* Process Transition
From: Chad Hanson @ 2004-03-11 20:49 UTC (permalink / raw)
To: Stephen Smalley (E-mail), SE Linux (E-mail)
We found a piece of process transition code that should be updated to work
as expected.
In ss/services.c context_struct_compute_av() the following should be
changed:
        if (tclass == SECCLASS_PROCESS &&
bug >>      avd->allowed && PROCESS__TRANSITION &&
            scontext->role != tcontext->role) {
                for (ra = policydb.role_allow; ra; ra = ra->next) {
                        if (scontext->role == ra->role &&
                            tcontext->role == ra->new_role)
                                break;
                }
                if (!ra)
                        avd->allowed = (avd->allowed) &
                                       ~(PROCESS__TRANSITION);
        }
It should be:
        if (tclass == SECCLASS_PROCESS &&
            avd->allowed & PROCESS__TRANSITION &&
            scontext->role != tcontext->role) {
-Chad
_______________________________________________________________
Chad Hanson mailto:chanson@tcs-sec.com
Trusted Computer Solutions Phone: 217-384-0028 x12
121 W Goose Alley Fax: 217-384-0288
Urbana IL 61801
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Process Transition
From: Stephen Smalley @ 2004-03-12 17:52 UTC (permalink / raw)
To: Chad Hanson; +Cc: SE Linux (E-mail)
On Thu, 2004-03-11 at 15:49, Chad Hanson wrote:
> We found a piece of process transition code that should be updated to work
> as expected.
>
> In ss/services.c context_struct_compute_av() the following should be
> changed:
>
>         if (tclass == SECCLASS_PROCESS &&
> bug >>      avd->allowed && PROCESS__TRANSITION &&
>             scontext->role != tcontext->role) {
>                 for (ra = policydb.role_allow; ra; ra = ra->next) {
>                         if (scontext->role == ra->role &&
>                             tcontext->role == ra->new_role)
>                                 break;
>                 }
>                 if (!ra)
>                         avd->allowed = (avd->allowed) &
>                                        ~(PROCESS__TRANSITION);
>         }
>
> It should be:
>
>         if (tclass == SECCLASS_PROCESS &&
>             avd->allowed & PROCESS__TRANSITION &&
>             scontext->role != tcontext->role) {
Thanks; patch attached. The existing buggy code will still produce the
right access computation; it just causes unnecessary processing to occur
when the transition permission wasn't granted in the first place by the
TE configuration.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
[-- Attachment #2: selinux-fixtrans.patch --]
[-- Type: text/x-patch, Size: 685 bytes --]
Index: linux-2.6/security/selinux/ss/services.c
===================================================================
RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/ss/services.c,v
retrieving revision 1.34
diff -u -r1.34 services.c
--- linux-2.6/security/selinux/ss/services.c 18 Feb 2004 14:26:06 -0000 1.34
+++ linux-2.6/security/selinux/ss/services.c 12 Mar 2004 13:37:44 -0000
@@ -262,7 +262,7 @@
* pair.
*/
if (tclass == SECCLASS_PROCESS &&
- avd->allowed && PROCESS__TRANSITION &&
+ (avd->allowed & PROCESS__TRANSITION) &&
scontext->role != tcontext->role) {
for (ra = policydb.role_allow; ra; ra = ra->next) {
if (scontext->role == ra->role &&
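Review bot: The replacement line `(avd->allowed & PROCESS__TRANSITION) &&` is the right precedence fix for the `&&`-for-`&` slip, and the added parentheses also keep compilers from flagging the mixed bitwise/logical expression, but the patch carries no description; add a changelog line stating that the old test was true whenever any permission at all was allowed, so the role_allow walk below it ran needlessly, and that the computed access vector is unchanged (as the cover note says, clearing a bit that was never set is a no-op). Per David Caplan's reply, checkpolicy carries its own copy of services.c with the same expression; that copy should receive the identical one-line change so the two do not drift.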
* Re: Process Transition
From: David Caplan @ 2004-03-12 18:01 UTC (permalink / raw)
To: Chad Hanson; +Cc: Stephen Smalley (E-mail), SE Linux (E-mail)
Luckily it doesn't have any effect on the computation of the access
vector. If the transition permission bit was _not_ set (and some other
permission was set to make avd->allowed evaluate to non zero, i.e. the
bug case), and the other conditions were true, the net effect is no
different than if the code were correct. A little extra code is run,
but no access is granted or illegal transition permitted.
Nice find! (It's also present in checkpolicy's version of services.c,
where it also has no net effect).
Chad Hanson wrote:
> We found a piece of process transition code that should be updated to work
> as expected.
>
> In ss/services.c context_struct_compute_av() the following should be
> changed:
>
>         if (tclass == SECCLASS_PROCESS &&
> bug >>      avd->allowed && PROCESS__TRANSITION &&
>             scontext->role != tcontext->role) {
>                 for (ra = policydb.role_allow; ra; ra = ra->next) {
>                         if (scontext->role == ra->role &&
>                             tcontext->role == ra->new_role)
>                                 break;
>                 }
>                 if (!ra)
>                         avd->allowed = (avd->allowed) &
>                                        ~(PROCESS__TRANSITION);
>         }
>
> It should be:
>
>         if (tclass == SECCLASS_PROCESS &&
>             avd->allowed & PROCESS__TRANSITION &&
>             scontext->role != tcontext->role) {
>
> -Chad
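To make concrete what Chad reports and what Stephen and David say about its effect, here is an added example in C; it is not code from the thread or from the kernel. It is a constructed, stripped-down model of the role-change check in context_struct_compute_av(), with the original `&&` test and the corrected `&` test side by side. The struct fields, the permission bit values and the helper names are this example's own assumptions. Running both variants over the same inputs shows that they always return the same allowed vector, and that the only difference is the needless walk of the role_allow list when transition was never granted by the TE rules.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Constructed model of the SELinux structures involved; the real ones in
 * security/selinux/ss/ carry many more fields.  The permission bit values
 * are assumptions chosen for this example. */
#define PROCESS__FORK        0x00000001u
#define PROCESS__TRANSITION  0x00000002u

struct role_allow {
	uint32_t role;            /* source role */
	uint32_t new_role;        /* role the process may change to */
	struct role_allow *next;
};

struct context {
	uint32_t role;
};

/* Counts role_allow list walks so the two variants can be compared for
 * wasted work as well as for their result. */
static int role_allow_scans;

static int role_change_allowed(const struct role_allow *list,
			       const struct context *s, const struct context *t)
{
	const struct role_allow *ra;

	role_allow_scans++;
	for (ra = list; ra; ra = ra->next)
		if (s->role == ra->role && t->role == ra->new_role)
			return 1;
	return 0;
}

/* The check as it stood before the fix: "&&" makes the test true whenever
 * ANY permission is allowed, not only transition. */
static uint32_t compute_av_buggy(const struct context *s, const struct context *t,
				 uint32_t allowed, const struct role_allow *list)
{
	if (allowed && PROCESS__TRANSITION && s->role != t->role) {
		if (!role_change_allowed(list, s, t))
			allowed &= ~PROCESS__TRANSITION;
	}
	return allowed;
}

/* The fixed check: consult role_allow only when transition is actually in
 * the vector being computed. */
static uint32_t compute_av_fixed(const struct context *s, const struct context *t,
				 uint32_t allowed, const struct role_allow *list)
{
	if ((allowed & PROCESS__TRANSITION) && s->role != t->role) {
		if (!role_change_allowed(list, s, t))
			allowed &= ~PROCESS__TRANSITION;
	}
	return allowed;
}

/* Runs both variants on one case (roles always differ, so the role check is
 * reached) and returns 1 if their results agree.  Also reports how many
 * role_allow scans each variant needed. */
static int compare_variants(uint32_t allowed, int have_role_allow,
			    uint32_t *out_buggy, uint32_t *out_fixed,
			    int *scans_buggy, int *scans_fixed)
{
	struct context s = { .role = 1 };                /* constructed role ids */
	struct context t = { .role = 2 };
	struct role_allow rule = { .role = 1, .new_role = 2, .next = NULL };
	const struct role_allow *list = have_role_allow ? &rule : NULL;

	role_allow_scans = 0;
	*out_buggy = compute_av_buggy(&s, &t, allowed, list);
	*scans_buggy = role_allow_scans;

	role_allow_scans = 0;
	*out_fixed = compute_av_fixed(&s, &t, allowed, list);
	*scans_fixed = role_allow_scans;

	return *out_buggy == *out_fixed;
}

int main(void)
{
	uint32_t b, f;
	int sb, sf;

	/* Transition not granted by TE: the buggy code still walks role_allow,
	 * but clearing a bit that is not set changes nothing. */
	compare_variants(PROCESS__FORK, 0, &b, &f, &sb, &sf);
	printf("fork only:     buggy=0x%x (%d scans)  fixed=0x%x (%d scans)\n", b, sb, f, sf);

	/* Transition granted, no role allow rule: both variants strip it. */
	compare_variants(PROCESS__FORK | PROCESS__TRANSITION, 0, &b, &f, &sb, &sf);
	printf("no role allow: buggy=0x%x (%d scans)  fixed=0x%x (%d scans)\n", b, sb, f, sf);
	return 0;
}
```

The first case is the one David describes: some permission other than transition is allowed, the roles differ, and the buggy code walks the role_allow list for nothing; the returned vector is the same either way, which is why the defect never granted or denied anything it should not have.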
* Process Transition
From: selinux @ 2003-05-14 20:06 UTC (permalink / raw)
To: SELinux
I am having an issue with policy configuration. On a default install of
redhat, I compiled and installed the selinux kernel and associated tools.
I've probably spent about 5 hours familiarizing myself with the policy
language and the logic of type enforcement. I browsed through the archive
for a bit, and didn't find a clear solution to my issue.
Upon booting the LSM kernel in permissive mode, I get many access denied
messages as the init process runs (as well as some other processes that
run at boot). I am sure that once I have an understanding as to why one
of these occur, I should be able to rectify the remaining problems, so I
will post the first denied process transition.
avc: denied { transition } for pid=1 comm=swapper path=/sbin/init /
dev=08 :01 ino=229436 scontext=system_u:system_r:kernel_t /
tcontext=system_u:system_r:init_t tclass=process
I have the following line in the policy.conf (post make install-src
install, of course):
allow kernel_t init_t:process transition;
In Frank Mayer's post about domain transitions,
http://www.nsa.gov/selinux/list-archive/3984.html
he states that program entry and program execute rules are also required.
I have the following rules:
allow init_t init_exec_t:file entrypoint;
allow init_t init_exec_t:file { read getattr lock execute ioctl };
Obviously, what I have is not sufficient (or perhaps wrong/irrelevant).
What else is required to allow the transition to occur? I realize this is a
developer's list, not a help-me spam list, but I haven't found any
other good sources.
Please advise me if this is inappropriate and where else I might look
for some assistance.
Much thanks,
Jared
* RE: Process Transition
From: Frank Mayer @ 2003-05-15 1:10 UTC (permalink / raw)
To: selinux, SELinux
> avc: denied { transition } for pid=1 comm=swapper path=/sbin/init /
> dev=08 :01 ino=229436 scontext=system_u:system_r:kernel_t /
> tcontext=system_u:system_r:init_t tclass=process
>
> I have the following line in the policy.conf (post make install-src
> install, of course):
>
> allow kernel_t init_t:process transition;
The deny audit message seems to indicate that the above rule is indeed
*not* in the running policy??? Are you sure? Perhaps there's a problem
with role allow and/or user definitions, but I thought they just
indicated an invalid context.
>
> In Frank Mayer's post about domain transitions,
>
> http://www.nsa.gov/selinux/list-archive/3984.html
>
> he states that program entry and program execute rules are also
> required. I have the following rules:
> allow init_t init_exec_t:file entrypoint;
> allow init_t init_exec_t:file { read getattr lock execute ioctl };
I think you have a slight misunderstanding. For a domain transition:
1. OLD domain has "file execute" access to entry type (i.e., init_exec_t)
2. NEW domain has "file entrypoint" access to entry type.
in addition to the process transition permission above.
Frank
* RE: Process Transition
From: Frank Mayer @ 2003-05-15 1:13 UTC (permalink / raw)
To: selinux, SELinux
> avc: denied { transition } for pid=1 comm=swapper path=/sbin/init /
> dev=08 :01 ino=229436 scontext=system_u:system_r:kernel_t /
> tcontext=system_u:system_r:init_t tclass=process
>
> I have the following line in the policy.conf (post make install-src
> install, of course):
>
> allow kernel_t init_t:process transition;
The deny audit message seems to indicate that the above rule is indeed
*not* in the running policy??? Are you sure? Perhaps there's a problem
with role allow and/or user definitions, but I thought they just
indicated an invalid context not a transition permission denied.
>
> In Frank Mayer's post about domain transitions,
>
> http://www.nsa.gov/selinux/list-archive/3984.html
>
> he states that program entry and program execute rules are also
> required. I have the following rules:
> allow init_t init_exec_t:file entrypoint;
> allow init_t init_exec_t:file { read getattr lock execute ioctl };
I think you have a slight misunderstanding. For a domain transition:
1. OLD domain has "file execute" access to entry type (i.e., init_exec_t)
2. NEW domain has "file entrypoint" access to entry type.
in addition to the process transition permission above.
Frank
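As an added example for Jared's question and Frank's two replies (not code from the thread, from checkpolicy or from the kernel), the three TE permissions Frank lists, modelled as a check over a small rule table in C. The rule table layout and the helper names are this example's own; the type names are the ones from the question. Run against the rules Jared posted, it reports the gap Frank's reply points at: execute on init_exec_t is granted to init_t, the new domain, where the old domain kernel_t needs it. This models the posted rule set only; it does not explain the logged denial, which both replies say the posted transition rule should have satisfied.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of TE allow rules, one permission per row.  The layout
 * is this example's own, not checkpolicy's representation. */
struct allow_rule {
	const char *source;   /* subject type (domain) */
	const char *target;   /* object type */
	const char *tclass;   /* object class: "process" or "file" */
	const char *perm;     /* a single permission name */
};

static int rule_present(const struct allow_rule *rules, size_t n,
			const char *src, const char *tgt,
			const char *cls, const char *perm)
{
	for (size_t i = 0; i < n; i++)
		if (!strcmp(rules[i].source, src) && !strcmp(rules[i].target, tgt) &&
		    !strcmp(rules[i].tclass, cls) && !strcmp(rules[i].perm, perm))
			return 1;
	return 0;
}

/* Checks the three TE permissions a domain transition needs and stores a
 * short description of each missing one in `missing` (up to 3 entries).
 * Returns the number missing; 0 means TE permits the transition.  Role and
 * user checks, which only matter when those change, are out of scope. */
static int check_domain_transition(const struct allow_rule *rules, size_t n,
				   const char *old_dom, const char *new_dom,
				   const char *entry_type,
				   const char *missing[3])
{
	int count = 0;

	/* 1. OLD domain may execute the entry file */
	if (!rule_present(rules, n, old_dom, entry_type, "file", "execute"))
		missing[count++] = "old domain lacks file execute on entry type";
	/* 2. NEW domain may be entered through that file */
	if (!rule_present(rules, n, new_dom, entry_type, "file", "entrypoint"))
		missing[count++] = "new domain lacks file entrypoint on entry type";
	/* 3. OLD domain may transition to the NEW domain */
	if (!rule_present(rules, n, old_dom, new_dom, "process", "transition"))
		missing[count++] = "old domain lacks process transition to new domain";
	return count;
}

/* The rules from the original question, expanded to one permission per row. */
static const struct allow_rule posted_rules[] = {
	{ "kernel_t", "init_t",      "process", "transition" },
	{ "init_t",   "init_exec_t", "file",    "entrypoint" },
	{ "init_t",   "init_exec_t", "file",    "read" },
	{ "init_t",   "init_exec_t", "file",    "getattr" },
	{ "init_t",   "init_exec_t", "file",    "lock" },
	{ "init_t",   "init_exec_t", "file",    "execute" },
	{ "init_t",   "init_exec_t", "file",    "ioctl" },
};

/* The same transition with the rule Frank's reply calls for: the OLD domain
 * executing the entry file. */
static const struct allow_rule corrected_rules[] = {
	{ "kernel_t", "init_t",      "process", "transition" },
	{ "kernel_t", "init_exec_t", "file",    "execute" },
	{ "init_t",   "init_exec_t", "file",    "entrypoint" },
};

#define N(a) (sizeof(a) / sizeof((a)[0]))

/* Named wrappers so each case can be checked on its own. */
static int missing_in_posted(const char *missing[3])
{
	return check_domain_transition(posted_rules, N(posted_rules),
				       "kernel_t", "init_t", "init_exec_t", missing);
}

static int missing_in_corrected(const char *missing[3])
{
	return check_domain_transition(corrected_rules, N(corrected_rules),
				       "kernel_t", "init_t", "init_exec_t", missing);
}

int main(void)
{
	const char *missing[3];
	int n = missing_in_posted(missing);

	printf("posted rules: %d missing\n", n);
	for (int i = 0; i < n; i++)
		printf("  - %s\n", missing[i]);
	printf("corrected rules: %d missing\n", missing_in_corrected(missing));
	return 0;
}
```

The read/getattr/lock/ioctl rows are kept only to mirror the posted rule; the check looks at execute, entrypoint and transition, the three permissions Frank names.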
* Re: Process Transition
From: Stephen Smalley @ 2003-05-15 12:31 UTC (permalink / raw)
To: selinux; +Cc: selinux, Frank Mayer
On Wed, 2003-05-14 at 16:06, selinux@netgps.net wrote:
> Upon booting the LSM kernel in permissive mode, I get many access denied
> messages as the init process runs (as well as some other processes that
> run at boot).
Which LSM kernel are you using? The one from the NSA SELinux web site?
Or the sourceforge CVS tree? Or Russell Coker or Brian May's packages
for Debian? Or from the public LSM BitKeeper trees?
Does your "LSM kernel" also include the separate SELinux-specific
patch? Does lsm-2.4/init/main.c include the call to selinux_init()?
> avc: denied { transition } for pid=1 comm=swapper path=/sbin/init /
> dev=08 :01 ino=229436 scontext=system_u:system_r:kernel_t /
> tcontext=system_u:system_r:init_t tclass=process
>
> I have the following line in the policy.conf (post make install-src
> install, of course):
>
> allow kernel_t init_t:process transition;
I don't see why this permission would fail, given that the above rule is
included. There is no change in user identity or role on this
transition, so neither the constraints nor the role allow rules are
relevant, just the TE rule.
Make sure that your binary policy corresponds to your policy.conf, i.e.
recompile it with checkpolicy. You can also run checkpolicy -d -b on
the binary policy file and query it to see whether a given permission is
included in it.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency