From: Laurent Bigonville <bigon@debian.org>
To: selinux@tycho.nsa.gov
Subject: Re: (Userspace) AVC denial generated even if allowed by the policy?
Date: Mon, 23 Nov 2015 16:34:48 +0100
Message-ID: <56533218.7090601@debian.org>
In-Reply-To: <5652636F.2060609@debian.org>


On 23/11/15 01:53, Laurent Bigonville wrote:
> Hi,
>
> I'm still looking at adding SELinux support in the "at" daemon and I
> now have the following patch[0].
>
> With this patch, at seems to behave like the cron daemon, as explained
> in the commit log:
>
>     - When cron_userdomain_transition is set to off, a process for an
>       unconfined user will transition to unconfined_cronjob_t. For a
>       confined user, the job is run as cronjob_t.
>
>     - When cron_userdomain_transition is set to on, the processes are run
>       under the user default context.
>
> But every time an AVC denial is generated (with
> cron_userdomain_transition set to off and the user running as staff_u,
> in permissive with unmodified refpolicy):
>
> avc:  denied  { entrypoint } for scontext=staff_u:staff_r:cronjob_t:s0
> tcontext=staff_u:object_r:user_cron_spool_t:s0 tclass=file
>
> The job runs as (id -Z): staff_u:staff_r:cronjob_t:s0
>
> But audit2{allow,why} are saying that this is already allowed in the
> policy.
>
> Setting the cron_userdomain_transition boolean to on, I have the
> following avc:
>
> avc:  denied  { entrypoint } for scontext=staff_u:sysadm_r:sysadm_t:s0
> tcontext=staff_u:object_r:user_cron_spool_t:s0 tclass=file
>
> The job runs as (id -Z): staff_u:sysadm_r:sysadm_t:s0
>
> So as said it seems to work, but I'm not sure why this AVC denial is
> generated.
>
> sesearch shows:
>
> $ sesearch -ATSC  -t user_cron_spool_t -c file -p entrypoint
> Found 6 semantic av rules:
>    allow files_unconfined_type file_type : file { ioctl read write
> create getattr setattr lock relabelfrom relabelto append unlink link
> rename execute swapon quotaon mounton execute_no_trans entrypoint open
> audit_access } ;
> DT allow unconfined_t user_cron_spool_t : file entrypoint ; [
> cron_userdomain_transition ]
> DT allow user_t user_cron_spool_t : file entrypoint ; [
> cron_userdomain_transition ]
> EF allow cronjob_t user_cron_spool_t : file entrypoint ; [
> cron_userdomain_transition ]
> DT allow staff_t user_cron_spool_t : file entrypoint ; [
> cron_userdomain_transition ]
> DT allow sysadm_t user_cron_spool_t : file entrypoint ; [
> cron_userdomain_transition ]
>
> Did I overlook something?
>
> Cheers,
>
> Laurent Bigonville
>
> [0]
> https://anonscm.debian.org/cgit/users/bigon/at.git/commit/?h=selinux&id=0112f006b74a36f7200e315575fd25d78e11b170

I'm attaching the patch to this mail for the people who cannot access
the website, and FTR.

Cheers,

Laurent Bigonville


[-- Attachment #2: 0001-Allow-the-user-cronjobs-to-run-in-their-userdomain.patch --]
[-- Type: text/x-patch, Size: 4973 bytes --]

From c8aa69e51d8781da782a50dbdf20b258288093d4 Mon Sep 17 00:00:00 2001
From: Laurent Bigonville <bigon@bigon.be>
Date: Mon, 23 Nov 2015 12:25:13 +0100
Subject: [PATCH] Allow the user cronjobs to run in their userdomain

When the cron_userdomain_transition boolean is set to on, the user cronjobs
are supposed to run in their domains. Without this patch the default
context is not properly computed:

    $ /usr/sbin/getdefaultcon user_u system_u:system_r:crond_t:s0
    /usr/sbin/getdefaultcon: Invalid argument
    $ /usr/sbin/getdefaultcon staff_u system_u:system_r:crond_t:s0
    staff_u:sysadm_r:sysadm_t:s0

With this patch applied:

    $ /usr/sbin/getdefaultcon user_u system_u:system_r:crond_t:s0
    user_u:user_r:user_t:s0
    $ /usr/sbin/getdefaultcon staff_ system_u:system_r:crond_t:s0
    staff_u:staff_r:staff_t:s0
---
 config/appconfig-mcs/staff_u_default_contexts      | 2 +-
 config/appconfig-mcs/user_u_default_contexts       | 2 +-
 config/appconfig-mls/staff_u_default_contexts      | 2 +-
 config/appconfig-mls/user_u_default_contexts       | 2 +-
 config/appconfig-standard/staff_u_default_contexts | 2 +-
 config/appconfig-standard/user_u_default_contexts  | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/config/appconfig-mcs/staff_u_default_contexts b/config/appconfig-mcs/staff_u_default_contexts
index 881a292..5606c4e 100644
--- a/config/appconfig-mcs/staff_u_default_contexts
+++ b/config/appconfig-mcs/staff_u_default_contexts
@@ -1,7 +1,7 @@
 system_r:local_login_t:s0	staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
 system_r:remote_login_t:s0	staff_r:staff_t:s0
 system_r:sshd_t:s0		staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-system_r:crond_t:s0		staff_r:cronjob_t:s0
+system_r:crond_t:s0		staff_r:staff_t:s0 staff_r:cronjob_t:s0
 system_r:xdm_t:s0		staff_r:staff_t:s0
 staff_r:staff_su_t:s0		staff_r:staff_t:s0
 staff_r:staff_sudo_t:s0		staff_r:staff_t:s0
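Review bot: the order of the two candidates on the new crond_t line is load-bearing and should be spelled out in the commit message: staff_r:staff_t:s0 comes first, so it is chosen whenever policy lets a staff_u job enter staff_t through the spool file (cron_userdomain_transition on), and staff_r:cronjob_t:s0 is reached only when that is refused (boolean off). It is also worth stating that, unlike the sshd_t and local_login_t lines just above, no sysadm_r:sysadm_t:s0 candidate is offered for crond_t, so a job is never defaulted into sysadm_t the way the pre-patch getdefaultcon output in the commit message shows; one sentence saying that omission is deliberate would stop a later reader from "fixing" it.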
diff --git a/config/appconfig-mcs/user_u_default_contexts b/config/appconfig-mcs/user_u_default_contexts
index cacbc93..56d6071 100644
--- a/config/appconfig-mcs/user_u_default_contexts
+++ b/config/appconfig-mcs/user_u_default_contexts
@@ -1,7 +1,7 @@
 system_r:local_login_t:s0	user_r:user_t:s0
 system_r:remote_login_t:s0	user_r:user_t:s0
 system_r:sshd_t:s0		user_r:user_t:s0
-system_r:crond_t:s0		user_r:cronjob_t:s0
+system_r:crond_t:s0		user_r:user_t:s0 user_r:cronjob_t:s0
 system_r:xdm_t:s0		user_r:user_t:s0
 user_r:user_su_t:s0		user_r:user_t:s0
 user_r:user_sudo_t:s0		user_r:user_t:s0
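Review bot: consistent with the staff_u change, but the "Invalid argument" that getdefaultcon user_u printed before the patch is left unexplained in the commit message, while staff_u in the same situation fell through to sysadm_t; a sentence on why the old line (only user_r:cronjob_t:s0, a type the boolean can rule out) left user_u with no usable candidate at all would make the behaviour change reviewable. Please also show the user_u getdefaultcon check with cron_userdomain_transition in both states, since the chosen default now differs by boolean.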
diff --git a/config/appconfig-mls/staff_u_default_contexts b/config/appconfig-mls/staff_u_default_contexts
index 881a292..5606c4e 100644
--- a/config/appconfig-mls/staff_u_default_contexts
+++ b/config/appconfig-mls/staff_u_default_contexts
@@ -1,7 +1,7 @@
 system_r:local_login_t:s0	staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
 system_r:remote_login_t:s0	staff_r:staff_t:s0
 system_r:sshd_t:s0		staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-system_r:crond_t:s0		staff_r:cronjob_t:s0
+system_r:crond_t:s0		staff_r:staff_t:s0 staff_r:cronjob_t:s0
 system_r:xdm_t:s0		staff_r:staff_t:s0
 staff_r:staff_su_t:s0		staff_r:staff_t:s0
 staff_r:staff_sudo_t:s0		staff_r:staff_t:s0
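Review bot: this file is a byte-for-byte copy of config/appconfig-mcs/staff_u_default_contexts (the index lines show the same blob ids 881a292..5606c4e for both), and the user_u pair below is in the same situation, so every future change has to be made twice. Consider noting in the commit message that the mcs and mls variants are intentionally identical, or deriving one from the other at build time, so the two do not drift apart.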
diff --git a/config/appconfig-mls/user_u_default_contexts b/config/appconfig-mls/user_u_default_contexts
index cacbc93..56d6071 100644
--- a/config/appconfig-mls/user_u_default_contexts
+++ b/config/appconfig-mls/user_u_default_contexts
@@ -1,7 +1,7 @@
 system_r:local_login_t:s0	user_r:user_t:s0
 system_r:remote_login_t:s0	user_r:user_t:s0
 system_r:sshd_t:s0		user_r:user_t:s0
-system_r:crond_t:s0		user_r:cronjob_t:s0
+system_r:crond_t:s0		user_r:user_t:s0 user_r:cronjob_t:s0
 system_r:xdm_t:s0		user_r:user_t:s0
 user_r:user_su_t:s0		user_r:user_t:s0
 user_r:user_sudo_t:s0		user_r:user_t:s0
diff --git a/config/appconfig-standard/staff_u_default_contexts b/config/appconfig-standard/staff_u_default_contexts
index c2a5ea8..300694c 100644
--- a/config/appconfig-standard/staff_u_default_contexts
+++ b/config/appconfig-standard/staff_u_default_contexts
@@ -1,7 +1,7 @@
 system_r:local_login_t		staff_r:staff_t sysadm_r:sysadm_t
 system_r:remote_login_t		staff_r:staff_t
 system_r:sshd_t			staff_r:staff_t sysadm_r:sysadm_t
-system_r:crond_t		staff_r:cronjob_t
+system_r:crond_t		staff_r:staff_t staff_r:cronjob_t
 system_r:xdm_t			staff_r:staff_t
 staff_r:staff_su_t		staff_r:staff_t
 staff_r:staff_sudo_t		staff_r:staff_t
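Review bot: the standard (non-MLS/MCS) variant correctly carries no level suffix, matching the rest of the file, but none of the getdefaultcon checks in the commit message exercise it: all four examples use :s0 contexts. Please add a run against a standard-type policy, or state that the mcs output was taken as representative, so the reviewer knows the level-less line was tested too.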
diff --git a/config/appconfig-standard/user_u_default_contexts b/config/appconfig-standard/user_u_default_contexts
index f5bfac3..63b7eec 100644
--- a/config/appconfig-standard/user_u_default_contexts
+++ b/config/appconfig-standard/user_u_default_contexts
@@ -1,7 +1,7 @@
 system_r:local_login_t		user_r:user_t
 system_r:remote_login_t		user_r:user_t
 system_r:sshd_t			user_r:user_t
-system_r:crond_t		user_r:cronjob_t
+system_r:crond_t		user_r:user_t user_r:cronjob_t
 system_r:xdm_t			user_r:user_t
 user_r:user_su_t		user_r:user_t
 user_r:user_sudo_t		user_r:user_t
-- 
2.6.2
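The context selection the quoted message and the patch are about, as an added illustration that is not part of this thread, of the at patch, or of libselinux: a small Python model of how a daemon running in crond_t picks a job context from a <seuser>_default_contexts file, using the sesearch rules quoted above to decide which candidates policy allows to enter through user_cron_spool_t. The sample file contents (the crond_t line before and after the patch) and the rule list are constructed from the thread, with the long permission list of the files_unconfined_type rule shortened; that attribute rule is matched by exact name only, which keeps type attributes out of the model. The "first candidate in file order that policy permits wins" rule and the treatment of the no-candidate case are assumptions of this model, not something the thread states, and the further fallbacks real libselinux applies when no candidate fits are not modelled.

```python
"""Model of a cron-like daemon choosing a job context from
<seuser>_default_contexts, driven by sesearch output.

Added illustration, not code from the at patch or from libselinux.
Assumptions: candidates are tried in file order; a candidate is usable
when policy grants it file:entrypoint on the spool type; conditional
rules are flagged the way setools-3 sesearch prints them (second letter
T/F = the branch of the boolean the rule lives in, first letter D/E =
disabled/enabled at the time sesearch ran).
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the crond_t line of staff_u_default_contexts (mcs
# flavour) before and after the patch, with its unchanged neighbours.
STAFF_U_BEFORE = """\
system_r:sshd_t:s0\t\tstaff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:crond_t:s0\t\tstaff_r:cronjob_t:s0
system_r:xdm_t:s0\t\tstaff_r:staff_t:s0
"""
STAFF_U_AFTER = """\
system_r:sshd_t:s0\t\tstaff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:crond_t:s0\t\tstaff_r:staff_t:s0 staff_r:cronjob_t:s0
system_r:xdm_t:s0\t\tstaff_r:staff_t:s0
"""

# Constructed sample: the sesearch rules quoted in the thread, one per
# line; the unconditional attribute rule's permission list is shortened.
SESEARCH_OUTPUT = """\
Found 6 semantic av rules:
   allow files_unconfined_type file_type : file { read execute entrypoint open } ;
DT allow unconfined_t user_cron_spool_t : file entrypoint ; [ cron_userdomain_transition ]
DT allow user_t user_cron_spool_t : file entrypoint ; [ cron_userdomain_transition ]
EF allow cronjob_t user_cron_spool_t : file entrypoint ; [ cron_userdomain_transition ]
DT allow staff_t user_cron_spool_t : file entrypoint ; [ cron_userdomain_transition ]
DT allow sysadm_t user_cron_spool_t : file entrypoint ; [ cron_userdomain_transition ]
"""

RULE_RE = re.compile(
    r"^(?:([DE][TF]) )?allow (\S+) (\S+) : (\S+) \{?\s*([^};]+?)\s*\}? ;"
    r"(?: \[ (\S+) \])?$")


@dataclass(frozen=True)
class AvRule:
    source: str
    target: str
    tclass: str
    perms: frozenset
    boolean: Optional[str]       # None for an unconditional rule
    active_when: Optional[bool]  # boolean value under which the rule is in effect


def parse_sesearch(text: str) -> list:
    """Turn sesearch lines into AvRule records; non-rule lines are skipped."""
    rules = []
    for raw in text.splitlines():
        m = RULE_RE.match(raw.strip())
        if not m:
            continue  # e.g. "Found 6 semantic av rules:"
        flag, src, tgt, cls, perms, boolean = m.groups()
        rules.append(AvRule(src, tgt, cls, frozenset(perms.split()), boolean,
                            None if flag is None else flag[1] == "T"))
    return rules


def grants(rules, booleans, source, target, tclass, perm) -> bool:
    """True if a rule active under `booleans` names these concrete types and the
    permission. Attributes are matched by exact name only (model assumption)."""
    for r in rules:
        if (r.source, r.target, r.tclass) != (source, target, tclass) or perm not in r.perms:
            continue
        if r.active_when is None or booleans.get(r.boolean, False) == r.active_when:
            return True
    return False


def parse_default_contexts(text: str) -> list:
    """Each line: the caller's role:type[:level], then candidates in preference order."""
    table = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            source, *candidates = line.split()
            table.append((source, candidates))
    return table


def job_context(default_contexts, rules, booleans, seuser, caller_context,
                spool_type="user_cron_spool_t") -> Optional[str]:
    """First candidate, in file order, that policy lets enter through the spool
    file; None when no candidate fits (real libselinux falls back further)."""
    caller_rt = caller_context.split(":", 1)[1]  # drop the SELinux user
    for source, candidates in default_contexts:
        if source != caller_rt:
            continue
        for cand in candidates:
            ctype = cand.split(":")[1]
            if grants(rules, booleans, ctype, spool_type, "file", "entrypoint"):
                return f"{seuser}:{cand}"
    return None


def demo() -> dict:
    """Job context for staff_u, before/after the patch, boolean off/on."""
    rules = parse_sesearch(SESEARCH_OUTPUT)
    crond = "system_u:system_r:crond_t:s0"
    out = {}
    for label, text in (("before", STAFF_U_BEFORE), ("after", STAFF_U_AFTER)):
        table = parse_default_contexts(text)
        for flag in (False, True):
            bools = {"cron_userdomain_transition": flag}
            out[(label, flag)] = job_context(table, rules, bools, "staff_u", crond)
    return out


if __name__ == "__main__":
    for (label, flag), ctx in demo().items():
        state = "on" if flag else "off"
        print(f"{label:6} cron_userdomain_transition={state}: {ctx}")
```

Run as a script it prints, for the patched file, staff_u:staff_r:cronjob_t:s0 with the boolean off and staff_u:staff_r:staff_t:s0 with it on, which is the pair of behaviours the commit message describes, while the pre-patch line yields no usable candidate at all once the boolean is on. The model deliberately stops there: it says nothing about why the daemon's userspace AVC reports a denial for a context the policy does allow, which is the question the subject line asks.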

