From: Dominick Grift <dac.override@gmail.com>
To: selinux@tycho.nsa.gov
Subject: Re: let's revert e3cab998b48ab293a9962faf9779d70ca339c65d
Date: Fri, 14 Apr 2017 20:49:46 +0200 [thread overview]
Message-ID: <20170414184946.GB16153@markus> (raw)
In-Reply-To: <1492192590.26072.5.camel@tycho.nsa.gov>
[-- Attachment #1: Type: text/plain, Size: 4328 bytes --]
On Fri, Apr 14, 2017 at 01:56:30PM -0400, Stephen Smalley wrote:
> On Fri, 2017-04-14 at 13:47 -0400, Daniel Walsh wrote:
> > On 04/14/2017 11:33 AM, Stephen Smalley wrote:
> > > On Fri, 2017-04-14 at 16:57 +0200, Dominick Grift wrote:
> > > > Bear with me please, because i might not fully grasp the issue (i
> > > > received help with diagnosing this issue):
> > > >
> > > > This commit causes issues (and is, i think, a lousy hack):
> > > > e3cab998b48ab293a9962faf9779d70ca339c65d
> > > >
> > > > The commit causes entities to "think" that SELinux is disabled
> > > > after
> > > > "mount -o remount,ro /sys/fs/selinux
> > > >
> > > > It is "neat" to be able to make processes "think" that selinux is
> > > > disabled on a selinux enabled system but not if it break anything
> > > >
> > > > The above results in the following:
> > > >
> > > > Systemd services that have ProtectKernelTunables=yes set in their
> > > > respective service units, think that SELinux is disabled.
> > > >
> > > > However we have found that some of these services actually rely
> > > > on
> > > > SELinux to ensure proper labeling.
> > > >
> > > > So we have the option to make people aware that if you set
> > > > ProtectKernelTunables=yes that then the process cannot be
> > > > SELinux-
> > > > aware properly, or we can just get rid of the commit above and
> > > > just
> > > > accept that process know that SELinux is enabled.
> > > >
> > > > Actual bug that caused me to look into this: systemd-localed
> > > > selinux
> > > > awareness is broken due it having ProtectKernelTunables=yes in
> > > > its
> > > > service unit
> > >
> > > If selinuxfs is mounted read-only, then they can't use most of the
> > > selinuxfs interfaces, including even the ability to validate or
> > > canonicalize security contexts. That will break most SELinux-aware
> > > services if we tell them that SELinux is enabled. Are you sure
> > > systemd-localed would actually work if you told it SELinux was
> > > enabled
> > > when selinuxfs was mounted read-only? What SELinux interfaces is
> > > it
> > > using?
> > >
> > > The other question is whether ProtectKernelTunables ought to be
> > > mounting selinuxfs read-only. SELinux already controls the ability
> > > to
> > > use its interfaces, including limiting even root, so it is unclear
> > > what
> > > benefit we derive from having systemd add a further restriction on
> > > top.
> > >
> >
> > Why is selinuxfs mounted readonly in this case?
>
> I don't actually see this in upstream systemd unless I am just missing
> it.
>
> systemd/src/core/namespace.c:
> /* ProtectKernelTunables= option and the related filesystem APIs */
> static const MountEntry protect_kernel_tunables_table[] = {
> { "/proc/sys", READONLY, false },
> { "/proc/sysrq-trigger", READONLY, true },
> { "/proc/latency_stats", READONLY, true },
> { "/proc/mtrr", READONLY, true },
> { "/proc/apm", READONLY, true }, /* Obsolete
> API, there's no point in permitting access to this, ever */
> { "/proc/acpi", READONLY, true },
> { "/proc/timer_stats", READONLY, true },
> { "/proc/asound", READONLY, true },
> { "/proc/bus", READONLY, true },
> { "/proc/fs", READONLY, true },
> { "/proc/irq", READONLY, true },
> { "/sys", READONLY, false },
> { "/sys/kernel/debug", READONLY, true },
> { "/sys/kernel/tracing", READONLY, true },
> { "/sys/fs/cgroup", READWRITE, false }, /* READONLY is
> set by ProtectControlGroups= option */
> };
>
> No mention of selinuxfs at all. Maybe it is a Fedora patch?
>
> > The reason we want this is so that processes inside of containers do
> > not
> > attempt to do SELinux stuff.
> >
> > http://danwalsh.livejournal.com/73099.html
Before one dismisses my concern (8 minute proof):
https://www.youtube.com/watch?v=YqiM1MlOG0w
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
next prev parent reply other threads:[~2017-04-14 18:49 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-14 14:57 let's revert e3cab998b48ab293a9962faf9779d70ca339c65d Dominick Grift
2017-04-14 15:33 ` Stephen Smalley
2017-04-14 15:45 ` Dominick Grift
2017-04-14 17:47 ` Daniel Walsh
2017-04-14 17:56 ` Stephen Smalley
2017-04-14 18:07 ` Dominick Grift
2017-04-14 18:49 ` Dominick Grift [this message]
2017-04-14 19:43 ` Nicolas Iooss
2017-04-14 20:41 ` Stephen Smalley
2017-04-15 10:23 ` Daniel Walsh
2017-04-15 14:10 ` Nicolas Iooss
2017-04-17 13:34 ` Stephen Smalley
2017-04-17 14:40 ` Daniel Walsh
2017-04-17 14:49 ` Stephen Smalley
2017-04-17 15:08 ` Daniel Walsh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170414184946.GB16153@markus \
--to=dac.override@gmail.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.