* [refpolicy] [PATCH] fstools: add in filetrans for /run dir
@ 2015-04-13 15:41 Jason Zaman
2015-04-13 16:10 ` Dominick Grift
0 siblings, 1 reply; 5+ messages in thread
From: Jason Zaman @ 2015-04-13 15:41 UTC (permalink / raw)
To: refpolicy
the blkid tool writes to /run/blkid/. This creates the "fstools_run_t"
type an allows the transition in /run.
type=AVC msg=audit(1428929528.885:149519): avc: denied { write } for
pid=5590 comm="mkfs.ext4" name="/" dev="tmpfs" ino=17656
scontext=staff_u:sysadm_r:fsadm_t tcontext=system_u:object_r:var_run_t
tclass=dir permissive=0
In permissive:
avc: denied { write } for pid=18595 comm="mkfs.ext4" name="blkid.tab"
dev="tmpfs" ino=5441676 scontext=root:sysadm_r:fsadm_t
tcontext=root:object_r:var_run_t tclass=file permissive=1
avc: denied { write } for pid=18595 comm="mkfs.ext4" name="blkid"
dev="tmpfs" ino=370936 scontext=root:sysadm_r:fsadm_t
tcontext=root:object_r:var_run_t tclass=dir permissive=1
avc: denied { add_name } for pid=18595 comm="mkfs.ext4"
name="blkid.tab-ZaM0Am" scontext=root:sysadm_r:fsadm_t
tcontext=root:object_r:var_run_t tclass=dir permissive=1
avc: denied { create } for pid=18595 comm="mkfs.ext4"
name="blkid.tab-ZaM0Am" scontext=root:sysadm_r:fsadm_t
tcontext=root:object_r:var_run_t tclass=file permissive=1
---
policy/modules/system/fstools.fc | 2 ++
policy/modules/system/fstools.te | 7 +++++++
2 files changed, 9 insertions(+)
diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index d10368d..cba4184 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -62,3 +62,5 @@
/usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0)
+
+/var/run/blkid(/.*)? gen_context(system_u:object_r:fsadm_run_t,s0)
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index a0cfb1d..cbaa18b 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -16,6 +16,9 @@ logging_log_file(fsadm_log_t)
type fsadm_tmp_t;
files_tmp_file(fsadm_tmp_t)
+type fsadm_run_t;
+files_pid_file(fsadm_run_t)
+
type swapfile_t; # customizable
files_type(swapfile_t)
@@ -45,6 +48,10 @@ allow fsadm_t fsadm_tmp_t:dir manage_dir_perms;
allow fsadm_t fsadm_tmp_t:file manage_file_perms;
files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir })
+allow fsadm_t fsadm_run_t:dir manage_dir_perms;
+allow fsadm_t fsadm_run_t:file manage_file_perms;
+files_pid_filetrans(fsadm_t, fsadm_run_t, { file dir })
+
# log files
allow fsadm_t fsadm_log_t:dir setattr;
manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t)
--
2.0.5
^ permalink raw reply related [flat|nested] 5+ messages in thread* [refpolicy] [PATCH] fstools: add in filetrans for /run dir
2015-04-13 15:41 [refpolicy] [PATCH] fstools: add in filetrans for /run dir Jason Zaman
@ 2015-04-13 16:10 ` Dominick Grift
2015-04-13 16:20 ` Dominick Grift
0 siblings, 1 reply; 5+ messages in thread
From: Dominick Grift @ 2015-04-13 16:10 UTC (permalink / raw)
To: refpolicy
On Mon, Apr 13, 2015 at 07:41:35PM +0400, Jason Zaman wrote:
> the blkid tool writes to /run/blkid/. This creates the "fstools_run_t"
> type an allows the transition in /run.
>
> type=AVC msg=audit(1428929528.885:149519): avc: denied { write } for
> pid=5590 comm="mkfs.ext4" name="/" dev="tmpfs" ino=17656
> scontext=staff_u:sysadm_r:fsadm_t tcontext=system_u:object_r:var_run_t
> tclass=dir permissive=0
>
> In permissive:
> avc: denied { write } for pid=18595 comm="mkfs.ext4" name="blkid.tab"
> dev="tmpfs" ino=5441676 scontext=root:sysadm_r:fsadm_t
> tcontext=root:object_r:var_run_t tclass=file permissive=1
> avc: denied { write } for pid=18595 comm="mkfs.ext4" name="blkid"
> dev="tmpfs" ino=370936 scontext=root:sysadm_r:fsadm_t
> tcontext=root:object_r:var_run_t tclass=dir permissive=1
> avc: denied { add_name } for pid=18595 comm="mkfs.ext4"
> name="blkid.tab-ZaM0Am" scontext=root:sysadm_r:fsadm_t
> tcontext=root:object_r:var_run_t tclass=dir permissive=1
> avc: denied { create } for pid=18595 comm="mkfs.ext4"
> name="blkid.tab-ZaM0Am" scontext=root:sysadm_r:fsadm_t
> tcontext=root:object_r:var_run_t tclass=file permissive=1
> ---
> policy/modules/system/fstools.fc | 2 ++
> policy/modules/system/fstools.te | 7 +++++++
> 2 files changed, 9 insertions(+)
>
> diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
> index d10368d..cba4184 100644
> --- a/policy/modules/system/fstools.fc
> +++ b/policy/modules/system/fstools.fc
> @@ -62,3 +62,5 @@
> /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0)
>
> /var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0)
> +
> +/var/run/blkid(/.*)? gen_context(system_u:object_r:fsadm_run_t,s0)
Should probably also cover /var/run/fsck
> diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
> index a0cfb1d..cbaa18b 100644
> --- a/policy/modules/system/fstools.te
> +++ b/policy/modules/system/fstools.te
> @@ -16,6 +16,9 @@ logging_log_file(fsadm_log_t)
> type fsadm_tmp_t;
> files_tmp_file(fsadm_tmp_t)
>
> +type fsadm_run_t;
> +files_pid_file(fsadm_run_t)
> +
> type swapfile_t; # customizable
> files_type(swapfile_t)
>
> @@ -45,6 +48,10 @@ allow fsadm_t fsadm_tmp_t:dir manage_dir_perms;
> allow fsadm_t fsadm_tmp_t:file manage_file_perms;
> files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir })
>
> +allow fsadm_t fsadm_run_t:dir manage_dir_perms;
> +allow fsadm_t fsadm_run_t:file manage_file_perms;
> +files_pid_filetrans(fsadm_t, fsadm_run_t, { file dir })
> +
The transition should only be needed on "dir" (/var/run/blkid and /var/run/fsck)
files_pid_filetrans(fsadm_t, fsadm_run_t, dir)
I think it is important do this properly since it makes it sensible. Adding rules that do not make
sense only make it harder to understand what is going on and it needlessly inflates the policy.
> # log files
> allow fsadm_t fsadm_log_t:dir setattr;
> manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t)
> --
> 2.0.5
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
--
02DFF788
4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 648 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20150413/c86bab71/attachment.bin
^ permalink raw reply [flat|nested] 5+ messages in thread* [refpolicy] [PATCH] fstools: add in filetrans for /run dir
2015-04-13 16:10 ` Dominick Grift
@ 2015-04-13 16:20 ` Dominick Grift
0 siblings, 0 replies; 5+ messages in thread
From: Dominick Grift @ 2015-04-13 16:20 UTC (permalink / raw)
To: refpolicy
On Mon, Apr 13, 2015 at 06:09:59PM +0200, Dominick Grift wrote:
>
> The transition should only be needed on "dir" (/var/run/blkid and /var/run/fsck)
>
> files_pid_filetrans(fsadm_t, fsadm_run_t, dir)
>
> I think it is important do this properly since it makes it sensible. Adding rules that do not make
> sense only make it harder to understand what is going on and it needlessly inflates the policy.
>
But i think i know what is going on here since you have no avc denials of the event where /var/run/blkid dir is created.
blkid is probably run by some process that is allowed to run all executable files and that has permissions to create generic var_run_t dirs
I would probably instead identity what creates /var/run/blkid dir and why it creates it with the generic var_run_t type
then act accordingly by either making it run blkid with a domain transition or by making it create /var/run/blkid with a object type transition
What you have currently is inconsistent and is bound be cause issues later on.
Because in some instances /var/run/blkid may be created with var_run_t and in other instances with fsadm_var_run_t.
Then youll end up allowing processes that need to manage fsadm_var_run_t files to write/del_entry/add_entry of both var_run_t as well as fsadm_var_run_t dirs
Add a rule: auditallow domain var_run_t:dir create; then keep an eye on any event showing up where /var/run/blkid is created
then deal with it accordingly
--
02DFF788
4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 648 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20150413/0e607140/attachment.bin
^ permalink raw reply [flat|nested] 5+ messages in thread
* [refpolicy] [PATCH] fstools: add in filetrans for /run dir
@ 2015-04-13 18:13 Jason Zaman
2015-04-15 17:29 ` Christopher J. PeBenito
0 siblings, 1 reply; 5+ messages in thread
From: Jason Zaman @ 2015-04-13 18:13 UTC (permalink / raw)
To: refpolicy
the blkid tool writes to /run/blkid/. This creates the "fstools_run_t"
type an allows the transition in /run.
type=AVC msg=audit(1428929528.885:149519): avc: denied { write } for pid=5590 comm="mkfs.ext4" name="/" dev="tmpfs" ino=17656 scontext=staff_u:sysadm_r:fsadm_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=0
In permissive:
type=AVC msg=audit(1428948565.919:160149): avc: denied { write } for pid=26197 comm="mkfs.ext4" name="/" dev="tmpfs" ino=17656 scontext=staff_u:sysadm_r:fsadm_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160149): avc: denied { add_name } for pid=26197 comm="mkfs.ext4" name="blkid" scontext=staff_u:sysadm_r:fsadm_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160149): avc: denied { create } for pid=26197 comm="mkfs.ext4" name="blkid" scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=dir permissive=1
type=SYSCALL msg=audit(1428948565.919:160149): arch=c000003e syscall=83 success=yes exit=0 a0=2cd79c6d214 a1=1ed a2=ffffffffffffff20 a3=539fe9bc40 items=2 ppid=28115 pid=26197 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="mkfs.ext4" exe="/sbin/mke2fs" subj=staff_u:sysadm_r:fsadm_t key=(null)
type=CWD msg=audit(1428948565.919:160149): cwd="/root/selinux"
type=PATH msg=audit(1428948565.919:160149): item=0 name="/run/" inode=17656 dev=00:13 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t nametype=PARENT
type=PATH msg=audit(1428948565.919:160149): item=1 name="/run/blkid" inode=4062404 dev=00:13 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:var_run_t nametype=CREATE
type=UNKNOWN[1327] msg=audit(1428948565.919:160149): proctitle=6D6B66732E65787434002F6465762F7A72616D31
type=AVC msg=audit(1428948565.919:160150): avc: denied { write } for pid=26197 comm="mkfs.ext4" name="blkid" dev="tmpfs" ino=4062404 scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160150): avc: denied { add_name } for pid=26197 comm="mkfs.ext4" name="blkid.tab" scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160150): avc: denied { create } for pid=26197 comm="mkfs.ext4" name="blkid.tab" scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=file permissive=1
type=AVC msg=audit(1428948565.919:160150): avc: denied { write open } for pid=26197 comm="mkfs.ext4" path="/run/blkid/blkid.tab" dev="tmpfs" ino=4062405 scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=file permissive=1
type=AVC msg=audit(1428948565.919:160151): avc: denied { getattr } for pid=26197 comm="mkfs.ext4" path="/run/blkid/blkid.tab" dev="tmpfs" ino=4062405 scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=file permissive=1
Changes from v1:
- only transition on dir, not file.
- add fcontext for /run/fsck too.
- the audit log in the previous version was missing some lines.
---
policy/modules/system/fstools.fc | 3 +++
policy/modules/system/fstools.te | 7 +++++++
2 files changed, 10 insertions(+)
diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index d10368d..22996d5 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -62,3 +62,6 @@
/usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0)
+
+/var/run/blkid(/.*)? gen_context(system_u:object_r:fsadm_run_t,s0)
+/var/run/fsck(/.*)? gen_context(system_u:object_r:fsadm_run_t,s0)
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index a0cfb1d..868cf31 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -16,6 +16,9 @@ logging_log_file(fsadm_log_t)
type fsadm_tmp_t;
files_tmp_file(fsadm_tmp_t)
+type fsadm_run_t;
+files_pid_file(fsadm_run_t)
+
type swapfile_t; # customizable
files_type(swapfile_t)
@@ -45,6 +48,10 @@ allow fsadm_t fsadm_tmp_t:dir manage_dir_perms;
allow fsadm_t fsadm_tmp_t:file manage_file_perms;
files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir })
+allow fsadm_t fsadm_run_t:dir manage_dir_perms;
+allow fsadm_t fsadm_run_t:file manage_file_perms;
+files_pid_filetrans(fsadm_t, fsadm_run_t, dir)
+
# log files
allow fsadm_t fsadm_log_t:dir setattr;
manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t)
--
2.0.5
^ permalink raw reply related [flat|nested] 5+ messages in thread* [refpolicy] [PATCH] fstools: add in filetrans for /run dir
2015-04-13 18:13 Jason Zaman
@ 2015-04-15 17:29 ` Christopher J. PeBenito
0 siblings, 0 replies; 5+ messages in thread
From: Christopher J. PeBenito @ 2015-04-15 17:29 UTC (permalink / raw)
To: refpolicy
On 4/13/2015 2:13 PM, Jason Zaman wrote:
> the blkid tool writes to /run/blkid/. This creates the "fstools_run_t"
> type an allows the transition in /run.
Merged.
> type=AVC msg=audit(1428929528.885:149519): avc: denied { write } for pid=5590 comm="mkfs.ext4" name="/" dev="tmpfs" ino=17656 scontext=staff_u:sysadm_r:fsadm_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=0
>
> In permissive:
> type=AVC msg=audit(1428948565.919:160149): avc: denied { write } for pid=26197 comm="mkfs.ext4" name="/" dev="tmpfs" ino=17656 scontext=staff_u:sysadm_r:fsadm_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=1
> type=AVC msg=audit(1428948565.919:160149): avc: denied { add_name } for pid=26197 comm="mkfs.ext4" name="blkid" scontext=staff_u:sysadm_r:fsadm_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=1
> type=AVC msg=audit(1428948565.919:160149): avc: denied { create } for pid=26197 comm="mkfs.ext4" name="blkid" scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=dir permissive=1
> type=SYSCALL msg=audit(1428948565.919:160149): arch=c000003e syscall=83 success=yes exit=0 a0=2cd79c6d214 a1=1ed a2=ffffffffffffff20 a3=539fe9bc40 items=2 ppid=28115 pid=26197 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="mkfs.ext4" exe="/sbin/mke2fs" subj=staff_u:sysadm_r:fsadm_t key=(null)
> type=CWD msg=audit(1428948565.919:160149): cwd="/root/selinux"
> type=PATH msg=audit(1428948565.919:160149): item=0 name="/run/" inode=17656 dev=00:13 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t nametype=PARENT
> type=PATH msg=audit(1428948565.919:160149): item=1 name="/run/blkid" inode=4062404 dev=00:13 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:var_run_t nametype=CREATE
> type=UNKNOWN[1327] msg=audit(1428948565.919:160149): proctitle=6D6B66732E65787434002F6465762F7A72616D31
> type=AVC msg=audit(1428948565.919:160150): avc: denied { write } for pid=26197 comm="mkfs.ext4" name="blkid" dev="tmpfs" ino=4062404 scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=dir permissive=1
> type=AVC msg=audit(1428948565.919:160150): avc: denied { add_name } for pid=26197 comm="mkfs.ext4" name="blkid.tab" scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=dir permissive=1
> type=AVC msg=audit(1428948565.919:160150): avc: denied { create } for pid=26197 comm="mkfs.ext4" name="blkid.tab" scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=file permissive=1
> type=AVC msg=audit(1428948565.919:160150): avc: denied { write open } for pid=26197 comm="mkfs.ext4" path="/run/blkid/blkid.tab" dev="tmpfs" ino=4062405 scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=file permissive=1
> type=AVC msg=audit(1428948565.919:160151): avc: denied { getattr } for pid=26197 comm="mkfs.ext4" path="/run/blkid/blkid.tab" dev="tmpfs" ino=4062405 scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=file permissive=1
>
> Changes from v1:
> - only transition on dir, not file.
> - add fcontext for /run/fsck too.
> - the audit log in the previous version was missing some lines.
> ---
> policy/modules/system/fstools.fc | 3 +++
> policy/modules/system/fstools.te | 7 +++++++
> 2 files changed, 10 insertions(+)
>
> diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
> index d10368d..22996d5 100644
> --- a/policy/modules/system/fstools.fc
> +++ b/policy/modules/system/fstools.fc
> @@ -62,3 +62,6 @@
> /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0)
>
> /var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0)
> +
> +/var/run/blkid(/.*)? gen_context(system_u:object_r:fsadm_run_t,s0)
> +/var/run/fsck(/.*)? gen_context(system_u:object_r:fsadm_run_t,s0)
> diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
> index a0cfb1d..868cf31 100644
> --- a/policy/modules/system/fstools.te
> +++ b/policy/modules/system/fstools.te
> @@ -16,6 +16,9 @@ logging_log_file(fsadm_log_t)
> type fsadm_tmp_t;
> files_tmp_file(fsadm_tmp_t)
>
> +type fsadm_run_t;
> +files_pid_file(fsadm_run_t)
> +
> type swapfile_t; # customizable
> files_type(swapfile_t)
>
> @@ -45,6 +48,10 @@ allow fsadm_t fsadm_tmp_t:dir manage_dir_perms;
> allow fsadm_t fsadm_tmp_t:file manage_file_perms;
> files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir })
>
> +allow fsadm_t fsadm_run_t:dir manage_dir_perms;
> +allow fsadm_t fsadm_run_t:file manage_file_perms;
> +files_pid_filetrans(fsadm_t, fsadm_run_t, dir)
> +
> # log files
> allow fsadm_t fsadm_log_t:dir setattr;
> manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t)
>
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2015-04-15 17:29 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-04-13 15:41 [refpolicy] [PATCH] fstools: add in filetrans for /run dir Jason Zaman
2015-04-13 16:10 ` Dominick Grift
2015-04-13 16:20 ` Dominick Grift
-- strict thread matches above, loose matches on Subject: below --
2015-04-13 18:13 Jason Zaman
2015-04-15 17:29 ` Christopher J. PeBenito
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.