We need libselinux to lie...

We need libselinux to lie...

[Daniel J Walsh]

When building packages within mock/livecd.

We really want the processes running within the chroot to not do SELinux
stuff.

We want libselinux to tell them that SELinux is disabled.

For example if we install selinux-policy package within a mock chroot or
livecd we do not want it to try to load_policy.  Other rpms try chcon or
restorecon in post installs.  These are get turned off if the tools
think SELinux is disabled.  We are not doing this for security reasons.

We have been hacking this out, but replaceing $CHROOT/proc/filesystem
with a version that does not include filesystem, but we have found this
to require large privs for mock. (mount -o bind /tmp/filesystem
$CHROOT/proc/filesystem; requires mock_t to read /dev/loop which is
labeled fixed_disk_device_t)

We have considered playing tricks with libselinux.so but those seem a
little dangerous.

Eric has come up with an idea of adding a field to
$CHROOT/etc/selinux/config to tell is_selinux_enabled() to return false.

SPECIAL_ENABLED=force_off

Then mock could just set this flag in the config file and all apps would
think SELinux is disabled.

Does this seem reasonable?

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: We need libselinux to lie...

[Chad Sellers]

On 6/22/10 1:06 PM, "Daniel J Walsh" <dwalsh@redhat.com> wrote:

> When building packages within mock/livecd.
> 
> We really want the processes running within the chroot to not do SELinux
> stuff.
> 
> We want libselinux to tell them that SELinux is disabled.
> 
> For example if we install selinux-policy package within a mock chroot or
> livecd we do not want it to try to load_policy.  Other rpms try chcon or
> restorecon in post installs.  These are get turned off if the tools
> think SELinux is disabled.  We are not doing this for security reasons.
> 
> We have been hacking this out, but replaceing $CHROOT/proc/filesystem
> with a version that does not include filesystem, but we have found this
> to require large privs for mock. (mount -o bind /tmp/filesystem
> $CHROOT/proc/filesystem; requires mock_t to read /dev/loop which is
> labeled fixed_disk_device_t)
> 
> We have considered playing tricks with libselinux.so but those seem a
> little dangerous.
> 
> Eric has come up with an idea of adding a field to
> $CHROOT/etc/selinux/config to tell is_selinux_enabled() to return false.
> 
> SPECIAL_ENABLED=force_off
> 
> Then mock could just set this flag in the config file and all apps would
> think SELinux is disabled.
> 
> Does this seem reasonable?
> 
Seems a bit dangerous, as there are some processes you don't want being
wrong about whether SELinux is enabled or not (e.g. login). That said, for
controlled uses like within a build chroot, it seems like it'd be ok.

So, I'd be fine with this, though please name the option something a little
more obvious. Perhaps FAKEDISABLED, with values of 0 or 1 (like SETLOCALDEFS
or REQUIRESEUSERS).

Chad


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: We need libselinux to lie...

[Daniel J Walsh]

On 06/22/2010 01:34 PM, Chad Sellers wrote:
> On 6/22/10 1:06 PM, "Daniel J Walsh" <dwalsh@redhat.com> wrote:
> 
>> When building packages within mock/livecd.
>>
>> We really want the processes running within the chroot to not do SELinux
>> stuff.
>>
>> We want libselinux to tell them that SELinux is disabled.
>>
>> For example if we install selinux-policy package within a mock chroot or
>> livecd we do not want it to try to load_policy.  Other rpms try chcon or
>> restorecon in post installs.  These are get turned off if the tools
>> think SELinux is disabled.  We are not doing this for security reasons.
>>
>> We have been hacking this out, but replaceing $CHROOT/proc/filesystem
>> with a version that does not include filesystem, but we have found this
>> to require large privs for mock. (mount -o bind /tmp/filesystem
>> $CHROOT/proc/filesystem; requires mock_t to read /dev/loop which is
>> labeled fixed_disk_device_t)
>>
>> We have considered playing tricks with libselinux.so but those seem a
>> little dangerous.
>>
>> Eric has come up with an idea of adding a field to
>> $CHROOT/etc/selinux/config to tell is_selinux_enabled() to return false.
>>
>> SPECIAL_ENABLED=force_off
>>
>> Then mock could just set this flag in the config file and all apps would
>> think SELinux is disabled.
>>
>> Does this seem reasonable?
>>
> Seems a bit dangerous, as there are some processes you don't want being
> wrong about whether SELinux is enabled or not (e.g. login). That said, for
> controlled uses like within a build chroot, it seems like it'd be ok.
> 
> So, I'd be fine with this, though please name the option something a little
> more obvious. Perhaps FAKEDISABLED, with values of 0 or 1 (like SETLOCALDEFS
> or REQUIRESEUSERS).
> 
> Chad
Eric came up with the dumb name.  This would only be for the chroot
enviornments and apps are free to ignore is_selinux_enabeled() output.
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
> 
> 


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: We need libselinux to lie...

[Stephen Smalley]

On Tue, 2010-06-22 at 13:06 -0400, Daniel J Walsh wrote:
> When building packages within mock/livecd.
> 
> We really want the processes running within the chroot to not do SELinux
> stuff.
> 
> We want libselinux to tell them that SELinux is disabled.
> 
> For example if we install selinux-policy package within a mock chroot or
> livecd we do not want it to try to load_policy.  Other rpms try chcon or
> restorecon in post installs.  These are get turned off if the tools
> think SELinux is disabled.  We are not doing this for security reasons.

I understand not wanting to load policy.  Not so sure that you want to
suppress all labeling during the rpm installation though.

> We have been hacking this out, but replaceing $CHROOT/proc/filesystem
> with a version that does not include filesystem, but we have found this
> to require large privs for mock. (mount -o bind /tmp/filesystem
> $CHROOT/proc/filesystem; requires mock_t to read /dev/loop which is
> labeled fixed_disk_device_t)

I don't quite understand this.  Why can't you simply do:
mount -o bind /dev/null /proc/filesystems
if you just want an empty /proc/filesystems?

Or you could just create an empty file and do the same.  Why
is /dev/loop involved?

> We have considered playing tricks with libselinux.so but those seem a
> little dangerous.

$ cat libnoselinux.c
int is_selinux_enabled(void)
{
	return 0;
}
$ gcc -fPIC -c libnoselinux.c 
$ ld -shared -soname libnoselinux.so -o libnoselinux.so -lc libnoselinux.o
$ LD_PRELOAD=./libnoselinux.so sestatus
SELinux status:                 disabled

> Eric has come up with an idea of adding a field to
> $CHROOT/etc/selinux/config to tell is_selinux_enabled() to return false.
> 
> SPECIAL_ENABLED=force_off
> 
> Then mock could just set this flag in the config file and all apps would
> think SELinux is disabled.
> 
> Does this seem reasonable?

Doesn't seem necessary.  Harmless though as long as it can only by set
via admin-controlled config.  What we do not want is an environment
variable or the like, whereby an untrusted caller could turn off SELinux
permission checking in passwd by making it appear that SELinux was
disabled.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: We need libselinux to lie...

[Daniel J Walsh]

On 06/22/2010 03:32 PM, Stephen Smalley wrote:
> On Tue, 2010-06-22 at 13:06 -0400, Daniel J Walsh wrote:
>> When building packages within mock/livecd.
>>
>> We really want the processes running within the chroot to not do SELinux
>> stuff.
>>
>> We want libselinux to tell them that SELinux is disabled.
>>
>> For example if we install selinux-policy package within a mock chroot or
>> livecd we do not want it to try to load_policy.  Other rpms try chcon or
>> restorecon in post installs.  These are get turned off if the tools
>> think SELinux is disabled.  We are not doing this for security reasons.
> 
> I understand not wanting to load policy.  Not so sure that you want to
> suppress all labeling during the rpm installation though.
> 
>> We have been hacking this out, but replaceing $CHROOT/proc/filesystem
>> with a version that does not include filesystem, but we have found this
>> to require large privs for mock. (mount -o bind /tmp/filesystem
>> $CHROOT/proc/filesystem; requires mock_t to read /dev/loop which is
>> labeled fixed_disk_device_t)
> 
> I don't quite understand this.  Why can't you simply do:
> mount -o bind /dev/null /proc/filesystems
> if you just want an empty /proc/filesystems?
> 
> Or you could just create an empty file and do the same.  Why
> is /dev/loop involved?
> 

grep -v selinuxfs /proc/filesystems  > /tmp/filesystems
strace -o /tmp/out mount -o bind /tmp/filesystems /mnt/dan
 grep loop /tmp/out
stat("/dev/loop", 0x7fff70495750)       = -1 ENOENT (No such file or
directory)
open("/dev/loop0", O_RDONLY)            = 3
open("/dev/loop0", O_RDWR)              = 4
mount("/dev/loop0", "/mnt/dan", 0x7fb82aa32474, MS_MGC_VAL|MS_BIND,
NULL) = 0
write(5, "/dev/loop0 /mnt/dan none rw,bind"..., 37) = 37

We tried this in mock, and we ended up needing

allow mock_t fixed_disk_device_t:file read;

/dev/null does not use /dev/loop but might cause other scripts to blow up.


>> We have considered playing tricks with libselinux.so but those seem a
>> little dangerous.
> 
> $ cat libnoselinux.c
> int is_selinux_enabled(void)
> {
> 	return 0;
> }
> $ gcc -fPIC -c libnoselinux.c 
> $ ld -shared -soname libnoselinux.so -o libnoselinux.so -lc libnoselinux.o
> $ LD_PRELOAD=./libnoselinux.so sestatus
> SELinux status:                 disabled
> 
We considered this also, shipping libselinux_disabled.so with libselinux
and then playing this trick.  Which is fine with me.  We had concerns
about possibly polluting rpmbuild, into adding a requires
libselinux_disabled.so


>> Eric has come up with an idea of adding a field to
>> $CHROOT/etc/selinux/config to tell is_selinux_enabled() to return false.
>>
>> SPECIAL_ENABLED=force_off
>>
>> Then mock could just set this flag in the config file and all apps would
>> think SELinux is disabled.
>>
>> Does this seem reasonable?
> 
> Doesn't seem necessary.  Harmless though as long as it can only by set
> via admin-controlled config.  What we do not want is an environment
> variable or the like, whereby an untrusted caller could turn off SELinux
> permission checking in passwd by making it appear that SELinux was
> disabled.
> 

I could go with either solution.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: We need libselinux to lie...

[Stephen Smalley]

On Tue, 2010-06-22 at 16:59 -0400, Daniel J Walsh wrote:
> On 06/22/2010 03:32 PM, Stephen Smalley wrote:
> > On Tue, 2010-06-22 at 13:06 -0400, Daniel J Walsh wrote:
> >> When building packages within mock/livecd.
> >>
> >> We really want the processes running within the chroot to not do SELinux
> >> stuff.
> >>
> >> We want libselinux to tell them that SELinux is disabled.
> >>
> >> For example if we install selinux-policy package within a mock chroot or
> >> livecd we do not want it to try to load_policy.  Other rpms try chcon or
> >> restorecon in post installs.  These are get turned off if the tools
> >> think SELinux is disabled.  We are not doing this for security reasons.
> > 
> > I understand not wanting to load policy.  Not so sure that you want to
> > suppress all labeling during the rpm installation though.
> > 
> >> We have been hacking this out, but replaceing $CHROOT/proc/filesystem
> >> with a version that does not include filesystem, but we have found this
> >> to require large privs for mock. (mount -o bind /tmp/filesystem
> >> $CHROOT/proc/filesystem; requires mock_t to read /dev/loop which is
> >> labeled fixed_disk_device_t)
> > 
> > I don't quite understand this.  Why can't you simply do:
> > mount -o bind /dev/null /proc/filesystems
> > if you just want an empty /proc/filesystems?
> > 
> > Or you could just create an empty file and do the same.  Why
> > is /dev/loop involved?
> > 
> 
> grep -v selinuxfs /proc/filesystems  > /tmp/filesystems
> strace -o /tmp/out mount -o bind /tmp/filesystems /mnt/dan
>  grep loop /tmp/out
> stat("/dev/loop", 0x7fff70495750)       = -1 ENOENT (No such file or
> directory)
> open("/dev/loop0", O_RDONLY)            = 3
> open("/dev/loop0", O_RDWR)              = 4
> mount("/dev/loop0", "/mnt/dan", 0x7fb82aa32474, MS_MGC_VAL|MS_BIND,
> NULL) = 0
> write(5, "/dev/loop0 /mnt/dan none rw,bind"..., 37) = 37

I did this:
# grep -v selinuxfs /proc/filesystems  > /tmp/filesystems
# strace -o /tmp/out mount -o bind /tmp/filesystems /proc/filesystems

and then I see the following in /tmp/out (no references to /dev/loop at
all):
...
stat("/tmp/filesystems", {st_mode=S_IFREG|0644, st_size=377, ...}) = 0
readlink("/tmp", 0x7fffa6a6af60, 4096)  = -1 EINVAL (Invalid argument)
readlink("/tmp/filesystems", 0x7fffa6a6af60, 4096) = -1 EINVAL (Invalid
argument
)
...
mount("/tmp/filesystems", "/proc/filesystems", 0x7f569c52fdd0,
MS_MGC_VAL|MS_BIND, NULL) = 0
...

It never even tries to access /dev/loop, nor is there any reason for it
to do so for a bind mount.

There must be something different about your setup and/or mount program.
cat /proc/mounts
rpm -q -f `which mount`

> We tried this in mock, and we ended up needing
> 
> allow mock_t fixed_disk_device_t:file read;

I'm inclined to think that /dev/loop ought to be labeled differently
anyway.

> /dev/null does not use /dev/loop but might cause other scripts to blow up.

I'd be surprised - any dependency on the host's /proc/filesystems file
is going to be unsafe since it need not match the target's kernel at
all.

> 
> >> We have considered playing tricks with libselinux.so but those seem a
> >> little dangerous.
> > 
> > $ cat libnoselinux.c
> > int is_selinux_enabled(void)
> > {
> > 	return 0;
> > }
> > $ gcc -fPIC -c libnoselinux.c 
> > $ ld -shared -soname libnoselinux.so -o libnoselinux.so -lc libnoselinux.o
> > $ LD_PRELOAD=./libnoselinux.so sestatus
> > SELinux status:                 disabled
> > 
> We considered this also, shipping libselinux_disabled.so with libselinux
> and then playing this trick.  Which is fine with me.  We had concerns
> about possibly polluting rpmbuild, into adding a requires
> libselinux_disabled.so

A little bird told me that rpm dependency filtering can solve that
problem.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: We need libselinux to lie...

[Paul Howarth]

On 22/06/10 18:06, Daniel J Walsh wrote:
> When building packages within mock/livecd.
>
> We really want the processes running within the chroot to not do SELinux
> stuff.
>
> We want libselinux to tell them that SELinux is disabled.
>
> For example if we install selinux-policy package within a mock chroot or
> livecd we do not want it to try to load_policy.  Other rpms try chcon or
> restorecon in post installs.  These are get turned off if the tools
> think SELinux is disabled.  We are not doing this for security reasons.
>
> We have been hacking this out, but replaceing $CHROOT/proc/filesystem
> with a version that does not include filesystem, but we have found this
> to require large privs for mock. (mount -o bind /tmp/filesystem
> $CHROOT/proc/filesystem; requires mock_t to read /dev/loop which is
> labeled fixed_disk_device_t)
>
> We have considered playing tricks with libselinux.so but those seem a
> little dangerous.
>
> Eric has come up with an idea of adding a field to
> $CHROOT/etc/selinux/config to tell is_selinux_enabled() to return false.
>
> SPECIAL_ENABLED=force_off
>
> Then mock could just set this flag in the config file and all apps would
> think SELinux is disabled.
>
> Does this seem reasonable?

I use the following in the mock config, which gets me far enough to be 
able to run openssh in mock, e.g. in the curl test suite:

config_opts['files']['selinux/enforce'] = "0"


Paul.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.