* Possible bug in finding default context?
@ 2012-08-09 17:45 Ole Kliemann
From: Ole Kliemann @ 2012-08-09 17:45 UTC (permalink / raw)
  To: selinux


Some time ago I posted about a problem I had when building a 
monolithic policy. Login programs were unable to determine the 
default context of users when logging in, although I was pretty 
sure I did everything right. I never resolved that but didn't 
bother either since I started writing a new modular policy from 
scratch.

Everything worked flawlessly, including logins, until suddenly 
now logins started to fail again with the login programs unable 
to determine the context of the user.
 
Oh, what fresh hell is this?! So I started rolling back changes, 
and it turns out if there are too many types associated with one 
role and that role and one of its types is set as default context 
for a user, /bin/login gives 'Unable to get valid context'.

BTW, the exact number seems to be 194. 194 types associated with one 
role works. 195 and it's broken.

I'm doing this on Ubuntu 12.04, so it could be the crappily 
maintained selinux userland here.

Ole



* Re: Possible bug in finding default context?
@ 2012-08-09 17:48 ` Stephen Smalley
From: Stephen Smalley @ 2012-08-09 17:48 UTC (permalink / raw)
  To: Ole Kliemann; +Cc: selinux

On Thu, 2012-08-09 at 19:45 +0200, Ole Kliemann wrote:
> Some time ago I posted about a problem I had when building a 
> monolithic policy. Login programs were unable to determine the 
> default context of users when logging in, although I was pretty 
> sure I did everything right. I never resolved that but didn't 
> bother either since I started writing a new modular policy from 
> scratch.
> 
> Everything worked flawlessly, including logins, until suddenly 
> now logins started to fail again with the login programs unable 
> to determine the context of the user.
>  
> Oh, what fresh hell is this?! So I started rolling back changes, 
> and it turns out if there are too many types associated with one 
> role and that role and one of its types is set as default context 
> for a user, /bin/login gives 'Unable to get valid context'.
> 
> BTW, the exact number seems to be 194. 194 types associated with one 
> role works. 195 and it's broken.
> 
> I'm doing this on Ubuntu 12.04, so it could be the crappily 
> maintained selinux userland here.

We'd like to rip out all usage of security_compute_user()
aka /sys/fs/selinux/user and everything that calls it.  Previously
discussed on the list, although not your specific problem (presumably
we're hitting the selinuxfs limit on size of response for /selinux/user
transactions).  Take all of that logic to userspace and greatly simplify
it.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Possible bug in finding default context?
@ 2012-08-10  8:58   ` Ole Kliemann
From: Ole Kliemann @ 2012-08-10  8:58 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux


On Thu, Aug 09, 2012 at 01:48:32PM -0400, Stephen Smalley wrote:
> On Thu, 2012-08-09 at 19:45 +0200, Ole Kliemann wrote:
> > BTW, the exact number seems to be 194. 194 types associated with one 
> > role works. 195 and it's broken.
> > 
> > I'm doing this on Ubuntu 12.04, so it could be the crappily 
> > maintained selinux userland here.
> 
> We'd like to rip out all usage of security_compute_user()
> aka /sys/fs/selinux/user and everything that calls it.  Previously
> discussed on the list, although not your specific problem (presumably
> we're hitting the selinuxfs limit on size of response for /selinux/user
> transactions).  Take all of that logic to userspace and greatly simplify
> it.

Since I seem to be inclined to do strange things no one really did 
before, I have to ask this:

This is strictly a problem only for the userspace, right? The LSM 
can handle whatever I throw at it and will always enforce the 
policy by the letter, no matter how many types/roles/users or 
other strange constructs whatsoever I use?



* Re: Possible bug in finding default context?
@ 2012-08-10  9:13 ` Russell Coker
From: Russell Coker @ 2012-08-10  9:13 UTC (permalink / raw)
  To: Ole Kliemann; +Cc: selinux

On Fri, 10 Aug 2012, Ole Kliemann <ole@plastictree.net> wrote:
> I'm doing this on Ubuntu 12.04, so it could be the crappily 
> maintained selinux userland here.

What are the problems in Ubuntu SE Linux?

I've idly considered joining the Ubuntu project to help maintain SE Linux 
there.  Doing it for two Debian-based distros can't be much more work than 
doing it for one.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/



* Re: Possible bug in finding default context?
@ 2012-08-10 10:37   ` Ole Kliemann
From: Ole Kliemann @ 2012-08-10 10:37 UTC (permalink / raw)
  To: Russell Coker; +Cc: selinux


On Fri, Aug 10, 2012 at 07:13:03PM +1000, Russell Coker wrote:
> On Fri, 10 Aug 2012, Ole Kliemann <ole@plastictree.net> wrote:
> > I'm doing this on Ubuntu 12.04, so it could be the crappily 
> > maintained selinux userland here.
> 
> What are the problems in Ubuntu SE Linux?
> 
> I've idly considered joining the Ubuntu project to help maintain SE Linux 
> there.  Doing it for two Debian-based distros can't be much more work than 
> doing it for one.

Admittedly that statement contains a lot of prejudice. When I 
started with SELinux I expectedly had problems finding my way 
around. Documentation is often hard to find. The only good 
reference I found so far is Richard Haines' SELinux Notebook.

But that's, like most SELinux documentation, quite abstract. If 
you want more concrete information you always end up on the 
websites of either Red Hat or Fedora. If you google for Ubuntu 
and SELinux you won't find much.

Running a strict SELinux policy is a rather delicate affair. My 
overall feeling regarding Ubuntu policy was: I shouldn't be 
surprised if something suddenly stops working. But TBH I never 
really tested it. When I tried installing the Ubuntu policy on my 
test system right now, it failed due to some error, but normally 
installing works. (I probably messed something up.)

There are a few problems I ran into that I remember off the top 
of my head:

Reference policy sources can be installed and compiled but not 
inserted due to missing dependencies.

There's a null pointer dereference in libsemanage, something 
with genhomedircon, when trying to build a non-MCS policy. That's 
a known issue but unpatched in Ubuntu.

The reference policy Ubuntu's policy is based on is something 
from 2009. It doesn't have the

    bool mmap_low_allowed false;

As far as my limited understanding goes that isn't a problem 
unless you do something stupid anyways. (Like installing wine...  
vm.mmap_min_addr is set to 65536 by default on Ubuntu.)


So bottom line: Things aren't necessarily bad. But they do look 
old. And I just lack the trust that the policy is maintained in a 
way that I can do updates without worries. Hence my prejudice.

Ole



* Re: Possible bug in finding default context?
@ 2012-08-10 11:06 ` Ole Kliemann
From: Ole Kliemann @ 2012-08-10 11:06 UTC (permalink / raw)
  To: selinux


On Thu, Aug 09, 2012 at 07:45:19PM +0200, Ole Kliemann wrote:
> Some time ago I posted about a problem I had when building a 
> monolithic policy. Login programs were unable to determine the 
> default context of users when logging in, although I was pretty 
> sure I did everything right. I never resolved that but didn't 
> bother either since I started writing a new modular policy from 
> scratch.
> 
> Everything worked flawlessly, including logins, until suddenly 
> now logins started to fail again with the login programs unable 
> to determine the context of the user.
>  
> Oh, what fresh hell is this?! So I started rolling back changes, 
> and it turns out if there are too many types associated with one 
> role and that role and one of its types is set as default context 
> for a user, /bin/login gives 'Unable to get valid context'.
> 
> BTW, the exact number seems to be 194. 194 types associated with one 
> role works. 195 and it's broken.
> 
> I'm doing this on Ubuntu 12.04, so it could be the crappily 
> maintained selinux userland here.
> 
> Ole

Workaround is to give each type its own role and then associate 
all the roles with the user. This way around it works.



* Re: Possible bug in finding default context?
@ 2012-08-10 12:55     ` Stephen Smalley
From: Stephen Smalley @ 2012-08-10 12:55 UTC (permalink / raw)
  To: Ole Kliemann; +Cc: selinux

On Fri, 2012-08-10 at 10:58 +0200, Ole Kliemann wrote:
> On Thu, Aug 09, 2012 at 01:48:32PM -0400, Stephen Smalley wrote:
> > On Thu, 2012-08-09 at 19:45 +0200, Ole Kliemann wrote:
> > > BTW, the exact number seems to be 194. 194 types associated with one 
> > > role works. 195 and it's broken.
> > > 
> > > I'm doing this on Ubuntu 12.04, so it could be the crappily 
> > > maintained selinux userland here.
> > 
> > We'd like to rip out all usage of security_compute_user()
> > aka /sys/fs/selinux/user and everything that calls it.  Previously
> > discussed on the list, although not your specific problem (presumably
> > we're hitting the selinuxfs limit on size of response for /selinux/user
> > transactions).  Take all of that logic to userspace and greatly simplify
> > it.
> 
> Since I seem to be inclined to do strange things no one really did 
> before, I have to ask this:
> 
> This is strictly a problem only for the userspace, right? The LSM 
> can handle whatever I throw at it and will always enforce the 
> policy by the letter, no matter how many types/roles/users or 
> other strange constructs whatsoever I use?

Correct.  It is a limitation of the selinuxfs API, imposing a max size
on the response payload.

-- 
Stephen Smalley
National Security Agency
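Stephen's diagnosis above is that the failure is a size cap on the reply to a `/sys/fs/selinux/user` transaction, not a policy-enforcement problem. The following is an added example, written for this page and not code from the kernel, libselinux or any poster in the thread. It models what a compute_user request enumerates for a login (one `user:role:type:range` context for every role the user holds and every type that role is authorised for) and estimates the serialized reply against a page-sized budget, so a policy author can see which users and roles are heading for the limit before a login breaks. The framing (a decimal count immediately followed by NUL-terminated contexts), the 4096-byte budget and the `>= budget` failure rule are assumptions about the kernel side; the user, role and type names are constructed.

```python
"""Size check for the selinuxfs compute_user reply a login triggers.

Added example for this thread, not code from the kernel, libselinux or any
poster. It models what security_compute_user() enumerates for an SELinux
user: one context "user:role:type:range" for every role the user holds and
every type that role is authorised for. The wire framing assumed here is a
decimal count immediately followed by each context as a NUL-terminated
string, and the whole reply is assumed to have to fit below one 4096-byte
page; both are assumptions about the kernel side, not facts from the thread.
"""
from typing import Dict, Iterable, List

PAGE_SIZE_ASSUMED = 4096  # assumed selinuxfs transaction buffer (PAGE_SIZE)


def enumerate_contexts(user: str, user_roles: Iterable[str],
                       role_types: Dict[str, Iterable[str]],
                       mls_range: str = "s0") -> List[str]:
    """Contexts the assumed compute_user model returns for `user`.

    Sorted for determinism; the kernel walks policy bitmaps instead, but only
    the count and the total length matter for the size budget.
    """
    contexts = []
    for role in sorted(user_roles):
        for type_ in sorted(role_types.get(role, ())):
            contexts.append(f"{user}:{role}:{type_}:{mls_range}")
    return contexts


def response_size(contexts: List[str]) -> int:
    """Bytes of the assumed framing: count digits, then each context plus NUL."""
    return len(str(len(contexts))) + sum(len(c) + 1 for c in contexts)


def check_user(user: str, user_roles: Iterable[str],
               role_types: Dict[str, Iterable[str]],
               budget: int = PAGE_SIZE_ASSUMED) -> dict:
    """Report whether the reply for `user` stays inside the assumed budget."""
    contexts = enumerate_contexts(user, user_roles, role_types)
    size = response_size(contexts)
    # Modelled failure rule: a reply that reaches the budget is rejected.
    return {"user": user, "contexts": len(contexts), "bytes": size,
            "fits": size < budget}


def max_contexts(ctx_len: int, budget: int = PAGE_SIZE_ASSUMED) -> int:
    """Largest number of contexts of `ctx_len` chars that still fits the budget."""
    n = 0
    while len(str(n + 1)) + (n + 1) * (ctx_len + 1) < budget:
        n += 1
    return n


def constructed_policy(n_types: int) -> Dict[str, List[str]]:
    """Constructed role->types map: one role authorised for n_types types."""
    return {"ole_r": [f"app_{i:03d}_t" for i in range(n_types)]}


if __name__ == "__main__":
    for n in (50, 300):
        print(check_user("ole_u", ["ole_r"], constructed_policy(n)))
    # For contexts of a given length: how many fit before the assumed limit trips.
    for ctx_len in (20, 24, 40):
        print(f"{ctx_len}-char contexts: at most {max_contexts(ctx_len)} fit")
```

Two things the model makes visible that the thread only states in passing: the threshold is a function of total reply bytes, so longer user, role and type names (or an MLS range) trip it with fewer types, and a role shared by many types is what drives the count up for every user holding that role. With 20-character contexts the model's last fitting count is 194, the same threshold Ole observed, which is a consistency check on the hypothesis rather than confirmation of the kernel's exact accounting.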




* Re: Possible bug in finding default context?
@ 2012-08-10 17:21     ` Ole Kliemann
From: Ole Kliemann @ 2012-08-10 17:21 UTC (permalink / raw)
  To: Russell Coker; +Cc: selinux


On Fri, Aug 10, 2012 at 12:37:04PM +0200, Ole Kliemann wrote:
> There are a few problems I ran into that I remember off the top 
> of my head:
> 
> Reference policy sources can be installed and compiled but not 
> inserted due to missing dependencies.
> 
> There's a null pointer dereference in libsemanage, something 
> with genhomedircon, when trying to build a non-MCS policy. That's 
> a known issue but unpatched in Ubuntu.
> 
> The reference policy Ubuntu's policy is based on is something 
> from 2009. It doesn't have the
> 
>     bool mmap_low_allowed false;
> 
> As far as my limited understanding goes that isn't a problem 
> unless you do something stupid anyways. (Like installing wine...  
> vm.mmap_min_addr is set to 65536 by default on Ubuntu.)

To add to this list:

There seem to be fewer utilities. I don't have 'seinfo' and don't 
know any package to get it from.


