On Tue, Apr 27, 2021 at 6:46 PM Sam Morris <sam(a)robots.org.uk> wrote:
Certmonger allows for the configuration of a post-save command to be run
after it has obtained new certificates. This can be used to copy the key &
certificates out of wherever certmonger is allowed to put them, and save
them elsewhere with a particular owner/group, combine the certificate &
chain into a single file as required by some software, etc.
The problem comes with SELinux, which prevents my post-save scripts from
being able to do all of that. I thought the solution was to give the
scripts the context of certmonger_unconfined_exec_t, which would cause a
transition to the certmonger_unconfined_t domain, which is, as its name
suggests, unconfined; but I can't get this to work.
I'm trying to use runcon to simulate certmonger executing a fake script:
# cat /tmp/fakescript
#!/bin/bash
set -eu
id -Z
# /tmp/fakescript
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# ls -Z /tmp/fakescript
unconfined_u:object_r:certmonger_unconfined_exec_t:s0 /tmp/fakescript
# runcon system_u:system_r:certmonger_t:s0 /tmp/fakescript
runcon: ‘/tmp/fakescript’: Permission denied
Here is the avc denial:
----
type=PROCTITLE msg=audit(27/04/21 16:16:47.156:153492) : proctitle=runcon
system_u:system_r:certmonger_t:s0 /tmp/fakescript
type=SYSCALL msg=audit(27/04/21 16:16:47.156:153492) : arch=x86_64
syscall=execve success=no exit=EACCES(Permission denied) a0=0x7ffd8aa768ab
a1=0x7ffd8aa75888 a2=0x7ffd8aa75898 a3=0x0 items=0 ppid=177795 pid=177796
auid=sam.admin uid=root gid=root euid=root suid=root fsuid=root egid=root
sgid=root fsgid=root tty=pts5 ses=103 comm=runcon exe=/usr/bin/runcon
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(27/04/21 16:16:47.156:153492) : avc: denied {
entrypoint } for pid=177796 comm=runcon path=/tmp/fakescript dev="dm-0"
ino=33563064 scontext=system_u:system_r:certmonger_t:s0
tcontext=unconfined_u:object_r:certmonger_unconfined_exec_t:s0 tclass=file
permissive=0
Even though:
# sepolicy transition -s certmonger_t -t certmonger_unconfined_t
certmonger_t @ certmonger_unconfined_exec_t --> certmonger_unconfined_t
Diving in a little deeper, I can see that certmonger can execute the file:
# sesearch -s certmonger_t -t certmonger_unconfined_exec_t -c file -p execute -A
allow certmonger_t certmonger_unconfined_exec_t:file { execute execute_no_trans getattr ioctl map open read };
... and that the file type is an entrypoint for the
certmonger_unconfined_t domain:
# sesearch -s certmonger_unconfined_t -t certmonger_unconfined_exec_t -c file -p entrypoint -A
allow certmonger_unconfined_t certmonger_unconfined_exec_t:file { entrypoint execute getattr ioctl lock map open read };
... and that transition is permitted from certmonger_t:
# sesearch -s certmonger_t -t certmonger_unconfined_t -c process -p transition -A
allow certmonger_t certmonger_unconfined_t:process transition;
Which leaves me scratching my head, unsure why it doesn't work in
practice...
Hi,
runcon is a useful tool, but its usage is a bit tricky: it can be used to
run a process in a different context, but only if policy allows it. Namely,
it uses setexeccon(3) to set the new process context and on the very next
execvp(2) the context is checked and the change evaluated.
You are right about the commands for checking the 3 important parts needed to
allow a transition. However, in your first command, you see the shell is
running in unconfined_t. Is there a transition allowed to certmonger_t?
# sesearch -T -s unconfined_t -c process |grep certmonger_t
<>
No. You would actually need a 3-link chain (certmonger_initrc_exec_t,
certmonger_exec_t, certmonger_unconfined_exec_t), so it'd be worth writing
a custom policy if you need to have it working from the console. I still don't
quite understand what is to be done there though. For instance, which
process executes the post-save commands? Are there any audit records when
it fails? Are there additional error messages in the journal?
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
_______________________________________________
selinux mailing list -- selinux(a)lists.fedoraproject.org
To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
--
Zdenek Pytela
Security SELinux team
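The reply's point is that the three rules Sam checked are necessary but not sufficient: the domain runcon is invoked from must also be allowed to transition into the source domain. As an added example (not code from the thread), the script below parses sesearch-style allow rules and evaluates all four conditions; the sample rules are copied from the thread's sesearch output, and the function names are my own.

```python
import re

# Constructed sample: the allow rules sesearch printed in the thread, joined
# back onto single lines. A real run would feed `sesearch -A ...` output in.
SESEARCH_OUTPUT = """\
allow certmonger_t certmonger_unconfined_exec_t:file { execute execute_no_trans getattr ioctl map open read };
allow certmonger_unconfined_t certmonger_unconfined_exec_t:file { entrypoint execute getattr ioctl lock map open read };
allow certmonger_t certmonger_unconfined_t:process transition;
"""

# Matches both brace-wrapped permission sets and a single bare permission.
ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*)\}|(\S+?));?\s*$")


def parse_allow_rules(text):
    """Return a set of (source, target, class, permission) tuples."""
    rules = set()
    for line in text.splitlines():
        m = ALLOW_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not an allow rule
        src, tgt, cls, braced, single = m.groups()
        perms = braced.split() if braced is not None else [single]
        for perm in perms:
            rules.add((src, tgt, cls, perm))
    return rules


def transition_checks(rules, caller, src_domain, exec_type, new_domain):
    """Evaluate what a domain transition through exec_type needs.

    The first check is the one the thread's runcon experiment was missing:
    the caller (here an unconfined shell) must itself be able to reach the
    source domain, unless it already runs in it (as the certmonger daemon does).
    """
    return {
        "caller_can_reach_source": caller == src_domain
        or (caller, src_domain, "process", "transition") in rules,
        "source_can_execute_file": (src_domain, exec_type, "file", "execute") in rules,
        "file_is_entrypoint_for_new": (new_domain, exec_type, "file", "entrypoint") in rules,
        "source_can_transition_to_new": (src_domain, new_domain, "process", "transition") in rules,
    }


def missing_checks(rules, caller, src_domain, exec_type, new_domain):
    """Names of the conditions that fail, in a stable order."""
    result = transition_checks(rules, caller, src_domain, exec_type, new_domain)
    return [name for name, ok in result.items() if not ok]


if __name__ == "__main__":
    rules = parse_allow_rules(SESEARCH_OUTPUT)
    for caller in ("unconfined_t", "certmonger_t"):
        gaps = missing_checks(rules, caller, "certmonger_t",
                              "certmonger_unconfined_exec_t", "certmonger_unconfined_t")
        print(f"{caller}: {'ok' if not gaps else 'missing ' + ', '.join(gaps)}")
```

Run against real policy by piping `sesearch -A` output for the domains involved into `parse_allow_rules` instead of the constructed sample.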