security_bounded_transition fails

security_bounded_transition fails

[Hannu Savolainen]

Hi,

I'm having a problem with a multithreaded application. It does lengthy  initialization in advance under relatively privileged context and then switches to a less privileged one after the moment when the actual request arrives. After that it will create a chrooted container and join all threads to a new SELinux context.

However the transition fails with audit message "op=security_bounded_transition result=denied oldcontext=old_context newcontext=new_context".

Is there any policy rule that could be used to fix this or is this just not supported?

Best regards,

Hannu

Re: security_bounded_transition fails

[Dominick Grift]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Fri, Dec 18, 2015 at 06:12:21AM +0000, Hannu Savolainen wrote:
> Hi,
> 
> I'm having a problem with a multithreaded application. It does lengthy  initialization in advance under relatively privileged context and then switches to a less privileged one after the moment when the actual request arrives. After that it will create a chrooted container and join all threads to a new SELinux context.
> 
> However the transition fails with audit message "op=security_bounded_transition result=denied oldcontext=old_context newcontext=new_context".
> 
> Is there any policy rule that could be used to fix this or is this just not supported?

I believe that the parent domain should have the same permissions as the child
domain (because the child is bounded to the parent).

This can be pretty painful to deal with.

For example: if the child domain should be able to bind tcp_socket to
http_port_t type port objects then so should the parent.

That one would be relatively easy to identify. There are other
instances though that are harder to spot.

Eventually, once you dealt with all the requirements, those bounded
messages should dissapear.

> 
> Best regards,
> 
> Hannu
> 
> 
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.

- -- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
https://sks-keyservers.net/pks/lookup?op=get&search=0x314883A202DFF788
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQGcBAEBCgAGBQJWc8fHAAoJENAR6kfG5xmcNIYL/0QwzDxZvDbwNZTSVK/9mtYx
ODf2f2YON6DED/3hrX1bFvC/5Gho3j5Wobp/Muh25kRRPP+49JN0FmtePIClWNVE
4Jp971AMwHF2XvYjwH4876rXIyjEfj0s2yA4f3ULB1XbPKg3go8Pwj1EHeb0k9qw
uXEODV1a/5IFoDZ2p76rieQCpdSgu0L8tWr2YOJWb8iKY1hG7FPjwLqxRma8jNrv
7vX9q+Vmb1b+06jX2ooqJ1z4tB8LruqWImxqIGUCcNvqKCAIhDyByqLprVZfA7S7
9Hvrqed1xxXSpv5Lq84ycm85Ny2S60vvaJz32lqe7nEQPC/ep2O40j3/USqqSPpS
8sVwRNAWowE2OCJ7ePRPig6kFuH5nN4/Xvb9yZr3/o26eIhqMhFEmN5dzBywSSan
YLsgOWj8FNoterdFGZaiE8r+wKGXZ3ua5zwqlOX/BOIHOKkLnUSwQcDdUgUTipEn
r8keY7+tjOIEIQftNon3rVvzCeQcTaJfheZj0mEQOA==
=m57I
-----END PGP SIGNATURE-----

Re: security_bounded_transition fails

[Dominick Grift]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Fri, Dec 18, 2015 at 09:46:03AM +0100, Dominick Grift wrote:
> On Fri, Dec 18, 2015 at 06:12:21AM +0000, Hannu Savolainen wrote:
> > Hi,
> > 
> > I'm having a problem with a multithreaded application. It does lengthy  initialization in advance under relatively privileged context and then switches to a less privileged one after the moment when the actual request arrives. After that it will create a chrooted container and join all threads to a new SELinux context.
> > 
> > However the transition fails with audit message "op=security_bounded_transition result=denied oldcontext=old_context newcontext=new_context".
> > 
> > Is there any policy rule that could be used to fix this or is this just not supported?
> 
> I believe that the parent domain should have the same permissions as the child
> domain (because the child is bounded to the parent).
> 
> This can be pretty painful to deal with.
> 
> For example: if the child domain should be able to bind tcp_socket to
> http_port_t type port objects then so should the parent.
> 
> That one would be relatively easy to identify. There are other
> instances though that are harder to spot.
> 
> Eventually, once you dealt with all the requirements, those bounded
> messages should dissapear.

Here is one more not so straightforward example.

You may have a auto type transition rule in place that tells selinux that the
parent should run the child's executable file with a auto type
transition to the child domain.

That means that the child's executable file type should be a entry
object to the child domain type.

You allowed for example:

allow child_t child_exec_t:file entrypoint;

That means that child_exec_t now also must be a entry object to the
parent domain type:

allow parent_t child_exec_t:file entrypoint;

Else the transition might not work because the parent must have all the
permissions that the child has.

> 
> > 
> > Best regards,
> > 
> > Hannu
> > 
> > 
> > _______________________________________________
> > Selinux mailing list
> > Selinux@tycho.nsa.gov
> > To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> > To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
> 
> -- 
> 02DFF788
> 4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
> https://sks-keyservers.net/pks/lookup?op=get&search=0x314883A202DFF788
> Dominick Grift

- -- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
https://sks-keyservers.net/pks/lookup?op=get&search=0x314883A202DFF788
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQGcBAEBCgAGBQJWc94EAAoJENAR6kfG5xmcLD8L/0M4k0o66EvwUNdDpGasV71j
f74DgZpBaJnrIWqGIBG6TwNy7ZPqbuFn931jds5GLc40lLXRRl4f2E/yBtfrrmzH
O0lcTzWK4HUKrYULQY0pg8uBUV9E2EDs4umi603bXfarzB8Aio4PhooRIIOaOBBS
vdSfqQER6FcYGdHtoFFsdvcAYNhLLLbH6q0LcHtYym3zQ02Fmmv1NJroQOaV08wr
sA6LI97nmLt285YnRODm/AJwTj21FUsSKcntDRFX99doy09EGOeEjv7vU9tZPaze
nxtsSEEYqjjGQAOE9NWXcGDFwBWw4udgNvYH5S88XZvhhto9w8BDF2x+czPTX6MC
32h4qTI3wkZ8GTaws2AsghupA521cHs6Uhh4S1qen5shywzBOQJroNJiM/FhzvnC
m7IGK4EwvBty2cRld/yforBKsSRiwsvVgsarPJQfEKmO+3W4ivLCZyB5ucRYxqiI
69DpQ7NeNyJ3bSQswWpCnPj8MNwMQIkTFjjDGVO7cg==
=YeKh
-----END PGP SIGNATURE-----

Re: security_bounded_transition fails

[Dominick Grift]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Fri, Dec 18, 2015 at 11:20:56AM +0100, Dominick Grift wrote:
> On Fri, Dec 18, 2015 at 09:46:03AM +0100, Dominick Grift wrote:
> > On Fri, Dec 18, 2015 at 06:12:21AM +0000, Hannu Savolainen wrote:
> > > Hi,
> > > 
> > > I'm having a problem with a multithreaded application. It does lengthy  initialization in advance under relatively privileged context and then switches to a less privileged one after the moment when the actual request arrives. After that it will create a chrooted container and join all threads to a new SELinux context.
> > > 
> > > However the transition fails with audit message "op=security_bounded_transition result=denied oldcontext=old_context newcontext=new_context".
> > > 
> > > Is there any policy rule that could be used to fix this or is this just not supported?
> > 
> > I believe that the parent domain should have the same permissions as the child
> > domain (because the child is bounded to the parent).
> > 
> > This can be pretty painful to deal with.
> > 
> > For example: if the child domain should be able to bind tcp_socket to
> > http_port_t type port objects then so should the parent.
> > 
> > That one would be relatively easy to identify. There are other
> > instances though that are harder to spot.
> > 
> > Eventually, once you dealt with all the requirements, those bounded
> > messages should dissapear.
> 
> Here is one more not so straightforward example.
> 
> You may have a auto type transition rule in place that tells selinux that the
> parent should run the child's executable file with a auto type
> transition to the child domain.
> 
> That means that the child's executable file type should be a entry
> object to the child domain type.
> 
> You allowed for example:
> 
> allow child_t child_exec_t:file entrypoint;
> 
> That means that child_exec_t now also must be a entry object to the
> parent domain type:
> 
> allow parent_t child_exec_t:file entrypoint;
> 
> Else the transition might not work because the parent must have all the
> permissions that the child has.
> 

Also you should have a type_bounds statement in place if you do not have
one already:

http://selinuxproject.org/page/Bounds_Rules

> > 
> > > 
> > > Best regards,
> > > 
> > > Hannu
> > > 
> > > 
> > > _______________________________________________
> > > Selinux mailing list
> > > Selinux@tycho.nsa.gov
> > > To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> > > To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
> > 
> > -- 
> > 02DFF788
> > 4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
> > https://sks-keyservers.net/pks/lookup?op=get&search=0x314883A202DFF788
> > Dominick Grift
> 
> -- 
> 02DFF788
> 4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
> https://sks-keyservers.net/pks/lookup?op=get&search=0x314883A202DFF788
> Dominick Grift

- -- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
https://sks-keyservers.net/pks/lookup?op=get&search=0x314883A202DFF788
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQGcBAEBCgAGBQJWc+OoAAoJENAR6kfG5xmc6foMAKJMOYO/zj8/2vjsSQo9p4Tg
voiLu5CtyMcPdHWie7C023Y0hMn6d3Pb76FoQeC3T+MUhKvmpRTJ/Ai1UBbjE/xQ
MJx2dxDK9h6x2/JjdCRPo4WoZVFgQEhZvHJOcq6S54sJK0M91Pl1jIyFcTBks8YS
vrluuqrTE7T4/Sv1uV8Bd2rU3VY6Q0oFO+PQXTml1bmelUa1eHpseG5r3MTliZoD
FWmCSqrfZUQHc2oLecyLFn4MuNS21mj1e0pzRMXXrqTvzzcNcUryzEOdvVpik04a
gQlmD5YDIyFfY9Hbhosc5Pv0/ayu/AfZe1SjAJk6yiVNWyeRCvYbtpzhPl/Z1lhf
CQf6Fbrzby/rrBpkh2mlBTS5sgPizPIkM/nU9dnaz6Kb9po0WZSNqREvFqkISjK6
QVK05g7FnMwiva6Sxhc0B1y3fN7hjohgQ/uDyo3L8CxGquPMrV8NL60RM3urhHwJ
kx5dvI4ueNk/t8F31FgQhtYfn6ccZgs737Fb9L6pmg==
=l8j2
-----END PGP SIGNATURE-----

Re: security_bounded_transition fails

[Dominick Grift]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Fri, Dec 18, 2015 at 11:27:13AM +0000, Hannu Savolainen wrote:
> Many thanks,
> 
> Adding the allow rules seem to be enough (have to verify that one more time next week). Fortunately the typebounds rule doesn't seem to be necessary since it triggered avalanche of dependency problems everywhere.
> 
> Best regards,
> 
> Hannu

Cc: selinux list

I suspect though that you eventually really need to add the typebounds
statement.

Also one thing to keep in mind is that what I said before also applies
to permissions where the bounded domain is the target. This, atleast to
me, in the beginning was a little confusing.

Example:

if you have this requirement:

allow somedomain_t child_t:processs signal;

then this is required:

allow somedomain_t { child_t parent_t }:process signal;

> -----Original Message-----
> From: Dominick Grift [mailto:dac.override@gmail.com] 
> Sent: 18 December, 2015 12:45
> To: Hannu Savolainen; selinux@tycho.nsa.gov
> Subject: Re: security_bounded_transition fails
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> On Fri, Dec 18, 2015 at 11:20:56AM +0100, Dominick Grift wrote:
> > On Fri, Dec 18, 2015 at 09:46:03AM +0100, Dominick Grift wrote:
> > > On Fri, Dec 18, 2015 at 06:12:21AM +0000, Hannu Savolainen wrote:
> > > > Hi,
> > > > 
> > > > I'm having a problem with a multithreaded application. It does lengthy  initialization in advance under relatively privileged context and then switches to a less privileged one after the moment when the actual request arrives. After that it will create a chrooted container and join all threads to a new SELinux context.
> > > > 
> > > > However the transition fails with audit message "op=security_bounded_transition result=denied oldcontext=old_context newcontext=new_context".
> > > > 
> > > > Is there any policy rule that could be used to fix this or is this just not supported?
> > > 
> > > I believe that the parent domain should have the same permissions as 
> > > the child domain (because the child is bounded to the parent).
> > > 
> > > This can be pretty painful to deal with.
> > > 
> > > For example: if the child domain should be able to bind tcp_socket 
> > > to http_port_t type port objects then so should the parent.
> > > 
> > > That one would be relatively easy to identify. There are other 
> > > instances though that are harder to spot.
> > > 
> > > Eventually, once you dealt with all the requirements, those bounded 
> > > messages should dissapear.
> > 
> > Here is one more not so straightforward example.
> > 
> > You may have a auto type transition rule in place that tells selinux 
> > that the parent should run the child's executable file with a auto 
> > type transition to the child domain.
> > 
> > That means that the child's executable file type should be a entry 
> > object to the child domain type.
> > 
> > You allowed for example:
> > 
> > allow child_t child_exec_t:file entrypoint;
> > 
> > That means that child_exec_t now also must be a entry object to the 
> > parent domain type:
> > 
> > allow parent_t child_exec_t:file entrypoint;
> > 
> > Else the transition might not work because the parent must have all 
> > the permissions that the child has.
> > 
> 
> Also you should have a type_bounds statement in place if you do not have one already:
> 
> http://selinuxproject.org/page/Bounds_Rules
> 
> > > 
> > > > 
> > > > Best regards,
> > > > 
> > > > Hannu
> > > > 
> > > > 
> > > > _______________________________________________
> > > > Selinux mailing list
> > > > Selinux@tycho.nsa.gov
> > > > To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> > > > To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
> > > 
> > > --
> > > 02DFF788
> > > 4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
> > > https://sks-keyservers.net/pks/lookup?op=get&search=0x314883A202DFF7
> > > 88
> > > Dominick Grift
> > 
> > --
> > 02DFF788
> > 4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
> > https://sks-keyservers.net/pks/lookup?op=get&search=0x314883A202DFF788
> > Dominick Grift
> 
> - --
> 02DFF788
> 4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
> https://sks-keyservers.net/pks/lookup?op=get&search=0x314883A202DFF788
> Dominick Grift
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
> 
> iQGcBAEBCgAGBQJWc+OoAAoJENAR6kfG5xmc6foMAKJMOYO/zj8/2vjsSQo9p4Tg
> voiLu5CtyMcPdHWie7C023Y0hMn6d3Pb76FoQeC3T+MUhKvmpRTJ/Ai1UBbjE/xQ
> MJx2dxDK9h6x2/JjdCRPo4WoZVFgQEhZvHJOcq6S54sJK0M91Pl1jIyFcTBks8YS
> vrluuqrTE7T4/Sv1uV8Bd2rU3VY6Q0oFO+PQXTml1bmelUa1eHpseG5r3MTliZoD
> FWmCSqrfZUQHc2oLecyLFn4MuNS21mj1e0pzRMXXrqTvzzcNcUryzEOdvVpik04a
> gQlmD5YDIyFfY9Hbhosc5Pv0/ayu/AfZe1SjAJk6yiVNWyeRCvYbtpzhPl/Z1lhf
> CQf6Fbrzby/rrBpkh2mlBTS5sgPizPIkM/nU9dnaz6Kb9po0WZSNqREvFqkISjK6
> QVK05g7FnMwiva6Sxhc0B1y3fN7hjohgQ/uDyo3L8CxGquPMrV8NL60RM3urhHwJ
> kx5dvI4ueNk/t8F31FgQhtYfn6ccZgs737Fb9L6pmg==
> =l8j2
> -----END PGP SIGNATURE-----

- -- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
https://sks-keyservers.net/pks/lookup?op=get&search=0x314883A202DFF788
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQGcBAEBCgAGBQJWdCCYAAoJENAR6kfG5xmcm6wL/08Jp2AuCBt+VPfhNxSB7Ugn
V3hMQvqQpa0JlVUYQXXkL1203pYFxk00Us1j7YCBoNw5EbfyzkMd4uqrBvBDqv4H
S6Q5UOR0/H1gyFPqWvM2qY6DdVBUrC7U2ss5DQCPTf+OJC65QcxewDTTYTnIRhm1
NWyPUiIE3aO5NZ1U0xo4jXW+sKoLPC6oKZo8HKI3N77tkN0BDuDmSphED4P/gez5
FF6/R049pFLEHoGAhgQvIxlx8V99ZQM2FUcHoRf0Jq7+1F5v5A5Y19sRj/ppTGLB
r2g0T0qTFHKymSQsxdMiP/mdm7YpvtMmSCMUB5xX++jWHGBoB00NnGvPjuwL6D5I
p3mV0TmUMK+c5oXJMlLQP66UKro8sG7iMSKoup8ypUbvmWdd1rdTvBIzJRUraZhn
bzUjxQGrg6fHaNX7XME+n689SgBnv48yCYZwhu7ahjcFfil6ESlGZA4E3jSX2K1f
9yloGB150R0RMzc1Xl5XMol0Mhktd1ary0FiYfPWBA==
=lhPU
-----END PGP SIGNATURE-----

Re: security_bounded_transition fails

[Stephen Smalley]

On 12/18/2015 10:05 AM, Dominick Grift wrote:
> On Fri, Dec 18, 2015 at 11:27:13AM +0000, Hannu Savolainen wrote:
>> Many thanks,
>
>> Adding the allow rules seem to be enough (have to verify that one more time next week). Fortunately the typebounds rule doesn't seem to be necessary since it triggered avalanche of dependency problems everywhere.
>
>> Best regards,
>
>> Hannu
>
> Cc: selinux list
>
> I suspect though that you eventually really need to add the typebounds
> statement.

typebounds is required for a multi-threaded process to setcon().

And note that setcon() only changes the context of the current thread, 
not all threads in the process.

Re: security_bounded_transition fails

[Stephen Smalley]

On 12/18/2015 01:12 AM, Hannu Savolainen wrote:
> Hi,
>
> I'm having a problem with a multithreaded application. It does lengthy  initialization in advance under relatively privileged context and then switches to a less privileged one after the moment when the actual request arrives. After that it will create a chrooted container and join all threads to a new SELinux context.
>
> However the transition fails with audit message "op=security_bounded_transition result=denied oldcontext=old_context newcontext=new_context".
>
> Is there any policy rule that could be used to fix this or is this just not supported?

First, it is easier and safer to perform the privileged initialization 
and switch to the unprivileged context _before_ spawning other threads. 
  Then you won't have this problem at all.

If for some reason you cannot do that, then the requirement for a 
multi-threaded process is that you can only setcon to a domain bounded 
by your current domain, where these bounding relationships are defined 
through the use of the typebounds statement in policy.  The 
child/bounded domain is then restricted to a subset of the permissions 
of the parent/boundary domain, so you cannot allow the child/bounded 
domain any permission not allowed to the parent/boundary domain.