From: "Higgs, Stephen"
To: selinux@tycho.nsa.gov
Subject: selinux category relabel (puppet)
Date: Fri, 13 Mar 2015 13:52:17 +0000

Hello all,

If there is a more appropriate forum for this question please let me know:

I have a system that uses confined users by default and some files are managed by a puppet server. When I run (via run_init) the puppet startup script, I get the following avc log:

avc: denied { relabelto } for pid=30707 comm="puppet" name="crl.pem" dev=dm-1 ino=527257 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0:c0.c1023 tclass=file

I added "typeattribute puppet_t can_change_object_identity" and appropriate "allow" statements to the puppet_t type after reading the constraints in the targeted policy. However, it was the category "s0:c0.c1023" that was also preventing puppet from relabeling the crl.pem file.

I was able to fix this by manually relabeling the file to "s0" instead of "s0:c0.c1023". My question is, how *should* I handle this so puppet can handle the relabel of the category?

Stephen Higgs
ICF International
From: Stephen Smalley
To: "Higgs, Stephen", selinux@tycho.nsa.gov
Subject: Re: selinux category relabel (puppet)
Date: Fri, 13 Mar 2015 13:40:21 -0400

On 03/13/2015 09:52 AM, Higgs, Stephen wrote:
> I was able to fix this by manually relabeling the file to "s0" instead
> of "s0:c0.c1023". My question is, how *should* I handle this so puppet
> can handle the relabel of the category?

It requires an appropriate attribute for the mcs or mls constraint that is blocking access. Which attribute depends on your policy; MCS in particular has changed a lot over time in Fedora and RHEL. What distro & version?
From: "Higgs, Stephen"
To: Stephen Smalley, selinux@tycho.nsa.gov
Subject: RE: selinux category relabel (puppet)
Date: Fri, 13 Mar 2015 17:52:37 +0000

> On 03/13/2015 09:52 AM, Higgs, Stephen wrote:
> > I was able to fix this by manually relabeling the file to "s0" instead
> > of "s0:c0.c1023". My question is, how *should* I handle this so puppet
> > can handle the relabel of the category?
>
> It requires an appropriate attribute for the mcs or mls constraint that is
> blocking access. Which attribute depends on your policy; MCS in particular has
> changed a lot over time in Fedora and RHEL. What distro & version?

I'm using CentOS / RedHat 6.6, targeted reference policy 24.
From: Stephen Smalley
To: "Higgs, Stephen", selinux@tycho.nsa.gov
Subject: Re: selinux category relabel (puppet)
Date: Fri, 13 Mar 2015 13:54:58 -0400

On 03/13/2015 01:52 PM, Higgs, Stephen wrote:
> I'm using CentOS / RedHat 6.6, targeted reference policy 24.

So, selinux-policy-3.7.19-260.el6 or thereabouts?

From: "Higgs, Stephen"
To: Stephen Smalley, selinux@tycho.nsa.gov
Subject: RE: selinux category relabel (puppet)
Date: Fri, 13 Mar 2015 17:58:43 +0000

> > I'm using CentOS / RedHat 6.6, targeted reference policy 24.
>
> So, selinux-policy-3.7.19-260.el6 or thereabouts?

Yes, exactly selinux-policy-3.7.19-260.el6_6.2

From: Dominick Grift
To: selinux@tycho.nsa.gov
Subject: Re: selinux category relabel (puppet)
Date: Fri, 13 Mar 2015 19:02:38 +0100

On Fri, Mar 13, 2015 at 05:52:37PM +0000, Higgs, Stephen wrote:
> > It requires an appropriate attribute for the mcs or mls constraint that is
> > blocking access. Which attribute depends on your policy; MCS in particular has
> > changed a lot over time in Fedora and RHEL. What distro & version?
>
> I'm using CentOS / RedHat 6.6, targeted reference policy 24.

I do not see how it makes sense in the first place to relabelto s0:c0.c1023, might as well keep it s0. Any idea why puppet is trying to relabelto s0:c0.c1023? Is that specified in your puppet configuration?

Also it may not even be a constraint issue in the first place (I doubt that puppet is mcs constrained). Maybe you just need a rule like:

allow puppet_t puppet_var_lib_t:file relabelto;

What does audit2why tell you when you pipe the avc denial into its input stream?

-- 
02DFF788 4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift

From: Stephen Smalley
To: "Higgs, Stephen", selinux@tycho.nsa.gov
Subject: Re: selinux category relabel (puppet)
Date: Fri, 13 Mar 2015 14:04:45 -0400

On 03/13/2015 01:52 PM, Higgs, Stephen wrote:
> I'm using CentOS / RedHat 6.6, targeted reference policy 24.

Hmmm...looking at selinux-policy-3.7.19-260.el6.src.rpm, serefpolicy-3.7.19/policy/mcs has this:

# New filesystem object labels must be dominated by the relabeling subject
# clearance, also the objects are single-level.
mlsconstrain file { create relabelto }
	(( h1 dom h2 ) and ( l2 eq h2 ));

So no attributes are exempted from that constraint; your only option is to run puppet ranged (i.e. as system_u:system_r:puppet_t:s0-s0:c0.c1023) so that its high level dominates any potential file level.

You should be able to do that with a range_transition rule, e.g.

range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c1023;

(assuming that the puppet entrypoint is labeled with puppet_exec_t).
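The constraint Stephen quotes can be checked mechanically, which makes it easy to see why the attribute route was a dead end and why the two fixes discussed in this thread work. The Python script below is an added example written for this archive, not code from the thread or from the reference policy. It parses the MLS/MCS range out of the scontext and tcontext of the posted AVC record, evaluates (( h1 dom h2 ) and ( l2 eq h2 )) the way the kernel's MLS constraint check does for file { create relabelto }, and reports which clause fails. It also goes a little beyond the specific case: it accepts comma lists and dotted category ranges, and it shows that a ranged puppet_t (s0-s0:c0.c1023) passes, that the manual workaround (file relabeled to s0) passes, and that a multi-level target would still be rejected by l2 eq h2. The class and function names are the example's own.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    """One MLS/MCS level: a sensitivity number and a set of category numbers."""
    sens: int
    cats: frozenset

    def dom(self, other):
        # MLS dominance: sensitivity is at least as high and the category set is
        # a superset.  Plain s0 (no categories) does not dominate s0:c0.c1023.
        return self.sens >= other.sens and self.cats >= other.cats


def parse_level(text):
    """Parse 's0', 's0:c0.c1023' or 's0:c1,c4.c6' into a Level."""
    sens_part, _, cat_part = text.strip().partition(':')
    m = re.fullmatch(r's(\d+)', sens_part)
    if not m:
        raise ValueError(f'bad sensitivity in level {text!r}')
    cats = set()
    if cat_part:
        for piece in cat_part.split(','):
            lo, _, hi = piece.partition('.')   # 'c0.c1023' is an inclusive range
            lo_n = int(lo[1:])
            hi_n = int(hi[1:]) if hi else lo_n
            cats.update(range(lo_n, hi_n + 1))
    return Level(int(m.group(1)), frozenset(cats))


def parse_range(text):
    """Parse 'low' or 'low-high' (spaces around '-' allowed) into (low, high).
    A single level is its own high level; that is what makes it single-level."""
    low, _, high = text.partition('-')
    lo = parse_level(low)
    return lo, (parse_level(high) if high else lo)


def context_range(ctx):
    """Return the range field of user:role:type:range (the range may itself contain ':')."""
    return ctx.split(':', 3)[3]


def check_relabelto(scontext, tcontext):
    """Evaluate the serefpolicy MCS constraint quoted in the thread:
        mlsconstrain file { create relabelto } (( h1 dom h2 ) and ( l2 eq h2 ));
    Returns (allowed, list_of_failing_clauses)."""
    l1, h1 = parse_range(context_range(scontext))
    l2, h2 = parse_range(context_range(tcontext))
    failing = []
    if not h1.dom(h2):
        failing.append('h1 dom h2')   # subject clearance must dominate the new file level
    if l2 != h2:
        failing.append('l2 eq h2')    # the file must stay single-level
    return (not failing), failing


def parse_avc(line):
    """Pull the permission, scontext and tcontext out of an AVC denial record."""
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    perm = re.search(r'\{\s*(\w+)\s*\}', line).group(1)
    return perm, fields['scontext'], fields['tcontext']


# Constructed sample input: the AVC record as posted in the thread.
AVC_LINE = ('avc: denied { relabelto } for pid=30707 comm="puppet" name="crl.pem" '
            'dev=dm-1 ino=527257 scontext=system_u:system_r:puppet_t:s0 '
            'tcontext=system_u:object_r:puppet_var_lib_t:s0:c0.c1023 tclass=file')


def explain(scontext, tcontext):
    """Human-readable verdict for one subject/target pair."""
    ok, failing = check_relabelto(scontext, tcontext)
    verdict = 'allowed' if ok else 'denied by ' + ' and '.join(failing)
    return f'{context_range(scontext):>16} -> {context_range(tcontext):<14} {verdict}'


if __name__ == '__main__':
    perm, s, t = parse_avc(AVC_LINE)
    print(f'permission {perm}: {explain(s, t)}')
    # The range_transition fix: puppet_t runs as s0-s0:c0.c1023, so h1 dominates h2.
    print(explain('system_u:system_r:puppet_t:s0-s0:c0.c1023', t))
    # The manual workaround from the first post: the file is relabeled to plain s0.
    print(explain(s, 'system_u:object_r:puppet_var_lib_t:s0'))
```

Run it as a script to see the three verdicts; with the posted AVC the only failing clause is h1 dom h2, which is exactly the clause that no type attribute can exempt, so widening the subject's clearance (the range_transition) or narrowing the file level (the manual relabel) are the two ways out.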
From: "Higgs, Stephen"
To: Stephen Smalley, selinux@tycho.nsa.gov
Subject: RE: selinux category relabel (puppet)
Date: Fri, 13 Mar 2015 21:17:36 +0000

> So no attributes are exempted from that constraint; your only option is to run
> puppet ranged (i.e. as system_u:system_r:puppet_t:s0-s0:c0.c1023)
> so that its high level dominates any potential file level.
>
> You should be able to do that with a range_transition rule, e.g.
> range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c1023; (assuming
> that the puppet entrypoint is labeled with puppet_exec_t).

Thanks Stephen, this makes sense to me, but I can't get that statement to compile in my policy module:

Compiling targeted puppet module
/usr/bin/checkmodule: loading policy configuration from tmp/puppet.tmp
puppet.te":14:ERROR 'unknown level s0-s0 used in range_transition definition' at token ';' on line 1041:
range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023;
#init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023);
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/puppet.mod] Error 1

I did try checkmodule as well, and I tried using the init_ranged_daemon_domain macro. Here is the policy module that I am trying to compile:

module puppet 1.2;

require {
	type puppet_t;
	type puppet_exec_t;
	type initrc_t;
	attribute can_change_object_identity;
	class process { transition };
}

typeattribute puppet_t can_change_object_identity;
#init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023);
range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023;

I feel like I'm close, but perhaps I'm missing how to import the level definitions?
From: Dominick Grift
To: selinux@tycho.nsa.gov
Subject: Re: selinux category relabel (puppet)
Date: Fri, 13 Mar 2015 22:31:38 +0100

On Fri, Mar 13, 2015 at 09:17:36PM +0000, Higgs, Stephen wrote:
> typeattribute puppet_t can_change_object_identity;
> #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023);
> range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023;

Not sure but try spaces here (s0 - s0):

range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c1023;

> I feel like I'm close, but perhaps I'm missing how to import the level definitions?

-- 
Dominick Grift

From: Miroslav Grepl
To: selinux@tycho.nsa.gov
Subject: Re: selinux category relabel (puppet)
Date: Mon, 16 Mar 2015 13:43:28 +0100

On 03/13/2015 10:31 PM, Dominick Grift wrote:
> On Fri, Mar 13, 2015 at 09:17:36PM +0000, Higgs, Stephen wrote:
>>> So no attributes are exempted from that constraint; your only option is to run
>>> puppet ranged (i.e. as system_u:system_r:puppet_t:s0-s0:c0.c1023)
>>> so that its high level dominates any potential file level.

Yes, there is no attribute on RHEL6.

>>> You should be able to do that with a range_transition rule, e.g.
>>> range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c1023; (assuming
>>> that the puppet entrypoint is labeled with puppet_exec_t).
>> Thanks Stephen, this makes sense to me, but I can't get that statement to compile in my policy module:
>>
>> puppet.te":14:ERROR 'unknown level s0-s0 used in range_transition definition' at token ';' on line 1041:
>> range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023;
>>
>> I did try checkmodule as well, and I tried using the init_ranged_daemon_domain macro.
> Not sure but try spaces here (s0 - s0): range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c1023;
>
>> I feel like I'm close, but perhaps I'm missing how to import the level definitions?

Try this one

policy_module(mypol,1.0)

require {
	type puppet_t;
	type puppet_exec_t;
}

ifdef(`enable_mcs',`
	init_ranged_daemon_domain(puppet_t, puppet_exec_t, s0 - s0:c0.c1023)
')

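The constraint quoted in the message above is the whole story on RHEL 6: no attribute exempts puppet_t from it, so the only thing that changes the outcome is the subject's high level. What follows is an added example, not code from this thread or from the SELinux or reference policy projects. It parses SELinux contexts with MCS ranges, implements level dominance, and evaluates the "(h1 dom h2) and (l2 eq h2)" check for the AVC message at the top of the thread, assuming the RHEL 6 targeted level space (one sensitivity, s0, and categories c0..c1023). It shows that puppet_t at plain s0 fails against a file at s0:c0.c1023, that the same domain run at s0-s0:c0.c1023 passes, that relabelling the file to plain s0 (the original workaround) passes for the opposite reason, and that a multi-level file would still fail on the "l2 eq h2" half. The category parser also rejects the "s0 - s0:c0.c0123" range as typed in the range_transition example above, since c0123 is not a declared category name in a policy with c0..c1023; the range that compiled later in the thread uses c0.c1023.

```python
"""MCS constraint check for the puppet relabelto denial (added example).

Not code from the thread or from any SELinux project. It parses SELinux
contexts with MCS/MLS ranges, implements level dominance and evaluates the
constraint quoted from serefpolicy's policy/mcs:
    mlsconstrain file { create relabelto } (( h1 dom h2 ) and ( l2 eq h2 ));
Assumed level space: RHEL 6 targeted, sensitivity s0 and categories c0..c1023.
"""
import re
from dataclasses import dataclass

MAX_CATS = 1024                                  # assumed: c0..c1023 declared
_CAT_NAME = re.compile(r"^c(0|[1-9][0-9]*)$")   # 'c0123' is not a declared name
_AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?scontext=(?P<s>\S+)"
                     r"\s+tcontext=(?P<t>\S+)\s+tclass=(?P<tclass>\S+)")
# Sample input: the denial posted at the top of the thread.
AVC_LINE = ('avc: denied { relabelto } for pid=30707 comm="puppet" name="crl.pem" '
            'dev=dm-1 ino=527257 scontext=system_u:system_r:puppet_t:s0 '
            'tcontext=system_u:object_r:puppet_var_lib_t:s0:c0.c1023 tclass=file')


@dataclass(frozen=True)
class Level:
    sens: int
    cats: frozenset

    def dom(self, other):
        """'dom': sensitivity not lower and category set a superset."""
        return self.sens >= other.sens and self.cats >= other.cats

    def __str__(self):
        """Render categories as c0.c1023 style runs, as the policy writes them."""
        parts, cats = [], sorted(self.cats)
        while cats:
            start = end = cats.pop(0)
            while cats and cats[0] == end + 1:
                end = cats.pop(0)
            parts.append("c%d" % start if start == end else "c%d.c%d" % (start, end))
        return "s%d" % self.sens + (":" + ",".join(parts) if parts else "")


def _cat_index(name):
    if not _CAT_NAME.match(name) or int(name[1:]) >= MAX_CATS:
        raise ValueError("category %r is not declared in the policy" % name)
    return int(name[1:])


def parse_level(text):
    """'s0', 's0:c0.c1023' or 's0:c1,c3.c5' -> Level (a dot marks a run)."""
    sens, _, cat_spec = text.partition(":")
    if not re.match(r"^s[0-9]+$", sens):
        raise ValueError("bad sensitivity %r" % sens)
    cats = set()
    for item in filter(None, cat_spec.split(",")):
        lo, _, hi = item.partition(".")
        lo_i = _cat_index(lo)
        hi_i = _cat_index(hi) if hi else lo_i
        if hi_i < lo_i:
            raise ValueError("bad category run %r" % item)
        cats.update(range(lo_i, hi_i + 1))
    return Level(int(sens[1:]), frozenset(cats))


def parse_range(text):
    """'low' or 'low-high' -> (low, high); a single level is its own high."""
    low, _, high = text.partition("-")
    low_l = parse_level(low.strip())
    high_l = parse_level(high.strip()) if high else low_l
    if not high_l.dom(low_l):
        raise ValueError("high must dominate low in %r" % text)
    return low_l, high_l


def is_valid_range(text):
    try:
        return bool(parse_range(text))
    except ValueError:
        return False


def relabelto_allowed(scontext, tcontext):
    """(h1 dom h2) and (l2 eq h2); the range is the 4th ':'-separated field."""
    _, h1 = parse_range(scontext.split(":", 3)[3])
    l2, h2 = parse_range(tcontext.split(":", 3)[3])
    return h1.dom(h2) and l2 == h2


def ranged_context(scontext, high):
    """Subject context as a range_transition to 'low - high' would leave it."""
    user, role, type_, mls = scontext.split(":", 3)
    low = parse_range(mls)[0]
    return ":".join((user, role, type_, "%s-%s" % (low, parse_level(high))))


def diagnose_avc(line):
    """For a file create/relabelto denial: does the mcs constraint block it,
    and which subject range (high level = target's high) would pass it.
    A passing constraint is necessary, not sufficient: allow rules are separate."""
    m = _AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial line")
    perms = set(m.group("perms").split())
    report = {"perms": perms, "tclass": m.group("tclass"),
              "constraint_blocks": None, "suggested_scontext": None}
    if report["tclass"] == "file" and perms & {"create", "relabelto"}:
        allowed = relabelto_allowed(m.group("s"), m.group("t"))
        report["constraint_blocks"] = not allowed
        if not allowed:
            h2 = parse_range(m.group("t").split(":", 3)[3])[1]
            report["suggested_scontext"] = ranged_context(m.group("s"), str(h2))
    return report
```

Run diagnose_avc(AVC_LINE) and it reports constraint_blocks True with the suggested subject context system_u:system_r:puppet_t:s0-s0:c0.c1023, which is exactly the ranged domain the range_transition in the thread produces. The check is only half of the decision: the type-enforcement allow rule for relabelto on the file type is evaluated separately, and an AVC line does not say which of the two failed, so a ranged domain that is still denied needs its allow rules audited next.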
--=_Boundary-2884-1426509815-0001-2-- From mboxrd@z Thu Jan 1 00:00:00 1970 Message-ID: <5506D2C7.7040400@tycho.nsa.gov> Date: Mon, 16 Mar 2015 08:55:35 -0400 From: Stephen Smalley MIME-Version: 1.0 To: "Higgs, Stephen" , "selinux@tycho.nsa.gov" Subject: Re: selinux category relabel (puppet) References: <2409d98630af4bc39108524e04557017@VNUCITEX02.ICFI.icfconsulting.com> <55032105.1030903@tycho.nsa.gov> <103dc46dd5b34fa5a752edce40d20e01@VNUCITEX02.ICFI.icfconsulting.com> <550326BD.10207@tycho.nsa.gov> <6d80ec39a885492792f446972fb5facc@VNUCITEX02.ICFI.icfconsulting.com> In-Reply-To: <6d80ec39a885492792f446972fb5facc@VNUCITEX02.ICFI.icfconsulting.com> Content-Type: text/plain; charset=windows-1252 List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: On 03/13/2015 05:17 PM, Higgs, Stephen wrote: >>>>> Hello all, >>>>> >>>>> >>>>> >>>>> If there is a more appropriate forum for this question please let me know: >>>>> >>>>> >>>>> >>>>> I have a system that uses confined users by default and some files >>>>> are managed by a puppet server. When I run (via run_init) the >>>>> puppet startup script, I get the following avc log: >>>>> >>>>> >>>>> >>>>> avc: denied { relabelto } for pid=30707 comm="puppet" name="crl.pem" >>>>> dev=dm-1 ino=527257 scontext=system_u:system_r:puppet_t:s0 >>>>> tcontext=system_u:object_r:puppet_var_lib_t:s0:c0.c1023 tclass=file >>>>> >>>>> I added "typeattribute puppet_t can_change_object_identity" and >>>>> appropriate "allow" statements to the puppet_t type after reading >>>>> the constraints in the targeted policy. However, it was the category >>>>> "s0:c0.c1023" that was also preventing puppet from relabeling the >>>>> crl.pem file. >>>>> >>>>> I was able to fix this by manually relabeling the file to "s0" >>>>> instead of "s0:c0.c1023". My question is, how *should* I handle this >>>>> so puppet can handle the relabel of the category? 
>>>> >>>> It requires an appropriate attribute for the mcs or mls constraint >>>> that is blocking access. Which attribute depends on your policy; MCS >>>> in particular has changed a lot over time in Fedora and RHEL. What distro & >> version? >>>> >>> >>> I'm using CentOS / RedHat 6.6, targeted reference policy 24. >> >> Hmmm...looking at selinux-policy-3.7.19-260.el6.src.rpm, >> serefpolicy-3.719/policy/mcs has this: >> >> # New filesystem object labels must be dominated by the relabeling subject # >> clearance, also the objects are single-level. >> mlsconstrain file { create relabelto } >> (( h1 dom h2 ) and ( l2 eq h2 )); >> >> So no attributes are exempted from that constraint; your only option is to run >> puppet ranged (i.e. as system_u:system_r:puppet_t:s0-s0:c0.c1023) >> so that its high level dominates any potential file level. >> >> You should be able to do that with a range_transition rule, e.g. >> range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c0123; (assuming >> that the puppet entrypoint is labeled with puppet_exec_t). > > Thanks Stephen, this makes sense to me, but I can't get that statement to compile in my policy module: > > Compiling targeted puppet module > /usr/bin/checkmodule: loading policy configuration from tmp/puppet.tmp > puppet.te":14:ERROR 'unknown level s0-s0 used in range_transition definition' at token ';' on line 1041: > range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023; > #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023); > /usr/bin/checkmodule: error(s) encountered while parsing configuration > make: *** [tmp/puppet.mod] Error 1 > > I did try checkmodule as well, and I tried using the init_ranged_daemon_domain macro. 
Here is the policy module that I am trying to compile: > > module puppet 1.2; > require { > type puppet_t; > type puppet_exec_t; > type initrc_t; > attribute can_change_object_identity; > class process { transition }; > } > typeattribute puppet_t can_change_object_identity; > #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023); > range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023; > > I feel like I'm close, but perhaps I'm missing how to import the level definitions? As Dominick suggested, whitespace unfortunately matters for the MLS range specification - you need whitespace around the - (dash). checkpolicy scanner issue introduced when IDENTIFIER was expanded to include dash characters to support usage in filesystem type names and user names IIRC. Should probably refactor that. From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Higgs, Stephen" To: Stephen Smalley , "selinux@tycho.nsa.gov" Subject: RE: selinux category relabel (puppet) Date: Mon, 16 Mar 2015 15:20:34 +0000 Message-ID: <6473200d15b34130bb3645269013c9e2@VNUCITEX02.ICFI.icfconsulting.com> References: <2409d98630af4bc39108524e04557017@VNUCITEX02.ICFI.icfconsulting.com> <55032105.1030903@tycho.nsa.gov> <103dc46dd5b34fa5a752edce40d20e01@VNUCITEX02.ICFI.icfconsulting.com> <550326BD.10207@tycho.nsa.gov> <6d80ec39a885492792f446972fb5facc@VNUCITEX02.ICFI.icfconsulting.com> <5506D2C7.7040400@tycho.nsa.gov> In-Reply-To: <5506D2C7.7040400@tycho.nsa.gov> Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: > >>>>> Hello all, > >>>>> > >>>>> > >>>>> > >>>>> If there is a more appropriate forum for this question please let me > know: > >>>>> > >>>>> > >>>>> > >>>>> I have a system that uses confined users by default and some files > >>>>> are managed by a puppet server. 
When I run (via run_init) the > >>>>> puppet startup script, I get the following avc log: > >>>>> > >>>>> > >>>>> > >>>>> avc: denied { relabelto } for pid=30707 comm="puppet" name="crl.pem" > >>>>> dev=dm-1 ino=527257 scontext=system_u:system_r:puppet_t:s0 > >>>>> tcontext=system_u:object_r:puppet_var_lib_t:s0:c0.c1023 > >>>>> tclass=file > >>>>> > >>>>> I added "typeattribute puppet_t can_change_object_identity" and > >>>>> appropriate "allow" statements to the puppet_t type after reading > >>>>> the constraints in the targeted policy. However, it was the > >>>>> category "s0:c0.c1023" that was also preventing puppet from > >>>>> relabeling the crl.pem file. > >>>>> > >>>>> I was able to fix this by manually relabeling the file to "s0" > >>>>> instead of "s0:c0.c1023". My question is, how *should* I handle > >>>>> this so puppet can handle the relabel of the category? > >>>> > >>>> It requires an appropriate attribute for the mcs or mls constraint > >>>> that is blocking access. Which attribute depends on your policy; > >>>> MCS in particular has changed a lot over time in Fedora and RHEL. > >>>> What distro & > >> version? > >>>> > >>> > >>> I'm using CentOS / RedHat 6.6, targeted reference policy 24. > >> > >> Hmmm...looking at selinux-policy-3.7.19-260.el6.src.rpm, > >> serefpolicy-3.719/policy/mcs has this: > >> > >> # New filesystem object labels must be dominated by the relabeling > >> subject # clearance, also the objects are single-level. > >> mlsconstrain file { create relabelto } > >> (( h1 dom h2 ) and ( l2 eq h2 )); > >> > >> So no attributes are exempted from that constraint; your only option > >> is to run puppet ranged (i.e. as > >> system_u:system_r:puppet_t:s0-s0:c0.c1023) > >> so that its high level dominates any potential file level. > >> > >> You should be able to do that with a range_transition rule, e.g. 
> >> range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c0123; > >> (assuming that the puppet entrypoint is labeled with puppet_exec_t). > > > > Thanks Stephen, this makes sense to me, but I can't get that statement to > compile in my policy module: > > > > Compiling targeted puppet module > > /usr/bin/checkmodule: loading policy configuration from tmp/puppet.tmp > > puppet.te":14:ERROR 'unknown level s0-s0 used in range_transition > definition' at token ';' on line 1041: > > range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023; > > #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023); > > /usr/bin/checkmodule: error(s) encountered while parsing configuration > > make: *** [tmp/puppet.mod] Error 1 > > > > I did try checkmodule as well, and I tried using the > init_ranged_daemon_domain macro. Here is the policy module that I am > trying to compile: > > > > module puppet 1.2; > > require { > > type puppet_t; > > type puppet_exec_t; > > type initrc_t; > > attribute can_change_object_identity; > > class process { transition }; > > } > > typeattribute puppet_t can_change_object_identity; > > #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023); > > range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023; > > > > I feel like I'm close, but perhaps I'm missing how to import the level > definitions? > > As Dominick suggested, whitespace unfortunately matters for the MLS range > specification - you need whitespace around the - (dash). > checkpolicy scanner issue introduced when IDENTIFIER was expanded to include > dash characters to support usage in filesystem type names and user names > IIRC. Should probably refactor that. > Thanks everybody for your input, the format ifdef(`enable_mcs',` init_ranged_daemon_domain(puppet_t, puppet_exec_t, s0 - s0:c0.c1023) ') did the trick, and compiled with the devel makefile. 
For posterity, note that it did not compile with checkmodule, the spaces around the dash in the range level was required, and the ifdef format was also required. Thanks again, Stephen From mboxrd@z Thu Jan 1 00:00:00 1970 Message-ID: <5506FD0D.1000106@tycho.nsa.gov> Date: Mon, 16 Mar 2015 11:55:57 -0400 From: Stephen Smalley MIME-Version: 1.0 To: "Higgs, Stephen" , "selinux@tycho.nsa.gov" Subject: Re: selinux category relabel (puppet) References: <2409d98630af4bc39108524e04557017@VNUCITEX02.ICFI.icfconsulting.com> <55032105.1030903@tycho.nsa.gov> <103dc46dd5b34fa5a752edce40d20e01@VNUCITEX02.ICFI.icfconsulting.com> <550326BD.10207@tycho.nsa.gov> <6d80ec39a885492792f446972fb5facc@VNUCITEX02.ICFI.icfconsulting.com> <5506D2C7.7040400@tycho.nsa.gov> <6473200d15b34130bb3645269013c9e2@VNUCITEX02.ICFI.icfconsulting.com> In-Reply-To: <6473200d15b34130bb3645269013c9e2@VNUCITEX02.ICFI.icfconsulting.com> Content-Type: text/plain; charset=windows-1252 List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: On 03/16/2015 11:20 AM, Higgs, Stephen wrote: >>>>>>> Hello all, >>>>>>> >>>>>>> >>>>>>> >>>>>>> If there is a more appropriate forum for this question please let me >> know: >>>>>>> >>>>>>> >>>>>>> >>>>>>> I have a system that uses confined users by default and some files >>>>>>> are managed by a puppet server. When I run (via run_init) the >>>>>>> puppet startup script, I get the following avc log: >>>>>>> >>>>>>> >>>>>>> >>>>>>> avc: denied { relabelto } for pid=30707 comm="puppet" name="crl.pem" >>>>>>> dev=dm-1 ino=527257 scontext=system_u:system_r:puppet_t:s0 >>>>>>> tcontext=system_u:object_r:puppet_var_lib_t:s0:c0.c1023 >>>>>>> tclass=file >>>>>>> >>>>>>> I added "typeattribute puppet_t can_change_object_identity" and >>>>>>> appropriate "allow" statements to the puppet_t type after reading >>>>>>> the constraints in the targeted policy. 
However, it was the >>>>>>> category "s0:c0.c1023" that was also preventing puppet from >>>>>>> relabeling the crl.pem file. >>>>>>> >>>>>>> I was able to fix this by manually relabeling the file to "s0" >>>>>>> instead of "s0:c0.c1023". My question is, how *should* I handle >>>>>>> this so puppet can handle the relabel of the category? >>>>>> >>>>>> It requires an appropriate attribute for the mcs or mls constraint >>>>>> that is blocking access. Which attribute depends on your policy; >>>>>> MCS in particular has changed a lot over time in Fedora and RHEL. >>>>>> What distro & >>>> version? >>>>>> >>>>> >>>>> I'm using CentOS / RedHat 6.6, targeted reference policy 24. >>>> >>>> Hmmm...looking at selinux-policy-3.7.19-260.el6.src.rpm, >>>> serefpolicy-3.719/policy/mcs has this: >>>> >>>> # New filesystem object labels must be dominated by the relabeling >>>> subject # clearance, also the objects are single-level. >>>> mlsconstrain file { create relabelto } >>>> (( h1 dom h2 ) and ( l2 eq h2 )); >>>> >>>> So no attributes are exempted from that constraint; your only option >>>> is to run puppet ranged (i.e. as >>>> system_u:system_r:puppet_t:s0-s0:c0.c1023) >>>> so that its high level dominates any potential file level. >>>> >>>> You should be able to do that with a range_transition rule, e.g. >>>> range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c0123; >>>> (assuming that the puppet entrypoint is labeled with puppet_exec_t). 
>>> >>> Thanks Stephen, this makes sense to me, but I can't get that statement to >> compile in my policy module: >>> >>> Compiling targeted puppet module >>> /usr/bin/checkmodule: loading policy configuration from tmp/puppet.tmp >>> puppet.te":14:ERROR 'unknown level s0-s0 used in range_transition >> definition' at token ';' on line 1041: >>> range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023; >>> #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023); >>> /usr/bin/checkmodule: error(s) encountered while parsing configuration >>> make: *** [tmp/puppet.mod] Error 1 >>> >>> I did try checkmodule as well, and I tried using the >> init_ranged_daemon_domain macro. Here is the policy module that I am >> trying to compile: >>> >>> module puppet 1.2; >>> require { >>> type puppet_t; >>> type puppet_exec_t; >>> type initrc_t; >>> attribute can_change_object_identity; >>> class process { transition }; >>> } >>> typeattribute puppet_t can_change_object_identity; >>> #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023); >>> range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023; >>> >>> I feel like I'm close, but perhaps I'm missing how to import the level >> definitions? >> >> As Dominick suggested, whitespace unfortunately matters for the MLS range >> specification - you need whitespace around the - (dash). >> checkpolicy scanner issue introduced when IDENTIFIER was expanded to include >> dash characters to support usage in filesystem type names and user names >> IIRC. Should probably refactor that. >> > > Thanks everybody for your input, the format > > ifdef(`enable_mcs',` > init_ranged_daemon_domain(puppet_t, puppet_exec_t, s0 - s0:c0.c1023) > ') > > did the trick, and compiled with the devel makefile. For posterity, note that it did not compile with checkmodule, the spaces around the dash in the range level was required, and the ifdef format was also required. 
> > Thanks again, If you used the original range_transition rule I specified, including the whitespace, then it should have compiled with checkmodule, but to use the macroized version suggested by Miroslav, you have to build with the devel Makefile which applies m4 and includes the interface files that define the macros. From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Higgs, Stephen" To: Stephen Smalley , "selinux@tycho.nsa.gov" Subject: RE: selinux category relabel (puppet) Date: Mon, 16 Mar 2015 16:17:57 +0000 Message-ID: <86fba4e5686b44869753689ad401e21a@VNUCITEX02.ICFI.icfconsulting.com> References: <2409d98630af4bc39108524e04557017@VNUCITEX02.ICFI.icfconsulting.com> <55032105.1030903@tycho.nsa.gov> <103dc46dd5b34fa5a752edce40d20e01@VNUCITEX02.ICFI.icfconsulting.com> <550326BD.10207@tycho.nsa.gov> <6d80ec39a885492792f446972fb5facc@VNUCITEX02.ICFI.icfconsulting.com> <5506D2C7.7040400@tycho.nsa.gov> <6473200d15b34130bb3645269013c9e2@VNUCITEX02.ICFI.icfconsulting.com> <5506FD0D.1000106@tycho.nsa.gov> In-Reply-To: <5506FD0D.1000106@tycho.nsa.gov> Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: > >>>>>>> Hello all, > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>> If there is a more appropriate forum for this question please > >>>>>>> let me > >> know: > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>> I have a system that uses confined users by default and some > >>>>>>> files are managed by a puppet server. 
When I run (via run_init) > >>>>>>> the puppet startup script, I get the following avc log: > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>> avc: denied { relabelto } for pid=30707 comm="puppet" > name="crl.pem" > >>>>>>> dev=dm-1 ino=527257 scontext=system_u:system_r:puppet_t:s0 > >>>>>>> tcontext=system_u:object_r:puppet_var_lib_t:s0:c0.c1023 > >>>>>>> tclass=file > >>>>>>> > >>>>>>> I added "typeattribute puppet_t can_change_object_identity" and > >>>>>>> appropriate "allow" statements to the puppet_t type after > >>>>>>> reading the constraints in the targeted policy. However, it was > >>>>>>> the category "s0:c0.c1023" that was also preventing puppet from > >>>>>>> relabeling the crl.pem file. > >>>>>>> > >>>>>>> I was able to fix this by manually relabeling the file to "s0" > >>>>>>> instead of "s0:c0.c1023". My question is, how *should* I handle > >>>>>>> this so puppet can handle the relabel of the category? > >>>>>> > >>>>>> It requires an appropriate attribute for the mcs or mls > >>>>>> constraint that is blocking access. Which attribute depends on > >>>>>> your policy; MCS in particular has changed a lot over time in Fedora > and RHEL. > >>>>>> What distro & > >>>> version? > >>>>>> > >>>>> > >>>>> I'm using CentOS / RedHat 6.6, targeted reference policy 24. > >>>> > >>>> Hmmm...looking at selinux-policy-3.7.19-260.el6.src.rpm, > >>>> serefpolicy-3.719/policy/mcs has this: > >>>> > >>>> # New filesystem object labels must be dominated by the relabeling > >>>> subject # clearance, also the objects are single-level. > >>>> mlsconstrain file { create relabelto } > >>>> (( h1 dom h2 ) and ( l2 eq h2 )); > >>>> > >>>> So no attributes are exempted from that constraint; your only > >>>> option is to run puppet ranged (i.e. as > >>>> system_u:system_r:puppet_t:s0-s0:c0.c1023) > >>>> so that its high level dominates any potential file level. > >>>> > >>>> You should be able to do that with a range_transition rule, e.g. 
> >>>> range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c0123; > >>>> (assuming that the puppet entrypoint is labeled with puppet_exec_t). > >>> > >>> Thanks Stephen, this makes sense to me, but I can't get that > >>> statement to > >> compile in my policy module: > >>> > >>> Compiling targeted puppet module > >>> /usr/bin/checkmodule: loading policy configuration from > tmp/puppet.tmp > >>> puppet.te":14:ERROR 'unknown level s0-s0 used in range_transition > >> definition' at token ';' on line 1041: > >>> range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023; > >>> #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023); > >>> /usr/bin/checkmodule: error(s) encountered while parsing configuration > >>> make: *** [tmp/puppet.mod] Error 1 > >>> > >>> I did try checkmodule as well, and I tried using the > >> init_ranged_daemon_domain macro. Here is the policy module that I am > >> trying to compile: > >>> > >>> module puppet 1.2; > >>> require { > >>> type puppet_t; > >>> type puppet_exec_t; > >>> type initrc_t; > >>> attribute can_change_object_identity; > >>> class process { transition }; > >>> } > >>> typeattribute puppet_t can_change_object_identity; > >>> #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023); > >>> range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023; > >>> > >>> I feel like I'm close, but perhaps I'm missing how to import the > >>> level > >> definitions? > >> > >> As Dominick suggested, whitespace unfortunately matters for the MLS > >> range specification - you need whitespace around the - (dash). > >> checkpolicy scanner issue introduced when IDENTIFIER was expanded to > >> include dash characters to support usage in filesystem type names and > >> user names IIRC. Should probably refactor that. 
> >> > > > > Thanks everybody for your input, the format > > > > ifdef(`enable_mcs',` > > init_ranged_daemon_domain(puppet_t, puppet_exec_t, s0 - > s0:c0.c1023) > > ') > > > > did the trick, and compiled with the devel makefile. For posterity, note that it > did not compile with checkmodule, the spaces around the dash in the range > level was required, and the ifdef format was also required. > > > > Thanks again, > > If you used the original range_transition rule I specified, including the > whitespace, then it should have compiled with checkmodule, but to use the > macroized version suggested by Miroslav, you have to build with the devel > Makefile which applies m4 and includes the interface files that define the > macros. > Sorry, I should have mentioned that I did try that, and I could not get it to work (please let me know if I am doing something wrong!): module my_puppet_test 1.0; require { type initrc_t; type puppet_t; type puppet_exec_t; class process { siginh noatsecure rlimitinh }; } range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c0123; checkmodule -M -m my_puppet_test.te -o my_puppet_test.mod checkmodule: loading policy configuration from my_puppet_test.te my_puppet_test.te:10:ERROR 'unknown level s0 used in range_transition definition' at token ';' on line 10: range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c0123; checkmodule: error(s) encountered while parsing configuration From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from goalie.tycho.ncsc.mil (goalie [144.51.242.250]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id t2GH9SxJ031908 for ; Mon, 16 Mar 2015 13:09:29 -0400 Received: by wetk59 with SMTP id k59so43169171wet.3 for ; Mon, 16 Mar 2015 10:09:17 -0700 (PDT) Received: from linksys-wireless-usb.network2 (84-245-31-108.dsl.cambrium.nl. 
[84.245.31.108]) by mx.google.com with ESMTPSA id cn10sm16175902wib.15.2015.03.16.10.09.16 for (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 16 Mar 2015 10:09:16 -0700 (PDT) Date: Mon, 16 Mar 2015 18:09:15 +0100 From: Dominick Grift To: selinux@tycho.nsa.gov Subject: Re: selinux category relabel (puppet) Message-ID: <20150316170915.GA15575@linksys-wireless-usb.network2> References: <2409d98630af4bc39108524e04557017@VNUCITEX02.ICFI.icfconsulting.com> <55032105.1030903@tycho.nsa.gov> <103dc46dd5b34fa5a752edce40d20e01@VNUCITEX02.ICFI.icfconsulting.com> <550326BD.10207@tycho.nsa.gov> <6d80ec39a885492792f446972fb5facc@VNUCITEX02.ICFI.icfconsulting.com> <5506D2C7.7040400@tycho.nsa.gov> <6473200d15b34130bb3645269013c9e2@VNUCITEX02.ICFI.icfconsulting.com> <5506FD0D.1000106@tycho.nsa.gov> <86fba4e5686b44869753689ad401e21a@VNUCITEX02.ICFI.icfconsulting.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="GvXjxJ+pjyke8COw" In-Reply-To: <86fba4e5686b44869753689ad401e21a@VNUCITEX02.ICFI.icfconsulting.com> List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: --GvXjxJ+pjyke8COw Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Mar 16, 2015 at 04:17:57PM +0000, Higgs, Stephen wrote: > > >>>>>>> Hello all, > > >>>>>>> > > >>>>>>> > > >>>>>>> > > >>>>>>> If there is a more appropriate forum for this question please > > >>>>>>> let me > > >> know: > > >>>>>>> > > >>>>>>> > > >>>>>>> > > >>>>>>> I have a system that uses confined users by default and some > > >>>>>>> files are managed by a puppet server. 
When I run (via run_init) > > >>>>>>> the puppet startup script, I get the following avc log: > > >>>>>>> > > >>>>>>> > > >>>>>>> > > >>>>>>> avc: denied { relabelto } for pid=3D30707 comm=3D"puppet" > > name=3D"crl.pem" > > >>>>>>> dev=3Ddm-1 ino=3D527257 scontext=3Dsystem_u:system_r:puppet_t:s0 > > >>>>>>> tcontext=3Dsystem_u:object_r:puppet_var_lib_t:s0:c0.c1023 > > >>>>>>> tclass=3Dfile > > >>>>>>> > > >>>>>>> I added "typeattribute puppet_t can_change_object_identity" and > > >>>>>>> appropriate "allow" statements to the puppet_t type after > > >>>>>>> reading the constraints in the targeted policy. However, it was > > >>>>>>> the category "s0:c0.c1023" that was also preventing puppet from > > >>>>>>> relabeling the crl.pem file. > > >>>>>>> > > >>>>>>> I was able to fix this by manually relabeling the file to "s0" > > >>>>>>> instead of "s0:c0.c1023". My question is, how *should* I handle > > >>>>>>> this so puppet can handle the relabel of the category? > > >>>>>> > > >>>>>> It requires an appropriate attribute for the mcs or mls > > >>>>>> constraint that is blocking access. Which attribute depends on > > >>>>>> your policy; MCS in particular has changed a lot over time in Fe= dora > > and RHEL. > > >>>>>> What distro & > > >>>> version? > > >>>>>> > > >>>>> > > >>>>> I'm using CentOS / RedHat 6.6, targeted reference policy 24. > > >>>> > > >>>> Hmmm...looking at selinux-policy-3.7.19-260.el6.src.rpm, > > >>>> serefpolicy-3.719/policy/mcs has this: > > >>>> > > >>>> # New filesystem object labels must be dominated by the relabeling > > >>>> subject # clearance, also the objects are single-level. > > >>>> mlsconstrain file { create relabelto } > > >>>> (( h1 dom h2 ) and ( l2 eq h2 )); > > >>>> > > >>>> So no attributes are exempted from that constraint; your only > > >>>> option is to run puppet ranged (i.e. as > > >>>> system_u:system_r:puppet_t:s0-s0:c0.c1023) > > >>>> so that its high level dominates any potential file level. 
> > >>>> > > >>>> You should be able to do that with a range_transition rule, e.g. > > >>>> range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c0123; > > >>>> (assuming that the puppet entrypoint is labeled with puppet_exec_t= ). > > >>> > > >>> Thanks Stephen, this makes sense to me, but I can't get that > > >>> statement to > > >> compile in my policy module: > > >>> > > >>> Compiling targeted puppet module > > >>> /usr/bin/checkmodule: loading policy configuration from > > tmp/puppet.tmp > > >>> puppet.te":14:ERROR 'unknown level s0-s0 used in range_transition > > >> definition' at token ';' on line 1041: > > >>> range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023; > > >>> #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023= ); > > >>> /usr/bin/checkmodule: error(s) encountered while parsing config= uration > > >>> make: *** [tmp/puppet.mod] Error 1 > > >>> > > >>> I did try checkmodule as well, and I tried using the > > >> init_ranged_daemon_domain macro. Here is the policy module that I am > > >> trying to compile: > > >>> > > >>> module puppet 1.2; > > >>> require { > > >>> type puppet_t; > > >>> type puppet_exec_t; > > >>> type initrc_t; > > >>> attribute can_change_object_identity; > > >>> class process { transition }; > > >>> } > > >>> typeattribute puppet_t can_change_object_identity; > > >>> #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023= ); > > >>> range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023; > > >>> > > >>> I feel like I'm close, but perhaps I'm missing how to import the > > >>> level > > >> definitions? > > >> > > >> As Dominick suggested, whitespace unfortunately matters for the MLS > > >> range specification - you need whitespace around the - (dash). > > >> checkpolicy scanner issue introduced when IDENTIFIER was expanded to > > >> include dash characters to support usage in filesystem type names and > > >> user names IIRC. Should probably refactor that. 
> > >>
> > >
> > > Thanks everybody for your input, the format
> > >
> > > ifdef(`enable_mcs',`
> > >     init_ranged_daemon_domain(puppet_t, puppet_exec_t, s0 - s0:c0.c1023)
> > > ')
> > >
> > > did the trick, and compiled with the devel makefile. For posterity, note that it
> > > did not compile with checkmodule, the spaces around the dash in the range
> > > level were required, and the ifdef format was also required.
> > >
> > > Thanks again,
> >
> > If you used the original range_transition rule I specified, including the
> > whitespace, then it should have compiled with checkmodule, but to use the
> > macroized version suggested by Miroslav, you have to build with the devel
> > Makefile which applies m4 and includes the interface files that define the
> > macros.
>
> Sorry, I should have mentioned that I did try that, and I could not get it to work (please let me know if I am doing something wrong!):
>
> module my_puppet_test 1.0;
> require {
>     type initrc_t;
>     type puppet_t;
>     type puppet_exec_t;
>     class process { siginh noatsecure rlimitinh };
> }
> range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c0123;
>
> checkmodule -M -m my_puppet_test.te -o my_puppet_test.mod
> checkmodule: loading policy configuration from my_puppet_test.te
> my_puppet_test.te:10:ERROR 'unknown level s0 used in range_transition definition' at token ';' on line 10:

I suppose you also need to require the mls identifiers. That is always something to get used to.

Reference policy hides that in its macros. secilc also deals with this for you.

> range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c0123;
> checkmodule: error(s) encountered while parsing configuration
>
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
-- 
02DFF788
4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift

From: "Higgs, Stephen"
To: Dominick Grift, "selinux@tycho.nsa.gov"
Subject: RE: selinux category relabel (puppet)
Date: Tue, 17 Mar 2015 15:00:55 +0000
In-Reply-To: <20150316170915.GA15575@linksys-wireless-usb.network2>
> > Sorry, I should have mentioned that I did try that, and I could not get it to
> > work (please let me know if I am doing something wrong!):
> >
> > module my_puppet_test 1.0;
> > require {
> >     type initrc_t;
> >     type puppet_t;
> >     type puppet_exec_t;
> >     class process { siginh noatsecure rlimitinh };
> > }
> > range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c0123;
> >
> > checkmodule -M -m my_puppet_test.te -o my_puppet_test.mod
> > checkmodule: loading policy configuration from my_puppet_test.te
> > my_puppet_test.te:10:ERROR 'unknown level s0 used in range_transition definition' at token ';' on line 10:
>
> I suppose you also need to require the mls identifiers. That is always something
> to get used to.
>
> Reference policy hides that in its macros. secilc also deals with this for you.
>
> > range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c0123;
> > checkmodule: error(s) encountered while parsing configuration

Thanks! You are right, the following compiles with checkmodule:

module my_puppet_test 1.0;
require {
    type initrc_t;
    type puppet_t;
    type puppet_exec_t;
    sensitivity s0;
    class process { siginh };
    sensitivity s0;
    category c0;
    category c1023;
}
range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c1023;
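To make the quoted mcs constraint concrete, here is an added Python check (not code from the thread or from refpolicy) that evaluates (( h1 dom h2 ) and ( l2 eq h2 )) over the scontext and tcontext from the AVC denial, showing why puppet_t at s0 is refused and a ranged puppet_t (s0-s0:c0.c1023, as Stephen Smalley suggested) passes; the range-parsing helpers are my own and the contexts are copied from the denial above.

```python
"""Added example: evaluate serefpolicy's MCS relabelto constraint
   mlsconstrain file { create relabelto } (( h1 dom h2 ) and ( l2 eq h2 ));
over SELinux context strings. Parsing helpers are constructed for this
example; they are not libselinux or refpolicy code."""

def parse_level(level):
    """'s1:c0.c3,c7' -> (1, frozenset({0,1,2,3,7})); 's0' -> (0, empty set)."""
    sens, _, cats = level.partition(":")
    categories = set()
    for item in cats.split(",") if cats else []:
        if "." in item:                       # cX.cY range, inclusive
            lo, hi = item.split(".")
            categories.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            categories.add(int(item[1:]))
    return int(sens[1:]), frozenset(categories)

def parse_range(rng):
    """'s0-s0:c0.c1023' -> (low, high); a single level has low == high."""
    low, _, high = rng.partition("-")
    low_lvl = parse_level(low.strip())
    high_lvl = parse_level(high.strip()) if high else low_lvl
    return low_lvl, high_lvl

def dom(a, b):
    """MLS dominance: a's sensitivity >= b's and a's categories are a superset of b's."""
    return a[0] >= b[0] and a[1] >= b[1]

def relabelto_allowed(subject_range, object_range):
    """The constraint: subject high (h1) must dominate object high (h2),
    and the object must be single-level (l2 eq h2)."""
    _, h1 = parse_range(subject_range)
    l2, h2 = parse_range(object_range)
    return dom(h1, h2) and l2 == h2

def mls_range(context):
    """MLS range field of a full context (everything after the third colon)."""
    return context.split(":", 3)[3]

# Contexts from the AVC denial in the thread; RANGED is what the
# range_transition to s0 - s0:c0.c1023 would give puppet_t.
SCONTEXT = "system_u:system_r:puppet_t:s0"
TCONTEXT = "system_u:object_r:puppet_var_lib_t:s0:c0.c1023"
RANGED = "system_u:system_r:puppet_t:s0-s0:c0.c1023"

if __name__ == "__main__":
    print(relabelto_allowed(mls_range(SCONTEXT), mls_range(TCONTEXT)))  # False: denied
    print(relabelto_allowed(mls_range(RANGED), mls_range(TCONTEXT)))    # True
```

Note that raising puppet_t's high level satisfies h1 dom h2, but a target file that is itself ranged (l2 ne h2) would still be refused by the second half of the constraint.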