* blocking security xattr changes when policy is not loaded
@ 2004-03-09 22:29 Arkadiusz Miskiewicz
  2004-03-10 12:50 ` Stephen Smalley
  0 siblings, 1 reply; 6+ messages in thread
From: Arkadiusz Miskiewicz @ 2004-03-09 22:29 UTC (permalink / raw)
  To: selinux

Hi,

The case is that a 2.6 selinux-enabled kernel _without_ a policy loaded does not
allow the root user to change the security xattr.

The question is why is that?

I'm asking because, for example, I'm using pwconv from pwdutils (which replaces
shadow-utils and has nice selinux support), and pwconv creates the temporary
file /etc/shadow.tmpWAjQQd and does a rename(). Of course pwconv wants to keep
the security xattr on the shadow file intact, so it tries to
label /etc/shadow.tmpWAjQQd with the same security xattr as /etc/shadow has,
but ... the kernel won't allow it to do that! setfilecon -> invalid argument

The solution is to disable copying the security xattr in pwconv, but then I just lose
the proper security xattr on shadow, and that's bad.

Why is such a restriction made in the kernel? It doesn't give more security to the
system. If I get the root account (policy not loaded) then I can do anything, like
replacing the kernel with a modified one, etc.

Blocking security xattr for root in such case smells like security by 
obscurity.
-- 
Arkadiusz Miśkiewicz     CS at FoE, Wroclaw University of Technology
arekm.pld-linux.org, 1024/3DB19BBD, JID: arekm.jabber.org, PLD/Linux


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: blocking security xattr changes when policy is not loaded
  2004-03-09 22:29 blocking security xattr changes when policy is not loaded Arkadiusz Miskiewicz
@ 2004-03-10 12:50 ` Stephen Smalley
  2004-03-10 13:20   ` Arkadiusz Miskiewicz
  2004-03-10 15:59   ` Thorsten Kukuk
  0 siblings, 2 replies; 6+ messages in thread
From: Stephen Smalley @ 2004-03-10 12:50 UTC (permalink / raw)
  To: Arkadiusz Miskiewicz; +Cc: selinux

On Tue, 2004-03-09 at 17:29, Arkadiusz Miskiewicz wrote:
> Hi,
> 
> The case is that a 2.6 selinux-enabled kernel _without_ a policy loaded does not
> allow the root user to change the security xattr.
> 
> The question is why is that?

SELinux still performs its regular processing even without the policy
load; it is just that any permission checks are allowed until a policy
is loaded.  The setxattr() is not failing due to a permission check; it
is failing because selinux_inode_setxattr() attempts to convert the
context to a SID (via security_context_to_sid) in preparation for making
permission checks, and the context is unknown to the security server
(policy engine) because no policy has been loaded.  The security server
can't just blindly accept contexts and provide SIDs; it needs to have an
internal representation of the context that it can understand.

In any event, note is_selinux_enabled() should return 0 when no policy
is loaded, so if the pwdutils code was bracketing SELinux-related
processing with if (is_selinux_enabled() > 0), it wouldn't even try to
do this.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency



* Re: blocking security xattr changes when policy is not loaded
  2004-03-10 12:50 ` Stephen Smalley
@ 2004-03-10 13:20   ` Arkadiusz Miskiewicz
  2004-03-10 13:28     ` Stephen Smalley
  2004-03-10 15:59   ` Thorsten Kukuk
  1 sibling, 1 reply; 6+ messages in thread
From: Arkadiusz Miskiewicz @ 2004-03-10 13:20 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux

On Wednesday 10 March 2004 13:50, Stephen Smalley wrote:

> SELinux still performs its regular processing even without the policy
> load; it is just that any permission checks are allowed until a policy
> is loaded.  The setxattr() is not failing due to a permission check; it
> is failing because selinux_inode_setxattr() attempts to convert the
> context to a SID (via security_context_to_sid) in preparation for making
> permission checks, and the context is unknown to the security server
> (policy engine) because no policy has been loaded.  The security server
> can't just blindly accept contexts and provide SIDs; it needs to have an
> internal representation of the context that it can understand.

Don't know the internals, but why can't it blindly accept? No policy, so
nothing to do with selinux stuff. If any permission checks are allowed, then there is no
need to check anything (no need for security_context_to_sid()), right?

> In any event, note is_selinux_enabled() should return 0 when no policy
> is loaded, so if the pwdutils code was bracketing SELinux-related
> processing with if (is_selinux_enabled() > 0), it wouldn't even try to
> do this.

That's bad - I wrote why. I will lose the security xattr on the file!
When I load a policy, things will go really bad since the /etc/shadow file won't have
the proper security context.

-- 
Arkadiusz Miśkiewicz     CS at FoE, Wroclaw University of Technology
arekm.pld-linux.org, 1024/3DB19BBD, JID: arekm.jabber.org, PLD/Linux



* Re: blocking security xattr changes when policy is not loaded
  2004-03-10 13:20   ` Arkadiusz Miskiewicz
@ 2004-03-10 13:28     ` Stephen Smalley
  0 siblings, 0 replies; 6+ messages in thread
From: Stephen Smalley @ 2004-03-10 13:28 UTC (permalink / raw)
  To: Arkadiusz Miskiewicz; +Cc: selinux

On Wed, 2004-03-10 at 08:20, Arkadiusz Miskiewicz wrote:
> Don't know the internals, but why can't it blindly accept? No policy, so
> nothing to do with selinux stuff. If any permission checks are allowed, then there is no
> need to check anything (no need for security_context_to_sid()), right?

You'd have to add tests within the hook functions themselves to see
whether policy has been loaded, and skip this kind of processing in that
case.  security_context_to_sid can't return a SID unless it can map the
context to an internal structure that can be interpreted by the security
server on subsequent permission checks.

> That's bad - I wrote why. I will lose the security xattr on the file!
> When I load a policy, things will go really bad since the /etc/shadow file won't have
> the proper security context.

You need to relabel your filesystem when you run without SELinux (and
without policy might as well be without SELinux at all).  Note that
/sbin/init will die if it cannot load a policy when SELinux is booted in
enforcing mode, so the fact that you can even operate in such a state is
only because you are booting in permissive mode.  If you don't want
SELinux, boot with selinux=0.  If you want SELinux, load a policy. 

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency



* Re: blocking security xattr changes when policy is not loaded
  2004-03-10 12:50 ` Stephen Smalley
  2004-03-10 13:20   ` Arkadiusz Miskiewicz
@ 2004-03-10 15:59   ` Thorsten Kukuk
  2004-03-10 17:05     ` Stephen Smalley
  1 sibling, 1 reply; 6+ messages in thread
From: Thorsten Kukuk @ 2004-03-10 15:59 UTC (permalink / raw)
  To: selinux

On Wed, Mar 10, Stephen Smalley wrote:

> On Tue, 2004-03-09 at 17:29, Arkadiusz Miskiewicz wrote:
> > Hi,
> > 
> > The case is that a 2.6 selinux-enabled kernel _without_ a policy loaded does not
> > allow the root user to change the security xattr.
> > 
> > The question is why is that?
> 
> SELinux still performs its regular processing even without the policy
> load; it is just that any permission checks are allowed until a policy
> is loaded.  The setxattr() is not failing due to a permission check; it
> is failing because selinux_inode_setxattr() attempts to convert the
> context to a SID (via security_context_to_sid) in preparation for making
> permission checks, and the context is unknown to the security server
> (policy engine) because no policy has been loaded.  The security server
> can't just blindly accept contexts and provide SIDs; it needs to have an
> internal representation of the context that it can understand.
> 
> In any event, note is_selinux_enabled() should return 0 when no policy
> is loaded, so if the pwdutils code was bracketing SELinux-related
> processing with if (is_selinux_enabled() > 0), it wouldn't even try to
> do this.

But if you add this check, the security attributes will be missing
for the new file. I don't think that this is the expected behavior.

  Thorsten

-- 
Thorsten Kukuk       http://www.suse.de/~kukuk/        kukuk@suse.de
SuSE Linux AG        Maxfeldstr. 5                 D-90409 Nuernberg
--------------------------------------------------------------------    
Key fingerprint = A368 676B 5E1B 3E46 CFCE  2D97 F8FD 4E23 56C6 FB4B


* Re: blocking security xattr changes when policy is not loaded
  2004-03-10 15:59   ` Thorsten Kukuk
@ 2004-03-10 17:05     ` Stephen Smalley
  0 siblings, 0 replies; 6+ messages in thread
From: Stephen Smalley @ 2004-03-10 17:05 UTC (permalink / raw)
  To: Thorsten Kukuk; +Cc: selinux

On Wed, 2004-03-10 at 10:59, Thorsten Kukuk wrote:
> But if you add this check, the security attributes will be missing
> for the new file. I don't think that this is the expected behavior.

If you run with selinux=0 (or with SELinux enabled but no policy), then
you have to assume that some file labels are going to be wrong when you
next boot SELinux with a policy.  Even if certain programs preserve the
labels on certain files, there are going to be some files (e.g.
/etc/mtab) that are no longer going to be typed correctly.  And the
trustworthiness of any of the labels is suspect, obviously, as any root
process may have tampered with them.  Hence, you need to relabel your
filesystem anyway after running with selinux=0 or no policy in order to
get it back to a known safe state.  

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
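
The label-copy step discussed in this thread, as an added example that is not part of any message and is not pwdutils or kernel code: it copies the `security.selinux` xattr onto the temporary file before rename() and reports the "invalid argument" case separately instead of treating it as fatal. It uses the raw xattr calls rather than libselinux; the function names, the result enum and the 4096-byte buffer size are assumptions of this example.

```c
#include <errno.h>
#include <sys/types.h>
#include <sys/xattr.h>

#define SELINUX_XATTR "security.selinux"

enum label_result {
    LABEL_COPIED,    /* dst now carries src's context */
    LABEL_NONE,      /* src has no label, or the fs has no xattr support */
    LABEL_REJECTED,  /* kernel could not map the context (EINVAL) */
    LABEL_ERROR      /* any other failure; errno is left for the caller */
};

/* Classify the errno of a failed set of security.selinux. */
enum label_result classify_set_errno(int err)
{
    switch (err) {
    case EINVAL:     /* context unknown to the security server, e.g. no
                        policy loaded as described in the thread */
        return LABEL_REJECTED;
    case ENOTSUP:    /* filesystem cannot store the attribute */
        return LABEL_NONE;
    default:         /* EPERM, EACCES, ENOENT, ... */
        return LABEL_ERROR;
    }
}

/* Copy the SELinux context of src (e.g. /etc/shadow) onto dst (the
 * temporary file) before rename(). Symlinks are not followed. */
enum label_result copy_selinux_label(const char *src, const char *dst)
{
    char ctx[4096];  /* assumed upper bound for a context string */
    ssize_t len = lgetxattr(src, SELINUX_XATTR, ctx, sizeof(ctx));

    if (len < 0)
        return (errno == ENODATA || errno == ENOTSUP) ? LABEL_NONE
                                                      : LABEL_ERROR;
    /* The value is copied byte for byte, including any trailing NUL. */
    if (lsetxattr(dst, SELINUX_XATTR, ctx, (size_t)len, 0) == 0)
        return LABEL_COPIED;
    return classify_set_errno(errno);
}
```

A `LABEL_REJECTED` result corresponds to the `setfilecon -> invalid argument` failure reported in the first message; a caller can log it and continue with the rename, since per the last reply the filesystem has to be relabeled after running without a policy in any case.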


