* [PATCH 1/1] refpolicy: Do not want to transition to sysadm_t when upstart runs a shell
@ 2008-03-06 21:11 James Carter
From: James Carter @ 2008-03-06 21:11 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: SELinux
Upstart spawns a shell during boot and, without this patch, it will
transition to the sysadm_t domain, but remain in the system_r role.
Services started by that shell will fail to start, even in permissive
mode, if system_u:system_r:sysadm_someservice_t is an invalid context.
We really don't want to be starting services from the sysadm_t domain
during boot.
Index: policy/modules/system/init.te
===================================================================
--- policy/modules/system/init.te (revision 2631)
+++ policy/modules/system/init.te (working copy)
@@ -164,10 +164,12 @@
')
ifndef(`distro_ubuntu',`
+ifndef(`distro_redhat',`
# Run the shell in the sysadm role for single-user mode.
# causes problems with upstart
userdom_shell_domtrans_sysadm(init_t)
')
+')
optional_policy(`
auth_rw_login_records(init_t)
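Review bot: The added `ifndef(`distro_redhat',`...')` wrapper keys the change to the distribution rather than to upstart, so every Red Hat build loses the sysadm_t transition, including sysvinit-based releases where single-user mode depends on it (the retained comment "# Run the shell in the sysadm role for single-user mode." documents exactly that purpose). Gate it on an upstart-specific condition instead (a build option or tunable for upstart, which is where the thread ends up), or at least narrow it to the releases that ship upstart, and move the "# causes problems with upstart" comment next to the new condition, since left inside the block it now reads as the reason the rule exists rather than the reason it is disabled. Note also that dropping the transition without a replacement leaves init_t with no rule at all for executing the shell, so the upstart shell will then hit execute/execute_no_trans denials on shell_exec_t (Joe's later log shows exactly that) unless either a plain exec or a transition to another domain such as initrc_t is added in its place.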
--
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: [PATCH 1/1] refpolicy: Do not want to transition to sysadm_t when upstart runs a shell
From: Stephen Smalley @ 2008-03-06 21:26 UTC (permalink / raw)
To: jwcart2; +Cc: Christopher J. PeBenito, SELinux

On Thu, 2008-03-06 at 16:11 -0500, James Carter wrote:
> Upstart spawns a shell during boot and, without this patch, it will
> transition to the sysadm_t domain, but remain in the system_r role.
> Services started by that shell will fail to start, even in permissive
> mode, if system_u:system_r:sysadm_someservice_t is an invalid context.
> We really don't want to be starting services from the sysadm_t domain
> during boot.

So what happens if one does a single user boot under upstart?
That's the motivation for the original transition there.

Also, I guess we need to distinguish Fedora 9 and later from older
distros here.

> Index: policy/modules/system/init.te
> ===================================================================
> --- policy/modules/system/init.te (revision 2631)
> +++ policy/modules/system/init.te (working copy)
> @@ -164,10 +164,12 @@
> ')
>
> ifndef(`distro_ubuntu',`
> +ifndef(`distro_redhat',`
> # Run the shell in the sysadm role for single-user mode.
> # causes problems with upstart
> userdom_shell_domtrans_sysadm(init_t)
> ')
> +')
>
> optional_policy(`
> auth_rw_login_records(init_t)

--
Stephen Smalley
National Security Agency
* Re: [PATCH 1/1] refpolicy: Do not want to transition to sysadm_t when upstart runs a shell
From: Daniel J Walsh @ 2008-03-06 21:45 UTC (permalink / raw)
To: Stephen Smalley; +Cc: jwcart2, Christopher J. PeBenito, SELinux

Stephen Smalley wrote:
> On Thu, 2008-03-06 at 16:11 -0500, James Carter wrote:
>> Upstart spawns a shell during boot and, without this patch, it will
>> transition to the sysadm_t domain, but remain in the system_r role.
>> Services started by that shell will fail to start, even in permissive
>> mode, if system_u:system_r:sysadm_someservice_t is an invalid context.
>> We really don't want to be starting services from the sysadm_t domain
>> during boot.
>
So it should probably transition to initrc_t, so apps started this way
would have a chance of transitioning properly.

> So what happens if one does a single user boot under upstart?
> That's the motivation for the original transition there.
>
> Also, I guess we need to distinguish Fedora 9 and later from older
> distros here.
>
>> Index: policy/modules/system/init.te
>> ===================================================================
>> --- policy/modules/system/init.te (revision 2631)
>> +++ policy/modules/system/init.te (working copy)
>> @@ -164,10 +164,12 @@
>> ')
>>
>> ifndef(`distro_ubuntu',`
>> +ifndef(`distro_redhat',`
>> # Run the shell in the sysadm role for single-user mode.
>> # causes problems with upstart
>> userdom_shell_domtrans_sysadm(init_t)
>> ')
>> +')
>>
>> optional_policy(`
>> auth_rw_login_records(init_t)
* Re: [PATCH 1/1] refpolicy: Do not want to transition to sysadm_t when upstart runs a shell
From: Christopher J. PeBenito @ 2008-03-07 19:03 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Stephen Smalley, jwcart2, SELinux

On Thu, 2008-03-06 at 16:45 -0500, Daniel J Walsh wrote:
> Stephen Smalley wrote:
> > On Thu, 2008-03-06 at 16:11 -0500, James Carter wrote:
> >> Upstart spawns a shell during boot and, without this patch, it will
> >> transition to the sysadm_t domain, but remain in the system_r role.
> >> Services started by that shell will fail to start, even in permissive
> >> mode, if system_u:system_r:sysadm_someservice_t is an invalid context.
> >> We really don't want to be starting services from the sysadm_t domain
> >> during boot.
> >
> So it should probably transition to initrc_t, so apps started this way
> would have a chance of transitioning properly.

No, the shell will execute /etc/rc.d/rc to start processing the init
scripts, and that's when it'll transition to initrc_t.  If we do it on
shell execution, it may cause problems for things executed directly out
of init, like getty.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: [PATCH 1/1] refpolicy: Do not want to transition to sysadm_t when upstart runs a shell
From: Daniel J Walsh @ 2008-03-07 21:08 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: Stephen Smalley, jwcart2, SELinux

Christopher J. PeBenito wrote:
> On Thu, 2008-03-06 at 16:45 -0500, Daniel J Walsh wrote:
>> Stephen Smalley wrote:
>>> On Thu, 2008-03-06 at 16:11 -0500, James Carter wrote:
>>>> Upstart spawns a shell during boot and, without this patch, it will
>>>> transition to the sysadm_t domain, but remain in the system_r role.
>>>> Services started by that shell will fail to start, even in permissive
>>>> mode, if system_u:system_r:sysadm_someservice_t is an invalid context.
>>>> We really don't want to be starting services from the sysadm_t domain
>>>> during boot.
>> So it should probably transition to initrc_t, so apps started this way
>> would have a chance of transitioning properly.
>
> No, the shell will execute /etc/rc.d/rc to start processing the init
> scripts, and that's when it'll transition to initrc_t.  If we do it on
> shell execution, it may cause problems for things executed directly out
> of init, like getty.
>
Ok, corecmd_exec_shell then.
* Re: [PATCH 1/1] refpolicy: Do not want to transition to sysadm_t when upstart runs a shell
From: Joe Nall @ 2008-03-08 16:17 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Christopher J. PeBenito, Stephen Smalley, jwcart2, SELinux

On Mar 7, 2008, at 3:08 PM, Daniel J Walsh wrote:
> Christopher J. PeBenito wrote:
>> On Thu, 2008-03-06 at 16:45 -0500, Daniel J Walsh wrote:
>>> Stephen Smalley wrote:
>>>> On Thu, 2008-03-06 at 16:11 -0500, James Carter wrote:
>>>>> Upstart spawns a shell during boot and, without this patch, it will
>>>>> transition to the sysadm_t domain, but remain in the system_r role.
>>>>> Services started by that shell will fail to start, even in permissive
>>>>> mode, if system_u:system_r:sysadm_someservice_t is an invalid context.
>>>>> We really don't want to be starting services from the sysadm_t domain
>>>>> during boot.
>>> So it should probably transition to initrc_t, so apps started this way
>>> would have a chance of transitioning properly.
>>
>> No, the shell will execute /etc/rc.d/rc to start processing the init
>> scripts, and that's when it'll transition to initrc_t.  If we do it on
>> shell execution, it may cause problems for things executed directly out
>> of init, like getty.
>>
> Ok, corecmd_exec_shell then.

The attached patch works for me.

joe

[-- Attachment #2: init.te.patch --]
--- serefpolicy-3.3.1/policy/modules/system/init.te.orig 2008-03-07 16:04:28.000000000 -0600
+++ serefpolicy-3.3.1/policy/modules/system/init.te 2008-03-07 16:04:46.000000000 -0600
@@ -212,7 +212,8 @@ optional_policy(`
ifndef(`distro_ubuntu',`
# Run the shell in the unconfined_t or sysadm_t domain for single-user mode.
ifdef(`enable_mls',`
- userdom_shell_domtrans_sysadm(init_t)
+ corecmd_shell_domtrans(init_t,initrc_t)
+ corecmd_shell_entry_type(initrc_t)
',`
optional_policy(`
unconfined_shell_domtrans(init_t)
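Review bot: The replacement is gated on `enable_mls`, but the problem being fixed (upstart's shell landing in sysadm_t) is not MLS-specific, so non-MLS builds that take the `userdom`/`unconfined` branch keep the old behaviour; tie this to an upstart condition (the init_upstart tunable the thread settles on) rather than to the MLS build flag. The retained comment "# Run the shell in the unconfined_t or sysadm_t domain for single-user mode." no longer describes the MLS branch, which now goes to initrc_t, so update it. `corecmd_shell_entry_type(initrc_t)` makes shell_exec_t an entrypoint for initrc_t: check whether init.te already grants that (if so the line is redundant) and, if not, confirm the wider entrypoint set is intended, since any domain that is allowed to transition to initrc_t and to execute the shell can then enter initrc_t through /bin/sh rather than only through an initrc_exec_t script. Minor: refpolicy style puts a space after the comma in `corecmd_shell_domtrans(init_t, initrc_t)`.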
* Re: [PATCH 1/1] refpolicy: Do not want to transition to sysadm_t when upstart runs a shell
From: Christopher J. PeBenito @ 2008-03-11 12:19 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Stephen Smalley, jwcart2, SELinux

On Fri, 2008-03-07 at 14:03 -0500, Christopher J. PeBenito wrote:
> On Thu, 2008-03-06 at 16:45 -0500, Daniel J Walsh wrote:
> > Stephen Smalley wrote:
> > > On Thu, 2008-03-06 at 16:11 -0500, James Carter wrote:
> > >> Upstart spawns a shell during boot and, without this patch, it will
> > >> transition to the sysadm_t domain, but remain in the system_r role.
> > >> Services started by that shell will fail to start, even in permissive
> > >> mode, if system_u:system_r:sysadm_someservice_t is an invalid context.
> > >> We really don't want to be starting services from the sysadm_t domain
> > >> during boot.
> > >
> > So it should probably transition to initrc_t, so apps started this way
> > would have a chance of transitioning properly.
>
> No, the shell will execute /etc/rc.d/rc to start processing the init
> scripts, and that's when it'll transition to initrc_t.  If we do it on
> shell execution, it may cause problems for things executed directly out
> of init, like getty.

Turns out I was wrong, and upstart has separate stanzas in the config
files (/etc/event.d/*), one for directly executing programs like getty,
and one for scripting.  As also confirmed by Joe, the transition to
initrc_t makes sense, so I went with this in the init_upstart tunable.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: [PATCH 1/1] refpolicy: Do not want to transition to sysadm_t when upstart runs a shell
From: Joe Nall @ 2008-03-07 13:42 UTC (permalink / raw)
To: jwcart2; +Cc: Christopher J. PeBenito, SELinux

On Mar 6, 2008, at 3:11 PM, James Carter wrote:
> Upstart spawns a shell during boot and, without this patch, it will
> transition to the sysadm_t domain, but remain in the system_r role.

Is that the cause of these mls avcs I'm seeing in /var/log/messages
from selinux-policy-mls-3.3.1-12.fc9?

[root@rawhide ~]# grep sysadm_t /var/log/messages
Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884961.873:3): avc: denied { read write } for pid=502 comm="sh" path="/dev/console" dev=tmpfs ino=230 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 tclass=chr_file
Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884961.937:4): avc: denied { ioctl } for pid=502 comm="sh" path="/dev/console" dev=tmpfs ino=230 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 tclass=chr_file
Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884963.239:5): avc: denied { signal } for pid=502 comm="rc.sysinit" scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=process
Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884963.511:6): avc: denied { setattr } for pid=542 comm="MAKEDEV" name="tty1-" dev=tmpfs ino=1803 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884963.557:7): avc: denied { create } for pid=542 comm="MAKEDEV" name="loop0-" scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file
Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884963.557:8): avc: denied { setattr } for pid=542 comm="MAKEDEV" name="loop0-" dev=tmpfs ino=1822 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file
Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884963.557:9): avc: denied { rename } for pid=542 comm="MAKEDEV" name="loop0-" dev=tmpfs ino=1822 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file
Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884963.658:10): avc: denied { setattr } for pid=542 comm="MAKEDEV" name="parport0-" dev=tmpfs ino=1847 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884963.680:11): avc: denied { setattr } for pid=542 comm="MAKEDEV" name="tun-" dev=tmpfs ino=1862 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file
Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884967.023:30): avc: denied { unlink } for pid=785 comm="udevd" name=".tmp-8-0" dev=tmpfs ino=2965 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=blk_file
Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884971.907:52): avc: denied { write } for pid=1395 comm="rc.sysinit" name="urandom" dev=tmpfs ino=3788 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884980.089:55): avc: denied { listen } for pid=2051 comm="rpcbind" lport=955 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tclass=udp_socket

joe
* Re: [PATCH 1/1] refpolicy: Do not want to transition to sysadm_t when upstart runs a shell
From: Stephen Smalley @ 2008-03-07 13:52 UTC (permalink / raw)
To: Joe Nall; +Cc: jwcart2, Christopher J. PeBenito, SELinux

On Fri, 2008-03-07 at 07:42 -0600, Joe Nall wrote:
> On Mar 6, 2008, at 3:11 PM, James Carter wrote:
>
> > Upstart spawns a shell during boot and, without this patch, it will
> > transition to the sysadm_t domain, but remain in the system_r role.
>
> Is that the cause of these mls avcs I'm seeing in /var/log/messages
> from selinux-policy-mls-3.3.1-12.fc9?

Likely, yes - the rawhide policy already has a patch that disables the
transition to sysadm_t, but that isn't in upstream refpolicy yet.
upstream refpolicy disables it if built with the distro set to ubuntu
so they must have encountered the same problem there (as they
originally used upstart).

Not sure what this means though for single user mode.  That's why we
had the transition, so that init spawning a shell for single user mode
would put you into sysadm_t.  Of course if you use sulogin, that should
handle the transition for you, but that isn't the default.

> [root@rawhide ~]# grep sysadm_t /var/log/messages
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884961.873:3): avc: denied { read write } for pid=502 comm="sh" path="/dev/console" dev=tmpfs ino=230 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 tclass=chr_file
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884961.937:4): avc: denied { ioctl } for pid=502 comm="sh" path="/dev/console" dev=tmpfs ino=230 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 tclass=chr_file
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884963.239:5): avc: denied { signal } for pid=502 comm="rc.sysinit" scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=process
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884963.511:6): avc: denied { setattr } for pid=542 comm="MAKEDEV" name="tty1-" dev=tmpfs ino=1803 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884963.557:7): avc: denied { create } for pid=542 comm="MAKEDEV" name="loop0-" scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884963.557:8): avc: denied { setattr } for pid=542 comm="MAKEDEV" name="loop0-" dev=tmpfs ino=1822 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884963.557:9): avc: denied { rename } for pid=542 comm="MAKEDEV" name="loop0-" dev=tmpfs ino=1822 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884963.658:10): avc: denied { setattr } for pid=542 comm="MAKEDEV" name="parport0-" dev=tmpfs ino=1847 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884963.680:11): avc: denied { setattr } for pid=542 comm="MAKEDEV" name="tun-" dev=tmpfs ino=1862 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884967.023:30): avc: denied { unlink } for pid=785 comm="udevd" name=".tmp-8-0" dev=tmpfs ino=2965 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=blk_file
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884971.907:52): avc: denied { write } for pid=1395 comm="rc.sysinit" name="urandom" dev=tmpfs ino=3788 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884980.089:55): avc: denied { listen } for pid=2051 comm="rpcbind" lport=955 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tclass=udp_socket
>
> joe

--
Stephen Smalley
National Security Agency
* Re: [PATCH 1/1] refpolicy: Do not want to transition to sysadm_t when upstart runs a shell
From: Daniel J Walsh @ 2008-03-07 13:52 UTC (permalink / raw)
To: Joe Nall; +Cc: jwcart2, Christopher J. PeBenito, SELinux

Joe Nall wrote:
>
> On Mar 6, 2008, at 3:11 PM, James Carter wrote:
>
>> Upstart spawns a shell during boot and, without this patch, it will
>> transition to the sysadm_t domain, but remain in the system_r role.
>
> Is that the cause of these mls avcs I'm seeing in /var/log/messages from
> selinux-policy-mls-3.3.1-12.fc9?
>
> [root@rawhide ~]# grep sysadm_t /var/log/messages
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884961.873:3): avc: denied { read write } for pid=502 comm="sh" path="/dev/console" dev=tmpfs ino=230 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 tclass=chr_file
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884961.937:4): avc: denied { ioctl } for pid=502 comm="sh" path="/dev/console" dev=tmpfs ino=230 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 tclass=chr_file
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884963.239:5): avc: denied { signal } for pid=502 comm="rc.sysinit" scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=process
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884963.511:6): avc: denied { setattr } for pid=542 comm="MAKEDEV" name="tty1-" dev=tmpfs ino=1803 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884963.557:7): avc: denied { create } for pid=542 comm="MAKEDEV" name="loop0-" scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884963.557:8): avc: denied { setattr } for pid=542 comm="MAKEDEV" name="loop0-" dev=tmpfs ino=1822 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884963.557:9): avc: denied { rename } for pid=542 comm="MAKEDEV" name="loop0-" dev=tmpfs ino=1822 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884963.658:10): avc: denied { setattr } for pid=542 comm="MAKEDEV" name="parport0-" dev=tmpfs ino=1847 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884963.680:11): avc: denied { setattr } for pid=542 comm="MAKEDEV" name="tun-" dev=tmpfs ino=1862 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884967.023:30): avc: denied { unlink } for pid=785 comm="udevd" name=".tmp-8-0" dev=tmpfs ino=2965 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=blk_file
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884971.907:52): avc: denied { write } for pid=1395 comm="rc.sysinit" name="urandom" dev=tmpfs ino=3788 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884980.089:55): avc: denied { listen } for pid=2051 comm="rpcbind" lport=955 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tclass=udp_socket
>
> joe

Looks like it.  I think making it initrc_t would fix most of your avc
messages.
* Re: [PATCH 1/1] refpolicy: Do not want to transition to sysadm_t when upstart runs a shell
From: Joe Nall @ 2008-03-07 15:49 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: jwcart2, Christopher J. PeBenito, SELinux

On Mar 7, 2008, at 7:52 AM, Daniel J Walsh wrote:
>>
> Looks like it.  I think making it initrc_t would fix most of your avc
> messages.

It certainly changed them.  Here is the result of changing init_t to initrc_t

#============= init_t ==============
allow init_t self:unix_dgram_socket sendto;
allow init_t shell_exec_t:file { read execute execute_no_trans };

#============= initrc_t ==============
allow initrc_t lvm_control_t:chr_file write;

#============= insmod_t ==============
allow insmod_t kernel_t:process setsched;

#============= sysadm_t ==============
allow sysadm_t cpu_device_t:chr_file write;
allow sysadm_t self:udp_socket listen;
allow sysadm_t var_log_t:file append;

and the denials

[root@rawhide ~]# grep denied /var/log/messages
Mar 7 15:32:21 rawhide kernel: type=1400 audit(1204925519.436:3): avc: denied { execute } for pid=502 comm="init" name="bash" dev=sda2 ino=24084497 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Mar 7 15:32:21 rawhide kernel: type=1400 audit(1204925519.437:4): avc: denied { read } for pid=502 comm="init" name="bash" dev=sda2 ino=24084497 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Mar 7 15:32:21 rawhide kernel: type=1400 audit(1204925519.437:5): avc: denied { execute_no_trans } for pid=502 comm="init" path="/bin/bash" dev=sda2 ino=24084497 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Mar 7 15:32:21 rawhide kernel: type=1400 audit(1204925522.258:6): avc: denied { setsched } for pid=616 comm="modprobe" scontext=system_u:system_r:insmod_t:s0-s15:c0.c1023 tcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=process
Mar 7 15:32:21 rawhide kernel: type=1400 audit(1204925527.696:7): avc: denied { write } for pid=1307 comm="multipath.stati" name="control" dev=tmpfs ino=5337 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
Mar 7 15:32:21 rawhide kernel: type=1400 audit(1204925529.532:8): avc: denied { execute } for pid=1445 comm="init" name="bash" dev=sda2 ino=24084497 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Mar 7 15:32:21 rawhide kernel: type=1400 audit(1204925529.532:9): avc: denied { read } for pid=1445 comm="init" name="bash" dev=sda2 ino=24084497 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Mar 7 15:32:21 rawhide kernel: type=1400 audit(1204925529.532:10): avc: denied { execute_no_trans } for pid=1445 comm="init" path="/bin/bash" dev=sda2 ino=24084497 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Mar 7 15:32:21 rawhide kernel: type=1400 audit(1204925529.612:11): avc: denied { sendto } for pid=1445 comm="telinit" path=002F636F6D2F7562756E74752F75707374617274 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=unix_dgram_socket
Mar 7 15:32:21 rawhide kernel: type=1400 audit(1204925529.798:12): avc: denied { setsched } for pid=1474 comm="modprobe" scontext=system_u:system_r:insmod_t:s0-s15:c0.c1023 tcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=process
Mar 7 15:32:21 rawhide kernel: type=1400 audit(1204925529.975:13): avc: denied { write } for pid=1491 comm="microcode_ctl" name="microcode" dev=tmpfs ino=5796 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file
Mar 7 15:32:21 rawhide kernel: type=1400 audit(1204925540.061:16): avc: denied { listen } for pid=2051 comm="rpcbind" lport=955 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tclass=udp_socket
Mar 7 15:32:21 rawhide kernel: type=1400 audit(1204925541.097:17): avc: denied { append } for pid=2152 comm="rsyslogd" name="secure" dev=sda2 ino=2621494 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_log_t:s15:c0.c1023 tclass=file

joe
* Re: [PATCH 1/1] refpolicy: Do not want to transition to sysadm_t when upstart runs a shell
From: Joe Nall @ 2008-03-07 16:02 UTC
To: Daniel J Walsh; +Cc: jwcart2, Christopher J. PeBenito, SELinux

On Mar 7, 2008, at 9:49 AM, Joe Nall wrote:
>
> On Mar 7, 2008, at 7:52 AM, Daniel J Walsh wrote:
>
>>>
>> Looks like it. I think leaving making it initrc_t would fix most of
>> your avc messages.
>
> It certainly changed them. Here is the of the changing init_t to
> initrc_t

and the result of deleting the transition entirely (James's patch)

#============= init_t ==============
allow init_t self:unix_dgram_socket sendto;
allow init_t shell_exec_t:file { read execute execute_no_trans };

#============= initrc_t ==============
allow initrc_t etc_t:file write;
allow initrc_t lvm_control_t:chr_file write;
allow initrc_t var_run_t:sock_file create;

#============= insmod_t ==============
allow insmod_t kernel_t:process setsched;

#============= setrans_t ==============
allow setrans_t initrc_t:fd use;

Mar 7 15:50:46 rawhide kernel: type=1400 audit(1204926624.921:3): avc: denied { execute } for pid=502 comm="init" name="bash" dev=sda2 ino=24084497 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Mar 7 15:50:46 rawhide kernel: type=1400 audit(1204926624.921:4): avc: denied { read } for pid=502 comm="init" name="bash" dev=sda2 ino=24084497 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Mar 7 15:50:46 rawhide kernel: type=1400 audit(1204926624.922:5): avc: denied { execute_no_trans } for pid=502 comm="init" path="/bin/bash" dev=sda2 ino=24084497 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Mar 7 15:50:46 rawhide kernel: type=1400 audit(1204926628.114:6): avc: denied { setsched } for pid=612 comm="modprobe" scontext=system_u:system_r:insmod_t:s0-s15:c0.c1023 tcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=process
Mar 7 15:50:46 rawhide kernel: type=1400 audit(1204926633.712:7): avc: denied { write } for pid=1310 comm="multipath.stati" name="control" dev=tmpfs ino=5407 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
Mar 7 15:50:46 rawhide kernel: type=1400 audit(1204926635.761:8): avc: denied { execute } for pid=1448 comm="init" name="bash" dev=sda2 ino=24084497 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Mar 7 15:50:46 rawhide kernel: type=1400 audit(1204926635.761:9): avc: denied { read } for pid=1448 comm="init" name="bash" dev=sda2 ino=24084497 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Mar 7 15:50:46 rawhide kernel: type=1400 audit(1204926635.761:10): avc: denied { execute_no_trans } for pid=1448 comm="init" path="/bin/bash" dev=sda2 ino=24084497 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Mar 7 15:50:46 rawhide kernel: type=1400 audit(1204926635.837:11): avc: denied { sendto } for pid=1448 comm="telinit" path=002F636F6D2F7562756E74752F75707374617274 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=unix_dgram_socket
Mar 7 15:50:46 rawhide kernel: type=1400 audit(1204926636.048:12): avc: denied { setsched } for pid=1477 comm="modprobe" scontext=system_u:system_r:insmod_t:s0-s15:c0.c1023 tcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=process
Mar 7 15:50:46 rawhide kernel: type=1400 audit(1204926638.005:13): avc: denied { write } for pid=1732 comm="ifup-eth" name="dhclient-eth0.conf" dev=sda2 ino=20055551 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
Mar 7 15:50:46 rawhide kernel: type=1400 audit(1204926644.913:15): avc: denied { use } for pid=2031 comm="mcstransd" path="/lib/ld-2.7.90.so" dev=sda2 ino=12125240 scontext=system_u:system_r:setrans_t:s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=fd
Mar 7 15:50:46 rawhide kernel: type=1400 audit(1204926645.074:16): avc: denied { create } for pid=2041 comm="rpcbind" name="rpcbind.sock" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file

joe
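As an added example (not code from this thread or from refpolicy), a small Python triage script that does for the records above what audit2allow did, and additionally flags the two failure modes the thread is chasing: a user domain such as sysadm_t running under system_r, and denials whose target sensitivity is above the source's low level, which points at an MLS constraint rather than a missing allow rule. The sample records are copied from the messages above with the mail wrapping rejoined; the role check and the MLS heuristic are my assumptions, not part of audit2allow.

```python
import re
from collections import defaultdict

# Constructed fixture: records copied from the messages above, wrapping rejoined.
SAMPLE_LOG = """\
Mar 7 15:50:46 rawhide kernel: type=1400 audit(1204926624.921:3): avc: denied { execute } for pid=502 comm="init" name="bash" dev=sda2 ino=24084497 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Mar 7 15:50:46 rawhide kernel: type=1400 audit(1204926624.921:4): avc: denied { read } for pid=502 comm="init" name="bash" dev=sda2 ino=24084497 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Mar 7 15:50:46 rawhide kernel: type=1400 audit(1204926628.114:6): avc: denied { setsched } for pid=612 comm="modprobe" scontext=system_u:system_r:insmod_t:s0-s15:c0.c1023 tcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=process
Mar 7 15:32:21 rawhide kernel: type=1400 audit(1204925540.061:16): avc: denied { listen } for pid=2051 comm="rpcbind" lport=955 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tclass=udp_socket
Mar 7 15:50:46 rawhide kernel: type=1400 audit(1204926645.074:16): avc: denied { create } for pid=2041 comm="rpcbind" name="rpcbind.sock" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """'user:role:type[:range]' -> (user, role, type, range or None)."""
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        raise ValueError('malformed security context: %r' % ctx)
    return parts[0], parts[1], parts[2], parts[3] if len(parts) == 4 else None


def sens_bounds(mls_range):
    """'s0-s15:c0.c1023' -> (0, 15); 's15:c0.c1023' -> (15, 15); None -> (0, 0)."""
    if mls_range is None:
        return 0, 0
    levels = [int(lvl.split(':', 1)[0][1:]) for lvl in mls_range.split('-', 1)]
    return levels[0], levels[-1]


def parse_avc(line):
    """Parse one 'avc: denied' record into a dict; return None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = frozenset(m.group('perms').split())
    for side in ('s', 't'):  # scontext -> suser/srole/stype/srange, same for t
        fields = zip(('user', 'role', 'type', 'range'), split_context(rec[side + 'context']))
        rec.update({side + name: val for name, val in fields})
    return rec


def role_mismatch(rec, user_domains=('sysadm_t',)):
    """A user domain running in system_r: the state the thread describes, where
    init's shell transitioned to sysadm_t but kept the system_r role."""
    return rec['srole'] == 'system_r' and rec['stype'] in user_domains


def mls_write_up(rec):
    """Target sensitivity above the source's low level: a hint that an MLS
    constraint, not a missing allow rule, is what refused the access."""
    return sens_bounds(rec['trange'])[0] > sens_bounds(rec['srange'])[0]


def summarize(records):
    """Collapse denials into audit2allow-style allow rules grouped by source type."""
    perms = defaultdict(set)
    for r in records:
        perms[(r['stype'], r['ttype'], r['tclass'])] |= r['perms']
    out, current = [], None
    for (stype, ttype, tclass), ps in sorted(perms.items()):
        if stype != current:
            out.append('#============= %s ==============' % stype)
            current = stype
        plist = ' '.join(sorted(ps))
        target = 'self' if ttype == stype else ttype
        out.append('allow %s %s:%s %s;' % (
            stype, target, tclass, '{ %s }' % plist if len(ps) > 1 else plist))
    return out


def triage(log_text):
    """Return the allow-rule summary plus the two flagged lists for a log text."""
    records = [r for r in map(parse_avc, log_text.splitlines()) if r]
    return {
        'rules': summarize(records),
        'role_mismatch': sorted({(r.get('comm'), r['scontext'])
                                 for r in records if role_mismatch(r)}),
        'mls_hint': sorted({(r.get('comm'), r['scontext'], r['tcontext'])
                            for r in records if mls_write_up(r)}),
    }


if __name__ == '__main__':
    for section, items in triage(SAMPLE_LOG).items():
        print(section, *items, sep='\n')
```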
* Re: [PATCH 1/1] refpolicy: Do not want to transition to sysadm_t when upstart runs a shell
From: Daniel J Walsh @ 2008-03-07 18:16 UTC
To: Joe Nall; +Cc: jwcart2, Christopher J. PeBenito, SELinux

Joe Nall wrote:
>
> On Mar 7, 2008, at 9:49 AM, Joe Nall wrote:
>
>>
>> On Mar 7, 2008, at 7:52 AM, Daniel J Walsh wrote:
>>
>>>>
>>> Looks like it. I think leaving making it initrc_t would fix most of
>>> your avc messages.
>>
>> It certainly changed them. Here is the of the changing init_t to initrc_t
>
> and the result of deleting the transition entirely (James's patch)
>
> #============= init_t ==============
> allow init_t self:unix_dgram_socket sendto;
> allow init_t shell_exec_t:file { read execute execute_no_trans };
>
> #============= initrc_t ==============
> allow initrc_t etc_t:file write;
> allow initrc_t lvm_control_t:chr_file write;
> allow initrc_t var_run_t:sock_file create;
>
> #============= insmod_t ==============
> allow insmod_t kernel_t:process setsched;

This looks like an MLS constraint, since the allow rule is in policy.

>
> #============= setrans_t ==============
> allow setrans_t initrc_t:fd use;
>
> Mar 7 15:50:46 rawhide kernel: type=1400 audit(1204926624.921:3): avc: denied { execute } for pid=502 comm="init" name="bash" dev=sda2 ino=24084497 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
> Mar 7 15:50:46 rawhide kernel: type=1400 audit(1204926624.921:4): avc: denied { read } for pid=502 comm="init" name="bash" dev=sda2 ino=24084497 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
> Mar 7 15:50:46 rawhide kernel: type=1400 audit(1204926624.922:5): avc: denied { execute_no_trans } for pid=502 comm="init" path="/bin/bash" dev=sda2 ino=24084497 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
> Mar 7 15:50:46 rawhide kernel: type=1400 audit(1204926628.114:6): avc: denied { setsched } for pid=612 comm="modprobe" scontext=system_u:system_r:insmod_t:s0-s15:c0.c1023 tcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=process
> Mar 7 15:50:46 rawhide kernel: type=1400 audit(1204926633.712:7): avc: denied { write } for pid=1310 comm="multipath.stati" name="control" dev=tmpfs ino=5407 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
> Mar 7 15:50:46 rawhide kernel: type=1400 audit(1204926635.761:8): avc: denied { execute } for pid=1448 comm="init" name="bash" dev=sda2 ino=24084497 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
> Mar 7 15:50:46 rawhide kernel: type=1400 audit(1204926635.761:9): avc: denied { read } for pid=1448 comm="init" name="bash" dev=sda2 ino=24084497 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
> Mar 7 15:50:46 rawhide kernel: type=1400 audit(1204926635.761:10): avc: denied { execute_no_trans } for pid=1448 comm="init" path="/bin/bash" dev=sda2 ino=24084497 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
> Mar 7 15:50:46 rawhide kernel: type=1400 audit(1204926635.837:11): avc: denied { sendto } for pid=1448 comm="telinit" path=002F636F6D2F7562756E74752F75707374617274 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=unix_dgram_socket
> Mar 7 15:50:46 rawhide kernel: type=1400 audit(1204926636.048:12): avc: denied { setsched } for pid=1477 comm="modprobe" scontext=system_u:system_r:insmod_t:s0-s15:c0.c1023 tcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=process
> Mar 7 15:50:46 rawhide kernel: type=1400 audit(1204926638.005:13): avc: denied { write } for pid=1732 comm="ifup-eth" name="dhclient-eth0.conf" dev=sda2 ino=20055551 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
> Mar 7 15:50:46 rawhide kernel: type=1400 audit(1204926644.913:15): avc: denied { use } for pid=2031 comm="mcstransd" path="/lib/ld-2.7.90.so" dev=sda2 ino=12125240 scontext=system_u:system_r:setrans_t:s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=fd
> Mar 7 15:50:46 rawhide kernel: type=1400 audit(1204926645.074:16): avc: denied { create } for pid=2041 comm="rpcbind" name="rpcbind.sock" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
>
> joe
>

Looks like some transitions are not happening. rpcbind should have transitioned; is it labeled correctly? ifup-eth/dhclient should have transitioned also. init execing shell might need to transition to initrc_t?
* Re: [PATCH 1/1] refpolicy: Do not want to transition to sysadm_t when upstart runs a shell
From: Joe Nall @ 2008-03-07 19:21 UTC
To: Daniel J Walsh; +Cc: jwcart2, Christopher J. PeBenito, SELinux

On Mar 7, 2008, at 12:16 PM, Daniel J Walsh wrote:

>> #============= insmod_t ==============
>> allow insmod_t kernel_t:process setsched;
> This looks like an MLS constraint, since the allow rule is in policy

Correct. The attached patch fixes the problem for me.

joe

[-- Attachment #2: modutils.te.patch --]

--- serefpolicy-3.3.1/policy/modules/system/modutils.te.orig 2008-03-07 18:57:53.000000000 -0600
+++ serefpolicy-3.3.1/policy/modules/system/modutils.te 2008-03-07 18:58:34.000000000 -0600
@@ -22,6 +22,7 @@
type insmod_t;
type insmod_exec_t;
application_domain(insmod_t,insmod_exec_t)
mls_file_write_all_levels(insmod_t)
+mls_process_write_to_clearance(insmod_t)
role system_r types insmod_t;
type depmod_t;
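Review bot: the added mls_process_write_to_clearance(insmod_t) line in the @@ -22,6 +22,7 @@ hunk carries no comment saying why it is there; the denial it answers is only visible earlier in the thread (modprobe in insmod_t:s0-s15:c0.c1023 doing setsched on kernel_t:s15:c0.c1023, which Dan identified as an MLS constraint rather than a missing allow rule), so a one-line comment above the call, e.g. `# modprobe sets the scheduler on kernel threads running at the clearance level`, would save the next reader a trip through the archives. The submission should also say that, as the interface name indicates, this lifts the MLS write-up restriction for insmod_t's process-class writes up to its clearance generally, not only for setsched on kernel_t, since that is wider than the single denial being fixed.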
* Re: [PATCH 1/1] refpolicy: Do not want to transition to sysadm_t when upstart runs a shell
From: James Carter @ 2008-03-07 13:59 UTC
To: Joe Nall; +Cc: Christopher J. PeBenito, SELinux

On Fri, 2008-03-07 at 07:42 -0600, Joe Nall wrote:
> On Mar 6, 2008, at 3:11 PM, James Carter wrote:
>
> > Upstart spawns a shell during boot and, without this patch, it will
> > transition to the sysadm_t domain, but remain in the system_r role.
>
> Is that the cause of these mls avcs I'm seeing in /var/log/messages
> from selinux-policy-mls-3.3.1-12.fc9?

Yes, for the first two.

> [root@rawhide ~]# grep sysadm_t /var/log/messages
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884961.873:3): avc: denied { read write } for pid=502 comm="sh" path="/dev/console" dev=tmpfs ino=230 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 tclass=chr_file
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884961.937:4): avc: denied { ioctl } for pid=502 comm="sh" path="/dev/console" dev=tmpfs ino=230 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 tclass=chr_file

I can't say that I saw the rest of these, but I was using refpolicy, not the fedora mls policy.

> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884963.239:5): avc: denied { signal } for pid=502 comm="rc.sysinit" scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=process
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884963.511:6): avc: denied { setattr } for pid=542 comm="MAKEDEV" name="tty1-" dev=tmpfs ino=1803 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884963.557:7): avc: denied { create } for pid=542 comm="MAKEDEV" name="loop0-" scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884963.557:8): avc: denied { setattr } for pid=542 comm="MAKEDEV" name="loop0-" dev=tmpfs ino=1822 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884963.557:9): avc: denied { rename } for pid=542 comm="MAKEDEV" name="loop0-" dev=tmpfs ino=1822 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884963.658:10): avc: denied { setattr } for pid=542 comm="MAKEDEV" name="parport0-" dev=tmpfs ino=1847 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884963.680:11): avc: denied { setattr } for pid=542 comm="MAKEDEV" name="tun-" dev=tmpfs ino=1862 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884967.023:30): avc: denied { unlink } for pid=785 comm="udevd" name=".tmp-8-0" dev=tmpfs ino=2965 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=blk_file
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884971.907:52): avc: denied { write } for pid=1395 comm="rc.sysinit" name="urandom" dev=tmpfs ino=3788 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884980.089:55): avc: denied { listen } for pid=2051 comm="rpcbind" lport=955 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tclass=udp_socket
>
> joe

--
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
* Re: [PATCH 1/1] refpolicy: Do not want to transition to sysadm_t when upstart runs a shell
From: Christopher J. PeBenito @ 2008-03-07 19:13 UTC
To: jwcart2; +Cc: SELinux

On Thu, 2008-03-06 at 16:11 -0500, James Carter wrote:
> Upstart spawns a shell during boot and, without this patch, it will
> transition to the sysadm_t domain, but remain in the system_r role.
> Services started by that shell will fail to start, even in permissive
> mode, if system_u:system_r:sysadm_someservice_t is an invalid context.
> We really don't want to be starting services from the sysadm_t domain
> during boot.

Instead of doing this, perhaps we should switch it to positive logic? It's much more verbose, but it's significantly clearer. Though we're going to have to add a distro_rhel5 in that case. Another option might be to make an init_sysvinit or init_upstart tunable.

> @@ -164,10 +164,12 @@
> ')
>
> ifndef(`distro_ubuntu',`
> +ifndef(`distro_redhat',`
> # Run the shell in the sysadm role for single-user mode.
> # causes problems with upstart
> userdom_shell_domtrans_sysadm(init_t)
> ')
> +')

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
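Review bot: in the @@ -164,10 +164,12 @@ hunk the new `+ifndef(`distro_redhat',`` wrapper leaves the comment `# causes problems with upstart` inside the block that now only builds when neither distro_ubuntu nor distro_redhat is defined, which is exactly the set of builds where upstart is not the problem; move that comment above the outer ifndef, or reword it to say that the sysadm shell transition is skipped on distros whose init is upstart. The stacked negative ifndefs also switch the single-user sysadm shell off for every Red Hat build, not just the upstart-based ones, which is the distro_rhel5 gap the reply above already anticipates, and the bare `+')` closing line gives no hint which of the two ifndefs it closes, so a short comment on it would help whoever next touches this block.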
* Re: [PATCH 1/1] refpolicy: Do not want to transition to sysadm_t when upstart runs a shell
From: James Carter @ 2008-03-07 20:41 UTC
To: Christopher J. PeBenito; +Cc: SELinux

On Fri, 2008-03-07 at 14:13 -0500, Christopher J. PeBenito wrote:
> On Thu, 2008-03-06 at 16:11 -0500, James Carter wrote:
> > Upstart spawns a shell during boot and, without this patch, it will
> > transition to the sysadm_t domain, but remain in the system_r role.
> > Services started by that shell will fail to start, even in permissive
> > mode, if system_u:system_r:sysadm_someservice_t is an invalid context.
> > We really don't want to be starting services from the sysadm_t domain
> > during boot.
>
> Instead of doing this, perhaps we should switch it to positive logic?
> It's much more verbose, but it's significantly clearer. Though we're
> going to have to add a distro_rhel5 in that case. Another option might
> be to make an init_sysvinit or init_upstart tunable.

An init_upstart tunable seems better to me. I imagine that in the future the use of upstart will diverge more and more from SysV and this won't be the only difference.

>
> > @@ -164,10 +164,12 @@
> > ')
> >
> > ifndef(`distro_ubuntu',`
> > +ifndef(`distro_redhat',`
> > # Run the shell in the sysadm role for single-user mode.
> > # causes problems with upstart
> > userdom_shell_domtrans_sysadm(init_t)
> > ')
> > +')
>

--
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
* Re: [PATCH 1/1] refpolicy: Do not want to transition to sysadm_t when upstart runs a shell
From: Eamon Walsh @ 2008-03-08 1:28 UTC
To: jwcart2; +Cc: Christopher J. PeBenito, SELinux

James Carter wrote:
> On Fri, 2008-03-07 at 14:13 -0500, Christopher J. PeBenito wrote:
>
>> On Thu, 2008-03-06 at 16:11 -0500, James Carter wrote:
>>
>>> Upstart spawns a shell during boot and, without this patch, it will
>>> transition to the sysadm_t domain, but remain in the system_r role.
>>> Services started by that shell will fail to start, even in permissive
>>> mode, if system_u:system_r:sysadm_someservice_t is an invalid context.
>>> We really don't want to be starting services from the sysadm_t domain
>>> during boot.
>>>

In case the severity of this problem isn't clear:

Rawhide + refpolicy trunk + enforcing mode = lockup at boot:

<permission denials from system_u:system_r:sysadm_t accessing tmpfs>
init: rc-default main program terminated with status 1

Rawhide + refpolicy trunk + permissive mode = dbus "permission denials" resulting from invalid contexts:

Mar 5 15:48:11 moss-charon kernel: security: context system_u:system_r:sysadm_dbusd_t:s0 is invalid
Mar 5 15:48:11 moss-charon avahi-daemon[2158]: dbus_bus_get_private(): An SELinux policy prevents this sender from sending this message to this recipient (rejected message had interface "org.freedesktop.DBus" member "Hello" error name "(unset)" destination "org.freedesktop.DBus")
Mar 5 15:48:11 moss-charon avahi-daemon[2158]: WARNING: Failed to contact D-Bus daemon.

--
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency