* Elimination of disable_trans boolean ramifications
@ 2007-03-23 17:41 Daniel J Walsh
2007-03-23 18:52 ` Daniel J Walsh
2007-03-26 16:43 ` Karl MacMillan
0 siblings, 2 replies; 6+ messages in thread
From: Daniel J Walsh @ 2007-03-23 17:41 UTC (permalink / raw)
To: SE Linux
I have removed the disable_trans booleans from Rawhide, and FC7 Test3.
I wanted to remove these booleans because they cause as many problems as
they solve. If you turn off certain domains, it can change the
labeling on the system and cause other confined domains to blow up.
If you syslog_disable_trans, the devlog_t context is wrong and any
confined app that tries to syslog will no longer work.
The best thing to do when confronted with an AVC would be to figure out
if this is expected behavior; if yes, then report it as a bug to upstream
or to the distribution and create a loadable policy module that handles
the problem.
If there are so many problems or a user just does not want to deal with
it I figured we could just load a policy that sets the domain as an
unconfined_domain.
If you wanted to run samba as an unconfined domain you would build a
policy module
policy_module(mysamba, 1.0)
require {
type smbd_t;
}
unconfined_domain(smbd_t)
Compile it
make -f /usr/share/selinux/devel/Makefile
And load it
semodule -i mysamba.pp
Only problem...
semodule -i mysamba.pp
libsepol.permission_copy_callback: Module mysamba depends on permission
* in class capability, not satisfied
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
But once we fix the interface this should work.
I think this is a better solution; we could even instrument
system-config-selinux or audit2allow to generate this policy module on
the fly. I think this is better than disable_trans or setting up a
boolean for all confined domains to go to unconfined.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Elimination of disable_trans boolean ramifications
2007-03-23 17:41 Elimination of disable_trans boolean ramifications Daniel J Walsh
@ 2007-03-23 18:52 ` Daniel J Walsh
2007-03-28 18:09 ` Christopher J. PeBenito
2007-03-26 16:43 ` Karl MacMillan
1 sibling, 1 reply; 6+ messages in thread
From: Daniel J Walsh @ 2007-03-23 18:52 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: SE Linux
Daniel J Walsh wrote:
> I have removed the disable_trans booleans from Rawhide, and FC7
> Test3. I wanted to remove these booleans because they cause as many
> problems as they solve. If you turn off certain domains, it can
> change the labeling on the system and cause other confined domains to
> blow up.
>
> If you syslog_disable_trans, the devlog_t context is wrong and any
> confined app that tries to syslog will no longer work.
>
> The best thing to do when confronted with an AVC would be to figure
> out if this is expected behavior, if yes then report it as a bug to
> upstream or to the distribution and create a loadable policy module
> that handles the problem.
>
> If there are so many problems or a user just does not want to deal
> with it I figured we could just load a policy that sets the domain as
> an unconfined_domain.
>
> If you wanted to run samba as an unconfined domain you would build a
> policy module
>
> policy_module(mysamba, 1.0)
>
> require {
> type smbd_t;
> }
>
> unconfined_domain(smbd_t)
>
>
> Compile it
>
> make -f /usr/share/selinux/devel/Makefile
>
> And load it
>
> semodule -i mysamba.pp
>
> Only problem...
>
> semodule -i mysamba.pp
> libsepol.permission_copy_callback: Module mysamba depends on
> permission * in class capability, not satisfied
> libsemanage.semanage_link_sandbox: Link packages failed
> semodule: Failed!
>
> But once we fix the interface this should work.
>
> I think this is a better solution, we could even instrument
> system-config-selinux or audit2allow to generate this policy module
> on the fly. I think this is better than disable_trans or setting up a
> boolean for all confined domains to go to unconfined.
>
>
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to > majordomo@tycho.nsa.gov with > the words "unsubscribe selinux" without quotes as the message. Attached patch fixes the semodule problem although it makes changing the policy to add editing access_vectors more complicated. [-- Attachment #2: unconfined_diff --] [-- Type: text/plain, Size: 2341 bytes --] --- nsaserefpolicy/policy/modules/system/unconfined.if 2007-02-19 11:32:53.000000000 -0500 +++ serefpolicy-2.5.10/policy/modules/system/unconfined.if 2007-03-23 14:33:51.000000000 -0400 @@ -18,7 +18,7 @@ ') # Use any Linux capability. - allow $1 self:capability *; + allow $1 self:capability all_capabilities; allow $1 self:fifo_file manage_fifo_file_perms; # Transition to myself, to make get_ordered_context_list happy. @@ -28,10 +28,10 @@ allow $1 self:file rw_file_perms; # Userland object managers - allow $1 self:nscd *; - allow $1 self:dbus *; - allow $1 self:passwd *; - allow $1 self:association *; + allow $1 self:nscd all_nscd; + allow $1 self:dbus all_dbus; + allow $1 self:passwd all_passwd; + allow $1 self:association all_association; kernel_unconfined($1) corenet_unconfined($1) --- nsaserefpolicy/policy/support/obj_perm_sets.spt 2007-01-02 12:57:51.000000000 -0500 +++ serefpolicy-2.5.10/policy/support/obj_perm_sets.spt 2007-03-23 14:34:29.000000000 -0400 @@ -215,7 +215,7 @@ define(`getattr_file_perms',`{ getattr }') define(`setattr_file_perms',`{ setattr }') define(`read_file_perms',`{ getattr read lock ioctl }') -define(`mmap_file_perms',`{ getattr read execute }') +define(`mmap_file_perms',`{ getattr read execute ioctl }') define(`exec_file_perms',`{ getattr read execute execute_no_trans }') define(`append_file_perms',`{ getattr append lock ioctl }') define(`write_file_perms',`{ getattr write append lock ioctl }') 
@@ -324,3 +324,13 @@ # define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }') define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept }') + +define(`all_capabilities', `{ chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control } +') + +define(`all_nscd', `{ getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost } ') +define(`all_dbus', `{ acquire_svc send_msg } ') +define(`all_passwd', `{ passwd chfn chsh rootok crontab } ') +define(`all_association', `{ sendto recvfrom setcontext polmatch } ') + + ^ permalink raw reply [flat|nested] 6+ messages in thread
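Review bot: any permission later added to access_vectors for the capability, nscd, dbus, passwd or association classes will be silently dropped from unconfined_domain() once the unconfined.if hunk replaces `allow $1 self:capability *;` and the four `self:<class> *` rules with the hand-listed `all_*` sets, and the cover note already admits the extra maintenance. If the wildcard cannot be made to link in a module, add a build-time check that each `all_<class>` list equals the class's permission list, or at least a comment beside each define naming the access_vectors entry it mirrors.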
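Review bot: the `mmap_file_perms` change in the `@@ -215,7 +215,7 @@` hunk (`-define(`mmap_file_perms',`{ getattr read execute }')` becoming `+define(`mmap_file_perms',`{ getattr read execute ioctl }')`) is unrelated to replacing `*` with named permission sets, is not mentioned in the mail, and widens every caller of mmap_file_perms. Split it into its own patch with its own justification, or explain in the description why it belongs here.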
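Review bot: in the `@@ -324,3 +324,13 @@` hunk the `all_capabilities` define closes its m4 quote on a separate line (`}` on one line, `+')` on the next), so the macro expands with an embedded newline, unlike the four one-line defines that follow it; put `} ')` on the same line as the list. The hunk also appends two empty `+` lines at end of file, which should be dropped.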
* Re: Elimination of disable_trans boolean ramifications
2007-03-23 18:52 ` Daniel J Walsh
@ 2007-03-28 18:09 ` Christopher J. PeBenito
0 siblings, 0 replies; 6+ messages in thread
From: Christopher J. PeBenito @ 2007-03-28 18:09 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SE Linux
On Fri, 2007-03-23 at 14:52 -0400, Daniel J Walsh wrote:
> Daniel J Walsh wrote:
> > If you wanted to run samba as an unconfined domain you would build a
> > policy module
> >
> > policy_module(mysamba, 1.0)
> >
> > require {
> > type smbd_t;
> > }
> >
> > unconfined_domain(smbd_t)
> >
> >
> > Compile it
> >
> > make -f /usr/share/selinux/devel/Makefile
> >
> > And load it
> >
> > semodule -i mysamba.pp
> >
> > Only problem...
> >
> > semodule -i mysamba.pp
> > libsepol.permission_copy_callback: Module mysamba depends on
> > permission * in class capability, not satisfied
> > libsemanage.semanage_link_sandbox: Link packages failed
> > semodule: Failed!
> >
> > But once we fix the interface this should work.

I'm not sure why you are hitting this. The policy_module statement
already requires all kernel object classes and their perms. It might be
interesting to look at the final source file to see what's going on.

>
> plain text document attachment (unconfined_diff), "unconfined_diff"
> --- nsaserefpolicy/policy/modules/system/unconfined.if 2007-02-19 11:32:53.000000000 -0500 > +++ serefpolicy-2.5.10/policy/modules/system/unconfined.if 2007-03-23 14:33:51.000000000 -0400 > @@ -18,7 +18,7 @@ > ') > > # Use any Linux capability. > - allow $1 self:capability *; > + allow $1 self:capability all_capabilities; > allow $1 self:fifo_file manage_fifo_file_perms; > > # Transition to myself, to make get_ordered_context_list happy. 
> @@ -28,10 +28,10 @@ > allow $1 self:file rw_file_perms; > > # Userland object managers > - allow $1 self:nscd *; > - allow $1 self:dbus *; > - allow $1 self:passwd *; > - allow $1 self:association *; > + allow $1 self:nscd all_nscd; > + allow $1 self:dbus all_dbus; > + allow $1 self:passwd all_passwd; > + allow $1 self:association all_association; > > kernel_unconfined($1) > corenet_unconfined($1) > --- nsaserefpolicy/policy/support/obj_perm_sets.spt 2007-01-02 12:57:51.000000000 -0500 > +++ serefpolicy-2.5.10/policy/support/obj_perm_sets.spt 2007-03-23 14:34:29.000000000 -0400 > @@ -215,7 +215,7 @@ > define(`getattr_file_perms',`{ getattr }') > define(`setattr_file_perms',`{ setattr }') > define(`read_file_perms',`{ getattr read lock ioctl }') > -define(`mmap_file_perms',`{ getattr read execute }') > +define(`mmap_file_perms',`{ getattr read execute ioctl }') > define(`exec_file_perms',`{ getattr read execute execute_no_trans }') > define(`append_file_perms',`{ getattr append lock ioctl }') > define(`write_file_perms',`{ getattr write append lock ioctl }') 
> @@ -324,3 +324,13 @@ > # > define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }') > define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept }') > + > +define(`all_capabilities', `{ chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control } > +') > + > +define(`all_nscd', `{ getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost } ') > +define(`all_dbus', `{ acquire_svc send_msg } ') > +define(`all_passwd', `{ passwd chfn chsh rootok crontab } ') > +define(`all_association', `{ sendto recvfrom setcontext polmatch } ') > + > + -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150 -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 6+ messages in thread
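As an added example that is not part of the thread or of refpolicy, a Python check for the maintenance cost Dan mentions with the attached patch (and the kind of thing Chris's look at the final source would have to confirm by hand): each hand-listed all_<class> set in obj_perm_sets.spt must match the kernel's access_vectors, or it either silently loses new permissions or names one the module linker rejects. The sample inputs are constructed and abbreviated, and the parsing functions and the all_capabilities alias table are my own.

```python
"""Added example: check that hand-maintained all_<class> permission sets, like
those the patch adds to obj_perm_sets.spt, match the kernel's access_vectors."""
import re

# Constructed, abbreviated sample in the access_vectors format: a 'common'
# block, a plain class, and a class that inherits the common block.
ACCESS_VECTORS = """\
common file
{
  ioctl
  read
}
class capability
{
  chown
  dac_override
  kill
  setfcap
}
class dir
inherits file
{
  add_name
}
"""
# Constructed sample in the style of the patch's define()s; the first one
# keeps the patch's line break before the closing m4 quote.
OBJ_PERM_SETS = """\
define(`all_capabilities', `{ chown dac_override kill lease }
')
define(`all_dir', `{ add_name ioctl read } ')
"""
BLOCK_RE = re.compile(
    r"^(common|class)\s+(\w+)(?:\s+inherits\s+(\w+))?\s*\{([^}]*)\}", re.M)
DEFINE_RE = re.compile(r"define\(`all_(\w+)',\s*`\{([^}]*)\}\s*'\)")
CLASS_ALIASES = {"capabilities": "capability"}  # all_capabilities -> class capability

def parse_access_vectors(text):
    """Map each class to its permission set, expanding 'inherits <common>'."""
    commons, classes = {}, {}
    for kind, name, parent, body in BLOCK_RE.findall(text):
        perms = set(body.split())
        if kind == "common":
            commons[name] = perms
        else:
            classes[name] = perms | commons.get(parent, set())
    return classes

def parse_perm_sets(text):
    """Map <class> to the perms listed in define(`all_<class>', `{ ... }')."""
    return {cls: set(body.split()) for cls, body in DEFINE_RE.findall(text)}

def find_drift(av_text, spt_text):
    """Per all_<class> set: 'missing' = kernel perms the set lacks (silently gone
    from unconfined_domain); 'extra' = names the kernel lacks (fail to link)."""
    classes = parse_access_vectors(av_text)
    drift = {}
    for cls, perms in parse_perm_sets(spt_text).items():
        kernel = classes.get(CLASS_ALIASES.get(cls, cls), set())
        drift[cls] = {"missing": kernel - perms, "extra": perms - kernel}
    return drift
```

Run it over the real policy/flask/access_vectors and policy/support/obj_perm_sets.spt of a refpolicy tree and any non-empty entry is a set that needs editing before the next module load.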
* Re: Elimination of disable_trans boolean ramifications
2007-03-23 17:41 Elimination of disable_trans boolean ramifications Daniel J Walsh
2007-03-23 18:52 ` Daniel J Walsh
@ 2007-03-26 16:43 ` Karl MacMillan
2007-03-26 19:11 ` Daniel J Walsh
1 sibling, 1 reply; 6+ messages in thread
From: Karl MacMillan @ 2007-03-26 16:43 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SE Linux
On Fri, 2007-03-23 at 13:41 -0400, Daniel J Walsh wrote:
> I have removed the disable_trans booleans from Rawhide, and FC7 Test3.
> I wanted to remove these booleans because they cause as many problems as
> they solve. If you turn off certain domains, it can change the
> labeling on the system and cause other confined domains to blow up.
>
> If you syslog_disable_trans, the devlog_t context is wrong and any
> confined app that tries to syslog will no longer work.
>
> The best thing to do when confronted with an AVC would be to figure out
> if this is expected behavior, if yes then report it as a bug to upstream
> or to the distribution and create a loadable policy module that handles
> the problem.
>
> If there are so many problems or a user just does not want to deal with
> it I figured we could just load a policy that sets the domain as an
> unconfined_domain.
>
> If you wanted to run samba as an unconfined domain you would build a
> policy module
>
> policy_module(mysamba, 1.0)
>
> require {
> type smbd_t;
> }
>
> unconfined_domain(smbd_t)
>

So - I like this idea from a technical point-of-view. The only concern
is that users are used to looking for a boolean for this type of thing.
There is some hope that they would discover the changed booleans poking
around a gui tool or using g/setsebool. I don't think most users would
ever think to create a module to make a domain unconfined. Plus, the
directions on how to do this go from a single command to several.

I've heard concern that the number of booleans is growing too large. I
would suggest that if that is your motivation for avoiding booleans that
we find a way to organize them instead.

Karl
* Re: Elimination of disable_trans boolean ramifications
2007-03-26 16:43 ` Karl MacMillan
@ 2007-03-26 19:11 ` Daniel J Walsh
2007-03-26 20:12 ` Karl MacMillan
0 siblings, 1 reply; 6+ messages in thread
From: Daniel J Walsh @ 2007-03-26 19:11 UTC (permalink / raw)
To: Karl MacMillan; +Cc: SE Linux
Karl MacMillan wrote:
> On Fri, 2007-03-23 at 13:41 -0400, Daniel J Walsh wrote:
>
>> I have removed the disable_trans booleans from Rawhide, and FC7 Test3.
>> I wanted to remove these booleans because they cause as many problems as
>> they solve. If you turn off certain domains, it can change the
>> labeling on the system and cause other confined domains to blow up.
>>
>> If you syslog_disable_trans, the devlog_t context is wrong and any
>> confined app that tries to syslog will no longer work.
>>
>> The best thing to do when confronted with an AVC would be to figure out
>> if this is expected behavior, if yes then report it as a bug to upstream
>> or to the distribution and create a loadable policy module that handles
>> the problem.
>>
>> If there are so many problems or a user just does not want to deal with
>> it I figured we could just load a policy that sets the domain as an
>> unconfined_domain.
>>
>> If you wanted to run samba as an unconfined domain you would build a
>> policy module
>>
>> policy_module(mysamba, 1.0)
>>
>> require {
>> type smbd_t;
>> }
>>
>> unconfined_domain(smbd_t)
>>
>>
>>
>
> So - I like this idea from a technical point-of-view. The only concern
> is that users are used to looking for a boolean for this type of thing.
> There is some hope that they would discover the changed booleans poking
> around a gui tool or using g/setsebool. I don't think most users would
> ever think to create a module to make a domain unconfined. Plus, the
> directions on how to do this go from a single command to several.
>
> I've heard concern that the number of booleans is growing too large. I
> would suggest that if that is your motivation for avoiding booleans that
> we find a way to organize them instead.
>
> Karl
>
I think turning a domain unconfined_domain should be the last resort.
(Or I guess better than chcon -t bin_t EXEC)

I think adding a boolean makes it too easy for them.

The response to an AVC would be best if it involved the following:

1. Ignore AVC if the app works. Reporting a bugzilla against the package
that created it. Leaked file descriptor or daemons trying to talk to
terminals are classic examples of this.
2. If setroubleshoot suggests a boolean or file_context to set then set
it and see if the app works.
3. audit2allow -M myEXEC -i /var/log/audit/audit.log to "fix" the
policy for the app (BUGZILLA)
4. New tool to create unconfined_domain policy package for running
daemon unconfined (BUGZILLA)
5. chcon -t bin_t EXEC (BUGZILLA)
6. setenforce 0 (BUGZILLA)
7. selinux=0 (BUGZILLA)
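As an added example, not code from the thread or from Fedora's tooling: a small Python version of the "new tool" in step 4 of the ladder above, which turns the mysamba recipe from the first message into a function of the domain type and then runs the two compile/load commands the thread gives. The script, its `unconfine` helper, the name validation and the dry-run default are my assumptions; the Makefile path and the commands are the thread's.

```python
"""Added example: the 'new tool' of step 4, generating the per-domain
unconfined module from the first message and running the two build/load
commands it gives. The tool and its interface are hypothetical."""
import re
import subprocess
from pathlib import Path

DEVEL_MAKEFILE = "/usr/share/selinux/devel/Makefile"  # path from the thread
DOMAIN_RE = re.compile(r"^[a-z][a-z0-9_]*_t$")         # e.g. smbd_t
MODULE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")     # e.g. mysamba

def unconfined_module_te(domain, name):
    """Return the .te source from the thread, parameterised on the domain.
    Both names are validated so no policy syntax can ride along in them."""
    if not DOMAIN_RE.match(domain):
        raise ValueError(f"not a domain type name: {domain!r}")
    if not MODULE_RE.match(name):
        raise ValueError(f"not a module name: {name!r}")
    return (f"policy_module({name}, 1.0)\n\n"
            "require {\n"
            f"\ttype {domain};\n"
            "}\n\n"
            f"unconfined_domain({domain})\n")

def build_commands(name):
    """The two commands the thread gives: compile every .te in the working
    directory with the devel Makefile, then load the resulting package."""
    return [["make", "-f", DEVEL_MAKEFILE],
            ["semodule", "-i", f"{name}.pp"]]

def unconfine(domain, workdir, name=None, dry_run=True):
    """Write <name>.te into workdir and, unless dry_run, compile and load it.
    Returns the commands so the caller can log what was (or would be) run."""
    name = name or "my" + domain[:-2]          # smbd_t -> mysmbd
    workdir = Path(workdir)
    workdir.mkdir(parents=True, exist_ok=True)
    (workdir / f"{name}.te").write_text(unconfined_module_te(domain, name))
    cmds = build_commands(name)
    if not dry_run:
        for cmd in cmds:                        # semodule -i needs root
            subprocess.run(cmd, cwd=workdir, check=True)
    return cmds

if __name__ == "__main__":
    import sys
    # usage: unconfine.py smbd_t /tmp/mysamba [--load]
    for cmd in unconfine(sys.argv[1], sys.argv[2], dry_run="--load" not in sys.argv):
        print(" ".join(cmd))
```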
* Re: Elimination of disable_trans boolean ramifications
2007-03-26 19:11 ` Daniel J Walsh
@ 2007-03-26 20:12 ` Karl MacMillan
0 siblings, 0 replies; 6+ messages in thread
From: Karl MacMillan @ 2007-03-26 20:12 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SE Linux
On Mon, 2007-03-26 at 15:11 -0400, Daniel J Walsh wrote:
> Karl MacMillan wrote:
<snip>
> >
> > So - I like this idea from a technical point-of-view. The only concern
> > is that users are used to looking for a boolean for this type of thing.
> > There is some hope that they would discover the changed booleans poking
> > around a gui tool or using g/setsebool. I don't think most users would
> > ever think to create a module to make a domain unconfined. Plus, the
> > directions on how to do this go from a single command to several.
> >
> > I've heard concern that the number of booleans is growing too large. I
> > would suggest that if that is your motivation for avoiding booleans that
> > we find a way to organize them instead.
> >
> > Karl
> >
> I think turning a domain unconfined_domain should be the last resort.
> (Or I guess better than chcon -t bin_t EXEC)
>
> I think adding a boolean makes it too easy for them.
>
I'm afraid that turning off selinux will be easier. I would rather a
user have a few unconfined domains than no selinux at all.

> The response to an AVC would be best if it involved the following:
>
> 1. Ignore AVC if the app works. Reporting a bugzilla against the package
> that created it. Leaked file descriptor or daemons trying to talk to
> terminals are classic examples of this.
> 2. If setroubleshoot suggests a boolean or file_context to set then set
> it and see if the app works.
> 3. audit2allow -M myEXEC -i /var/log/audit/audit.log to "fix" the
> policy for the app (BUGZILLA)
> 4. New tool to create unconfined_domain policy package for running
> daemon unconfined (BUGZILLA)
> 5. chcon -t bin_t EXEC (BUGZILLA)
> 6. setenforce 0 (BUGZILLA)
> 7. selinux=0 (BUGZILLA)
>
I agree up until 4, which I'm afraid will become goto 6 instead. Both 4
and 5 require that the user have some idea of what to do and there are
no "bread crumbs" for them to follow to get there.

Considering how long we have been pushing the disable_trans booleans I
hesitate to change that process radically.

Karl