From: Dominick Grift <dominick.grift@defensec.nl>
To: Stephen Smalley <stephen.smalley.work@gmail.com>
Cc: SElinux list <selinux@vger.kernel.org>
Subject: Re: [SELinux-notebook PATCH v8] objects.md: some clarifications
Date: Wed, 22 Jul 2020 18:57:27 +0200 [thread overview]
Message-ID: <39629738-f5db-e784-1f57-e6b8958b73ac@defensec.nl> (raw)
In-Reply-To: <CAEjxPJ6kVLAd41X9s7216+Svdo7his_WcQW52R04CztDEYr7fg@mail.gmail.com>
On 7/22/20 6:48 PM, Stephen Smalley wrote:
> On Tue, Jul 21, 2020 at 4:14 PM Dominick Grift
> <dominick.grift@defensec.nl> wrote:
>>> +context for both subjects and objects when their label is invalidated
>>> +by a policy reload (their SID is unchanged but the SID is
>>> +transparently remapped to the unlabeled context).
>>
>> I will note here that I suspect there is currently something broken
>> with libselinux / unlabeled sids
>>
>> libselinux consumers still use *invalidated* contexts associated with
>> inodes to compute access vectors.
>>
>> for example rpm will not consistently work until the filesystems are
>> relabeled after a new policy is loaded that invalidates contexts
>> currently associated with /bin/sh (entrypoint for setfscreatecon to
>> "rpm_script_t")
>>
>> systemd will not consistently work until the filesystems are relabeled
>> after a new policy loaded that invalidates contexts currently associated
>> with (i suspect) parent directories for socket activated sock files
>> (maybe setfscreatecon?)
>
> That's because userspace doesn't pass SIDs to the kernel (they aren't
> exported by the kernel); it passes security contexts, and the kernel
> refuses to accept invalid contexts. So a context previously used by
> userspace that is invalidated by a policy reload and then later passed
> in again to a kernel interface will produce an error. IIRC, the
Can we not just assume that if that happens, that the kernel should just
treat the context as if it were the context of the unlabeled isid.
I mean that is what it boils down to anyway: everything always needs a
valid context. so might as well treat invalid contexts as unlabeled
isids? Not sure how "state" is relevant here as invalid is invalid.
Regardless, this current behavior makes things less robust. I wont
pretent that I am qualified to judge whether addressing this is
technically possible or not.
> security_get_initial_context() and avc_get_initial_sid() interfaces
> were added to allow userspace object managers like SEPostgreSQL to get
> the context associated with an initial SID like the unlabeled SID for
> their own internal use/handling, but libselinux doesn't try to remap
> like that internally and it wouldn't always know whether the context
> was previously valid unless it maintained state on all calls.
>
next prev parent reply other threads:[~2020-07-22 16:57 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-10 7:09 [SELinux-notebook PATCH] onjects.md: some clarifications Dominick Grift
2020-07-10 7:14 ` [SELinux-notebook PATCH v2] objects.md: " Dominick Grift
2020-07-13 10:45 ` Richard Haines
2020-07-15 2:15 ` Paul Moore
2020-07-15 7:56 ` Dominick Grift
2020-07-16 11:18 ` [SELinux-notebook PATCH v3] " Dominick Grift
2020-07-16 12:17 ` [SELinux-notebook PATCH v4] " Dominick Grift
2020-07-17 1:36 ` Paul Moore
2020-07-17 6:41 ` Dominick Grift
2020-07-18 6:40 ` [SELinux-notebook PATCH v5] " Dominick Grift
2020-07-19 9:44 ` [SELinux-notebook PATCH v6] " Dominick Grift
2020-07-21 17:44 ` Stephen Smalley
2020-07-21 19:51 ` [SELinux-notebook PATCH v7] " Dominick Grift
2020-07-21 20:02 ` [SELinux-notebook PATCH v8] " Dominick Grift
2020-07-21 20:14 ` Dominick Grift
2020-07-22 16:48 ` Stephen Smalley
2020-07-22 16:57 ` Dominick Grift [this message]
2020-07-22 17:32 ` Stephen Smalley
2020-07-23 8:13 ` Dominick Grift
2020-07-23 12:22 ` Stephen Smalley
2020-07-23 13:04 ` Dominick Grift
2020-07-23 13:24 ` Stephen Smalley
2020-07-23 13:37 ` Dominick Grift
2020-07-24 7:54 ` Dominick Grift
2020-07-24 12:23 ` Stephen Smalley
2020-07-24 12:29 ` Dominick Grift
2020-07-24 12:56 ` Stephen Smalley
2020-07-24 13:06 ` Dominick Grift
2020-07-24 13:26 ` Stephen Smalley
2020-07-24 13:30 ` Dominick Grift
2020-07-22 17:29 ` Dominick Grift
2020-07-22 15:11 ` Stephen Smalley
2020-07-23 7:50 ` [SELinux-notebook PATCH v9] " Dominick Grift
2020-07-23 12:00 ` Stephen Smalley
2020-07-27 13:43 ` Stephen Smalley
2020-07-28 2:17 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=39629738-f5db-e784-1f57-e6b8958b73ac@defensec.nl \
--to=dominick.grift@defensec.nl \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).