* Trouble with setexeccon/setcon
From: Mario Fanelli @ 2006-05-12 7:52 UTC (permalink / raw)
To: SeLinux Mailing List
Hello, my name is Mario and I have trouble with SELinux's API. My goal is
to modify the suPHP Apache module, but the functions setcon and
setexeccon don't work.
My Apache process runs in the dummy_t domain and the suPHP file has the security
context "user_u:object_r:dummy_exec_t"; in the policy file I write:
"domain_trans(dummy_t,dummy_exec_t,dummy_change_context_t)"
"domain_trans(dummy_t,dummy_exec_t,dummy_change1_context_t)"
And before calling apr_create_process in mod_suphp, I use
setexeccon("user_u:object_r:dummy_change_context_t") but the function always
returns -1.
* Re: Trouble with setexeccon/setcon
From: Thomas Bleher @ 2006-05-12 10:11 UTC (permalink / raw)
To: Mario Fanelli; +Cc: SeLinux Mailing List
* Mario Fanelli <mario.fanelli@gmail.com> [2006-05-12 10:10]:
> Hello, my name is Mario and I have trouble with SELinux's API. My goal is
> to modify the suPHP Apache module, but the functions setcon and
> setexeccon don't work.
>
> My Apache process runs in the dummy_t domain and the suPHP file has the security
> context "user_u:object_r:dummy_exec_t"; in the policy file I write:
>
> "domain_trans(dummy_t,dummy_exec_t,dummy_change_context_t)"
>
> "domain_trans(dummy_t,dummy_exec_t,dummy_change1_context_t)"
>
> And before calling apr_create_process in mod_suphp, I use
> setexeccon("user_u:object_r:dummy_change_context_t") but the function always
                     ^^^^^^^^
> returns -1.
You need user_r instead of object_r. I've never used this API so I can't
comment further, but at least you need to change this.
Thomas
* Re: Trouble with setexeccon/setcon
From: Stephen Smalley @ 2006-05-12 12:38 UTC (permalink / raw)
To: Thomas Bleher; +Cc: Mario Fanelli, SeLinux Mailing List
On Fri, 2006-05-12 at 12:11 +0200, Thomas Bleher wrote:
> * Mario Fanelli <mario.fanelli@gmail.com> [2006-05-12 10:10]:
> > Hello, my name is Mario and I have trouble with SELinux's API. My goal is
> > to modify the suPHP Apache module, but the functions setcon and
> > setexeccon don't work.
> >
> > My Apache process runs in the dummy_t domain and the suPHP file has the security
> > context "user_u:object_r:dummy_exec_t"; in the policy file I write:
> >
> > "domain_trans(dummy_t,dummy_exec_t,dummy_change_context_t)"
> >
> > "domain_trans(dummy_t,dummy_exec_t,dummy_change1_context_t)"
> >
> > And before calling apr_create_process in mod_suphp, I use
> > setexeccon("user_u:object_r:dummy_change_context_t") but the function always
>                      ^^^^^^^^
> > returns -1.
>
> You need user_r instead of object_r. I've never used this API so I can't
> comment further, but at least you need to change this.
Yes, and please don't hardcode security contexts in your program. Make
sure that they are configurable so that your code can adapt to other
policies. Note that you likely just want to configure the type, and let
the rest be inherited from the caller's context. See newrole (in
policycoreutils) or runcon (in coreutils) for examples of how to
construct a context by taking an existing context and then just mutating
a particular field, like the type.
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Trouble with setexeccon/setcon
From: Mario Fanelli @ 2006-05-12 13:40 UTC (permalink / raw)
To: SeLinux Mailing List
> > * Mario Fanelli <mario.fanelli@gmail.com> [2006-05-12 10:10]:
> > > Hello, my name is Mario and I have trouble with SELinux's API. My
> > > goal is to modify the suPHP Apache module, but the functions setcon
> > > and setexeccon don't work.
> > >
> > > My Apache process runs in the dummy_t domain and the suPHP file has the
> > > security context "user_u:object_r:dummy_exec_t"; in the policy file I
> > > write:
> > >
> > > "domain_trans(dummy_t,dummy_exec_t,dummy_change_context_t)"
> > >
> > > "domain_trans(dummy_t,dummy_exec_t,dummy_change1_context_t)"
> > >
> > > And before calling apr_create_process in mod_suphp, I use
> > > setexeccon("user_u:object_r:dummy_change_context_t") but the
> >                      ^^^^^^^^
> > > function always returns -1.
> >
> > You need user_r instead of object_r. I've never used this API so I
> > can't comment further, but at least you need to change this.
>
> Yes, and please don't hardcode security contexts in your program. Make
> sure that they are configurable so that your code can adapt to other
> policies. Note that you likely just want to configure the type, and let the
> rest be inherited from the caller's context. See newrole (in
> policycoreutils) or runcon (in coreutils) for examples of how to construct
> a context by taking an existing context and then just mutating a
> particular field, like the type.
>
> --
> Stephen Smalley
> National Security Agency
Yes, but runcon and newrole are user-space commands.
I have to modify the suPHP C source code because I want the suPHP process
to have a different security context depending on an environment variable
that mod_suphp sets. I tried to use setexeccon in mod_suphp before executing
suPHP but the security context doesn't change: setexeccon returns -1. So I tried
to modify the suPHP exec with a call to setcon, but setcon doesn't work
either.
If I use runcon everything works, but I need to modify the source code.
* Re: Trouble with setexeccon/setcon
From: Stephen Smalley @ 2006-05-12 14:16 UTC (permalink / raw)
To: Mario Fanelli; +Cc: SeLinux Mailing List
On Fri, 2006-05-12 at 15:40 +0200, Mario Fanelli wrote:
> Yes, but runcon and newrole are user-space commands.
>
> I have to modify the suPHP C source code because I want the suPHP
> process to have a different security context depending on an
> environment variable that mod_suphp sets. I tried to use setexeccon in
> mod_suphp before executing suPHP but the security context doesn't
> change: setexeccon returns -1. So I tried to modify the suPHP exec with
> a call to setcon, but setcon doesn't work either.
>
> If I use runcon everything works, but I need to modify the source code.
Right, I meant to look at the runcon.c or newrole.c source code as
examples of how to use setexeccon() as well as how to create a context
in the first place from a combination of the caller's context and some
new type. What errno do you get after the failed setexeccon() call? In
addition to replacing object_r with a legitimate process role, you also
need to ensure that the role is authorized for the type/domain.
--
Stephen Smalley
National Security Agency
* Trouble with setexeccon/setcon
From: Mario Fanelli @ 2006-05-13 10:53 UTC (permalink / raw)
To: SeLinux Mailing List
> -----Original Message-----
> From: Stephen Smalley [mailto:sds@tycho.nsa.gov]
> Sent: Friday, May 12, 2006 4:17 PM
> To: Mario Fanelli
> Cc: SeLinux Mailing List
> Subject: Re: Trouble with setexeccon/setcon
>
> On Fri, 2006-05-12 at 15:40 +0200, Mario Fanelli wrote:
>
> > Yes, but runcon and newrole are user-space commands.
> >
> > I have to modify the suPHP C source code because I want the suPHP
> > process to have a different security context depending on an
> > environment variable that mod_suphp sets. I tried to use setexeccon in
> > mod_suphp before executing suPHP but the security context doesn't
> > change: setexeccon returns -1. So I tried to modify the suPHP exec with
> > a call to setcon, but setcon doesn't work either.
> >
> > If I use runcon everything works, but I need to modify the source code.
>
> Right, I meant to look at the runcon.c or newrole.c source code as
> examples of how to use setexeccon() as well as how to create a context
> in the first place from a combination of the caller's context and some
> new type. What errno do you get after the failed setexeccon() call? In
> addition to replacing object_r with a legitimate process role, you also
> need to ensure that the role is authorized for the type/domain.
>
> --
> Stephen Smalley
> National Security Agency
I think that there is a problem with setcon/setexeccon...
Perhaps now I try to write a wrapper program that executes the command
"runcon -t dummy_change_context_t /path/of/suphp"; the program only uses an
environment variable "SUPHP_SELINUX_DOMAIN" and calls execve() with the same
environment, but the result doesn't change.
Now I have written a policy for suPHP with a domain_auto_trans macro. When
Apache executes suphp, the context changes, but if I use a domain_trans and a
setcon in suPHP, I get an error and I don't find any error message in
/var/log/messages. I'm using a targeted policy and I put apache2 in the
unconfined_t domain.
Where can I find the runcon/newrole source code?
* Re: Trouble with setexeccon/setcon
From: Stephen Smalley @ 2006-05-15 12:19 UTC (permalink / raw)
To: Mario Fanelli; +Cc: SeLinux Mailing List
On Sat, 2006-05-13 at 12:53 +0200, Mario Fanelli wrote:
> I think that there is a problem with setcon/setexeccon...
Please disable HTML mail in your mail client.
> Perhaps now I try to write a wrapper program that executes the command
> "runcon -t dummy_change_context_t /path/of/suphp"; the program only
> uses an environment variable "SUPHP_SELINUX_DOMAIN" and calls execve()
> with the same environment, but the result doesn't change.
I'm not certain as to what you mean by the above statement. Does it
fail? Does running that same command by hand succeed? What is the
output? What is logged in /var/log/messages
or /var/log/audit/audit.log?
> Now I have written a policy for suPHP with a domain_auto_trans macro.
> When Apache executes suphp, the context changes, but if I use a
> domain_trans and a setcon in suPHP, I get an error and I don't find
> any error message in /var/log/messages. I'm using a targeted policy and
> I put apache2 in the unconfined_t domain.
Point of clarification: domain_trans is for authorizing transitions via
execve. It does not authorize a dynamic context transition. So if you
want to transition upon execve (as in runcon), then you want to use
setexeccon() prior to the execve, and you need to allow process setexec
permission as well as the domain transition (in the example policy, this
is done by the can_setexec() macro). If you want to transition within
the current process without performing an execve via setcon(), then you
need to separately allow process dyntransition permission.
Did you also check for a /var/log/audit/audit.log? That is where
messages are logged if running auditd (as in FC4).
> Where can I find the runcon/newrole source code?
runcon is part of coreutils, so it would be in the coreutils SRPM, or
you can just grab coreutils-selinux.patch.
newrole is part of policycoreutils, so you can grab that SRPM or the
upstream tarball.
--
Stephen Smalley
National Security Agency
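The two points Stephen makes in this thread (build the new context from the caller's own context and change only the type, as runcon/newrole do; and a setexeccon() before execve() needs a legitimate process role plus process setexec permission) put together in C, as an added example that is not code from the thread, suPHP or libselinux. It assumes libselinux's getcon()/setexeccon()/freecon() behind a HAVE_LIBSELINUX build flag of its own; the dummy_* type names come from the thread, and the function names are this example's.

```c
/* Added example, not code from the thread, suPHP or libselinux: build the
 * child's exec context as runcon/newrole do (copy the caller's context and
 * replace only the type), then arm it with setexeccon() before execve(). */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Rewrite "user:role:type[:range]" as "user:role:newtype[:range]". Returns -1
 * if cur is malformed, does not fit in out, or carries object_r, which is the
 * role for objects such as files and never valid for a process (the original
 * post's mistake). Returns 0 on success. */
int build_exec_context(const char *cur, const char *newtype,
                       char *out, size_t outlen)
{
    const char *p1 = strchr(cur, ':');                /* end of user */
    const char *p2 = p1 ? strchr(p1 + 1, ':') : NULL; /* end of role */
    if (!p1 || !p2 || p2[1] == '\0')
        return -1;
    const char *range = strchr(p2 + 1, ':');          /* optional MLS range */
    int rolelen = (int)(p2 - p1 - 1);
    if (rolelen == 8 && strncmp(p1 + 1, "object_r", 8) == 0)
        return -1;
    int n = snprintf(out, outlen, "%.*s:%.*s:%s%s", (int)(p1 - cur), cur,
                     rolelen, p1 + 1, newtype, range ? range : "");
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

#ifdef HAVE_LIBSELINUX /* assumed build flag: -DHAVE_LIBSELINUX -lselinux */
#include <selinux/selinux.h>

/* Arm the context for the next execve(). If setexeccon() fails, errno typically
 * says why: EINVAL, the context is not valid under the loaded policy (e.g. the
 * role is not authorized for the type); EACCES, no process:setexec permission. */
int prepare_exec_transition(const char *newtype)
{
    char *cur = NULL, newcon[256];
    if (getcon(&cur) < 0) { perror("getcon"); return -1; }
    int rc = build_exec_context(cur, newtype, newcon, sizeof newcon);
    freecon(cur);
    if (rc < 0) {
        fprintf(stderr, "no valid process context for type %s\n", newtype);
        return -1;
    }
    if (setexeccon(newcon) < 0) {
        fprintf(stderr, "setexeccon(%s): %s\n", newcon, strerror(errno));
        return -1;
    }
    return 0; /* the next execve() of a dummy_exec_t file runs as newcon */
}
#endif
```

Calling prepare_exec_transition("dummy_change_context_t") from the Apache worker before apr_create_process only takes effect if the policy also grants the domain_trans from the caller's domain through dummy_exec_t, which is the second half of what the thread describes.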