Running racoon from init

All of lore.kernel.org
 help / color / mirror / Atom feed

* Running racoon from init_t?
@ 2007-03-09 17:09 Paul Moore
  2007-03-09 17:36 ` Stephen Smalley
  0 siblings, 1 reply; 5+ messages in thread
From: Paul Moore @ 2007-03-09 17:09 UTC (permalink / raw)
  To: SE Linux; +Cc: Daniel J Walsh, Christopher J.PeBenito

This is in regards to RHEL5 and the MLS policy.

I'm trying to run racoon at startup, from within the rc.local script, which 
means it is being run from init/init_t.  Whenever I try to do this I see the 
following AVC denials:

***
type=AVC msg=audit(1173457995.784:305): avc:  denied  { use } for  pid=2105 
comm="racoon" name="console" dev=tmpfs ino=725 
scontext=system_u:system_r:racoon_t:s0-s15:c0.c1023 
tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=fd
type=AVC msg=audit(1173457995.784:305): avc:  denied  { use } for  pid=2105 
comm="racoon" name="console" dev=tmpfs ino=725 
scontext=system_u:system_r:racoon_t:s0-s15:c0.c1023 
tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=fd
type=AVC msg=audit(1173457995.784:305): avc:  denied  { use } for  pid=2105 
comm="racoon" name="console" dev=tmpfs ino=725 
scontext=system_u:system_r:racoon_t:s0-s15:c0.c1023 
tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=fd
***

I suspect this can fixed by adding the following to the policy, suggestions?

 init_use_fds(racoon_t)

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Running racoon from init_t?
  2007-03-09 17:09 Running racoon from init_t? Paul Moore
@ 2007-03-09 17:36 ` Stephen Smalley
  2007-03-09 17:40   ` Stephen Smalley
  0 siblings, 1 reply; 5+ messages in thread
From: Stephen Smalley @ 2007-03-09 17:36 UTC (permalink / raw)
  To: Paul Moore; +Cc: SE Linux, Daniel J Walsh, Christopher J.PeBenito

On Fri, 2007-03-09 at 12:09 -0500, Paul Moore wrote:
> This is in regards to RHEL5 and the MLS policy.
> 
> I'm trying to run racoon at startup, from within the rc.local script, which 
> means it is being run from init/init_t.  Whenever I try to do this I see the 
> following AVC denials:

Should be run from initrc_t (rc.local should have initrc_exec_t on it).
Although the inherited fds may still have init_t on them due to being
created by /sbin/init and then just inherited by the descendants.

> 
> ***
> type=AVC msg=audit(1173457995.784:305): avc:  denied  { use } for  pid=2105 
> comm="racoon" name="console" dev=tmpfs ino=725 
> scontext=system_u:system_r:racoon_t:s0-s15:c0.c1023 
> tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=fd
> type=AVC msg=audit(1173457995.784:305): avc:  denied  { use } for  pid=2105 
> comm="racoon" name="console" dev=tmpfs ino=725 
> scontext=system_u:system_r:racoon_t:s0-s15:c0.c1023 
> tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=fd
> type=AVC msg=audit(1173457995.784:305): avc:  denied  { use } for  pid=2105 
> comm="racoon" name="console" dev=tmpfs ino=725 
> scontext=system_u:system_r:racoon_t:s0-s15:c0.c1023 
> tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=fd
> ***
> 
> I suspect this can fixed by adding the following to the policy, suggestions?
> 
>  init_use_fds(racoon_t)

I'd have expected it to pick up the right rules from being an
init_daemon_domain().

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Running racoon from init_t?
  2007-03-09 17:36 ` Stephen Smalley
@ 2007-03-09 17:40   ` Stephen Smalley
  2007-03-09 19:31     ` Paul Moore
  2007-03-09 21:30     ` Christopher J. PeBenito
  0 siblings, 2 replies; 5+ messages in thread
From: Stephen Smalley @ 2007-03-09 17:40 UTC (permalink / raw)
  To: Paul Moore; +Cc: SE Linux, Daniel J Walsh, Christopher J.PeBenito

On Fri, 2007-03-09 at 12:36 -0500, Stephen Smalley wrote:
> On Fri, 2007-03-09 at 12:09 -0500, Paul Moore wrote:
> > This is in regards to RHEL5 and the MLS policy.
> > 
> > I'm trying to run racoon at startup, from within the rc.local script, which 
> > means it is being run from init/init_t.  Whenever I try to do this I see the 
> > following AVC denials:
> 
> Should be run from initrc_t (rc.local should have initrc_exec_t on it).
> Although the inherited fds may still have init_t on them due to being
> created by /sbin/init and then just inherited by the descendants.
> 
> > 
> > ***
> > type=AVC msg=audit(1173457995.784:305): avc:  denied  { use } for  pid=2105 
> > comm="racoon" name="console" dev=tmpfs ino=725 
> > scontext=system_u:system_r:racoon_t:s0-s15:c0.c1023 
> > tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=fd
> > type=AVC msg=audit(1173457995.784:305): avc:  denied  { use } for  pid=2105 
> > comm="racoon" name="console" dev=tmpfs ino=725 
> > scontext=system_u:system_r:racoon_t:s0-s15:c0.c1023 
> > tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=fd
> > type=AVC msg=audit(1173457995.784:305): avc:  denied  { use } for  pid=2105 
> > comm="racoon" name="console" dev=tmpfs ino=725 
> > scontext=system_u:system_r:racoon_t:s0-s15:c0.c1023 
> > tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=fd
> > ***
> > 
> > I suspect this can fixed by adding the following to the policy, suggestions?
> > 
> >  init_use_fds(racoon_t)
> 
> I'd have expected it to pick up the right rules from being an
> init_daemon_domain().

Actually, I'd tend to think that should be dontaudit'd - it doesn't have
a legitimate need to access the console, right?  Then SELinux will just
close the descriptor silently and replace it with a ref to the null
device.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Running racoon from init_t?
  2007-03-09 17:40   ` Stephen Smalley
@ 2007-03-09 19:31     ` Paul Moore
  2007-03-09 21:30     ` Christopher J. PeBenito
  1 sibling, 0 replies; 5+ messages in thread
From: Paul Moore @ 2007-03-09 19:31 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SE Linux, Daniel J Walsh, Christopher J.PeBenito

On Friday, March 9 2007 12:40:20 pm Stephen Smalley wrote:
> On Fri, 2007-03-09 at 12:36 -0500, Stephen Smalley wrote:
> > On Fri, 2007-03-09 at 12:09 -0500, Paul Moore wrote:
> > > I suspect this can fixed by adding the following to the policy,
> > > suggestions?
> > >
> > >  init_use_fds(racoon_t)
> >
> > I'd have expected it to pick up the right rules from being an
> > init_daemon_domain().
>
> Actually, I'd tend to think that should be dontaudit'd - it doesn't have
> a legitimate need to access the console, right?  Then SELinux will just
> close the descriptor silently and replace it with a ref to the null
> device.

That sounds reasonable as any configuration done in in this context will have 
to be from a configuration file and not from stdin.

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Running racoon from init_t?
  2007-03-09 17:40   ` Stephen Smalley
  2007-03-09 19:31     ` Paul Moore
@ 2007-03-09 21:30     ` Christopher J. PeBenito
  1 sibling, 0 replies; 5+ messages in thread
From: Christopher J. PeBenito @ 2007-03-09 21:30 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Paul Moore, SE Linux, Daniel J Walsh

On Fri, 2007-03-09 at 12:40 -0500, Stephen Smalley wrote:
> On Fri, 2007-03-09 at 12:36 -0500, Stephen Smalley wrote:
> > On Fri, 2007-03-09 at 12:09 -0500, Paul Moore wrote:
> > > This is in regards to RHEL5 and the MLS policy.
> > > 
> > > I'm trying to run racoon at startup, from within the rc.local script, which 
> > > means it is being run from init/init_t.  Whenever I try to do this I see the 
> > > following AVC denials:
> > 
> > Should be run from initrc_t (rc.local should have initrc_exec_t on it).
> > Although the inherited fds may still have init_t on them due to being
> > created by /sbin/init and then just inherited by the descendants.
> > 
> > > 
> > > ***
> > > type=AVC msg=audit(1173457995.784:305): avc:  denied  { use } for  pid=2105 
> > > comm="racoon" name="console" dev=tmpfs ino=725 
> > > scontext=system_u:system_r:racoon_t:s0-s15:c0.c1023 
> > > tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=fd
> > > type=AVC msg=audit(1173457995.784:305): avc:  denied  { use } for  pid=2105 
> > > comm="racoon" name="console" dev=tmpfs ino=725 
> > > scontext=system_u:system_r:racoon_t:s0-s15:c0.c1023 
> > > tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=fd
> > > type=AVC msg=audit(1173457995.784:305): avc:  denied  { use } for  pid=2105 
> > > comm="racoon" name="console" dev=tmpfs ino=725 
> > > scontext=system_u:system_r:racoon_t:s0-s15:c0.c1023 
> > > tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=fd
> > > ***
> > > 
> > > I suspect this can fixed by adding the following to the policy, suggestions?
> > > 
> > >  init_use_fds(racoon_t)
> > 
> > I'd have expected it to pick up the right rules from being an
> > init_daemon_domain().
> 
> Actually, I'd tend to think that should be dontaudit'd - it doesn't have
> a legitimate need to access the console, right?  Then SELinux will just
> close the descriptor silently and replace it with a ref to the null
> device.

I agree.  Actually there's a noticeable amount of services that allow
this already.  If the service has rules that allow the console access,
we can leave the init fd inheritance for now (making note to revisit
it).  But if it doesn't use the console, we can remove the
init_use_fds() and have the fds be dontaudited through the
init_daemon_domain() interface.  Make sense?

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2007-03-09 21:30 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-03-09 17:09 Running racoon from init_t? Paul Moore
2007-03-09 17:36 ` Stephen Smalley
2007-03-09 17:40   ` Stephen Smalley
2007-03-09 19:31     ` Paul Moore
2007-03-09 21:30     ` Christopher J. PeBenito

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.