* Defining SELinux users, "Unable to get valid context...". Help!
@ 2021-02-11 20:12 Peter Whittaker
2021-02-11 20:40 ` Fwd: " Peter Whittaker
2021-02-12 7:22 ` Dominick Grift
0 siblings, 2 replies; 19+ messages in thread
From: Peter Whittaker @ 2021-02-11 20:12 UTC (permalink / raw)
To: SElinux list
Good afternoon,
BLUF: Logging in via SSH or directly at the console results
in "Unable to get valid context...". Help! Much info included.
I'm working on a software diode implementing a linear assured pipeline
which is secured with SELinux. As part of this, I am defining a number
of SELinux users, with the goal being that Linux users belonging to a
specific Linux group will, at login, be assigned to the applicable
SELinux user, then role, then type, etc.
However. When I log in as my test user, icmc01, via the console or via
SSH, I get the message "Unable to get valid context for icmc01". A
check with "id -Z" shows that my test user has the following context:
system_u:system_r:unconfined_t:s0-s0:c0.c1023
I really want them to have the context:
CDTml_high2local_u:CDTml_high2local_r:xferHigh2Local_t:s0-s0:c0.c1023
(In fact, I don't care about the MLS/MCS portion, I am more than happy
to accept system defaults; I'm really only going for the MAC.)
What follows is everything I could think to include, from their passwd
entry and the group file to semanage settings, from the contexts and
content of various SELinux configuration files to the relevant snips
of the TE file itself.
NOTE: This is all under permissive mode, targeted policy.
Any insight or direction will be much appreciated, I am tearing out
my hair. Thank you!
% grep icmc01 /etc/passwd
icmc01:x:2105:2105::/home/icmc01:/bin/bash
% grep 2105 /etc/group
CDTml_high2local:x:2105:
% semanage login -l |grep CDTml_high2local_u
%CDTml_high2local CDTml_high2local_u s0-s0:c0.c1023 *
% semanage user -l |grep CDTml_high2local_u
CDTml_high2local_u user s0 s0-s0:c0.c1023
CDTml_high2local_r
% ls -lZ /etc/selinux/targeted/contexts/users/CDTml_high2local_u
-rw-r--r--. root root system_u:object_r:default_context_t:s0
/etc/selinux/targeted/contexts/users/CDTml_high2local_u
% cat /etc/selinux/targeted/contexts/users/CDTml_high2local_u
system_r:crond_t:s0
CDTml_high2local_r:xferHigh2Local_t:s0
system_r:initrc_su_t:s0
CDTml_high2local_r:xferHigh2Local_t:s0
system_r:local_login_t:s0
CDTml_high2local_r:xferHigh2Local_t:s0
system_r:remote_login_t:s0
CDTml_high2local_r:xferHigh2Local_t:s0
system_r:sshd_t:s0
CDTml_high2local_r:xferHigh2Local_t:s0
CDTml_high2local_r:xferHigh2Local_t:s0
CDTml_high2local_r:xferHigh2Local_t:s0
% ls -lZ /etc/selinux/targeted/contexts/default_*
-rw-r--r--. root root system_u:object_r:default_context_t:s0
/etc/selinux/targeted/contexts/default_contexts
-rw-r--r--. root root system_u:object_r:default_context_t:s0
/etc/selinux/targeted/contexts/default_type
% cat /etc/selinux/targeted/contexts/default_contexts
system_r:crond_t:s0 system_r:system_cronjob_t:s0
system_r:local_login_t:s0 user_r:user_t:s0
CDTml_high2local_r:xferHigh2Local_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0
CDTml_high2local_r:xferHigh2Local_t:s0
system_r:sshd_t:s0 user_r:user_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0
system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
system_r:xdm_t:s0 user_r:user_t:s0
% uname -a
Linux localhost.localdomain 3.10.0-1160.6.1.el7.x86_64 #1 SMP Wed
Oct 21 13:44:38 EDT 2020 x86_64 x86_64 x86_64 GNU/Linux
% more /etc/redhat-release
Red Hat Enterprise Linux Server release 7.9 (Maipo)
% yum info installed \*selinux\*|grep -A3 '^Name'
Name : libselinux
Arch : x86_64
Version : 2.5
Release : 15.el7
--
Name : libselinux-python
Arch : x86_64
Version : 2.5
Release : 15.el7
--
Name : libselinux-utils
Arch : x86_64
Version : 2.5
Release : 15.el7
--
Name : selinux-policy
Arch : noarch
Version : 3.13.1
Release : 268.el7_9.2
--
Name : selinux-policy-devel
Arch : noarch
Version : 3.13.1
Release : 268.el7_9.2
--
Name : selinux-policy-targeted
Arch : noarch
Version : 3.13.1
Release : 268.el7_9.2
% grep -C3 CDTml_high2local_r CDTml.te
# and grant them access to our types
role CDTml_low2local_r;
role CDTml_local2high_r;
role CDTml_high2local_r;
role CDTml_local2low_r;
role CDTml_auditor_r;
allow system_r {
CDTml_low2local_r
CDTml_local2high_r
CDTml_high2local_r
CDTml_local2low_r
CDTml_auditor_r
};
allow unconfined_r {
CDTml_low2local_r
CDTml_local2high_r
CDTml_high2local_r
CDTml_local2low_r
CDTml_auditor_r
};
--
xferLocal2High_t
xferLocal2High_exec_t
};
role CDTml_high2local_r types {
xferHigh2Local_t
xferHigh2Local_exec_t
};
% tail -f /var/log/secure
Feb 11 14:57:44 localhost login: pam_selinux(login:session): Open Session
Feb 11 14:57:44 localhost login: pam_selinux(login:session): Open Session
Feb 11 14:57:44 localhost login: pam_selinux(login:session):
Username= icmc01 SELinux User= CDTml_high2local_u Level=
s0-s0:c0.c1023
Feb 11 14:57:44 localhost login: pam_selinux(login:session):
Unable to get valid context for icmc01
Feb 11 14:57:44 localhost login: pam_unix(login:session): session
opened for user icmc01 by LOGIN(uid=0)
Feb 11 14:57:44 localhost login: LOGIN ON tty2 BY icmc01
Peter Whittaker
Director, Business Development
www.SphyrnaSecurity.com
+1 613 864 5337
^ permalink raw reply [flat|nested] 19+ messages in thread* Fwd: Defining SELinux users, "Unable to get valid context...". Help! 2021-02-11 20:12 Defining SELinux users, "Unable to get valid context...". Help! Peter Whittaker @ 2021-02-11 20:40 ` Peter Whittaker 2021-02-12 7:22 ` Dominick Grift 1 sibling, 0 replies; 19+ messages in thread From: Peter Whittaker @ 2021-02-11 20:40 UTC (permalink / raw) To: SElinux list Good afternoon, BLUF: Logging in via SSH or directly at the console results in "Unable to get valid context...". Help! Much info included. I'm working on a software diode implementing a linear assured pipeline which is secured with SELinux. As part of this, I am defining a number of SELinux users, with the goal being that Linux users belonging to a specific Linux group will, at login, be assigned to the applicable SELinux user, then role, then type, etc. However. When I log in as my test user, icmc01, via the console or via SSH, I get the message "Unable to get valid context for icmc01". A check with "id -Z" shows that my test user has the following context: system_u:system_r:unconfined_t:s0-s0:c0.c1023 I really want them to have the context: CDTml_high2local_u:CDTml_high2local_r:xferHigh2Local_t:s0-s0:c0.c1023 (In fact, I don't care about the MLS/MCS portion, I am more than happy to accept system defaults; I'm really only going for the MAC.) What follows is everything I could think to include, from their passwd entry and the group file to semanage settings, from the contexts and content of various SELinux configuration files to the relevant snips of the TE file itself. NOTE: This is all under permissive mode, targeted policy. Any insight or direction will be much appreciated, I am tearing out my hair. Thank you! % grep icmc01 /etc/passwd icmc01:x:2105:2105::/home/icmc01:/bin/bash % grep 2105 /etc/group CDTml_high2local:x:2105: % semanage login -l |grep CDTml_high2local_u %CDTml_high2local CDTml_high2local_u s0-s0:c0.c1023 * % semanage user -l |grep CDTml_high2local_u CDTml_high2local_u user s0 s0-s0:c0.c1023 CDTml_high2local_r % ls -lZ /etc/selinux/targeted/contexts/users/CDTml_high2local_u -rw-r--r--. root root system_u:object_r:default_context_t:s0 /etc/selinux/targeted/contexts/users/CDTml_high2local_u % cat /etc/selinux/targeted/contexts/users/CDTml_high2local_u system_r:crond_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0 system_r:initrc_su_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0 system_r:local_login_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0 system_r:remote_login_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0 system_r:sshd_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0 % ls -lZ /etc/selinux/targeted/contexts/default_* -rw-r--r--. root root system_u:object_r:default_context_t:s0 /etc/selinux/targeted/contexts/default_contexts -rw-r--r--. root root system_u:object_r:default_context_t:s0 /etc/selinux/targeted/contexts/default_type % cat /etc/selinux/targeted/contexts/default_contexts system_r:crond_t:s0 system_r:system_cronjob_t:s0 system_r:local_login_t:s0 user_r:user_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0 system_r:remote_login_t:s0 user_r:user_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0 system_r:sshd_t:s0 user_r:user_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0 system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0 system_r:xdm_t:s0 user_r:user_t:s0 % uname -a Linux localhost.localdomain 3.10.0-1160.6.1.el7.x86_64 #1 SMP Wed Oct 21 13:44:38 EDT 2020 x86_64 x86_64 x86_64 GNU/Linux % more /etc/redhat-release Red Hat Enterprise Linux Server release 7.9 (Maipo) % yum info installed \*selinux\*|grep -A3 '^Name' Name : libselinux Arch : x86_64 Version : 2.5 Release : 15.el7 -- Name : libselinux-python Arch : x86_64 Version : 2.5 Release : 15.el7 -- Name : libselinux-utils Arch : x86_64 Version : 2.5 Release : 15.el7 -- Name : selinux-policy Arch : noarch Version : 3.13.1 Release : 268.el7_9.2 -- Name : selinux-policy-devel Arch : noarch Version : 3.13.1 Release : 268.el7_9.2 -- Name : selinux-policy-targeted Arch : noarch Version : 3.13.1 Release : 268.el7_9.2 % grep -C3 CDTml_high2local_r CDTml.te # and grant them access to our types role CDTml_low2local_r; role CDTml_local2high_r; role CDTml_high2local_r; role CDTml_local2low_r; role CDTml_auditor_r; allow system_r { CDTml_low2local_r CDTml_local2high_r CDTml_high2local_r CDTml_local2low_r CDTml_auditor_r }; allow unconfined_r { CDTml_low2local_r CDTml_local2high_r CDTml_high2local_r CDTml_local2low_r CDTml_auditor_r }; -- xferLocal2High_t xferLocal2High_exec_t }; role CDTml_high2local_r types { xferHigh2Local_t xferHigh2Local_exec_t }; % tail -f /var/log/secure Feb 11 14:57:44 localhost login: pam_selinux(login:session): Open Session Feb 11 14:57:44 localhost login: pam_selinux(login:session): Open Session Feb 11 14:57:44 localhost login: pam_selinux(login:session): Username= icmc01 SELinux User= CDTml_high2local_u Level= s0-s0:c0.c1023 Feb 11 14:57:44 localhost login: pam_selinux(login:session): Unable to get valid context for icmc01 Feb 11 14:57:44 localhost login: pam_unix(login:session): session opened for user icmc01 by LOGIN(uid=0) Feb 11 14:57:44 localhost login: LOGIN ON tty2 BY icmc01 Peter Whittaker ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Defining SELinux users, "Unable to get valid context...". Help! 2021-02-11 20:12 Defining SELinux users, "Unable to get valid context...". Help! Peter Whittaker 2021-02-11 20:40 ` Fwd: " Peter Whittaker @ 2021-02-12 7:22 ` Dominick Grift 2021-02-12 7:54 ` Dominick Grift 1 sibling, 1 reply; 19+ messages in thread From: Dominick Grift @ 2021-02-12 7:22 UTC (permalink / raw) To: Peter Whittaker; +Cc: SElinux list Peter Whittaker <peterwhittaker@sphyrnasecurity.com> writes: > Good afternoon, > > BLUF: Logging in via SSH or directly at the console results > in "Unable to get valid context...". Help! Much info included. > > I'm working on a software diode implementing a linear assured pipeline > which is secured with SELinux. As part of this, I am defining a number > of SELinux users, with the goal being that Linux users belonging to a > specific Linux group will, at login, be assigned to the applicable > SELinux user, then role, then type, etc. > > However. When I log in as my test user, icmc01, via the console or via > SSH, I get the message "Unable to get valid context for icmc01". A > check with "id -Z" shows that my test user has the following context: > > system_u:system_r:unconfined_t:s0-s0:c0.c1023 > > I really want them to have the context: > > CDTml_high2local_u:CDTml_high2local_r:xferHigh2Local_t:s0-s0:c0.c1023 > > (In fact, I don't care about the MLS/MCS portion, I am more than happy > to accept system defaults; I'm really only going for the MAC.) > > What follows is everything I could think to include, from their passwd > entry and the group file to semanage settings, from the contexts and > content of various SELinux configuration files to the relevant snips > of the TE file itself. A few things that I could find but that are needed for computing contexts are: the login programs need to be allowed to manual transition to the user type. So for example if you want to login with sshd_t: allow sshd_t xferHigh2Local_t:process transition; The user type needs to be a bin and shell entry type: allow xferHigh2Local_t { bin_t shell_exec_t }:file entrypoint; There is probably more that i am overlooking but these, i think, are important part for computation of contexts See where those get you. > > NOTE: This is all under permissive mode, targeted policy. > > Any insight or direction will be much appreciated, I am tearing out > my hair. Thank you! > > % grep icmc01 /etc/passwd > icmc01:x:2105:2105::/home/icmc01:/bin/bash > > % grep 2105 /etc/group > CDTml_high2local:x:2105: > > % semanage login -l |grep CDTml_high2local_u > %CDTml_high2local CDTml_high2local_u s0-s0:c0.c1023 * > > % semanage user -l |grep CDTml_high2local_u > CDTml_high2local_u user s0 s0-s0:c0.c1023 > CDTml_high2local_r > > % ls -lZ /etc/selinux/targeted/contexts/users/CDTml_high2local_u > -rw-r--r--. root root system_u:object_r:default_context_t:s0 > /etc/selinux/targeted/contexts/users/CDTml_high2local_u > > % cat /etc/selinux/targeted/contexts/users/CDTml_high2local_u > system_r:crond_t:s0 > CDTml_high2local_r:xferHigh2Local_t:s0 > system_r:initrc_su_t:s0 > CDTml_high2local_r:xferHigh2Local_t:s0 > system_r:local_login_t:s0 > CDTml_high2local_r:xferHigh2Local_t:s0 > system_r:remote_login_t:s0 > CDTml_high2local_r:xferHigh2Local_t:s0 > system_r:sshd_t:s0 > CDTml_high2local_r:xferHigh2Local_t:s0 > CDTml_high2local_r:xferHigh2Local_t:s0 > CDTml_high2local_r:xferHigh2Local_t:s0 > > % ls -lZ /etc/selinux/targeted/contexts/default_* > -rw-r--r--. root root system_u:object_r:default_context_t:s0 > /etc/selinux/targeted/contexts/default_contexts > -rw-r--r--. root root system_u:object_r:default_context_t:s0 > /etc/selinux/targeted/contexts/default_type > > % cat /etc/selinux/targeted/contexts/default_contexts > system_r:crond_t:s0 system_r:system_cronjob_t:s0 > system_r:local_login_t:s0 user_r:user_t:s0 > CDTml_high2local_r:xferHigh2Local_t:s0 > system_r:remote_login_t:s0 user_r:user_t:s0 > CDTml_high2local_r:xferHigh2Local_t:s0 > system_r:sshd_t:s0 user_r:user_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0 > system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0 > system_r:xdm_t:s0 user_r:user_t:s0 > > % uname -a > Linux localhost.localdomain 3.10.0-1160.6.1.el7.x86_64 #1 SMP Wed > Oct 21 13:44:38 EDT 2020 x86_64 x86_64 x86_64 GNU/Linux > > % more /etc/redhat-release > Red Hat Enterprise Linux Server release 7.9 (Maipo) > > % yum info installed \*selinux\*|grep -A3 '^Name' > Name : libselinux > Arch : x86_64 > Version : 2.5 > Release : 15.el7 > -- > Name : libselinux-python > Arch : x86_64 > Version : 2.5 > Release : 15.el7 > -- > Name : libselinux-utils > Arch : x86_64 > Version : 2.5 > Release : 15.el7 > -- > Name : selinux-policy > Arch : noarch > Version : 3.13.1 > Release : 268.el7_9.2 > -- > Name : selinux-policy-devel > Arch : noarch > Version : 3.13.1 > Release : 268.el7_9.2 > -- > Name : selinux-policy-targeted > Arch : noarch > Version : 3.13.1 > Release : 268.el7_9.2 > > % grep -C3 CDTml_high2local_r CDTml.te > # and grant them access to our types > role CDTml_low2local_r; > role CDTml_local2high_r; > role CDTml_high2local_r; > role CDTml_local2low_r; > role CDTml_auditor_r; > > allow system_r { > CDTml_low2local_r > CDTml_local2high_r > CDTml_high2local_r > CDTml_local2low_r > CDTml_auditor_r > }; > allow unconfined_r { > CDTml_low2local_r > CDTml_local2high_r > CDTml_high2local_r > CDTml_local2low_r > CDTml_auditor_r > }; > -- > xferLocal2High_t > xferLocal2High_exec_t > }; > role CDTml_high2local_r types { > xferHigh2Local_t > xferHigh2Local_exec_t > }; > > % tail -f /var/log/secure > Feb 11 14:57:44 localhost login: pam_selinux(login:session): Open Session > Feb 11 14:57:44 localhost login: pam_selinux(login:session): Open Session > Feb 11 14:57:44 localhost login: pam_selinux(login:session): > Username= icmc01 SELinux User= CDTml_high2local_u Level= > s0-s0:c0.c1023 > Feb 11 14:57:44 localhost login: pam_selinux(login:session): > Unable to get valid context for icmc01 > Feb 11 14:57:44 localhost login: pam_unix(login:session): session > opened for user icmc01 by LOGIN(uid=0) > Feb 11 14:57:44 localhost login: LOGIN ON tty2 BY icmc01 > > > Peter Whittaker > Director, Business Development > www.SphyrnaSecurity.com > +1 613 864 5337 -- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Defining SELinux users, "Unable to get valid context...". Help! 2021-02-12 7:22 ` Dominick Grift @ 2021-02-12 7:54 ` Dominick Grift 2021-02-12 21:16 ` Peter Whittaker 0 siblings, 1 reply; 19+ messages in thread From: Dominick Grift @ 2021-02-12 7:54 UTC (permalink / raw) To: Peter Whittaker; +Cc: SElinux list Dominick Grift <dominick.grift@defensec.nl> writes: > Peter Whittaker <peterwhittaker@sphyrnasecurity.com> writes: > >> Good afternoon, >> >> BLUF: Logging in via SSH or directly at the console results >> in "Unable to get valid context...". Help! Much info included. >> >> I'm working on a software diode implementing a linear assured pipeline >> which is secured with SELinux. As part of this, I am defining a number >> of SELinux users, with the goal being that Linux users belonging to a >> specific Linux group will, at login, be assigned to the applicable >> SELinux user, then role, then type, etc. >> >> However. When I log in as my test user, icmc01, via the console or via >> SSH, I get the message "Unable to get valid context for icmc01". A >> check with "id -Z" shows that my test user has the following context: >> >> system_u:system_r:unconfined_t:s0-s0:c0.c1023 >> >> I really want them to have the context: >> >> CDTml_high2local_u:CDTml_high2local_r:xferHigh2Local_t:s0-s0:c0.c1023 >> >> (In fact, I don't care about the MLS/MCS portion, I am more than happy >> to accept system defaults; I'm really only going for the MAC.) >> >> What follows is everything I could think to include, from their passwd >> entry and the group file to semanage settings, from the contexts and >> content of various SELinux configuration files to the relevant snips >> of the TE file itself. > > A few things that I could find but that are needed for computing > contexts are: > > the login programs need to be allowed to manual transition to the user > type. So for example if you want to login with sshd_t: > allow sshd_t xferHigh2Local_t:process transition; In relation to the above, ensure that the xferHigh2Local_t type is associated with the process_user_target typeattribute: typeattribute xferHigh2Local_t process_user_target; > > The user type needs to be a bin and shell entry type: > allow xferHigh2Local_t { bin_t shell_exec_t }:file entrypoint; > > There is probably more that i am overlooking but these, i think, are > important part for computation of contexts > > See where those get you. > >> >> NOTE: This is all under permissive mode, targeted policy. >> >> Any insight or direction will be much appreciated, I am tearing out >> my hair. Thank you! >> >> % grep icmc01 /etc/passwd >> icmc01:x:2105:2105::/home/icmc01:/bin/bash >> >> % grep 2105 /etc/group >> CDTml_high2local:x:2105: >> >> % semanage login -l |grep CDTml_high2local_u >> %CDTml_high2local CDTml_high2local_u s0-s0:c0.c1023 * >> >> % semanage user -l |grep CDTml_high2local_u >> CDTml_high2local_u user s0 s0-s0:c0.c1023 >> CDTml_high2local_r >> >> % ls -lZ /etc/selinux/targeted/contexts/users/CDTml_high2local_u >> -rw-r--r--. root root system_u:object_r:default_context_t:s0 >> /etc/selinux/targeted/contexts/users/CDTml_high2local_u >> >> % cat /etc/selinux/targeted/contexts/users/CDTml_high2local_u >> system_r:crond_t:s0 >> CDTml_high2local_r:xferHigh2Local_t:s0 >> system_r:initrc_su_t:s0 >> CDTml_high2local_r:xferHigh2Local_t:s0 >> system_r:local_login_t:s0 >> CDTml_high2local_r:xferHigh2Local_t:s0 >> system_r:remote_login_t:s0 >> CDTml_high2local_r:xferHigh2Local_t:s0 >> system_r:sshd_t:s0 >> CDTml_high2local_r:xferHigh2Local_t:s0 >> CDTml_high2local_r:xferHigh2Local_t:s0 >> CDTml_high2local_r:xferHigh2Local_t:s0 >> >> % ls -lZ /etc/selinux/targeted/contexts/default_* >> -rw-r--r--. root root system_u:object_r:default_context_t:s0 >> /etc/selinux/targeted/contexts/default_contexts >> -rw-r--r--. root root system_u:object_r:default_context_t:s0 >> /etc/selinux/targeted/contexts/default_type >> >> % cat /etc/selinux/targeted/contexts/default_contexts >> system_r:crond_t:s0 system_r:system_cronjob_t:s0 >> system_r:local_login_t:s0 user_r:user_t:s0 >> CDTml_high2local_r:xferHigh2Local_t:s0 >> system_r:remote_login_t:s0 user_r:user_t:s0 >> CDTml_high2local_r:xferHigh2Local_t:s0 >> system_r:sshd_t:s0 user_r:user_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0 >> system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0 >> system_r:xdm_t:s0 user_r:user_t:s0 >> >> % uname -a >> Linux localhost.localdomain 3.10.0-1160.6.1.el7.x86_64 #1 SMP Wed >> Oct 21 13:44:38 EDT 2020 x86_64 x86_64 x86_64 GNU/Linux >> >> % more /etc/redhat-release >> Red Hat Enterprise Linux Server release 7.9 (Maipo) >> >> % yum info installed \*selinux\*|grep -A3 '^Name' >> Name : libselinux >> Arch : x86_64 >> Version : 2.5 >> Release : 15.el7 >> -- >> Name : libselinux-python >> Arch : x86_64 >> Version : 2.5 >> Release : 15.el7 >> -- >> Name : libselinux-utils >> Arch : x86_64 >> Version : 2.5 >> Release : 15.el7 >> -- >> Name : selinux-policy >> Arch : noarch >> Version : 3.13.1 >> Release : 268.el7_9.2 >> -- >> Name : selinux-policy-devel >> Arch : noarch >> Version : 3.13.1 >> Release : 268.el7_9.2 >> -- >> Name : selinux-policy-targeted >> Arch : noarch >> Version : 3.13.1 >> Release : 268.el7_9.2 >> >> % grep -C3 CDTml_high2local_r CDTml.te >> # and grant them access to our types >> role CDTml_low2local_r; >> role CDTml_local2high_r; >> role CDTml_high2local_r; >> role CDTml_local2low_r; >> role CDTml_auditor_r; >> >> allow system_r { >> CDTml_low2local_r >> CDTml_local2high_r >> CDTml_high2local_r >> CDTml_local2low_r >> CDTml_auditor_r >> }; >> allow unconfined_r { >> CDTml_low2local_r >> CDTml_local2high_r >> CDTml_high2local_r >> CDTml_local2low_r >> CDTml_auditor_r >> }; >> -- >> xferLocal2High_t >> xferLocal2High_exec_t >> }; >> role CDTml_high2local_r types { >> xferHigh2Local_t >> xferHigh2Local_exec_t >> }; >> >> % tail -f /var/log/secure >> Feb 11 14:57:44 localhost login: pam_selinux(login:session): Open Session >> Feb 11 14:57:44 localhost login: pam_selinux(login:session): Open Session >> Feb 11 14:57:44 localhost login: pam_selinux(login:session): >> Username= icmc01 SELinux User= CDTml_high2local_u Level= >> s0-s0:c0.c1023 >> Feb 11 14:57:44 localhost login: pam_selinux(login:session): >> Unable to get valid context for icmc01 >> Feb 11 14:57:44 localhost login: pam_unix(login:session): session >> opened for user icmc01 by LOGIN(uid=0) >> Feb 11 14:57:44 localhost login: LOGIN ON tty2 BY icmc01 >> >> >> Peter Whittaker >> Director, Business Development >> www.SphyrnaSecurity.com >> +1 613 864 5337 -- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Defining SELinux users, "Unable to get valid context...". Help! 2021-02-12 7:54 ` Dominick Grift @ 2021-02-12 21:16 ` Peter Whittaker 2021-02-12 21:49 ` Dominick Grift 0 siblings, 1 reply; 19+ messages in thread From: Peter Whittaker @ 2021-02-12 21:16 UTC (permalink / raw) To: Dominick Grift; +Cc: SElinux list On Fri, Feb 12, 2021 at 2:58 AM Dominick Grift <dominick.grift@defensec.nl> wrote: > Dominick Grift <dominick.grift@defensec.nl> writes: > > Peter Whittaker <peterwhittaker@sphyrnasecurity.com> writes: > > > >> BLUF: Logging in via SSH or directly at the console results > >> in "Unable to get valid context...". Help! Much info included. Thanks to Dominick, I have made at least some progress: I can get the role to transition, but not the user or the process type. Details below. > > A few things that I could find but that are needed for computing > > contexts are: > > > > the login programs need to be allowed to manual transition to the user > > type. So for example if you want to login with sshd_t: > > allow sshd_t xferHigh2Local_t:process transition; That rule was already present (it is the only one I really need, these users will be coming in via SSH only). > In relation to the above, ensure that the xferHigh2Local_t type is > associated with the process_user_target typeattribute: > typeattribute xferHigh2Local_t process_user_target; I added process_user_target to the type definition, no effect: type xferHigh2Local_t, CDTml_types, userdomain, process_user_target; > > The user type needs to be a bin and shell entry type: > > allow xferHigh2Local_t { bin_t shell_exec_t }:file entrypoint; Also added that, after testing process_user_target, no effect. (So I had all three suggestions active.) I then added role_transition system_r sshd_exec_t CDTml_high2local_r; and this got me my first real progress - 'id -Z' now shows: system_u:CDTml_high2local_r:unconfined_t:s0 > > There is probably more that i am overlooking but these, i think, are > > important part for computation of contexts Any other suggestions would be most welcome! I am at a loss, especially since the *_u "types" are not part of the policy but are defined via semanage, and I already have rules for the _t types, via an existing rules: allow { sshd_t unconfined_t } xferHigh2Local_t:process transition; What surprises me most is that originally nothing showed up in ausearch. I suppose this is because either PAM or SSHD is doing the computation and not logging it in audit.log, but that is just a guess, likely misguided. However! After that last allow, above, I finally have errors in ausearch, many repeats of: libsepol.context_from_record: invalid security context: "system_u:CDTml_high2local_r:sshd_t:s0" libsepol.context_from_record: could not create context structure libsepol.context_from_string: could not create context structure libsepol.sepol_context_to_sid: could not convert system_u:CDTml_high2local_r:sshd_t:s0 to sid libsepol.context_from_record: invalid security context: "system_u:CDTml_high2local_r:unconfined_t:s0" libsepol.context_from_record: could not create context structure libsepol.context_from_string: could not create context structure libsepol.sepol_context_to_sid: could not convert system_u:CDTml_high2local_r:unconfined_t:s0 to sid I then expanded the basic allow rule for the CDTml_high2local_r role: role CDTml_high2local_r types { sshd_t unconfined_t xferHigh2Local_t xferHigh2Local_exec_t }; This didn't get me any farther, though. Do I need to widen the roles associated with CDTml_high2local_u at login? I really am trying to keep them as tight as possible. (Which, incidentally, is one of the reasons I am using "old school" rules and not CIL: the M4 macros may do more than I need them to....) Thanks, P PS apologies to all for the double send of the original, user error (PEBCAD). Peter Whittaker Director, Business Development www.SphyrnaSecurity.com +1 613 864 5337 ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Defining SELinux users, "Unable to get valid context...". Help! 2021-02-12 21:16 ` Peter Whittaker @ 2021-02-12 21:49 ` Dominick Grift 2021-02-12 22:43 ` Peter Whittaker 0 siblings, 1 reply; 19+ messages in thread From: Dominick Grift @ 2021-02-12 21:49 UTC (permalink / raw) To: Peter Whittaker; +Cc: SElinux list Peter Whittaker <peterwhittaker@sphyrnasecurity.com> writes: > On Fri, Feb 12, 2021 at 2:58 AM Dominick Grift > <dominick.grift@defensec.nl> wrote: >> Dominick Grift <dominick.grift@defensec.nl> writes: >> > Peter Whittaker <peterwhittaker@sphyrnasecurity.com> writes: >> > >> >> BLUF: Logging in via SSH or directly at the console results >> >> in "Unable to get valid context...". Help! Much info included. > > Thanks to Dominick, I have made at least some progress: I can get the > role to transition, > but not the user or the process type. Details below. > >> > A few things that I could find but that are needed for computing >> > contexts are: >> > >> > the login programs need to be allowed to manual transition to the user >> > type. So for example if you want to login with sshd_t: >> > allow sshd_t xferHigh2Local_t:process transition; > > That rule was already present (it is the only one I really need, these > users will be coming in via SSH only). Okay I dont think you mentioned that before > >> In relation to the above, ensure that the xferHigh2Local_t type is >> associated with the process_user_target typeattribute: >> typeattribute xferHigh2Local_t process_user_target; > > I added process_user_target to the type definition, no effect: > > type xferHigh2Local_t, CDTml_types, userdomain, process_user_target; I dont think you mentioned this before and I think you also didnt mention that you had userdomain associates with it. > >> > The user type needs to be a bin and shell entry type: >> > allow xferHigh2Local_t { bin_t shell_exec_t }:file entrypoint; > > Also added that, after testing process_user_target, no effect. (So I > had all three suggestions active.) > > I then added > > role_transition system_r sshd_exec_t CDTml_high2local_r; That is wrong > > and this got me my first real progress - 'id -Z' now shows: > > system_u:CDTml_high2local_r:unconfined_t:s0 Yes but that is wrong > >> > There is probably more that i am overlooking but these, i think, are >> > important part for computation of contexts > > Any other suggestions would be most welcome! I am at a loss, > especially since the > *_u "types" are not part of the policy but are defined via semanage, > and I already have > rules for the _t types, via an existing rules: > > allow { sshd_t unconfined_t } xferHigh2Local_t:process transition; > > What surprises me most is that originally nothing showed up in ausearch. > I suppose this is because either PAM or SSHD is doing the computation > and not logging it in audit.log, but that is just a guess, likely misguided. Yes the computation does not cause any logging > > However! After that last allow, above, I finally have errors in ausearch, > many repeats of: > > libsepol.context_from_record: invalid security context: > "system_u:CDTml_high2local_r:sshd_t:s0" > libsepol.context_from_record: could not create context structure > libsepol.context_from_string: could not create context structure > libsepol.sepol_context_to_sid: could not convert > system_u:CDTml_high2local_r:sshd_t:s0 to sid > libsepol.context_from_record: invalid security context: > "system_u:CDTml_high2local_r:unconfined_t:s0" > libsepol.context_from_record: could not create context structure > libsepol.context_from_string: could not create context structure > libsepol.sepol_context_to_sid: could not convert > system_u:CDTml_high2local_r:unconfined_t:s0 to sid > > I then expanded the basic allow rule for the CDTml_high2local_r role: > > role CDTml_high2local_r types { > sshd_t > unconfined_t > xferHigh2Local_t > xferHigh2Local_exec_t > }; Yes but the above is not right, and so those errors are expected. > > This didn't get me any farther, though. > > Do I need to widen the roles associated with CDTml_high2local_u at login? It helps if you post your full policy related to this and also the output of the following: seinfo -xuCDTml_high2local_u seinfo -xrCDTml_high2local_r seinfo -xtxferHigh2Local_t > > I really am trying to keep them as tight as possible. (Which, > incidentally, is one > of the reasons I am using "old school" rules and not CIL: the M4 macros may > do more than I need them to....) That shouldnt matter, but it helps if you post the full policy rather than snippets. also there are some tools that you can use to verify if a specified context can be reached. getconlist: https://github.com/SELinuxProject/selinux/blob/master/libselinux/utils/getconlist.c getdefaultcon: https://github.com/SELinuxProject/selinux/blob/master/libselinux/utils/getdefaultcon.c There is also a boolean that might affect things (but speculation without a closer look at your policy): ssh_sysadm_login see if setting that to on helps > > Thanks, > > P > > PS apologies to all for the double send of the original, user error (PEBCAD). > > Peter Whittaker > Director, Business Development > www.SphyrnaSecurity.com > +1 613 864 5337 -- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Defining SELinux users, "Unable to get valid context...". Help! 2021-02-12 21:49 ` Dominick Grift @ 2021-02-12 22:43 ` Peter Whittaker 2021-02-13 7:22 ` Dominick Grift 0 siblings, 1 reply; 19+ messages in thread From: Peter Whittaker @ 2021-02-12 22:43 UTC (permalink / raw) To: Dominick Grift; +Cc: SElinux list [-- Attachment #1: Type: text/plain, Size: 3502 bytes --] On Fri, Feb 12, 2021 at 4:52 PM Dominick Grift <dominick.grift@defensec.nl> wrote: > Peter Whittaker <peterwhittaker@sphyrnasecurity.com> writes: > > On Fri, Feb 12, 2021 at 2:58 AM Dominick Grift > > <dominick.grift@defensec.nl> wrote: > >> Dominick Grift <dominick.grift@defensec.nl> writes: > >> > Peter Whittaker <peterwhittaker@sphyrnasecurity.com> writes: > >> >> BLUF: Logging in via SSH or directly at the console results > >> >> in "Unable to get valid context...". Help! Much info included. > > > > Thanks to Dominick, I have made at least some progress: I can get the > > role to transition, but not the user or the process type. Details below. SNIP > > That rule was already present (it is the only one I really need, these > > users will be coming in via SSH only). > > Okay I dont think you mentioned that before No, I didn't. I've been testing with both SSH and local login in an attempt to determine where the problem might lie. > > I added process_user_target to the type definition, no effect: > > > > type xferHigh2Local_t, CDTml_types, userdomain, process_user_target; > > I dont think you mentioned this before and I think you also didnt > mention that you had userdomain associates with it. Correct. Oversight on my part. > > I then added > > > > role_transition system_r sshd_exec_t CDTml_high2local_r; > > That is wrong OK. I thought so to, thinking that the context/users and default_* files would control this, but it did cause a change. Thought it might be a useful data point. Can you validate my assumption re the users and default_* files? > > and this got me my first real progress - 'id -Z' now shows: > > > > system_u:CDTml_high2local_r:unconfined_t:s0 > > Yes but that is wrong Indeed! > > What surprises me most is that originally nothing showed up in ausearch. > > I suppose this is because either PAM or SSHD is doing the computation > > and not logging it in audit.log, but that is just a guess, likely misguided. > > Yes the computation does not cause any logging Ah. Unfortunate. > > However! After that last allow, above, I finally have errors in ausearch, > > many repeats of: > > > > libsepol.context_from_record: invalid security context: snip > > > > I then expanded the basic allow rule for the CDTml_high2local_r role: > > > > role CDTml_high2local_r types { > > sshd_t > > unconfined_t > > xferHigh2Local_t > > xferHigh2Local_exec_t > > }; > > Yes but the above is not right, and so those errors are expected. OK, that makes sense. > > This didn't get me any farther, though. > > > > Do I need to widen the roles associated with CDTml_high2local_u at login? > > It helps if you post your full policy related to this and also the output > of the following: > > seinfo -xuCDTml_high2local_u > seinfo -xrCDTml_high2local_r > seinfo -xtxferHigh2Local_t Attached as seinfosnip. You'll see that the final seinfo output is much too broad, I need to narrow down some of the access rules once I get basic functionality working. > That shouldnt matter, but it helps if you post the full policy rather > than snippets. Didn't want to overwhelm things! I've attached the full policy, CDTml.te. > getconlist: > getdefaultcon: I'll look into those next week. > There is also a boolean that might affect things (but speculation > without a closer look at your policy): > > ssh_sysadm_login I removed the bogus role perms and tried again, with that binary set. No effect. Thanks again! P [-- Attachment #2: seinfosnip --] [-- Type: application/octet-stream, Size: 1027 bytes --] seinfo -xuCDTml_high2local_u CDTml_high2local_u default level: s0 range: s0 roles: object_r CDTml_high2local_r seinfo -xrCDTml_high2local_r CDTml_high2local_r Dominated Roles: CDTml_high2local_r Types: xferHigh2Local_t xferHigh2Local_exec_t seinfo -xtxferHigh2Local_t xferHigh2Local_t CDTml_types process_user_target userdomain seinfo -xaCDTml_types CDTml_types xferRoot_t xferRootL2H_t xferRootH2L_t xferHigh2Local_t xferLocal2Low_t xferLow2Local_t xferLocal2High_t xferAdmin_t xferAdmin_exec_t xfer_etc_t xferVar_t xferLib_t xferAudit_t xferAudit_exec_t xferSELinux_t xferFilter_t xferAV_t xferAV_etc_t xferAVfail_t xferDWC_t xferDWC_etc_t xferHigh2Local_exec_t xferLocal2Low_exec_t xferLow2Local_exec_t xferLocal2High_exec_t xferAV_exec_t xferDWC_exec_t [-- Attachment #3: CDTml.te --] [-- Type: application/octet-stream, Size: 34146 bytes --] module CDTml 1.0; ########################################################### # # External dependencies. While only some of these are # used, there is no harm in including more than is # required. It's an odd vagary of SELinux. These are # derived from other working cross-domain systems. require { attribute can_change_object_identity; attribute can_read_shadow_passwords; attribute can_system_change; attribute dbusd_unconfined; attribute process_user_target; attribute userdomain; class capability { audit_write chown dac_override dac_read_search fowner fsetid net_admin net_raw setgid setuid sys_boot sys_ptrace }; class chr_file { append getattr ioctl open read setattr write }; class dbus { send_msg }; class dir { add_name create getattr open read relabelfrom relabelto remove_name rmdir search setattr write }; class fd { use }; class fifo_file { getattr create ioctl map open read relabelto setattr write }; class file { append create entrypoint execute execute_no_trans getattr ioctl link lock map open read relabelfrom relabelto rename setattr write unlink }; class filesystem { associate getattr }; class key { link read search view write }; class lnk_file { getattr open read }; class netif { egress ingress }; class netlink_audit_socket { create nlmsg_relay read write }; class netlink_route_socket { bind create getattr nlmsg_read read setopt write }; class netlink_selinux_socket { bind create getattr nlmsg_read read setopt write }; class passwd { passwd }; class process { execmem fork getattr noatsecure rlimitinh setfscreate setrlimit setsched siginh sigchld sigkill signal signull sigstop transition }; class rawip_socket { create getopt setopt }; class security { check_context compute_av compute_create }; class service { disable enable start status stop }; class sock_file { create read unlink write }; class system { module_request reload status }; class tcp_socket { connect create getattr getopt name_connect read setopt shutdown write }; class udp_socket { bind connect connectto create getattr getopt ioctl name_bind node_bind read setopt write }; class unix_dgram_socket { connect connectto create getattr getopt ioctl read sendto setopt write }; class unix_stream_socket { accept append bind connect connectto create getattr getopt ioctl listen read setopt shutdown write }; role object_r; role system_r; role unconfined_r; type admin_home_t; type abrt_t; type abrt_watch_log_t; type aide_log_t; type aide_t; type auditd_t; type auditd_log_t; type bin_t; type boot_t; type cert_t; type cgroup_t; type chkpwd_exec_t; type chronyd_unit_file_t; type chronyd_var_log_t; type config_home_t; type crack_db_t; type crond_t; type cpu_online_t; type data_home_t; type dbusd_etc_t; type default_t; type dhcpc_t; type default_context_t; type device_t; type devlog_t; type devpts_t; type devtty_t; type etc_runtime_t; type etc_t; type faillog_t; type file_context_t; type firewalld_t; type firewalld_unit_file_t; type fs_t; type fsdaemon_t; type getty_t; type gconf_home_t; type home_root_t; type hostname_etc_t; type hostname_exec_t; type hugetlbfs_t; type ifconfig_exec_t; type initrc_exec_t; type initrc_t; type initrc_var_run_t; type init_t; type init_tmp_t; type init_var_run_t; type iptables_exec_t; type iptables_var_run_t; type kernel_t; type krb5_conf_t; type lastlog_t; type ld_so_cache_t; type ld_so_t; type lib_t; type load_policy_t; type locale_t; type local_login_t; type lost_found_t; type lsmd_t; type lvm_t; type mail_spool_t; type mnt_t; type mozilla_home_t; type net_conf_t; type node_t; type null_device_t; type passwd_exec_t; type passwd_file_t; type passwd_t; type plymouthd_var_log_t; type plymouth_exec_t; type policykit_t; type proc_net_t; type proc_t; type ptmx_t; type readahead_t; type rhnsd_t; type rhsmcertd_t; type rngd_t; type root_t; type rpcbind_t; type security_t; type selinux_config_t; type setfiles_t; type setfiles_exec_t; type setrans_var_run_t; type shadow_t; type shell_exec_t; type sshd_t; type sshd_exec_t; type sshd_unit_file_t; type ssh_agent_exec_t; type ssh_exec_t; type ssh_home_t; type ssh_keygen_exec_t; type ssh_port_t; type su_exec_t; type sysctl_crypto_t; type sysctl_kernel_t; type sysctl_net_t; type sysctl_t; type sysfs_t; type syslog_conf_t; type syslogd_t; type system_cronjob_t; type system_dbusd_t; type system_dbusd_var_lib_t; type system_dbusd_var_run_t; type systemd_hostnamed_t; type systemd_logind_t; type systemd_logind_sessions_t; type systemd_passwd_agent_exec_t; type systemd_passwd_var_run_t; type systemd_systemctl_exec_t; type systemd_tmpfiles_t; type systemd_unit_file_t; type tmpfs_t; type tmp_t; type tuned_t; type udev_t; type unconfined_service_t; type unconfined_t; type unreserved_port_t; type urandom_device_t; type useradd_exec_t; type user_devpts_t; type user_home_dir_t; type user_home_t; type user_tmp_t; type user_tty_device_t; type usr_t; type var_lib_t; type var_log_t; type var_run_t; type var_spool_t; type var_t; type xserver_port_t; }; # for development and test on VM optional { require { type vmtools_t; }; allow CDTml_types vmtools_t:dir { getattr open search }; allow CDTml_types vmtools_t:file { open read }; }; ########################################################### # # type attributes to simplify many rules attribute CDTml_exec; attribute CDTml_conf; attribute CDTml_file; attribute CDTml_service; attribute CDTml_types; ########################################################### # # Core CDTml types type nicSideHigh_t; type nicSideLow_t; type xferRoot_t, CDTml_types; type xferRootL2H_t, CDTml_types; type xferRootH2L_t, CDTml_types; # primarily process types type xferHigh2Local_t, CDTml_types, userdomain, process_user_target; type xferLocal2Low_t, CDTml_types, CDTml_service; type xferLow2Local_t, CDTml_types, CDTml_service; type xferLocal2High_t, CDTml_types, CDTml_service; # file and folder types type xferLocal2Low_data_t, CDTml_file; type xferLow2Local_data_t, CDTml_file; type xferLocal2High_data_t, CDTml_file; type xferAdmin_t, CDTml_types, can_change_object_identity; type xferAdmin_exec_t, CDTml_types; type xfer_etc_t, CDTml_types; type xferVar_t, CDTml_types; type xferLib_t, CDTml_types; type xferAudit_t, CDTml_types; type xferAudit_exec_t, CDTml_types; type xferSELinux_t, CDTml_types; type xferFilter_t, CDTml_types; type xferAV_t, CDTml_types; type xferAV_etc_t, CDTml_types; type xferAVfail_t, CDTml_types; type xferDWC_t, CDTml_types; type xferDWC_data_t, CDTml_file; type xferDWC_etc_t, CDTml_types; type xferHigh2Local_exec_t, CDTml_types, CDTml_exec; type xferLocal2Low_exec_t, CDTml_types, CDTml_exec; type xferLow2Local_exec_t, CDTml_types, CDTml_exec; type xferLocal2High_exec_t, CDTml_types, CDTml_exec; type xferAV_exec_t, CDTml_types, CDTml_exec; type xferDWC_exec_t, CDTml_types, CDTml_exec; ########################################################### # # Basic system accesses to CDTml types role object_r types { CDTml_types }; role system_r types { CDTml_types }; role unconfined_r types { CDTml_types }; # for aide, at least when run during install # commented out, because we should still be in permissive mode #allow unconfined_t CDTml_types:file map; #allow unconfined_t xferAudit_t:file { ioctl lock map }; allow { aide_t policykit_t readahead_t setfiles_t } { CDTml_file CDTml_types }:file { getattr ioctl map open read }; allow { aide_t policykit_t setfiles_t } { CDTml_file CDTml_types }:dir { getattr read open search }; allow setfiles_t { CDTml_file CDTml_types }:dir relabelto; allow setfiles_t { CDTml_file CDTml_types }:file relabelto; ########################################################### # # Having defined our types, define our roles, # and grant them access to our types role CDTml_low2local_r; role CDTml_local2high_r; role CDTml_high2local_r; role CDTml_local2low_r; role CDTml_auditor_r; allow system_r { CDTml_low2local_r CDTml_local2high_r CDTml_high2local_r CDTml_local2low_r CDTml_auditor_r }; allow unconfined_r { CDTml_low2local_r CDTml_local2high_r CDTml_high2local_r CDTml_local2low_r CDTml_auditor_r }; role CDTml_low2local_r types { xferLow2Local_t xferLow2Local_exec_t }; role CDTml_local2high_r types { xferLocal2High_t xferLocal2High_exec_t }; role CDTml_high2local_r types { xferHigh2Local_t xferHigh2Local_exec_t }; role CDTml_local2low_r types { xferLocal2Low_t xferLocal2Low_exec_t }; role CDTml_auditor_r types { xferAudit_t xferAudit_exec_t }; allow xferHigh2Local_t xferDWC_data_t:dir { add_name getattr open read search setattr write }; allow xferHigh2Local_t xferDWC_data_t:file { create getattr open setattr write }; allow xferDWC_t xferDWC_data_t:dir { getattr open read remove_name search write }; allow xferDWC_t xferDWC_data_t:file { getattr open read unlink }; allow xferDWC_t xferLocal2Low_data_t:dir { add_name getattr open read search setattr write }; allow xferDWC_t xferLocal2Low_data_t:file { create getattr open read setattr write }; allow xferLocal2Low_t xferLocal2Low_data_t:dir { getattr open read remove_name search write }; allow xferLocal2Low_t xferLocal2Low_data_t:file { getattr read unlink }; # perms for low to local, with or without AV allow xferLow2Local_t { xferLow2Local_data_t xferLocal2High_data_t }:dir { add_name getattr open read search setattr write }; allow xferLow2Local_t { xferLow2Local_data_t xferLocal2High_data_t }:file { create getattr open setattr write }; allow { xferLocal2High_t xferAV_t } xferLow2Local_data_t:dir { getattr open read remove_name search setattr write }; allow { xferLocal2High_t xferAV_t } xferLow2Local_data_t:file { getattr open read unlink }; # rules when AV is running allow xferAV_t xferLocal2High_data_t:dir { add_name getattr open read search setattr }; allow xferAV_t xferLocal2High_data_t:file { create getattr setattr write }; allow xferLocal2High_t xferLocal2High_data_t:dir { getattr open read remove_name search write }; allow xferLocal2High_t xferLocal2High_data_t:file { getattr open read unlink }; allow xferLow2Local_t xferAVfail_t:dir { getattr open read remove_name search }; allow xferLow2Local_t xferAVfail_t:file { getattr setattr unlink }; allow xferLow2Local_t xferLocal2High_data_t:dir { getattr open read search setattr }; allow xferLow2Local_t xferLocal2High_data_t:file getattr; allow xferAV_t xferAVfail_t:dir { add_name getattr open read search setattr write }; allow xferAV_t xferAVfail_t:file { create getattr setattr write }; allow xferLocal2Low_t nicSideLow_t:netif { ingress egress }; allow xferLow2Local_t nicSideLow_t:netif { ingress egress }; allow xferLocal2High_t nicSideHigh_t:netif { ingress egress }; allow xferHigh2Local_t nicSideHigh_t:netif { ingress egress }; allow { initrc_t unconfined_service_t syslogd_t systemd_logind_t systemd_tmpfiles_t } CDTml_types:file { getattr ioctl open read }; allow { initrc_t syslogd_t systemd_logind_t systemd_tmpfiles_t } CDTml_types:dir { getattr open read search }; allow { initrc_t syslogd_t systemd_tmpfiles_t } CDTml_types:lnk_file { getattr read }; # Define our process transitions - define them so that only # ICMC users can transition for High2Local, but all other # domains can be entered either via login or via systemd allow unconfined_t xferHigh2Local_exec_t:file { getattr execute open read }; allow xferHigh2Local_t xferHigh2Local_exec_t:file { entrypoint execute execute_no_trans getattr ioctl lock map open read }; allow xferHigh2Local_t sshd_exec_t:file { entrypoint }; type_transition unconfined_t xferHigh2Local_exec_t:process xferHigh2Local_t; allow { sshd_t unconfined_t } xferHigh2Local_t:process transition; # init_t needs these, to start from systemd; unconfined_t needs for root # to start single processes; xferAdmin_t needs to start the startAll utility allow { init_t unconfined_t xferAdmin_t } xferLocal2Low_exec_t:file { getattr execute open read }; allow xferLocal2Low_t xferLocal2Low_exec_t:file { entrypoint execute execute_no_trans getattr ioctl lock map open read }; type_transition { init_t unconfined_t xferAdmin_t } xferLocal2Low_exec_t:process xferLocal2Low_t ; allow { init_t unconfined_t xferAdmin_t } xferLocal2Low_t:process transition; allow { init_t unconfined_t xferAdmin_t } xferLow2Local_exec_t:file { getattr execute open read }; allow xferLow2Local_t xferLow2Local_exec_t:file { entrypoint execute execute_no_trans getattr ioctl lock map open read }; type_transition { init_t unconfined_t xferAdmin_t } xferLow2Local_exec_t:process xferLow2Local_t ; allow { init_t unconfined_t xferAdmin_t } xferLow2Local_t:process transition; allow { init_t unconfined_t xferAdmin_t } xferLocal2High_exec_t:file { getattr execute open read }; allow xferLocal2High_t xferLocal2High_exec_t:file { entrypoint execute execute_no_trans getattr ioctl lock map open read }; type_transition { init_t unconfined_t xferAdmin_t } xferLocal2High_exec_t:process xferLocal2High_t ; allow { init_t unconfined_t xferAdmin_t } xferLocal2High_t:process transition; # define our file transitions: These ensure the Linear Assured Pipeline type_transition xferLow2Local_t xferLocal2High_data_t:file xferLocal2High_data_t; type_transition xferHigh2Local_t xferLocal2Low_data_t:file xferLocal2Low_data_t; # allow administrators to start and stop services, monitor them, etc. allow unconfined_t CDTml_types:file { getattr open read }; allow unconfined_t CDTml_types:dir { getattr search }; allow unconfined_t CDTml_types:process { getattr }; allow unconfined_t xferAdmin_exec_t:file { execute getattr open read }; # but limit who can do what with a type transition allow xferAdmin_t xferAdmin_exec_t:file { entrypoint execute execute_no_trans getattr ioctl lock map open read }; type_transition unconfined_t xferAdmin_exec_t:process xferAdmin_t; allow unconfined_t xferAdmin_t:process transition; allow unconfined_t xferAdmin_exec_t:file { append relabelto }; allow unconfined_t { CDTml_types CDTml_file }:dir { getattr open read search }; # then let our own process relabel everything we own allow xferAdmin_t aide_log_t:dir { getattr open read relabelto search }; allow xferAdmin_t aide_log_t:file { getattr relabelto }; allow xferAdmin_t bin_t:dir { relabelfrom relabelto }; allow xferAdmin_t bin_t:file { relabelfrom relabelto }; allow xferAdmin_t boot_t:dir getattr; allow xferAdmin_t cgroup_t:dir { getattr search }; allow xferAdmin_t cgroup_t:filesystem getattr; allow xferAdmin_t default_context_t:file { getattr open read }; allow xferAdmin_t default_t:dir { getattr relabelfrom }; allow xferAdmin_t device_t:filesystem getattr; allow xferAdmin_t devpts_t:dir getattr; allow xferAdmin_t file_context_t:dir search; allow xferAdmin_t file_context_t:file { getattr map open read }; allow xferAdmin_t hugetlbfs_t:dir getattr; allow xferAdmin_t hugetlbfs_t:filesystem getattr; allow xferAdmin_t lib_t:dir relabelfrom; allow xferAdmin_t lib_t:file relabelfrom; allow xferAdmin_t self:dir relabelto; allow xferAdmin_t self:file relabelto; allow xferAdmin_t selinux_config_t:file { getattr open read }; allow xferAdmin_t setfiles_exec_t:file { execute execute_no_trans getattr map open read }; allow xferAdmin_t sysfs_t:dir getattr; allow xferAdmin_t sysfs_t:filesystem getattr; allow xferAdmin_t tmpfs_t:dir getattr; allow xferAdmin_t tmpfs_t:filesystem getattr; allow xferAdmin_t user_tmp_t:dir getattr; allow xferAdmin_t usr_t:dir relabelfrom; allow xferAdmin_t usr_t:file relabelfrom; allow xferAdmin_t xferAV_etc_t:file { getattr relabelto }; allow xferAdmin_t xferAV_exec_t:file { getattr relabelto }; allow xferAdmin_t xferAV_t:file { getattr relabelto }; allow xferAdmin_t xferAVfail_t:dir { getattr open read relabelto search }; allow xferAdmin_t xferAdmin_exec_t:file relabelto; allow xferAdmin_t xferAudit_exec_t:file { getattr relabelto }; allow xferAdmin_t xferAudit_t:dir { getattr open read relabelto search }; allow xferAdmin_t xferAudit_t:file { getattr relabelto }; allow xferAdmin_t xferDWC_data_t:dir { getattr open read relabelto search }; allow xferAdmin_t xferDWC_etc_t:file { getattr relabelto }; allow xferAdmin_t xferDWC_exec_t:file { getattr relabelto }; allow xferAdmin_t xferDWC_t:file { getattr relabelto }; allow xferAdmin_t xferFilter_t:dir { getattr open read relabelto search }; allow xferAdmin_t xferLib_t:dir relabelto; allow xferAdmin_t xferLocal2High_data_t:dir { getattr open read relabelto search }; allow xferAdmin_t xferLocal2High_exec_t:file { getattr relabelto }; allow xferAdmin_t xferLocal2High_t:file { getattr relabelto }; allow xferAdmin_t xferLocal2Low_data_t:dir { getattr open read relabelto search }; allow xferAdmin_t xferLocal2Low_exec_t:file { getattr relabelto }; allow xferAdmin_t xferLocal2Low_t:file { getattr relabelto }; allow xferAdmin_t xferLow2Local_data_t:dir { getattr open read relabelto search }; allow xferAdmin_t xferLow2Local_exec_t:file { getattr relabelto }; allow xferAdmin_t xferLow2Local_t:file { getattr relabelto }; allow xferAdmin_t xferRootH2L_t:dir { getattr open read relabelto search }; allow xferAdmin_t xferRootL2H_t:dir { getattr open read relabelto search }; allow xferAdmin_t xferRoot_t:dir relabelto; allow xferAdmin_t xferSELinux_t:dir { getattr open read relabelto search }; allow xferAdmin_t xferSELinux_t:file { getattr relabelto }; allow xferAdmin_t xferVar_t:dir { getattr open read relabelto search }; allow xferAdmin_t xfer_etc_t:dir { getattr open read relabelto search }; # # administrative functions, especially user creation allow xferAdmin_t chkpwd_exec_t:file { execute execute_no_trans map open read }; allow xferAdmin_t crack_db_t:file { getattr open read }; allow xferAdmin_t devtty_t:chr_file getattr; allow xferAdmin_t mail_spool_t:dir search; allow xferAdmin_t mail_spool_t:file open; allow xferAdmin_t passwd_exec_t:file { execute execute_no_trans getattr map open read }; allow xferAdmin_t passwd_file_t:file { ioctl lock }; allow xferAdmin_t self:file relabelfrom; allow xferAdmin_t useradd_exec_t:file { execute execute_no_trans getattr map open read }; allow xferAdmin_t xferAudit_exec_t:file relabelfrom; # finally, allow xferAdmin_t to start and stop things, too # (since the startall utility is now xfer_admin_t # NOTE: These were added above. # these may seem odd, but these allow the services to see each other's # process information - the dirs and files are in /proc - when running # any of the administrative status commands allow xferLocal2High_t xferLocal2Low_t:dir { getattr search }; allow xferLocal2High_t xferLocal2Low_t:file { open read }; allow xferLocal2High_t xferLow2Local_t:dir { getattr search }; allow xferLocal2High_t xferLow2Local_t:file { open read }; allow xferLocal2Low_t xferLocal2High_t:dir { getattr search }; allow xferLocal2Low_t xferLocal2High_t:file { open read }; allow xferLocal2Low_t xferLow2Local_t:dir { getattr search }; allow xferLocal2Low_t xferLow2Local_t:file { open read }; allow xferLow2Local_t xferLocal2High_t:dir { getattr search }; allow xferLow2Local_t xferLocal2High_t:file { open read }; allow xferLow2Local_t xferLocal2Low_t:dir { getattr search }; allow xferLow2Local_t xferLocal2Low_t:file { open read }; # do something similar for cron - part of creating the daily report allow system_cronjob_t xferLocal2High_t:dir { getattr search }; allow system_cronjob_t xferLocal2High_t:file { open read }; allow system_cronjob_t xferLocal2Low_t:dir { getattr search }; allow system_cronjob_t xferLocal2Low_t:file { open read }; allow system_cronjob_t xferLow2Local_t:dir { getattr search }; allow system_cronjob_t xferLow2Local_t:file { open read }; # allow init_t, etc., to start the services allow { xferAdmin_t init_t } CDTml_service:process { noatsecure rlimitinh siginh sigkill signull signal }; allow CDTml_service { xferAdmin_t init_t}:process { sigchld }; allow CDTml_service { xferAdmin_t init_t }:fd { use }; allow CDTml_service init_t:unix_stream_socket { connectto getattr ioctl read write }; allow CDTml_service init_tmp_t:file { append create getattr ioctl lock map open read write }; allow CDTml_service xferAdmin_t:fifo_file { getattr ioctl open read write }; allow CDTml_service xferAdmin_t:file { open read }; allow CDTml_service xferAdmin_t:key { link read search view }; allow CDTml_types xferVar_t:dir { add_name remove_name write }; allow CDTml_types xferVar_t:file { append create getattr ioctl lock map open read unlink write }; allow CDTml_types xferRoot_t:dir { getattr open read search }; allow { xferLow2Local_t xferLocal2High_t } xferRootL2H_t:dir { getattr open read search }; allow { xferHigh2Local_t xferLocal2Low_t } xferRootH2L_t:dir { getattr open read search }; ########################################################### # # General system access allow CDTml_types admin_home_t:dir { add_name getattr open read remove_name search write }; allow CDTml_types admin_home_t:file { append create getattr ioctl open read write }; allow CDTml_types bin_t:dir { getattr open read search }; allow CDTml_types bin_t:file { execute execute_no_trans getattr ioctl map open read }; allow CDTml_types bin_t:lnk_file { open read }; allow { CDTml_types xferAdmin_t } cert_t:file { getattr open read }; allow { CDTml_service xferAdmin_t } cert_t:dir { getattr open read search }; allow CDTml_types chronyd_unit_file_t:service { start status enable disable start stop }; allow CDTml_types cpu_online_t:file { getattr ioctl open read }; allow CDTml_types device_t:dir search; allow CDTml_types devlog_t:sock_file write; allow CDTml_types devpts_t:chr_file { getattr open read write }; allow CDTml_types devpts_t:filesystem { getattr }; allow CDTml_types devtty_t:chr_file { ioctl open read write }; allow CDTml_types etc_t:dir { add_name getattr open read remove_name search write }; allow CDTml_types etc_t:file { append create getattr ioctl link open read rename setattr unlink write }; allow CDTml_types etc_t:lnk_file { getattr open read }; allow CDTml_types faillog_t:file { getattr open read write }; allow CDTml_types fs_t:filesystem { getattr associate }; allow CDTml_file fs_t:filesystem { associate }; allow CDTml_types home_root_t:dir { add_name getattr write }; allow CDTml_types hostname_etc_t:file { append getattr ioctl open read write }; allow CDTml_types hostname_exec_t:file { getattr execute execute_no_trans ioctl map open read }; allow CDTml_types initrc_exec_t:file { entrypoint execute getattr ioctl map open read }; allow CDTml_types init_t:process sigchld; allow CDTml_types init_t:service { status stop start enable disable }; allow CDTml_types init_t:unix_stream_socket { connectto getattr ioctl read write }; allow CDTml_types init_var_run_t:dir { add_name create write }; allow CDTml_types init_var_run_t:fifo_file { create open read }; allow CDTml_types init_var_run_t:sock_file { write }; allow CDTml_types initrc_var_run_t:file { lock }; allow CDTml_types kernel_t:system module_request; allow CDTml_types kernel_t:unix_dgram_socket sendto; allow CDTml_types krb5_conf_t:file { getattr open read }; allow CDTml_types lastlog_t:file { append getattr ioctl lock open read write }; allow CDTml_types ld_so_cache_t:file { getattr map open read }; allow CDTml_types ld_so_t:file { execute map open read }; allow CDTml_types lib_t:dir { getattr open read search }; allow CDTml_types lib_t:file { execute ioctl getattr map open read }; allow CDTml_types lib_t:lnk_file read; allow CDTml_types locale_t:dir search; allow CDTml_types locale_t:file { getattr map open read }; allow CDTml_types locale_t:lnk_file read; allow CDTml_types local_login_t:fd use; allow CDTml_types local_login_t:process sigchld; allow CDTml_types mail_spool_t:dir { add_name write }; allow CDTml_types mail_spool_t:file { create setattr write }; allow CDTml_types CDTml_conf:file { append create getattr ioctl open read rename setattr unlink write }; allow CDTml_types mozilla_home_t:dir { add_name create setattr write }; allow CDTml_types net_conf_t:dir { add_name remove_name write }; allow CDTml_types net_conf_t:file { append create getattr open read rename setattr unlink write }; allow CDTml_types node_t:udp_socket node_bind; allow CDTml_types null_device_t:chr_file { ioctl read }; allow CDTml_types passwd_file_t:file { create getattr map open read rename setattr unlink write }; allow CDTml_types proc_t:dir { getattr open read search }; allow CDTml_types proc_t:file { getattr open read }; allow CDTml_types proc_t:filesystem getattr; allow CDTml_types ptmx_t:chr_file { ioctl open read write }; allow CDTml_types root_t:dir { getattr search }; allow CDTml_types security_t:dir { getattr open read search }; allow CDTml_types security_t:filesystem getattr; allow CDTml_types security_t:file { getattr open read write }; allow CDTml_types security_t:security { check_context compute_av }; allow CDTml_types self:capability { audit_write chown dac_override dac_read_search fowner fsetid net_admin net_raw setgid setuid sys_boot sys_ptrace }; allow CDTml_types self:fd use; allow CDTml_types self:fifo_file { getattr open read write }; allow CDTml_types self:file { getattr open read write }; allow CDTml_types self:key { read search view write }; allow CDTml_types self:lnk_file { read }; allow CDTml_types self:netlink_audit_socket { create nlmsg_relay read write }; allow CDTml_types self:passwd passwd; allow CDTml_types self:process { execmem fork noatsecure rlimitinh setfscreate sigchld siginh signal transition }; allow CDTml_types self:rawip_socket { create getopt setopt }; allow CDTml_types self:tcp_socket { connect create getattr getopt read setopt shutdown write }; allow CDTml_types self:udp_socket { bind connect create getattr ioctl read setopt write }; allow CDTml_types self:unix_dgram_socket { connect create write }; allow CDTml_types self:unix_stream_socket { connect create shutdown }; allow CDTml_types selinux_config_t:dir search; allow CDTml_types shadow_t:file { create getattr open map read rename setattr unlink write }; allow CDTml_types shell_exec_t:file { execute map read }; allow CDTml_types ssh_exec_t:file { execute execute_no_trans getattr map open read }; allow CDTml_types ssh_home_t:dir { add_name create remove_name search setattr write }; allow CDTml_types ssh_home_t:file { append create setattr unlink write }; allow CDTml_types ssh_keygen_exec_t:file { execute execute_no_trans getattr map open read }; allow CDTml_types ssh_port_t:tcp_socket { name_connect }; allow CDTml_types sysctl_net_t:file write; allow CDTml_types sysfs_t:dir search; allow CDTml_types syslog_conf_t:file { write }; allow CDTml_types system_dbusd_var_run_t:sock_file write; allow CDTml_types systemd_logind_t:fd use; allow CDTml_types systemd_logind_t:file { getattr open read }; allow CDTml_types systemd_unit_file_t:service { start stop enable disable status }; allow CDTml_types tmp_t:dir { add_name create getattr open read remove_name rmdir search setattr write }; allow CDTml_types tmp_t:file { append create getattr ioctl open read setattr unlink write }; allow CDTml_types tmp_t:sock_file { create unlink write }; allow CDTml_types tuned_t:dir { getattr search }; allow CDTml_types tuned_t:file { getattr open read }; allow CDTml_types udev_t:dir { getattr search }; allow CDTml_types udev_t:file { getattr open read }; allow CDTml_types unconfined_t:dir { getattr search }; allow CDTml_types unconfined_t:fifo_file { getattr ioctl open read write }; allow CDTml_types unconfined_t:file { getattr open read }; allow CDTml_types unconfined_t:key { link read search view }; allow CDTml_types user_home_dir_t:dir { add_name create getattr open read remove_name search setattr write }; allow CDTml_types user_home_dir_t:file { append create getattr ioctl open read rename setattr unlink write }; allow CDTml_types user_home_t:file { append create getattr open read rename setattr unlink write }; allow CDTml_types user_tmp_t:file write; allow CDTml_types user_tty_device_t:chr_file { getattr ioctl read write }; allow CDTml_types usr_t:dir { getattr open search }; allow CDTml_types usr_t:file { getattr ioctl open read }; allow CDTml_types var_log_t:file { getattr ioctl lock map open read }; allow CDTml_types var_run_t:dir search; allow CDTml_types var_run_t:file { lock open read }; allow CDTml_types var_run_t:lnk_file read; allow CDTml_types var_t:dir { add_name getattr search open write }; allow initrc_t CDTml_types:dir { getattr open read search }; allow initrc_t CDTml_types:file { getattr ioctl map open read }; allow syslogd_t CDTml_types:dir search; allow syslogd_t CDTml_types:file { getattr open read }; allow syslogd_t CDTml_types:lnk_file read; allow CDTml_types { abrt_t abrt_watch_log_t auditd_t crond_t dhcpc_t firewalld_t fsdaemon_t getty_t init_t initrc_var_run_t kernel_t local_login_t lsmd_t lvm_t policykit_t proc_t rhnsd_t rhsmcertd_t rngd_t rpcbind_t user_home_t var_log_t xferAdmin_t xferLib_t }:dir { getattr open read search }; allow CDTml_types { abrt_t abrt_watch_log_t auditd_t crond_t dhcpc_t firewalld_t fsdaemon_t getty_t init_t initrc_var_run_t kernel_t local_login_t lsmd_t lvm_t policykit_t rhnsd_t rhsmcertd_t rngd_t rpcbind_t }:file { open read }; allow CDTml_types { proc_t }:lnk_file { getattr open read }; allow CDTml_types { null_device_t user_devpts_t }:chr_file { append getattr ioctl open read write }; allow CDTml_types security_t:file { getattr open read }; allow CDTml_types self:key link; allow CDTml_types self:process { setrlimit setsched sigkill }; allow CDTml_types self:unix_stream_socket { accept bind listen }; allow CDTml_types setrans_var_run_t:dir search; allow CDTml_types shell_exec_t:file { execute_no_trans getattr open }; allow CDTml_types ssh_agent_exec_t:file { execute execute_no_trans map open read }; allow CDTml_types ssh_home_t:dir getattr; allow CDTml_types ssh_home_t:file { getattr open read }; allow CDTml_types sshd_t:dir { getattr search }; allow CDTml_types sshd_t:file { open read }; allow CDTml_types su_exec_t:file { execute execute_no_trans getattr map open read }; allow CDTml_types sysctl_kernel_t:dir search; allow CDTml_types sysctl_kernel_t:file { open read }; allow CDTml_types syslogd_t:dir { getattr search }; allow CDTml_types syslogd_t:file { open read }; allow CDTml_types system_dbusd_t:dir { getattr search }; allow CDTml_types system_dbusd_t:file { open read }; allow CDTml_types systemd_logind_sessions_t:fifo_file write; allow CDTml_types systemd_logind_t:dbus send_msg; allow CDTml_types systemd_logind_t:dir { getattr search }; ########################################################### # # For connecting to and using dbus, if necessary allow CDTml_types { system_dbusd_t self }:dbus send_msg; allow { system_dbusd_t dbusd_unconfined } CDTml_types:dbus send_msg; allow CDTml_types system_dbusd_var_lib_t:dir { getattr search open }; allow CDTml_types system_dbusd_var_lib_t:file { open { getattr read ioctl lock } }; allow CDTml_types var_lib_t:dir { getattr search open }; allow CDTml_types device_t:dir { getattr search open }; allow CDTml_types urandom_device_t:chr_file { getattr open read ioctl }; allow CDTml_types var_t:lnk_file { read }; allow CDTml_types var_run_t:lnk_file { read }; allow CDTml_types var_run_t:dir { add_name create getattr open read relabelto remove_name search setattr write }; allow CDTml_types system_dbusd_var_run_t:dir { getattr search open }; allow CDTml_types system_dbusd_var_run_t:sock_file { write }; allow CDTml_types system_dbusd_t:unix_stream_socket connectto; allow CDTml_types dbusd_etc_t:dir { getattr search open read }; allow CDTml_types dbusd_etc_t:file { open { getattr read ioctl lock } }; allow CDTml_types unconfined_service_t:dbus send_msg; allow unconfined_service_t CDTml_types:dbus send_msg; allow CDTml_types sshd_t:fd { use }; allow CDTml_types init_tmp_t:file { append create getattr ioctl open read write }; allow CDTml_types unconfined_t:fd { use }; allow unconfined_t CDTml_types:process { noatsecure rlimitinh siginh sigkill signal signull }; allow CDTml_types unconfined_t :process { sigchld }; allow CDTml_types self:dir { getattr open read search }; allow CDTml_types self:file { getattr ioctl open read }; allow CDTml_types self:fifo_file { ioctl }; allow CDTml_types self:netlink_route_socket { bind create getattr nlmsg_read read setopt write }; allow CDTml_types self:netlink_selinux_socket { bind create getattr nlmsg_read read setopt write }; allow CDTml_types self:unix_stream_socket { connectto getattr getopt ioctl read setopt write }; allow CDTml_types init_t:dbus send_msg; allow init_t CDTml_types:dbus send_msg; allow CDTml_types system_dbusd_t:dbus send_msg; allow CDTml_types system_dbusd_t:unix_stream_socket connectto; allow init_t CDTml_types:file { getattr ioctl open read }; allow init_t CDTml_types:dir { getattr open read search }; allow system_dbusd_t CDTml_types:file { getattr ioctl open read }; allow system_dbusd_t CDTml_types:dir { getattr open read search }; allow CDTml_types init_t:system { reload status }; allow CDTml_types policykit_t:dbus send_msg; allow policykit_t CDTml_types:dbus send_msg; allow CDTml_types systemd_hostnamed_t:dbus send_msg; allow systemd_hostnamed_t CDTml_types:dbus send_msg; allow systemd_logind_t CDTml_types:dbus send_msg; ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Defining SELinux users, "Unable to get valid context...". Help! 2021-02-12 22:43 ` Peter Whittaker @ 2021-02-13 7:22 ` Dominick Grift 2021-02-13 14:13 ` Peter Whittaker 0 siblings, 1 reply; 19+ messages in thread From: Dominick Grift @ 2021-02-13 7:22 UTC (permalink / raw) To: Peter Whittaker; +Cc: SElinux list Peter Whittaker <peterwhittaker@sphyrnasecurity.com> writes: > On Fri, Feb 12, 2021 at 4:52 PM Dominick Grift > <dominick.grift@defensec.nl> wrote: >> Peter Whittaker <peterwhittaker@sphyrnasecurity.com> writes: >> > On Fri, Feb 12, 2021 at 2:58 AM Dominick Grift >> > <dominick.grift@defensec.nl> wrote: >> >> Dominick Grift <dominick.grift@defensec.nl> writes: >> >> > Peter Whittaker <peterwhittaker@sphyrnasecurity.com> writes: >> >> >> BLUF: Logging in via SSH or directly at the console results >> >> >> in "Unable to get valid context...". Help! Much info included. >> > >> > Thanks to Dominick, I have made at least some progress: I can get the >> > role to transition, but not the user or the process type. Details below. > > SNIP You missed a fundamental type attribute association: type xferHigh2Local_t, CDTml_types, userdomain, process_user_target; It seems that you did not associate your process types with "domain": typeattribute xferHigh2Local_t domain; See if adding that helps > >> > That rule was already present (it is the only one I really need, these >> > users will be coming in via SSH only). >> >> Okay I dont think you mentioned that before > > No, I didn't. I've been testing with both SSH and local login in an > attempt to determine where the problem might lie. > >> > I added process_user_target to the type definition, no effect: >> > >> > type xferHigh2Local_t, CDTml_types, userdomain, process_user_target; >> >> I dont think you mentioned this before and I think you also didnt >> mention that you had userdomain associates with it. > > Correct. Oversight on my part. > >> > I then added >> > >> > role_transition system_r sshd_exec_t CDTml_high2local_r; >> >> That is wrong > > OK. I thought so to, thinking that the context/users and default_* > files would control this, but it did cause a change. Thought it might > be a useful data point. > > Can you validate my assumption re the users and default_* files? > >> > and this got me my first real progress - 'id -Z' now shows: >> > >> > system_u:CDTml_high2local_r:unconfined_t:s0 >> >> Yes but that is wrong > > Indeed! > >> > What surprises me most is that originally nothing showed up in ausearch. >> > I suppose this is because either PAM or SSHD is doing the computation >> > and not logging it in audit.log, but that is just a guess, likely misguided. >> >> Yes the computation does not cause any logging > > Ah. Unfortunate. > >> > However! After that last allow, above, I finally have errors in ausearch, >> > many repeats of: >> > >> > libsepol.context_from_record: invalid security context: > snip >> > >> > I then expanded the basic allow rule for the CDTml_high2local_r role: >> > >> > role CDTml_high2local_r types { >> > sshd_t >> > unconfined_t >> > xferHigh2Local_t >> > xferHigh2Local_exec_t >> > }; >> >> Yes but the above is not right, and so those errors are expected. > > OK, that makes sense. > >> > This didn't get me any farther, though. >> > >> > Do I need to widen the roles associated with CDTml_high2local_u at login? >> >> It helps if you post your full policy related to this and also the output >> of the following: >> >> seinfo -xuCDTml_high2local_u >> seinfo -xrCDTml_high2local_r >> seinfo -xtxferHigh2Local_t > > Attached as seinfosnip. You'll see that the final seinfo output is > much too broad, I need to narrow down some of the access rules once I > get basic functionality working. > >> That shouldnt matter, but it helps if you post the full policy rather >> than snippets. > > Didn't want to overwhelm things! I've attached the full policy, CDTml.te. > >> getconlist: >> getdefaultcon: > > I'll look into those next week. > >> There is also a boolean that might affect things (but speculation >> without a closer look at your policy): >> >> ssh_sysadm_login > > I removed the bogus role perms and tried again, with that binary set. No effect. > > Thanks again! > > P > > > -- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Defining SELinux users, "Unable to get valid context...". Help! 2021-02-13 7:22 ` Dominick Grift @ 2021-02-13 14:13 ` Peter Whittaker 2021-02-13 16:09 ` Dominick Grift 0 siblings, 1 reply; 19+ messages in thread From: Peter Whittaker @ 2021-02-13 14:13 UTC (permalink / raw) To: Dominick Grift; +Cc: SElinux list On Sat, Feb 13, 2021 at 2:24 AM Dominick Grift <dominick.grift@defensec.nl> wrote: > Peter Whittaker <peterwhittaker@sphyrnasecurity.com> writes: > > On Fri, Feb 12, 2021 at 4:52 PM Dominick Grift > > <dominick.grift@defensec.nl> wrote: > >> Peter Whittaker <peterwhittaker@sphyrnasecurity.com> writes: > >> > On Fri, Feb 12, 2021 at 2:58 AM Dominick Grift > >> > <dominick.grift@defensec.nl> wrote: > >> >> Dominick Grift <dominick.grift@defensec.nl> writes: > >> >> > Peter Whittaker <peterwhittaker@sphyrnasecurity.com> writes: > >> >> >> BLUF: Logging in via SSH or directly at the console results > >> >> >> in "Unable to get valid context...". Help! Much info included. > > You missed a fundamental type attribute association: > > type xferHigh2Local_t, CDTml_types, userdomain, process_user_target; > > It seems that you did not associate your process types with "domain": > > typeattribute xferHigh2Local_t domain; > > See if adding that helps It didn't - but! The failure motivated me to dive more deeply back into /var/log/audit/audit.log, wherein I noticed that the desired user context has been being computed correctly since sometime yesterday (15:29:25 EST, in fact) - but SSH logins were still failing to assign that context. So I tried a console login and it worked (I've not made any console related changes since you started helping me with this). Progress: The desired context is properly computed and assigned, at least with console (local) login. This leaves me two major items to figure out: 1. Of the changes I have applied over the last 1-3 days, what is the minimum set required to achieve this? My immediate future includes bisection. 2. Why doesn't it work with SSH, when it does work with the console (yes, the ssh_sysadm_login is on)? I've read that the latter may have to do with network labelling and/or default network context, I may need to explore that. All suggestions welcome! Thanks! Progress restores optimism. P ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Defining SELinux users, "Unable to get valid context...". Help! 2021-02-13 14:13 ` Peter Whittaker @ 2021-02-13 16:09 ` Dominick Grift 2021-02-13 18:06 ` Topi Miettinen 0 siblings, 1 reply; 19+ messages in thread From: Dominick Grift @ 2021-02-13 16:09 UTC (permalink / raw) To: Peter Whittaker; +Cc: SElinux list Peter Whittaker <peterwhittaker@sphyrnasecurity.com> writes: > On Sat, Feb 13, 2021 at 2:24 AM Dominick Grift > <dominick.grift@defensec.nl> wrote: >> Peter Whittaker <peterwhittaker@sphyrnasecurity.com> writes: >> > On Fri, Feb 12, 2021 at 4:52 PM Dominick Grift >> > <dominick.grift@defensec.nl> wrote: >> >> Peter Whittaker <peterwhittaker@sphyrnasecurity.com> writes: >> >> > On Fri, Feb 12, 2021 at 2:58 AM Dominick Grift >> >> > <dominick.grift@defensec.nl> wrote: >> >> >> Dominick Grift <dominick.grift@defensec.nl> writes: >> >> >> > Peter Whittaker <peterwhittaker@sphyrnasecurity.com> writes: >> >> >> >> BLUF: Logging in via SSH or directly at the console results >> >> >> >> in "Unable to get valid context...". Help! Much info included. >> >> You missed a fundamental type attribute association: >> >> type xferHigh2Local_t, CDTml_types, userdomain, process_user_target; >> >> It seems that you did not associate your process types with "domain": >> >> typeattribute xferHigh2Local_t domain; >> >> See if adding that helps > > It didn't - but! The failure motivated me to dive more deeply back > into /var/log/audit/audit.log, wherein I noticed that the desired user > context has been being computed correctly since sometime yesterday > (15:29:25 EST, in fact) - but SSH logins were still failing to assign > that context. So I tried a console login and it worked (I've not made > any console related changes since you started helping me with this). Okay but all processes should alway's associate with the domain attribute > > Progress: The desired context is properly computed and assigned, at > least with console (local) login. This leaves me two major items to > figure out: > > 1. Of the changes I have applied over the last 1-3 days, > what is the minimum set required to achieve this? My > immediate future includes bisection. Yes i guess work your way back and see... > > 2. Why doesn't it work with SSH, when it does work with > the console (yes, the ssh_sysadm_login is on)? see if the ssh daemon runs with the expected: system_u:system_r:sshd_t:s0 context (ps auxZ | grep ssh) then doubt check that /etc/selinux/targeted/contexts/users/CDTml_high2local_u has: system_r:sshd_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0 And use sesearch to verify that the following queries return: sesearch -A -s sshd_t -t xferHigh2Local_t -c process -p transition sesearch -A -s xferHigh2Local_t bin_t -c file -p entrypoint sesearch -A -s xferHigh2Local_t shell_exec_t -c file -p entrypoint Also, just in case, try in permissive mode to see if that changes anything (unlikely but worth a try) > > I've read that the latter may have to do with network labelling and/or > default network context, I may need to explore that. I dont think that is related > > All suggestions welcome! > > Thanks! Progress restores optimism. > > P -- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Defining SELinux users, "Unable to get valid context...". Help! 2021-02-13 16:09 ` Dominick Grift @ 2021-02-13 18:06 ` Topi Miettinen 2021-02-13 20:26 ` Peter Whittaker 0 siblings, 1 reply; 19+ messages in thread From: Topi Miettinen @ 2021-02-13 18:06 UTC (permalink / raw) To: Dominick Grift, Peter Whittaker; +Cc: SElinux list On 13.2.2021 18.09, Dominick Grift wrote: > Peter Whittaker <peterwhittaker@sphyrnasecurity.com> writes: > >> On Sat, Feb 13, 2021 at 2:24 AM Dominick Grift >> <dominick.grift@defensec.nl> wrote: >>> Peter Whittaker <peterwhittaker@sphyrnasecurity.com> writes: >>>> On Fri, Feb 12, 2021 at 4:52 PM Dominick Grift >>>> <dominick.grift@defensec.nl> wrote: >>>>> Peter Whittaker <peterwhittaker@sphyrnasecurity.com> writes: >>>>>> On Fri, Feb 12, 2021 at 2:58 AM Dominick Grift >>>>>> <dominick.grift@defensec.nl> wrote: >>>>>>> Dominick Grift <dominick.grift@defensec.nl> writes: >>>>>>>> Peter Whittaker <peterwhittaker@sphyrnasecurity.com> writes: >>>>>>>>> BLUF: Logging in via SSH or directly at the console results >>>>>>>>> in "Unable to get valid context...". Help! Much info included. >>> >>> You missed a fundamental type attribute association: >>> >>> type xferHigh2Local_t, CDTml_types, userdomain, process_user_target; >>> >>> It seems that you did not associate your process types with "domain": >>> >>> typeattribute xferHigh2Local_t domain; >>> >>> See if adding that helps >> >> It didn't - but! The failure motivated me to dive more deeply back >> into /var/log/audit/audit.log, wherein I noticed that the desired user >> context has been being computed correctly since sometime yesterday >> (15:29:25 EST, in fact) - but SSH logins were still failing to assign >> that context. So I tried a console login and it worked (I've not made >> any console related changes since you started helping me with this). > > Okay but all processes should alway's associate with the domain attribute > >> >> Progress: The desired context is properly computed and assigned, at >> least with console (local) login. This leaves me two major items to >> figure out: >> >> 1. Of the changes I have applied over the last 1-3 days, >> what is the minimum set required to achieve this? My >> immediate future includes bisection. > > Yes i guess work your way back and see... > >> >> 2. Why doesn't it work with SSH, when it does work with >> the console (yes, the ssh_sysadm_login is on)? > > see if the ssh daemon runs with the expected: > system_u:system_r:sshd_t:s0 context (ps auxZ | grep ssh) > > then doubt check that > /etc/selinux/targeted/contexts/users/CDTml_high2local_u has: > system_r:sshd_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0 > > And use sesearch to verify that the following queries return: > > sesearch -A -s sshd_t -t xferHigh2Local_t -c process -p transition > sesearch -A -s xferHigh2Local_t bin_t -c file -p entrypoint > sesearch -A -s xferHigh2Local_t shell_exec_t -c file -p entrypoint There's also `sedta` (Debian: setools package) which AFAICT walks through the login process (except for the part that tries to find out the default context for the user): $ sedta -s sshd_t -t user_t -S Domain transition path 1: Step 1: sshd_t -> user_t Domain transition rule(s): allow sshd_t userdomain:process transition; [ ssh_sysadm_login ]:True allow sshd_t unpriv_userdomain:process transition; [ ssh_sysadm_login ]:False Set execution context rule(s): allow sshd_t sshd_t:process { fork getcap getsched setcap setexec setkeycreate setrlimit setsched sigchld signal }; Entrypoint bin_t: Domain entrypoint rule(s): allow user_t bin_t:file { entrypoint execute execute_no_trans getattr ioctl lock map open read }; File execute rule(s): allow sshd_t bin_t:file { execute execute_no_trans getattr ioctl lock map open read }; Entrypoint shell_exec_t: Domain entrypoint rule(s): allow user_t shell_exec_t:file { entrypoint execute execute_no_trans getattr ioctl lock map open read }; File execute rule(s): allow sshd_t shell_exec_t:file { execute execute_no_trans getattr ioctl lock map open read }; allow sshd_t shell_exec_t:file { execute getattr ioctl map open read }; [ ssh_sysadm_login ]:True allow sshd_t shell_exec_t:file { execute getattr ioctl map open read }; [ ssh_sysadm_login ]:False 1 domain transition path(s) found. $ sedta -s local_login_t -t user_t -S Domain transition path 1: Step 1: local_login_t -> user_t Domain transition rule(s): allow local_login_t userdomain:process { sigchld signal transition }; Set execution context rule(s): allow local_login_t local_login_t:process { fork getcap setcap setexec setkeycreate setrlimit setsched sigchld }; Entrypoint shell_exec_t: Domain entrypoint rule(s): allow user_t shell_exec_t:file { entrypoint execute execute_no_trans getattr ioctl lock map open read }; File execute rule(s): allow local_login_t shell_exec_t:file { execute execute_no_trans getattr ioctl lock map open read }; Entrypoint bin_t: Domain entrypoint rule(s): allow user_t bin_t:file { entrypoint execute execute_no_trans getattr ioctl lock map open read }; File execute rule(s): allow local_login_t bin_t:file { execute execute_no_trans getattr ioctl lock map open read }; 1 domain transition path(s) found. -Topi > > Also, just in case, try in permissive mode to see if that changes > anything (unlikely but worth a try) > >> >> I've read that the latter may have to do with network labelling and/or >> default network context, I may need to explore that. > > I dont think that is related > >> >> All suggestions welcome! >> >> Thanks! Progress restores optimism. >> >> P > ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Defining SELinux users, "Unable to get valid context...". Help! 2021-02-13 18:06 ` Topi Miettinen @ 2021-02-13 20:26 ` Peter Whittaker 2021-02-13 20:39 ` Dominick Grift 0 siblings, 1 reply; 19+ messages in thread From: Peter Whittaker @ 2021-02-13 20:26 UTC (permalink / raw) To: Topi Miettinen; +Cc: Dominick Grift, SElinux list [-- Attachment #1: Type: text/plain, Size: 14389 bytes --] On Sat, Feb 13, 2021 at 1:08 PM Topi Miettinen <toiwoton@gmail.com> wrote: > On 13.2.2021 18.09, Dominick Grift wrote: > > Peter Whittaker <peterwhittaker@sphyrnasecurity.com> writes: > >> 1. Of the changes I have applied over the last 1-3 days, > >> what is the minimum set required to achieve this? My > >> immediate future includes bisection. > > > > Yes i guess work your way back and see... Well, this turned out to be more difficult than I had hoped. I made a stupid decision when I was committing changes, amending previous commits instead of letting them pile on. I did it to avoid excessive commit history and that was a stupid choice - I cannot bisect what I do not have - I won't do that again. I decided to take a different tack, and that has some interesting results: I have two user types that must be able to connect to the box, auditors and transfer initiators; my results so far have involved transfer initiators, which work at the local console but not over SSH, so I decided to duplicate what I have for transfer initiators and see if I could get auditors to work. Long story short, I cannot: The key point seems to be that only some of the contexts that become valid for CDTml_high2local_u/xferHigh2Local_t (transfer initiators) become valid for CDTml_auditor_u/xferAudit_t. I'll point that out below in the journalctl extracts.... > >> 2. Why doesn't it work with SSH, when it does work with > >> the console (yes, the ssh_sysadm_login is on)? > > > > see if the ssh daemon runs with the expected: > > system_u:system_r:sshd_t:s0 context (ps auxZ | grep ssh) It does: See the shell output, below. Everything else checks out too, AFAICT. >> genconlist >> getdefaultcon > There's also `sedta` (Debian: setools package) which AFAICT walks > through the login process (except for the part that tries to find out > the default context for the user): The sedta utility is not available in my setools, which are still back at version 3; I could build it, but I am worried about the overall SELinux installation getting too far ahead of the version I need to work with (long story, customer related). The same limitations/concerns prevent me from doing much with getconlist/getdefaultcon. I am going to have to bite the bullet and do most/all of my development/test on very recent Fedora, then rebuild on the older RHEL I have to work with. I'm not up for that this weekend, I'll look at this for Monday. Which is a holiday. Sigh. In the meantime, I've run some comparisons with interesting results. Apologies for the excess quantities of logs, etc., it seemed relevant. Remember that transfer users can login at the console and get the right context, but do not get the correct context via SSH (though they can login), while auditors can log in on both and get bogus contexts on both. There are clues in the journalctl output, but I cannot interpret them. WRT all of what follows, I've attached the current CDTml.te; yes, it misses the domain type, but at this point, I want to identify why the two different types of users are treated differently. This is all under permissive mode. Shell commands to compare the two types of users, their policies, and to verity that things are installed and labelled as expected: % seinfo -xuCDTml_high2local_u CDTml_high2local_u default level: s0 range: s0 roles: object_r CDTml_high2local_r % seinfo -xuCDTml_auditor_u CDTml_auditor_u default level: s0 range: s0 roles: object_r CDTml_auditor_r % seinfo -xrCDTml_high2local_r CDTml_high2local_r Dominated Roles: CDTml_high2local_r Types: xferHigh2Local_t xferHigh2Local_exec_t % seinfo -xrCDTml_auditor_r CDTml_auditor_r Dominated Roles: CDTml_auditor_r Types: xferAudit_t xferAudit_exec_t % seinfo -xtxferHigh2Local_t xferHigh2Local_t CDTml_types process_user_target userdomain % seinfo -xtxferAudit_t xferAudit_t CDTml_types process_user_target userdomain % semanage user -l (trimmed to just these two) CDTml_auditor_u user s0 s0 CDTml_auditor_r CDTml_high2local_u user s0 s0 CDTml_high2local_r % semanage login -l (trimmed to just these two) %CDTml_high2local CDTml_high2local_u s0 * %xferAuditGroup CDTml_auditor_u s0 * % ps auxZ |grep sshd system_u:system_r:sshd_t:s0 root 1939 0.0 0.2 156816 5588 ? Ss 13:25 0:00 sshd: pww [priv] unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pww 1942 0.0 0.1 156816 2512 ? S 13:25 0:00 sshd: pww@pts/0 system_u:system_r:sshd_t:s0 root 2071 0.0 0.3 156816 5592 ? Ss 13:30 0:00 sshd: pww [priv] unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pww 2074 0.0 0.1 156816 2512 ? S 13:30 0:00 sshd: pww@pts/1 system_u:system_r:sshd_t:s0 root 58459 0.0 0.2 112936 4292 ? Ss 14:10 0:00 /usr/sbin/sshd -D unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 61323 0.0 0.0 112808 952 pts/0 S+ 14:50 0:00 grep sshd % ls -lZ /etc/selinux/targeted/contexts/users/CDTml_auditor_u -rw-r--r--. root root system_u:object_r:default_context_t:s0 /etc/selinux/targeted/contexts/users/CDTml_auditor_u % ls -lZ /etc/selinux/targeted/contexts/users/CDTml_high2local_u -rw-r--r--. root root system_u:object_r:default_context_t:s0 /etc/selinux/targeted/contexts/users/CDTml_high2local_u % cat /etc/selinux/targeted/contexts/users/CDTml_auditor_u system_r:crond_t:s0 CDTml_audit_r:xferAudit_t:s0 system_r:initrc_su_t:s0 CDTml_audit_r:xferAudit_t:s0 system_r:local_login_t:s0 CDTml_audit_r:xferAudit_t:s0 system_r:remote_login_t:s0 CDTml_audit_r:xferAudit_t:s0 system_r:sshd_t:s0 CDTml_audit_r:xferAudit_t:s0 CDTml_audit_r:xferAudit_t:s0 CDTml_audit_r:xferAudit_t:s0 % cat /etc/selinux/targeted/contexts/users/CDTml_high2local_u system_r:crond_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0 system_r:initrc_su_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0 system_r:local_login_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0 system_r:remote_login_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0 system_r:sshd_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0 CDTml_high2local_r:xferHigh2Local_t:s0 So far, everything compares cleanly: All file contents and contexts are correct and, as far as the commands above are concerned, the two user types and roles have similar properties. journalctl is where things are interesting; I'll add commentary to the journalctl results IN CAPS (annoying but easy to pick out: THIS STARTS WITH MY INSTALLATION SCRIPT, which runs semodule to install the PP and semanage to set up users and mappings; it also creates the first Linux user of each type. INSTALLING THE RPM: Base groups are created Feb 13 14:09:53 localhost.localdomain groupadd[57256]: group added to /etc/group: name=CDTml_high2local, GID=2105 Feb 13 14:09:53 localhost.localdomain groupadd[57256]: group added to /etc/gshadow: name=CDTml_high2local Feb 13 14:09:53 localhost.localdomain groupadd[57256]: new group: name=CDTml_high2local, GID=2105 Feb 13 14:09:53 localhost.localdomain groupadd[57261]: group added to /etc/group: name=xferAuditGroup, GID=2200 Feb 13 14:09:53 localhost.localdomain groupadd[57261]: group added to /etc/gshadow: name=xferAuditGroup Feb 13 14:09:53 localhost.localdomain groupadd[57261]: new group: name=xferAuditGroup, GID=2200 CONTEXTS BECOMING VALID AS SEMODULE PROCESSES CDTml.pp: Feb 13 14:10:39 localhost.localdomain kernel: SELinux: Context system_u:system_r:xferHigh2Local_t:s0-s0:c0.c1023 became valid (mapped). Feb 13 14:10:39 localhost.localdomain kernel: SELinux: Context system_u:system_r:xferAudit_t:s0-s0:c0.c1023 became valid (mapped). Feb 13 14:10:39 localhost.localdomain kernel: SELinux: Context system_u:system_r:xferAudit_exec_t:s0-s0:c0.c1023 became valid (mapped). Feb 13 14:10:39 localhost.localdomain kernel: SELinux: Context system_u:system_r:xferHigh2Local_exec_t:s0-s0:c0.c1023 became valid (mapped). Feb 13 14:10:39 localhost.localdomain kernel: SELinux: Context system_u:unconfined_r:xferHigh2Local_t:s0-s0:c0.c1023 became valid (mapped). Feb 13 14:10:39 localhost.localdomain kernel: SELinux: Context system_u:unconfined_r:xferAudit_t:s0-s0:c0.c1023 became valid (mapped). Feb 13 14:10:39 localhost.localdomain kernel: SELinux: Context system_u:unconfined_r:xferAudit_exec_t:s0-s0:c0.c1023 became valid (mapped). Feb 13 14:10:39 localhost.localdomain kernel: SELinux: Context system_u:unconfined_r:xferHigh2Local_exec_t:s0-s0:c0.c1023 became valid (mapped). Feb 13 14:10:39 localhost.localdomain kernel: SELinux: Context unconfined_u:system_r:xferHigh2Local_t:s0-s0:c0.c1023 became valid (mapped). Feb 13 14:10:39 localhost.localdomain kernel: SELinux: Context unconfined_u:system_r:xferAudit_t:s0-s0:c0.c1023 became valid (mapped). Feb 13 14:10:39 localhost.localdomain kernel: SELinux: Context unconfined_u:system_r:xferAudit_exec_t:s0-s0:c0.c1023 became valid (mapped). Feb 13 14:10:39 localhost.localdomain kernel: SELinux: Context unconfined_u:system_r:xferHigh2Local_exec_t:s0-s0:c0.c1023 became valid (mapped). Feb 13 14:10:40 localhost.localdomain kernel: SELinux: Context unconfined_u:unconfined_r:xferHigh2Local_t:s0-s0:c0.c1023 became valid (mapped). Feb 13 14:10:40 localhost.localdomain kernel: SELinux: Context unconfined_u:unconfined_r:xferAudit_t:s0-s0:c0.c1023 became valid (mapped). Feb 13 14:10:40 localhost.localdomain kernel: SELinux: Context unconfined_u:unconfined_r:xferAudit_exec_t:s0-s0:c0.c1023 became valid (mapped). Feb 13 14:10:40 localhost.localdomain kernel: SELinux: Context unconfined_u:unconfined_r:xferHigh2Local_exec_t:s0-s0:c0.c1023 became valid (mapped). Feb 13 14:10:40 localhost.localdomain kernel: SELinux: Context system_u:object_r:xferAudit_t:s0 became valid (mapped). Feb 13 14:10:40 localhost.localdomain kernel: SELinux: Context system_u:object_r:xferAudit_exec_t:s0 became valid (mapped). Feb 13 14:10:40 localhost.localdomain kernel: SELinux: Context system_u:object_r:xferHigh2Local_exec_t:s0 became valid (mapped). CONTEXTS BECOMING VALID AS A RESULT OF SEMANAGE USER/LOGIN Feb 13 14:10:53 localhost.localdomain kernel: SELinux: Context CDTml_high2local_u:CDTml_high2local_r:xferHigh2Local_t:s0 became valid (mapped). Feb 13 14:10:53 localhost.localdomain kernel: SELinux: Context CDTml_high2local_u:CDTml_high2local_r:xferHigh2Local_exec_t:s0 became valid (mapped). Feb 13 14:10:53 localhost.localdomain kernel: SELinux: Context CDTml_high2local_u:object_r:tty_device_t:s0 became valid (mapped). Feb 13 14:10:53 localhost.localdomain kernel: SELinux: Context CDTml_high2local_u:object_r:cache_home_t:s0 became valid (mapped). Feb 13 14:10:53 localhost.localdomain kernel: SELinux: Context CDTml_high2local_u:object_r:config_home_t:s0 became valid (mapped). Feb 13 14:10:53 localhost.localdomain kernel: SELinux: Context CDTml_high2local_u:object_r:user_home_t:s0 became valid (mapped). Feb 13 14:11:03 localhost.localdomain kernel: SELinux: Context CDTml_auditor_u:CDTml_auditor_r:xferAudit_t:s0 became valid (mapped). Feb 13 14:11:03 localhost.localdomain kernel: SELinux: Context CDTml_auditor_u:CDTml_auditor_r:xferAudit_exec_t:s0 became valid (mapped). NOTE NOTE NOTE ^^^^ THERE ARE ONLY TWO CONTEXTS FOR auditors, VERSUS SIX FOR transfer initiators. WHAT CAUSES THE MISS? USERS LOGGING IN - NOTE THE SSH REJECTION OF AN OTHERWISE CORRECT CONTEXT FOR icmc01 Feb 13 14:13:41 localhost.localdomain sshd[58993]: pam_selinux(sshd:session): Username= icmc01 SELinux User= CDTml_high2local_u Level= s0 Feb 13 14:13:41 localhost.localdomain sshd[58993]: pam_selinux(sshd:session): Selected Security Context CDTml_high2local_u:CDTml_high2local_r:xferHigh2Local_t:s0 Feb 13 14:13:41 localhost.localdomain sshd[58993]: pam_selinux(sshd:session): Checking if CDTml_high2local_u:CDTml_high2local_r:xferHigh2Local_t:s0 mls range valid for CDTml_high2local_u:CDTml_high2local_r:xferHigh2Local_t:s0 Feb 13 14:13:41 localhost.localdomain sshd[58993]: pam_selinux(sshd:session): Security context CDTml_high2local_u:CDTml_high2local_r:xferHigh2Local_t:s0 is not allowed for CDTml_high2local_u:CDTml_high2local_r:xferHigh2Local_t:s0 WHAT? ^^^ WHY NOT? Feb 13 14:14:08 localhost.localdomain sshd[59060]: pam_selinux(sshd:session): Username= audit01 SELinux User= CDTml_auditor_u Level= s0 Feb 13 14:14:23 localhost.localdomain login[1936]: pam_selinux(login:session): Username= icmc01 SELinux User= CDTml_high2local_u Level= s0 Feb 13 14:14:23 localhost.localdomain login[1936]: pam_selinux(login:session): Set file context of tty /dev/tty1: [system_u:object_r:tty_device_t:s0] -> [CDTml_high2local_u:object_r:tty_device_t:s0] Feb 13 14:14:23 localhost.localdomain login[1936]: pam_selinux(login:session): Set executable context: [] -> [CDTml_high2local_u:CDTml_high2local_r:xferHigh2Local_t:s0] Feb 13 14:14:23 localhost.localdomain login[1936]: pam_selinux(login:session): Security Context CDTml_high2local_u:CDTml_high2local_r:xferHigh2Local_t:s0 Assigned Feb 13 14:14:23 localhost.localdomain login[1936]: pam_selinux(login:session): Set key creation context to CDTml_high2local_u:CDTml_high2local_r:xferHigh2Local_t:s0 Feb 13 14:14:23 localhost.localdomain login[1936]: pam_selinux(login:session): Key Creation Context CDTml_high2local_u:CDTml_high2local_r:xferHigh2Local_t:s0 Assigned Feb 13 14:14:28 localhost.localdomain login[1936]: pam_selinux(login:session): Restore file context of tty /dev/tty1: [CDTml_high2local_u:object_r:tty_device_t:s0] -> [system_u:object_r:tty_device_t:s0] Feb 13 14:14:28 localhost.localdomain login[1936]: pam_selinux(login:session): Restore executable context: [CDTml_high2local_u:CDTml_high2local_r:xferHigh2Local_t:s0] -> [] Feb 13 14:14:33 localhost.localdomain login[59190]: pam_selinux(login:session): Username= audit01 SELinux User= CDTml_auditor_u Level= s0 At this point, I think audit01 fails to get their context because of the six "missing" mappings, but I do not understand why SSHD is rejecting the context for icmc01 that local login happily accepts. Thoughts? Thanks, P [-- Attachment #2: CDTml.te --] [-- Type: application/octet-stream, Size: 34400 bytes --] module CDTml 1.0; ########################################################### # # External dependencies. While only some of these are # used, there is no harm in including more than is # required. It's an odd vagary of SELinux. These are # derived from other working cross-domain systems. require { attribute can_change_object_identity; attribute can_read_shadow_passwords; attribute can_system_change; attribute domain; attribute dbusd_unconfined; attribute process_user_target; attribute userdomain; class capability { audit_write chown dac_override dac_read_search fowner fsetid net_admin net_raw setgid setuid sys_boot sys_ptrace }; class chr_file { append getattr ioctl open read setattr write }; class dbus { send_msg }; class dir { add_name create getattr open read relabelfrom relabelto remove_name rmdir search setattr write }; class fd { use }; class fifo_file { getattr create ioctl map open read relabelto setattr write }; class file { append create entrypoint execute execute_no_trans getattr ioctl link lock map open read relabelfrom relabelto rename setattr write unlink }; class filesystem { associate getattr }; class key { link read search view write }; class lnk_file { getattr open read }; class netif { egress ingress }; class netlink_audit_socket { create nlmsg_relay read write }; class netlink_route_socket { bind create getattr nlmsg_read read setopt write }; class netlink_selinux_socket { bind create getattr nlmsg_read read setopt write }; class passwd { passwd }; class process { execmem fork getattr noatsecure rlimitinh setfscreate setrlimit setsched siginh sigchld sigkill signal signull sigstop transition }; class rawip_socket { create getopt setopt }; class security { check_context compute_av compute_create }; class service { disable enable start status stop }; class sock_file { create read unlink write }; class system { module_request reload status }; class tcp_socket { connect create getattr getopt name_connect read setopt shutdown write }; class udp_socket { bind connect connectto create getattr getopt ioctl name_bind node_bind read setopt write }; class unix_dgram_socket { connect connectto create getattr getopt ioctl read sendto setopt write }; class unix_stream_socket { accept append bind connect connectto create getattr getopt ioctl listen read setopt shutdown write }; role object_r; role system_r; role unconfined_r; type admin_home_t; type abrt_t; type abrt_watch_log_t; type aide_log_t; type aide_t; type auditd_t; type auditd_log_t; type bin_t; type boot_t; type cert_t; type cgroup_t; type chkpwd_exec_t; type chronyd_unit_file_t; type chronyd_var_log_t; type config_home_t; type crack_db_t; type crond_t; type cpu_online_t; type data_home_t; type dbusd_etc_t; type default_t; type dhcpc_t; type default_context_t; type device_t; type devlog_t; type devpts_t; type devtty_t; type etc_runtime_t; type etc_t; type faillog_t; type file_context_t; type firewalld_t; type firewalld_unit_file_t; type fs_t; type fsdaemon_t; type getty_t; type gconf_home_t; type home_root_t; type hostname_etc_t; type hostname_exec_t; type hugetlbfs_t; type ifconfig_exec_t; type initrc_exec_t; type initrc_t; type initrc_var_run_t; type init_t; type init_tmp_t; type init_var_run_t; type iptables_exec_t; type iptables_var_run_t; type kernel_t; type krb5_conf_t; type lastlog_t; type ld_so_cache_t; type ld_so_t; type lib_t; type load_policy_t; type locale_t; type local_login_t; type lost_found_t; type lsmd_t; type lvm_t; type mail_spool_t; type mnt_t; type mozilla_home_t; type net_conf_t; type node_t; type null_device_t; type passwd_exec_t; type passwd_file_t; type passwd_t; type plymouthd_var_log_t; type plymouth_exec_t; type policykit_t; type proc_net_t; type proc_t; type ptmx_t; type readahead_t; type rhnsd_t; type rhsmcertd_t; type rngd_t; type root_t; type rpcbind_t; type security_t; type selinux_config_t; type setfiles_t; type setfiles_exec_t; type setrans_var_run_t; type shadow_t; type shell_exec_t; type sshd_t; type sshd_exec_t; type sshd_unit_file_t; type ssh_agent_exec_t; type ssh_exec_t; type ssh_home_t; type ssh_keygen_exec_t; type ssh_port_t; type su_exec_t; type sysctl_crypto_t; type sysctl_kernel_t; type sysctl_net_t; type sysctl_t; type sysfs_t; type syslog_conf_t; type syslogd_t; type system_cronjob_t; type system_dbusd_t; type system_dbusd_var_lib_t; type system_dbusd_var_run_t; type systemd_hostnamed_t; type systemd_logind_t; type systemd_logind_sessions_t; type systemd_passwd_agent_exec_t; type systemd_passwd_var_run_t; type systemd_systemctl_exec_t; type systemd_tmpfiles_t; type systemd_unit_file_t; type tmpfs_t; type tmp_t; type tuned_t; type udev_t; type unconfined_service_t; type unconfined_t; type unreserved_port_t; type urandom_device_t; type useradd_exec_t; type user_devpts_t; type user_home_dir_t; type user_home_t; type user_tmp_t; type user_tty_device_t; type usr_t; type var_lib_t; type var_log_t; type var_run_t; type var_spool_t; type var_t; type xserver_port_t; }; # for development and test on VM optional { require { type vmtools_t; }; allow CDTml_types vmtools_t:dir { getattr open search }; allow CDTml_types vmtools_t:file { open read }; }; ########################################################### # # type attributes to simplify many rules attribute CDTml_exec; attribute CDTml_conf; attribute CDTml_file; attribute CDTml_service; attribute CDTml_types; ########################################################### # # Core CDTml types type nicSideHigh_t; type nicSideLow_t; type xferRoot_t, CDTml_types; type xferRootL2H_t, CDTml_types; type xferRootH2L_t, CDTml_types; # primarily process types #type xferHigh2Local_t, CDTml_types, domain, userdomain, process_user_target; type xferHigh2Local_t, CDTml_types, userdomain, process_user_target; type xferLocal2Low_t, CDTml_types, CDTml_service; type xferLow2Local_t, CDTml_types, CDTml_service; type xferLocal2High_t, CDTml_types, CDTml_service; # file and folder types type xferLocal2Low_data_t, CDTml_file; type xferLow2Local_data_t, CDTml_file; type xferLocal2High_data_t, CDTml_file; type xferAdmin_t, CDTml_types, can_change_object_identity; type xferAdmin_exec_t, CDTml_types; type xfer_etc_t, CDTml_types; type xferVar_t, CDTml_types; type xferLib_t, CDTml_types; type xferAudit_t, CDTml_types, userdomain, process_user_target; type xferAudit_exec_t, CDTml_types; type xferSELinux_t, CDTml_types; type xferFilter_t, CDTml_types; type xferAV_t, CDTml_types; type xferAV_etc_t, CDTml_types; type xferAVfail_t, CDTml_types; type xferDWC_t, CDTml_types; type xferDWC_data_t, CDTml_file; type xferDWC_etc_t, CDTml_types; type xferHigh2Local_exec_t, CDTml_types, CDTml_exec; type xferLocal2Low_exec_t, CDTml_types, CDTml_exec; type xferLow2Local_exec_t, CDTml_types, CDTml_exec; type xferLocal2High_exec_t, CDTml_types, CDTml_exec; type xferAV_exec_t, CDTml_types, CDTml_exec; type xferDWC_exec_t, CDTml_types, CDTml_exec; ########################################################### # # Basic system accesses to CDTml types role object_r types { CDTml_types }; role system_r types { CDTml_types }; role unconfined_r types { CDTml_types }; # for aide, at least when run during install # commented out, because we should still be in permissive mode #allow unconfined_t CDTml_types:file map; #allow unconfined_t xferAudit_t:file { ioctl lock map }; allow { aide_t policykit_t readahead_t setfiles_t } { CDTml_file CDTml_types }:file { getattr ioctl map open read }; allow { aide_t policykit_t setfiles_t } { CDTml_file CDTml_types }:dir { getattr read open search }; allow setfiles_t { CDTml_file CDTml_types }:dir relabelto; allow setfiles_t { CDTml_file CDTml_types }:file relabelto; ########################################################### # # Having defined our types, define our roles, # and grant them access to our types role CDTml_low2local_r; role CDTml_local2high_r; role CDTml_high2local_r; role CDTml_local2low_r; role CDTml_auditor_r; allow system_r { CDTml_low2local_r CDTml_local2high_r CDTml_high2local_r CDTml_local2low_r CDTml_auditor_r }; allow unconfined_r { CDTml_low2local_r CDTml_local2high_r CDTml_high2local_r CDTml_local2low_r CDTml_auditor_r }; role CDTml_low2local_r types { xferLow2Local_t xferLow2Local_exec_t }; role CDTml_local2high_r types { xferLocal2High_t xferLocal2High_exec_t }; role CDTml_high2local_r types { xferHigh2Local_t xferHigh2Local_exec_t }; role CDTml_local2low_r types { xferLocal2Low_t xferLocal2Low_exec_t }; role CDTml_auditor_r types { xferAudit_t xferAudit_exec_t }; allow xferHigh2Local_t xferDWC_data_t:dir { add_name getattr open read search setattr write }; allow xferHigh2Local_t xferDWC_data_t:file { create getattr open setattr write }; allow xferDWC_t xferDWC_data_t:dir { getattr open read remove_name search write }; allow xferDWC_t xferDWC_data_t:file { getattr open read unlink }; allow xferDWC_t xferLocal2Low_data_t:dir { add_name getattr open read search setattr write }; allow xferDWC_t xferLocal2Low_data_t:file { create getattr open read setattr write }; allow xferLocal2Low_t xferLocal2Low_data_t:dir { getattr open read remove_name search write }; allow xferLocal2Low_t xferLocal2Low_data_t:file { getattr read unlink }; # perms for low to local, with or without AV allow xferLow2Local_t { xferLow2Local_data_t xferLocal2High_data_t }:dir { add_name getattr open read search setattr write }; allow xferLow2Local_t { xferLow2Local_data_t xferLocal2High_data_t }:file { create getattr open setattr write }; allow { xferLocal2High_t xferAV_t } xferLow2Local_data_t:dir { getattr open read remove_name search setattr write }; allow { xferLocal2High_t xferAV_t } xferLow2Local_data_t:file { getattr open read unlink }; # rules when AV is running allow xferAV_t xferLocal2High_data_t:dir { add_name getattr open read search setattr }; allow xferAV_t xferLocal2High_data_t:file { create getattr setattr write }; allow xferLocal2High_t xferLocal2High_data_t:dir { getattr open read remove_name search write }; allow xferLocal2High_t xferLocal2High_data_t:file { getattr open read unlink }; allow xferLow2Local_t xferAVfail_t:dir { getattr open read remove_name search }; allow xferLow2Local_t xferAVfail_t:file { getattr setattr unlink }; allow xferLow2Local_t xferLocal2High_data_t:dir { getattr open read search setattr }; allow xferLow2Local_t xferLocal2High_data_t:file getattr; allow xferAV_t xferAVfail_t:dir { add_name getattr open read search setattr write }; allow xferAV_t xferAVfail_t:file { create getattr setattr write }; allow xferLocal2Low_t nicSideLow_t:netif { ingress egress }; allow xferLow2Local_t nicSideLow_t:netif { ingress egress }; allow xferLocal2High_t nicSideHigh_t:netif { ingress egress }; allow xferHigh2Local_t nicSideHigh_t:netif { ingress egress }; allow { initrc_t unconfined_service_t syslogd_t systemd_logind_t systemd_tmpfiles_t } CDTml_types:file { getattr ioctl open read }; allow { initrc_t syslogd_t systemd_logind_t systemd_tmpfiles_t } CDTml_types:dir { getattr open read search }; allow { initrc_t syslogd_t systemd_tmpfiles_t } CDTml_types:lnk_file { getattr read }; # Define our process transitions - define them so that only # ICMC users can transition for High2Local, but all other # domains can be entered either via login or via systemd allow unconfined_t xferHigh2Local_exec_t:file { getattr execute open read }; allow xferHigh2Local_t xferHigh2Local_exec_t:file { entrypoint execute execute_no_trans getattr ioctl lock map open read }; allow xferHigh2Local_t sshd_exec_t:file { entrypoint }; type_transition unconfined_t xferHigh2Local_exec_t:process xferHigh2Local_t; allow { sshd_t unconfined_t } xferHigh2Local_t:process transition; # init_t needs these, to start from systemd; unconfined_t needs for root # to start single processes; xferAdmin_t needs to start the startAll utility allow { init_t unconfined_t xferAdmin_t } xferLocal2Low_exec_t:file { getattr execute open read }; allow xferLocal2Low_t xferLocal2Low_exec_t:file { entrypoint execute execute_no_trans getattr ioctl lock map open read }; type_transition { init_t unconfined_t xferAdmin_t } xferLocal2Low_exec_t:process xferLocal2Low_t ; allow { init_t unconfined_t xferAdmin_t } xferLocal2Low_t:process transition; allow { init_t unconfined_t xferAdmin_t } xferLow2Local_exec_t:file { getattr execute open read }; allow xferLow2Local_t xferLow2Local_exec_t:file { entrypoint execute execute_no_trans getattr ioctl lock map open read }; type_transition { init_t unconfined_t xferAdmin_t } xferLow2Local_exec_t:process xferLow2Local_t ; allow { init_t unconfined_t xferAdmin_t } xferLow2Local_t:process transition; allow { init_t unconfined_t xferAdmin_t } xferLocal2High_exec_t:file { getattr execute open read }; allow xferLocal2High_t xferLocal2High_exec_t:file { entrypoint execute execute_no_trans getattr ioctl lock map open read }; type_transition { init_t unconfined_t xferAdmin_t } xferLocal2High_exec_t:process xferLocal2High_t ; allow { init_t unconfined_t xferAdmin_t } xferLocal2High_t:process transition; # we need to allow auditors to transition to their domain allow { sshd_t unconfined_t } xferAudit_t:process transition; # define our file transitions: These ensure the Linear Assured Pipeline type_transition xferLow2Local_t xferLocal2High_data_t:file xferLocal2High_data_t; type_transition xferHigh2Local_t xferLocal2Low_data_t:file xferLocal2Low_data_t; # allow administrators to start and stop services, monitor them, etc. allow unconfined_t CDTml_types:file { getattr open read }; allow unconfined_t CDTml_types:dir { getattr search }; allow unconfined_t CDTml_types:process { getattr }; allow unconfined_t xferAdmin_exec_t:file { execute getattr open read }; # but limit who can do what with a type transition allow xferAdmin_t xferAdmin_exec_t:file { entrypoint execute execute_no_trans getattr ioctl lock map open read }; type_transition unconfined_t xferAdmin_exec_t:process xferAdmin_t; allow unconfined_t xferAdmin_t:process transition; allow unconfined_t xferAdmin_exec_t:file { append relabelto }; allow unconfined_t { CDTml_types CDTml_file }:dir { getattr open read search }; # then let our own process relabel everything we own allow xferAdmin_t aide_log_t:dir { getattr open read relabelto search }; allow xferAdmin_t aide_log_t:file { getattr relabelto }; allow xferAdmin_t bin_t:dir { relabelfrom relabelto }; allow xferAdmin_t bin_t:file { relabelfrom relabelto }; allow xferAdmin_t boot_t:dir getattr; allow xferAdmin_t cgroup_t:dir { getattr search }; allow xferAdmin_t cgroup_t:filesystem getattr; allow xferAdmin_t default_context_t:file { getattr open read }; allow xferAdmin_t default_t:dir { getattr relabelfrom }; allow xferAdmin_t device_t:filesystem getattr; allow xferAdmin_t devpts_t:dir getattr; allow xferAdmin_t file_context_t:dir search; allow xferAdmin_t file_context_t:file { getattr map open read }; allow xferAdmin_t hugetlbfs_t:dir getattr; allow xferAdmin_t hugetlbfs_t:filesystem getattr; allow xferAdmin_t lib_t:dir relabelfrom; allow xferAdmin_t lib_t:file relabelfrom; allow xferAdmin_t self:dir relabelto; allow xferAdmin_t self:file relabelto; allow xferAdmin_t selinux_config_t:file { getattr open read }; allow xferAdmin_t setfiles_exec_t:file { execute execute_no_trans getattr map open read }; allow xferAdmin_t sysfs_t:dir getattr; allow xferAdmin_t sysfs_t:filesystem getattr; allow xferAdmin_t tmpfs_t:dir getattr; allow xferAdmin_t tmpfs_t:filesystem getattr; allow xferAdmin_t user_tmp_t:dir getattr; allow xferAdmin_t usr_t:dir relabelfrom; allow xferAdmin_t usr_t:file relabelfrom; allow xferAdmin_t xferAV_etc_t:file { getattr relabelto }; allow xferAdmin_t xferAV_exec_t:file { getattr relabelto }; allow xferAdmin_t xferAV_t:file { getattr relabelto }; allow xferAdmin_t xferAVfail_t:dir { getattr open read relabelto search }; allow xferAdmin_t xferAdmin_exec_t:file relabelto; allow xferAdmin_t xferAudit_exec_t:file { getattr relabelto }; allow xferAdmin_t xferAudit_t:dir { getattr open read relabelto search }; allow xferAdmin_t xferAudit_t:file { getattr relabelto }; allow xferAdmin_t xferDWC_data_t:dir { getattr open read relabelto search }; allow xferAdmin_t xferDWC_etc_t:file { getattr relabelto }; allow xferAdmin_t xferDWC_exec_t:file { getattr relabelto }; allow xferAdmin_t xferDWC_t:file { getattr relabelto }; allow xferAdmin_t xferFilter_t:dir { getattr open read relabelto search }; allow xferAdmin_t xferLib_t:dir relabelto; allow xferAdmin_t xferLocal2High_data_t:dir { getattr open read relabelto search }; allow xferAdmin_t xferLocal2High_exec_t:file { getattr relabelto }; allow xferAdmin_t xferLocal2High_t:file { getattr relabelto }; allow xferAdmin_t xferLocal2Low_data_t:dir { getattr open read relabelto search }; allow xferAdmin_t xferLocal2Low_exec_t:file { getattr relabelto }; allow xferAdmin_t xferLocal2Low_t:file { getattr relabelto }; allow xferAdmin_t xferLow2Local_data_t:dir { getattr open read relabelto search }; allow xferAdmin_t xferLow2Local_exec_t:file { getattr relabelto }; allow xferAdmin_t xferLow2Local_t:file { getattr relabelto }; allow xferAdmin_t xferRootH2L_t:dir { getattr open read relabelto search }; allow xferAdmin_t xferRootL2H_t:dir { getattr open read relabelto search }; allow xferAdmin_t xferRoot_t:dir relabelto; allow xferAdmin_t xferSELinux_t:dir { getattr open read relabelto search }; allow xferAdmin_t xferSELinux_t:file { getattr relabelto }; allow xferAdmin_t xferVar_t:dir { getattr open read relabelto search }; allow xferAdmin_t xfer_etc_t:dir { getattr open read relabelto search }; # # administrative functions, especially user creation allow xferAdmin_t chkpwd_exec_t:file { execute execute_no_trans map open read }; allow xferAdmin_t crack_db_t:file { getattr open read }; allow xferAdmin_t devtty_t:chr_file getattr; allow xferAdmin_t mail_spool_t:dir search; allow xferAdmin_t mail_spool_t:file open; allow xferAdmin_t passwd_exec_t:file { execute execute_no_trans getattr map open read }; allow xferAdmin_t passwd_file_t:file { ioctl lock }; allow xferAdmin_t self:file relabelfrom; allow xferAdmin_t useradd_exec_t:file { execute execute_no_trans getattr map open read }; allow xferAdmin_t xferAudit_exec_t:file relabelfrom; # finally, allow xferAdmin_t to start and stop things, too # (since the startall utility is now xfer_admin_t # NOTE: These were added above. # these may seem odd, but these allow the services to see each other's # process information - the dirs and files are in /proc - when running # any of the administrative status commands allow xferLocal2High_t xferLocal2Low_t:dir { getattr search }; allow xferLocal2High_t xferLocal2Low_t:file { open read }; allow xferLocal2High_t xferLow2Local_t:dir { getattr search }; allow xferLocal2High_t xferLow2Local_t:file { open read }; allow xferLocal2Low_t xferLocal2High_t:dir { getattr search }; allow xferLocal2Low_t xferLocal2High_t:file { open read }; allow xferLocal2Low_t xferLow2Local_t:dir { getattr search }; allow xferLocal2Low_t xferLow2Local_t:file { open read }; allow xferLow2Local_t xferLocal2High_t:dir { getattr search }; allow xferLow2Local_t xferLocal2High_t:file { open read }; allow xferLow2Local_t xferLocal2Low_t:dir { getattr search }; allow xferLow2Local_t xferLocal2Low_t:file { open read }; # do something similar for cron - part of creating the daily report allow system_cronjob_t xferLocal2High_t:dir { getattr search }; allow system_cronjob_t xferLocal2High_t:file { open read }; allow system_cronjob_t xferLocal2Low_t:dir { getattr search }; allow system_cronjob_t xferLocal2Low_t:file { open read }; allow system_cronjob_t xferLow2Local_t:dir { getattr search }; allow system_cronjob_t xferLow2Local_t:file { open read }; # allow init_t, etc., to start the services allow { xferAdmin_t init_t } CDTml_service:process { noatsecure rlimitinh siginh sigkill signull signal }; allow CDTml_service { xferAdmin_t init_t}:process { sigchld }; allow CDTml_service { xferAdmin_t init_t }:fd { use }; allow CDTml_service init_t:unix_stream_socket { connectto getattr ioctl read write }; allow CDTml_service init_tmp_t:file { append create getattr ioctl lock map open read write }; allow CDTml_service xferAdmin_t:fifo_file { getattr ioctl open read write }; allow CDTml_service xferAdmin_t:file { open read }; allow CDTml_service xferAdmin_t:key { link read search view }; allow CDTml_types xferVar_t:dir { add_name remove_name write }; allow CDTml_types xferVar_t:file { append create getattr ioctl lock map open read unlink write }; allow CDTml_types xferRoot_t:dir { getattr open read search }; allow { xferLow2Local_t xferLocal2High_t } xferRootL2H_t:dir { getattr open read search }; allow { xferHigh2Local_t xferLocal2Low_t } xferRootH2L_t:dir { getattr open read search }; ########################################################### # # General system access allow CDTml_types admin_home_t:dir { add_name getattr open read remove_name search write }; allow CDTml_types admin_home_t:file { append create getattr ioctl open read write }; allow CDTml_types bin_t:dir { getattr open read search }; allow CDTml_types bin_t:file { execute execute_no_trans getattr ioctl map open read }; allow CDTml_types bin_t:lnk_file { open read }; allow { CDTml_types xferAdmin_t } cert_t:file { getattr open read }; allow { CDTml_service xferAdmin_t } cert_t:dir { getattr open read search }; allow CDTml_types chronyd_unit_file_t:service { start status enable disable start stop }; allow CDTml_types cpu_online_t:file { getattr ioctl open read }; allow CDTml_types device_t:dir search; allow CDTml_types devlog_t:sock_file write; allow CDTml_types devpts_t:chr_file { getattr open read write }; allow CDTml_types devpts_t:filesystem { getattr }; allow CDTml_types devtty_t:chr_file { ioctl open read write }; allow CDTml_types etc_t:dir { add_name getattr open read remove_name search write }; allow CDTml_types etc_t:file { append create getattr ioctl link open read rename setattr unlink write }; allow CDTml_types etc_t:lnk_file { getattr open read }; allow CDTml_types faillog_t:file { getattr open read write }; allow CDTml_types fs_t:filesystem { getattr associate }; allow CDTml_file fs_t:filesystem { associate }; allow CDTml_types home_root_t:dir { add_name getattr write }; allow CDTml_types hostname_etc_t:file { append getattr ioctl open read write }; allow CDTml_types hostname_exec_t:file { getattr execute execute_no_trans ioctl map open read }; allow CDTml_types initrc_exec_t:file { entrypoint execute getattr ioctl map open read }; allow CDTml_types init_t:process sigchld; allow CDTml_types init_t:service { status stop start enable disable }; allow CDTml_types init_t:unix_stream_socket { connectto getattr ioctl read write }; allow CDTml_types init_var_run_t:dir { add_name create write }; allow CDTml_types init_var_run_t:fifo_file { create open read }; allow CDTml_types init_var_run_t:sock_file { write }; allow CDTml_types initrc_var_run_t:file { lock }; allow CDTml_types kernel_t:system module_request; allow CDTml_types kernel_t:unix_dgram_socket sendto; allow CDTml_types krb5_conf_t:file { getattr open read }; allow CDTml_types lastlog_t:file { append getattr ioctl lock open read write }; allow CDTml_types ld_so_cache_t:file { getattr map open read }; allow CDTml_types ld_so_t:file { execute map open read }; allow CDTml_types lib_t:dir { getattr open read search }; allow CDTml_types lib_t:file { execute ioctl getattr map open read }; allow CDTml_types lib_t:lnk_file read; allow CDTml_types locale_t:dir search; allow CDTml_types locale_t:file { getattr map open read }; allow CDTml_types locale_t:lnk_file read; allow CDTml_types local_login_t:fd use; allow CDTml_types local_login_t:process sigchld; allow CDTml_types mail_spool_t:dir { add_name write }; allow CDTml_types mail_spool_t:file { create setattr write }; allow CDTml_types CDTml_conf:file { append create getattr ioctl open read rename setattr unlink write }; allow CDTml_types mozilla_home_t:dir { add_name create setattr write }; allow CDTml_types net_conf_t:dir { add_name remove_name write }; allow CDTml_types net_conf_t:file { append create getattr open read rename setattr unlink write }; allow CDTml_types node_t:udp_socket node_bind; allow CDTml_types null_device_t:chr_file { ioctl read }; allow CDTml_types passwd_file_t:file { create getattr map open read rename setattr unlink write }; allow CDTml_types proc_t:dir { getattr open read search }; allow CDTml_types proc_t:file { getattr open read }; allow CDTml_types proc_t:filesystem getattr; allow CDTml_types ptmx_t:chr_file { ioctl open read write }; allow CDTml_types root_t:dir { getattr search }; allow CDTml_types security_t:dir { getattr open read search }; allow CDTml_types security_t:filesystem getattr; allow CDTml_types security_t:file { getattr open read write }; allow CDTml_types security_t:security { check_context compute_av }; allow CDTml_types self:capability { audit_write chown dac_override dac_read_search fowner fsetid net_admin net_raw setgid setuid sys_boot sys_ptrace }; allow CDTml_types self:fd use; allow CDTml_types self:fifo_file { getattr open read write }; allow CDTml_types self:file { getattr open read write }; allow CDTml_types self:key { read search view write }; allow CDTml_types self:lnk_file { read }; allow CDTml_types self:netlink_audit_socket { create nlmsg_relay read write }; allow CDTml_types self:passwd passwd; allow CDTml_types self:process { execmem fork noatsecure rlimitinh setfscreate sigchld siginh signal transition }; allow CDTml_types self:rawip_socket { create getopt setopt }; allow CDTml_types self:tcp_socket { connect create getattr getopt read setopt shutdown write }; allow CDTml_types self:udp_socket { bind connect create getattr ioctl read setopt write }; allow CDTml_types self:unix_dgram_socket { connect create write }; allow CDTml_types self:unix_stream_socket { connect create shutdown }; allow CDTml_types selinux_config_t:dir search; allow CDTml_types shadow_t:file { create getattr open map read rename setattr unlink write }; allow CDTml_types shell_exec_t:file { execute map read }; allow CDTml_types ssh_exec_t:file { execute execute_no_trans getattr map open read }; allow CDTml_types ssh_home_t:dir { add_name create remove_name search setattr write }; allow CDTml_types ssh_home_t:file { append create setattr unlink write }; allow CDTml_types ssh_keygen_exec_t:file { execute execute_no_trans getattr map open read }; allow CDTml_types ssh_port_t:tcp_socket { name_connect }; allow CDTml_types sysctl_net_t:file write; allow CDTml_types sysfs_t:dir search; allow CDTml_types syslog_conf_t:file { write }; allow CDTml_types system_dbusd_var_run_t:sock_file write; allow CDTml_types systemd_logind_t:fd use; allow CDTml_types systemd_logind_t:file { getattr open read }; allow CDTml_types systemd_unit_file_t:service { start stop enable disable status }; allow CDTml_types tmp_t:dir { add_name create getattr open read remove_name rmdir search setattr write }; allow CDTml_types tmp_t:file { append create getattr ioctl open read setattr unlink write }; allow CDTml_types tmp_t:sock_file { create unlink write }; allow CDTml_types tuned_t:dir { getattr search }; allow CDTml_types tuned_t:file { getattr open read }; allow CDTml_types udev_t:dir { getattr search }; allow CDTml_types udev_t:file { getattr open read }; allow CDTml_types unconfined_t:dir { getattr search }; allow CDTml_types unconfined_t:fifo_file { getattr ioctl open read write }; allow CDTml_types unconfined_t:file { getattr open read }; allow CDTml_types unconfined_t:key { link read search view }; allow CDTml_types user_home_dir_t:dir { add_name create getattr open read remove_name search setattr write }; allow CDTml_types user_home_dir_t:file { append create getattr ioctl open read rename setattr unlink write }; allow CDTml_types user_home_t:file { append create getattr open read rename setattr unlink write }; allow CDTml_types user_tmp_t:file write; allow CDTml_types user_tty_device_t:chr_file { getattr ioctl read write }; allow CDTml_types usr_t:dir { getattr open search }; allow CDTml_types usr_t:file { getattr ioctl open read }; allow CDTml_types var_log_t:file { getattr ioctl lock map open read }; allow CDTml_types var_run_t:dir search; allow CDTml_types var_run_t:file { lock open read }; allow CDTml_types var_run_t:lnk_file read; allow CDTml_types var_t:dir { add_name getattr search open write }; allow initrc_t CDTml_types:dir { getattr open read search }; allow initrc_t CDTml_types:file { getattr ioctl map open read }; allow syslogd_t CDTml_types:dir search; allow syslogd_t CDTml_types:file { getattr open read }; allow syslogd_t CDTml_types:lnk_file read; allow CDTml_types { abrt_t abrt_watch_log_t auditd_t crond_t dhcpc_t firewalld_t fsdaemon_t getty_t init_t initrc_var_run_t kernel_t local_login_t lsmd_t lvm_t policykit_t proc_t rhnsd_t rhsmcertd_t rngd_t rpcbind_t user_home_t var_log_t xferAdmin_t xferLib_t }:dir { getattr open read search }; allow CDTml_types { abrt_t abrt_watch_log_t auditd_t crond_t dhcpc_t firewalld_t fsdaemon_t getty_t init_t initrc_var_run_t kernel_t local_login_t lsmd_t lvm_t policykit_t rhnsd_t rhsmcertd_t rngd_t rpcbind_t }:file { open read }; allow CDTml_types { proc_t }:lnk_file { getattr open read }; allow CDTml_types { null_device_t user_devpts_t }:chr_file { append getattr ioctl open read write }; allow CDTml_types security_t:file { getattr open read }; allow CDTml_types self:key link; allow CDTml_types self:process { setrlimit setsched sigkill }; allow CDTml_types self:unix_stream_socket { accept bind listen }; allow CDTml_types setrans_var_run_t:dir search; allow CDTml_types shell_exec_t:file { execute_no_trans getattr open }; allow CDTml_types ssh_agent_exec_t:file { execute execute_no_trans map open read }; allow CDTml_types ssh_home_t:dir getattr; allow CDTml_types ssh_home_t:file { getattr open read }; allow CDTml_types sshd_t:dir { getattr search }; allow CDTml_types sshd_t:file { open read }; allow CDTml_types su_exec_t:file { execute execute_no_trans getattr map open read }; allow CDTml_types sysctl_kernel_t:dir search; allow CDTml_types sysctl_kernel_t:file { open read }; allow CDTml_types syslogd_t:dir { getattr search }; allow CDTml_types syslogd_t:file { open read }; allow CDTml_types system_dbusd_t:dir { getattr search }; allow CDTml_types system_dbusd_t:file { open read }; allow CDTml_types systemd_logind_sessions_t:fifo_file write; allow CDTml_types systemd_logind_t:dbus send_msg; allow CDTml_types systemd_logind_t:dir { getattr search }; ########################################################### # # For connecting to and using dbus, if necessary allow CDTml_types { system_dbusd_t self }:dbus send_msg; allow { system_dbusd_t dbusd_unconfined } CDTml_types:dbus send_msg; allow CDTml_types system_dbusd_var_lib_t:dir { getattr search open }; allow CDTml_types system_dbusd_var_lib_t:file { open { getattr read ioctl lock } }; allow CDTml_types var_lib_t:dir { getattr search open }; allow CDTml_types device_t:dir { getattr search open }; allow CDTml_types urandom_device_t:chr_file { getattr open read ioctl }; allow CDTml_types var_t:lnk_file { read }; allow CDTml_types var_run_t:lnk_file { read }; allow CDTml_types var_run_t:dir { add_name create getattr open read relabelto remove_name search setattr write }; allow CDTml_types system_dbusd_var_run_t:dir { getattr search open }; allow CDTml_types system_dbusd_var_run_t:sock_file { write }; allow CDTml_types system_dbusd_t:unix_stream_socket connectto; allow CDTml_types dbusd_etc_t:dir { getattr search open read }; allow CDTml_types dbusd_etc_t:file { open { getattr read ioctl lock } }; allow CDTml_types unconfined_service_t:dbus send_msg; allow unconfined_service_t CDTml_types:dbus send_msg; allow CDTml_types sshd_t:fd { use }; allow CDTml_types init_tmp_t:file { append create getattr ioctl open read write }; allow CDTml_types unconfined_t:fd { use }; allow unconfined_t CDTml_types:process { noatsecure rlimitinh siginh sigkill signal signull }; allow CDTml_types unconfined_t :process { sigchld }; allow CDTml_types self:dir { getattr open read search }; allow CDTml_types self:file { getattr ioctl open read }; allow CDTml_types self:fifo_file { ioctl }; allow CDTml_types self:netlink_route_socket { bind create getattr nlmsg_read read setopt write }; allow CDTml_types self:netlink_selinux_socket { bind create getattr nlmsg_read read setopt write }; allow CDTml_types self:unix_stream_socket { connectto getattr getopt ioctl read setopt write }; allow CDTml_types init_t:dbus send_msg; allow init_t CDTml_types:dbus send_msg; allow CDTml_types system_dbusd_t:dbus send_msg; allow CDTml_types system_dbusd_t:unix_stream_socket connectto; allow init_t CDTml_types:file { getattr ioctl open read }; allow init_t CDTml_types:dir { getattr open read search }; allow system_dbusd_t CDTml_types:file { getattr ioctl open read }; allow system_dbusd_t CDTml_types:dir { getattr open read search }; allow CDTml_types init_t:system { reload status }; allow CDTml_types policykit_t:dbus send_msg; allow policykit_t CDTml_types:dbus send_msg; allow CDTml_types systemd_hostnamed_t:dbus send_msg; allow systemd_hostnamed_t CDTml_types:dbus send_msg; allow systemd_logind_t CDTml_types:dbus send_msg; ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Defining SELinux users, "Unable to get valid context...". Help! 2021-02-13 20:26 ` Peter Whittaker @ 2021-02-13 20:39 ` Dominick Grift 2021-02-13 22:42 ` Peter Whittaker 0 siblings, 1 reply; 19+ messages in thread From: Dominick Grift @ 2021-02-13 20:39 UTC (permalink / raw) To: Peter Whittaker; +Cc: Topi Miettinen, SElinux list Peter Whittaker <peterwhittaker@sphyrnasecurity.com> writes: > On Sat, Feb 13, 2021 at 1:08 PM Topi Miettinen <toiwoton@gmail.com> wrote: >> On 13.2.2021 18.09, Dominick Grift wrote: >> > Peter Whittaker <peterwhittaker@sphyrnasecurity.com> writes: >> >> 1. Of the changes I have applied over the last 1-3 days, >> >> what is the minimum set required to achieve this? My >> >> immediate future includes bisection. >> > >> > Yes i guess work your way back and see... > > Well, this turned out to be more difficult than I had hoped. I made a > stupid decision when I was committing changes, amending previous > commits instead of letting them pile on. I did it to avoid excessive > commit history and that was a stupid choice - I cannot bisect what I > do not have - I won't do that again. > > I decided to take a different tack, and that has some interesting > results: I have two user types that must be able to connect to the > box, auditors and transfer initiators; my results so far have involved > transfer initiators, which work at the local console but not over SSH, > so I decided to duplicate what I have for transfer initiators and see > if I could get auditors to work. > > Long story short, I cannot: The key point seems to be that only some > of the contexts that become valid for > CDTml_high2local_u/xferHigh2Local_t (transfer initiators) become valid > for CDTml_auditor_u/xferAudit_t. I'll point that out below in the > journalctl extracts.... > >> >> 2. Why doesn't it work with SSH, when it does work with >> >> the console (yes, the ssh_sysadm_login is on)? >> > >> > see if the ssh daemon runs with the expected: >> > system_u:system_r:sshd_t:s0 context (ps auxZ | grep ssh) > > It does: See the shell output, below. Everything else checks out too, AFAICT. > >>> genconlist >>> getdefaultcon >> There's also `sedta` (Debian: setools package) which AFAICT walks >> through the login process (except for the part that tries to find out >> the default context for the user): > > The sedta utility is not available in my setools, which are still back > at version 3; I could build it, but I am worried about the overall > SELinux installation getting too far ahead of the version I need to > work with (long story, customer related). The same > limitations/concerns prevent me from doing much with > getconlist/getdefaultcon. > > I am going to have to bite the bullet and do most/all of my > development/test on very recent Fedora, then rebuild on the older RHEL > I have to work with. I'm not up for that this weekend, I'll look at > this for Monday. Which is a holiday. Sigh. > > In the meantime, I've run some comparisons with interesting results. > Apologies for the excess quantities of logs, etc., it seemed relevant. > > Remember that transfer users can login at the console and get the > right context, but do not get the correct context via SSH (though they > can login), while auditors can log in on both and get bogus contexts > on both. There are clues in the journalctl output, but I cannot > interpret them. > > WRT all of what follows, I've attached the current CDTml.te; yes, it > misses the domain type, but at this point, I want to identify why the > two different types of users are treated differently. This is all > under permissive mode. > > Shell commands to compare the two types of users, their policies, and > to verity that things are installed and labelled as expected: > > % seinfo -xuCDTml_high2local_u > CDTml_high2local_u > default level: s0 > range: s0 > roles: > object_r > CDTml_high2local_r > > % seinfo -xuCDTml_auditor_u > CDTml_auditor_u > default level: s0 > range: s0 > roles: > object_r > CDTml_auditor_r > > % seinfo -xrCDTml_high2local_r > CDTml_high2local_r > Dominated Roles: > CDTml_high2local_r > Types: > xferHigh2Local_t > xferHigh2Local_exec_t > > % seinfo -xrCDTml_auditor_r > CDTml_auditor_r > Dominated Roles: > CDTml_auditor_r > Types: > xferAudit_t > xferAudit_exec_t > > % seinfo -xtxferHigh2Local_t > xferHigh2Local_t > CDTml_types > process_user_target > userdomain > > % seinfo -xtxferAudit_t > xferAudit_t > CDTml_types > process_user_target > userdomain Where is "domain"? > > % semanage user -l (trimmed to just these two) > CDTml_auditor_u user s0 s0 > CDTml_auditor_r > CDTml_high2local_u user s0 s0 > CDTml_high2local_r > > % semanage login -l (trimmed to just these two) > %CDTml_high2local CDTml_high2local_u s0 * > %xferAuditGroup CDTml_auditor_u s0 * > > % ps auxZ |grep sshd > system_u:system_r:sshd_t:s0 root 1939 0.0 0.2 156816 5588 > ? Ss 13:25 0:00 sshd: pww [priv] > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pww 1942 0.0 > 0.1 156816 2512 ? S 13:25 0:00 sshd: pww@pts/0 > system_u:system_r:sshd_t:s0 root 2071 0.0 0.3 156816 5592 > ? Ss 13:30 0:00 sshd: pww [priv] > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pww 2074 0.0 > 0.1 156816 2512 ? S 13:30 0:00 sshd: pww@pts/1 > system_u:system_r:sshd_t:s0 root 58459 0.0 0.2 112936 4292 > ? Ss 14:10 0:00 /usr/sbin/sshd -D > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 61323 0.0 > 0.0 112808 952 pts/0 S+ 14:50 0:00 grep sshd > > % ls -lZ /etc/selinux/targeted/contexts/users/CDTml_auditor_u > -rw-r--r--. root root system_u:object_r:default_context_t:s0 > /etc/selinux/targeted/contexts/users/CDTml_auditor_u > > % ls -lZ /etc/selinux/targeted/contexts/users/CDTml_high2local_u > -rw-r--r--. root root system_u:object_r:default_context_t:s0 > /etc/selinux/targeted/contexts/users/CDTml_high2local_u > > % cat /etc/selinux/targeted/contexts/users/CDTml_auditor_u > system_r:crond_t:s0 CDTml_audit_r:xferAudit_t:s0 > system_r:initrc_su_t:s0 CDTml_audit_r:xferAudit_t:s0 > system_r:local_login_t:s0 CDTml_audit_r:xferAudit_t:s0 > system_r:remote_login_t:s0 CDTml_audit_r:xferAudit_t:s0 > system_r:sshd_t:s0 CDTml_audit_r:xferAudit_t:s0 > CDTml_audit_r:xferAudit_t:s0 CDTml_audit_r:xferAudit_t:s0 > > % cat /etc/selinux/targeted/contexts/users/CDTml_high2local_u > system_r:crond_t:s0 > CDTml_high2local_r:xferHigh2Local_t:s0 > system_r:initrc_su_t:s0 > CDTml_high2local_r:xferHigh2Local_t:s0 > system_r:local_login_t:s0 > CDTml_high2local_r:xferHigh2Local_t:s0 > system_r:remote_login_t:s0 > CDTml_high2local_r:xferHigh2Local_t:s0 > system_r:sshd_t:s0 > CDTml_high2local_r:xferHigh2Local_t:s0 > CDTml_high2local_r:xferHigh2Local_t:s0 > CDTml_high2local_r:xferHigh2Local_t:s0 > > So far, everything compares cleanly: All file contents and contexts > are correct and, as far as the commands above are concerned, the two > user types and roles have similar properties. > > journalctl is where things are interesting; I'll add commentary to the > journalctl results IN CAPS (annoying but easy to pick out: > > THIS STARTS WITH MY INSTALLATION SCRIPT, which runs semodule to > install the PP and semanage to set up users and mappings; it also > creates the first Linux user of each type. > > INSTALLING THE RPM: Base groups are created > Feb 13 14:09:53 localhost.localdomain groupadd[57256]: group added to > /etc/group: name=CDTml_high2local, GID=2105 > Feb 13 14:09:53 localhost.localdomain groupadd[57256]: group added to > /etc/gshadow: name=CDTml_high2local > Feb 13 14:09:53 localhost.localdomain groupadd[57256]: new group: > name=CDTml_high2local, GID=2105 > Feb 13 14:09:53 localhost.localdomain groupadd[57261]: group added to > /etc/group: name=xferAuditGroup, GID=2200 > Feb 13 14:09:53 localhost.localdomain groupadd[57261]: group added to > /etc/gshadow: name=xferAuditGroup > Feb 13 14:09:53 localhost.localdomain groupadd[57261]: new group: > name=xferAuditGroup, GID=2200 > > CONTEXTS BECOMING VALID AS SEMODULE PROCESSES CDTml.pp: > Feb 13 14:10:39 localhost.localdomain kernel: SELinux: Context > system_u:system_r:xferHigh2Local_t:s0-s0:c0.c1023 became valid > (mapped). > Feb 13 14:10:39 localhost.localdomain kernel: SELinux: Context > system_u:system_r:xferAudit_t:s0-s0:c0.c1023 became valid (mapped). > Feb 13 14:10:39 localhost.localdomain kernel: SELinux: Context > system_u:system_r:xferAudit_exec_t:s0-s0:c0.c1023 became valid > (mapped). > Feb 13 14:10:39 localhost.localdomain kernel: SELinux: Context > system_u:system_r:xferHigh2Local_exec_t:s0-s0:c0.c1023 became valid > (mapped). > Feb 13 14:10:39 localhost.localdomain kernel: SELinux: Context > system_u:unconfined_r:xferHigh2Local_t:s0-s0:c0.c1023 became valid > (mapped). > Feb 13 14:10:39 localhost.localdomain kernel: SELinux: Context > system_u:unconfined_r:xferAudit_t:s0-s0:c0.c1023 became valid > (mapped). > Feb 13 14:10:39 localhost.localdomain kernel: SELinux: Context > system_u:unconfined_r:xferAudit_exec_t:s0-s0:c0.c1023 became valid > (mapped). > Feb 13 14:10:39 localhost.localdomain kernel: SELinux: Context > system_u:unconfined_r:xferHigh2Local_exec_t:s0-s0:c0.c1023 became > valid (mapped). > Feb 13 14:10:39 localhost.localdomain kernel: SELinux: Context > unconfined_u:system_r:xferHigh2Local_t:s0-s0:c0.c1023 became valid > (mapped). > Feb 13 14:10:39 localhost.localdomain kernel: SELinux: Context > unconfined_u:system_r:xferAudit_t:s0-s0:c0.c1023 became valid > (mapped). > Feb 13 14:10:39 localhost.localdomain kernel: SELinux: Context > unconfined_u:system_r:xferAudit_exec_t:s0-s0:c0.c1023 became valid > (mapped). > Feb 13 14:10:39 localhost.localdomain kernel: SELinux: Context > unconfined_u:system_r:xferHigh2Local_exec_t:s0-s0:c0.c1023 became > valid (mapped). > Feb 13 14:10:40 localhost.localdomain kernel: SELinux: Context > unconfined_u:unconfined_r:xferHigh2Local_t:s0-s0:c0.c1023 became valid > (mapped). > Feb 13 14:10:40 localhost.localdomain kernel: SELinux: Context > unconfined_u:unconfined_r:xferAudit_t:s0-s0:c0.c1023 became valid > (mapped). > Feb 13 14:10:40 localhost.localdomain kernel: SELinux: Context > unconfined_u:unconfined_r:xferAudit_exec_t:s0-s0:c0.c1023 became valid > (mapped). > Feb 13 14:10:40 localhost.localdomain kernel: SELinux: Context > unconfined_u:unconfined_r:xferHigh2Local_exec_t:s0-s0:c0.c1023 became > valid (mapped). > Feb 13 14:10:40 localhost.localdomain kernel: SELinux: Context > system_u:object_r:xferAudit_t:s0 became valid (mapped). > Feb 13 14:10:40 localhost.localdomain kernel: SELinux: Context > system_u:object_r:xferAudit_exec_t:s0 became valid (mapped). > Feb 13 14:10:40 localhost.localdomain kernel: SELinux: Context > system_u:object_r:xferHigh2Local_exec_t:s0 became valid (mapped). > > CONTEXTS BECOMING VALID AS A RESULT OF SEMANAGE USER/LOGIN > Feb 13 14:10:53 localhost.localdomain kernel: SELinux: Context > CDTml_high2local_u:CDTml_high2local_r:xferHigh2Local_t:s0 became valid > (mapped). > Feb 13 14:10:53 localhost.localdomain kernel: SELinux: Context > CDTml_high2local_u:CDTml_high2local_r:xferHigh2Local_exec_t:s0 became > valid (mapped). > Feb 13 14:10:53 localhost.localdomain kernel: SELinux: Context > CDTml_high2local_u:object_r:tty_device_t:s0 became valid (mapped). > Feb 13 14:10:53 localhost.localdomain kernel: SELinux: Context > CDTml_high2local_u:object_r:cache_home_t:s0 became valid (mapped). > Feb 13 14:10:53 localhost.localdomain kernel: SELinux: Context > CDTml_high2local_u:object_r:config_home_t:s0 became valid (mapped). > Feb 13 14:10:53 localhost.localdomain kernel: SELinux: Context > CDTml_high2local_u:object_r:user_home_t:s0 became valid (mapped). > Feb 13 14:11:03 localhost.localdomain kernel: SELinux: Context > CDTml_auditor_u:CDTml_auditor_r:xferAudit_t:s0 became valid (mapped). > Feb 13 14:11:03 localhost.localdomain kernel: SELinux: Context > CDTml_auditor_u:CDTml_auditor_r:xferAudit_exec_t:s0 became valid > (mapped). > NOTE NOTE NOTE ^^^^ THERE ARE ONLY TWO CONTEXTS FOR auditors, VERSUS > SIX FOR transfer initiators. WHAT CAUSES THE MISS? > > USERS LOGGING IN - NOTE THE SSH REJECTION OF AN OTHERWISE CORRECT > CONTEXT FOR icmc01 > Feb 13 14:13:41 localhost.localdomain sshd[58993]: > pam_selinux(sshd:session): Username= icmc01 SELinux User= > CDTml_high2local_u Level= s0 > Feb 13 14:13:41 localhost.localdomain sshd[58993]: > pam_selinux(sshd:session): Selected Security Context > CDTml_high2local_u:CDTml_high2local_r:xferHigh2Local_t:s0 > Feb 13 14:13:41 localhost.localdomain sshd[58993]: > pam_selinux(sshd:session): Checking if > CDTml_high2local_u:CDTml_high2local_r:xferHigh2Local_t:s0 mls range > valid for CDTml_high2local_u:CDTml_high2local_r:xferHigh2Local_t:s0 > Feb 13 14:13:41 localhost.localdomain sshd[58993]: > pam_selinux(sshd:session): Security context > CDTml_high2local_u:CDTml_high2local_r:xferHigh2Local_t:s0 is not > allowed for CDTml_high2local_u:CDTml_high2local_r:xferHigh2Local_t:s0 > WHAT? ^^^ WHY NOT? > > Feb 13 14:14:08 localhost.localdomain sshd[59060]: > pam_selinux(sshd:session): Username= audit01 SELinux User= > CDTml_auditor_u Level= s0 > Feb 13 14:14:23 localhost.localdomain login[1936]: > pam_selinux(login:session): Username= icmc01 SELinux User= > CDTml_high2local_u Level= s0 > Feb 13 14:14:23 localhost.localdomain login[1936]: > pam_selinux(login:session): Set file context of tty /dev/tty1: > [system_u:object_r:tty_device_t:s0] -> > [CDTml_high2local_u:object_r:tty_device_t:s0] > Feb 13 14:14:23 localhost.localdomain login[1936]: > pam_selinux(login:session): Set executable context: [] -> > [CDTml_high2local_u:CDTml_high2local_r:xferHigh2Local_t:s0] > Feb 13 14:14:23 localhost.localdomain login[1936]: > pam_selinux(login:session): Security Context > CDTml_high2local_u:CDTml_high2local_r:xferHigh2Local_t:s0 Assigned > Feb 13 14:14:23 localhost.localdomain login[1936]: > pam_selinux(login:session): Set key creation context to > CDTml_high2local_u:CDTml_high2local_r:xferHigh2Local_t:s0 > Feb 13 14:14:23 localhost.localdomain login[1936]: > pam_selinux(login:session): Key Creation Context > CDTml_high2local_u:CDTml_high2local_r:xferHigh2Local_t:s0 Assigned > Feb 13 14:14:28 localhost.localdomain login[1936]: > pam_selinux(login:session): Restore file context of tty /dev/tty1: > [CDTml_high2local_u:object_r:tty_device_t:s0] -> > [system_u:object_r:tty_device_t:s0] > Feb 13 14:14:28 localhost.localdomain login[1936]: > pam_selinux(login:session): Restore executable context: > [CDTml_high2local_u:CDTml_high2local_r:xferHigh2Local_t:s0] -> [] > Feb 13 14:14:33 localhost.localdomain login[59190]: > pam_selinux(login:session): Username= audit01 SELinux User= > CDTml_auditor_u Level= s0 > > At this point, I think audit01 fails to get their context because of > the six "missing" mappings, but I do not understand why SSHD is > rejecting the context for icmc01 that local login happily accepts. > > Thoughts? > > Thanks, > > P > > -- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Defining SELinux users, "Unable to get valid context...". Help! 2021-02-13 20:39 ` Dominick Grift @ 2021-02-13 22:42 ` Peter Whittaker 2021-02-14 7:30 ` Dominick Grift 0 siblings, 1 reply; 19+ messages in thread From: Peter Whittaker @ 2021-02-13 22:42 UTC (permalink / raw) To: Dominick Grift; +Cc: Topi Miettinen, SElinux list On Sat, Feb 13, 2021 at 3:41 PM Dominick Grift <dominick.grift@defensec.nl> wrote: > Where is "domain"? > Peter Whittaker <peterwhittaker@sphyrnasecurity.com> writes: > > WRT all of what follows, I've attached the current CDTml.te; yes, it > > misses the domain type, but at this point, I want to identify why the > > two different types of users are treated differently. This is all > > under permissive mode. Yes, I may need it, but at this point I want to understand why one works and the other doesn't. P ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Defining SELinux users, "Unable to get valid context...". Help! 2021-02-13 22:42 ` Peter Whittaker @ 2021-02-14 7:30 ` Dominick Grift 2021-02-14 16:25 ` Peter Whittaker 0 siblings, 1 reply; 19+ messages in thread From: Dominick Grift @ 2021-02-14 7:30 UTC (permalink / raw) To: Peter Whittaker; +Cc: Topi Miettinen, SElinux list Peter Whittaker <peterwhittaker@sphyrnasecurity.com> writes: > On Sat, Feb 13, 2021 at 3:41 PM Dominick Grift > <dominick.grift@defensec.nl> wrote: >> Where is "domain"? > >> Peter Whittaker <peterwhittaker@sphyrnasecurity.com> writes: >> > WRT all of what follows, I've attached the current CDTml.te; yes, it >> > misses the domain type, but at this point, I want to identify why the >> > two different types of users are treated differently. This is all >> > under permissive mode. > > Yes, I may need it, but at this point I want to understand why one > works and the other doesn't. I know that the openssh-server in red-hat based distributions has custom selinux patches. > > P -- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Defining SELinux users, "Unable to get valid context...". Help! 2021-02-14 7:30 ` Dominick Grift @ 2021-02-14 16:25 ` Peter Whittaker 2021-02-14 16:32 ` Dominick Grift 0 siblings, 1 reply; 19+ messages in thread From: Peter Whittaker @ 2021-02-14 16:25 UTC (permalink / raw) To: Dominick Grift; +Cc: Topi Miettinen, SElinux list On Sun, Feb 14, 2021 at 2:32 AM Dominick Grift <dominick.grift@defensec.nl> wrote: > Peter Whittaker <peterwhittaker@sphyrnasecurity.com> writes: > > > Yes, I may need it, but at this point I want to understand why one > > works and the other doesn't. > > I know that the openssh-server in red-hat based distributions has custom > selinux patches. Well. Just fixed it by accident. The relevant line of /etc/pam.d/sshd was session required pam_selinux.so open env_params In an attempt to debug the problem, I changed this to session required pam_selinux.so open select_context PAM did not ask me for a context, but did set the context correctly. session required pam_selinux.so open also worked fine. I need to do some research on this. The env_params option was a system default, I dislike changing system defaults unless I understand why. Now to figure why the auditor's context is failing to be set. P Peter Whittaker Director, Business Development www.SphyrnaSecurity.com +1 613 864 5337 ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Defining SELinux users, "Unable to get valid context...". Help! 2021-02-14 16:25 ` Peter Whittaker @ 2021-02-14 16:32 ` Dominick Grift 2021-02-14 16:37 ` Dominick Grift 0 siblings, 1 reply; 19+ messages in thread From: Dominick Grift @ 2021-02-14 16:32 UTC (permalink / raw) To: Peter Whittaker; +Cc: Topi Miettinen, SElinux list Peter Whittaker <peterwhittaker@sphyrnasecurity.com> writes: > On Sun, Feb 14, 2021 at 2:32 AM Dominick Grift > <dominick.grift@defensec.nl> wrote: >> Peter Whittaker <peterwhittaker@sphyrnasecurity.com> writes: >> >> > Yes, I may need it, but at this point I want to understand why one >> > works and the other doesn't. >> >> I know that the openssh-server in red-hat based distributions has custom >> selinux patches. > > Well. Just fixed it by accident. The relevant line of /etc/pam.d/sshd was > > session required pam_selinux.so open env_params > > In an attempt to debug the problem, I changed this to > > session required pam_selinux.so open select_context > > PAM did not ask me for a context, but did set the context correctly. > > session required pam_selinux.so open > > also worked fine. oh right! ... yes corner case... to make it work with env_params you need: allow xferHigh2Local_t self:context contains; Sorry for overlooking that > > I need to do some research on this. The env_params option was a system > default, I dislike changing system defaults unless I understand why. > > Now to figure why the auditor's context is failing to be set. > > P > > Peter Whittaker > Director, Business Development > www.SphyrnaSecurity.com > +1 613 864 5337 -- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Defining SELinux users, "Unable to get valid context...". Help! 2021-02-14 16:32 ` Dominick Grift @ 2021-02-14 16:37 ` Dominick Grift 2021-02-14 17:02 ` Peter Whittaker 0 siblings, 1 reply; 19+ messages in thread From: Dominick Grift @ 2021-02-14 16:37 UTC (permalink / raw) To: Peter Whittaker; +Cc: Topi Miettinen, SElinux list Dominick Grift <dominick.grift@defensec.nl> writes: > Peter Whittaker <peterwhittaker@sphyrnasecurity.com> writes: > >> On Sun, Feb 14, 2021 at 2:32 AM Dominick Grift >> <dominick.grift@defensec.nl> wrote: >>> Peter Whittaker <peterwhittaker@sphyrnasecurity.com> writes: >>> >>> > Yes, I may need it, but at this point I want to understand why one >>> > works and the other doesn't. >>> >>> I know that the openssh-server in red-hat based distributions has custom >>> selinux patches. >> >> Well. Just fixed it by accident. The relevant line of /etc/pam.d/sshd was >> >> session required pam_selinux.so open env_params >> >> In an attempt to debug the problem, I changed this to >> >> session required pam_selinux.so open select_context >> >> PAM did not ask me for a context, but did set the context correctly. >> >> session required pam_selinux.so open >> >> also worked fine. > > oh right! ... yes corner case... > > to make it work with env_params you need: > > allow xferHigh2Local_t self:context contains; > > Sorry for overlooking that > >> >> I need to do some research on this. The env_params option was a system >> default, I dislike changing system defaults unless I understand why. >> >> Now to figure why the auditor's context is failing to be set. I think this patch is why you need "context containts" when you have "env_params" set: https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.8p1-role-mls.patch >> >> P >> >> Peter Whittaker >> Director, Business Development >> www.SphyrnaSecurity.com >> +1 613 864 5337 -- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Defining SELinux users, "Unable to get valid context...". Help! 2021-02-14 16:37 ` Dominick Grift @ 2021-02-14 17:02 ` Peter Whittaker 0 siblings, 0 replies; 19+ messages in thread From: Peter Whittaker @ 2021-02-14 17:02 UTC (permalink / raw) To: Dominick Grift; +Cc: Topi Miettinen, SElinux list On Sun, Feb 14, 2021 at 11:39 AM Dominick Grift <dominick.grift@defensec.nl> wrote: > Dominick Grift <dominick.grift@defensec.nl> writes: > > Peter Whittaker <peterwhittaker@sphyrnasecurity.com> writes: > > > >> session required pam_selinux.so open > >> > >> also worked fine. > > > > oh right! ... yes corner case... > > > > to make it work with env_params you need: > > > > allow xferHigh2Local_t self:context contains; > > > > Sorry for overlooking that No worries! So many moving parts to keep track of. > >> I need to do some research on this. The env_params option was a system > >> default, I dislike changing system defaults unless I understand why. > >> > >> Now to figure why the auditor's context is failing to be set. > > I think this patch is why you need "context containts" when you have > "env_params" set: https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.8p1-role-mls.patch Interesting. This might argue for an OS upgrade.... What is driving me particularly nutty is that for this 7.9 Maipo box, I based my rules on a working set I wrote for a 7.8 Maipo box. Among other things, both use sshd 7.4p1. And yet the 7.8 box has 'env_params' and no 'contains' rules, and all SSH logins work as expected, while this 7.9 box has me clawing me at my eyes. P ^ permalink raw reply [flat|nested] 19+ messages in thread
end of thread, other threads:[~2021-02-14 17:03 UTC | newest] Thread overview: 19+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2021-02-11 20:12 Defining SELinux users, "Unable to get valid context...". Help! Peter Whittaker 2021-02-11 20:40 ` Fwd: " Peter Whittaker 2021-02-12 7:22 ` Dominick Grift 2021-02-12 7:54 ` Dominick Grift 2021-02-12 21:16 ` Peter Whittaker 2021-02-12 21:49 ` Dominick Grift 2021-02-12 22:43 ` Peter Whittaker 2021-02-13 7:22 ` Dominick Grift 2021-02-13 14:13 ` Peter Whittaker 2021-02-13 16:09 ` Dominick Grift 2021-02-13 18:06 ` Topi Miettinen 2021-02-13 20:26 ` Peter Whittaker 2021-02-13 20:39 ` Dominick Grift 2021-02-13 22:42 ` Peter Whittaker 2021-02-14 7:30 ` Dominick Grift 2021-02-14 16:25 ` Peter Whittaker 2021-02-14 16:32 ` Dominick Grift 2021-02-14 16:37 ` Dominick Grift 2021-02-14 17:02 ` Peter Whittaker
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.