* selinux category relabel (puppet)
@ 2015-03-13 13:52 Higgs, Stephen
2015-03-13 17:40 ` Stephen Smalley
0 siblings, 1 reply; 16+ messages in thread
From: Higgs, Stephen @ 2015-03-13 13:52 UTC (permalink / raw)
To: selinux
[-- Attachment #1: Type: text/plain, Size: 977 bytes --]
Hello all,
If there is a more appropriate forum for this question please let me know:
I have a system that uses confined users by default and some files are managed by a puppet server. When I run (via run_init) the puppet startup script, I get the following avc log:
avc: denied { relabelto } for pid=30707 comm="puppet" name="crl.pem" dev=dm-1 ino=527257 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0:c0.c1023 tclass=file
I added "typeattribute puppet_t can_change_object_identity" and appropriate "allow" statements to the puppet_t type after reading the constraints in the targeted policy. However, it was the category "s0:c0.c1023" that was also preventing puppet from relabeling the crl.pem file.
I was able to fix this by manually relabeling the file to "s0" instead of "s0:c0.c1023". My question is, how *should* I handle this so puppet can handle the relabel of the category?
Stephen Higgs
ICF International
[-- Attachment #2: Type: text/html, Size: 22944 bytes --]
^ permalink raw reply [flat|nested] 16+ messages in thread* Re: selinux category relabel (puppet) 2015-03-13 13:52 selinux category relabel (puppet) Higgs, Stephen @ 2015-03-13 17:40 ` Stephen Smalley 2015-03-13 17:52 ` Higgs, Stephen 0 siblings, 1 reply; 16+ messages in thread From: Stephen Smalley @ 2015-03-13 17:40 UTC (permalink / raw) To: Higgs, Stephen, selinux On 03/13/2015 09:52 AM, Higgs, Stephen wrote: > Hello all, > > > > If there is a more appropriate forum for this question please let me know: > > > > I have a system that uses confined users by default and some files are > managed by a puppet server. When I run (via run_init) the puppet > startup script, I get the following avc log: > > > > avc: denied { relabelto } for pid=30707 comm="puppet" name="crl.pem" > dev=dm-1 ino=527257 scontext=system_u:system_r:puppet_t:s0 > tcontext=system_u:object_r:puppet_var_lib_t:s0:c0.c1023 tclass=file > > I added "typeattribute puppet_t can_change_object_identity" and > appropriate "allow" statements to the puppet_t type after reading the > constraints in the targeted policy. However, it was the category > “s0:c0.c1023” that was also preventing puppet from relabeling the > crl.pem file. > > I was able to fix this by manually relabeling the file to "s0" instead > of "s0:c0.c1023". My question is, how *should* I handle this so puppet > can handle the relabel of the category? It requires an appropriate attribute for the mcs or mls constraint that is blocking access. Which attribute depends on your policy; MCS in particular has changed a lot over time in Fedora and RHEL. What distro & version? ^ permalink raw reply [flat|nested] 16+ messages in thread
* RE: selinux category relabel (puppet) 2015-03-13 17:40 ` Stephen Smalley @ 2015-03-13 17:52 ` Higgs, Stephen 2015-03-13 17:54 ` Stephen Smalley ` (2 more replies) 0 siblings, 3 replies; 16+ messages in thread From: Higgs, Stephen @ 2015-03-13 17:52 UTC (permalink / raw) To: Stephen Smalley, selinux > On 03/13/2015 09:52 AM, Higgs, Stephen wrote: > > Hello all, > > > > > > > > If there is a more appropriate forum for this question please let me know: > > > > > > > > I have a system that uses confined users by default and some files are > > managed by a puppet server. When I run (via run_init) the puppet > > startup script, I get the following avc log: > > > > > > > > avc: denied { relabelto } for pid=30707 comm="puppet" name="crl.pem" > > dev=dm-1 ino=527257 scontext=system_u:system_r:puppet_t:s0 > > tcontext=system_u:object_r:puppet_var_lib_t:s0:c0.c1023 tclass=file > > > > I added "typeattribute puppet_t can_change_object_identity" and > > appropriate "allow" statements to the puppet_t type after reading the > > constraints in the targeted policy. However, it was the category > > "s0:c0.c1023" that was also preventing puppet from relabeling the > > crl.pem file. > > > > I was able to fix this by manually relabeling the file to "s0" instead > > of "s0:c0.c1023". My question is, how *should* I handle this so puppet > > can handle the relabel of the category? > > It requires an appropriate attribute for the mcs or mls constraint that is > blocking access. Which attribute depends on your policy; MCS in particular has > changed a lot over time in Fedora and RHEL. What distro & version? > I'm using CentOS / RedHat 6.6, targeted reference policy 24. ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: selinux category relabel (puppet) 2015-03-13 17:52 ` Higgs, Stephen @ 2015-03-13 17:54 ` Stephen Smalley 2015-03-13 17:58 ` Higgs, Stephen 2015-03-13 18:02 ` Dominick Grift 2015-03-13 18:04 ` Stephen Smalley 2 siblings, 1 reply; 16+ messages in thread From: Stephen Smalley @ 2015-03-13 17:54 UTC (permalink / raw) To: Higgs, Stephen, selinux On 03/13/2015 01:52 PM, Higgs, Stephen wrote: >> On 03/13/2015 09:52 AM, Higgs, Stephen wrote: >>> Hello all, >>> >>> >>> >>> If there is a more appropriate forum for this question please let me know: >>> >>> >>> >>> I have a system that uses confined users by default and some files are >>> managed by a puppet server. When I run (via run_init) the puppet >>> startup script, I get the following avc log: >>> >>> >>> >>> avc: denied { relabelto } for pid=30707 comm="puppet" name="crl.pem" >>> dev=dm-1 ino=527257 scontext=system_u:system_r:puppet_t:s0 >>> tcontext=system_u:object_r:puppet_var_lib_t:s0:c0.c1023 tclass=file >>> >>> I added "typeattribute puppet_t can_change_object_identity" and >>> appropriate "allow" statements to the puppet_t type after reading the >>> constraints in the targeted policy. However, it was the category >>> "s0:c0.c1023" that was also preventing puppet from relabeling the >>> crl.pem file. >>> >>> I was able to fix this by manually relabeling the file to "s0" instead >>> of "s0:c0.c1023". My question is, how *should* I handle this so puppet >>> can handle the relabel of the category? >> >> It requires an appropriate attribute for the mcs or mls constraint that is >> blocking access. Which attribute depends on your policy; MCS in particular has >> changed a lot over time in Fedora and RHEL. What distro & version? >> > > I'm using CentOS / RedHat 6.6, targeted reference policy 24. So, selinux-policy-3.7.19-260.el6 or thereabouts? ^ permalink raw reply [flat|nested] 16+ messages in thread
* RE: selinux category relabel (puppet) 2015-03-13 17:54 ` Stephen Smalley @ 2015-03-13 17:58 ` Higgs, Stephen 0 siblings, 0 replies; 16+ messages in thread From: Higgs, Stephen @ 2015-03-13 17:58 UTC (permalink / raw) To: Stephen Smalley, selinux > >>> Hello all, > >>> > >>> > >>> > >>> If there is a more appropriate forum for this question please let me know: > >>> > >>> > >>> > >>> I have a system that uses confined users by default and some files > >>> are managed by a puppet server. When I run (via run_init) the > >>> puppet startup script, I get the following avc log: > >>> > >>> > >>> > >>> avc: denied { relabelto } for pid=30707 comm="puppet" name="crl.pem" > >>> dev=dm-1 ino=527257 scontext=system_u:system_r:puppet_t:s0 > >>> tcontext=system_u:object_r:puppet_var_lib_t:s0:c0.c1023 tclass=file > >>> > >>> I added "typeattribute puppet_t can_change_object_identity" and > >>> appropriate "allow" statements to the puppet_t type after reading > >>> the constraints in the targeted policy. However, it was the category > >>> "s0:c0.c1023" that was also preventing puppet from relabeling the > >>> crl.pem file. > >>> > >>> I was able to fix this by manually relabeling the file to "s0" > >>> instead of "s0:c0.c1023". My question is, how *should* I handle this > >>> so puppet can handle the relabel of the category? > >> > >> It requires an appropriate attribute for the mcs or mls constraint > >> that is blocking access. Which attribute depends on your policy; MCS > >> in particular has changed a lot over time in Fedora and RHEL. What distro & > version? > >> > > > > I'm using CentOS / RedHat 6.6, targeted reference policy 24. > > So, selinux-policy-3.7.19-260.el6 or thereabouts? > Yes, exactly selinux-policy- 3.7.19-260.el6_6.2 ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: selinux category relabel (puppet) 2015-03-13 17:52 ` Higgs, Stephen 2015-03-13 17:54 ` Stephen Smalley @ 2015-03-13 18:02 ` Dominick Grift 2015-03-13 18:04 ` Stephen Smalley 2 siblings, 0 replies; 16+ messages in thread From: Dominick Grift @ 2015-03-13 18:02 UTC (permalink / raw) To: selinux -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Fri, Mar 13, 2015 at 05:52:37PM +0000, Higgs, Stephen wrote: > > On 03/13/2015 09:52 AM, Higgs, Stephen wrote: > > > Hello all, > > > > > > > > > > > > If there is a more appropriate forum for this question please let me know: > > > > > > > > > > > > I have a system that uses confined users by default and some files are > > > managed by a puppet server. When I run (via run_init) the puppet > > > startup script, I get the following avc log: > > > > > > > > > > > > avc: denied { relabelto } for pid=30707 comm="puppet" name="crl.pem" > > > dev=dm-1 ino=527257 scontext=system_u:system_r:puppet_t:s0 > > > tcontext=system_u:object_r:puppet_var_lib_t:s0:c0.c1023 tclass=file > > > > > > I added "typeattribute puppet_t can_change_object_identity" and > > > appropriate "allow" statements to the puppet_t type after reading the > > > constraints in the targeted policy. However, it was the category > > > "s0:c0.c1023" that was also preventing puppet from relabeling the > > > crl.pem file. > > > > > > I was able to fix this by manually relabeling the file to "s0" instead > > > of "s0:c0.c1023". My question is, how *should* I handle this so puppet > > > can handle the relabel of the category? > > > > It requires an appropriate attribute for the mcs or mls constraint that is > > blocking access. Which attribute depends on your policy; MCS in particular has > > changed a lot over time in Fedora and RHEL. What distro & version? > > > > I'm using CentOS / RedHat 6.6, targeted reference policy 24. I do not see how it makes sense in the first place to relabelto s0:c0.c1023, might as well keep it s0. Any idea why puppet is trying to relabelto s0:c0.c1023? Is that specified in your puppet configuration? Also it may not even be constraint issue in the first place ( i doubt that puppet is mcs constrained ). maybe you just need a rule like allow puppet_t puppet_var_lib_t:file relabelto; what does audit2hy tell you when you pipe the avc denial into it's input stream? > > _______________________________________________ > Selinux mailing list > Selinux@tycho.nsa.gov > To unsubscribe, send email to Selinux-leave@tycho.nsa.gov. > To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov. - -- 02DFF788 4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788 http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788 Dominick Grift -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQGcBAEBCgAGBQJVAyY5AAoJENAR6kfG5xmcQQ4MAMw2osxY36pxWmoDyu7PD6YK NPjYB9bSU0fErvgVTVsCcjVmTemfSzJO4LitapfZMvzK0Ppe1ArwxQcSrOC+52qf BvMmiKVnqgwDYmsqEDJBhQqB3iQqqrdKWC0LzyjzTV9Tbop9Aarad7NXJJg3Js9u btI0AKeaZ8vP9Sn0pJflzqaX+BjEhl0bJjYN9X6CQAWA8AsVopkZcfgpxYAuHw99 NQQxTsXABzH9aqDFdkD+EdgOBz46y9DebOePAW8w+uXuHU8S2abkPx2sVBj4YQO6 /R0kaNx1ltD/7Iq59xgig1Xq1pv1WhYCQkx8LmzAuip9UMl1b6wiBQtGjZFVMFoJ E/CdA95GF7q3w+NcVhdrDLrKAldmRCsc3Y4j7wA4nQFna7Yys2HzOmn0yeQa224s 55/KyCN0hF39o3mo4zYlEf52wi+0cfNzTvwDpui0uR0uZwkggps8nc/Bno7ZZBLD QSuu63MTbLCGtb1IKGZLRQAehoPBIYqeg0w6R0M1Lw== =QarR -----END PGP SIGNATURE----- ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: selinux category relabel (puppet) 2015-03-13 17:52 ` Higgs, Stephen 2015-03-13 17:54 ` Stephen Smalley 2015-03-13 18:02 ` Dominick Grift @ 2015-03-13 18:04 ` Stephen Smalley 2015-03-13 21:17 ` Higgs, Stephen 2 siblings, 1 reply; 16+ messages in thread From: Stephen Smalley @ 2015-03-13 18:04 UTC (permalink / raw) To: Higgs, Stephen, selinux On 03/13/2015 01:52 PM, Higgs, Stephen wrote: >> On 03/13/2015 09:52 AM, Higgs, Stephen wrote: >>> Hello all, >>> >>> >>> >>> If there is a more appropriate forum for this question please let me know: >>> >>> >>> >>> I have a system that uses confined users by default and some files are >>> managed by a puppet server. When I run (via run_init) the puppet >>> startup script, I get the following avc log: >>> >>> >>> >>> avc: denied { relabelto } for pid=30707 comm="puppet" name="crl.pem" >>> dev=dm-1 ino=527257 scontext=system_u:system_r:puppet_t:s0 >>> tcontext=system_u:object_r:puppet_var_lib_t:s0:c0.c1023 tclass=file >>> >>> I added "typeattribute puppet_t can_change_object_identity" and >>> appropriate "allow" statements to the puppet_t type after reading the >>> constraints in the targeted policy. However, it was the category >>> "s0:c0.c1023" that was also preventing puppet from relabeling the >>> crl.pem file. >>> >>> I was able to fix this by manually relabeling the file to "s0" instead >>> of "s0:c0.c1023". My question is, how *should* I handle this so puppet >>> can handle the relabel of the category? >> >> It requires an appropriate attribute for the mcs or mls constraint that is >> blocking access. Which attribute depends on your policy; MCS in particular has >> changed a lot over time in Fedora and RHEL. What distro & version? >> > > I'm using CentOS / RedHat 6.6, targeted reference policy 24. Hmmm...looking at selinux-policy-3.7.19-260.el6.src.rpm, serefpolicy-3.719/policy/mcs has this: # New filesystem object labels must be dominated by the relabeling subject # clearance, also the objects are single-level. mlsconstrain file { create relabelto } (( h1 dom h2 ) and ( l2 eq h2 )); So no attributes are exempted from that constraint; your only option is to run puppet ranged (i.e. as system_u:system_r:puppet_t:s0-s0:c0.c1023) so that its high level dominates any potential file level. You should be able to do that with a range_transition rule, e.g. range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c0123; (assuming that the puppet entrypoint is labeled with puppet_exec_t). ^ permalink raw reply [flat|nested] 16+ messages in thread
* RE: selinux category relabel (puppet) 2015-03-13 18:04 ` Stephen Smalley @ 2015-03-13 21:17 ` Higgs, Stephen 2015-03-13 21:31 ` Dominick Grift 2015-03-16 12:55 ` Stephen Smalley 0 siblings, 2 replies; 16+ messages in thread From: Higgs, Stephen @ 2015-03-13 21:17 UTC (permalink / raw) To: Stephen Smalley, selinux > >>> Hello all, > >>> > >>> > >>> > >>> If there is a more appropriate forum for this question please let me know: > >>> > >>> > >>> > >>> I have a system that uses confined users by default and some files > >>> are managed by a puppet server. When I run (via run_init) the > >>> puppet startup script, I get the following avc log: > >>> > >>> > >>> > >>> avc: denied { relabelto } for pid=30707 comm="puppet" name="crl.pem" > >>> dev=dm-1 ino=527257 scontext=system_u:system_r:puppet_t:s0 > >>> tcontext=system_u:object_r:puppet_var_lib_t:s0:c0.c1023 tclass=file > >>> > >>> I added "typeattribute puppet_t can_change_object_identity" and > >>> appropriate "allow" statements to the puppet_t type after reading > >>> the constraints in the targeted policy. However, it was the category > >>> "s0:c0.c1023" that was also preventing puppet from relabeling the > >>> crl.pem file. > >>> > >>> I was able to fix this by manually relabeling the file to "s0" > >>> instead of "s0:c0.c1023". My question is, how *should* I handle this > >>> so puppet can handle the relabel of the category? > >> > >> It requires an appropriate attribute for the mcs or mls constraint > >> that is blocking access. Which attribute depends on your policy; MCS > >> in particular has changed a lot over time in Fedora and RHEL. What distro & > version? > >> > > > > I'm using CentOS / RedHat 6.6, targeted reference policy 24. > > Hmmm...looking at selinux-policy-3.7.19-260.el6.src.rpm, > serefpolicy-3.719/policy/mcs has this: > > # New filesystem object labels must be dominated by the relabeling subject # > clearance, also the objects are single-level. > mlsconstrain file { create relabelto } > (( h1 dom h2 ) and ( l2 eq h2 )); > > So no attributes are exempted from that constraint; your only option is to run > puppet ranged (i.e. as system_u:system_r:puppet_t:s0-s0:c0.c1023) > so that its high level dominates any potential file level. > > You should be able to do that with a range_transition rule, e.g. > range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c0123; (assuming > that the puppet entrypoint is labeled with puppet_exec_t). Thanks Stephen, this makes sense to me, but I can't get that statement to compile in my policy module: Compiling targeted puppet module /usr/bin/checkmodule: loading policy configuration from tmp/puppet.tmp puppet.te":14:ERROR 'unknown level s0-s0 used in range_transition definition' at token ';' on line 1041: range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023; #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023); /usr/bin/checkmodule: error(s) encountered while parsing configuration make: *** [tmp/puppet.mod] Error 1 I did try checkmodule as well, and I tried using the init_ranged_daemon_domain macro. Here is the policy module that I am trying to compile: module puppet 1.2; require { type puppet_t; type puppet_exec_t; type initrc_t; attribute can_change_object_identity; class process { transition }; } typeattribute puppet_t can_change_object_identity; #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023); range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023; I feel like I'm close, but perhaps I'm missing how to import the level definitions? ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: selinux category relabel (puppet) 2015-03-13 21:17 ` Higgs, Stephen @ 2015-03-13 21:31 ` Dominick Grift 2015-03-16 12:43 ` Miroslav Grepl 2015-03-16 12:55 ` Stephen Smalley 1 sibling, 1 reply; 16+ messages in thread From: Dominick Grift @ 2015-03-13 21:31 UTC (permalink / raw) To: selinux [-- Attachment #1: Type: text/plain, Size: 4170 bytes --] On Fri, Mar 13, 2015 at 09:17:36PM +0000, Higgs, Stephen wrote: > > >>> Hello all, > > >>> > > >>> > > >>> > > >>> If there is a more appropriate forum for this question please let me know: > > >>> > > >>> > > >>> > > >>> I have a system that uses confined users by default and some files > > >>> are managed by a puppet server. When I run (via run_init) the > > >>> puppet startup script, I get the following avc log: > > >>> > > >>> > > >>> > > >>> avc: denied { relabelto } for pid=30707 comm="puppet" name="crl.pem" > > >>> dev=dm-1 ino=527257 scontext=system_u:system_r:puppet_t:s0 > > >>> tcontext=system_u:object_r:puppet_var_lib_t:s0:c0.c1023 tclass=file > > >>> > > >>> I added "typeattribute puppet_t can_change_object_identity" and > > >>> appropriate "allow" statements to the puppet_t type after reading > > >>> the constraints in the targeted policy. However, it was the category > > >>> "s0:c0.c1023" that was also preventing puppet from relabeling the > > >>> crl.pem file. > > >>> > > >>> I was able to fix this by manually relabeling the file to "s0" > > >>> instead of "s0:c0.c1023". My question is, how *should* I handle this > > >>> so puppet can handle the relabel of the category? > > >> > > >> It requires an appropriate attribute for the mcs or mls constraint > > >> that is blocking access. Which attribute depends on your policy; MCS > > >> in particular has changed a lot over time in Fedora and RHEL. What distro & > > version? > > >> > > > > > > I'm using CentOS / RedHat 6.6, targeted reference policy 24. > > > > Hmmm...looking at selinux-policy-3.7.19-260.el6.src.rpm, > > serefpolicy-3.719/policy/mcs has this: > > > > # New filesystem object labels must be dominated by the relabeling subject # > > clearance, also the objects are single-level. > > mlsconstrain file { create relabelto } > > (( h1 dom h2 ) and ( l2 eq h2 )); > > > > So no attributes are exempted from that constraint; your only option is to run > > puppet ranged (i.e. as system_u:system_r:puppet_t:s0-s0:c0.c1023) > > so that its high level dominates any potential file level. > > > > You should be able to do that with a range_transition rule, e.g. > > range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c0123; (assuming > > that the puppet entrypoint is labeled with puppet_exec_t). > > Thanks Stephen, this makes sense to me, but I can't get that statement to compile in my policy module: > > Compiling targeted puppet module > /usr/bin/checkmodule: loading policy configuration from tmp/puppet.tmp > puppet.te":14:ERROR 'unknown level s0-s0 used in range_transition definition' at token ';' on line 1041: > range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023; > #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023); > /usr/bin/checkmodule: error(s) encountered while parsing configuration > make: *** [tmp/puppet.mod] Error 1 > > I did try checkmodule as well, and I tried using the init_ranged_daemon_domain macro. Here is the policy module that I am trying to compile: > > module puppet 1.2; > require { > type puppet_t; > type puppet_exec_t; > type initrc_t; > attribute can_change_object_identity; > class process { transition }; > } > typeattribute puppet_t can_change_object_identity; > #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023); > range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023; Not sure but try spaces here (s0 - s0): range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c1023; > > I feel like I'm close, but perhaps I'm missing how to import the level definitions? > > > _______________________________________________ > Selinux mailing list > Selinux@tycho.nsa.gov > To unsubscribe, send email to Selinux-leave@tycho.nsa.gov. > To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov. -- 02DFF788 4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788 http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788 Dominick Grift [-- Attachment #2: Type: application/pgp-signature, Size: 648 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: selinux category relabel (puppet) 2015-03-13 21:31 ` Dominick Grift @ 2015-03-16 12:43 ` Miroslav Grepl 0 siblings, 0 replies; 16+ messages in thread From: Miroslav Grepl @ 2015-03-16 12:43 UTC (permalink / raw) To: selinux [-- Attachment #1: Type: text/plain, Size: 4426 bytes --] On 03/13/2015 10:31 PM, Dominick Grift wrote: > On Fri, Mar 13, 2015 at 09:17:36PM +0000, Higgs, Stephen wrote: >>>>>> Hello all, >>>>>> >>>>>> >>>>>> >>>>>> If there is a more appropriate forum for this question please let me know: >>>>>> >>>>>> >>>>>> >>>>>> I have a system that uses confined users by default and some files >>>>>> are managed by a puppet server. When I run (via run_init) the >>>>>> puppet startup script, I get the following avc log: >>>>>> >>>>>> >>>>>> >>>>>> avc: denied { relabelto } for pid=30707 comm="puppet" name="crl.pem" >>>>>> dev=dm-1 ino=527257 scontext=system_u:system_r:puppet_t:s0 >>>>>> tcontext=system_u:object_r:puppet_var_lib_t:s0:c0.c1023 tclass=file >>>>>> >>>>>> I added "typeattribute puppet_t can_change_object_identity" and >>>>>> appropriate "allow" statements to the puppet_t type after reading >>>>>> the constraints in the targeted policy. However, it was the category >>>>>> "s0:c0.c1023" that was also preventing puppet from relabeling the >>>>>> crl.pem file. >>>>>> >>>>>> I was able to fix this by manually relabeling the file to "s0" >>>>>> instead of "s0:c0.c1023". My question is, how *should* I handle this >>>>>> so puppet can handle the relabel of the category? >>>>> It requires an appropriate attribute for the mcs or mls constraint >>>>> that is blocking access. Which attribute depends on your policy; MCS >>>>> in particular has changed a lot over time in Fedora and RHEL. What distro & >>> version? >>>> I'm using CentOS / RedHat 6.6, targeted reference policy 24. >>> Hmmm...looking at selinux-policy-3.7.19-260.el6.src.rpm, >>> serefpolicy-3.719/policy/mcs has this: >>> >>> # New filesystem object labels must be dominated by the relabeling subject # >>> clearance, also the objects are single-level. >>> mlsconstrain file { create relabelto } >>> (( h1 dom h2 ) and ( l2 eq h2 )); >>> >>> So no attributes are exempted from that constraint; your only option is to run >>> puppet ranged (i.e. as system_u:system_r:puppet_t:s0-s0:c0.c1023) >>> so that its high level dominates any potential file level. Yes, there is no attribute on RHEL6. >>> >>> You should be able to do that with a range_transition rule, e.g. >>> range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c0123; (assuming >>> that the puppet entrypoint is labeled with puppet_exec_t). >> Thanks Stephen, this makes sense to me, but I can't get that statement to compile in my policy module: >> >> Compiling targeted puppet module >> /usr/bin/checkmodule: loading policy configuration from tmp/puppet.tmp >> puppet.te":14:ERROR 'unknown level s0-s0 used in range_transition definition' at token ';' on line 1041: >> range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023; >> #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023); >> /usr/bin/checkmodule: error(s) encountered while parsing configuration >> make: *** [tmp/puppet.mod] Error 1 >> >> I did try checkmodule as well, and I tried using the init_ranged_daemon_domain macro. Here is the policy module that I am trying to compile: >> >> module puppet 1.2; >> require { >> type puppet_t; >> type puppet_exec_t; >> type initrc_t; >> attribute can_change_object_identity; >> class process { transition }; >> } >> typeattribute puppet_t can_change_object_identity; >> #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023); >> range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023; > Not sure but try spaces here (s0 - s0): range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c1023; > >> I feel like I'm close, but perhaps I'm missing how to import the level definitions? Try this one policy_module(mypol,1.0) require{ type puppet_t; type puppet_exec_t; } ifdef(`enable_mcs',` init_ranged_daemon_domain(puppet_t, puppet_exec_t, s0 - s0:c0.c1023) ') >> >> >> _______________________________________________ >> Selinux mailing list >> Selinux@tycho.nsa.gov >> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov. >> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov. > > > _______________________________________________ > Selinux mailing list > Selinux@tycho.nsa.gov > To unsubscribe, send email to Selinux-leave@tycho.nsa.gov. > To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov. [-- Attachment #2: Type: text/html, Size: 6539 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: selinux category relabel (puppet) 2015-03-13 21:17 ` Higgs, Stephen 2015-03-13 21:31 ` Dominick Grift @ 2015-03-16 12:55 ` Stephen Smalley 2015-03-16 15:20 ` Higgs, Stephen 1 sibling, 1 reply; 16+ messages in thread From: Stephen Smalley @ 2015-03-16 12:55 UTC (permalink / raw) To: Higgs, Stephen, selinux On 03/13/2015 05:17 PM, Higgs, Stephen wrote: >>>>> Hello all, >>>>> >>>>> >>>>> >>>>> If there is a more appropriate forum for this question please let me know: >>>>> >>>>> >>>>> >>>>> I have a system that uses confined users by default and some files >>>>> are managed by a puppet server. When I run (via run_init) the >>>>> puppet startup script, I get the following avc log: >>>>> >>>>> >>>>> >>>>> avc: denied { relabelto } for pid=30707 comm="puppet" name="crl.pem" >>>>> dev=dm-1 ino=527257 scontext=system_u:system_r:puppet_t:s0 >>>>> tcontext=system_u:object_r:puppet_var_lib_t:s0:c0.c1023 tclass=file >>>>> >>>>> I added "typeattribute puppet_t can_change_object_identity" and >>>>> appropriate "allow" statements to the puppet_t type after reading >>>>> the constraints in the targeted policy. However, it was the category >>>>> "s0:c0.c1023" that was also preventing puppet from relabeling the >>>>> crl.pem file. >>>>> >>>>> I was able to fix this by manually relabeling the file to "s0" >>>>> instead of "s0:c0.c1023". My question is, how *should* I handle this >>>>> so puppet can handle the relabel of the category? >>>> >>>> It requires an appropriate attribute for the mcs or mls constraint >>>> that is blocking access. Which attribute depends on your policy; MCS >>>> in particular has changed a lot over time in Fedora and RHEL. What distro & >> version? >>>> >>> >>> I'm using CentOS / RedHat 6.6, targeted reference policy 24. >> >> Hmmm...looking at selinux-policy-3.7.19-260.el6.src.rpm, >> serefpolicy-3.719/policy/mcs has this: >> >> # New filesystem object labels must be dominated by the relabeling subject # >> clearance, also the objects are single-level. >> mlsconstrain file { create relabelto } >> (( h1 dom h2 ) and ( l2 eq h2 )); >> >> So no attributes are exempted from that constraint; your only option is to run >> puppet ranged (i.e. as system_u:system_r:puppet_t:s0-s0:c0.c1023) >> so that its high level dominates any potential file level. >> >> You should be able to do that with a range_transition rule, e.g. >> range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c0123; (assuming >> that the puppet entrypoint is labeled with puppet_exec_t). > > Thanks Stephen, this makes sense to me, but I can't get that statement to compile in my policy module: > > Compiling targeted puppet module > /usr/bin/checkmodule: loading policy configuration from tmp/puppet.tmp > puppet.te":14:ERROR 'unknown level s0-s0 used in range_transition definition' at token ';' on line 1041: > range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023; > #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023); > /usr/bin/checkmodule: error(s) encountered while parsing configuration > make: *** [tmp/puppet.mod] Error 1 > > I did try checkmodule as well, and I tried using the init_ranged_daemon_domain macro. Here is the policy module that I am trying to compile: > > module puppet 1.2; > require { > type puppet_t; > type puppet_exec_t; > type initrc_t; > attribute can_change_object_identity; > class process { transition }; > } > typeattribute puppet_t can_change_object_identity; > #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023); > range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023; > > I feel like I'm close, but perhaps I'm missing how to import the level definitions? As Dominick suggested, whitespace unfortunately matters for the MLS range specification - you need whitespace around the - (dash). checkpolicy scanner issue introduced when IDENTIFIER was expanded to include dash characters to support usage in filesystem type names and user names IIRC. Should probably refactor that. ^ permalink raw reply [flat|nested] 16+ messages in thread
* RE: selinux category relabel (puppet) 2015-03-16 12:55 ` Stephen Smalley @ 2015-03-16 15:20 ` Higgs, Stephen 2015-03-16 15:55 ` Stephen Smalley 0 siblings, 1 reply; 16+ messages in thread From: Higgs, Stephen @ 2015-03-16 15:20 UTC (permalink / raw) To: Stephen Smalley, selinux > >>>>> Hello all, > >>>>> > >>>>> > >>>>> > >>>>> If there is a more appropriate forum for this question please let me > know: > >>>>> > >>>>> > >>>>> > >>>>> I have a system that uses confined users by default and some files > >>>>> are managed by a puppet server. When I run (via run_init) the > >>>>> puppet startup script, I get the following avc log: > >>>>> > >>>>> > >>>>> > >>>>> avc: denied { relabelto } for pid=30707 comm="puppet" name="crl.pem" > >>>>> dev=dm-1 ino=527257 scontext=system_u:system_r:puppet_t:s0 > >>>>> tcontext=system_u:object_r:puppet_var_lib_t:s0:c0.c1023 > >>>>> tclass=file > >>>>> > >>>>> I added "typeattribute puppet_t can_change_object_identity" and > >>>>> appropriate "allow" statements to the puppet_t type after reading > >>>>> the constraints in the targeted policy. However, it was the > >>>>> category "s0:c0.c1023" that was also preventing puppet from > >>>>> relabeling the crl.pem file. > >>>>> > >>>>> I was able to fix this by manually relabeling the file to "s0" > >>>>> instead of "s0:c0.c1023". My question is, how *should* I handle > >>>>> this so puppet can handle the relabel of the category? > >>>> > >>>> It requires an appropriate attribute for the mcs or mls constraint > >>>> that is blocking access. Which attribute depends on your policy; > >>>> MCS in particular has changed a lot over time in Fedora and RHEL. > >>>> What distro & > >> version? > >>>> > >>> > >>> I'm using CentOS / RedHat 6.6, targeted reference policy 24. > >> > >> Hmmm...looking at selinux-policy-3.7.19-260.el6.src.rpm, > >> serefpolicy-3.719/policy/mcs has this: > >> > >> # New filesystem object labels must be dominated by the relabeling > >> subject # clearance, also the objects are single-level. > >> mlsconstrain file { create relabelto } > >> (( h1 dom h2 ) and ( l2 eq h2 )); > >> > >> So no attributes are exempted from that constraint; your only option > >> is to run puppet ranged (i.e. as > >> system_u:system_r:puppet_t:s0-s0:c0.c1023) > >> so that its high level dominates any potential file level. > >> > >> You should be able to do that with a range_transition rule, e.g. > >> range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c0123; > >> (assuming that the puppet entrypoint is labeled with puppet_exec_t). > > > > Thanks Stephen, this makes sense to me, but I can't get that statement to > compile in my policy module: > > > > Compiling targeted puppet module > > /usr/bin/checkmodule: loading policy configuration from tmp/puppet.tmp > > puppet.te":14:ERROR 'unknown level s0-s0 used in range_transition > definition' at token ';' on line 1041: > > range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023; > > #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023); > > /usr/bin/checkmodule: error(s) encountered while parsing configuration > > make: *** [tmp/puppet.mod] Error 1 > > > > I did try checkmodule as well, and I tried using the > init_ranged_daemon_domain macro. Here is the policy module that I am > trying to compile: > > > > module puppet 1.2; > > require { > > type puppet_t; > > type puppet_exec_t; > > type initrc_t; > > attribute can_change_object_identity; > > class process { transition }; > > } > > typeattribute puppet_t can_change_object_identity; > > #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023); > > range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023; > > > > I feel like I'm close, but perhaps I'm missing how to import the level > definitions? > > As Dominick suggested, whitespace unfortunately matters for the MLS range > specification - you need whitespace around the - (dash). > checkpolicy scanner issue introduced when IDENTIFIER was expanded to include > dash characters to support usage in filesystem type names and user names > IIRC. Should probably refactor that. > Thanks everybody for your input, the format ifdef(`enable_mcs',` init_ranged_daemon_domain(puppet_t, puppet_exec_t, s0 - s0:c0.c1023) ') did the trick, and compiled with the devel makefile. For posterity, note that it did not compile with checkmodule, the spaces around the dash in the range level was required, and the ifdef format was also required. Thanks again, Stephen ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: selinux category relabel (puppet) 2015-03-16 15:20 ` Higgs, Stephen @ 2015-03-16 15:55 ` Stephen Smalley 2015-03-16 16:17 ` Higgs, Stephen 0 siblings, 1 reply; 16+ messages in thread From: Stephen Smalley @ 2015-03-16 15:55 UTC (permalink / raw) To: Higgs, Stephen, selinux On 03/16/2015 11:20 AM, Higgs, Stephen wrote: >>>>>>> Hello all, >>>>>>> >>>>>>> >>>>>>> >>>>>>> If there is a more appropriate forum for this question please let me >> know: >>>>>>> >>>>>>> >>>>>>> >>>>>>> I have a system that uses confined users by default and some files >>>>>>> are managed by a puppet server. When I run (via run_init) the >>>>>>> puppet startup script, I get the following avc log: >>>>>>> >>>>>>> >>>>>>> >>>>>>> avc: denied { relabelto } for pid=30707 comm="puppet" name="crl.pem" >>>>>>> dev=dm-1 ino=527257 scontext=system_u:system_r:puppet_t:s0 >>>>>>> tcontext=system_u:object_r:puppet_var_lib_t:s0:c0.c1023 >>>>>>> tclass=file >>>>>>> >>>>>>> I added "typeattribute puppet_t can_change_object_identity" and >>>>>>> appropriate "allow" statements to the puppet_t type after reading >>>>>>> the constraints in the targeted policy. However, it was the >>>>>>> category "s0:c0.c1023" that was also preventing puppet from >>>>>>> relabeling the crl.pem file. >>>>>>> >>>>>>> I was able to fix this by manually relabeling the file to "s0" >>>>>>> instead of "s0:c0.c1023". My question is, how *should* I handle >>>>>>> this so puppet can handle the relabel of the category? >>>>>> >>>>>> It requires an appropriate attribute for the mcs or mls constraint >>>>>> that is blocking access. Which attribute depends on your policy; >>>>>> MCS in particular has changed a lot over time in Fedora and RHEL. >>>>>> What distro & >>>> version? >>>>>> >>>>> >>>>> I'm using CentOS / RedHat 6.6, targeted reference policy 24. >>>> >>>> Hmmm...looking at selinux-policy-3.7.19-260.el6.src.rpm, >>>> serefpolicy-3.719/policy/mcs has this: >>>> >>>> # New filesystem object labels must be dominated by the relabeling >>>> subject # clearance, also the objects are single-level. >>>> mlsconstrain file { create relabelto } >>>> (( h1 dom h2 ) and ( l2 eq h2 )); >>>> >>>> So no attributes are exempted from that constraint; your only option >>>> is to run puppet ranged (i.e. as >>>> system_u:system_r:puppet_t:s0-s0:c0.c1023) >>>> so that its high level dominates any potential file level. >>>> >>>> You should be able to do that with a range_transition rule, e.g. >>>> range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c0123; >>>> (assuming that the puppet entrypoint is labeled with puppet_exec_t). >>> >>> Thanks Stephen, this makes sense to me, but I can't get that statement to >> compile in my policy module: >>> >>> Compiling targeted puppet module >>> /usr/bin/checkmodule: loading policy configuration from tmp/puppet.tmp >>> puppet.te":14:ERROR 'unknown level s0-s0 used in range_transition >> definition' at token ';' on line 1041: >>> range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023; >>> #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023); >>> /usr/bin/checkmodule: error(s) encountered while parsing configuration >>> make: *** [tmp/puppet.mod] Error 1 >>> >>> I did try checkmodule as well, and I tried using the >> init_ranged_daemon_domain macro. Here is the policy module that I am >> trying to compile: >>> >>> module puppet 1.2; >>> require { >>> type puppet_t; >>> type puppet_exec_t; >>> type initrc_t; >>> attribute can_change_object_identity; >>> class process { transition }; >>> } >>> typeattribute puppet_t can_change_object_identity; >>> #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023); >>> range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023; >>> >>> I feel like I'm close, but perhaps I'm missing how to import the level >> definitions? >> >> As Dominick suggested, whitespace unfortunately matters for the MLS range >> specification - you need whitespace around the - (dash). >> checkpolicy scanner issue introduced when IDENTIFIER was expanded to include >> dash characters to support usage in filesystem type names and user names >> IIRC. Should probably refactor that. >> > > Thanks everybody for your input, the format > > ifdef(`enable_mcs',` > init_ranged_daemon_domain(puppet_t, puppet_exec_t, s0 - s0:c0.c1023) > ') > > did the trick, and compiled with the devel makefile. For posterity, note that it did not compile with checkmodule, the spaces around the dash in the range level was required, and the ifdef format was also required. > > Thanks again, If you used the original range_transition rule I specified, including the whitespace, then it should have compiled with checkmodule, but to use the macroized version suggested by Miroslav, you have to build with the devel Makefile which applies m4 and includes the interface files that define the macros. ^ permalink raw reply [flat|nested] 16+ messages in thread
* RE: selinux category relabel (puppet) 2015-03-16 15:55 ` Stephen Smalley @ 2015-03-16 16:17 ` Higgs, Stephen 2015-03-16 17:09 ` Dominick Grift 0 siblings, 1 reply; 16+ messages in thread From: Higgs, Stephen @ 2015-03-16 16:17 UTC (permalink / raw) To: Stephen Smalley, selinux > >>>>>>> Hello all, > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>> If there is a more appropriate forum for this question please > >>>>>>> let me > >> know: > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>> I have a system that uses confined users by default and some > >>>>>>> files are managed by a puppet server. When I run (via run_init) > >>>>>>> the puppet startup script, I get the following avc log: > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>> avc: denied { relabelto } for pid=30707 comm="puppet" > name="crl.pem" > >>>>>>> dev=dm-1 ino=527257 scontext=system_u:system_r:puppet_t:s0 > >>>>>>> tcontext=system_u:object_r:puppet_var_lib_t:s0:c0.c1023 > >>>>>>> tclass=file > >>>>>>> > >>>>>>> I added "typeattribute puppet_t can_change_object_identity" and > >>>>>>> appropriate "allow" statements to the puppet_t type after > >>>>>>> reading the constraints in the targeted policy. However, it was > >>>>>>> the category "s0:c0.c1023" that was also preventing puppet from > >>>>>>> relabeling the crl.pem file. > >>>>>>> > >>>>>>> I was able to fix this by manually relabeling the file to "s0" > >>>>>>> instead of "s0:c0.c1023". My question is, how *should* I handle > >>>>>>> this so puppet can handle the relabel of the category? > >>>>>> > >>>>>> It requires an appropriate attribute for the mcs or mls > >>>>>> constraint that is blocking access. Which attribute depends on > >>>>>> your policy; MCS in particular has changed a lot over time in Fedora > and RHEL. > >>>>>> What distro & > >>>> version? > >>>>>> > >>>>> > >>>>> I'm using CentOS / RedHat 6.6, targeted reference policy 24. > >>>> > >>>> Hmmm...looking at selinux-policy-3.7.19-260.el6.src.rpm, > >>>> serefpolicy-3.719/policy/mcs has this: > >>>> > >>>> # New filesystem object labels must be dominated by the relabeling > >>>> subject # clearance, also the objects are single-level. > >>>> mlsconstrain file { create relabelto } > >>>> (( h1 dom h2 ) and ( l2 eq h2 )); > >>>> > >>>> So no attributes are exempted from that constraint; your only > >>>> option is to run puppet ranged (i.e. as > >>>> system_u:system_r:puppet_t:s0-s0:c0.c1023) > >>>> so that its high level dominates any potential file level. > >>>> > >>>> You should be able to do that with a range_transition rule, e.g. > >>>> range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c0123; > >>>> (assuming that the puppet entrypoint is labeled with puppet_exec_t). > >>> > >>> Thanks Stephen, this makes sense to me, but I can't get that > >>> statement to > >> compile in my policy module: > >>> > >>> Compiling targeted puppet module > >>> /usr/bin/checkmodule: loading policy configuration from > tmp/puppet.tmp > >>> puppet.te":14:ERROR 'unknown level s0-s0 used in range_transition > >> definition' at token ';' on line 1041: > >>> range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023; > >>> #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023); > >>> /usr/bin/checkmodule: error(s) encountered while parsing configuration > >>> make: *** [tmp/puppet.mod] Error 1 > >>> > >>> I did try checkmodule as well, and I tried using the > >> init_ranged_daemon_domain macro. Here is the policy module that I am > >> trying to compile: > >>> > >>> module puppet 1.2; > >>> require { > >>> type puppet_t; > >>> type puppet_exec_t; > >>> type initrc_t; > >>> attribute can_change_object_identity; > >>> class process { transition }; > >>> } > >>> typeattribute puppet_t can_change_object_identity; > >>> #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023); > >>> range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023; > >>> > >>> I feel like I'm close, but perhaps I'm missing how to import the > >>> level > >> definitions? > >> > >> As Dominick suggested, whitespace unfortunately matters for the MLS > >> range specification - you need whitespace around the - (dash). > >> checkpolicy scanner issue introduced when IDENTIFIER was expanded to > >> include dash characters to support usage in filesystem type names and > >> user names IIRC. Should probably refactor that. > >> > > > > Thanks everybody for your input, the format > > > > ifdef(`enable_mcs',` > > init_ranged_daemon_domain(puppet_t, puppet_exec_t, s0 - > s0:c0.c1023) > > ') > > > > did the trick, and compiled with the devel makefile. For posterity, note that it > did not compile with checkmodule, the spaces around the dash in the range > level was required, and the ifdef format was also required. > > > > Thanks again, > > If you used the original range_transition rule I specified, including the > whitespace, then it should have compiled with checkmodule, but to use the > macroized version suggested by Miroslav, you have to build with the devel > Makefile which applies m4 and includes the interface files that define the > macros. > Sorry, I should have mentioned that I did try that, and I could not get it to work (please let me know if I am doing something wrong!): module my_puppet_test 1.0; require { type initrc_t; type puppet_t; type puppet_exec_t; class process { siginh noatsecure rlimitinh }; } range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c0123; checkmodule -M -m my_puppet_test.te -o my_puppet_test.mod checkmodule: loading policy configuration from my_puppet_test.te my_puppet_test.te:10:ERROR 'unknown level s0 used in range_transition definition' at token ';' on line 10: range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c0123; checkmodule: error(s) encountered while parsing configuration ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: selinux category relabel (puppet) 2015-03-16 16:17 ` Higgs, Stephen @ 2015-03-16 17:09 ` Dominick Grift 2015-03-17 15:00 ` Higgs, Stephen 0 siblings, 1 reply; 16+ messages in thread From: Dominick Grift @ 2015-03-16 17:09 UTC (permalink / raw) To: selinux [-- Attachment #1: Type: text/plain, Size: 6709 bytes --] On Mon, Mar 16, 2015 at 04:17:57PM +0000, Higgs, Stephen wrote: > > >>>>>>> Hello all, > > >>>>>>> > > >>>>>>> > > >>>>>>> > > >>>>>>> If there is a more appropriate forum for this question please > > >>>>>>> let me > > >> know: > > >>>>>>> > > >>>>>>> > > >>>>>>> > > >>>>>>> I have a system that uses confined users by default and some > > >>>>>>> files are managed by a puppet server. When I run (via run_init) > > >>>>>>> the puppet startup script, I get the following avc log: > > >>>>>>> > > >>>>>>> > > >>>>>>> > > >>>>>>> avc: denied { relabelto } for pid=30707 comm="puppet" > > name="crl.pem" > > >>>>>>> dev=dm-1 ino=527257 scontext=system_u:system_r:puppet_t:s0 > > >>>>>>> tcontext=system_u:object_r:puppet_var_lib_t:s0:c0.c1023 > > >>>>>>> tclass=file > > >>>>>>> > > >>>>>>> I added "typeattribute puppet_t can_change_object_identity" and > > >>>>>>> appropriate "allow" statements to the puppet_t type after > > >>>>>>> reading the constraints in the targeted policy. However, it was > > >>>>>>> the category "s0:c0.c1023" that was also preventing puppet from > > >>>>>>> relabeling the crl.pem file. > > >>>>>>> > > >>>>>>> I was able to fix this by manually relabeling the file to "s0" > > >>>>>>> instead of "s0:c0.c1023". My question is, how *should* I handle > > >>>>>>> this so puppet can handle the relabel of the category? > > >>>>>> > > >>>>>> It requires an appropriate attribute for the mcs or mls > > >>>>>> constraint that is blocking access. Which attribute depends on > > >>>>>> your policy; MCS in particular has changed a lot over time in Fedora > > and RHEL. > > >>>>>> What distro & > > >>>> version? > > >>>>>> > > >>>>> > > >>>>> I'm using CentOS / RedHat 6.6, targeted reference policy 24. > > >>>> > > >>>> Hmmm...looking at selinux-policy-3.7.19-260.el6.src.rpm, > > >>>> serefpolicy-3.719/policy/mcs has this: > > >>>> > > >>>> # New filesystem object labels must be dominated by the relabeling > > >>>> subject # clearance, also the objects are single-level. > > >>>> mlsconstrain file { create relabelto } > > >>>> (( h1 dom h2 ) and ( l2 eq h2 )); > > >>>> > > >>>> So no attributes are exempted from that constraint; your only > > >>>> option is to run puppet ranged (i.e. as > > >>>> system_u:system_r:puppet_t:s0-s0:c0.c1023) > > >>>> so that its high level dominates any potential file level. > > >>>> > > >>>> You should be able to do that with a range_transition rule, e.g. > > >>>> range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c0123; > > >>>> (assuming that the puppet entrypoint is labeled with puppet_exec_t). > > >>> > > >>> Thanks Stephen, this makes sense to me, but I can't get that > > >>> statement to > > >> compile in my policy module: > > >>> > > >>> Compiling targeted puppet module > > >>> /usr/bin/checkmodule: loading policy configuration from > > tmp/puppet.tmp > > >>> puppet.te":14:ERROR 'unknown level s0-s0 used in range_transition > > >> definition' at token ';' on line 1041: > > >>> range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023; > > >>> #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023); > > >>> /usr/bin/checkmodule: error(s) encountered while parsing configuration > > >>> make: *** [tmp/puppet.mod] Error 1 > > >>> > > >>> I did try checkmodule as well, and I tried using the > > >> init_ranged_daemon_domain macro. Here is the policy module that I am > > >> trying to compile: > > >>> > > >>> module puppet 1.2; > > >>> require { > > >>> type puppet_t; > > >>> type puppet_exec_t; > > >>> type initrc_t; > > >>> attribute can_change_object_identity; > > >>> class process { transition }; > > >>> } > > >>> typeattribute puppet_t can_change_object_identity; > > >>> #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0-s0:c0.c1023); > > >>> range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023; > > >>> > > >>> I feel like I'm close, but perhaps I'm missing how to import the > > >>> level > > >> definitions? > > >> > > >> As Dominick suggested, whitespace unfortunately matters for the MLS > > >> range specification - you need whitespace around the - (dash). > > >> checkpolicy scanner issue introduced when IDENTIFIER was expanded to > > >> include dash characters to support usage in filesystem type names and > > >> user names IIRC. Should probably refactor that. > > >> > > > > > > Thanks everybody for your input, the format > > > > > > ifdef(`enable_mcs',` > > > init_ranged_daemon_domain(puppet_t, puppet_exec_t, s0 - > > s0:c0.c1023) > > > ') > > > > > > did the trick, and compiled with the devel makefile. For posterity, note that it > > did not compile with checkmodule, the spaces around the dash in the range > > level was required, and the ifdef format was also required. > > > > > > Thanks again, > > > > If you used the original range_transition rule I specified, including the > > whitespace, then it should have compiled with checkmodule, but to use the > > macroized version suggested by Miroslav, you have to build with the devel > > Makefile which applies m4 and includes the interface files that define the > > macros. > > > > Sorry, I should have mentioned that I did try that, and I could not get it to work (please let me know if I am doing something wrong!): > > module my_puppet_test 1.0; > require { > type initrc_t; > type puppet_t; > type puppet_exec_t; > class process { siginh noatsecure rlimitinh }; > } > range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c0123; > > checkmodule -M -m my_puppet_test.te -o my_puppet_test.mod > checkmodule: loading policy configuration from my_puppet_test.te > my_puppet_test.te:10:ERROR 'unknown level s0 used in range_transition definition' at token ';' on line 10: I suppose you also need to require the mls identifiers. That is alway's something to get used to. Reference policy hidden that in their macros. secilc also deals with this for you. > range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c0123; > checkmodule: error(s) encountered while parsing configuration > > > _______________________________________________ > Selinux mailing list > Selinux@tycho.nsa.gov > To unsubscribe, send email to Selinux-leave@tycho.nsa.gov. > To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov. -- 02DFF788 4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788 http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788 Dominick Grift [-- Attachment #2: Type: application/pgp-signature, Size: 648 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* RE: selinux category relabel (puppet) 2015-03-16 17:09 ` Dominick Grift @ 2015-03-17 15:00 ` Higgs, Stephen 0 siblings, 0 replies; 16+ messages in thread From: Higgs, Stephen @ 2015-03-17 15:00 UTC (permalink / raw) To: Dominick Grift, selinux > > > >>>>>>> Hello all, > > > >>>>>>> > > > >>>>>>> > > > >>>>>>> > > > >>>>>>> If there is a more appropriate forum for this question > > > >>>>>>> please let me > > > >> know: > > > >>>>>>> > > > >>>>>>> > > > >>>>>>> > > > >>>>>>> I have a system that uses confined users by default and some > > > >>>>>>> files are managed by a puppet server. When I run (via > > > >>>>>>> run_init) the puppet startup script, I get the following avc log: > > > >>>>>>> > > > >>>>>>> > > > >>>>>>> > > > >>>>>>> avc: denied { relabelto } for pid=30707 comm="puppet" > > > name="crl.pem" > > > >>>>>>> dev=dm-1 ino=527257 scontext=system_u:system_r:puppet_t:s0 > > > >>>>>>> tcontext=system_u:object_r:puppet_var_lib_t:s0:c0.c1023 > > > >>>>>>> tclass=file > > > >>>>>>> > > > >>>>>>> I added "typeattribute puppet_t can_change_object_identity" > > > >>>>>>> and appropriate "allow" statements to the puppet_t type > > > >>>>>>> after reading the constraints in the targeted policy. > > > >>>>>>> However, it was the category "s0:c0.c1023" that was also > > > >>>>>>> preventing puppet from relabeling the crl.pem file. > > > >>>>>>> > > > >>>>>>> I was able to fix this by manually relabeling the file to "s0" > > > >>>>>>> instead of "s0:c0.c1023". My question is, how *should* I > > > >>>>>>> handle this so puppet can handle the relabel of the category? > > > >>>>>> > > > >>>>>> It requires an appropriate attribute for the mcs or mls > > > >>>>>> constraint that is blocking access. Which attribute depends > > > >>>>>> on your policy; MCS in particular has changed a lot over time > > > >>>>>> in Fedora > > > and RHEL. > > > >>>>>> What distro & > > > >>>> version? > > > >>>>>> > > > >>>>> > > > >>>>> I'm using CentOS / RedHat 6.6, targeted reference policy 24. > > > >>>> > > > >>>> Hmmm...looking at selinux-policy-3.7.19-260.el6.src.rpm, > > > >>>> serefpolicy-3.719/policy/mcs has this: > > > >>>> > > > >>>> # New filesystem object labels must be dominated by the > > > >>>> relabeling subject # clearance, also the objects are single-level. > > > >>>> mlsconstrain file { create relabelto } > > > >>>> (( h1 dom h2 ) and ( l2 eq h2 )); > > > >>>> > > > >>>> So no attributes are exempted from that constraint; your only > > > >>>> option is to run puppet ranged (i.e. as > > > >>>> system_u:system_r:puppet_t:s0-s0:c0.c1023) > > > >>>> so that its high level dominates any potential file level. > > > >>>> > > > >>>> You should be able to do that with a range_transition rule, e.g. > > > >>>> range_transition initrc_t puppet_exec_t:process s0 - > > > >>>> s0:c0.c0123; (assuming that the puppet entrypoint is labeled with > puppet_exec_t). > > > >>> > > > >>> Thanks Stephen, this makes sense to me, but I can't get that > > > >>> statement to > > > >> compile in my policy module: > > > >>> > > > >>> Compiling targeted puppet module > > > >>> /usr/bin/checkmodule: loading policy configuration from > > > tmp/puppet.tmp > > > >>> puppet.te":14:ERROR 'unknown level s0-s0 used in > > > >>> range_transition > > > >> definition' at token ';' on line 1041: > > > >>> range_transition initrc_t puppet_exec_t:process s0-s0:c0.c1023; > > > >>> #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0- > s0:c0.c1023); > > > >>> /usr/bin/checkmodule: error(s) encountered while parsing > configuration > > > >>> make: *** [tmp/puppet.mod] Error 1 > > > >>> > > > >>> I did try checkmodule as well, and I tried using the > > > >> init_ranged_daemon_domain macro. Here is the policy module that > > > >> I am trying to compile: > > > >>> > > > >>> module puppet 1.2; > > > >>> require { > > > >>> type puppet_t; > > > >>> type puppet_exec_t; > > > >>> type initrc_t; > > > >>> attribute can_change_object_identity; > > > >>> class process { transition }; > > > >>> } > > > >>> typeattribute puppet_t can_change_object_identity; > > > >>> #init_ranged_daemon_domain(puppet_t,puppet_exec_t,s0- > s0:c0.c1023); > > > >>> range_transition initrc_t puppet_exec_t:process > > > >>> s0-s0:c0.c1023; > > > >>> > > > >>> I feel like I'm close, but perhaps I'm missing how to import > > > >>> the level > > > >> definitions? > > > >> > > > >> As Dominick suggested, whitespace unfortunately matters for the > > > >> MLS range specification - you need whitespace around the - (dash). > > > >> checkpolicy scanner issue introduced when IDENTIFIER was expanded > > > >> to include dash characters to support usage in filesystem type > > > >> names and user names IIRC. Should probably refactor that. > > > >> > > > > > > > > Thanks everybody for your input, the format > > > > > > > > ifdef(`enable_mcs',` > > > > init_ranged_daemon_domain(puppet_t, puppet_exec_t, s0 - > > > s0:c0.c1023) > > > > ') > > > > > > > > did the trick, and compiled with the devel makefile. For > > > > posterity, note that it > > > did not compile with checkmodule, the spaces around the dash in the > > > range level was required, and the ifdef format was also required. > > > > > > > > Thanks again, > > > > > > If you used the original range_transition rule I specified, > > > including the whitespace, then it should have compiled with > > > checkmodule, but to use the macroized version suggested by Miroslav, > > > you have to build with the devel Makefile which applies m4 and > > > includes the interface files that define the macros. > > > > > > > Sorry, I should have mentioned that I did try that, and I could not get it to > work (please let me know if I am doing something wrong!): > > > > module my_puppet_test 1.0; > > require { > > type initrc_t; > > type puppet_t; > > type puppet_exec_t; > > class process { siginh noatsecure rlimitinh }; } > > range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c0123; > > > > checkmodule -M -m my_puppet_test.te -o my_puppet_test.mod > > checkmodule: loading policy configuration from my_puppet_test.te > > my_puppet_test.te:10:ERROR 'unknown level s0 used in range_transition > definition' at token ';' on line 10: > > I suppose you also need to require the mls identifiers. That is alway's something > to get used to. > > Reference policy hidden that in their macros. secilc also deals with this for you. > > > range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c0123; > > checkmodule: error(s) encountered while parsing configuration > > > > > > _______________________________________________ > > Selinux mailing list > > Selinux@tycho.nsa.gov > > To unsubscribe, send email to Selinux-leave@tycho.nsa.gov. > > To get help, send an email containing "help" to Selinux- > request@tycho.nsa.gov. > > -- > 02DFF788 > 4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788 > http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788 > Dominick Grift Thanks! You are right, the following compiles with checkmodule: module my_puppet_test 1.0; require { type initrc_t; type puppet_t; type puppet_exec_t; sensitivity s0; class process { siginh }; sensitivity s0; category c0; category c1023; } range_transition initrc_t puppet_exec_t:process s0 - s0:c0.c1023; ^ permalink raw reply [flat|nested] 16+ messages in thread
end of thread, other threads:[~2015-03-17 15:01 UTC | newest] Thread overview: 16+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2015-03-13 13:52 selinux category relabel (puppet) Higgs, Stephen 2015-03-13 17:40 ` Stephen Smalley 2015-03-13 17:52 ` Higgs, Stephen 2015-03-13 17:54 ` Stephen Smalley 2015-03-13 17:58 ` Higgs, Stephen 2015-03-13 18:02 ` Dominick Grift 2015-03-13 18:04 ` Stephen Smalley 2015-03-13 21:17 ` Higgs, Stephen 2015-03-13 21:31 ` Dominick Grift 2015-03-16 12:43 ` Miroslav Grepl 2015-03-16 12:55 ` Stephen Smalley 2015-03-16 15:20 ` Higgs, Stephen 2015-03-16 15:55 ` Stephen Smalley 2015-03-16 16:17 ` Higgs, Stephen 2015-03-16 17:09 ` Dominick Grift 2015-03-17 15:00 ` Higgs, Stephen
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.