From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] Debian: ldd /sbin/udevd, need to use interactive fds
Date: Mon, 08 Sep 2008 11:31:29 -0400 [thread overview]
Message-ID: <1220887889.28287.117.camel@gorn> (raw)
In-Reply-To: <20080908141529.GA22294@bobek.pm.i.cz>
On Mon, 2008-09-08 at 16:15 +0200, V?clav Ovs?k wrote:
> On Wed, Sep 03, 2008 at 03:52:37PM +0200, V?clav Ovs?k wrote:
> > > ...
> > > ldd is just a shell script, which does "LD_TRACE_LOADED_OBJECTS=1 $cmd" (you
> > > can run that on the command line if you want). Setting
> > > LD_TRACE_LOADED_OBJECTS causes the dynamic linker to link the program and
> > > output the objects it has linked but then exit without calling main().
> > >
> > > Since $cmd is never properly executed, it doesn't make sense to be
> > > transitioning to its domain. So I think ldd should have a domain of its
> > > own, which has no privileges except to write to the terminal and to
> > > execute_no_trans everything.
> >
> > Hmm, it sounds like the right way to solve this.
I'm not entirely convinced that ldd should have its own domain. ldd
should only have access to binaries that the caller has access to. By
having a special domain you lose that.
I'm kicking around the idea that ldd should just setexeccon() to the
current domain when it does the "LD_TRACE_LOADED_OBJECTS=1 $cmd" to
override any transition that might exist in the policy. But that causes
problems if the domain can't setexeccon(), unless those failures are
nonfatal. But then you could still be denied if the caller domain
doesn't have execute_no_trans permission on the binary. So even this
isn't a perfect solution.
> > Maybe this could solve the problem with the transition to rsync_t from user
> > domains while rsync is running over ssh. Great.
I don't know what problem you're referring to.
> Please hit me to the right direction. ;)
>
> I have prepared a patch - domain for ldd, but did not know, how to
> prevent SE Linux from trying transition into other domains.
>
> For this time I allow ldd only for sysadm.
>
> test at sid:~$ ldd /sbin/udevd
> [ 7994.537291] type=1401 audit(1220882097.504:11): security_compute_sid: invalid context sysadm_u:system_r:ldd_t:s0 for scontext=sysadm_u:sysadm_r:ldd_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=process
> [ 7994.541371] type=1400 audit(1220882097.504:11): avc: denied { transition }
> for pid=4283 comm="ldd" path="/sbin/udevd" dev=hda2 ino=114501 scontext=sysadm_u:sysadm_r:ldd_t:s0 tcontext=sysadm_u:system_r:ldd_t:s0 tclass=process
> [ 7994.547602] type=1400 audit(1220882097.504:11): avc: denied { entrypoint }
> for pid=4283 comm="ldd" path="/sbin/udevd" dev=hda2 ino=114501 scontext=sysadm_u:system_r:ldd_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file
> [ 7994.566746] type=1300 audit(1220882097.504:11): arch=40000003 syscall=11 success=yes exit=0 a0=9d21fc8 a1=9d21928 a2=9d19008 a3=0 items=0 ppid=4282 pid=4283
> auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=tty1 ses=4294967295 comm="udevd" exe="/sbin/udevd" subj=sysadm_u:system_r:ldd_t:s0 key=(null)
> linux-gate.so.1 => (0xb7f30000)
> libselinux.so.1 => /lib/libselinux.so.1 (0xb7f0f000)
> libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb7db4000)
> libdl.so.2 => /lib/i686/cmov/libdl.so.2 (0xb7daf000)
> /lib/ld-linux.so.2 (0xb7f31000)
> test at sid:~$
>
>
> zito at sid:~$ sesearch -T -t udev_exec_t
> Found 6 semantic te rules:
> type_transition sysadm_t udev_exec_t : process udev_t;
> type_transition unconfined_t udev_exec_t : process udev_t;
> type_transition kernel_t udev_exec_t : process udev_t;
> type_transition hald_t udev_exec_t : process udev_t;
> type_transition initrc_t udev_exec_t : process udev_t;
> type_transition hotplug_t udev_exec_t : process udev_t;
>
> There is no type_transition rule for ldd_t.
>
>
> zito at sid:~$ sesearch -A -s ldd_t -t udev_exec_t
> Found 1 semantic av rules:
> allow ldd_t @ttr0292 : file { ioctl read getattr lock execute execute_no_trans } ;
>
> Ldd has allow rule for execute_no_trans, so SE Linux should quietly
> execute udevd without transition. Am I wrong?
Unfortunately I don't see why you are encountering this behavior, based
on the messages and the patch you attached. Without the type_transition
there shouldn't be a transition, unless there was a setexeccon() in the
ldd script, in which case you'd see a corresponding denial for that
permission.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
next prev parent reply other threads:[~2008-09-08 15:31 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-09-01 17:12 [refpolicy] Debian: ldd /sbin/udevd, need to use interactive fds Václav Ovsík
2008-09-02 13:19 ` Christopher J. PeBenito
2008-09-02 14:27 ` Václav Ovsík
2008-09-03 11:22 ` Martin Orr
2008-09-03 13:52 ` Václav Ovsík
2008-09-08 14:15 ` V�clav Ovs�k
2008-09-08 15:31 ` Christopher J. PeBenito [this message]
2008-09-11 19:00 ` Martin Orr
2008-09-12 14:29 ` Václav Ovsík
2008-09-15 13:36 ` Václav Ovsík
2008-09-15 17:14 ` Václav Ovsík
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1220887889.28287.117.camel@gorn \
--to=cpebenito@tresys.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.