* selinux category relabel (puppet)
@ 2015-03-13 13:52 Higgs, Stephen
  2015-03-13 17:40 ` Stephen Smalley
  0 siblings, 1 reply; 16+ messages in thread
From: Higgs, Stephen @ 2015-03-13 13:52 UTC (permalink / raw)
  To: selinux

Hello all,

If there is a more appropriate forum for this question please let me know:

I have a system that uses confined users by default and some files are managed by a puppet server.  When I run (via run_init) the puppet startup script, I get the following avc log:

avc: denied { relabelto } for pid=30707 comm="puppet" name="crl.pem" dev=dm-1 ino=527257 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0:c0.c1023 tclass=file

I added "typeattribute puppet_t can_change_object_identity" and appropriate "allow" statements to the puppet_t type after reading the constraints in the targeted policy. However, it was the category "s0:c0.c1023" that was also preventing puppet from relabeling the crl.pem file.

I was able to fix this by manually relabeling the file to "s0" instead of "s0:c0.c1023". My question is, how *should* I handle this so puppet can handle the relabel of the category?

Stephen Higgs
ICF International

* Re: selinux category relabel (puppet)
  2015-03-13 13:52 selinux category relabel (puppet) Higgs, Stephen
@ 2015-03-13 17:40 ` Stephen Smalley
  2015-03-13 17:52   ` Higgs, Stephen
  0 siblings, 1 reply; 16+ messages in thread
From: Stephen Smalley @ 2015-03-13 17:40 UTC (permalink / raw)
  To: Higgs, Stephen, selinux

On 03/13/2015 09:52 AM, Higgs, Stephen wrote:
> Hello all,
> 
> If there is a more appropriate forum for this question please let me know:
> 
> I have a system that uses confined users by default and some files are
> managed by a puppet server.  When I run (via run_init) the puppet
> startup script, I get the following avc log:
> 
> avc: denied { relabelto } for pid=30707 comm="puppet" name="crl.pem"
> dev=dm-1 ino=527257 scontext=system_u:system_r:puppet_t:s0
> tcontext=system_u:object_r:puppet_var_lib_t:s0:c0.c1023 tclass=file
> 
> I added "typeattribute puppet_t can_change_object_identity" and
> appropriate "allow" statements to the puppet_t type after reading the
> constraints in the targeted policy. However, it was the category
> "s0:c0.c1023" that was also preventing puppet from relabeling the
> crl.pem file.
> 
> I was able to fix this by manually relabeling the file to "s0" instead
> of "s0:c0.c1023". My question is, how *should* I handle this so puppet
> can handle the relabel of the category?

It requires an appropriate attribute for the mcs or mls constraint that
is blocking access.  Which attribute depends on your policy; MCS in
particular has changed a lot over time in Fedora and RHEL.  What distro
& version?

* RE: selinux category relabel (puppet)
  2015-03-13 17:40 ` Stephen Smalley
@ 2015-03-13 17:52   ` Higgs, Stephen
  2015-03-13 17:54     ` Stephen Smalley
                       ` (2 more replies)
  0 siblings, 3 replies; 16+ messages in thread
From: Higgs, Stephen @ 2015-03-13 17:52 UTC (permalink / raw)
  To: Stephen Smalley, selinux

> On 03/13/2015 09:52 AM, Higgs, Stephen wrote:
> > Hello all,
> >
> > If there is a more appropriate forum for this question please let me know:
> >
> > I have a system that uses confined users by default and some files are
> > managed by a puppet server.  When I run (via run_init) the puppet
> > startup script, I get the following avc log:
> >
> > avc: denied { relabelto } for pid=30707 comm="puppet" name="crl.pem"
> > dev=dm-1 ino=527257 scontext=system_u:system_r:puppet_t:s0
> > tcontext=system_u:object_r:puppet_var_lib_t:s0:c0.c1023 tclass=file
> >
> > I added "typeattribute puppet_t can_change_object_identity" and
> > appropriate "allow" statements to the puppet_t type after reading the
> > constraints in the targeted policy. However, it was the category
> > "s0:c0.c1023" that was also preventing puppet from relabeling the
> > crl.pem file.
> >
> > I was able to fix this by manually relabeling the file to "s0" instead
> > of "s0:c0.c1023". My question is, how *should* I handle this so puppet
> > can handle the relabel of the category?
> 
> It requires an appropriate attribute for the mcs or mls constraint that is
> blocking access.  Which attribute depends on your policy; MCS in particular has
> changed a lot over time in Fedora and RHEL.  What distro & version?
> 

I'm using CentOS / RedHat 6.6, targeted reference policy 24.

* Re: selinux category relabel (puppet)
  2015-03-13 17:52   ` Higgs, Stephen
@ 2015-03-13 17:54     ` Stephen Smalley
  2015-03-13 17:58       ` Higgs, Stephen
  2015-03-13 18:02     ` Dominick Grift
  2015-03-13 18:04     ` Stephen Smalley
  2 siblings, 1 reply; 16+ messages in thread
From: Stephen Smalley @ 2015-03-13 17:54 UTC (permalink / raw)
  To: Higgs, Stephen, selinux

On 03/13/2015 01:52 PM, Higgs, Stephen wrote:
>> On 03/13/2015 09:52 AM, Higgs, Stephen wrote:
>>> Hello all,
>>>
>>> If there is a more appropriate forum for this question please let me know:
>>>
>>> I have a system that uses confined users by default and some files are
>>> managed by a puppet server.  When I run (via run_init) the puppet
>>> startup script, I get the following avc log:
>>>
>>> avc: denied { relabelto } for pid=30707 comm="puppet" name="crl.pem"
>>> dev=dm-1 ino=527257 scontext=system_u:system_r:puppet_t:s0
>>> tcontext=system_u:object_r:puppet_var_lib_t:s0:c0.c1023 tclass=file
>>>
>>> I added "typeattribute puppet_t can_change_object_identity" and
>>> appropriate "allow" statements to the puppet_t type after reading the
>>> constraints in the targeted policy. However, it was the category
>>> "s0:c0.c1023" that was also preventing puppet from relabeling the
>>> crl.pem file.
>>>
>>> I was able to fix this by manually relabeling the file to "s0" instead
>>> of "s0:c0.c1023". My question is, how *should* I handle this so puppet
>>> can handle the relabel of the category?
>>
>> It requires an appropriate attribute for the mcs or mls constraint that is
>> blocking access.  Which attribute depends on your policy; MCS in particular has
>> changed a lot over time in Fedora and RHEL.  What distro & version?
>>
> 
> I'm using CentOS / RedHat 6.6, targeted reference policy 24.

So, selinux-policy-3.7.19-260.el6 or thereabouts?

* RE: selinux category relabel (puppet)
  2015-03-13 17:54     ` Stephen Smalley
@ 2015-03-13 17:58       ` Higgs, Stephen
  0 siblings, 0 replies; 16+ messages in thread
From: Higgs, Stephen @ 2015-03-13 17:58 UTC (permalink / raw)
  To: Stephen Smalley, selinux

> >>> Hello all,
> >>>
> >>> If there is a more appropriate forum for this question please let me know:
> >>>
> >>> I have a system that uses confined users by default and some files
> >>> are managed by a puppet server.  When I run (via run_init) the
> >>> puppet startup script, I get the following avc log:
> >>>
> >>> avc: denied { relabelto } for pid=30707 comm="puppet" name="crl.pem"
> >>> dev=dm-1 ino=527257 scontext=system_u:system_r:puppet_t:s0
> >>> tcontext=system_u:object_r:puppet_var_lib_t:s0:c0.c1023 tclass=file
> >>>
> >>> I added "typeattribute puppet_t can_change_object_identity" and
> >>> appropriate "allow" statements to the puppet_t type after reading
> >>> the constraints in the targeted policy. However, it was the category
> >>> "s0:c0.c1023" that was also preventing puppet from relabeling the
> >>> crl.pem file.
> >>>
> >>> I was able to fix this by manually relabeling the file to "s0"
> >>> instead of "s0:c0.c1023". My question is, how *should* I handle this
> >>> so puppet can handle the relabel of the category?
> >>
> >> It requires an appropriate attribute for the mcs or mls constraint
> >> that is blocking access.  Which attribute depends on your policy; MCS
> >> in particular has changed a lot over time in Fedora and RHEL.  What distro &
> >> version?
> >>
> >
> > I'm using CentOS / RedHat 6.6, targeted reference policy 24.
> 
> So, selinux-policy-3.7.19-260.el6 or thereabouts?
> 

Yes, exactly selinux-policy-3.7.19-260.el6_6.2

* Re: selinux category relabel (puppet)
  2015-03-13 17:52   ` Higgs, Stephen
  2015-03-13 17:54     ` Stephen Smalley
@ 2015-03-13 18:02     ` Dominick Grift
  2015-03-13 18:04     ` Stephen Smalley
  2 siblings, 0 replies; 16+ messages in thread
From: Dominick Grift @ 2015-03-13 18:02 UTC (permalink / raw)
  To: selinux

On Fri, Mar 13, 2015 at 05:52:37PM +0000, Higgs, Stephen wrote:
> > On 03/13/2015 09:52 AM, Higgs, Stephen wrote:
> > > Hello all,
> > >
> > > If there is a more appropriate forum for this question please let me know:
> > >
> > > I have a system that uses confined users by default and some files are
> > > managed by a puppet server.  When I run (via run_init) the puppet
> > > startup script, I get the following avc log:
> > >
> > > avc: denied { relabelto } for pid=30707 comm="puppet" name="crl.pem"
> > > dev=dm-1 ino=527257 scontext=system_u:system_r:puppet_t:s0
> > > tcontext=system_u:object_r:puppet_var_lib_t:s0:c0.c1023 tclass=file
> > >
> > > I added "typeattribute puppet_t can_change_object_identity" and
> > > appropriate "allow" statements to the puppet_t type after reading the
> > > constraints in the targeted policy. However, it was the category
> > > "s0:c0.c1023" that was also preventing puppet from relabeling the
> > > crl.pem file.
> > >
> > > I was able to fix this by manually relabeling the file to "s0" instead
> > > of "s0:c0.c1023". My question is, how *should* I handle this so puppet
> > > can handle the relabel of the category?
> > 
> > It requires an appropriate attribute for the mcs or mls constraint that is
> > blocking access.  Which attribute depends on your policy; MCS in particular has
> > changed a lot over time in Fedora and RHEL.  What distro & version?
> > 
> 
> I'm using CentOS / RedHat 6.6, targeted reference policy 24.

I do not see how it makes sense in the first place to relabelto s0:c0.c1023; you might as well keep it s0.

Any idea why puppet is trying to relabelto s0:c0.c1023? Is that specified in your puppet configuration?

Also, it may not even be a constraint issue in the first place (I doubt that puppet is MCS constrained).

Maybe you just need a rule like: allow puppet_t puppet_var_lib_t:file relabelto;

What does audit2why tell you when you pipe the avc denial into its input stream?

-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift

* Re: selinux category relabel (puppet)
  2015-03-13 17:52   ` Higgs, Stephen
  2015-03-13 17:54     ` Stephen Smalley
  2015-03-13 18:02     ` Dominick Grift
@ 2015-03-13 18:04     ` Stephen Smalley
  2015-03-13 21:17       ` Higgs, Stephen
  2 siblings, 1 reply; 16+ messages in thread
From: Stephen Smalley @ 2015-03-13 18:04 UTC (permalink / raw)
  To: Higgs, Stephen, selinux

On 03/13/2015 01:52 PM, Higgs, Stephen wrote:
>> On 03/13/2015 09:52 AM, Higgs, Stephen wrote:
>>> Hello all,
>>>
>>> If there is a more appropriate forum for this question please let me know:
>>>
>>> I have a system that uses confined users by default and some files are
>>> managed by a puppet server.  When I run (via run_init) the puppet
>>> startup script, I get the following avc log:
>>>
>>> avc: denied { relabelto } for pid=30707 comm="puppet" name="crl.pem"
>>> dev=dm-1 ino=527257 scontext=system_u:system_r:puppet_t:s0
>>> tcontext=system_u:object_r:puppet_var_lib_t:s0:c0.c1023 tclass=file
>>>
>>> I added "typeattribute puppet_t can_change_object_identity" and
>>> appropriate "allow" statements to the puppet_t type after reading the
>>> constraints in the targeted policy. However, it was the category
>>> "s0:c0.c1023" that was also preventing puppet from relabeling the
>>> crl.pem file.
>>>
>>> I was able to fix this by manually relabeling the file to "s0" instead
>>> of "s0:c0.c1023". My question is, how *should* I handle this so puppet
>>> can handle the relabel of the category?
>>
>> It requires an appropriate attribute for the mcs or mls constraint that is
>> blocking access.  Which attribute depends on your policy; MCS in particular has
>> changed a lot over time in Fedora and RHEL.  What distro & version?
>>
> 
> I'm using CentOS / RedHat 6.6, targeted reference policy 24.

Hmmm...looking at selinux-policy-3.7.19-260.el6.src.rpm,
serefpolicy-3.719/policy/mcs has this:

# New filesystem object labels must be dominated by the relabeling subject
# clearance, also the objects are single-level.
mlsconstrain file { create relabelto }
        (( h1 dom h2 ) and ( l2 eq h2 ));

So no attributes are exempted from that constraint; your only option is
to run puppet ranged (i.e. as system_u:system_r:puppet_t:s0-s0:c0.c1023)
so that its high level dominates any potential file level.

You should be able to do that with a range_transition rule, e.g.
range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c1023;
(assuming that the puppet entrypoint is labeled with puppet_exec_t).
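To see why the unranged puppet_t:s0 from the AVC fails the create/relabelto constraint above while the ranged context Stephen suggests passes it, here is an added Python model of the MCS level check (example code written for this page, not from the thread, the kernel or refpolicy; the parsing and `dom` logic are a simplified hand-written model, and the context strings are the ones quoted in the thread):

```python
"""Model of the RHEL 6 MCS constraint quoted above:
    mlsconstrain file { create relabelto } (( h1 dom h2 ) and ( l2 eq h2 ));
h1 is the subject's high level, l2/h2 the target file's low/high level.
Added example for this page; parsing and 'dom' are a simplified hand-written
model, not code from the thread, the kernel or refpolicy."""
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Level:
    sensitivity: int               # s0 -> 0, s1 -> 1, ...
    categories: FrozenSet[int]     # c0..c1023 as integers

    def dom(self, other: "Level") -> bool:
        """MLS 'dom': sensitivity is >= and the category set is a superset."""
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)


def parse_categories(spec: Optional[str]) -> FrozenSet[int]:
    """'c0.c1023,c5' -> {0, ..., 1023}; 'cX.cY' is an inclusive range."""
    cats = set()
    for part in (spec.split(",") if spec else []):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)
        if not m:
            raise ValueError("bad category spec: %r" % part)
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError("descending category range: %r" % part)
        cats.update(range(lo, hi + 1))
    return frozenset(cats)


def parse_level(text: str) -> Level:
    """'s0' or 's0:c0.c1023' -> Level."""
    m = re.fullmatch(r"s(\d+)(?::(.+))?", text)
    if not m:
        raise ValueError("bad level: %r" % text)
    return Level(int(m.group(1)), parse_categories(m.group(2)))


def parse_range(text: str) -> Tuple[Level, Level]:
    """'s0-s0:c0.c1023' -> (low, high); a single level means low == high."""
    low, dash, high = text.partition("-")
    lo = parse_level(low)
    return (lo, parse_level(high)) if dash else (lo, lo)


def parse_context(ctx: str) -> Tuple[str, str, str, Tuple[Level, Level]]:
    """'user:role:type:range' -> fields.  The MLS part may itself contain ':'
    (s0:c0.c1023), so split on the first three colons only."""
    user, role, typ, rng = ctx.split(":", 3)
    return user, role, typ, parse_range(rng)


def mcs_file_relabel_allowed(scontext: str, tcontext: str) -> bool:
    """True if the create/relabelto constraint passes for this pair.
    Type enforcement (allow puppet_t puppet_var_lib_t:file relabelto) is a
    separate check; the AVC is denied if either one fails."""
    _, _, _, (_l1, h1) = parse_context(scontext)
    _, _, _, (l2, h2) = parse_context(tcontext)
    return h1.dom(h2) and l2 == h2


# Contexts quoted in the thread: the denied subject from the AVC, the ranged
# subject Stephen suggests, and the file that puppet wanted to relabel.
SUBJECT_UNRANGED = "system_u:system_r:puppet_t:s0"
SUBJECT_RANGED = "system_u:system_r:puppet_t:s0-s0:c0.c1023"
TARGET_FILE = "system_u:object_r:puppet_var_lib_t:s0:c0.c1023"
TARGET_FILE_S0 = "system_u:object_r:puppet_var_lib_t:s0"   # the manual workaround

if __name__ == "__main__":
    for subj in (SUBJECT_UNRANGED, SUBJECT_RANGED):
        for tgt in (TARGET_FILE, TARGET_FILE_S0):
            verdict = "allowed" if mcs_file_relabel_allowed(subj, tgt) else "DENIED"
            print("%-45s -> %-48s %s" % (subj, tgt, verdict))
```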

* RE: selinux category relabel (puppet)
  2015-03-13 18:04     ` Stephen Smalley
@ 2015-03-13 21:17       ` Higgs, Stephen
  2015-03-13 21:31         ` Dominick Grift
  2015-03-16 12:55         ` Stephen Smalley
  0 siblings, 2 replies; 16+ messages in thread
From: Higgs, Stephen @ 2015-03-13 21:17 UTC (permalink / raw)
  To: Stephen Smalley, selinux

> >>> Hello all,
> >>>
> >>> If there is a more appropriate forum for this question please let me know:
> >>>
> >>> I have a system that uses confined users by default and some files
> >>> are managed by a puppet server.  When I run (via run_init) the
> >>> puppet startup script, I get the following avc log:
> >>>
> >>> avc: denied { relabelto } for pid=30707 comm="puppet" name="crl.pem"
> >>> dev=dm-1 ino=527257 scontext=system_u:system_r:puppet_t:s0
> >>> tcontext=system_u:object_r:puppet_var_lib_t:s0:c0.c1023 tclass=file
> >>>
> >>> I added "typeattribute puppet_t can_change_object_identity" and
> >>> appropriate "allow" statements to the puppet_t type after reading
> >>> the constraints in the targeted policy. However, it was the category
> >>> "s0:c0.c1023" that was also preventing puppet from relabeling the
> >>> crl.pem file.
> >>>
> >>> I was able to fix this by manually relabeling the file to "s0"
> >>> instead of "s0:c0.c1023". My question is, how *should* I handle this
> >>> so puppet can handle the relabel of the category?
> >>
> >> It requires an appropriate attribute for the mcs or mls constraint
> >> that is blocking access.  Which attribute depends on your policy; MCS
> >> in particular has changed a lot over time in Fedora and RHEL.  What distro &
> >> version?
> >>
> >
> > I'm using CentOS / RedHat 6.6, targeted reference policy 24.
> 
> Hmmm...looking at selinux-policy-3.7.19-260.el6.src.rpm,
> serefpolicy-3.719/policy/mcs has this:
> 
> # New filesystem object labels must be dominated by the relabeling subject
> # clearance, also the objects are single-level.
> mlsconstrain file { create relabelto }
>         (( h1 dom h2 ) and ( l2 eq h2 ));
> 
> So no attributes are exempted from that constraint; your only option is to run
> puppet ranged (i.e. as system_u:system_r:puppet_t:s0-s0:c0.c1023)
> so that its high level dominates any potential file level.
> 
> You should be able to do that with a range_transition rule, e.g.
> range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c1023; (assuming
> that the puppet entrypoint is labeled with puppet_exec_t).

Thanks Stephen, this makes sense to me, but I can't get that statement to compile in my policy module:

   Compiling targeted puppet module
   /usr/bin/checkmodule:  loading policy configuration from tmp/puppet.tmp
   puppet.te":14:ERROR 'unknown level s0-s0 used in range_transition definition' at token ';' on line 1041:
   range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023;
   #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023);
   /usr/bin/checkmodule:  error(s) encountered while parsing configuration
   make: *** [tmp/puppet.mod] Error 1

I did try checkmodule as well, and I tried using the init_ranged_daemon_domain macro.  Here is the policy module that I am trying to compile:

   module puppet 1.2;
   require {
           type puppet_t;
           type puppet_exec_t;
           type initrc_t;
           attribute can_change_object_identity;
           class process { transition }; 
   }
   typeattribute puppet_t can_change_object_identity;
   #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023); 
   range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023;

I feel like I'm close, but perhaps I'm missing how to import the level definitions?

* Re: selinux category relabel (puppet)
  2015-03-13 21:17       ` Higgs, Stephen
@ 2015-03-13 21:31         ` Dominick Grift
  2015-03-16 12:43           ` Miroslav Grepl
  2015-03-16 12:55         ` Stephen Smalley
  1 sibling, 1 reply; 16+ messages in thread
From: Dominick Grift @ 2015-03-13 21:31 UTC (permalink / raw)
  To: selinux

On Fri, Mar 13, 2015 at 09:17:36PM +0000, Higgs, Stephen wrote:
> > >>> Hello all,
> > >>>
> > >>> If there is a more appropriate forum for this question please let me know:
> > >>>
> > >>> I have a system that uses confined users by default and some files
> > >>> are managed by a puppet server.  When I run (via run_init) the
> > >>> puppet startup script, I get the following avc log:
> > >>>
> > >>> avc: denied { relabelto } for pid=30707 comm="puppet" name="crl.pem"
> > >>> dev=dm-1 ino=527257 scontext=system_u:system_r:puppet_t:s0
> > >>> tcontext=system_u:object_r:puppet_var_lib_t:s0:c0.c1023 tclass=file
> > >>>
> > >>> I added "typeattribute puppet_t can_change_object_identity" and
> > >>> appropriate "allow" statements to the puppet_t type after reading
> > >>> the constraints in the targeted policy. However, it was the category
> > >>> "s0:c0.c1023" that was also preventing puppet from relabeling the
> > >>> crl.pem file.
> > >>>
> > >>> I was able to fix this by manually relabeling the file to "s0"
> > >>> instead of "s0:c0.c1023". My question is, how *should* I handle this
> > >>> so puppet can handle the relabel of the category?
> > >>
> > >> It requires an appropriate attribute for the mcs or mls constraint
> > >> that is blocking access.  Which attribute depends on your policy; MCS
> > >> in particular has changed a lot over time in Fedora and RHEL.  What distro &
> > >> version?
> > >>
> > >
> > > I'm using CentOS / RedHat 6.6, targeted reference policy 24.
> > 
> > Hmmm...looking at selinux-policy-3.7.19-260.el6.src.rpm,
> > serefpolicy-3.719/policy/mcs has this:
> > 
> > # New filesystem object labels must be dominated by the relabeling subject
> > # clearance, also the objects are single-level.
> > mlsconstrain file { create relabelto }
> >         (( h1 dom h2 ) and ( l2 eq h2 ));
> > 
> > So no attributes are exempted from that constraint; your only option is to run
> > puppet ranged (i.e. as system_u:system_r:puppet_t:s0-s0:c0.c1023)
> > so that its high level dominates any potential file level.
> > 
> > You should be able to do that with a range_transition rule, e.g.
> > range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c1023; (assuming
> > that the puppet entrypoint is labeled with puppet_exec_t).
> 
> Thanks Stephen, this makes sense to me, but I can't get that statement to compile in my policy module:
> 
>    Compiling targeted puppet module
>    /usr/bin/checkmodule:  loading policy configuration from tmp/puppet.tmp
>    puppet.te":14:ERROR 'unknown level s0-s0 used in range_transition definition' at token ';' on line 1041:
>    range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023;
>    #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023);
>    /usr/bin/checkmodule:  error(s) encountered while parsing configuration
>    make: *** [tmp/puppet.mod] Error 1
> 
> I did try checkmodule as well, and I tried using the init_ranged_daemon_domain macro.  Here is the policy module that I am trying to compile:
> 
>    module puppet 1.2;
>    require {
>            type puppet_t;
>            type puppet_exec_t;
>            type initrc_t;
>            attribute can_change_object_identity;
>            class process { transition }; 
>    }
>    typeattribute puppet_t can_change_object_identity;
>    #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023); 
>    range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023;

Not sure but try spaces here (s0 - s0): range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c1023;

> 
> I feel like I'm close, but perhaps I'm missing how to import  the level definitions?

-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift

* Re: selinux category relabel (puppet)
  2015-03-13 21:31         ` Dominick Grift
@ 2015-03-16 12:43           ` Miroslav Grepl
  0 siblings, 0 replies; 16+ messages in thread
From: Miroslav Grepl @ 2015-03-16 12:43 UTC (permalink / raw)
  To: selinux

On 03/13/2015 10:31 PM, Dominick Grift wrote:
> On Fri, Mar 13, 2015 at 09:17:36PM +0000, Higgs, Stephen wrote:
>>>>>> Hello all,
>>>>>>
>>>>>> If there is a more appropriate forum for this question please let me know:
>>>>>>
>>>>>> I have a system that uses confined users by default and some files
>>>>>> are managed by a puppet server.  When I run (via run_init) the
>>>>>> puppet startup script, I get the following avc log:
>>>>>>
>>>>>> avc: denied { relabelto } for pid=30707 comm="puppet" name="crl.pem"
>>>>>> dev=dm-1 ino=527257 scontext=system_u:system_r:puppet_t:s0
>>>>>> tcontext=system_u:object_r:puppet_var_lib_t:s0:c0.c1023 tclass=file
>>>>>>
>>>>>> I added "typeattribute puppet_t can_change_object_identity" and
>>>>>> appropriate "allow" statements to the puppet_t type after reading
>>>>>> the constraints in the targeted policy. However, it was the category
>>>>>> "s0:c0.c1023" that was also preventing puppet from relabeling the
>>>>>> crl.pem file.
>>>>>>
>>>>>> I was able to fix this by manually relabeling the file to "s0"
>>>>>> instead of "s0:c0.c1023". My question is, how *should* I handle this
>>>>>> so puppet can handle the relabel of the category?
>>>>> It requires an appropriate attribute for the mcs or mls constraint
>>>>> that is blocking access.  Which attribute depends on your policy; MCS
>>>>> in particular has changed a lot over time in Fedora and RHEL.  What distro &
>>>>> version?
>>>> I'm using CentOS / RedHat 6.6, targeted reference policy 24.
>>> Hmmm...looking at selinux-policy-3.7.19-260.el6.src.rpm,
>>> serefpolicy-3.719/policy/mcs has this:
>>>
>>> # New filesystem object labels must be dominated by the relabeling subject
>>> # clearance, also the objects are single-level.
>>> mlsconstrain file { create relabelto }
>>>          (( h1 dom h2 ) and ( l2 eq h2 ));
>>>
>>> So no attributes are exempted from that constraint; your only option is to run
>>> puppet ranged (i.e. as system_u:system_r:puppet_t:s0-s0:c0.c1023)
>>> so that its high level dominates any potential file level.
Yes, there is no attribute on RHEL6.
>>>
>>> You should be able to do that with a range_transition rule, e.g.
>>> range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c1023; (assuming
>>> that the puppet entrypoint is labeled with puppet_exec_t).
>> Thanks Stephen, this makes sense to me, but I can't get that statement to compile in my policy module:
>>
>>     Compiling targeted puppet module
>>     /usr/bin/checkmodule:  loading policy configuration from tmp/puppet.tmp
>>     puppet.te":14:ERROR 'unknown level s0-s0 used in range_transition definition' at token ';' on line 1041:
>>     range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023;
>>     #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023);
>>     /usr/bin/checkmodule:  error(s) encountered while parsing configuration
>>     make: *** [tmp/puppet.mod] Error 1
>>
>> I did try checkmodule as well, and I tried using the init_ranged_daemon_domain macro.  Here is the policy module that I am trying to compile:
>>
>>     module puppet 1.2;
>>     require {
>>             type puppet_t;
>>             type puppet_exec_t;
>>             type initrc_t;
>>             attribute can_change_object_identity;
>>             class process { transition };
>>     }
>>     typeattribute puppet_t can_change_object_identity;
>>     #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023);
>>     range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023;
> Not sure but try spaces here (s0 - s0): range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c1023;
>
>> I feel like I'm close, but perhaps I'm missing how to import  the level definitions?
Try this one:

policy_module(mypol, 1.0)

require {
	type puppet_t;
	type puppet_exec_t;
}

ifdef(`enable_mcs',`
	# run puppet ranged so that its high level dominates any file level
	init_ranged_daemon_domain(puppet_t, puppet_exec_t, s0 - s0:c0.c1023)
')

* Re: selinux category relabel (puppet)
  2015-03-13 21:17       ` Higgs, Stephen
  2015-03-13 21:31         ` Dominick Grift
@ 2015-03-16 12:55         ` Stephen Smalley
  2015-03-16 15:20           ` Higgs, Stephen
  1 sibling, 1 reply; 16+ messages in thread
From: Stephen Smalley @ 2015-03-16 12:55 UTC (permalink / raw)
  To: Higgs, Stephen, selinux

On 03/13/2015 05:17 PM, Higgs, Stephen wrote:
>>>>> Hello all,
>>>>>
>>>>> If there is a more appropriate forum for this question please let me know:
>>>>>
>>>>> I have a system that uses confined users by default and some files
>>>>> are managed by a puppet server.  When I run (via run_init) the
>>>>> puppet startup script, I get the following avc log:
>>>>>
>>>>> avc: denied { relabelto } for pid=30707 comm="puppet" name="crl.pem"
>>>>> dev=dm-1 ino=527257 scontext=system_u:system_r:puppet_t:s0
>>>>> tcontext=system_u:object_r:puppet_var_lib_t:s0:c0.c1023 tclass=file
>>>>>
>>>>> I added "typeattribute puppet_t can_change_object_identity" and
>>>>> appropriate "allow" statements to the puppet_t type after reading
>>>>> the constraints in the targeted policy. However, it was the category
>>>>> "s0:c0.c1023" that was also preventing puppet from relabeling the
>>>>> crl.pem file.
>>>>>
>>>>> I was able to fix this by manually relabeling the file to "s0"
>>>>> instead of "s0:c0.c1023". My question is, how *should* I handle this
>>>>> so puppet can handle the relabel of the category?
>>>>
>>>> It requires an appropriate attribute for the mcs or mls constraint
>>>> that is blocking access.  Which attribute depends on your policy; MCS
>>>> in particular has changed a lot over time in Fedora and RHEL.  What distro &
>>>> version?
>>>>
>>>
>>> I'm using CentOS / RedHat 6.6, targeted reference policy 24.
>>
>> Hmmm...looking at selinux-policy-3.7.19-260.el6.src.rpm,
>> serefpolicy-3.719/policy/mcs has this:
>>
>> # New filesystem object labels must be dominated by the relabeling subject
>> # clearance, also the objects are single-level.
>> mlsconstrain file { create relabelto }
>>         (( h1 dom h2 ) and ( l2 eq h2 ));
>>
>> So no attributes are exempted from that constraint; your only option is to run
>> puppet ranged (i.e. as system_u:system_r:puppet_t:s0-s0:c0.c1023)
>> so that its high level dominates any potential file level.
>>
>> You should be able to do that with a range_transition rule, e.g.
>> range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c1023; (assuming
>> that the puppet entrypoint is labeled with puppet_exec_t).
> 
> Thanks Stephen, this makes sense to me, but I can't get that statement to compile in my policy module:
> 
>    Compiling targeted puppet module
>    /usr/bin/checkmodule:  loading policy configuration from tmp/puppet.tmp
>    puppet.te":14:ERROR 'unknown level s0-s0 used in range_transition definition' at token ';' on line 1041:
>    range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023;
>    #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023);
>    /usr/bin/checkmodule:  error(s) encountered while parsing configuration
>    make: *** [tmp/puppet.mod] Error 1
> 
> I did try checkmodule as well, and I tried using the init_ranged_daemon_domain macro.  Here is the policy module that I am trying to compile:
> 
>    module puppet 1.2;
>    require {
>            type puppet_t;
>            type puppet_exec_t;
>            type initrc_t;
>            attribute can_change_object_identity;
>            class process { transition }; 
>    }
>    typeattribute puppet_t can_change_object_identity;
>    #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023); 
>    range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023;
> 
> I feel like I'm close, but perhaps I'm missing how to import  the level definitions?

As Dominick suggested, whitespace unfortunately matters for the MLS
range specification - you need whitespace around the - (dash).  This is a
checkpolicy scanner issue introduced when IDENTIFIER was expanded to
include dash characters to support usage in filesystem type names and
user names IIRC.  Should probably refactor that.
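To see what that scanner behaviour does with the two spellings of the rule, here is an added Python toy of the lexer and the range_transition grammar (example code written for this page, not checkpolicy's own code; the IDENT token class that admits dashes, the grammar and the set of known levels are assumptions modelled on Stephen's explanation and the error message in the thread):

```python
"""Toy scanner/parser for one range_transition statement: why 's0-s0:c0.c1023'
fails with "unknown level s0-s0" while 's0 - s0:c0.c1023' compiles.  Added
example for this page; token classes and grammar are an assumption modelled
on the thread, not checkpolicy's own code."""
import re
from typing import List, Optional, Tuple

# Assumption (from Stephen's explanation): '-' is legal inside an identifier
# and the scanner is greedy, so "s0-s0" is one IDENT token and the dash
# never reaches the range rule.
TOKEN_RE = re.compile(r"(?P<IDENT>[A-Za-z_][A-Za-z0-9_\-]*)|(?P<PUNCT>[:;,.\-])")


class PolicyError(Exception):
    pass


def tokenize(text: str) -> List[Tuple[str, str]]:
    """(kind, text) tokens, whitespace skipped."""
    tokens, pos = [], 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise PolicyError("unexpected character %r" % text[pos])
        tokens.append((m.lastgroup, m.group()))
        pos = m.end()
    return tokens


class Parser:
    """range_transition SRC TGT ':' CLASS level [ '-' level ] ';'
    level := IDENT [ ':' cat { ',' cat } ]     cat := IDENT [ '.' IDENT ]"""

    def __init__(self, tokens, known_levels):
        self.toks, self.i, self.known = tokens, 0, set(known_levels)

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind=None, value=None):
        k, v = self.peek()
        if k is None or (kind and k != kind) or (value and v != value):
            raise PolicyError("syntax error at token %r" % (v,))
        self.i += 1
        return v

    def level(self):
        name = self.take("IDENT")
        if name not in self.known:   # this is the check that fires on "s0-s0"
            raise PolicyError(
                "unknown level %s used in range_transition definition" % name)
        cats = []
        if self.peek() == ("PUNCT", ":"):
            self.take()
            cats.append(self.cat())
            while self.peek() == ("PUNCT", ","):
                self.take()
                cats.append(self.cat())
        return (name, cats)

    def cat(self):
        lo = self.take("IDENT")
        if self.peek() == ("PUNCT", "."):
            self.take()
            return (lo, self.take("IDENT"))
        return (lo, lo)

    def range_transition(self):
        self.take("IDENT", "range_transition")
        src, tgt = self.take("IDENT"), self.take("IDENT")
        self.take("PUNCT", ":")
        cls = self.take("IDENT")
        low = high = self.level()
        if self.peek() == ("PUNCT", "-"):
            self.take()
            high = self.level()
        self.take("PUNCT", ";")
        return {"source": src, "target": tgt, "class": cls, "range": (low, high)}


def parse_range_transition(stmt: str, known_levels=("s0",)):
    # Levels are declared in the base policy, not in the module's require block.
    return Parser(tokenize(stmt), known_levels).range_transition()


def compile_error(stmt: str) -> Optional[str]:
    """None if the statement parses, else the checkmodule-style message."""
    try:
        parse_range_transition(stmt)
        return None
    except PolicyError as e:
        return str(e)


BROKEN = "range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023;"
FIXED = "range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c1023;"
```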

* RE: selinux category relabel (puppet)
  2015-03-16 12:55         ` Stephen Smalley
@ 2015-03-16 15:20           ` Higgs, Stephen
  2015-03-16 15:55             ` Stephen Smalley
  0 siblings, 1 reply; 16+ messages in thread
From: Higgs, Stephen @ 2015-03-16 15:20 UTC (permalink / raw)
  To: Stephen Smalley, selinux

> >>>>> Hello all,
> >>>>>
> >>>>> If there is a more appropriate forum for this question please let me
> >>>>> know:
> >>>>>
> >>>>> I have a system that uses confined users by default and some files
> >>>>> are managed by a puppet server.  When I run (via run_init) the
> >>>>> puppet startup script, I get the following avc log:
> >>>>>
> >>>>> avc: denied { relabelto } for pid=30707 comm="puppet" name="crl.pem"
> >>>>> dev=dm-1 ino=527257 scontext=system_u:system_r:puppet_t:s0
> >>>>> tcontext=system_u:object_r:puppet_var_lib_t:s0:c0.c1023
> >>>>> tclass=file
> >>>>>
> >>>>> I added "typeattribute puppet_t can_change_object_identity" and
> >>>>> appropriate "allow" statements to the puppet_t type after reading
> >>>>> the constraints in the targeted policy. However, it was the
> >>>>> category "s0:c0.c1023" that was also preventing puppet from
> >>>>> relabeling the crl.pem file.
> >>>>>
> >>>>> I was able to fix this by manually relabeling the file to "s0"
> >>>>> instead of "s0:c0.c1023". My question is, how *should* I handle
> >>>>> this so puppet can handle the relabel of the category?
> >>>>
> >>>> It requires an appropriate attribute for the mcs or mls constraint
> >>>> that is blocking access.  Which attribute depends on your policy;
> >>>> MCS in particular has changed a lot over time in Fedora and RHEL.
> >>>> What distro &
> >> version?
> >>>>
> >>>
> >>> I'm using CentOS / RedHat 6.6, targeted reference policy 24.
> >>
> >> Hmmm...looking at selinux-policy-3.7.19-260.el6.src.rpm,
> >> serefpolicy-3.719/policy/mcs has this:
> >>
> >> # New filesystem object labels must be dominated by the relabeling
> >> subject # clearance, also the objects are single-level.
> >> mlsconstrain file { create relabelto }
> >>         (( h1 dom h2 ) and ( l2 eq h2 ));
> >>
> >> So no attributes are exempted from that constraint; your only option
> >> is to run puppet ranged (i.e. as
> >> system_u:system_r:puppet_t:s0-s0:c0.c1023)
> >> so that its high level dominates any potential file level.
> >>
> >> You should be able to do that with a range_transition rule, e.g.
> >> range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c0123;
> >> (assuming that the puppet entrypoint is labeled with puppet_exec_t).
> >
> > Thanks Stephen, this makes sense to me, but I can't get that statement to
> compile in my policy module:
> >
> >    Compiling targeted puppet module
> >    /usr/bin/checkmodule:  loading policy configuration from tmp/puppet.tmp
> >    puppet.te":14:ERROR 'unknown level s0-s0 used in range_transition
> definition' at token ';' on line 1041:
> >    range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023;
> >    #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023);
> >    /usr/bin/checkmodule:  error(s) encountered while parsing configuration
> >    make: *** [tmp/puppet.mod] Error 1
> >
> > I did try checkmodule as well, and I tried using the
> init_ranged_daemon_domain macro.  Here is the policy module that I am
> trying to compile:
> >
> >    module puppet 1.2;
> >    require {
> >            type puppet_t;
> >            type puppet_exec_t;
> >            type initrc_t;
> >            attribute can_change_object_identity;
> >            class process { transition };
> >    }
> >    typeattribute puppet_t can_change_object_identity;
> >    #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023);
> >    range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023;
> >
> > I feel like I'm close, but perhaps I'm missing how to import the level
> definitions?
> 
> As Dominick suggested, whitespace unfortunately matters for the MLS range
> specification - you need whitespace around the - (dash).
> checkpolicy scanner issue introduced when IDENTIFIER was expanded to include
> dash characters to support usage in filesystem type names and user names
> IIRC.  Should probably refactor that.
> 

Thanks everybody for your input, the format

   ifdef(`enable_mcs',`
        init_ranged_daemon_domain(puppet_t, puppet_exec_t, s0 - s0:c0.c1023)
   ')

did the trick, and compiled with the devel makefile.  For posterity, note that it did not compile with checkmodule; the spaces around the dash in the range level were required, and the ifdef format was also required.

Thanks again,

Stephen

* Re: selinux category relabel (puppet)
  2015-03-16 15:20           ` Higgs, Stephen
@ 2015-03-16 15:55             ` Stephen Smalley
  2015-03-16 16:17               ` Higgs, Stephen
  0 siblings, 1 reply; 16+ messages in thread
From: Stephen Smalley @ 2015-03-16 15:55 UTC (permalink / raw)
  To: Higgs, Stephen, selinux

On 03/16/2015 11:20 AM, Higgs, Stephen wrote:
>>>>>>> Hello all,
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> If there is a more appropriate forum for this question please let me
>> know:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> I have a system that uses confined users by default and some files
>>>>>>> are managed by a puppet server.  When I run (via run_init) the
>>>>>>> puppet startup script, I get the following avc log:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> avc: denied { relabelto } for pid=30707 comm="puppet" name="crl.pem"
>>>>>>> dev=dm-1 ino=527257 scontext=system_u:system_r:puppet_t:s0
>>>>>>> tcontext=system_u:object_r:puppet_var_lib_t:s0:c0.c1023
>>>>>>> tclass=file
>>>>>>>
>>>>>>> I added "typeattribute puppet_t can_change_object_identity" and
>>>>>>> appropriate "allow" statements to the puppet_t type after reading
>>>>>>> the constraints in the targeted policy. However, it was the
>>>>>>> category "s0:c0.c1023" that was also preventing puppet from
>>>>>>> relabeling the crl.pem file.
>>>>>>>
>>>>>>> I was able to fix this by manually relabeling the file to "s0"
>>>>>>> instead of "s0:c0.c1023". My question is, how *should* I handle
>>>>>>> this so puppet can handle the relabel of the category?
>>>>>>
>>>>>> It requires an appropriate attribute for the mcs or mls constraint
>>>>>> that is blocking access.  Which attribute depends on your policy;
>>>>>> MCS in particular has changed a lot over time in Fedora and RHEL.
>>>>>> What distro &
>>>> version?
>>>>>>
>>>>>
>>>>> I'm using CentOS / RedHat 6.6, targeted reference policy 24.
>>>>
>>>> Hmmm...looking at selinux-policy-3.7.19-260.el6.src.rpm,
>>>> serefpolicy-3.719/policy/mcs has this:
>>>>
>>>> # New filesystem object labels must be dominated by the relabeling
>>>> subject # clearance, also the objects are single-level.
>>>> mlsconstrain file { create relabelto }
>>>>         (( h1 dom h2 ) and ( l2 eq h2 ));
>>>>
>>>> So no attributes are exempted from that constraint; your only option
>>>> is to run puppet ranged (i.e. as
>>>> system_u:system_r:puppet_t:s0-s0:c0.c1023)
>>>> so that its high level dominates any potential file level.
>>>>
>>>> You should be able to do that with a range_transition rule, e.g.
>>>> range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c0123;
>>>> (assuming that the puppet entrypoint is labeled with puppet_exec_t).
>>>
>>> Thanks Stephen, this makes sense to me, but I can't get that statement to
>> compile in my policy module:
>>>
>>>    Compiling targeted puppet module
>>>    /usr/bin/checkmodule:  loading policy configuration from tmp/puppet.tmp
>>>    puppet.te":14:ERROR 'unknown level s0-s0 used in range_transition
>> definition' at token ';' on line 1041:
>>>    range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023;
>>>    #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023);
>>>    /usr/bin/checkmodule:  error(s) encountered while parsing configuration
>>>    make: *** [tmp/puppet.mod] Error 1
>>>
>>> I did try checkmodule as well, and I tried using the
>> init_ranged_daemon_domain macro.  Here is the policy module that I am
>> trying to compile:
>>>
>>>    module puppet 1.2;
>>>    require {
>>>            type puppet_t;
>>>            type puppet_exec_t;
>>>            type initrc_t;
>>>            attribute can_change_object_identity;
>>>            class process { transition };
>>>    }
>>>    typeattribute puppet_t can_change_object_identity;
>>>    #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023);
>>>    range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023;
>>>
>>> I feel like I'm close, but perhaps I'm missing how to import the level
>> definitions?
>>
>> As Dominick suggested, whitespace unfortunately matters for the MLS range
>> specification - you need whitespace around the - (dash).
>> checkpolicy scanner issue introduced when IDENTIFIER was expanded to include
>> dash characters to support usage in filesystem type names and user names
>> IIRC.  Should probably refactor that.
>>
> 
> Thanks everybody for your input, the format
> 
>    ifdef(`enable_mcs',`
>         init_ranged_daemon_domain(puppet_t, puppet_exec_t, s0 - s0:c0.c1023)
>    ')
> 
> did the trick, and compiled with the devel makefile.  For posterity, note that it did not compile with checkmodule; the spaces around the dash in the range level were required, and the ifdef format was also required.
> 
> Thanks again,

If you used the original range_transition rule I specified, including
the whitespace, then it should have compiled with checkmodule, but to
use the macroized version suggested by Miroslav, you have to build with
the devel Makefile which applies m4 and includes the interface files
that define the macros.

* RE: selinux category relabel (puppet)
  2015-03-16 15:55             ` Stephen Smalley
@ 2015-03-16 16:17               ` Higgs, Stephen
  2015-03-16 17:09                 ` Dominick Grift
  0 siblings, 1 reply; 16+ messages in thread
From: Higgs, Stephen @ 2015-03-16 16:17 UTC (permalink / raw)
  To: Stephen Smalley, selinux

> >>>>>>> Hello all,
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> If there is a more appropriate forum for this question please
> >>>>>>> let me
> >> know:
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> I have a system that uses confined users by default and some
> >>>>>>> files are managed by a puppet server.  When I run (via run_init)
> >>>>>>> the puppet startup script, I get the following avc log:
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> avc: denied { relabelto } for pid=30707 comm="puppet"
> name="crl.pem"
> >>>>>>> dev=dm-1 ino=527257 scontext=system_u:system_r:puppet_t:s0
> >>>>>>> tcontext=system_u:object_r:puppet_var_lib_t:s0:c0.c1023
> >>>>>>> tclass=file
> >>>>>>>
> >>>>>>> I added "typeattribute puppet_t can_change_object_identity" and
> >>>>>>> appropriate "allow" statements to the puppet_t type after
> >>>>>>> reading the constraints in the targeted policy. However, it was
> >>>>>>> the category "s0:c0.c1023" that was also preventing puppet from
> >>>>>>> relabeling the crl.pem file.
> >>>>>>>
> >>>>>>> I was able to fix this by manually relabeling the file to "s0"
> >>>>>>> instead of "s0:c0.c1023". My question is, how *should* I handle
> >>>>>>> this so puppet can handle the relabel of the category?
> >>>>>>
> >>>>>> It requires an appropriate attribute for the mcs or mls
> >>>>>> constraint that is blocking access.  Which attribute depends on
> >>>>>> your policy; MCS in particular has changed a lot over time in Fedora
> and RHEL.
> >>>>>> What distro &
> >>>> version?
> >>>>>>
> >>>>>
> >>>>> I'm using CentOS / RedHat 6.6, targeted reference policy 24.
> >>>>
> >>>> Hmmm...looking at selinux-policy-3.7.19-260.el6.src.rpm,
> >>>> serefpolicy-3.719/policy/mcs has this:
> >>>>
> >>>> # New filesystem object labels must be dominated by the relabeling
> >>>> subject # clearance, also the objects are single-level.
> >>>> mlsconstrain file { create relabelto }
> >>>>         (( h1 dom h2 ) and ( l2 eq h2 ));
> >>>>
> >>>> So no attributes are exempted from that constraint; your only
> >>>> option is to run puppet ranged (i.e. as
> >>>> system_u:system_r:puppet_t:s0-s0:c0.c1023)
> >>>> so that its high level dominates any potential file level.
> >>>>
> >>>> You should be able to do that with a range_transition rule, e.g.
> >>>> range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c0123;
> >>>> (assuming that the puppet entrypoint is labeled with puppet_exec_t).
> >>>
> >>> Thanks Stephen, this makes sense to me, but I can't get that
> >>> statement to
> >> compile in my policy module:
> >>>
> >>>    Compiling targeted puppet module
> >>>    /usr/bin/checkmodule:  loading policy configuration from
> tmp/puppet.tmp
> >>>    puppet.te":14:ERROR 'unknown level s0-s0 used in range_transition
> >> definition' at token ';' on line 1041:
> >>>    range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023;
> >>>    #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023);
> >>>    /usr/bin/checkmodule:  error(s) encountered while parsing configuration
> >>>    make: *** [tmp/puppet.mod] Error 1
> >>>
> >>> I did try checkmodule as well, and I tried using the
> >> init_ranged_daemon_domain macro.  Here is the policy module that I am
> >> trying to compile:
> >>>
> >>>    module puppet 1.2;
> >>>    require {
> >>>            type puppet_t;
> >>>            type puppet_exec_t;
> >>>            type initrc_t;
> >>>            attribute can_change_object_identity;
> >>>            class process { transition };
> >>>    }
> >>>    typeattribute puppet_t can_change_object_identity;
> >>>    #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023);
> >>>    range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023;
> >>>
> >>> I feel like I'm close, but perhaps I'm missing how to import the
> >>> level
> >> definitions?
> >>
> >> As Dominick suggested, whitespace unfortunately matters for the MLS
> >> range specification - you need whitespace around the - (dash).
> >> checkpolicy scanner issue introduced when IDENTIFIER was expanded to
> >> include dash characters to support usage in filesystem type names and
> >> user names IIRC.  Should probably refactor that.
> >>
> >
> > Thanks everybody for your input, the format
> >
> >    ifdef(`enable_mcs',`
> >         init_ranged_daemon_domain(puppet_t, puppet_exec_t, s0 -
> s0:c0.c1023)
> >    ')
> >
> > did the trick, and compiled with the devel makefile.  For posterity, note that it
> did not compile with checkmodule; the spaces around the dash in the range
> level were required, and the ifdef format was also required.
> >
> > Thanks again,
> 
> If you used the original range_transition rule I specified, including the
> whitespace, then it should have compiled with checkmodule, but to use the
> macroized version suggested by Miroslav, you have to build with the devel
> Makefile which applies m4 and includes the interface files that define the
> macros.
> 

Sorry, I should have mentioned that I did try that, and I could not get it to work (please let me know if I am doing something wrong!):

module my_puppet_test 1.0;
require {
        type initrc_t;
        type puppet_t;
        type puppet_exec_t;
        class process { siginh noatsecure rlimitinh };
}
range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c0123;

checkmodule -M -m my_puppet_test.te -o my_puppet_test.mod
checkmodule:  loading policy configuration from my_puppet_test.te
my_puppet_test.te:10:ERROR 'unknown level s0 used in range_transition definition' at token ';' on line 10:
range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c0123;
checkmodule:  error(s) encountered while parsing configuration

* Re: selinux category relabel (puppet)
  2015-03-16 16:17               ` Higgs, Stephen
@ 2015-03-16 17:09                 ` Dominick Grift
  2015-03-17 15:00                   ` Higgs, Stephen
  0 siblings, 1 reply; 16+ messages in thread
From: Dominick Grift @ 2015-03-16 17:09 UTC (permalink / raw)
  To: selinux

On Mon, Mar 16, 2015 at 04:17:57PM +0000, Higgs, Stephen wrote:
> > >>>>>>> Hello all,
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>
> > >>>>>>> If there is a more appropriate forum for this question please
> > >>>>>>> let me
> > >> know:
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>
> > >>>>>>> I have a system that uses confined users by default and some
> > >>>>>>> files are managed by a puppet server.  When I run (via run_init)
> > >>>>>>> the puppet startup script, I get the following avc log:
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>
> > >>>>>>> avc: denied { relabelto } for pid=30707 comm="puppet"
> > name="crl.pem"
> > >>>>>>> dev=dm-1 ino=527257 scontext=system_u:system_r:puppet_t:s0
> > >>>>>>> tcontext=system_u:object_r:puppet_var_lib_t:s0:c0.c1023
> > >>>>>>> tclass=file
> > >>>>>>>
> > >>>>>>> I added "typeattribute puppet_t can_change_object_identity" and
> > >>>>>>> appropriate "allow" statements to the puppet_t type after
> > >>>>>>> reading the constraints in the targeted policy. However, it was
> > >>>>>>> the category "s0:c0.c1023" that was also preventing puppet from
> > >>>>>>> relabeling the crl.pem file.
> > >>>>>>>
> > >>>>>>> I was able to fix this by manually relabeling the file to "s0"
> > >>>>>>> instead of "s0:c0.c1023". My question is, how *should* I handle
> > >>>>>>> this so puppet can handle the relabel of the category?
> > >>>>>>
> > >>>>>> It requires an appropriate attribute for the mcs or mls
> > >>>>>> constraint that is blocking access.  Which attribute depends on
> > >>>>>> your policy; MCS in particular has changed a lot over time in Fedora
> > and RHEL.
> > >>>>>> What distro &
> > >>>> version?
> > >>>>>>
> > >>>>>
> > >>>>> I'm using CentOS / RedHat 6.6, targeted reference policy 24.
> > >>>>
> > >>>> Hmmm...looking at selinux-policy-3.7.19-260.el6.src.rpm,
> > >>>> serefpolicy-3.719/policy/mcs has this:
> > >>>>
> > >>>> # New filesystem object labels must be dominated by the relabeling
> > >>>> subject # clearance, also the objects are single-level.
> > >>>> mlsconstrain file { create relabelto }
> > >>>>         (( h1 dom h2 ) and ( l2 eq h2 ));
> > >>>>
> > >>>> So no attributes are exempted from that constraint; your only
> > >>>> option is to run puppet ranged (i.e. as
> > >>>> system_u:system_r:puppet_t:s0-s0:c0.c1023)
> > >>>> so that its high level dominates any potential file level.
> > >>>>
> > >>>> You should be able to do that with a range_transition rule, e.g.
> > >>>> range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c0123;
> > >>>> (assuming that the puppet entrypoint is labeled with puppet_exec_t).
> > >>>
> > >>> Thanks Stephen, this makes sense to me, but I can't get that
> > >>> statement to
> > >> compile in my policy module:
> > >>>
> > >>>    Compiling targeted puppet module
> > >>>    /usr/bin/checkmodule:  loading policy configuration from
> > tmp/puppet.tmp
> > >>>    puppet.te":14:ERROR 'unknown level s0-s0 used in range_transition
> > >> definition' at token ';' on line 1041:
> > >>>    range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023;
> > >>>    #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023);
> > >>>    /usr/bin/checkmodule:  error(s) encountered while parsing configuration
> > >>>    make: *** [tmp/puppet.mod] Error 1
> > >>>
> > >>> I did try checkmodule as well, and I tried using the
> > >> init_ranged_daemon_domain macro.  Here is the policy module that I am
> > >> trying to compile:
> > >>>
> > >>>    module puppet 1.2;
> > >>>    require {
> > >>>            type puppet_t;
> > >>>            type puppet_exec_t;
> > >>>            type initrc_t;
> > >>>            attribute can_change_object_identity;
> > >>>            class process { transition };
> > >>>    }
> > >>>    typeattribute puppet_t can_change_object_identity;
> > >>>    #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023);
> > >>>    range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023;
> > >>>
> > >>> I feel like I'm close, but perhaps I'm missing how to import the
> > >>> level
> > >> definitions?
> > >>
> > >> As Dominick suggested, whitespace unfortunately matters for the MLS
> > >> range specification - you need whitespace around the - (dash).
> > >> checkpolicy scanner issue introduced when IDENTIFIER was expanded to
> > >> include dash characters to support usage in filesystem type names and
> > >> user names IIRC.  Should probably refactor that.
> > >>
> > >
> > > Thanks everybody for your input, the format
> > >
> > >    ifdef(`enable_mcs',`
> > >         init_ranged_daemon_domain(puppet_t, puppet_exec_t, s0 -
> > s0:c0.c1023)
> > >    ')
> > >
> > > did the trick, and compiled with the devel makefile.  For posterity, note that it
> > did not compile with checkmodule; the spaces around the dash in the range
> > level were required, and the ifdef format was also required.
> > >
> > > Thanks again,
> > 
> > If you used the original range_transition rule I specified, including the
> > whitespace, then it should have compiled with checkmodule, but to use the
> > macroized version suggested by Miroslav, you have to build with the devel
> > Makefile which applies m4 and includes the interface files that define the
> > macros.
> > 
> 
> Sorry, I should have mentioned that I did try that, and I could not get it to work (please let me know if I am doing something wrong!):
> 
> module my_puppet_test 1.0;
> require {
>         type initrc_t;
>         type puppet_t;
>         type puppet_exec_t;
>         class process { siginh noatsecure rlimitinh };
> }
> range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c0123;
> 
> checkmodule -M -m my_puppet_test.te -o my_puppet_test.mod
> checkmodule:  loading policy configuration from my_puppet_test.te
> my_puppet_test.te:10:ERROR 'unknown level s0 used in range_transition definition' at token ';' on line 10:

I suppose you also need to require the MLS identifiers. That is always something to get used to.

Reference policy hides that in its macros. secilc also deals with this for you.

> range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c0123;
> checkmodule:  error(s) encountered while parsing configuration
> 
> 

-- 
Dominick Grift

* RE: selinux category relabel (puppet)
  2015-03-16 17:09                 ` Dominick Grift
@ 2015-03-17 15:00                   ` Higgs, Stephen
  0 siblings, 0 replies; 16+ messages in thread
From: Higgs, Stephen @ 2015-03-17 15:00 UTC (permalink / raw)
  To: Dominick Grift, selinux

> > > >>>>>>> Hello all,
> > > >>>>>>>
> > > >>>>>>>
> > > >>>>>>>
> > > >>>>>>> If there is a more appropriate forum for this question
> > > >>>>>>> please let me
> > > >> know:
> > > >>>>>>>
> > > >>>>>>>
> > > >>>>>>>
> > > >>>>>>> I have a system that uses confined users by default and some
> > > >>>>>>> files are managed by a puppet server.  When I run (via
> > > >>>>>>> run_init) the puppet startup script, I get the following avc log:
> > > >>>>>>>
> > > >>>>>>>
> > > >>>>>>>
> > > >>>>>>> avc: denied { relabelto } for pid=30707 comm="puppet"
> > > name="crl.pem"
> > > >>>>>>> dev=dm-1 ino=527257 scontext=system_u:system_r:puppet_t:s0
> > > >>>>>>> tcontext=system_u:object_r:puppet_var_lib_t:s0:c0.c1023
> > > >>>>>>> tclass=file
> > > >>>>>>>
> > > >>>>>>> I added "typeattribute puppet_t can_change_object_identity"
> > > >>>>>>> and appropriate "allow" statements to the puppet_t type
> > > >>>>>>> after reading the constraints in the targeted policy.
> > > >>>>>>> However, it was the category "s0:c0.c1023" that was also
> > > >>>>>>> preventing puppet from relabeling the crl.pem file.
> > > >>>>>>>
> > > >>>>>>> I was able to fix this by manually relabeling the file to "s0"
> > > >>>>>>> instead of "s0:c0.c1023". My question is, how *should* I
> > > >>>>>>> handle this so puppet can handle the relabel of the category?
> > > >>>>>>
> > > >>>>>> It requires an appropriate attribute for the mcs or mls
> > > >>>>>> constraint that is blocking access.  Which attribute depends
> > > >>>>>> on your policy; MCS in particular has changed a lot over time
> > > >>>>>> in Fedora
> > > and RHEL.
> > > >>>>>> What distro &
> > > >>>> version?
> > > >>>>>>
> > > >>>>>
> > > >>>>> I'm using CentOS / RedHat 6.6, targeted reference policy 24.
> > > >>>>
> > > >>>> Hmmm...looking at selinux-policy-3.7.19-260.el6.src.rpm,
> > > >>>> serefpolicy-3.719/policy/mcs has this:
> > > >>>>
> > > >>>> # New filesystem object labels must be dominated by the
> > > >>>> relabeling subject # clearance, also the objects are single-level.
> > > >>>> mlsconstrain file { create relabelto }
> > > >>>>         (( h1 dom h2 ) and ( l2 eq h2 ));
> > > >>>>
> > > >>>> So no attributes are exempted from that constraint; your only
> > > >>>> option is to run puppet ranged (i.e. as
> > > >>>> system_u:system_r:puppet_t:s0-s0:c0.c1023)
> > > >>>> so that its high level dominates any potential file level.
> > > >>>>
> > > >>>> You should be able to do that with a range_transition rule, e.g.
> > > >>>> range_transition initrc_t puppet_exec_t:process s0 -
> > > >>>> s0:c0.c0123; (assuming that the puppet entrypoint is labeled with
> puppet_exec_t).
> > > >>>
> > > >>> Thanks Stephen, this makes sense to me, but I can't get that
> > > >>> statement to
> > > >> compile in my policy module:
> > > >>>
> > > >>>    Compiling targeted puppet module
> > > >>>    /usr/bin/checkmodule:  loading policy configuration from
> > > tmp/puppet.tmp
> > > >>>    puppet.te":14:ERROR 'unknown level s0-s0 used in
> > > >>> range_transition
> > > >> definition' at token ';' on line 1041:
> > > >>>    range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023;
> > > >>>    #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-
> s0:c0.c1023);
> > > >>>    /usr/bin/checkmodule:  error(s) encountered while parsing
> configuration
> > > >>>    make: *** [tmp/puppet.mod] Error 1
> > > >>>
> > > >>> I did try checkmodule as well, and I tried using the
> > > >> init_ranged_daemon_domain macro.  Here is the policy module that
> > > >> I am trying to compile:
> > > >>>
> > > >>>    module puppet 1.2;
> > > >>>    require {
> > > >>>            type puppet_t;
> > > >>>            type puppet_exec_t;
> > > >>>            type initrc_t;
> > > >>>            attribute can_change_object_identity;
> > > >>>            class process { transition };
> > > >>>    }
> > > >>>    typeattribute puppet_t can_change_object_identity;
> > > >>>    #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-
> s0:c0.c1023);
> > > >>>    range_transition initrc_t puppet_exec_t:process
> > > >>> s0-s0:c0.c1023;
> > > >>>
> > > >>> I feel like I'm close, but perhaps I'm missing how to import
> > > >>> the level
> > > >> definitions?
> > > >>
> > > >> As Dominick suggested, whitespace unfortunately matters for the
> > > >> MLS range specification - you need whitespace around the - (dash).
> > > >> checkpolicy scanner issue introduced when IDENTIFIER was expanded
> > > >> to include dash characters to support usage in filesystem type
> > > >> names and user names IIRC.  Should probably refactor that.
> > > >>
> > > >
> > > > Thanks everybody for your input, the format
> > > >
> > > >    ifdef(`enable_mcs',`
> > > >         init_ranged_daemon_domain(puppet_t, puppet_exec_t, s0 -
> > > s0:c0.c1023)
> > > >    ')
> > > >
> > > > did the trick, and compiled with the devel makefile.  For
> > > > posterity, note that it
> > > did not compile with checkmodule; the spaces around the dash in the
> > > range level were required, and the ifdef format was also required.
> > > >
> > > > Thanks again,
> > >
> > > If you used the original range_transition rule I specified,
> > > including the whitespace, then it should have compiled with
> > > checkmodule, but to use the macroized version suggested by Miroslav,
> > > you have to build with the devel Makefile which applies m4 and
> > > includes the interface files that define the macros.
> > >
> >
> > Sorry, I should have mentioned that I did try that, and I could not get it to
> work (please let me know if I am doing something wrong!):
> >
> > module my_puppet_test 1.0;
> > require {
> >         type initrc_t;
> >         type puppet_t;
> >         type puppet_exec_t;
> >         class process { siginh noatsecure rlimitinh }; }
> > range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c0123;
> >
> > checkmodule -M -m my_puppet_test.te -o my_puppet_test.mod
> > checkmodule:  loading policy configuration from my_puppet_test.te
> > my_puppet_test.te:10:ERROR 'unknown level s0 used in range_transition
> definition' at token ';' on line 10:
> 
> I suppose you also need to require the MLS identifiers. That is always something
> to get used to.
> 
> Reference policy hides that in its macros. secilc also deals with this for you.
> 
> > range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c0123;
> > checkmodule:  error(s) encountered while parsing configuration
> >
> >
> 
> --
> Dominick Grift

Thanks!  You are right, the following compiles with checkmodule:

module my_puppet_test 1.0;
require {
        type initrc_t;
        type puppet_t;
        type puppet_exec_t;
        class process { siginh };
        sensitivity s0;
        category c0;
        category c1023;
}
range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c1023;
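To make the `mlsconstrain file { create relabelto } (( h1 dom h2 ) and ( l2 eq h2 ))` rule quoted earlier in the thread concrete, here is an added Python evaluator (example code, not from anyone in the thread or from checkpolicy) that parses SELinux contexts and applies that constraint to the contexts from the original AVC denial. The function and class names are my own; it checks only the MCS constraint, not the type-enforcement allow rules, and treats a context's last field as the `low[-high]` range.

```python
"""Evaluate the MCS relabelto constraint against SELinux security contexts.

Constraint from the thread (policy/mcs in selinux-policy for RHEL 6):
    mlsconstrain file { create relabelto } (( h1 dom h2 ) and ( l2 eq h2 ));
h1 = subject's high (clearance) level, l2/h2 = target's low/high levels.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Level:
    """One MLS/MCS level: a sensitivity plus a set of categories."""
    sens: int
    cats: FrozenSet[int]

    def dom(self, other: "Level") -> bool:
        # 'dom' in constraint syntax: sensitivity is >= and the category
        # set is a superset of the other level's categories.
        return self.sens >= other.sens and other.cats <= self.cats


def parse_level(text: str) -> Level:
    """Parse 's0', 's0:c0.c1023' or 's0:c1,c3.c5' ('.' is a category range)."""
    sens_part, _, cat_part = text.strip().partition(":")
    cats = set()
    for item in filter(None, cat_part.split(",")):
        if "." in item:
            lo, hi = item.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(item[1:]))
    return Level(int(sens_part[1:]), frozenset(cats))


def parse_range(text: str) -> Tuple[Level, Level]:
    """Parse 'low' or 'low-high'; a single level means low == high."""
    low, _, high = text.partition("-")
    lo = parse_level(low)
    return lo, (parse_level(high) if high.strip() else lo)


def parse_context(ctx: str) -> Tuple[str, str, str, Level, Level]:
    """Split user:role:type:range; the range itself may contain ':'."""
    user, role, typ, rng = ctx.split(":", 3)
    low, high = parse_range(rng)
    return user, role, typ, low, high


def mcs_constraint_allows(scontext: str, tcontext: str) -> bool:
    """(( h1 dom h2 ) and ( l2 eq h2 )): clearance dominates the file's
    level, and the file stays single-level."""
    _, _, _, _, h1 = parse_context(scontext)
    _, _, _, l2, h2 = parse_context(tcontext)
    return h1.dom(h2) and l2 == h2


def missing_categories(scontext: str, tcontext: str) -> List[int]:
    """Categories the target carries that the subject's clearance lacks;
    an empty list means the 'h1 dom h2' half of the constraint holds."""
    _, _, _, _, h1 = parse_context(scontext)
    _, _, _, _, h2 = parse_context(tcontext)
    return sorted(h2.cats - h1.cats)


# Contexts constructed from the AVC denial in the thread: unranged puppet_t
# runs at s0, so its clearance cannot dominate a file at s0:c0.c1023.
FILE_CTX = "system_u:object_r:puppet_var_lib_t:s0:c0.c1023"
UNRANGED = "system_u:system_r:puppet_t:s0"
RANGED = "system_u:system_r:puppet_t:s0-s0:c0.c1023"

if __name__ == "__main__":
    for subj in (UNRANGED, RANGED):
        verdict = "allowed" if mcs_constraint_allows(subj, FILE_CTX) else "denied"
        print(f"{subj} relabelto {FILE_CTX}: {verdict}")
```

Note that a range written as `s0-s0:c0.c0123` parses as categories c0 through c123 only, so a domain given that range still fails to dominate an `s0:c0.c1023` file.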
