boomagabackend from 'sys_ptrace' accesses on the
cap_userns Unknown.
by Martin Gansser
I have received this error report, about boomaga.
I can print to boomaga printer, but with a delay about 30 seconds per task. SELinux Troubleshooter reports an error.
SELinux is preventing boomagabackend from 'sys_ptrace' accesses on the cap_userns Unknown.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that boomagabackend should be allowed sys_ptrace access on the Unknown cap_userns by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'boomagabackend' --raw | audit2allow -M my-boomagabackend
# semodule -X 300 -i my-boomagabackend.pp
Additional Information:
Source Context system_u:system_r:boomaga_cups_t:s0-s0:c0.c1023
Target Context system_u:system_r:boomaga_cups_t:s0-s0:c0.c1023
Target Objects Unknown [ cap_userns ]
Source boomagabackend
Source Path boomagabackend
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-225.11.fc25.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 4.9.14-200.fc25.x86_64 #1 SMP Mon
Mar 13 19:26:40 UTC 2017 x86_64 x86_64
Alert Count 3
First Seen 2017-03-25 00:29:09 MSK
Last Seen 2017-03-25 00:32:12 MSK
Local ID 531f80ea-deab-40c6-9bd0-c7375eef6639
Raw Audit Messages
type=AVC msg=audit(1490391132.808:798): avc: denied { sys_ptrace } for pid=12332 comm="boomagabackend" capability=19 scontext=system_u:system_r:boomaga_cups_t:s0-s0:c0.c1023 tcontext=system_u:system_r:boomaga_cups_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
Hash: boomagabackend,boomaga_cups_t,boomaga_cups_t,cap_userns,sys_ptrace
------------------------------------
Have someone a idea how can this be solved ?
The files of the package were stored for test purposes here: https://martinkg.fedorapeople.org/Review/test/boomaga/
7 years
Re: RHEL 7 consoletype_exec interface issue
by Douglas Brown
Hi,
In RHEL 7 when using the userdom_unpriv_user_template interface to create a new role, it in turn uses the consoletype_exec interface; but when I attempt to insert a policy compiled with this, it says the type consoletype_exec_t doesn’t exist.
N.B. This works on RHEL 6.
Thanks,
Doug
7 years
SELinux enabled + rsync + Permission denied (13)
by Sachin Gaikwad
Hi all,
I am running a daemon process (C++ program) on RHEL 6.6 with SELinux
enabled. This process eventually executes "rsync" to do file-copy
operation. It is failing with following error:
---------------------------------*8<*
--------------------------------------------
rsync: change_dir "/home/foobar/source/" failed: Permission denied (13)
rsync: ERROR: cannot stat destination "/mnt/other_volume/testData":
Permission denied (13).
---------------------------------*8<*
--------------------------------------------
Question: Why is rsync failing with this error? I checked permissions of
"source" and "target" and both have permissions for the user.
Other testing data:
1) I tested this with "SELinux" disabled and rsync succeeds.
2) I tested this with "SELinux" enabled and launching process from
terminal. In this case "rsync" works fine. So, it looks like it is
something to do with "SELinux permissions" to process which do not have tty?
3) On other system RHEL 6.8, SELinux enabled, process as daemon: rsync
works fine. I compared SELinux configuration of both these systems, but
couldn't find anything to reason it out. If you need, I can attach SELinux
configurations.
Thanks in advance,
Sachin
7 years
New selinux-policy-macros repo in fedora-selinux organization
by Lukas Vrabec
Introducing new repository called selinux-policy-macros[1]. This repo is
main store for rpm macros which can be used by rpm packages creating
custom packages with policies.
Repo contains macros for installing/uninstalling SELinux modules,
setting booleans and properly labeling objects installed by custom
SELinux module.
These macros will be part of selinux-policy package on all supported
Fedoras.
[1] https://github.com/fedora-selinux/selinux-policy-macros
Any feedback is welcomed.
Lukas.
--
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.
7 years, 1 month
How to run an unconfined systemd unit?
by Jason L Tibbitts III
I just want to run this script:
#!/bin/sh
date | mail -s "Reboot: $HOST" notify
At boot. I have this unit file:
[Unit]
Description=Run boot-time things
After=network-online.target
[Service]
ExecStart=/usr/local/bin/notify-reboot
Type=oneshot
[Install]
WantedBy=multi-user.target
Now, when I start the unit manually the email goes through. When
started at boot, nothing happens. No AVCs are logged, nothing. I
thought systemd wasn't starting it or it was starting before the network
or something, but that's just not the case. If I stick setenforce 0 in
the script then everything works as expected.
I have verified that the unit is running as unconfined_service_t, but
that doesn't actually seem to be unconfined. I must be missing
something, but I'm not sure what it is. Can you actually have a truly
unconfined systemd unit? How might I run something at boot which I
really do want to be able to do anything at all to the system?
Digging deeper, obviously the real denial is set as dontaudit. I did
semodule -db and I do see a bunch of postfix-related things. Including
this:
type=AVC msg=audit(1488940201.691:492): avc: denied { read write } for
pid=2272 comm="sendmail" path="socket:[24809]" dev="sockfs" ino=24809
scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
permissive=0
There are actually all sorts of postfix and sendmail related denials
over a couple of boots as I've tried to work this out:
type=AVC msg=audit(1488939995.980:342): avc: denied { rlimitinh } for pid=16564 comm="postfix" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=process permissive=1
type=AVC msg=audit(1488939995.980:343): avc: denied { noatsecure } for pid=16564 comm="postfix" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=process permissive=1
type=AVC msg=audit(1488940104.809:299): avc: denied { rlimitinh } for pid=858 comm="postfix" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=process permissive=0
type=AVC msg=audit(1488940104.809:300): avc: denied { noatsecure } for pid=858 comm="postfix" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=process permissive=0
type=AVC msg=audit(1488940105.006:334): avc: denied { rlimitinh } for pid=972 comm="pickup" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_pickup_t:s0 tclass=process permissive=0
type=AVC msg=audit(1488940105.006:335): avc: denied { siginh } for pid=972 comm="pickup" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_pickup_t:s0 tclass=process permissive=0
type=AVC msg=audit(1488940105.006:336): avc: denied { rlimitinh } for pid=973 comm="qmgr" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_qmgr_t:s0 tclass=process permissive=0
type=AVC msg=audit(1488940105.006:337): avc: denied { siginh } for pid=973 comm="qmgr" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_qmgr_t:s0 tclass=process permissive=0
type=AVC msg=audit(1488940105.006:338): avc: denied { noatsecure } for pid=972 comm="pickup" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_pickup_t:s0 tclass=process permissive=0
type=AVC msg=audit(1488940105.007:339): avc: denied { noatsecure } for pid=973 comm="qmgr" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_qmgr_t:s0 tclass=process permissive=0
type=AVC msg=audit(1488940201.691:493): avc: denied { read write } for pid=2272 comm="sendmail" path="socket:[24809]" dev="sockfs" ino=24809 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1488940201.701:494): avc: denied { rlimitinh } for pid=2273 comm="postdrop" scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:postfix_postdrop_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1488940201.701:495): avc: denied { siginh } for pid=2273 comm="postdrop" scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:postfix_postdrop_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1488940201.709:496): avc: denied { rlimitinh } for pid=2274 comm="cleanup" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=process permissive=0
type=AVC msg=audit(1488940201.709:497): avc: denied { siginh } for pid=2274 comm="cleanup" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=process permissive=0
type=AVC msg=audit(1488940201.710:498): avc: denied { noatsecure } for pid=2274 comm="cleanup" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=process permissive=0
type=AVC msg=audit(1488940201.727:499): avc: denied { rlimitinh } for pid=2276 comm="smtp" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=process permissive=0
type=AVC msg=audit(1488940201.727:500): avc: denied { siginh } for pid=2276 comm="smtp" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=process permissive=0
type=AVC msg=audit(1488940201.727:501): avc: denied { noatsecure } for pid=2276 comm="smtp" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=process permissive=0
type=AVC msg=audit(1488940201.691:492): avc: denied { read write } for pid=2272 comm="sendmail" path="socket:[24809]" dev="sockfs" ino=24809 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
- J<
7 years, 1 month
