Is it ok to say thanks to people on this mailing list ?
Anyway since i am new to this mailing list and new guys are allowed to
screw things up,
I will take advantage of me being new to say Thanks to Daniel.
*Thanks a lot Daniel*
Thanks
Bhuvan
On Tue, Jan 27, 2015 at 5:15 AM, Daniel J Walsh <dwalsh(a)redhat.com> wrote:
On 01/21/2015 01:13 PM, Bhuvan Gupta wrote:
Hello,
After doing some more investigation *your explanation make perfect sense*
.
But while going through my own mail i released that the two allow rule
that i mentioned:
[1] *allow sandbox_domain default_t : file { ioctl read write getattr
lock append };*
*[2] * *allow domain usr_t : dir { ioctl read getattr lock search open
};*
If you notice that the first one has *sandbox_domain* and second one
just *domain*
*sandbox_domain is an attribute of all sandbox_t types seinfo
-asandbox_domain -x domain is the attribute of all process types. So the
second allow rules says every process on the system is allowed to search
through usr_t directories. *
I understand the domain and types are same so sandbox_domain ==
sandbox_t.
But what does domain in [2] signifies ?
Thanks a lot.
On Wed, Jan 21, 2015 at 7:50 PM, Daniel J Walsh <dwalsh(a)redhat.com> wrote:
>
> On 01/21/2015 12:28 AM, Bhuvan Gupta wrote:
>
> I am working with selinux sandbox "
>
http://danwalsh.livejournal.com/28545.html".
>
> Blog clearing mentions that the sandbox "Can not Open or Create any
> files on the system " except the the shared libraries.
>
> But current sandbox allow to read dir stuff which i think should not be
> allowed:
> currently i can successfully ran:
> * "sandbox ls /usr"*
> ls -Z for my /usr is:
> *drwxr-xr-x. root root system_u:object_r:usr_t:s0 usr*
>
> Right this is system objects. You are allowed to read/execute most
> content under /usr, since sandbox needs to execute programs.
>
> Now i used sesearch based policy analysis tool to find the allow rules
> and i have listed few which i can understand and think should not be there:
> [1] *allow sandbox_domain default_t : file { ioctl read write getattr
> lock append } ; * # sandbox_t is allow to read write to file having
> type as default_t, but it doesnt allow to open it..so whats the
> significance of {read write}
>
> This is for leaking a file descriptor into the container. cat /foo/bar
> | sandbox app > /tmp/output
>
> We want to allow a user to open a file descriptor to any object on the
> machine and then leak the file descriptor into the sandboxed app. The
> sandboxed app is not allowed to Open any files on the system except content
> with base labels, like usr_t, etc_t, bin_t, lib_t. And these labels it is
> not allowed to write.
>
> [2] *allow domain usr_t : dir { ioctl read getattr lock search open } *
>
> Added my system details and also attached the completed allowed list .
>
> I have started with selinux about 1 week back so there might be problem
> with my thinking model.
> *Does the above stuff make sense from logical point of view and should
> fixed ?*
> Initially i thought that i will just disallow what i dont want...but
> know i have realised that selinux is denial by default model and we can
> only allow stuff.
>
> Correct. If you want to write a more confined SELinux Type, you
> can, but you have to start from scratch. And then you allow what you
> want. There is an effort to build
> a new language called CIL, which would allow you to take an existing type
> and create a new type based on that type and remove access. But we
> currently do not use this language
>
> >>yum list installed | grep selinux
> libselinux.x86_64 2.2.2-6.el7
> libselinux-python.x86_64 2.2.2-6.el7
> libselinux-utils.x86_64 2.2.2-6.el7
> selinux-policy.noarch 3.12.1-153.el7_0.13
> selinux-policy-devel.noarch 3.12.1-153.el7_0.13
> selinux-policy-sandbox.noarch 3.12.1-153.el7_0.13
> selinux-policy-targeted.noarch 3.12.1-153.el7_0.13
>
> >> yum list installed | grep sandbox
> selinux-policy-sandbox.noarch 3.12.1-153.el7_0.13
>
> Thanks
> Bhuvan
>
> On Tue, Jan 20, 2015 at 2:36 AM, Daniel J Walsh <dwalsh(a)redhat.com>
> wrote:
>
>> What do you want to Disallow?
>>
>>
>> On 01/18/2015 06:34 AM, Bhuvan Gupta wrote:
>>
>> Hello,
>>
>> "Audit2allow" can add rule to allow some operation.
>> But let say we want to disallow some operation which is allowed by some
>> policy module. let say open operation on some files.
>>
>> Is there a easy way to achieve that ?
>>
>> Or i do have to:
>> [1] get the policy source.
>> [2] edit it accordingly
>> [3] build and reinstall the policy.
>>
>>
>> Thanks
>> Bhuvan
>>
>>
>>
>>
>> --
>> selinux mailing
listselinux@lists.fedoraproject.orghttps://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>>
>>
>
>
--
selinux mailing
listselinux@lists.fedoraproject.orghttps://admin.fedoraproject.org/mailman/listinfo/selinux