
Re: making a file context change work for initrc_t and unconfined_t



On Tue, 2012-02-07 at 22:39 +0000, Christina Plummer wrote:

> Hi there,

Hi

> To start with, I've run "sudo semanage -i likewise-cmds", where likewise-cmds 
> contains the following (based on what I found in the likewise.fc from git as 
> well as Dominick's notes above -- replacing /usr/sbin 
> with /opt/likewise/sbin, and all instances of "likewise-open" with "likewise"):
> 
> fcontext -a -t likewise_var_lib_t "/var/lib/likewise(/.*)?"
> fcontext -a -t lsassd_var_socket_t /var/lib/likewise/.lsassd
> fcontext -a -t lwiod_var_socket_t /var/lib/likewise/.lwiod
> fcontext -a -t lwsmd_var_socket_t /var/lib/likewise/.lwsm
> fcontext -a -t lwsmd_var_lib_t /var/lib/likewise/.lwsmd-lock
> fcontext -a -t lwregd_var_socket_t /var/lib/likewise/.regsd
> fcontext -a -t netlogond_var_socket_t /var/lib/likewise/.netlogond
> fcontext -a -t lsassd_var_socket_t /var/lib/likewise/.ntlmd
> fcontext -a -t netlogond_var_lib_t /var/lib/likewise/krb5-affinity.conf
> fcontext -a -t lsassd_var_lib_t "/var/lib/likewise/krb5cc_lsass(.*)?"
> fcontext -a -t eventlogd_var_lib_t /var/lib/likewise/db/lwi_events.db
> fcontext -a -t lsassd_var_lib_t /var/lib/likewise/db/sam.db
> fcontext -a -t lsassd_var_lib_t "/var/lib/likewise/db/lsass-adcache.filedb.(.*)?"
> fcontext -a -t lwregd_var_lib_t /var/lib/likewise/db/registry.db
> fcontext -a -t lsassd_var_socket_t /var/lib/likewise/rpc/lsass
> fcontext -a -t likewise_krb5_ad_t /etc/likewise/likewise-krb5-ad.conf
> fcontext -a -t likewise_etc_t "/etc/likewise(/.*)?"
> fcontext -a -t dcerpcd_exec_t /opt/likewise/sbin/dcerpcd
> fcontext -a -t eventlogd_exec_t /opt/likewise/sbin/eventlogd
> fcontext -a -t lsassd_exec_t /opt/likewise/sbin/lsassd
> fcontext -a -t lwiod_exec_t /opt/likewise/sbin/lwiod
> fcontext -a -t lwregd_exec_t /opt/likewise/sbin/lwregd
> fcontext -a -t lwsmd_exec_t /opt/likewise/sbin/lwsmd
> fcontext -a -t netlogond_exec_t /opt/likewise/sbin/netlogond

A lot of the above file context specifications are wrong because you
have not specified what class of object it is for.

The -f option allows you to specify what type of object the
specification is for.

Example: -f -- is a file, -f -d is a dir, -f -s is a sock file
(those are the most common objects, but there are also character,
block, fifo and link files).

> I added some wildcards in there because some of the files get created with the 
> Active Directory domain name appended to them, namely:
> 
> /var/lib/likewise/krb5cc_lsass.MYDOMAIN.NET
> /var/lib/likewise/db/lsass-adcache.filedb.MYDOMAIN.NET

Yes, that is good. Just append .* to the file name or so.


> After running "restorecon -R -F -v" on all those directories and rebooting, I 
> just got these denials:
> 
> type=AVC msg=audit(02/07/2012 21:55:59.592:23979) : avc:  denied  { open } for  
> pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17 
> scontext=system_u:system_r:lsassd_t:s0 
> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file

Looks like an init script (or a process running in the init script
domain) created a file with name krb5cc_1040237070 in /tmp (inode 17 on
device dm-4 to be exact).

/tmp should not be used by system wide services. I am not sure where and
if you can configure whatever created that file and tell it to use a
proper place like /var/lib/$APP, but if possible then that is best.

Also you should figure out what created this (was it some init script?).
It might be that some process was running in the init script domain due
to a mislabeled executable file (ps auxZ | grep initrc_t).

> type=AVC msg=audit(02/07/2012 21:55:59.592:23979) : avc:  denied  { read } for  
> pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17 
> scontext=system_u:system_r:lsassd_t:s0 
> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
> type=AVC msg=audit(02/07/2012 21:55:59.600:23980) : avc:  denied  { lock } for  
> pid=1671 comm=lsassd path=/tmp/krb5cc_1040237070 dev=dm-4 ino=17 
> scontext=system_u:system_r:lsassd_t:s0 
> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
> type=AVC msg=audit(02/07/2012 21:55:59.609:23981) : avc:  denied  { unlink } 
> for  pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17 
> scontext=system_u:system_r:lsassd_t:s0 
> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
> 
> There were also a bunch of getattr denials on stuff in /proc.

Yes, I know.

> Those files in /tmp are owned by me, apparently created when I logged in.  They 
> might have been left over from before.  
> Otherwise, everything looks good so far.
> 
> I haven't tried building the additional "mylikewise" policy yet, but I can do 
> that next.  I can also start over on a fresh box if that would be helpful.

I can create a loadable module based off the patch that I will attach
below that will take care of the file context specs as well as the
additional policy you might need to get this to work.

Would be great if you could apply that and see if that works for you.

Unfortunately it is a bit late here currently and I need my rest now, but
I will work tomorrow on the loadable policy module and send it to the
list. So you should be able to apply it tomorrow.

> Thanks,
> Christina
> 

Thank you


From 0fa4f19a431df14fbd2aeb3d12812a37536e65b4 Sat, 4 Feb 2012 19:04:08 +0100
From: Dominick Grift <dominick.grift@xxxxxxxxx>
Date: Sat, 4 Feb 2012 19:03:08 +0100
Subject: [PATCH] Likewise sometimes installs in "likewise" and sometimes "likewise-open" Various fixes: https://lists.fedoraproject.org/pipermail/selinux/2012-January/014333.html

Signed-off-by: Dominick Grift <dominick.grift@xxxxxxxxx>

diff --git a/policy/modules/services/likewise.fc b/policy/modules/services/likewise.fc
index 057a4e4..438843f 100644
--- a/policy/modules/services/likewise.fc
+++ b/policy/modules/services/likewise.fc
@@ -10,6 +10,16 @@
 /etc/rc\.d/init\.d/lwsmd		--	gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/netlogond		--	gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/srvsvcd		--	gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/likewise		--	gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+
+/opt/likewise(-open)?/sbin/dcerpcd			--	gen_context(system_u:object_r:dcerpcd_exec_t,s0)
+/opt/likewise(-open)?/sbin/eventlogd			--	gen_context(system_u:object_r:eventlogd_exec_t,s0)
+/opt/likewise(-open)?/sbin/lsassd			--	gen_context(system_u:object_r:lsassd_exec_t,s0)
+/opt/likewise(-open)?/sbin/lwiod				--	gen_context(system_u:object_r:lwiod_exec_t,s0)
+/opt/likewise(-open)?/sbin/lwregd			--	gen_context(system_u:object_r:lwregd_exec_t,s0)
+/opt/likewise(-open)?/sbin/lwsmd				--	gen_context(system_u:object_r:lwsmd_exec_t,s0)
+/opt/likewise(-open)?/sbin/netlogond			--	gen_context(system_u:object_r:netlogond_exec_t,s0)
+/opt/likewise(-open)?/sbin/srvsvcd			--	gen_context(system_u:object_r:srvsvcd_exec_t,s0)
 
 /usr/sbin/dcerpcd			--	gen_context(system_u:object_r:dcerpcd_exec_t,s0)
 /usr/sbin/eventlogd			--	gen_context(system_u:object_r:eventlogd_exec_t,s0)
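Review bot: the new /etc/rc\.d/init\.d/likewise entry at the top of this hunk is appended after srvsvcd, breaking the alphabetical order the surrounding init script entries keep (lwsmd, netlogond, srvsvcd); move it ahead of lwsmd. In the /opt block, the lwiod and lwsmd lines carry one more tab before the "--" column than the other six; keep the tab count identical within the group so the class column lines up as it does for the /usr/sbin entries below.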
@@ -20,30 +30,35 @@
 /usr/sbin/netlogond			--	gen_context(system_u:object_r:netlogond_exec_t,s0)
 /usr/sbin/srvsvcd			--	gen_context(system_u:object_r:srvsvcd_exec_t,s0)
 
-/var/lib/likewise-open(/.*)?			gen_context(system_u:object_r:likewise_var_lib_t,s0)
-/var/lib/likewise-open/\.lsassd		-s	gen_context(system_u:object_r:lsassd_var_socket_t,s0)
-/var/lib/likewise-open/\.lwiod		-s	gen_context(system_u:object_r:lwiod_var_socket_t,s0)
-/var/lib/likewise-open/\.regsd		-s	gen_context(system_u:object_r:lwregd_var_socket_t,s0)
-/var/lib/likewise-open/\.lwsm		-s	gen_context(system_u:object_r:lwsmd_var_socket_t,s0)
-/var/lib/likewise-open/\.netlogond	-s	gen_context(system_u:object_r:netlogond_var_socket_t,s0)
-/var/lib/likewise-open/\.ntlmd		-s	gen_context(system_u:object_r:lsassd_var_socket_t,s0)
-/var/lib/likewise-open/krb5-affinity.conf --	gen_context(system_u:object_r:netlogond_var_lib_t, s0)
-/var/lib/likewise-open/krb5ccr_lsass	--	gen_context(system_u:object_r:lsassd_var_lib_t, s0)
-/var/lib/likewise-open/LWNetsd\.err	--	gen_context(system_u:object_r:netlogond_var_lib_t,s0)
-/var/lib/likewise-open/lsasd\.err	--	gen_context(system_u:object_r:lsassd_var_lib_t,s0)
-/var/lib/likewise-open/regsd\.err	--	gen_context(system_u:object_r:lwregd_var_lib_t,s0)
-/var/lib/likewise-open/db		-d	gen_context(system_u:object_r:likewise_var_lib_t,s0)
-/var/lib/likewise-open/db/lwi_events.db	--	gen_context(system_u:object_r:eventlogd_var_lib_t,s0)
-/var/lib/likewise-open/db/sam\.db	--	gen_context(system_u:object_r:lsassd_var_lib_t,s0)
-/var/lib/likewise-open/db/lsass-adcache\.db --	gen_context(system_u:object_r:lsassd_var_lib_t,s0)
-/var/lib/likewise-open/db/lsass-adstate\.filedb -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
-/var/lib/likewise-open/db/registry\.db	--	gen_context(system_u:object_r:lwregd_var_lib_t,s0)
-/var/lib/likewise-open/rpc		-d	gen_context(system_u:object_r:likewise_var_lib_t,s0)
-/var/lib/likewise-open/rpc/epmapper	-s	gen_context(system_u:object_r:dcerpcd_var_socket_t, s0)
-/var/lib/likewise-open/rpc/lsass	-s	gen_context(system_u:object_r:lsassd_var_socket_t, s0)
-/var/lib/likewise-open/rpc/socket 	-s	gen_context(system_u:object_r:eventlogd_var_socket_t, s0)
-/var/lib/likewise-open/run		-d	gen_context(system_u:object_r:likewise_var_lib_t,s0)
-/var/lib/likewise-open/run/rpcdep.dat	--	gen_context(system_u:object_r:dcerpcd_var_lib_t, s0)
+/var/lib/likewise(-open)?(/.*)?			gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise(-open)?/\.eventlog	-s	gen_context(system_u:object_r:eventlogd_var_socket_t,s0)
+/var/lib/likewise(-open)?/\.lsassd		-s	gen_context(system_u:object_r:lsassd_var_socket_t,s0)
+/var/lib/likewise(-open)?/\.lwiod		-s	gen_context(system_u:object_r:lwiod_var_socket_t,s0)
+/var/lib/likewise(-open)?/\.regsd		-s	gen_context(system_u:object_r:lwregd_var_socket_t,s0)
+/var/lib/likewise(-open)?/\.lwsm		-s	gen_context(system_u:object_r:lwsmd_var_socket_t,s0)
+/var/lib/likewise(-open)?/\.lwsmd-lock	--	gen_context(system_u:object_r:lwsmd_var_lib_t,s0)
+/var/lib/likewise(-open)?/\.netlogond	-s	gen_context(system_u:object_r:netlogond_var_socket_t,s0)
+/var/lib/likewise(-open)?/\.ntlmd		-s	gen_context(system_u:object_r:lsassd_var_socket_t,s0)
+/var/lib/likewise(-open)?/\.pstore\.lock	--	gen_context(system_u:object_r:likewise_pstore_lock_t,s0)
+/var/lib/likewise(-open)?/krb5-affinity.conf --	gen_context(system_u:object_r:netlogond_var_lib_t, s0)
+/var/lib/likewise(-open)?/krb5cc\_lsass\..*		--	gen_context(system_u:object_r:lsassd_var_lib_t, s0)
+/var/lib/likewise(-open)?/krb5ccr_lsass	--	gen_context(system_u:object_r:lsassd_var_lib_t, s0)
+/var/lib/likewise(-open)?/LWNetsd\.err	--	gen_context(system_u:object_r:netlogond_var_lib_t,s0)
+/var/lib/likewise(-open)?/lsasd\.err	--	gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise(-open)?/regsd\.err	--	gen_context(system_u:object_r:lwregd_var_lib_t,s0)
+/var/lib/likewise(-open)?/db		-d	gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise(-open)?/db/lwi_events.db	--	gen_context(system_u:object_r:eventlogd_var_lib_t,s0)
+/var/lib/likewise(-open)?/db/sam\.db	--	gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise(-open)?/db/lsass-adcache\.filedb\..*	--	gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise(-open)?/db/lsass-adcache\.db	--	gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise(-open)?/db/lsass-adstate\.filedb	--	gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise(-open)?/db/registry\.db	--	gen_context(system_u:object_r:lwregd_var_lib_t,s0)
+/var/lib/likewise(-open)?/rpc		-d	gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise(-open)?/rpc/epmapper	-s	gen_context(system_u:object_r:dcerpcd_var_socket_t, s0)
+/var/lib/likewise(-open)?/rpc/lsass	-s	gen_context(system_u:object_r:lsassd_var_socket_t, s0)
+/var/lib/likewise(-open)?/rpc/socket 	-s	gen_context(system_u:object_r:eventlogd_var_socket_t, s0)
+/var/lib/likewise(-open)?/run		-d	gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise(-open)?/run/rpcdep.dat	--	gen_context(system_u:object_r:dcerpcd_var_lib_t, s0)
 
 /var/run/eventlogd.pid			--	gen_context(system_u:object_r:eventlogd_var_run_t,s0)
 /var/run/lsassd.pid			--	gen_context(system_u:object_r:lsassd_var_run_t,s0)
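Review bot: the krb5cc\_lsass\..* line escapes the underscore, which is not a regex metacharacter and whose escaped form is undefined in POSIX ERE; write it as krb5cc_lsass\..* like the krb5ccr_lsass entry next to it. In the same hunk the dots in krb5-affinity.conf, lwi_events.db and rpcdep.dat remain unescaped (carried over from the removed lines) while sam\.db, registry\.db and the others are escaped; an unescaped dot matches any character, so escape these too now that the lines are being touched. The hunk also labels \.pstore\.lock as likewise_pstore_lock_t, and nothing in the .te diff below declares that type; confirm it already exists in likewise.te, since a spec for an undeclared type fails at module build. Finally, gen_context(…, s0) and gen_context(…,s0) are mixed across the new lines; pick one spelling.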
diff --git a/policy/modules/services/likewise.if b/policy/modules/services/likewise.if
index 81d98b3..a340496 100644
--- a/policy/modules/services/likewise.if
+++ b/policy/modules/services/likewise.if
@@ -74,6 +74,8 @@
 	manage_sock_files_pattern($1_t, likewise_var_lib_t, $1_var_socket_t)
 	filetrans_pattern($1_t, likewise_var_lib_t, $1_var_socket_t, sock_file)
 
+	kernel_read_system_state($1_t)
+
 	dev_read_rand($1_t)
 	dev_read_urand($1_t)
 
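Review bot: kernel_read_system_state($1_t) lands in the shared template, so every Likewise daemon gains read access to /proc and the rest of the kernel state, while the thread reports only getattr denials on /proc and the lsassd hunk below separately dontaudits searching other domains' state. If only some of the daemons read kernel state, grant it in their own local policy sections instead; if it really is a template-wide need, say so in the interface's doc comment so reviewers know why all likewise_domains carry it.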
diff --git a/policy/modules/services/likewise.te b/policy/modules/services/likewise.te
index 18dc6e5..4a373fa 100644
--- a/policy/modules/services/likewise.te
+++ b/policy/modules/services/likewise.te
@@ -84,6 +84,10 @@
 corenet_udp_sendrecv_generic_node(eventlogd_t)
 corenet_udp_sendrecv_generic_port(eventlogd_t)
 
+corenet_tcp_connect_epmap_port(eventlogd_t)
+corenet_tcp_sendrecv_epmap_port(eventlogd_t)
+corenet_sendrecv_epmap_client_packets(eventlogd_t)
+
 #################################
 #
 # Likewise Authentication service local policy
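Review bot: eventlogd_t gets corenet_sendrecv_epmap_client_packets next to the epmap connect and sendrecv port calls, but lsassd_t in the next hunk keeps only corenet_tcp_connect_epmap_port and corenet_tcp_sendrecv_epmap_port. Both domains are clients of the same endpoint mapper, so either both need the packet rule (labeled networking / SECMARK) or neither does; make the two consistent.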
@@ -124,6 +128,7 @@
 corenet_tcp_connect_epmap_port(lsassd_t)
 corenet_tcp_sendrecv_epmap_port(lsassd_t)
 
+domain_dontaudit_search_all_domains_state(lsassd_t)
 domain_obj_id_change_exemption(lsassd_t)
 
 files_manage_etc_files(lsassd_t)
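Review bot: domain_dontaudit_search_all_domains_state(lsassd_t) only silences search denials on other domains' /proc/<pid> directories, while the thread reports getattr denials on /proc, which this dontaudit does not cover, so the noise may persist. Check the actual AVCs: if lsassd merely walks /proc/<pid> entries it does not need, the dontaudit is the right fix; if it needs to read them, that is covered by the kernel_read_system_state added to the template and this line is not the cure.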
@@ -155,14 +160,15 @@
 # Likewise I/O service local policy
 #
 
-allow lwiod_t self:capability { fowner chown fsetid dac_override };
+allow lwiod_t self:process setrlimit;
+allow lwiod_t self:capability { fowner chown fsetid dac_override sys_resource };
 allow lwiod_t self:netlink_route_socket rw_netlink_socket_perms;
 
-allow lwiod_t likewise_krb5_ad_t:file read_file_perms;
-allow lwiod_t netlogond_var_lib_t:file read_file_perms;
+allow lwiod_t { likewise_krb5_ad_t netlogond_var_lib_t }:file read_file_perms;
 
 stream_connect_pattern(lwiod_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
 stream_connect_pattern(lwiod_t, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t)
+stream_connect_pattern(lwiod_t, likewise_var_lib_t, netlogond_var_socket_t, netlogond_t)
 
 corenet_all_recvfrom_netlabel(lwiod_t)
 corenet_all_recvfrom_unlabeled(lwiod_t)
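Review bot: sys_resource is added to the lwiod_t capability set together with self:process setrlimit. CAP_SYS_RESOURCE is only needed when the daemon raises a hard limit; raising the soft limit up to the hard limit needs setrlimit alone. Check the AVC that motivated this, and if it shows only { setrlimit } on class process, drop sys_resource. Folding the two read_file_perms rules into one set and the new stream_connect to netlogond look fine.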
@@ -187,8 +193,12 @@
 # Likewise Service Manager service local policy
 #
 
+allow lwsmd_t self:process setpgid;
+
 allow lwsmd_t likewise_domains:process signal;
 
+allow lwsmd_t { likewise_krb5_ad_t netlogond_var_lib_t }:file read_file_perms;
+
 domtrans_pattern(lwsmd_t, dcerpcd_exec_t, dcerpcd_t)
 domtrans_pattern(lwsmd_t, eventlogd_exec_t, eventlogd_t)
 domtrans_pattern(lwsmd_t, lsassd_exec_t, lsassd_t)
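Review bot: lwsmd_t now reads likewise_krb5_ad_t and netlogond_var_lib_t itself, the same files lwiod_t was granted in the previous hunk. lwsmd is the service manager that domtrans to the daemons, so verify with ps -eZ that these reads come from lwsmd rather than from a child still running in lwsmd_t because its executable lacks a domtrans entry; the context here shows transitions only for dcerpcd, eventlogd and lsassd, and a daemon started without one would produce exactly this kind of denial. If the reads are lwsmd's own, a comment on why the service manager reads the Kerberos configuration would help the next reader.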
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

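Added example, not from the mail: a small AVC summariser for denials like the ones quoted above. It folds the repeated lsassd lines into one row per source type, target type and class with the union of denied permissions, and tags the row for triage. The tag heuristic is this example's own assumption: a target in a *_tmp_t, unlabeled_t, file_t or default_t type points at a file created by another domain or never labeled (the case Dominick describes, to be chased with ps -eZ and restorecon), whereas any other target type usually means the policy lacks a rule. The sample input is the four denials from the thread, each joined onto a single line as ausearch -i prints them.

```sh
#!/bin/sh
# Added example; not from the mail. Summarises AVC denial lines (raw
# audit.log or `ausearch -i` output) into one row per source type /
# target type / class with the union of denied permissions, plus a tag.

# Constructed input: the four lsassd denials quoted in the thread, each
# joined onto one line.
avc_sample() {
    cat <<'EOF'
type=AVC msg=audit(02/07/2012 21:55:59.592:23979) : avc:  denied  { open } for  pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(02/07/2012 21:55:59.592:23979) : avc:  denied  { read } for  pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(02/07/2012 21:55:59.600:23980) : avc:  denied  { lock } for  pid=1671 comm=lsassd path=/tmp/krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(02/07/2012 21:55:59.609:23981) : avc:  denied  { unlink } for  pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
EOF
}

# Read AVC lines on stdin; print "src_type tgt_type class { perms } tag".
avc_summary() {
    awk '
    # third colon-separated field of user:role:type:mls
    function ctx_type(field,    parts) {
        sub(/^[st]context=/, "", field)
        split(field, parts, ":")
        return parts[3]
    }
    # Triage heuristic (this example'"'"'s assumption, not SELinux semantics):
    # tmp and unlabeled targets are a labeling or creator problem, the rest
    # is normally a missing allow rule.
    function tag(tgt) {
        if (tgt ~ /_tmp_t$/) return "tmp-file-from-another-domain"
        if (tgt == "unlabeled_t" || tgt == "file_t" || tgt == "default_t")
            return "mislabeled-run-restorecon"
        return "policy-gap"
    }
    /avc: +denied/ {
        perms = ""; s = ""; t = ""; c = ""
        if (match($0, /\{[^}]*\}/))          # "{ open }" -> " open "
            perms = substr($0, RSTART + 1, RLENGTH - 2)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      s = ctx_type($i)
            else if ($i ~ /^tcontext=/) t = ctx_type($i)
            else if ($i ~ /^tclass=/)   c = substr($i, 8)
        }
        key = s " " t " " c
        if (!(key in seen)) { seen[key] = ""; keys[++n] = key }
        m = split(perms, p, " ")              # union of permissions per key
        for (j = 1; j <= m; j++)
            if (index(" " seen[key] " ", " " p[j] " ") == 0)
                seen[key] = (seen[key] == "" ? p[j] : seen[key] " " p[j])
    }
    END {
        for (i = 1; i <= n; i++) {
            split(keys[i], k, " ")
            print keys[i], "{ " seen[keys[i]] " }", tag(k[2])
        }
    }'
}

avc_sample | avc_summary
```

On the sample this collapses the four quoted records into a single row, lsassd_t against initrc_tmp_t on class file with { open read lock unlink }, which is the shape audit2allow would turn into one allow rule; the tag is the reminder that for a *_tmp_t target the right move is finding the creator, not writing that rule.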