Guido Trentalancia | 1 Feb 2010 14:03

Allowing MLS->non-MLS and vice versa upon policy reload

Hello !

When switching at runtime from the standard reference policy and the MLS/MCS reference policy
(2.20091117), the ssh server on a Debian Lenny system does not accept new connections until it is restarted.

The following denials are generated:

type=1400 audit(1265028026.079:19): avc:  denied  { transition } for  pid=8973 comm="sshd"
path="/bin/bash" dev=dm-1 ino=146597 scontext=system_u:system_r:sshd_t:s0
tcontext=root:staff_r:staff_t:s0-s0:c0.c1023 tclass=process

Unfortunately, simply adding a custom module such as the following:

require {
        type staff_t;
        type sshd_t;
        class process transition;
}

#============= sshd_t ==============
allow sshd_t staff_t:process transition;

does not help.

I believe the problem arises as soon as the ssh server opens a shell for the user as I get "/bin/bash:
Permission denied" after the initial /etc/motd banner (and the connection is dropped at that point).

Does anybody have an idea on how to sort out this issue ?

I believe the server is OpenSSH version 5.1p1, while bash is version 3.2.39(1). I have not had time to test

Stephen Smalley | 1 Feb 2010 15:29

Re: how to trace an avc denial

On Sat, 2010-01-30 at 18:43 +0100, Stefan Schulze Frielinghaus wrote:
> Hi all,
> 
> I'm trying to create a policy for pidgin and hit the following problem:
> When pidgin is started via the GNOME menu "Applications -> Internet ->
> Pidgin" then I get the following AVC:
> 
> type=1400 audit(1264870417.250:22382): avc:  denied  { search } for
> pid=9114 comm="pidgin" name="1" dev=proc ino=160141
> scontext=unconfined_u:unconfined_r:pidgin_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:init_t:s0 tclass=dir
> type=1400 audit(1264870417.250:22382): avc:  denied  { read } for
> pid=9114 comm="pidgin" name="exe" dev=proc ino=160142
> scontext=unconfined_u:unconfined_r:pidgin_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:init_t:s0 tclass=lnk_file
> 
> At the moment I just don't audit the denials:
> 
> require {
>         type init_t;
> }
> 
> dontaudit pidgin_t init_t:dir search;
> dontaudit pidgin_t init_t:lnk_file read;
> 
> What I would like to do is find out if pidgin itself is
> accessing /proc/1/exe or if it is a library. A simple
> "grep -R '/proc/' ./pidgin-source" does not provide any helpful output.
> My guess is that it is a leaked file descriptor because if I start
> pidgin from a shell, then I do not have this problem (I have a rule for

Stephen Smalley | 1 Feb 2010 15:28

Re: access decision API

On Sat, 2010-01-30 at 12:03 +0330, michel m wrote:
> as the last question,
> what I need is to ask the security server whether data residing in
> userspace, owning a context, can be written to a file in the OS.
> Does it make sense if I do it in this way:
>     avc_has_perm(data_sid, file_sid, SECCLASS_FILE, null, null)
> 
> I am confused, because I guessed using such a syntax means checking if a
> process is able to write to a file, but here we are going to check if
> data can be written to a file.
> 
> If everything is ok, how is the action specified, that is, write?

I would recommend defining a new security class and permission for your
purpose to avoid confusion with existing ones and to avoid conflicts
with any future additions to the existing ones.  You can define new
classes and permissions by adding them to the security_classes and
access_vectors files under refpolicy/policy/flask in the reference
policy.  Then you can define your own SECCLASS_FOO and FOO__WRITE
definitions, and establish a mapping via selinux_set_mapping().

-- 
Stephen Smalley
National Security Agency
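As an added illustration (not code from the thread or from libselinux itself), a constructed example of the class and permission definitions and the selinux_set_mapping() call described above. The class name foo, its permission names, the helper functions and the USE_LIBSELINUX switch are assumptions; the stand-alone build mirrors libselinux's struct layout so the numbering convention can be checked without the library installed.

```c
#include <stdint.h>
#include <string.h>
#ifdef USE_LIBSELINUX   /* real build: cc -DUSE_LIBSELINUX ... -lselinux */
#include <selinux/selinux.h>
#include <selinux/avc.h>
#else                   /* stand-alone: mirror the libselinux declarations */
typedef uint32_t access_vector_t;
typedef uint16_t security_class_t;
struct security_class_mapping { const char *name; const char *perms[33]; };
#endif

/* Constructed private class "foo" (hypothetical); matching flask additions are
 * security_classes "class foo" and access_vectors "class foo { read write }".
 * selinux_set_mapping() numbers classes from 1 and permission bits in listing order. */
static struct security_class_mapping foo_map[] = {
    { "foo", { "read", "write", NULL } },
    { NULL, { NULL } }
};
#define SECCLASS_FOO 1U           /* foo_map[0] */
#define FOO__WRITE   0x00000002U  /* bit 1: second listed permission */

/* Class number selinux_set_mapping() gives NAME (0 = not in the mapping). */
security_class_t map_class(const struct security_class_mapping *map, const char *name)
{
    for (unsigned i = 0; map[i].name != NULL; i++)
        if (strcmp(map[i].name, name) == 0)
            return (security_class_t)(i + 1);
    return 0;
}

/* Permission bit PERM gets within class CLS (0 = not in the mapping). */
access_vector_t map_perm(const struct security_class_mapping *map, const char *cls, const char *perm)
{
    security_class_t c = map_class(map, cls);
    for (unsigned b = 0; c != 0 && map[c - 1].perms[b] != NULL; b++)
        if (strcmp(map[c - 1].perms[b], perm) == 0)
            return (access_vector_t)1 << b;
    return 0;
}

#ifdef USE_LIBSELINUX
/* May data labelled DATA_CTX be written to a file labelled FILE_CTX? 0 = allowed,
 * -1 = denied or error; the loaded policy must already define class foo. */
int data_may_write_file(const char *data_ctx, const char *file_ctx)
{
    security_id_t ssid, tsid;
    if (selinux_set_mapping(foo_map) < 0 || avc_open(NULL, 0) < 0 ||
        avc_context_to_sid(data_ctx, &ssid) < 0 || avc_context_to_sid(file_ctx, &tsid) < 0)
        return -1;
    return avc_has_perm(ssid, tsid, SECCLASS_FOO, FOO__WRITE, NULL, NULL);
}
#endif
```

If the kernel policy does not define the class, selinux_set_mapping() fails instead of silently checking against "file", which is the confusion the question was about.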

Stephen Smalley | 1 Feb 2010 15:33

Re: Cannot go to enforcing

On Sun, 2010-01-31 at 19:05 +0300, AlannY wrote:
> Hi there. Still trying to go to enforcing in Archlinux.
> 
> First of all, my sestatus -v
> 
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   permissive
> Mode from config file:          permissive
> Policy version:                 24
> Policy from config file:        refpolicy
> 
> Process contexts:
> Current context:                user_u:user_r:user_t:s0
> Init context:                   system_u:system_r:init_t:s0
> /sbin/agetty                    system_u:system_r:getty_t:s0
> 
> File contexts:
> Controlling term:               user_u:object_r:user_tty_device_t:s0
> /etc/passwd                     system_u:object_r:etc_t:s0
> /etc/shadow                     system_u:object_r:shadow_t:s0
> /bin/bash                       system_u:object_r:shell_exec_t:s0
> /bin/login                      system_u:object_r:login_exec_t:s0
> /bin/sh                         system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
> /sbin/agetty                    system_u:object_r:getty_exec_t:s0
> /sbin/init                      system_u:object_r:init_exec_t:s0
> /lib/libc.so.6                  system_u:object_r:lib_t:s0 -> system_u:object_r:lib_t:s0
> 
> I'm using the latest refpolicy with build.conf as in Fedora:
> 

James Carter | 1 Feb 2010 16:11

Re: [PATCH 14/15] [src-policy] semodule: user message support

On Tue, 2010-01-26 at 17:08 -0500, Caleb Case wrote:
> This adds the -m,--message option to semodule so that users can specify
> a message for the ChangeLog.
> 

Are there plans to add user message support to semanage?  Unfortunately,
in semanage "-m" is already in use.

>   -m,--message=MSG user message for the ChangeLog
> 
> Example:
> 
> # semodule -E alsa -m "Allow alsa to execute cowsay."
> ---
>  policycoreutils/semodule/semodule.8 |    3 +++
>  policycoreutils/semodule/semodule.c |   24 +++++++++++++++++++++++-
>  2 files changed, 26 insertions(+), 1 deletions(-)
> 
> diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8
> index 8baad8b..97d31dd 100644
> --- a/policycoreutils/semodule/semodule.8
> +++ b/policycoreutils/semodule/semodule.8
>  <at>  <at>  -87,6 +87,9  <at>  <at>  prints help message and quit
>  .TP
>  .B  \-v,\-\-verbose     
>  be verbose
> +.TP
> +.B  \-m,\-\-message=MSG
> +user message for the ChangeLog
>  
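Review bot: the new semodule.8 entry "user message for the ChangeLog" does not say which semodule operations record the message or where that ChangeLog lives, so a reader of the man page cannot tell whether -m is meaningful on its own or only alongside another action such as the -E in the commit message example. Suggest expanding the entry to name the ChangeLog and the operations that honour the option, and carrying the example `semodule -E alsa -m "Allow alsa to execute cowsay."` into the man page.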

Stephen Smalley | 1 Feb 2010 16:28

Re: [PATCH] Allowing MLS->non-MLS and vice versa upon policy reload

On Sun, 2010-01-31 at 23:43 +0100, Guido Trentalancia wrote:
> Dear Stephen,
> 
> I have created the patch for allowing runtime switch between different policy types, according to your
> advice and previous discussions on this mailing list. The patch obsoletes the small piece of
> documentation that I wrote a few days ago to help new users cope with the limitation.
> 
> I would be very grateful if you could review the patch so that, as soon as it is reviewed, it can be posted to
> the kernel mailing list. I have done some basic testing and it works on one of my systems, although
> sometimes I get the following side-effect:
> 
> /dev/pts/0 changed labels.
> Unable to restore tty label...
> 
> which however doesn't affect the system. I am not sure where that comes from (perhaps bash)...

pam_selinux and openssh set the tty label on session open and restore it
upon session close.  But if it changes in the interim, they won't
restore it.  Switching MLS status will appear to change the tty label
because of the addition or removal of the MLS suffix.  I guess we'll
have to think about how/whether the userspace logic should change.

> Regards,
> 
> Guido Trentalancia
> 
> Author: Guido Trentalancia <guido@...>
> Date:   Sun Jan 31 22:10:22 2010 +0100
> 
>     Allow runtime switching between different policy types (e.g. from a MLS/MCS

Stephen Smalley | 1 Feb 2010 16:32

Re: Allowing MLS->non-MLS and vice versa upon policy reload

On Mon, 2010-02-01 at 14:03 +0100, Guido Trentalancia wrote:
> Hello !
> 
> When switching at runtime from the standard reference policy and the MLS/MCS reference policy
> (2.20091117), the ssh server on a Debian Lenny system does not accept new connections until it is restarted.
> 
> The following denials are generated:
> 
> type=1400 audit(1265028026.079:19): avc:  denied  { transition } for  pid=8973 comm="sshd"
> path="/bin/bash" dev=dm-1 ino=146597 scontext=system_u:system_r:sshd_t:s0
> tcontext=root:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
> 
> Unfortunately, simply adding a custom module such as the following:
> 
> require {
>         type staff_t;
>         type sshd_t;
>         class process transition;
> }
> 
> #============= sshd_t ==============
> allow sshd_t staff_t:process transition;
> 
> does not help.
> 
> I believe the problem arises as soon as the ssh server opens a shell for the user as I get "/bin/bash:
> Permission denied" after the initial /etc/motd banner (and the connection is dropped at that point).
> 
> Does anybody have an idea on how to sort out this issue ?
> 

Stephen Smalley | 1 Feb 2010 16:37

Re: [PATCH] Allowing MLS->non-MLS and vice versa upon policy reload

On Mon, 2010-02-01 at 10:28 -0500, Stephen Smalley wrote:
> On Sun, 2010-01-31 at 23:43 +0100, Guido Trentalancia wrote:
> > Dear Stephen,
> > 
> > I have created the patch for allowing runtime switch between different policy types, according to your
> > advice and previous discussions on this mailing list. The patch obsoletes the small piece of
> > documentation that I wrote a few days ago to help new users cope with the limitation.
> > 
> > I would be very grateful if you could review the patch so that, as soon as it is reviewed, it can be posted to
> > the kernel mailing list. I have done some basic testing and it works on one of my systems, although
> > sometimes I get the following side-effect:
> > 
> > /dev/pts/0 changed labels.
> > Unable to restore tty label...
> > 
> > which however doesn't affect the system. I am not sure where that comes from (perhaps bash)...
> 
> pam_selinux and openssh set the tty label on session open and restore it
> upon session close.  But if it changes in the interim, they won't
> restore it.  Switching MLS status will appear to change the tty label
> because of the addition or removal of the MLS suffix.  I guess we'll
> have to think about how/whether the userspace logic should change.
> 
> > Regards,
> > 
> > Guido Trentalancia
> > 
> > Author: Guido Trentalancia <guido@...>
> > Date:   Sun Jan 31 22:10:22 2010 +0100
> > 

Guido Trentalancia | 1 Feb 2010 17:36

Re: [PATCH] Allowing MLS->non-MLS and vice versa upon policy reload

Excellent Stephen, very timely !

I am now going to make the necessary amendments and then I will post a proposed final patch that you can
eventually review again or otherwise just add an Acked-by or Reviewed-by line and I will forward it to the
kernel mailing list.

Of course comments from other list members are always welcome.

A few notes on your comments...

> Avoid adding extern declarations to .c files - they are
> discouraged. The current code isn't pristine in this
> regard, but let's not make it worse.

You are right. I did check with checkpatch.pl, but because selinuxfs.c hasn't got its own header file, I
wasn't sure how to deal with the warning. Shall I create a header file specifically for it or otherwise
try to reuse other global header files ?

> I wouldn't take these functions to their own .c file, and 
> if you do so, then "inline" no longer makes sense.  But 
> why did you do so?  It will add overhead to make them 
> out-of-line with no obvious benefit.

I was getting compilation errors. Perhaps you can give it a try.

> This seems inconsistent with the other functions - here 
> you pass the policydb as an argument rather than just 
> using the active policydb. If that were truly necessary, 
> I'd argue for passing the policydb to all of the 
> functions for consistency.  But I think in fact that we 

Caleb Case | 1 Feb 2010 18:00

RE: [PATCH 14/15] [src-policy] semodule: user message support


> -----Original Message-----
> From: James Carter [mailto:jwcart2@...]
> Sent: Monday, February 01, 2010 10:12 AM
> To: Caleb Case
> Cc: selinux@...; Chad Sellers; Karl MacMillan; Joshua Brindle;
> sds@...
> Subject: Re: [PATCH 14/15] [src-policy] semodule: user message support
> 
> On Tue, 2010-01-26 at 17:08 -0500, Caleb Case wrote:
> > This adds the -m,--message option to semodule so that users can specify
> > a message for the ChangeLog.
> >
> 
> Are there plans to add user message support to semanage? Unfortunately,
> in semanage "-m" is already in use.

Yes, maybe -M is better so we can use the same flag in both tools?

> 
> >   -m,--message=MSG user message for the ChangeLog
> >
> > Example:
> >
> > # semodule -E alsa -m "Allow alsa to execute cowsay."
> > ---
> >  policycoreutils/semodule/semodule.8 |    3 +++
