Re: question about selinux_restore_tty() in sudo's selinux.c

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Dominick Grift <dac.override@gmail.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: selinux@vger.kernel.org
Subject: Re: question about selinux_restore_tty() in sudo's selinux.c
Date: Fri, 27 Sep 2019 15:57:45 +0200	[thread overview]
Message-ID: <20190927135745.GC22281@seamus.lan> (raw)
In-Reply-To: <caf2c1c0-682b-1ff6-aee9-cc91dd6ad8a6@tycho.nsa.gov>

[-- Attachment #1: Type: text/plain, Size: 4199 bytes --]

On Fri, Sep 27, 2019 at 09:51:26AM -0400, Stephen Smalley wrote:
> On 9/27/19 9:49 AM, Dominick Grift wrote:
> > On Fri, Sep 27, 2019 at 09:33:06AM -0400, Stephen Smalley wrote:
> > > On 9/27/19 9:08 AM, Dominick Grift wrote:
> > > > On Fri, Sep 27, 2019 at 08:59:26AM -0400, Stephen Smalley wrote:
> > > > > On 9/27/19 3:55 AM, Dominick Grift wrote:
> > > > > > sudo does not reset the role of my tty properly [1], and i was wondering if anyone is able to determine what is causing this [2]
> > > > > > 
> > > > > > [1] https://bugzilla.sudo.ws/show_bug.cgi?id=898
> > > > > > [2] https://www.sudo.ws/repos/sudo/file/tip/src/selinux.c
> > > > > 
> > > > > Are you sure sudo is calling selinux_restore_tty()?
> > > > > 
> > > > > 
> > > > 
> > > > running sudo with:
> > > > 
> > > > Debug sudo /var/log/sudo_debug all@debug
> > > > Debug sudoers.so /var/log/sudo_debug all@debug
> > > > 
> > > > Yields:
> > > > 
> > > > grep selinux /var/log/sudo_debug
> > > > Sep 27 15:06:29 sudo[3417] <- sudo_new_key_val_v1 @ ../../../lib/util/key_val.c:61 := selinux_role=sysadm.role
> > > > Sep 27 15:06:29 sudo[3417]     7: selinux_role=sysadm.role
> > > > Sep 27 15:06:29 sudo[3447] -> selinux_setup @ ../../src/selinux.c:349
> > > > Sep 27 15:06:29 sudo[3447] -> get_exec_context @ ../../src/selinux.c:274
> > > > Sep 27 15:06:29 sudo[3447] <- get_exec_context @ ../../src/selinux.c:328 := 0x564eed3621b0
> > > > Sep 27 15:06:29 sudo[3447] -> relabel_tty @ ../../src/selinux.c:160
> > > > Sep 27 15:06:29 sudo[3447] <- relabel_tty @ ../../src/selinux.c:253 := 0
> > > > Sep 27 15:06:29 sudo[3447] -> audit_role_change @ ../../src/selinux.c:76
> > > > Sep 27 15:06:29 sudo[3447] <- audit_role_change @ ../../src/selinux.c:98 := 6
> > > > Sep 27 15:06:29 sudo[3447] <- selinux_setup @ ../../src/selinux.c:395 := 0
> > > > Sep 27 15:06:29 sudo[3447] -> selinux_execve @ ../../src/selinux.c:405
> > > > Sep 27 15:06:29 sudo[3417] -> selinux_restore_tty @ ../../src/selinux.c:114
> > > > Sep 27 15:06:29 sudo[3417] <- selinux_restore_tty @ ../../src/selinux.c:142 := 0
> > > 
> > > Ok, so you entered and exited selinux_restore_tty() without error. No
> > > warning messages of any kind in any of the sudo logs? Not sure where
> > > sudo_warn() and sudo_warnx() messages go.
> > 
> > No warnings or any other clues. I guess it must be this then:
> > 
> >      if (se_state.ttyfd == -1 || se_state.new_tty_context == NULL)
> > 	goto skip_relabel;
> 
> That should only occur if there was no tty or security_compute_relabel()
> didn't provide a new context to set in the first place. Not if it actually
> relabeled the tty earlier.
> 
> Does newrole work correctly with your policy?

Yes:

kcinimod@seamus:~$ id -Z
wheel.id:wheel.role:wheel.subj:s0
kcinimod@seamus:~$ ls -alZ `tty`
crw--w----. 1 kcinimod tty wheel.id:wheel.role:users.terminals.pty.pty_file:s0 136, 10 Sep 27 15:55 /dev/pts/10
kcinimod@seamus:~$ newrole -r sysadm.role
Password: 
newrole: incorrect password for kcinimod
kcinimod@seamus:~$ ls -alZ `tty`
crw--w----. 1 kcinimod tty wheel.id:wheel.role:users.terminals.pty.pty_file:s0 136, 10 Sep 27 15:56 /dev/pts/10
kcinimod@seamus:~$ newrole -r sysadm.role
Password: 
kcinimod@seamus:~$ id -Z
wheel.id:sysadm.role:sysadm.subj:s0
kcinimod@seamus:~$ ls -alZ `tty`
crw--w----. 1 kcinimod tty wheel.id:sysadm.role:users.terminals.pty.pty_file:s0 136, 10 Sep 27 15:56 /dev/pts/10
kcinimod@seamus:~$ exit
logout
kcinimod@seamus:~$ ls -alZ `tty`
crw--w----. 1 kcinimod tty wheel.id:wheel.role:users.terminals.pty.pty_file:s0 136, 10 Sep 27 15:56 /dev/pts/10

> 
> > 
> > > 
> > > selinux_restore_tty() does a goto skip_relabel in multiple cases:
> > > - if there was no tty (ttyfd == -1),
> > > - if we didn't set a new tty context (new_tty_context),
> > > - if the context on the tty was changed from the value set by sudo
> > > (strcmp...) e.g. some other process changed it in the interim, but this
> > > should have logged a warning,
> > > 
> 
> 

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]

next prev parent reply	other threads:[~2019-09-27 13:57 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-09-27  7:55 question about selinux_restore_tty() in sudo's selinux.c Dominick Grift
2019-09-27  8:24 ` Dominick Grift
2019-09-27 13:02   ` Stephen Smalley
2019-09-27 12:59 ` Stephen Smalley
2019-09-27 13:08   ` Dominick Grift
2019-09-27 13:33     ` Stephen Smalley
2019-09-27 13:49       ` Dominick Grift
2019-09-27 13:51         ` Stephen Smalley
2019-09-27 13:57           ` Dominick Grift [this message]
2019-09-27 14:01             ` Stephen Smalley
2019-09-27 14:17               ` Stephen Smalley
2019-09-27 14:28                 ` Dominick Grift
2019-09-27 14:32                   ` Dominick Grift
2019-09-27 14:49                   ` Stephen Smalley
2019-09-27 14:53                     ` Stephen Smalley
2019-09-27 14:57                     ` Dominick Grift

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190927135745.GC22281@seamus.lan \
    --to=dac.override@gmail.com \
    --cc=sds@tycho.nsa.gov \
    --cc=selinux@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.