From patchwork Mon Nov 23 15:34:48 2015
X-Patchwork-Submitter: Laurent Bigonville
X-Patchwork-Id: 7683231
Subject: Re: (Userspace) AVC denial generated even if allowed by the policy?
To: selinux@tycho.nsa.gov
References: <5652636F.2060609@debian.org>
From: Laurent Bigonville
Message-ID: <56533218.7090601@debian.org>
Date: Mon, 23 Nov 2015 16:34:48 +0100
In-Reply-To: <5652636F.2060609@debian.org>
List-Id: "Security-Enhanced Linux (SELinux) mailing list"

On 23/11/15 01:53, Laurent Bigonville wrote:
> Hi,
>
> I'm still looking at adding SELinux support in the "at" daemon and I
> now have the following patch[0].
>
> With this patch, at seems to behave like the cron daemon, as explained
> in the commit log:
>
> - When cron_userdomain_transition is set to off, a process for an
>   unconfined user will transition to unconfined_cronjob_t. For a
>   confined user, the job is run as cronjob_t.
>
> - When cron_userdomain_transition is set to on, the processes are run
>   under the user default context.
>
> But every time an AVC denial is generated (with
> cron_userdomain_transition set to off and the user running as staff_u,
> in permissive with unmodified refpolicy):
>
> avc: denied { entrypoint } for scontext=staff_u:staff_r:cronjob_t:s0
> tcontext=staff_u:object_r:user_cron_spool_t:s0 tclass=file
>
> The job runs as (id -Z): staff_u:staff_r:cronjob_t:s0
>
> But audit2{allow,why} are saying that this is already allowed in the
> policy.
>
> Setting the cron_userdomain_transition boolean to on, I have the
> following avc:
>
> avc: denied { entrypoint } for scontext=staff_u:sysadm_r:sysadm_t:s0
> tcontext=staff_u:object_r:user_cron_spool_t:s0 tclass=file
>
> The job runs as (id -Z): staff_u:sysadm_r:sysadm_t:s0
>
> So as said it seems to work, but I'm not sure why this AVC denial is
> generated.
>
> sesearch shows:
>
> $ sesearch -ATSC -t user_cron_spool_t -c file -p entrypoint
> Found 6 semantic av rules:
>    allow files_unconfined_type file_type : file { ioctl read write
>    create getattr setattr lock relabelfrom relabelto append unlink link
>    rename execute swapon quotaon mounton execute_no_trans entrypoint open
>    audit_access } ;
> DT allow unconfined_t user_cron_spool_t : file entrypoint ; [ cron_userdomain_transition ]
> DT allow user_t user_cron_spool_t : file entrypoint ; [ cron_userdomain_transition ]
> EF allow cronjob_t user_cron_spool_t : file entrypoint ; [ cron_userdomain_transition ]
> DT allow staff_t user_cron_spool_t : file entrypoint ; [ cron_userdomain_transition ]
> DT allow sysadm_t user_cron_spool_t : file entrypoint ; [ cron_userdomain_transition ]
>
> Did I overlook something?
>
> Cheers,
>
> Laurent Bigonville
>
> [0]
> https://anonscm.debian.org/cgit/users/bigon/at.git/commit/?h=selinux&id=0112f006b74a36f7200e315575fd25d78e11b170

I'm attaching the patch to this mail for the people that cannot access
the website and FTR.

Cheers,

Laurent Bigonville

From c8aa69e51d8781da782a50dbdf20b258288093d4 Mon Sep 17 00:00:00 2001
From: Laurent Bigonville
Date: Mon, 23 Nov 2015 12:25:13 +0100
Subject: [PATCH] Allow the user cronjobs to run in their userdomain

When the cron_userdomain_transition boolean is set to on, the user
cronjobs are supposed to run in their domains.

Without this patch the default context is not properly computed:

$ /usr/sbin/getdefaultcon user_u system_u:system_r:crond_t:s0
/usr/sbin/getdefaultcon: Invalid argument
$ /usr/sbin/getdefaultcon staff_u system_u:system_r:crond_t:s0
staff_u:sysadm_r:sysadm_t:s0

With this patch applied:

$ /usr/sbin/getdefaultcon user_u system_u:system_r:crond_t:s0
user_u:user_r:user_t:s0
$ /usr/sbin/getdefaultcon staff_u system_u:system_r:crond_t:s0
staff_u:staff_r:staff_t:s0

--- config/appconfig-mcs/staff_u_default_contexts | 2 +- config/appconfig-mcs/user_u_default_contexts | 2 +- config/appconfig-mls/staff_u_default_contexts | 2 +- config/appconfig-mls/user_u_default_contexts | 2 +- config/appconfig-standard/staff_u_default_contexts | 2 +- config/appconfig-standard/user_u_default_contexts | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/config/appconfig-mcs/staff_u_default_contexts b/config/appconfig-mcs/staff_u_default_contexts index 881a292..5606c4e 100644 --- a/config/appconfig-mcs/staff_u_default_contexts +++ b/config/appconfig-mcs/staff_u_default_contexts @@ -1,7 +1,7 @@ system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 system_r:remote_login_t:s0 staff_r:staff_t:s0 system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 -system_r:crond_t:s0 staff_r:cronjob_t:s0 +system_r:crond_t:s0 staff_r:staff_t:s0 staff_r:cronjob_t:s0 system_r:xdm_t:s0 staff_r:staff_t:s0 staff_r:staff_su_t:s0 staff_r:staff_t:s0 staff_r:staff_sudo_t:s0 staff_r:staff_t:s0 diff --git a/config/appconfig-mcs/user_u_default_contexts b/config/appconfig-mcs/user_u_default_contexts index cacbc93..56d6071 100644 --- a/config/appconfig-mcs/user_u_default_contexts +++ b/config/appconfig-mcs/user_u_default_contexts
@@ -1,7 +1,7 @@ system_r:local_login_t:s0 user_r:user_t:s0 system_r:remote_login_t:s0 user_r:user_t:s0 system_r:sshd_t:s0 user_r:user_t:s0 -system_r:crond_t:s0 user_r:cronjob_t:s0 +system_r:crond_t:s0 user_r:user_t:s0 user_r:cronjob_t:s0 system_r:xdm_t:s0 user_r:user_t:s0 user_r:user_su_t:s0 user_r:user_t:s0 user_r:user_sudo_t:s0 user_r:user_t:s0 diff --git a/config/appconfig-mls/staff_u_default_contexts b/config/appconfig-mls/staff_u_default_contexts index 881a292..5606c4e 100644 --- a/config/appconfig-mls/staff_u_default_contexts +++ b/config/appconfig-mls/staff_u_default_contexts @@ -1,7 +1,7 @@ system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 system_r:remote_login_t:s0 staff_r:staff_t:s0 system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 -system_r:crond_t:s0 staff_r:cronjob_t:s0 +system_r:crond_t:s0 staff_r:staff_t:s0 staff_r:cronjob_t:s0 system_r:xdm_t:s0 staff_r:staff_t:s0 staff_r:staff_su_t:s0 staff_r:staff_t:s0 staff_r:staff_sudo_t:s0 staff_r:staff_t:s0 diff --git a/config/appconfig-mls/user_u_default_contexts b/config/appconfig-mls/user_u_default_contexts index cacbc93..56d6071 100644 --- a/config/appconfig-mls/user_u_default_contexts +++ b/config/appconfig-mls/user_u_default_contexts @@ -1,7 +1,7 @@ system_r:local_login_t:s0 user_r:user_t:s0 system_r:remote_login_t:s0 user_r:user_t:s0 system_r:sshd_t:s0 user_r:user_t:s0 -system_r:crond_t:s0 user_r:cronjob_t:s0 +system_r:crond_t:s0 user_r:user_t:s0 user_r:cronjob_t:s0 system_r:xdm_t:s0 user_r:user_t:s0 user_r:user_su_t:s0 user_r:user_t:s0 user_r:user_sudo_t:s0 user_r:user_t:s0 diff --git a/config/appconfig-standard/staff_u_default_contexts b/config/appconfig-standard/staff_u_default_contexts index c2a5ea8..300694c 100644 --- a/config/appconfig-standard/staff_u_default_contexts +++ b/config/appconfig-standard/staff_u_default_contexts 
@@ -1,7 +1,7 @@ system_r:local_login_t staff_r:staff_t sysadm_r:sysadm_t system_r:remote_login_t staff_r:staff_t system_r:sshd_t staff_r:staff_t sysadm_r:sysadm_t -system_r:crond_t staff_r:cronjob_t +system_r:crond_t staff_r:staff_t staff_r:cronjob_t system_r:xdm_t staff_r:staff_t staff_r:staff_su_t staff_r:staff_t staff_r:staff_sudo_t staff_r:staff_t diff --git a/config/appconfig-standard/user_u_default_contexts b/config/appconfig-standard/user_u_default_contexts index f5bfac3..63b7eec 100644 --- a/config/appconfig-standard/user_u_default_contexts +++ b/config/appconfig-standard/user_u_default_contexts @@ -1,7 +1,7 @@ system_r:local_login_t user_r:user_t system_r:remote_login_t user_r:user_t system_r:sshd_t user_r:user_t -system_r:crond_t user_r:cronjob_t +system_r:crond_t user_r:user_t user_r:cronjob_t system_r:xdm_t user_r:user_t user_r:user_su_t user_r:user_t user_r:user_sudo_t user_r:user_t -- 2.6.2
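Review bot: in the config/appconfig-mcs/staff_u_default_contexts hunk (and its mls and standard twins) the new line `+system_r:crond_t:s0 staff_r:staff_t:s0 staff_r:cronjob_t:s0` only states a preference; which of the two entries wins is decided by whether the policy lets crond_t reach staff_t at all, that is by cron_userdomain_transition. That dependency is not documented: the commit message should say that with the boolean off the staff_t entry is expected to be unreachable so the lookup falls through to cronjob_t, and that with the boolean on the listed staff_t entry is what stops the fallback to an unlisted sysadm_r:sysadm_t seen in the "before" transcript. Something like "staff_t is listed first so it is preferred whenever the policy permits the crond_t to staff_t transition; otherwise the cronjob_t entry is used" would make the ordering reviewable.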
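Review bot: the diffstat covers only the staff_u and user_u files in the three appconfig flavours, ending with the config/appconfig-standard/user_u_default_contexts hunk. The sesearch output quoted earlier in the thread shows the same boolean gating unconfined_t and sysadm_t as well, so if any other per-user *_default_contexts file, or the global default_contexts, under config/appconfig-*/ carries a system_r:crond_t line of its own, it needs the same reordering for the boolean to behave consistently for those users. Please either extend the patch to those files or say in the commit message why only staff_u and user_u are affected.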
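The getdefaultcon transcripts in the commit message come from libselinux's get_ordered_context_list(): the kernel reports which contexts the source context may reach for the given SELinux user, and the per-user *_default_contexts file is used only to rank that reachable set, listed entries first in file order, unlisted reachable contexts afterwards in the order the kernel returned them. The following is an added, simplified re-implementation of that ranking written for this page; it is not libselinux code and not part of the thread. It assumes the reachable sets by hand (so the effect of cron_userdomain_transition can be modelled without a running SELinux system), assumes the first matching line of the file wins, and uses the staff_u MCS file contents before and after the patch as constructed input. Run as written, the "before" and "after" results reproduce the four staff_u outcomes in the commit message.

```python
"""Simulate the context ordering behind getdefaultcon (added example).

Simplified re-implementation of the ranking done by libselinux's
get_ordered_context_list(); not the library's own code.  The reachable
set, which the real code gets from the kernel (security_compute_user),
is supplied by hand here.
"""

# Constructed file contents, copied from the staff_u (MCS) hunk context.
STAFF_U_BEFORE = """\
system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:remote_login_t:s0 staff_r:staff_t:s0
system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:crond_t:s0 staff_r:cronjob_t:s0
system_r:xdm_t:s0 staff_r:staff_t:s0
"""
STAFF_U_AFTER = STAFF_U_BEFORE.replace(
    "system_r:crond_t:s0 staff_r:cronjob_t:s0",
    "system_r:crond_t:s0 staff_r:staff_t:s0 staff_r:cronjob_t:s0",
)

# Assumed reachable sets for staff_u from crond_t under each setting of
# cron_userdomain_transition, chosen to match the thread's transcripts.
# With the boolean on, the kernel is assumed to list sysadm_r before
# staff_r; that order is an assumption, not a measured value.
REACHABLE = {
    "on": ["staff_u:sysadm_r:sysadm_t:s0", "staff_u:staff_r:staff_t:s0"],
    "off": ["staff_u:staff_r:cronjob_t:s0"],
}
CROND = "system_u:system_r:crond_t:s0"


def role_type(con: str) -> str:
    """'user:role:type[:range]' -> 'role:type', the fields the file matches on."""
    return ":".join(con.split(":")[1:3])


def partial_role_type(field: str) -> str:
    """'role:type[:range]' as written in the contexts file -> 'role:type'."""
    return ":".join(field.split(":")[:2])


def parse_default_contexts(text: str) -> dict[str, list[str]]:
    """Map each source role:type to its ordered list of candidate role:type.

    Comments and blank lines are skipped; the first line for a given source
    wins (assumption of this simulation).
    """
    table: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        src, *cands = line.split()
        table.setdefault(partial_role_type(src), [partial_role_type(c) for c in cands])
    return table


def order_contexts(fromcon: str, reachable: list[str], file_text: str) -> list[str]:
    """Return the reachable contexts in the order getdefaultcon would prefer."""
    cands = parse_default_contexts(file_text).get(role_type(fromcon), [])

    def rank(con: str) -> int:
        rt = role_type(con)
        return cands.index(rt) if rt in cands else len(cands)

    # sorted() is stable, so unlisted contexts keep the kernel's order.
    return sorted(reachable, key=rank)


def default_context(fromcon: str, reachable: list[str], file_text: str) -> str:
    """First entry of the ordered list, i.e. what getdefaultcon prints."""
    ordered = order_contexts(fromcon, reachable, file_text)
    if not ordered:
        raise LookupError("no context reachable from " + fromcon)
    return ordered[0]


def compare_patch() -> dict[tuple[str, str], str]:
    """Default context for every (file version, boolean setting) pair."""
    out: dict[tuple[str, str], str] = {}
    for version, text in (("before", STAFF_U_BEFORE), ("after", STAFF_U_AFTER)):
        for setting, reach in REACHABLE.items():
            out[(version, setting)] = default_context(CROND, reach, text)
    return out


if __name__ == "__main__":
    for (version, setting), con in sorted(compare_patch().items()):
        print(f"{version:6} cron_userdomain_transition={setting:3} -> {con}")
```

The point the simulation makes is that the patch never changes which contexts are reachable; it only changes which reachable context is ranked first. Before the patch, with the boolean on, neither reachable context is listed on the crond_t line, so the kernel's own order decides and sysadm_t comes out on top; after the patch staff_t is listed and wins, while with the boolean off the staff_t entry is simply not reachable and cronjob_t is used.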