* Cannot write policy to allow { relabelto }
From: Ian Pilcher @ 2017-04-17 22:02 UTC
To: selinux

I am having a weird problem writing a policy for a service. The service
needs to set SELinux file contexts, so I've created a rule to allow
this:

  allow acme_nss_t cert_t : file { read write create getattr setattr
      relabelfrom relabelto open } ;

Despite this, I am still getting this denial:

  avc: denied { relabelto } for pid=3561 comm="update-mod-nss"
      name="cert8.db" dev="dm-0" ino=50343845
      scontext=system_u:system_r:acme_nss_t:s0
      tcontext=unconfined_u:object_r:cert_t:s0 tclass=file

Any ideas?

--
========================================================================
Ian Pilcher arequipeno@gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================

* Re: Cannot write policy to allow { relabelto }
From: Dominick Grift @ 2017-04-18 6:15 UTC
To: selinux

On Mon, Apr 17, 2017 at 05:02:14PM -0500, Ian Pilcher wrote:
> I am having a weird problem writing a policy for a service. The service
> needs to set SELinux file contexts, so I've created a rule to allow
> this:
>
>   allow acme_nss_t cert_t : file { read write create getattr setattr
>       relabelfrom relabelto open } ;
>
> Despite this, I am still getting this denial:
>
>   avc: denied { relabelto } for pid=3561 comm="update-mod-nss"
>       name="cert8.db" dev="dm-0" ino=50343845
>       scontext=system_u:system_r:acme_nss_t:s0
>       tcontext=unconfined_u:object_r:cert_t:s0 tclass=file
>
> Any ideas?

acme_nss_t needs to be associated with "can_change_object_identity" to be able to change the object identity from system_u to unconfined_u

typeattribute acme_nss_t can_change_object_identity;

or the appropriate macro:

domain_obj_id_change_exemption(acme_nss_t)

But there is no need to change the object identity in the first place, system_u will do fine.

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

* Re: Cannot write policy to allow { relabelto }
From: Ian Pilcher @ 2017-04-18 12:03 UTC
To: selinux

On 04/18/2017 01:15 AM, Dominick Grift wrote:
> acme_nss_t needs to be associated with "can_change_object_identity" to
> be able to change the object identity from system_u to unconfined_u
>
> typeattribute acme_nss_t can_change_object_identity;
>
> or the appropriate macro:
>
> domain_obj_id_change_exemption(acme_nss_t)

Excellent, thank you!

> But there is no need to change the object identity in the first
> place, system_u will do fine.

I'll have to think about this. I'm actually copying a directory tree
from one place to another and copying the context from the source to
destination with getfilecon() and setfilecon().

What APIs should I use if I *only* wanted to copy the type?

* Re: Cannot write policy to allow { relabelto }
From: Dominick Grift @ 2017-04-18 12:10 UTC
To: selinux

On Tue, Apr 18, 2017 at 07:03:23AM -0500, Ian Pilcher wrote:
> On 04/18/2017 01:15 AM, Dominick Grift wrote:
> > acme_nss_t needs to be associated with "can_change_object_identity" to
> > be able to change the object identity from system_u to unconfined_u
> >
> > typeattribute acme_nss_t can_change_object_identity;
> >
> > or the appropriate macro:
> >
> > domain_obj_id_change_exemption(acme_nss_t)
>
> Excellent, thank you!
>
> > But there is no need to change the object identity in the first
> > place, system_u will do fine.
>
> I'll have to think about this. I'm actually copying a directory tree
> from one place to another and copying the context from the source to
> destination with getfilecon() and setfilecon().

If you would be using getfilecon() then you would, most likely, not end up with unconfined_u as the identity

where are you copying that object to? There should be no content with type "cert_t" in a user home directory

> What APIs should I use if I *only* wanted to copy the type?

* Re: Cannot write policy to allow { relabelto }
From: Dominick Grift @ 2017-04-18 12:11 UTC
To: selinux

On Tue, Apr 18, 2017 at 02:10:16PM +0200, Dominick Grift wrote:
> On Tue, Apr 18, 2017 at 07:03:23AM -0500, Ian Pilcher wrote:
> > On 04/18/2017 01:15 AM, Dominick Grift wrote:
> > > acme_nss_t needs to be associated with "can_change_object_identity" to
> > > be able to change the object identity from system_u to unconfined_u
> > >
> > > typeattribute acme_nss_t can_change_object_identity;
> > >
> > > or the appropriate macro:
> > >
> > > domain_obj_id_change_exemption(acme_nss_t)
> >
> > Excellent, thank you!
> >
> > > But there is no need to change the object identity in the first
> > > place, system_u will do fine.
> >
> > I'll have to think about this. I'm actually copying a directory tree
> > from one place to another and copying the context from the source to
> > destination with getfilecon() and setfilecon().
>
> If you would be using getfilecon() then you would, most likely, not end up with unconfined_u as the identity

if there is a getfilecon_default() then try that instead of getfilecon()

> where are you copying that object to? There should be no content with type "cert_t" in a user home directory
>
> > What APIs should I use if I *only* wanted to copy the type?

* Re: Cannot write policy to allow { relabelto }
From: Ian Pilcher @ 2017-04-18 13:26 UTC
To: selinux

On 04/18/2017 07:10 AM, Dominick Grift wrote:
> where are you copying that object to? There should be no content with
> type "cert_t" in a user home directory

I'm copying the mod_nss NSS database directory (/etc/httpd/alias). The
program is intended to update Let's Encrypt certificates in mod_nss.

I've moved the actual mod_nss database into a directory named something
like /etc/httpd/alias-20170218081357 and /etc/httpd/alias is now a
symbolic link to that directory.

My program does the following:

* Create a new directory with a current timestamp:
  /etc/httpd/alias-20170408143539 for example.

* Copy the NSS database files (cert8.db, key3.db, and secmod.db) from
  the "old" directory to the new directory. I can get away with this,
  because mod_nss always opens the database read-only.

* Open the NSS database in the new directory, delete any existing
  certificates with the matching nickname (hostname), and import the
  new certificate.

* Recursively copy any other content (files, symlinks, subdirectories)
  from the old directory to the new directory. This step also copies
  the ownership, permissions, and SELinux context of *all* objects,
  including the NSS database files. (This is where I hit the relabelto
  denial.)

* Create a new symbolic link, /etc/httpd/alias.new, that points to the
  new directory.

* Rename the /etc/httpd/alias.new symbolic link to /etc/httpd/alias.

* Recursively delete the old directory.

* Reload (SIGUSR1) httpd, so it will start using the new certificate.
  (Actually, systemd does this in an ExecStartPost.)

* Re: Cannot write policy to allow { relabelto }
From: Dominick Grift @ 2017-04-18 14:07 UTC
To: selinux

On Tue, Apr 18, 2017 at 08:26:50AM -0500, Ian Pilcher wrote:
> On 04/18/2017 07:10 AM, Dominick Grift wrote:
> > where are you copying that object to? There should be no content with
> > type "cert_t" in a user home directory
>
> I'm copying the mod_nss NSS database directory (/etc/httpd/alias). The
> program is intended to update Let's Encrypt certificates in mod_nss.
>
> I've moved the actual mod_nss database into a directory named something
> like /etc/httpd/alias-20170218081357 and /etc/httpd/alias is now a
> symbolic link to that directory.
>
> My program does the following:
>
> * Create a new directory with a current timestamp:
>   /etc/httpd/alias-20170408143539 for example.
>
> * Copy the NSS database files (cert8.db, key3.db, and secmod.db) from
>   the "old" directory to the new directory. I can get away with this,
>   because mod_nss always opens the database read-only.
>
> * Open the NSS database in the new directory, delete any existing
>   certificates with the matching nickname (hostname), and import the
>   new certificate.
>
> * Recursively copy any other content (files, symlinks, subdirectories)
>   from the old directory to the new directory. This step also copies
>   the ownership, permissions, and SELinux context of *all* objects,
>   including the NSS database files. (This is where I hit the relabelto
>   denial.)

Okay so I suppose that behaves like `cp -a`. That copies the file context as well.

I think then you are stuck with the object id change exemption solution because AFAIK there is no `cp -a-minus-selinux-context` or equivalent

This is also an issue with dracut, where it cp -a a bunch of files from / to /var/tmp/dracut to create the initramfs forcing us the me to allow dracut to manage and relabel a lot of files

> * Create a new symbolic link, /etc/httpd/alias.new, that points to the
>   new directory.
>
> * Rename the /etc/httpd/alias.new symbolic link to /etc/httpd/alias.
>
> * Recursively delete the old directory.
>
> * Reload (SIGUSR1) httpd, so it will start using the new certificate.
>   (Actually, systemd does this in an ExecStartPost.)
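
On the question raised earlier in the thread about copying *only* the type: the following is an added example, not code from any participant, showing how a copy program could build the destination label so the SELinux user (object identity) stays whatever the new file already has. The names merge_type and split_context and the etc_t destination type are hypothetical; in a real program the two strings would come from getfilecon() on the source and destination, and the result would go to setfilecon() (libselinux's context_new(), context_type_set() and context_str() in <selinux/context.h> do the same field handling).

```c
#include <stdio.h>
#include <string.h>

/* Split "user:role:type[:range]" at its first three colons. The range
 * (MLS/MCS level) may itself contain colons, e.g. "s0-s0:c0.c1023", so it
 * is everything after the third colon. Returns 0 on success, -1 if malformed. */
static int split_context(const char *ctx, const char **type, size_t *type_len,
                         const char **rest)
{
    const char *role = strchr(ctx, ':');
    if (role == NULL || role == ctx)
        return -1;
    const char *t = strchr(role + 1, ':');
    if (t == NULL || t == role + 1)
        return -1;
    t++;                                   /* first character of the type */
    const char *end = strchr(t, ':');
    *type = t;
    *type_len = end ? (size_t)(end - t) : strlen(t);
    *rest = end ? end : t + *type_len;     /* ":range" or "" */
    return *type_len ? 0 : -1;
}

/* Build a context that keeps dst's user, role and range and takes only the
 * type from src. Returns 0 on success, -1 on malformed input or short buffer. */
int merge_type(const char *src, const char *dst, char *out, size_t outlen)
{
    const char *st, *dt, *srest, *drest;
    size_t stl, dtl;

    if (split_context(src, &st, &stl, &srest) != 0 ||
        split_context(dst, &dt, &dtl, &drest) != 0)
        return -1;
    int n = snprintf(out, outlen, "%.*s%.*s%s",
                     (int)(dt - dst), dst,   /* "user:role:" from dst */
                     (int)stl, st,           /* type from src */
                     drest);                 /* ":range" from dst */
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char out[256];
    /* Constructed sample contexts: the source label from the AVC denial and
     * a destination file freshly created by the system_u service. */
    if (merge_type("unconfined_u:object_r:cert_t:s0",
                   "system_u:object_r:etc_t:s0", out, sizeof out) == 0)
        puts(out);
    return 0;
}
```

With the constructed inputs the merged label keeps system_u, so the relabel changes only the type and not the object identity.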