* [refpolicy] [PATCH 0/5] Upstreaming Gentoo policy updates
From: Sven Vermeulen @ 2014-03-25 20:30 UTC (permalink / raw)
  To: refpolicy

This is a set of updates that we apply to the Gentoo policy branch for non-contrib stuff.

Sven Vermeulen (5):
  Hide getattr denials upon sudo invocation
  Fix avc_context_to_raw assertion (avc_running) failure upon running
    groupadd or useradd
  Support /sys/devices/system/cpu/online
  The security_t file system can be at /sys/fs/selinux
  Dontaudit access on security_t file system at /sys/fs/selinux

 policy/modules/admin/sudo.if       |  1 +
 policy/modules/admin/usermanage.te |  2 ++
 policy/modules/kernel/devices.fc   |  1 +
 policy/modules/kernel/devices.if   | 61 ++++++++++++++++++++++++++++++++++++++
 policy/modules/kernel/devices.te   |  7 +++++
 policy/modules/kernel/domain.te    |  3 ++
 policy/modules/kernel/selinux.if   | 14 +++++++++
 7 files changed, 89 insertions(+)

-- 
1.8.3.2


* [refpolicy] [PATCH 1/5] Hide getattr denials upon sudo invocation
From: Sven Vermeulen @ 2014-03-25 20:30 UTC (permalink / raw)
  To: refpolicy

When sudo is invoked (sudo -i) the audit log gets quite a lot of denials
related to the getattr permission against tty_device_t:chr_file for the
*_sudo_t domain. However, no additional logging (that would hint at a
need) by sudo, nor any functional issues come up.

Hence the dontaudit call.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/admin/sudo.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index 0960199..d9114b3 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -110,6 +110,7 @@ template(`sudo_role_template',`
 	selinux_compute_relabel_context($1_sudo_t)
 
 	term_getattr_pty_fs($1_sudo_t)
+	term_dontaudit_getattr_unallocated_ttys($1_sudo_t)
 	term_relabel_all_ttys($1_sudo_t)
 	term_relabel_all_ptys($1_sudo_t)
 
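Review bot: the dontaudit on `+	term_dontaudit_getattr_unallocated_ttys($1_sudo_t)` hides the tty_device_t:chr_file getattr denials without recording in the template why the access is not granted; a short comment above it (for example `# sudo stats ttys it never uses; harmless, see commit`) would stop the next reader from promoting it to an allow rule, since the neighbouring term_relabel_all_ttys/ptys calls already show that sudo gets broad tty rights. Also, a dontaudit only silences the record: if a later sudo actually needs getattr, the failure becomes silent, so when debugging sudo on such a system rebuild with dontaudit rules disabled (semodule -DB) before trusting an empty audit log.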
-- 
1.8.3.2


* [refpolicy] [PATCH 2/5] Fix avc_context_to_raw assertion (avc_running) failure upon running groupadd or useradd
From: Sven Vermeulen @ 2014-03-25 20:30 UTC (permalink / raw)
  To: refpolicy

When trying to create a group, the following error occurs:

~# groupadd test
groupadd: avc.c:74: avc_context_to_sid_raw: Assertion `avc_running'
failed.
zsh: abort      groupadd test

In the denial logs, the following AVC denial is shown:

Jan 23 13:57:17 maelstrom kernel: [11395.396588] type=1400
audit(1390481837.876:989): avc:  denied  { create } for  pid=14296
comm="groupadd" scontext=staff_u:sysadm_r:groupadd_t
tcontext=staff_u:sysadm_r:groupadd_t tclass=netlink_selinux_socket

In permissive mode, we notice that it both creates and binds to the
netlink_selinux_socket.

Same with useradd.

Allowing the create/bind fixes the problem.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/admin/usermanage.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 74be7ef..8e1308c 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -199,6 +199,7 @@ allow groupadd_t self:shm create_shm_perms;
 allow groupadd_t self:sem create_sem_perms;
 allow groupadd_t self:msgq create_msgq_perms;
 allow groupadd_t self:msg { send receive };
+allow groupadd_t self:netlink_selinux_socket { bind create };
 allow groupadd_t self:unix_dgram_socket create_socket_perms;
 allow groupadd_t self:unix_stream_socket create_stream_socket_perms;
 allow groupadd_t self:unix_dgram_socket sendto;
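Review bot: `+allow groupadd_t self:netlink_selinux_socket { bind create };` grants exactly the two permissions observed in permissive mode, so the userspace AVC that libselinux starts for avc_context_to_sid_raw can create and bind its notification socket but never read setenforce or policy-load messages from it; that matches the commit message, but the reason should be written above the rule (e.g. `# libselinux userspace AVC init, needed by avc_context_to_sid_raw`), and since the identical rule is added for useradd_t in the next hunk the access is better expressed once, in an interface as the maintainer suggests, than copied into two domains.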
@@ -459,6 +460,7 @@ allow useradd_t self:shm create_shm_perms;
 allow useradd_t self:sem create_sem_perms;
 allow useradd_t self:msgq create_msgq_perms;
 allow useradd_t self:msg { send receive };
+allow useradd_t self:netlink_selinux_socket { bind create };
 allow useradd_t self:unix_dgram_socket create_socket_perms;
 allow useradd_t self:unix_stream_socket create_stream_socket_perms;
 allow useradd_t self:unix_dgram_socket sendto;
-- 
1.8.3.2

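The denial quoted in the commit message above, turned into the allow rule the patch adds, as an added Python example (not code from refpolicy, from audit2allow or from this thread): it parses AVC records, merges the denied permissions per (source type, target type, class) and writes `self` when source and target types coincide, which is how `allow groupadd_t self:netlink_selinux_socket { bind create };` follows from the create and bind denials. The log lines are constructed: the first is the one in the commit message, the second reconstructs the bind denial the author reports seeing in permissive mode, and the third is an unrelated, made-up file denial so that the non-self case is exercised too.

```python
import re
from collections import defaultdict

# Constructed sample log (see lead-in): line 1 is the denial from the commit
# message, line 2 a reconstructed bind denial with the same fields, line 3 a
# made-up useradd file denial used only to exercise the non-self path.
SAMPLE_LOG = """\
Jan 23 13:57:17 maelstrom kernel: [11395.396588] type=1400 audit(1390481837.876:989): avc:  denied  { create } for  pid=14296 comm="groupadd" scontext=staff_u:sysadm_r:groupadd_t tcontext=staff_u:sysadm_r:groupadd_t tclass=netlink_selinux_socket
Jan 23 13:57:17 maelstrom kernel: [11395.396601] type=1400 audit(1390481837.876:990): avc:  denied  { bind } for  pid=14296 comm="groupadd" scontext=staff_u:sysadm_r:groupadd_t tcontext=staff_u:sysadm_r:groupadd_t tclass=netlink_selinux_socket
Jan 23 13:58:02 maelstrom kernel: [11440.001000] type=1400 audit(1390481882.001:991): avc:  denied  { read } for  pid=14310 comm="useradd" name="login.defs" dev="sda2" ino=4242 scontext=staff_u:sysadm_r:useradd_t tcontext=system_u:object_r:etc_t tclass=file
"""

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict with result, perms (set), scontext, tcontext, tclass and
    comm for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "result": m.group("result"),
        "perms": set(m.group("perms").split()),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
    }


def context_type(ctx):
    # A context is user:role:type[:range]; the type is always the third field.
    return ctx.split(":")[2]


def derive_allow_rules(log_text):
    """Merge all denials into one allow rule per (source, target, class).
    When the source and target types are the same, the rule targets `self`,
    which is the refpolicy spelling for a domain acting on its own objects."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        src = context_type(rec["scontext"])
        tgt = context_type(rec["tcontext"])
        target = "self" if src == tgt else tgt
        merged[(src, target, rec["tclass"])] |= rec["perms"]

    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


if __name__ == "__main__":
    for rule in derive_allow_rules(SAMPLE_LOG):
        print(rule)
```

The first emitted rule is, character for character, the one the patch adds to usermanage.te. Two caveats that the thread raises apply to any rule produced this way: merging exactly the denied permissions gives the minimum the program was seen to need, not necessarily what the userspace AVC needs to work, and a rule whose target type belongs to another module (the etc_t example) must be expressed through that module's interface in refpolicy rather than as a raw allow in the caller's .te file; only the self rule may stay where the patch puts it.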

* [refpolicy] [PATCH 3/5] Support /sys/devices/system/cpu/online
From: Sven Vermeulen @ 2014-03-25 20:30 UTC (permalink / raw)
  To: refpolicy

In glibc, the get_nprocs method reads /sys/devices/system/cpu/online, so
we need to grant most domains read access to this file. As we don't want
them to have read access on sysfs_t by default, create a new type
(cpu_online_t) and assign it to the file, and grant domains read access
to the file.

This does require systems to relabel the file upon every boot, something
distributions do in their bootup scripts, as /sys devices don't keep
their context.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/kernel/devices.fc |  1 +
 policy/modules/kernel/devices.if | 25 +++++++++++++++++++++++++
 policy/modules/kernel/devices.te |  7 +++++++
 policy/modules/kernel/domain.te  |  3 +++
 4 files changed, 36 insertions(+)

diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index b31c054..d6ebfcd 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -199,6 +199,7 @@ ifdef(`distro_debian',`
 /lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
 
 /sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
+/sys/devices/system/cpu/online	--	gen_context(system_u:object_r:cpu_online_t,s0)
 
 ifdef(`distro_redhat',`
 # originally from named.fc
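Review bot: the new `+/sys/devices/system/cpu/online	--	gen_context(system_u:object_r:cpu_online_t,s0)` entry is correct as far as it goes: the `--` qualifier limits it to a regular file, and it is more specific than the preceding `/sys(/.*)?` entry so it wins for that path. The limitation, which the commit message acknowledges, is that a file_contexts entry only takes effect when restorecon/setfiles is run over /sys after every boot, because sysfs files are labelled by the kernel from genfscon rather than from stored xattrs; on kernels that support path-based genfscon for sysfs, a `genfscon sysfs /devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)` line in devices.te would apply the label at mount time and remove the dependency on distribution boot scripts, with this .fc entry kept so that matchpathcon agrees.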
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 1884413..c2d0f08 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4854,6 +4854,31 @@ interface(`dev_create_zero_dev',`
 
 ########################################
 ## <summary>
+##	Read cpu online hardware state information
+## </summary>
+## <desc>
+##	<p>
+##	Allow the specified domain to read /sys/devices/system/cpu/online
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_cpu_online',`
+	gen_require(`
+		type cpu_online_t;
+	')
+
+	allow $1 cpu_online_t:file read_file_perms;
+
+	dev_search_sysfs($1)
+')
+
+########################################
+## <summary>
 ##	Unconfined access to devices.
 ## </summary>
 ## <param name="domain">
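Review bot: dev_read_cpu_online grants read_file_perms on a single file but, through `+	dev_search_sysfs($1)`, search on every sysfs_t directory; the traversal is unavoidable to reach the file, but it is the broader right of the two and the <desc> block does not mention it, so add a sentence there so that callers auditing their rights know the interface reaches beyond one file.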
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 520f4ee..d34807f 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -60,6 +60,13 @@ type cpu_device_t;
 dev_node(cpu_device_t)
 
 #
+# /sys/devices/system/cpu/online device
+#
+type cpu_online_t;
+files_type(cpu_online_t)
+dev_associate_sysfs(cpu_online_t)
+
+#
 # Type for /dev/crash
 #
 type crash_device_t;
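Review bot: the comment `+# /sys/devices/system/cpu/online device` is misleading, because cpu_online_t labels a sysfs attribute file rather than a device node, which is also why the type is declared with files_type rather than dev_node; say `sysfs file` in the comment, and consider declaring the type next to sysfs_t rather than among the /dev node types, since the dev_associate_sysfs call is what ties it to the sysfs filesystem.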
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index cf04cb5..3a55334 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -96,6 +96,9 @@ kernel_dontaudit_link_key(domain)
 # create child processes in the domain
 allow domain self:process { fork sigchld };
 
+# glibc get_nprocs requires read access to /sys/devices/system/cpu/online
+dev_read_cpu_online(domain)
+
 # Use trusted objects in /dev
 dev_rw_null(domain)
 dev_rw_zero(domain)
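Review bot: `+dev_read_cpu_online(domain)` applies to the domain attribute, i.e. every confined process, and through the interface it also gives all of them search on all sysfs_t directories; the commit deliberately avoided blanket sysfs read access, so the comment should record this side effect (`# also grants search on sysfs_t directories`) and the change should be checked against domains that are intentionally kept away from sysfs. read_file_perms on the file itself is the minimum get_nprocs needs, so that part is not an over-grant.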
-- 
1.8.3.2

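The two devices.fc entries in the patch above, the catch-all `/sys(/.*)?` and the new `--` regular-file entry for the online file, together with the commit's point that /sys must be relabelled after every boot, as an added Python example (not code from refpolicy, from setfiles or from this thread). The .fc excerpt and the post-boot `ls -Z`-style observations are constructed, and the matching rule implemented here (the entry with the longest literal prefix wins, the later entry on a tie) is a stated simplification of how setfiles/libselinux choose among matching entries, not their algorithm.

```python
import re
from typing import NamedTuple, Optional


class FcSpec(NamedTuple):
    regex: str            # path regex as written in the .fc file
    ftype: Optional[str]  # '--', '-d', '-c', ... or None when any file type matches
    context: str          # full security context including the MLS range
    prefix_len: int       # literal characters before the first regex metacharacter


# Constructed excerpt modelled on the devices.fc lines visible in patch 3/5.
SAMPLE_FC = """\
# device nodes and sysfs
/lib/udev/devices/zero           -c   gen_context(system_u:object_r:zero_device_t,s0)
/sys(/.*)?                            gen_context(system_u:object_r:sysfs_t,s0)
/sys/devices/system/cpu/online   --   gen_context(system_u:object_r:cpu_online_t,s0)
"""

FC_LINE_RE = re.compile(r'^(\S+)\s+(?:(-[-a-z])\s+)?gen_context\(([^,]+),\s*([^)]+)\)$')
META_RE = re.compile(r'[.^$?*+|\[\](){}\\]')
# file type qualifiers as setfiles uses them: -- regular file, -d directory,
# -c char device, -b block device, -l symlink, -s socket, -p fifo
FTYPE_CODES = {'--': 'f', '-d': 'd', '-c': 'c', '-b': 'b', '-l': 'l', '-s': 's', '-p': 'p'}


def parse_fc(text):
    """Parse file_contexts lines of the gen_context() form used in refpolicy."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = FC_LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised file_contexts line: {line!r}")
        regex, ftype, ctx, mls = m.groups()
        meta = META_RE.search(regex)
        prefix_len = meta.start() if meta else len(regex)
        specs.append(FcSpec(regex, ftype, f"{ctx}:{mls}", prefix_len))
    return specs


def lookup(specs, path, ftype='f'):
    """Context the specs assign to `path` of file type `ftype`, or None.
    Simplified model (assumption): among matching entries the one with the
    longest literal prefix wins; on a tie the later entry wins."""
    best = None
    for idx, spec in enumerate(specs):
        if spec.ftype is not None and FTYPE_CODES[spec.ftype] != ftype:
            continue
        if re.fullmatch(spec.regex, path) is None:
            continue
        key = (spec.prefix_len, idx)
        if best is None or key > best[0]:
            best = (key, spec)
    return None if best is None else best[1].context


def mislabelled(specs, observed):
    """observed: (path, ftype, current_context) triples as `ls -Z` would show.
    Returns the entries whose current label differs from what the specs
    require, i.e. the files restorecon would relabel."""
    out = []
    for path, ftype, current in observed:
        expected = lookup(specs, path, ftype)
        if expected is not None and expected != current:
            out.append((path, current, expected))
    return out


# Constructed post-boot observation: the kernel labelled all of sysfs from its
# genfscon default, so the online file still carries sysfs_t.
SAMPLE_OBSERVED = [
    ("/sys/devices/system/cpu", "d", "system_u:object_r:sysfs_t:s0"),
    ("/sys/devices/system/cpu/online", "f", "system_u:object_r:sysfs_t:s0"),
]

if __name__ == "__main__":
    specs = parse_fc(SAMPLE_FC)
    for path, current, expected in mislabelled(specs, SAMPLE_OBSERVED):
        print(f"{path}: {current} -> {expected}")
```

Run as is, it reports exactly one file, the online attribute, as needing a relabel from sysfs_t to cpu_online_t; that is the per-boot restorecon step the commit message relies on, and the reason the cpu/online directory itself stays sysfs_t is the `--` qualifier, which keeps the specific entry from applying to anything but a regular file.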

* [refpolicy] [PATCH 4/5] The security_t file system can be at /sys/fs/selinux
From: Sven Vermeulen @ 2014-03-25 20:30 UTC (permalink / raw)
  To: refpolicy

Because it is no longer a top-level file system, we need to enhance some
of the interfaces with the appropriate rights towards sysfs_t.

First set to allow getattr rights on the file system, which now also
means getattr on the sysfs_t file system as well as search privileges in
sysfs_t.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/kernel/devices.if | 18 ++++++++++++++++++
 policy/modules/kernel/selinux.if | 10 ++++++++++
 2 files changed, 28 insertions(+)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index c2d0f08..b887197 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -3873,6 +3873,24 @@ interface(`dev_getattr_sysfs_dirs',`
 
 ########################################
 ## <summary>
+##	Get the attributes of sysfs filesystem
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_sysfs_fs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	allow $1 sysfs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
 ##	Search the sysfs directories.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 6d0811d..4d654d1 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -63,6 +63,10 @@ interface(`selinux_get_fs_mount',`
 	# (/selinux) is already a selinuxfs
 	allow $1 security_t:filesystem getattr;
 
+	# Same for /sys/fs/selinux
+	dev_getattr_sysfs_fs($1)
+	dev_search_sysfs($1)
+
 	# read /proc/filesystems to see if selinuxfs is supported
 	# then read /proc/self/mount to see where selinuxfs is mounted
 	kernel_read_system_state($1)
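Review bot: this hunk widens selinux_get_fs_mount for every caller, which now also gets getattr on the sysfs filesystem and search on all sysfs_t directories through `+	dev_getattr_sysfs_fs($1)` and `+	dev_search_sysfs($1)`, regardless of whether selinuxfs is mounted under /sys/fs/selinux on the system in question. Since the policy cannot know the mount point that is a reasonable trade, but it should be visible in the interface summary and not only in the `# Same for /sys/fs/selinux` comment; the same applies to the two hunks below that make the equivalent change to selinux_getattr_fs and selinux_dontaudit_getattr_fs.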
@@ -165,6 +169,9 @@ interface(`selinux_getattr_fs',`
 	')
 
 	allow $1 security_t:filesystem getattr;
+
+	dev_getattr_sysfs_fs($1)
+	dev_search_sysfs($1)
 ')
 
 ########################################
@@ -184,6 +191,9 @@ interface(`selinux_dontaudit_getattr_fs',`
 	')
 
 	dontaudit $1 security_t:filesystem getattr;
+
+	dev_dontaudit_getattr_sysfs_fs($1)
+	dev_dontaudit_search_sysfs($1)
 ')
 
 ########################################
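Review bot: `+	dev_dontaudit_getattr_sysfs_fs($1)` in selinux_dontaudit_getattr_fs refers to an interface that does not exist at this point in the series; it is only defined in patch 5/5, so this commit on its own does not build and breaks bisecting (dev_dontaudit_search_sysfs already exists in devices.if, so only the getattr interface is missing). Either move that interface definition into this patch or move this hunk into 5/5.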
-- 
1.8.3.2


* [refpolicy] [PATCH 5/5] Dontaudit access on security_t file system at /sys/fs/selinux
From: Sven Vermeulen @ 2014-03-25 20:30 UTC (permalink / raw)
  To: refpolicy

Second part of the support of security_t under /sys/fs/selinux - when
asked not to audit getting attributes on the selinux file system, have
this propagate to the sysfs parts as well.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/kernel/devices.if | 18 ++++++++++++++++++
 policy/modules/kernel/selinux.if |  4 ++++
 2 files changed, 22 insertions(+)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index b887197..6a6d284 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -3891,6 +3891,24 @@ interface(`dev_getattr_sysfs_fs',`
 
 ########################################
 ## <summary>
+##	Do not audit getting the attributes of sysfs filesystem
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to dontaudit access from
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_sysfs_fs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	dontaudit $1 sysfs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
 ##	Search the sysfs directories.
 ## </summary>
 ## <param name="domain">
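Review bot: the parameter summary `+##	Domain to dontaudit access from` should use the wording other dontaudit interfaces use, `Domain to not audit.`, and the summary line can mirror its allow counterpart from patch 4/5 (`Do not audit attempts to get the attributes of the sysfs filesystem`). Because patch 4/5 already calls this interface, defining it here rather than there leaves the series in a state where 4/5 alone does not build.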
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 4d654d1..e76b650 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -93,6 +93,10 @@ interface(`selinux_dontaudit_get_fs_mount',`
 	# (/selinux) is already a selinuxfs
 	dontaudit $1 security_t:filesystem getattr;
 
+	# Same for /sys/fs/selinux
+	dev_dontaudit_getattr_sysfs_fs($1)
+	dev_dontaudit_search_sysfs($1)
+
 	# read /proc/filesystems to see if selinuxfs is supported
 	# then read /proc/self/mount to see where selinuxfs is mounted
 	kernel_dontaudit_read_system_state($1)
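Review bot: `+	dev_dontaudit_search_sysfs($1)` suppresses search denials on every sysfs_t directory for the caller, not only those on the way to /sys/fs/selinux; a domain that later genuinely needs sysfs will then fail without leaving anything in the audit log, which is the usual cost of a broad dontaudit and worth stating in a comment so that someone debugging an empty log knows to rebuild with dontaudit rules disabled (semodule -DB).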
-- 
1.8.3.2


* [refpolicy] [PATCH 4/5] The security_t file system can be at /sys/fs/selinux
From: Christopher J. PeBenito @ 2014-04-04 20:00 UTC (permalink / raw)
  To: refpolicy

On 03/25/2014 04:30 PM, Sven Vermeulen wrote:
> Because it is no longer a top-level file system, we need to enhance some
> of the interfaces with the appropriate rights towards sysfs_t.
> 
> First set to allow getattr rights on the file system, which now also
> means getattr on the sysfs_t file system as well as search privileges in
> sysfs_t.
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  policy/modules/kernel/devices.if | 18 ++++++++++++++++++
>  policy/modules/kernel/selinux.if | 10 ++++++++++
>  2 files changed, 28 insertions(+)
> 
> diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
> index c2d0f08..b887197 100644
> --- a/policy/modules/kernel/devices.if
> +++ b/policy/modules/kernel/devices.if
> @@ -3873,6 +3873,24 @@ interface(`dev_getattr_sysfs_dirs',`
>  
>  ########################################
>  ## <summary>
> +##	Get the attributes of sysfs filesystem
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`dev_getattr_sysfs_fs',`

I think if we simplify this to dev_getattr_sysfs(), also the similar change in patch 5, it can be merged.


> +	gen_require(`
> +		type sysfs_t;
> +	')
> +
> +	allow $1 sysfs_t:filesystem getattr;
> +')
> +
> +########################################
> +## <summary>
>  ##	Search the sysfs directories.
>  ## </summary>
>  ## <param name="domain">
> diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
> index 6d0811d..4d654d1 100644
> --- a/policy/modules/kernel/selinux.if
> +++ b/policy/modules/kernel/selinux.if
> @@ -63,6 +63,10 @@ interface(`selinux_get_fs_mount',`
>  	# (/selinux) is already a selinuxfs
>  	allow $1 security_t:filesystem getattr;
>  
> +	# Same for /sys/fs/selinux
> +	dev_getattr_sysfs_fs($1)
> +	dev_search_sysfs($1)
> +
>  	# read /proc/filesystems to see if selinuxfs is supported
>  	# then read /proc/self/mount to see where selinuxfs is mounted
>  	kernel_read_system_state($1)
> @@ -165,6 +169,9 @@ interface(`selinux_getattr_fs',`
>  	')
>  
>  	allow $1 security_t:filesystem getattr;
> +
> +	dev_getattr_sysfs_fs($1)
> +	dev_search_sysfs($1)
>  ')
>  
>  ########################################
> @@ -184,6 +191,9 @@ interface(`selinux_dontaudit_getattr_fs',`
>  	')
>  
>  	dontaudit $1 security_t:filesystem getattr;
> +
> +	dev_dontaudit_getattr_sysfs_fs($1)
> +	dev_dontaudit_search_sysfs($1)
>  ')
>  
>  ########################################
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 2/5] Fix avc_context_to_raw assertion (avc_running) failure upon running groupadd or useradd
From: Christopher J. PeBenito @ 2014-04-04 20:07 UTC (permalink / raw)
  To: refpolicy

On 03/25/2014 04:30 PM, Sven Vermeulen wrote:
> When trying to create a group, the following error occurs:
> 
> ~# groupadd test
> groupadd: avc.c:74: avc_context_to_sid_raw: Assertion `avc_running'
> failed.
> zsh: abort      groupadd test
> 
> In the denial logs, the following AVC denial is shown:
> 
> Jan 23 13:57:17 maelstrom kernel: [11395.396588] type=1400
> audit(1390481837.876:989): avc:  denied  { create } for  pid=14296
> comm="groupadd" scontext=staff_u:sysadm_r:groupadd_t
> tcontext=staff_u:sysadm_r:groupadd_t tclass=netlink_selinux_socket
> 
> In permissive mode, we notice that it both creates and binds to the
> netlink_selinux_socket.
> 
> Same with useradd.
> 
> Allowing the create/bind fixes the problem.

I think we should start a new seutil interface which provides the necessary access for domains that have a userspace AVC.  However, since this seems to only initialize a userspace AVC to do context_to_sid_raw, I wonder if it makes sense to keep this explicit netlink_selinux_socket access.



> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  policy/modules/admin/usermanage.te | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
> index 74be7ef..8e1308c 100644
> --- a/policy/modules/admin/usermanage.te
> +++ b/policy/modules/admin/usermanage.te
> @@ -199,6 +199,7 @@ allow groupadd_t self:shm create_shm_perms;
>  allow groupadd_t self:sem create_sem_perms;
>  allow groupadd_t self:msgq create_msgq_perms;
>  allow groupadd_t self:msg { send receive };
> +allow groupadd_t self:netlink_selinux_socket { bind create };
>  allow groupadd_t self:unix_dgram_socket create_socket_perms;
>  allow groupadd_t self:unix_stream_socket create_stream_socket_perms;
>  allow groupadd_t self:unix_dgram_socket sendto;
> @@ -459,6 +460,7 @@ allow useradd_t self:shm create_shm_perms;
>  allow useradd_t self:sem create_sem_perms;
>  allow useradd_t self:msgq create_msgq_perms;
>  allow useradd_t self:msg { send receive };
> +allow useradd_t self:netlink_selinux_socket { bind create };
>  allow useradd_t self:unix_dgram_socket create_socket_perms;
>  allow useradd_t self:unix_stream_socket create_stream_socket_perms;
>  allow useradd_t self:unix_dgram_socket sendto;
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 1/5] Hide getattr denials upon sudo invocation
From: Christopher J. PeBenito @ 2014-04-04 20:09 UTC (permalink / raw)
  To: refpolicy

On 03/25/2014 04:30 PM, Sven Vermeulen wrote:
> When sudo is invoked (sudo -i) the audit log gets quite a lot of denials
> related to the getattr permission against tty_device_t:chr_file for the
> *_sudo_t domain. However, no additional logging (that would hint at a
> need) by sudo, nor any functional issues come up.
> 
> Hence the dontaudit call.

Merged.

> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  policy/modules/admin/sudo.if | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
> index 0960199..d9114b3 100644
> --- a/policy/modules/admin/sudo.if
> +++ b/policy/modules/admin/sudo.if
> @@ -110,6 +110,7 @@ template(`sudo_role_template',`
>  	selinux_compute_relabel_context($1_sudo_t)
>  
>  	term_getattr_pty_fs($1_sudo_t)
> +	term_dontaudit_getattr_unallocated_ttys($1_sudo_t)
>  	term_relabel_all_ttys($1_sudo_t)
>  	term_relabel_all_ptys($1_sudo_t)
>  
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 3/5] Support /sys/devices/system/cpu/online
From: Christopher J. PeBenito @ 2014-04-04 20:09 UTC (permalink / raw)
  To: refpolicy

On 03/25/2014 04:30 PM, Sven Vermeulen wrote:
> In glibc, the get_nprocs method reads /sys/devices/system/cpu/online, so
> we need to grant most domains read access to this file. As we don't want
> them to have read access on sysfs_t by default, create a new type
> (cpu_online_t) and assign it to the file, and grant domains read access
> to the file.
> 
> This does require systems to relabel the file upon every boot, something
> distributions do in their bootup scripts, as /sys devices don't keep
> their context.

Merged.


> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  policy/modules/kernel/devices.fc |  1 +
>  policy/modules/kernel/devices.if | 25 +++++++++++++++++++++++++
>  policy/modules/kernel/devices.te |  7 +++++++
>  policy/modules/kernel/domain.te  |  3 +++
>  4 files changed, 36 insertions(+)
> 
> diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
> index b31c054..d6ebfcd 100644
> --- a/policy/modules/kernel/devices.fc
> +++ b/policy/modules/kernel/devices.fc
> @@ -199,6 +199,7 @@ ifdef(`distro_debian',`
>  /lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
>  
>  /sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
> +/sys/devices/system/cpu/online	--	gen_context(system_u:object_r:cpu_online_t,s0)
>  
>  ifdef(`distro_redhat',`
>  # originally from named.fc
> diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
> index 1884413..c2d0f08 100644
> --- a/policy/modules/kernel/devices.if
> +++ b/policy/modules/kernel/devices.if
> @@ -4854,6 +4854,31 @@ interface(`dev_create_zero_dev',`
>  
>  ########################################
>  ## <summary>
> +##	Read cpu online hardware state information
> +## </summary>
> +## <desc>
> +##	<p>
> +##	Allow the specified domain to read /sys/devices/system/cpu/online
> +##	</p>
> +## </desc>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`dev_read_cpu_online',`
> +	gen_require(`
> +		type cpu_online_t;
> +	')
> +
> +	allow $1 cpu_online_t:file read_file_perms;
> +
> +	dev_search_sysfs($1)
> +')
> +
> +########################################
> +## <summary>
>  ##	Unconfined access to devices.
>  ## </summary>
>  ## <param name="domain">
> diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
> index 520f4ee..d34807f 100644
> --- a/policy/modules/kernel/devices.te
> +++ b/policy/modules/kernel/devices.te
> @@ -60,6 +60,13 @@ type cpu_device_t;
>  dev_node(cpu_device_t)
>  
>  #
> +# /sys/devices/system/cpu/online device
> +#
> +type cpu_online_t;
> +files_type(cpu_online_t)
> +dev_associate_sysfs(cpu_online_t)
> +
> +#
>  # Type for /dev/crash
>  #
>  type crash_device_t;
> diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
> index cf04cb5..3a55334 100644
> --- a/policy/modules/kernel/domain.te
> +++ b/policy/modules/kernel/domain.te
> @@ -96,6 +96,9 @@ kernel_dontaudit_link_key(domain)
>  # create child processes in the domain
>  allow domain self:process { fork sigchld };
>  
> +# glibc get_nprocs requires read access to /sys/devices/system/cpu/online
> +dev_read_cpu_online(domain)
> +
>  # Use trusted objects in /dev
>  dev_rw_null(domain)
>  dev_rw_zero(domain)
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 2/5] Fix avc_context_to_raw assertion (avc_running) failure upon running groupadd or useradd
From: Sven Vermeulen @ 2014-04-09 16:52 UTC (permalink / raw)
  To: refpolicy

On Fri, Apr 04, 2014 at 04:07:25PM -0400, Christopher J. PeBenito wrote:
> On 03/25/2014 04:30 PM, Sven Vermeulen wrote:
> > When trying to create a group, the following error occurs:
> > 
> > ~# groupadd test
> > groupadd: avc.c:74: avc_context_to_sid_raw: Assertion `avc_running'
> > failed.
> > zsh: abort      groupadd test
> > 
> > In the denial logs, the following AVC denial is shown:
> > 
> > Jan 23 13:57:17 maelstrom kernel: [11395.396588] type=1400
> > audit(1390481837.876:989): avc:  denied  { create } for  pid=14296
> > comm="groupadd" scontext=staff_u:sysadm_r:groupadd_t
> > tcontext=staff_u:sysadm_r:groupadd_t tclass=netlink_selinux_socket
> > 
> > In permissive mode, we notice that it both creates and binds to the
> > netlink_selinux_socket.
> > 
> > Same with useradd.
> > 
> > Allowing the create/bind fixes the problem.
> 
> I think we should start a new seutil interface which provides the necessary access for domains that have a userspace AVC.  However, since this seems to only initialize a userspace AVC to do context_to_sid_raw, I wonder if it makes sense to keep this explicit netlink_selinux_socket access.
[...]
> > +allow groupadd_t self:netlink_selinux_socket { bind create };

Hi Chris & refpolicy folks

I'm afraid I don't follow.

I understand that netlink_selinux_socket class is related to userspace
SELinux support (netlink interface for interaction between userspace and
kernel towards the SELinux subsystem) but you lost me at "to only initialize
a userspace AVC to do context_to_sid_raw".

Do you mean that the permissions (bind + create) do not really mean that
there is any communication otherwise (as there is no send_msg/recv_msg)? If
so, does this then mean that the application shouldn't be calling
avc_context_to_sid_raw at all?

Wkr,
	Sven Vermeulen


* [refpolicy] [PATCH 2/5] Fix avc_context_to_raw assertion (avc_running) failure upon running groupadd or useradd
From: Christopher J. PeBenito @ 2014-04-11 12:57 UTC (permalink / raw)
  To: refpolicy

On 04/09/2014 12:52 PM, Sven Vermeulen wrote:
> On Fri, Apr 04, 2014 at 04:07:25PM -0400, Christopher J. PeBenito wrote:
>> On 03/25/2014 04:30 PM, Sven Vermeulen wrote:
>>> When trying to create a group, the following error occurs:
>>>
>>> ~# groupadd test
>>> groupadd: avc.c:74: avc_context_to_sid_raw: Assertion `avc_running'
>>> failed.
>>> zsh: abort      groupadd test
>>>
>>> In the denial logs, the following AVC denial is shown:
>>>
>>> Jan 23 13:57:17 maelstrom kernel: [11395.396588] type=1400
>>> audit(1390481837.876:989): avc:  denied  { create } for  pid=14296
>>> comm="groupadd" scontext=staff_u:sysadm_r:groupadd_t
>>> tcontext=staff_u:sysadm_r:groupadd_t tclass=netlink_selinux_socket
>>>
>>> In permissive mode, we notice that it both creates and binds to the
>>> netlink_selinux_socket.
>>>
>>> Same with useradd.
>>>
>>> Allowing the create/bind fixes the problem.
>>
>> I think we should start a new seutil interface which provides the necessary access for domains that have a userspace AVC.  However, since this seems to only initialize a userspace AVC to do context_to_sid_raw, I wonder if it makes sense to keep this explicit netlink_selinux_socket access.
> [...]
>>> +allow groupadd_t self:netlink_selinux_socket { bind create };
> 
> Hi Chris & refpolicy folks
> 
> I'm afraid I don't follow.
> 
> I understand that netlink_selinux_socket class is related to userspace
> SELinux support (netlink interface for interaction between userspace and
> kernel towards the SELinux subsystem) but you lost me at "to only initialize
> a userspace AVC to do context_to_sid_raw".

Well as far as I know, there aren't any reasons for groupadd to run a userspace AVC (it's not an object manager).  However, to do context_to_sid_raw, it needs to have one running (hence the assertion that failed above).  I'd like to start putting together an interface that domains that have a userspace AVC can use, which provides all the necessary access for the AVC to work.
 
> Do you mean that the permissions (bind + create) do not really mean that
> there is any communication otherwise (as there is no send_msg/recv_msg)? If

Yes, but due to no read/write perms.

> so, does this then mean that the application shouldn't be calling
> avc_context_to_sid_raw at all?

I'm not suggesting that, as I haven't looked at the code.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

