Re: Policy module to allow a domain transition

[Dominick Grift <dac.override@gmail.com>]

peter enderborg <peter.enderborg@sony.com> writes:

> On 3/16/20 5:04 PM, Alan Stern wrote:
>> If this is not the the right forum for this discussion, please redirect
>> me to some place more appropriate.  Where to go for good advice on the
>> trickier details of selinux is not obvious.
>>
>> The setting is CentOS 8.1.  I'm running tcpserver as a systemd service.  
>> tcpserver is a general-purpose Internet (actually TCP) service 
>> dispatcher, rather like inetd.
>>
>> In this case, I'm trying to use tcpserver as an entryway to sshd.  It 
>> works fine when selinux is in permissive mode but fails in enforcing 
>> mode.  According to audit.log, the error is:
>>
>> type=AVC msg=audit(1584123331.011:167): avc:  denied  { dyntransition } for  pid=2002 comm="sshd" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=1
>>
>> I take this to mean that tcpserver runs in the unconfined_service_t 
>> domain (confirmed by ps -Z), that when it execs the sshd program it 
>> doesn't make the transition to the sshd_t domain, and consequently sshd 
>> is prevented from doing what it wants.
>>
>> audit2allow's recommendation is:
>>
>> 	allow unconfined_service_t unconfined_t:process dyntransition;
>>
>> which probably would work, but it seems like treating the symptom
>> rather than the disease, not to mention opening up a fairly large
>> security hole.  I'd like something a little more specific, particularly
>> since I want to run one or two other services under tcpserver in
>> addition to sshd.
>>
>> Probably the best approach would be to create a new tcpserver_t type
>> with all the appropriate policies, but that's beyond my current skill.  
>> Would it make sense to create a policy module that would simply allow
>> unconfined_service_t to transition to sshd_t?
>>
>> And what would the source for such a policy module look like?  The 
>> impression I get is something like:
>>
>> 	allow unconfined_service_t sshd_exec_t:file { execute
>> 		execute_no_trans getattr ioctl map open read };
>>
>> basically just a copy an existing policy for inetd_t and 
>> sshd_exec_t.  Is that the right way to go about this?  Is there 
>> something better?
>
> The hole idea with MAC is that you should explicit declare what is allowed.

I do not agree with that. The idea of MAC is Mandatory (centralized) Access
Control. The idea of SELinux is "Flexible MAC". Least privilege is an option.

>
> Starting with anything unconfined is a bad idea for anything that is seen
> from the internet. If you do it for the security your tcpserver should have it's own
> domain that is not unconfined. And then you can give rules on what it is allowed
> to start.  So you need to create a tcpservice_service_t, so your rule should be

Op made it clear that this is not an option right now. Also keep in mind
that tcp server listens on behalf of sshd which will be confined once
SELinux transitions tcpserver from unconfined_service_t to sshd_t as per
my example earlier.

It is not ideal, granted, but there are subtile details to
consider. Things are either black or white.

>
> allow tcpservice_service_t sshd_exec_t:file { execute
> 		execute_no_trans getattr ioctl map open read };
>
> /* execute_no_trans is probably not what you want */
>
>  But you do NOT want
>
> allow tcpservice_service_t unconfined_t:process dyntransition;
>
>
> On fedora it would be like:
>
> allow tcpservice_service_t sshd_t:process dyntransition;
>
> and sshd is then allowed to create unconfined shell or what ever.
>  
>
>> Thank you,
>>
>> Alan Stern
>>
>>
>

-- 
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift