* should setfscreatecon be able to override auto type transition rules?
@ 2016-02-29 19:14 Dominick Grift
2016-02-29 20:23 ` Stephen Smalley
0 siblings, 1 reply; 5+ messages in thread
From: Dominick Grift @ 2016-02-29 19:14 UTC (permalink / raw)
To: selinux
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
I encountered this today and it got me thinking. Should this be happenin
g?
I would think that a auto type transition rule should always take
precedence, and that setfscreatecon should only be honored if there is
nothing in policy overriding it.
- --
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQGcBAEBCAAGBQJW1Jh2AAoJECV0jlU3+UdpRAoL/RYFDoPGp7uXHIMa0mew15aj
DcRHiT9M5V7Zzl2Cokr8YFpzR7VD8KIrxu29hVvACv7jza/oJJTGrxRh8MscOHGz
sZDGR43HoaOMMUJVZYIX7jYEfg0zr0lcZnEeBqYWQVoG/HFcyNQWZk/ncffIZmen
8u8QCTLkLk3PIcZuK13YPZ+V56OY07nYtOSH9pIJ03Gm5hy1BSZxkuz8DNhnLpKo
e24syQS91qb35sHvZOETrv7q9OY9W3O6nr5yTefGUTe98eMPgYcPDE8s0i3XBfXZ
tQQW7FdD3SKbCW440RD1V8VaWTZb+fmh2jLO4DlVS0l2IwvIFpt9Tqfz0217QWIJ
O5dUK1p9LN8DhYAfPAQSUs6dtECVxhzMYbKXP27f449B6XuBwQSODVIr9KEgm6Nm
SUkEwggWlAOoNJ/HlOuoOuJZSefXvvdUt09pXY5eoUcejx6Dj243D4eoU7ZogLVB
Y8AzY3xoBg7xhk3beEd1TXTphI3pdSyieN5Z49o2Zw==
=vgkv
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: should setfscreatecon be able to override auto type transition rules?
2016-02-29 19:14 should setfscreatecon be able to override auto type transition rules? Dominick Grift
@ 2016-02-29 20:23 ` Stephen Smalley
2016-02-29 20:31 ` Dominick Grift
0 siblings, 1 reply; 5+ messages in thread
From: Stephen Smalley @ 2016-02-29 20:23 UTC (permalink / raw)
To: Dominick Grift, selinux
On 02/29/2016 02:14 PM, Dominick Grift wrote:
> I encountered this today and it got me thinking. Should this be happenin
> g?
Yes.
> I would think that a auto type transition rule should always take
> precedence, and that setfscreatecon should only be honored if there is
> nothing in policy overriding it.
No. The type_transition rules are merely defaults to provide
compatibility with a non-security-aware userspace. setfscreatecon()
intentionally permits overriding type transition or default inheritance
rules. Of course, one can only use setfscreatecon() if one has the
requisite permissions, including setfscreate to even use it at all, plus
create to the specified type. However, in Android, the usage
permissions like setfscreate are tightly locked down; only a few domains
are allowed them.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: should setfscreatecon be able to override auto type transition rules?
2016-02-29 20:23 ` Stephen Smalley
@ 2016-02-29 20:31 ` Dominick Grift
2016-02-29 20:37 ` Dominick Grift
0 siblings, 1 reply; 5+ messages in thread
From: Dominick Grift @ 2016-02-29 20:31 UTC (permalink / raw)
To: Stephen Smalley, selinux
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 02/29/2016 09:23 PM, Stephen Smalley wrote:
> On 02/29/2016 02:14 PM, Dominick Grift wrote:
>> I encountered this today and it got me thinking. Should this be
>> happenin g?
>
> Yes.
>
>> I would think that a auto type transition rule should always
>> take precedence, and that setfscreatecon should only be honored
>> if there is nothing in policy overriding it.
>
> No. The type_transition rules are merely defaults to provide
> compatibility with a non-security-aware userspace.
> setfscreatecon() intentionally permits overriding type transition
> or default inheritance rules. Of course, one can only use
> setfscreatecon() if one has the requisite permissions, including
> setfscreate to even use it at all, plus create to the specified
> type. However, in Android, the usage permissions like setfscreate
> are tightly locked down; only a few domains are allowed them.
>
So if one does not allow the requisite permissions for the
setfscreatecon, should it then "fall" back to the auto type transition?
this is one of the instances:
AVC avc: denied { create } for pid=31307 comm="useradd"
name="subuid-"
scontext=wheel.id:sysadm.role:useradd.subj:s0-s0:c0.c1023
tcontext=sys.id:sys.role:config.config_file:s0 tclass=file permissive=1
There was a rule:
type_transition useradd.subj config.config_file:file passwords.file;
But there was no file context specified for it.
Thus useradd wanted to create /etc/subuid- with type
config.config_file even though there was a type transition.
In enforcing mode, would it have created /etc/subuid- with type
passwords.file? Since it was not allowed to create /etc/suduid- with
type config.config_file?
- --
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQGcBAEBCAAGBQJW1KqAAAoJECV0jlU3+UdpqzoL/jc7b2DacnIBZLMtU6sSFFly
8hJITLGj2DeGS/InlMwzEvPtey1a/uNhFyJrqoyOBp+fi1HC5Iszmp4CyeII+mHz
HakqwvlaMfulA+r91pgKAwGxtYomJQNvSJpqb/xUvEYAAczQrqSAudyX7n9DRUuz
tdGahYA9XvRh1Bx2mwv/hxJS+p6u2SDpXQk5tLG1sEdO+c1YUjPTBy7gYgGhsS7O
G2spp8C3A07mZ659tNUZe1cVVA7t3txVElE8F5KFJXKm4wuqvYNE7KLzxGZlMp5s
+aNcXsN6RnSDYkSuCZDEepq0UmAZYeQ3zNPk/sxczuE5xa2Bl/ADzvcHMbt/dkkK
RMFgTUAhNSd6g/ZvoN98ZPs7+lVTExkK1yDTsWPOqgEyp47OCVZ/6ScPGfoLIE+F
W0BINIJefqo77QCl6IEnDsOlnY6PEOZYTD4BmC4+7Men40drMnNvsW3yogfn8Cuf
FIhlDJ1l6HUjGZ6Hi+lSaoVASVK4vVa+3N1kMA7GiQ==
=IOpT
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: should setfscreatecon be able to override auto type transition rules?
2016-02-29 20:31 ` Dominick Grift
@ 2016-02-29 20:37 ` Dominick Grift
2016-02-29 21:05 ` Stephen Smalley
0 siblings, 1 reply; 5+ messages in thread
From: Dominick Grift @ 2016-02-29 20:37 UTC (permalink / raw)
To: Stephen Smalley, selinux
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 02/29/2016 09:31 PM, Dominick Grift wrote:
> On 02/29/2016 09:23 PM, Stephen Smalley wrote:
>> On 02/29/2016 02:14 PM, Dominick Grift wrote:
>>> I encountered this today and it got me thinking. Should this
>>> be happenin g?
>
>> Yes.
>
>>> I would think that a auto type transition rule should always
>>> take precedence, and that setfscreatecon should only be
>>> honored if there is nothing in policy overriding it.
>
>> No. The type_transition rules are merely defaults to provide
>> compatibility with a non-security-aware userspace.
>> setfscreatecon() intentionally permits overriding type
>> transition or default inheritance rules. Of course, one can only
>> use setfscreatecon() if one has the requisite permissions,
>> including setfscreate to even use it at all, plus create to the
>> specified type. However, in Android, the usage permissions like
>> setfscreate are tightly locked down; only a few domains are
>> allowed them.
>
>
> So if one does not allow the requisite permissions for the
> setfscreatecon, should it then "fall" back to the auto type
> transition?
>
> this is one of the instances:
>
> AVC avc: denied { create } for pid=31307 comm="useradd"
> name="subuid-"
> scontext=wheel.id:sysadm.role:useradd.subj:s0-s0:c0.c1023
> tcontext=sys.id:sys.role:config.config_file:s0 tclass=file
> permissive=1
>
> There was a rule:
>
> type_transition useradd.subj config.config_file:file
> passwords.file;
>
> But there was no file context specified for it.
>
> Thus useradd wanted to create /etc/subuid- with type
> config.config_file even though there was a type transition.
>
> In enforcing mode, would it have created /etc/subuid- with type
> passwords.file? Since it was not allowed to create /etc/suduid-
> with type config.config_file?
>
I think I know the answer. No it would not fall back.
I can understand that setfscreate overrides default inheritance, but I
personally think that auto type transition should take precedence.
In gnu/linux even coreutils request setfscreatecon. Sometimes that
makes perfect sense but sometimes you want to be able to override that.
>
- --
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQGcBAEBCAAGBQJW1KwYAAoJECV0jlU3+Udpd+oL/0PF6wZrB9U6/W22y6CV2Msz
I+zI7LiRwPUO9Bq54bO15bOmiAg8fOcR+J6qYbkLJ0IyRQdamfpBHBCiwNNP0Sf9
zK8BcJm/E3kR5oAW1HbxwYmkfZvLANvHmCBkrYNW3304SflTClRwT8K5y6kj18Xt
2Ro7u5VCywB9U/ajF0kDQNXEVbFV+YRGEDEpJ+qRqaj2GqDL93VELAbMyUZA0oVx
7x91P3pzw3kcToDqVQLYRzuUreiabFA+jqHrcCSkIycrinoWRu0EHXAOmdh1tI4I
i0CD6GqmY8ygLBnOEj6mR657hCh8fYMAQDNkPnL0pXcNP4BcfQWhYkWgnIWn+nF0
zXvP7WKlJ8Cg0XCxX5G8mVmIeGGlrasRbV/6RLAZesUDhcMPgbOMXu2yKpXBM8l8
ExHfaQvBHgtu3H6KxIDh3hF3BZrmCHsr9HPN05x9G8xGnzw/2PgyGRZYNbqvD0Ve
/f8imbPQVYrxAMcTR4CSa0scfr6hI1OQ/oRnb1J2fg==
=fagI
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: should setfscreatecon be able to override auto type transition rules?
2016-02-29 20:37 ` Dominick Grift
@ 2016-02-29 21:05 ` Stephen Smalley
0 siblings, 0 replies; 5+ messages in thread
From: Stephen Smalley @ 2016-02-29 21:05 UTC (permalink / raw)
To: Dominick Grift, selinux
On 02/29/2016 03:37 PM, Dominick Grift wrote:
> On 02/29/2016 09:31 PM, Dominick Grift wrote:
>> On 02/29/2016 09:23 PM, Stephen Smalley wrote:
>>> On 02/29/2016 02:14 PM, Dominick Grift wrote:
>>>> I encountered this today and it got me thinking. Should this
>>>> be happenin g?
>
>>> Yes.
>
>>>> I would think that a auto type transition rule should always
>>>> take precedence, and that setfscreatecon should only be
>>>> honored if there is nothing in policy overriding it.
>
>>> No. The type_transition rules are merely defaults to provide
>>> compatibility with a non-security-aware userspace.
>>> setfscreatecon() intentionally permits overriding type
>>> transition or default inheritance rules. Of course, one can only
>>> use setfscreatecon() if one has the requisite permissions,
>>> including setfscreate to even use it at all, plus create to the
>>> specified type. However, in Android, the usage permissions like
>>> setfscreate are tightly locked down; only a few domains are
>>> allowed them.
>
>
>> So if one does not allow the requisite permissions for the
>> setfscreatecon, should it then "fall" back to the auto type
>> transition?
>
>> this is one of the instances:
>
>> AVC avc: denied { create } for pid=31307 comm="useradd"
>> name="subuid-"
>> scontext=wheel.id:sysadm.role:useradd.subj:s0-s0:c0.c1023
>> tcontext=sys.id:sys.role:config.config_file:s0 tclass=file
>> permissive=1
>
>> There was a rule:
>
>> type_transition useradd.subj config.config_file:file
>> passwords.file;
>
>> But there was no file context specified for it.
>
>> Thus useradd wanted to create /etc/subuid- with type
>> config.config_file even though there was a type transition.
>
>> In enforcing mode, would it have created /etc/subuid- with type
>> passwords.file? Since it was not allowed to create /etc/suduid-
>> with type config.config_file?
>
>
> I think I know the answer. No it would not fall back.
Correct; if an application used setfscreatecon() and it is not allowed
to create a file with that type, then the file creation system call
(i.e. open, mkdir, symlink, mknod, ...) will fail with errno EACCES.
>
> I can understand that setfscreate overrides default inheritance, but I
> personally think that auto type transition should take precedence.
>
> In gnu/linux even coreutils request setfscreatecon. Sometimes that
> makes perfect sense but sometimes you want to be able to override that.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2016-02-29 21:05 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-02-29 19:14 should setfscreatecon be able to override auto type transition rules? Dominick Grift
2016-02-29 20:23 ` Stephen Smalley
2016-02-29 20:31 ` Dominick Grift
2016-02-29 20:37 ` Dominick Grift
2016-02-29 21:05 ` Stephen Smalley
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.