Re: Selinux context type is same for root & normal user both

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Dominick Grift <dominick.grift@defensec.nl>
To: Ashish Mishra <ashishm@mvista.com>
Cc: SElinux list <selinux@vger.kernel.org>, Paul Moore <paul@paul-moore.com>
Subject: Re: Selinux context type is same for root & normal user both
Date: Wed, 06 Jan 2021 14:52:37 +0100	[thread overview]
Message-ID: <ypjla6tmgoka.fsf@defensec.nl> (raw)
In-Reply-To: <CAP2Ojch8tfxeYwep2LmouBF7RgUctfJ5Xh_MxvnKZ3fd82Bogw@mail.gmail.com> (Ashish Mishra's message of "Wed, 6 Jan 2021 19:05:53 +0530")

Ashish Mishra <ashishm@mvista.com> writes:

> Hi Dominick ,
>
> Thanks for the inputs above.
>
> 1) w.r.t Monolithic , i am trying refpolicy with monolithic design as suggested.
>
> 2) I am debugging on the lines you suggested , and prima facie looks like the
>     busybox login is being executed here which takes
> system_u:object_r:root_t as context

I do not understand what you mean by that. Context
"system_u:object_r:root_t" is a "file" context and I do not understand
where you get that from.

Busybox is a shell with built-in modules AFAIK. It should be labeled
"u:object_r:shell_exec_t" IMHO

>
> 3) Can you please let me know which stable source code for
>     a) policycoreutils-python    ( to get semanage on target )
>     b) setools-console              ( to get seinfo / sesearch on target )
>     Please note that we have integrated userland libraries and tools
> projects from https://github.com/SELinuxProject/selinux
>     But the above mentioned binaries are not present on target.

https://github.com/SELinuxProject/selinux/releases/download/20200710/selinux-python-3.1.tar.gz
https://github.com/SELinuxProject/setools/releases/download/4.3.0/setools-4.3.0.tar.bz2

>
> Request to please let me know input / feedback if i am missing any
> obvious things here

Its hard to say. There are quite a few variables and I am not sure
exactly what the current state of your work is and where you want to go
(ie what your goals and requirements are)

I guess you should determine what the login programs used are and then
to address those to ensure that login user shells are labeled the way
you want them labeled.

It is probably best to enclose avc denials for any challenge you face.


>
> Thanks ,
> Ashish
>
>
>
>
>
>
>
> On Mon, Jan 4, 2021 at 6:21 PM Dominick Grift
> <dominick.grift@defensec.nl> wrote:
>>
>> Ashish Mishra <ashishm@mvista.com> writes:
>>
>> > Hi Dominick ,
>> >
>> > Thanks for inputs .
>> >
>> > a) This is an embedded board which logs in by default as a ROOT user.
>> >      Any pointers as to where can i look to debug the cause due to
>> > which context is "system_u"
>>
>> Lack of PAM support or misconfigurated PAM config (pam_selinux needs to
>> be present in the appropriate PAM stacks)
>>
>> >
>> > b) Apologies , but can you please help method / approach / debug
>> > points by which
>> >     -> I can evaluate the expected contexts for root & testuser
>> >     -> I can see that the labels are created using ls -alZ .
>> >         Is there any other method / debug point to check filesystems
>> > are labeled according to the policy.
>> >         ( as i am using standard refpolicy to create an default policy
>> > on board )
>>
>> You start by determining the current context of the login user (id -Z
>> will print the context of the current shell). Then you determine the
>> context of the directory in which the file is created (ls -dZ)
>>
>> With this information you can query:
>>
>> sesearch -T -s "type returned by id -Z" | grep "type returned by ls -dZ"
>>
>> That should return any existing "type_transition" rules where the type
>> of the user is the source and the type of the destination directory is a target
>>
>> >
>> >
>> > Thanks ,
>> > Ashish
>>
>> The question is whether you want/need IBAC/RBAC on an embedded device
>> with only one user (root)
>>
>> In my policy for OpenWrt (which is a embedded wireless router firmare) i
>> do not use IBAC/RBAC either and i just add a rule that say's when the
>> login program (sshd) executes a shell then assume that this is a login
>> user shell and automatically transition from the sshd context to a specified
>> user context)
>>
>> On embedded devices "modular reference policy" does not make sense to
>> use (these devices generally do not have the resources to compile/link
>> policy at runtime) IMHO and the "monolithic reference policy" does not work well with
>> PAM and users.
>>
>> But, yes, if you want modular refpolicy on a multi-user system then you
>> probably want PAM
>>
>> --
>> gpg --locate-keys dominick.grift@defensec.nl
>> Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
>> https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
>> Dominick Grift

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift

next prev parent reply	other threads:[~2021-01-06 13:53 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-01-04 10:55 Selinux context type is same for root & normal user both Ashish Mishra
2021-01-04 12:16 ` Dominick Grift
2021-01-04 12:39   ` Ashish Mishra
2021-01-04 12:51     ` Dominick Grift
2021-01-06 13:35       ` Ashish Mishra
2021-01-06 13:52         ` Dominick Grift [this message]
     [not found]           ` <CAP2OjcjOEXsWM1H2pkMzhb3y2ss7SCTw8_1Tsb23kUnEDVfx-g@mail.gmail.com>
2021-01-06 14:30             ` Dominick Grift
2021-01-06 14:55               ` Ashish Mishra
2021-01-06 15:04                 ` Dominick Grift
2021-01-06 15:20                   ` Ashish Mishra
2021-01-06 15:39                     ` Dominick Grift
2021-01-06 16:00                       ` Ondrej Mosnacek
2021-01-06 16:16                         ` Ashish Mishra
2021-01-06 16:39                           ` Dominick Grift
2021-01-07  7:35                             ` Ashish Mishra
2021-01-06 14:25       ` Ashish Mishra
2021-01-06 14:27       ` Ashish Mishra
2021-01-06 14:41         ` Dominick Grift
2021-01-06 14:45           ` Dominick Grift

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ypjla6tmgoka.fsf@defensec.nl \
    --to=dominick.grift@defensec.nl \
    --cc=ashishm@mvista.com \
    --cc=paul@paul-moore.com \
    --cc=selinux@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.