* tomcat_t domain behavior
From: 面和毅 @ 2017-03-14 3:24 UTC
To: SELinux
Hi list,
I just found strange behavior on tomcat_t.
(I checked Fedora 25, CentOS 7).
During a PoC for CVE-2017-5638 (I know Red Hat products are
not affected; I just wanted to confirm SELinux behavior),
I found that tomcat_t can read shadow_t files, access
admin_home_t directories, and so on.
I guess there is a suitable reason to allow those permissions
to tomcat_t, but I just want to confirm the reason.
----- Quick test for tomcat_t -----
I did a quick temporary test to check tomcat_t behavior
on Fedora 25.
1. I copied /bin/bash to /root/tomcat_shell.sh and assigned
it the context "tomcat_exec_t".
[root@fedora25 ~]# ls -lZ /root/tomcat_shell.sh
-rwxr-xr-x. 1 root root system_u:object_r:tomcat_exec_t:s0 1072008 Mar 14 11:53 /root/tomcat_shell.sh
2. I added a small CIL policy module just for this test.
[root@fedora25 ~]# cat tomcat_sh.cil
(typeattributeset entry_type tomcat_exec_t)
(roletype unconfined_r tomcat_t)
(typetransition unconfined_t tomcat_exec_t process tomcat_t)
3. Load the above module and run tomcat_shell.sh.
[root@fedora25 ~]# semodule -i tomcat_sh.cil
[root@fedora25 ~]# ./tomcat_shell.sh
[root@fedora25 ~]# id -Z
unconfined_u:unconfined_r:tomcat_t:s0-s0:c0.c1023
4. Access the shadow file, files under /root/, etc.
[root@fedora25 ~]# cat /etc/shadow
root:$6$h0wd.::0:99999:7:::
bin:*:17004:0:99999:7:::
daemon:*:17004:0:99999:7:::
--snip--
[root@fedora25 ~]# cat /root/tomcat_sh.cil
(typeattributeset entry_type tomcat_exec_t)
(roletype unconfined_r tomcat_t)
(typetransition unconfined_t tomcat_exec_t process tomcat_t)
[root@fedora25 ~]# ls -lZ /root/tomcat_sh.cil
-rw-r--r--. 1 root root unconfined_u:object_r:admin_home_t:s0 138 Mar 14 12:01 /root/tomcat_sh.cil
----- End -----
So, can I ask the reason why we add these permissions to tomcat_t?
Kind Regards,
OMO
--
Kazuki Omo: ka-omo@sios.com
OSS & Security Evangelist
OSS Business Planning Dept.
CISSP #366942
http://www.secureoss.jp/
Tel: +819026581386
* Re: tomcat_t domain behavior
From: Gary Tierney @ 2017-03-14 10:39 UTC
To: selinux
On Tue, Mar 14, 2017 at 12:24:32PM +0900, 面和毅 wrote:
> Hi list,
>
> I just found strange behavior on tomcat_t.
> (I checked Fedora 25, CentOS 7).
>
> During a PoC for CVE-2017-5638 (I know Red Hat products are
> not affected; I just wanted to confirm SELinux behavior),
> I found that tomcat_t can read shadow_t files, access
> admin_home_t directories, and so on.
>
> I guess there is a suitable reason to allow those permissions
> to tomcat_t, but I just want to confirm the reason.
>
> ----- Quick test for tomcat_t -----
> I did a quick temporary test to check tomcat_t behavior
> on Fedora 25.
>
> 1. I copied /bin/bash to /root/tomcat_shell.sh and assigned
> it the context "tomcat_exec_t".
>
> [root@fedora25 ~]# ls -lZ /root/tomcat_shell.sh
> -rwxr-xr-x. 1 root root system_u:object_r:tomcat_exec_t:s0 1072008 Mar 14 11:53 /root/tomcat_shell.sh
>
> 2. I added a small CIL policy module just for this test.
> [root@fedora25 ~]# cat tomcat_sh.cil
> (typeattributeset entry_type tomcat_exec_t)
> (roletype unconfined_r tomcat_t)
> (typetransition unconfined_t tomcat_exec_t process tomcat_t)
>
> 3. Load the above module and run tomcat_shell.sh.
> [root@fedora25 ~]# semodule -i tomcat_sh.cil
> [root@fedora25 ~]# ./tomcat_shell.sh
> [root@fedora25 ~]# id -Z
> unconfined_u:unconfined_r:tomcat_t:s0-s0:c0.c1023
>
> 4. Access the shadow file, files under /root/, etc.
> [root@fedora25 ~]# cat /etc/shadow
> root:$6$h0wd.::0:99999:7:::
> bin:*:17004:0:99999:7:::
> daemon:*:17004:0:99999:7:::
> --snip--
> [root@fedora25 ~]# cat /root/tomcat_sh.cil
> (typeattributeset entry_type tomcat_exec_t)
> (roletype unconfined_r tomcat_t)
> (typetransition unconfined_t tomcat_exec_t process tomcat_t)
> [root@fedora25 ~]# ls -lZ /root/tomcat_sh.cil
> -rw-r--r--. 1 root root unconfined_u:object_r:admin_home_t:s0 138 Mar 14 12:01 /root/tomcat_sh.cil
> ----- End -----
>
> So, can I ask the reason why we add these permissions to tomcat_t?
These permissions aren't directly added to tomcat; they come from tomcat being an unconfined domain:
https://github.com/fedora-selinux/selinux-policy-contrib/blob/f25/tomcat.te#L21
$ sesearch -ACS -s tomcat_t -t shadow_t -c file -p read
Found 1 semantic av rules:
allow files_unconfined_type file_type : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton execute_no_trans open audit_access } ;
$ seinfo -ttomcat_t -x
tomcat_t
can_read_shadow_passwords
can_write_shadow_passwords
can_relabelto_shadow_passwords
can_change_object_identity
can_load_kernmodule
can_load_policy
can_setbool
can_setenforce
corenet_unconfined_type
corenet_unlabeled_type
devices_unconfined_type
domain
files_unconfined_type
filesystem_unconfined_type
kern_unconfined
kernel_system_state_reader
process_uncond_exempt
selinux_unconfined_type
storage_unconfined_type
unconfined_domain_type
dbusd_unconfined
daemon
syslog_client_type
sepgsql_unconfined_type
tomcat_domain
userdom_filetrans_type
x_domain
xserver_unconfined_type
I don't see why Tomcat would need to be an unconfined domain, though.
>
> Kind Regards,
>
> OMO
>
>
> --
> Kazuki Omo: ka-omo@sios.com
> OSS & Security Evangelist
> OSS Business Planning Dept.
> CISSP #366942
> http://www.secureoss.jp/
> Tel: +819026581386
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
--
Gary Tierney
GPG fingerprint: 412C 0EF9 C305 68E6 B660 BDAF 706E D765 85AA 79D8
https://sks-keyservers.net/pks/lookup?op=get&search=0x706ED76585AA79D8
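As an added example (not code from the thread, from setools, or from the Fedora policy), a small Python audit that parses the attribute list `seinfo -t<type> -x` prints and flags the blanket-access attributes Gary's output shows, so a service domain that has drifted into unconfined_domain_type is caught before an application bug turns into full file-system access. The attribute set and the confined-daemon sample are assumptions: the former is assembled from the quoted output, the latter is constructed.

```python
"""Flag SELinux domains that carry unconfined or other blanket-access
attributes, working from the attribute list `seinfo -t<type> -x` prints."""

# Attribute names taken from the seinfo output quoted in the thread. This is
# an illustrative starting set (an assumption), not the reference policy's
# authoritative list of privileged attributes.
BROAD_ACCESS_ATTRIBUTES = {
    "unconfined_domain_type", "files_unconfined_type",
    "filesystem_unconfined_type", "devices_unconfined_type",
    "storage_unconfined_type", "selinux_unconfined_type",
    "corenet_unconfined_type", "xserver_unconfined_type",
    "sepgsql_unconfined_type", "dbusd_unconfined", "kern_unconfined",
    "can_read_shadow_passwords", "can_write_shadow_passwords",
    "can_relabelto_shadow_passwords", "can_change_object_identity",
    "can_load_kernmodule", "can_load_policy", "can_setbool",
    "can_setenforce", "process_uncond_exempt",
}


def parse_seinfo_type(output):
    """Return (type_name, attributes) from `seinfo -t<type> -x` output.
    setools 3 prints the type then indented attributes; setools 4 adds a
    leading "Types: N" header, which is skipped here."""
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    lines = [ln for ln in lines if not ln.startswith("Types:")]
    if not lines:
        raise ValueError("empty seinfo output")
    return lines[0], lines[1:]


def audit_domain(output):
    """Return the sorted broad-access attributes the domain carries; empty
    means the check passes. Any allow rule written against a flagged
    attribute (like the files_unconfined_type rule above) applies to it."""
    _, attrs = parse_seinfo_type(output)
    flagged = {a for a in attrs if a in BROAD_ACCESS_ATTRIBUTES}
    flagged |= {a for a in attrs if "unconfined" in a}  # naming-convention catch-all
    return sorted(flagged)


# Sample input copied from the thread: tomcat_t on Fedora 25 before the fix.
TOMCAT_T_F25 = """\
tomcat_t
   can_read_shadow_passwords
   can_write_shadow_passwords
   can_relabelto_shadow_passwords
   can_change_object_identity
   can_load_kernmodule
   can_load_policy
   can_setbool
   can_setenforce
   corenet_unconfined_type
   corenet_unlabeled_type
   devices_unconfined_type
   domain
   files_unconfined_type
   filesystem_unconfined_type
   kern_unconfined
   kernel_system_state_reader
   process_uncond_exempt
   selinux_unconfined_type
   storage_unconfined_type
   unconfined_domain_type
   dbusd_unconfined
   daemon
   syslog_client_type
   sepgsql_unconfined_type
   tomcat_domain
   userdom_filetrans_type
   x_domain
   xserver_unconfined_type
"""

# Constructed sample (not from the thread) of how a confined daemon looks.
CONFINED_SAMPLE = """\
example_daemon_t
   domain
   daemon
   syslog_client_type
"""

if __name__ == "__main__":
    for sample in (TOMCAT_T_F25, CONFINED_SAMPLE):
        name, _ = parse_seinfo_type(sample)
        print(name, audit_domain(sample) or "no broad-access attributes")
```

On a live host, feed it the real output with `seinfo -t<type> -x | python3 audit.py` style piping or a subprocess call; the same parser handles both setools 3 and 4 layouts.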
* Re: tomcat_t domain behavior
From: Lukas Vrabec @ 2017-03-14 11:20 UTC
To: selinux
On 03/14/2017 11:39 AM, Gary Tierney wrote:
> On Tue, Mar 14, 2017 at 12:24:32PM +0900, 面和毅 wrote:
>> Hi list,
>>
>> I just found strange behavior on tomcat_t.
>> (I checked Fedora 25, CentOS 7).
>>
>> During a PoC for CVE-2017-5638 (I know Red Hat products are
>> not affected; I just wanted to confirm SELinux behavior),
>> I found that tomcat_t can read shadow_t files, access
>> admin_home_t directories, and so on.
>>
>> I guess there is a suitable reason to allow those permissions
>> to tomcat_t, but I just want to confirm the reason.
>>
>> ----- Quick test for tomcat_t -----
>> I did a quick temporary test to check tomcat_t behavior
>> on Fedora 25.
>>
>> 1. I copied /bin/bash to /root/tomcat_shell.sh and assigned
>> it the context "tomcat_exec_t".
>>
>> [root@fedora25 ~]# ls -lZ /root/tomcat_shell.sh
>> -rwxr-xr-x. 1 root root system_u:object_r:tomcat_exec_t:s0 1072008 Mar 14 11:53 /root/tomcat_shell.sh
>>
>> 2. I added a small CIL policy module just for this test.
>> [root@fedora25 ~]# cat tomcat_sh.cil
>> (typeattributeset entry_type tomcat_exec_t)
>> (roletype unconfined_r tomcat_t)
>> (typetransition unconfined_t tomcat_exec_t process tomcat_t)
>>
>> 3. Load the above module and run tomcat_shell.sh.
>> [root@fedora25 ~]# semodule -i tomcat_sh.cil
>> [root@fedora25 ~]# ./tomcat_shell.sh
>> [root@fedora25 ~]# id -Z
>> unconfined_u:unconfined_r:tomcat_t:s0-s0:c0.c1023
>>
>> 4. Access the shadow file, files under /root/, etc.
>> [root@fedora25 ~]# cat /etc/shadow
>> root:$6$h0wd.::0:99999:7:::
>> bin:*:17004:0:99999:7:::
>> daemon:*:17004:0:99999:7:::
>> --snip--
>> [root@fedora25 ~]# cat /root/tomcat_sh.cil
>> (typeattributeset entry_type tomcat_exec_t)
>> (roletype unconfined_r tomcat_t)
>> (typetransition unconfined_t tomcat_exec_t process tomcat_t)
>> [root@fedora25 ~]# ls -lZ /root/tomcat_sh.cil
>> -rw-r--r--. 1 root root unconfined_u:object_r:admin_home_t:s0 138 Mar 14 12:01 /root/tomcat_sh.cil
>> ----- End -----
>>
>> So, can I ask the reason why we add these permissions to tomcat_t?
>
There is no reason to have the tomcat_t domain in unconfined_domain.
> These permissions aren't directly added to tomcat; they come from tomcat being an unconfined domain:
> https://github.com/fedora-selinux/selinux-policy-contrib/blob/f25/tomcat.te#L21
>
> $ sesearch -ACS -s tomcat_t -t shadow_t -c file -p read
> Found 1 semantic av rules:
> allow files_unconfined_type file_type : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton execute_no_trans open audit_access } ;
>
> $ seinfo -ttomcat_t -x
> tomcat_t
> can_read_shadow_passwords
> can_write_shadow_passwords
> can_relabelto_shadow_passwords
> can_change_object_identity
> can_load_kernmodule
> can_load_policy
> can_setbool
> can_setenforce
> corenet_unconfined_type
> corenet_unlabeled_type
> devices_unconfined_type
> domain
> files_unconfined_type
> filesystem_unconfined_type
> kern_unconfined
> kernel_system_state_reader
> process_uncond_exempt
> selinux_unconfined_type
> storage_unconfined_type
> unconfined_domain_type
> dbusd_unconfined
> daemon
> syslog_client_type
> sepgsql_unconfined_type
> tomcat_domain
> userdom_filetrans_type
> x_domain
> xserver_unconfined_type
>
> I don't see why Tomcat would need to be an unconfined domain, though.
>
tomcat_t is in the unconfined_domain_type attribute in Fedora 25 and
CentOS 7. This looks like a bug from when the tomcat policy was written.
Could you please submit a bug for Fedora and also RHEL? It should be fixed.
Lukas.
>>
>> Kind Regards,
>>
>> OMO
>>
>>
>> --
>> Kazuki Omo: ka-omo@sios.com
>> OSS & Security Evangelist
>> OSS Business Planning Dept.
>> CISSP #366942
>> http://www.secureoss.jp/
>> Tel: +819026581386
--
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.
* Re: tomcat_t domain behavior
From: 面和毅 @ 2017-03-14 12:35 UTC
To: Lukas Vrabec; +Cc: SELinux
Dear Gary, Lukas,
Many Thanks.
I just submitted this issue on bugzilla for Fedora.
https://bugzilla.redhat.com/show_bug.cgi?id=1432055
After I install RHEL 7.3 (because I tested it on CentOS 7), I'll submit
it for RHEL also.
Kind Regards,
OMO
--
Kazuki Omo: ka-omo@sios.com
OSS & Security Evangelist
OSS Business Planning Dept.
CISSP #366942
Tel: +81364015149
* Re: tomcat_t domain behavior
From: 面和毅 @ 2017-03-14 13:42 UTC
To: Lukas Vrabec; +Cc: SELinux
Dear Lukas,
Thanks. I also submitted this issue on bugzilla for RHEL7.
https://bugzilla.redhat.com/show_bug.cgi?id=1432083
Kind Regards,
OMO
--
Kazuki Omo: ka-omo@sios.com
OSS & Security Evangelist
OSS Business Planning Dept.
CISSP #366942
Tel: +81364015149
* Re: tomcat_t domain behavior
From: 面和毅 @ 2017-06-09 11:56 UTC
To: Lukas Vrabec; +Cc: SELinux
Hi,
It seems the bug is fixed in selinux-policy-3.13.1-145.el7.noarch.rpm. :-)
So I uploaded a new article on our blog:
"CVE-2017-5638(Struts2) PoC with SELinux"
Now we can say SELinux can mitigate Struts2 (CVE-2017-5638)
if the policy is the latest (3.13.1-145).
http://www.secureoss.jp/post/omok-selinux-struts2-20170607/
Kind Regards,
OMO
--
Kazuki Omo: ka-omo@sios.com
OSS & Security Evangelist
OSS Business Planning Dept.
CISSP #366942
Tel: +81364015149