* strange pam selinux issue
@ 2020-03-04 7:29 Dominick Grift
2020-03-04 7:42 ` Dominick Grift
2020-03-04 14:40 ` Stephen Smalley
0 siblings, 2 replies; 15+ messages in thread
From: Dominick Grift @ 2020-03-04 7:29 UTC (permalink / raw)
To: selinux
[-- Attachment #1: Type: text/plain, Size: 1765 bytes --]
The easiest way to explain this is as follows.
Consider this scenario:
# seinfo -xuwheel.id
Users: 1
user wheel.id roles wheel.role level s0 range s0;
# selinuxconlist wheel.id sys.id:sys.role:sys.isid:s0
wheel.id:wheel.role:user.systemd.subj:s0
Now consider this scenario:
# echo '(userrole wheel.id sys.role)' > hack.cil && semodule -i hack.cil
# seinfo -xuwheel.id
Users: 1
user wheel.id roles { wheel.role sys.role } level s0 range s0;
Here is the issue:
# selinuxconlist wheel.id sys.id:sys.role:sys.isid:s0
wheel.id:sys.role:sys.isid:s0
Some semi irrelevant background:
I am designing an improved "targeted" policy. Common targeted policies
are inefficient because they have several "unconfined" domains.
Unconfined domains are expensive because they have a lot of rules associated with them.
They're essentially all the same. Just duplicates.
I decided to have just one unconfined domain: "the system", and everything that is not targeted ends up in the system domain.
So now I want to have a confined login shell with role access to the system a'la: staff_u:staff_r:staff_t -> staff_u:unconfined_r:unconfined_t
pam_selinux seemingly cannot deal with this scenario as shown above. pam_selinux has many other issues. One of them is its concept of
"default_type". There is no such thing as a "default_type" and implying that there is a "default_type" causes issues.
There are other issues related to this as well: the env_params option depends on the "context contains" access vector being present.
It will not work even if you have handle_unknown=allow set.
--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
Dominick Grift
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 15+ messages in thread* Re: strange pam selinux issue 2020-03-04 7:29 strange pam selinux issue Dominick Grift @ 2020-03-04 7:42 ` Dominick Grift 2020-03-04 14:22 ` Stephen Smalley 2020-03-04 14:40 ` Stephen Smalley 1 sibling, 1 reply; 15+ messages in thread From: Dominick Grift @ 2020-03-04 7:42 UTC (permalink / raw) To: selinux [-- Attachment #1: Type: text/plain, Size: 1074 bytes --] On Wed, Mar 04, 2020 at 08:29:40AM +0100, Dominick Grift wrote: > The easiest way to explain this is as follows. > > Consider this scenario: > > # seinfo -xuwheel.id > > Users: 1 > user wheel.id roles wheel.role level s0 range s0; > > # selinuxconlist wheel.id sys.id:sys.role:sys.isid:s0 > wheel.id:wheel.role:user.systemd.subj:s0 > > Now consider this scenario: > > # echo '(userrole wheel.id sys.role)' > hack.cil && semodule -i hack.cil > > # seinfo -xuwheel.id > > Users: 1 > user wheel.id roles { wheel.role sys.role } level s0 range s0; > > Here is the issue: > > # selinuxconlist wheel.id sys.id:sys.role:sys.isid:s0 > wheel.id:sys.role:sys.isid:s0 For completeness: # cat /etc/selinux/dssp3-mcs/contexts/users/wheel.id sys.role:login.subj:s0 wheel.role:user.subj:s0 sys.role:ssh.daemon.subj:s0 wheel.role:user.ssh.subj:s0 sys.role:sys.isid:s0 wheel.role:user.systemd.subj:s0 -- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 Dominick Grift [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: strange pam selinux issue 2020-03-04 7:42 ` Dominick Grift @ 2020-03-04 14:22 ` Stephen Smalley 2020-03-04 14:36 ` Dominick Grift 0 siblings, 1 reply; 15+ messages in thread From: Stephen Smalley @ 2020-03-04 14:22 UTC (permalink / raw) To: SElinux list On Wed, Mar 4, 2020 at 2:44 AM Dominick Grift <dominick.grift@defensec.nl> wrote: > > On Wed, Mar 04, 2020 at 08:29:40AM +0100, Dominick Grift wrote: > > The easiest way to explain this is as follows. > > > > Consider this scenario: > > > > # seinfo -xuwheel.id > > > > Users: 1 > > user wheel.id roles wheel.role level s0 range s0; > > > > # selinuxconlist wheel.id sys.id:sys.role:sys.isid:s0 > > wheel.id:wheel.role:user.systemd.subj:s0 > > > > Now consider this scenario: > > > > # echo '(userrole wheel.id sys.role)' > hack.cil && semodule -i hack.cil > > > > # seinfo -xuwheel.id > > > > Users: 1 > > user wheel.id roles { wheel.role sys.role } level s0 range s0; > > > > Here is the issue: > > > > # selinuxconlist wheel.id sys.id:sys.role:sys.isid:s0 > > wheel.id:sys.role:sys.isid:s0 > > For completeness: > > # cat /etc/selinux/dssp3-mcs/contexts/users/wheel.id > sys.role:login.subj:s0 wheel.role:user.subj:s0 > sys.role:ssh.daemon.subj:s0 wheel.role:user.ssh.subj:s0 > sys.role:sys.isid:s0 wheel.role:user.systemd.subj:s0 Are you using libselinux with or without the commit to stop using security_compute_user()? If still using security_compute_user(), what does compute_user sys.id:sys.role:sys.isid:s0 wheel.id display? If you don't have compute_user (it is in libselinux/utils but not sure Fedora packages it), you can also just strace -s 4096 -o trace.txt selinuxconlist wheel.id sys.id:sys.role:sys.isid:s0 and see what it read back from /sys/fs/selinux/user. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: strange pam selinux issue 2020-03-04 14:22 ` Stephen Smalley @ 2020-03-04 14:36 ` Dominick Grift 2020-03-04 14:40 ` Dominick Grift 2020-03-04 14:46 ` Stephen Smalley 0 siblings, 2 replies; 15+ messages in thread From: Dominick Grift @ 2020-03-04 14:36 UTC (permalink / raw) To: Stephen Smalley; +Cc: SElinux list [-- Attachment #1: Type: text/plain, Size: 2775 bytes --] On Wed, Mar 04, 2020 at 09:22:42AM -0500, Stephen Smalley wrote: > On Wed, Mar 4, 2020 at 2:44 AM Dominick Grift > <dominick.grift@defensec.nl> wrote: > > > > On Wed, Mar 04, 2020 at 08:29:40AM +0100, Dominick Grift wrote: > > > The easiest way to explain this is as follows. > > > > > > Consider this scenario: > > > > > > # seinfo -xuwheel.id > > > > > > Users: 1 > > > user wheel.id roles wheel.role level s0 range s0; > > > > > > # selinuxconlist wheel.id sys.id:sys.role:sys.isid:s0 > > > wheel.id:wheel.role:user.systemd.subj:s0 > > > > > > Now consider this scenario: > > > > > > # echo '(userrole wheel.id sys.role)' > hack.cil && semodule -i hack.cil > > > > > > # seinfo -xuwheel.id > > > > > > Users: 1 > > > user wheel.id roles { wheel.role sys.role } level s0 range s0; > > > > > > Here is the issue: > > > > > > # selinuxconlist wheel.id sys.id:sys.role:sys.isid:s0 > > > wheel.id:sys.role:sys.isid:s0 > > > > For completeness: > > > > # cat /etc/selinux/dssp3-mcs/contexts/users/wheel.id > > sys.role:login.subj:s0 wheel.role:user.subj:s0 > > sys.role:ssh.daemon.subj:s0 wheel.role:user.ssh.subj:s0 > > sys.role:sys.isid:s0 wheel.role:user.systemd.subj:s0 > > Are you using libselinux with or without the commit to stop using > security_compute_user()? > If still using security_compute_user(), what does compute_user > sys.id:sys.role:sys.isid:s0 wheel.id display? > If you don't have compute_user (it is in libselinux/utils but not sure > Fedora packages it), you can also just > strace -s 4096 -o trace.txt selinuxconlist wheel.id sys.id:sys.role:sys.isid:s0 > and see what it read back from /sys/fs/selinux/user. Thanks, it does not even seems to read /etc/selinux/dssp3-mcs/contexts/users/wheel.id... I am not if my libselinux has or has not security_compute_user(): # rpm -qa libselinux libselinux-3.0-3.fc32.x86_64 openat(AT_FDCWD, "/sys/fs/selinux/user", O_RDWR|O_CLOEXEC) = 3 write(3, "sys.id:sys.role:sys.isid:s0 wheel.id", 36) = -1 ERANGE (Numerical result out of range) close(3) = 0 openat(AT_FDCWD, "/etc/selinux/dssp3-mcs/contexts/failsafe_context", O_RDONLY|O_CLOEXEC) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=21, ...}) = 0 read(3, "sys.role:sys.isid:s0\n", 4096) = 21 close(3) = 0 openat(AT_FDCWD, "/sys/fs/selinux/context", O_RDWR|O_CLOEXEC) = 3 write(3, "wheel.id:sys.role:sys.isid:s0\0", 30) = 30 close(3) = 0 fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0), ...}) = 0 write(1, "wheel.id:sys.role:sys.isid:s0\n", 30) = 30 -- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 Dominick Grift [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: strange pam selinux issue 2020-03-04 14:36 ` Dominick Grift @ 2020-03-04 14:40 ` Dominick Grift 2020-03-04 14:46 ` Stephen Smalley 1 sibling, 0 replies; 15+ messages in thread From: Dominick Grift @ 2020-03-04 14:40 UTC (permalink / raw) To: Stephen Smalley, SElinux list [-- Attachment #1: Type: text/plain, Size: 3249 bytes --] On Wed, Mar 04, 2020 at 03:36:50PM +0100, Dominick Grift wrote: > On Wed, Mar 04, 2020 at 09:22:42AM -0500, Stephen Smalley wrote: > > On Wed, Mar 4, 2020 at 2:44 AM Dominick Grift > > <dominick.grift@defensec.nl> wrote: > > > > > > On Wed, Mar 04, 2020 at 08:29:40AM +0100, Dominick Grift wrote: > > > > The easiest way to explain this is as follows. > > > > > > > > Consider this scenario: > > > > > > > > # seinfo -xuwheel.id > > > > > > > > Users: 1 > > > > user wheel.id roles wheel.role level s0 range s0; > > > > > > > > # selinuxconlist wheel.id sys.id:sys.role:sys.isid:s0 > > > > wheel.id:wheel.role:user.systemd.subj:s0 > > > > > > > > Now consider this scenario: > > > > > > > > # echo '(userrole wheel.id sys.role)' > hack.cil && semodule -i hack.cil > > > > > > > > # seinfo -xuwheel.id > > > > > > > > Users: 1 > > > > user wheel.id roles { wheel.role sys.role } level s0 range s0; > > > > > > > > Here is the issue: > > > > > > > > # selinuxconlist wheel.id sys.id:sys.role:sys.isid:s0 > > > > wheel.id:sys.role:sys.isid:s0 > > > > > > For completeness: > > > > > > # cat /etc/selinux/dssp3-mcs/contexts/users/wheel.id > > > sys.role:login.subj:s0 wheel.role:user.subj:s0 > > > sys.role:ssh.daemon.subj:s0 wheel.role:user.ssh.subj:s0 > > > sys.role:sys.isid:s0 wheel.role:user.systemd.subj:s0 > > > > Are you using libselinux with or without the commit to stop using > > security_compute_user()? > > If still using security_compute_user(), what does compute_user > > sys.id:sys.role:sys.isid:s0 wheel.id display? > > If you don't have compute_user (it is in libselinux/utils but not sure > > Fedora packages it), you can also just > > strace -s 4096 -o trace.txt selinuxconlist wheel.id sys.id:sys.role:sys.isid:s0 > > and see what it read back from /sys/fs/selinux/user. > > Thanks, it does not even seems to read /etc/selinux/dssp3-mcs/contexts/users/wheel.id... > I am not if my libselinux has or has not security_compute_user(): Scratch that, the reference to /sys/fs/selinux/user in the trace below implies that security_compute_user() is still there > > # rpm -qa libselinux > libselinux-3.0-3.fc32.x86_64 > > openat(AT_FDCWD, "/sys/fs/selinux/user", O_RDWR|O_CLOEXEC) = 3 > write(3, "sys.id:sys.role:sys.isid:s0 wheel.id", 36) = -1 ERANGE (Numerical result out of range) > close(3) = 0 > openat(AT_FDCWD, "/etc/selinux/dssp3-mcs/contexts/failsafe_context", O_RDONLY|O_CLOEXEC) = 3 > fstat(3, {st_mode=S_IFREG|0644, st_size=21, ...}) = 0 > read(3, "sys.role:sys.isid:s0\n", 4096) = 21 > close(3) = 0 > openat(AT_FDCWD, "/sys/fs/selinux/context", O_RDWR|O_CLOEXEC) = 3 > write(3, "wheel.id:sys.role:sys.isid:s0\0", 30) = 30 > close(3) = 0 > fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0), ...}) = 0 > write(1, "wheel.id:sys.role:sys.isid:s0\n", 30) = 30 > > -- > gpg --locate-keys dominick.grift@defensec.nl > Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 > Dominick Grift -- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 Dominick Grift [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: strange pam selinux issue 2020-03-04 14:36 ` Dominick Grift 2020-03-04 14:40 ` Dominick Grift @ 2020-03-04 14:46 ` Stephen Smalley 2020-03-04 15:10 ` Stephen Smalley 2020-03-05 17:33 ` Petr Lautrbach 1 sibling, 2 replies; 15+ messages in thread From: Stephen Smalley @ 2020-03-04 14:46 UTC (permalink / raw) To: Stephen Smalley; +Cc: SElinux list On Wed, Mar 4, 2020 at 9:36 AM Dominick Grift <dominick.grift@defensec.nl> wrote: > > On Wed, Mar 04, 2020 at 09:22:42AM -0500, Stephen Smalley wrote: > > Are you using libselinux with or without the commit to stop using > > security_compute_user()? > > If still using security_compute_user(), what does compute_user > > sys.id:sys.role:sys.isid:s0 wheel.id display? > > If you don't have compute_user (it is in libselinux/utils but not sure > > Fedora packages it), you can also just > > strace -s 4096 -o trace.txt selinuxconlist wheel.id sys.id:sys.role:sys.isid:s0 > > and see what it read back from /sys/fs/selinux/user. > > Thanks, it does not even seems to read /etc/selinux/dssp3-mcs/contexts/users/wheel.id... > I am not if my libselinux has or has not security_compute_user(): > > # rpm -qa libselinux > libselinux-3.0-3.fc32.x86_64 > > openat(AT_FDCWD, "/sys/fs/selinux/user", O_RDWR|O_CLOEXEC) = 3 > write(3, "sys.id:sys.role:sys.isid:s0 wheel.id", 36) = -1 ERANGE (Numerical result out of range) This shows that your libselinux is still calling security_compute_user() from get_ordered_context_list(). In this case, because the source context is allowed to transition to many other contexts, the result returned via /sys/fs/selinux/user would exceed the maximum size supported by the kernel interface (one page of contexts), and therefore it fails. Then get_ordered_context_list() falls back to the failsafe_context. If you update to libselinux git, you will stop using security_compute_user() and hence /sys/fs/selinux/user entirely. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: strange pam selinux issue 2020-03-04 14:46 ` Stephen Smalley @ 2020-03-04 15:10 ` Stephen Smalley 2020-03-05 17:33 ` Petr Lautrbach 1 sibling, 0 replies; 15+ messages in thread From: Stephen Smalley @ 2020-03-04 15:10 UTC (permalink / raw) To: Stephen Smalley; +Cc: SElinux list On Wed, Mar 4, 2020 at 9:46 AM Stephen Smalley <stephen.smalley.work@gmail.com> wrote: > This shows that your libselinux is still calling > security_compute_user() from get_ordered_context_list(). > In this case, because the source context is allowed to transition to > many other contexts, the result returned via > /sys/fs/selinux/user would exceed the maximum size supported by the > kernel interface (one page of contexts), > and therefore it fails. Then get_ordered_context_list() falls back to > the failsafe_context. > > If you update to libselinux git, you will stop using > security_compute_user() and hence /sys/fs/selinux/user entirely. BTW, Fedora ran into this limit some time ago and prune outbound transitions from init_t and perhaps other "unconfined" domains to workaround it. But getting rid of security_compute_user() and /sys/fs/selinux/user is the better solution. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: strange pam selinux issue 2020-03-04 14:46 ` Stephen Smalley 2020-03-04 15:10 ` Stephen Smalley @ 2020-03-05 17:33 ` Petr Lautrbach 2020-03-05 17:39 ` Dominick Grift 1 sibling, 1 reply; 15+ messages in thread From: Petr Lautrbach @ 2020-03-05 17:33 UTC (permalink / raw) To: SElinux list; +Cc: Dominick Grift, Stephen Smalley Stephen Smalley <stephen.smalley.work@gmail.com> writes: > On Wed, Mar 4, 2020 at 9:36 AM Dominick Grift > <dominick.grift@defensec.nl> wrote: >> >> On Wed, Mar 04, 2020 at 09:22:42AM -0500, Stephen Smalley wrote: >> > Are you using libselinux with or without the commit to stop using >> > security_compute_user()? >> > If still using security_compute_user(), what does compute_user >> > sys.id:sys.role:sys.isid:s0 wheel.id display? >> > If you don't have compute_user (it is in libselinux/utils but not sure >> > Fedora packages it), you can also just >> > strace -s 4096 -o trace.txt selinuxconlist wheel.id sys.id:sys.role:sys.isid:s0 >> > and see what it read back from /sys/fs/selinux/user. >> >> Thanks, it does not even seems to read /etc/selinux/dssp3-mcs/contexts/users/wheel.id... >> I am not if my libselinux has or has not security_compute_user(): >> >> # rpm -qa libselinux >> libselinux-3.0-3.fc32.x86_64 >> >> openat(AT_FDCWD, "/sys/fs/selinux/user", O_RDWR|O_CLOEXEC) = 3 >> write(3, "sys.id:sys.role:sys.isid:s0 wheel.id", 36) = -1 ERANGE (Numerical result out of range) > > This shows that your libselinux is still calling > security_compute_user() from get_ordered_context_list(). > In this case, because the source context is allowed to transition to > many other contexts, the result returned via > /sys/fs/selinux/user would exceed the maximum size supported by the > kernel interface (one page of contexts), > and therefore it fails. Then get_ordered_context_list() falls back to > the failsafe_context. > > If you update to libselinux git, you will stop using > security_compute_user() and hence /sys/fs/selinux/user entirely. FYI I've just built libselinux-3.0-4.fc32 [1] and libselinux-3.0-4.fc33 [2] with the security_compute_user() patch applied. [1] https://koji.fedoraproject.org/koji/buildinfo?buildID=1474378 [2] https://koji.fedoraproject.org/koji/buildinfo?buildID=1474377 -- () ascii ribbon campaign - against html e-mail /\ www.asciiribbon.org - against proprietary attachments ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: strange pam selinux issue 2020-03-05 17:33 ` Petr Lautrbach @ 2020-03-05 17:39 ` Dominick Grift 2020-03-05 17:50 ` Dominick Grift 0 siblings, 1 reply; 15+ messages in thread From: Dominick Grift @ 2020-03-05 17:39 UTC (permalink / raw) To: Petr Lautrbach; +Cc: SElinux list, Stephen Smalley [-- Attachment #1: Type: text/plain, Size: 2398 bytes --] On Thu, Mar 05, 2020 at 06:33:55PM +0100, Petr Lautrbach wrote: > > Stephen Smalley <stephen.smalley.work@gmail.com> writes: > > > On Wed, Mar 4, 2020 at 9:36 AM Dominick Grift > > <dominick.grift@defensec.nl> wrote: > >> > >> On Wed, Mar 04, 2020 at 09:22:42AM -0500, Stephen Smalley wrote: > >> > Are you using libselinux with or without the commit to stop using > >> > security_compute_user()? > >> > If still using security_compute_user(), what does compute_user > >> > sys.id:sys.role:sys.isid:s0 wheel.id display? > >> > If you don't have compute_user (it is in libselinux/utils but not sure > >> > Fedora packages it), you can also just > >> > strace -s 4096 -o trace.txt selinuxconlist wheel.id sys.id:sys.role:sys.isid:s0 > >> > and see what it read back from /sys/fs/selinux/user. > >> > >> Thanks, it does not even seems to read /etc/selinux/dssp3-mcs/contexts/users/wheel.id... > >> I am not if my libselinux has or has not security_compute_user(): > >> > >> # rpm -qa libselinux > >> libselinux-3.0-3.fc32.x86_64 > >> > >> openat(AT_FDCWD, "/sys/fs/selinux/user", O_RDWR|O_CLOEXEC) = 3 > >> write(3, "sys.id:sys.role:sys.isid:s0 wheel.id", 36) = -1 ERANGE (Numerical result out of range) > > > > This shows that your libselinux is still calling > > security_compute_user() from get_ordered_context_list(). > > In this case, because the source context is allowed to transition to > > many other contexts, the result returned via > > /sys/fs/selinux/user would exceed the maximum size supported by the > > kernel interface (one page of contexts), > > and therefore it fails. Then get_ordered_context_list() falls back to > > the failsafe_context. > > > > If you update to libselinux git, you will stop using > > security_compute_user() and hence /sys/fs/selinux/user entirely. > > FYI I've just built libselinux-3.0-4.fc32 [1] and libselinux-3.0-4.fc33 > [2] with the security_compute_user() patch applied. > > [1] https://koji.fedoraproject.org/koji/buildinfo?buildID=1474378 > [2] https://koji.fedoraproject.org/koji/buildinfo?buildID=1474377 Thanks, trying it out > > -- > () ascii ribbon campaign - against html e-mail > /\ www.asciiribbon.org - against proprietary attachments > -- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 Dominick Grift [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: strange pam selinux issue 2020-03-05 17:39 ` Dominick Grift @ 2020-03-05 17:50 ` Dominick Grift 2020-03-05 18:00 ` Dominick Grift 0 siblings, 1 reply; 15+ messages in thread From: Dominick Grift @ 2020-03-05 17:50 UTC (permalink / raw) To: Petr Lautrbach, SElinux list, Stephen Smalley [-- Attachment #1: Type: text/plain, Size: 3111 bytes --] On Thu, Mar 05, 2020 at 06:39:41PM +0100, Dominick Grift wrote: > On Thu, Mar 05, 2020 at 06:33:55PM +0100, Petr Lautrbach wrote: > > > > Stephen Smalley <stephen.smalley.work@gmail.com> writes: > > > > > On Wed, Mar 4, 2020 at 9:36 AM Dominick Grift > > > <dominick.grift@defensec.nl> wrote: > > >> > > >> On Wed, Mar 04, 2020 at 09:22:42AM -0500, Stephen Smalley wrote: > > >> > Are you using libselinux with or without the commit to stop using > > >> > security_compute_user()? > > >> > If still using security_compute_user(), what does compute_user > > >> > sys.id:sys.role:sys.isid:s0 wheel.id display? > > >> > If you don't have compute_user (it is in libselinux/utils but not sure > > >> > Fedora packages it), you can also just > > >> > strace -s 4096 -o trace.txt selinuxconlist wheel.id sys.id:sys.role:sys.isid:s0 > > >> > and see what it read back from /sys/fs/selinux/user. > > >> > > >> Thanks, it does not even seems to read /etc/selinux/dssp3-mcs/contexts/users/wheel.id... > > >> I am not if my libselinux has or has not security_compute_user(): > > >> > > >> # rpm -qa libselinux > > >> libselinux-3.0-3.fc32.x86_64 > > >> > > >> openat(AT_FDCWD, "/sys/fs/selinux/user", O_RDWR|O_CLOEXEC) = 3 > > >> write(3, "sys.id:sys.role:sys.isid:s0 wheel.id", 36) = -1 ERANGE (Numerical result out of range) > > > > > > This shows that your libselinux is still calling > > > security_compute_user() from get_ordered_context_list(). > > > In this case, because the source context is allowed to transition to > > > many other contexts, the result returned via > > > /sys/fs/selinux/user would exceed the maximum size supported by the > > > kernel interface (one page of contexts), > > > and therefore it fails. Then get_ordered_context_list() falls back to > > > the failsafe_context. > > > > > > If you update to libselinux git, you will stop using > > > security_compute_user() and hence /sys/fs/selinux/user entirely. > > > > FYI I've just built libselinux-3.0-4.fc32 [1] and libselinux-3.0-4.fc33 > > [2] with the security_compute_user() patch applied. > > > > [1] https://koji.fedoraproject.org/koji/buildinfo?buildID=1474378 > > [2] https://koji.fedoraproject.org/koji/buildinfo?buildID=1474377 > > Thanks, trying it out [root@myguest ~]# strace -s 4096 -o trace.txt selinuxconlist wheel.id sys.id:sys.role:sys.isid:s0 wheel.id:wheel.role:user.systemd.subj:s0 wheel.id:sys.role:sys.isid:s0 So that result looks promising, but when I login I still get wheel.id:sys.role:sys.isid:s0 Is that some compatibility related thing, or does something else need to be rebuilt against this libselinux for it to work? > > > > -- > > () ascii ribbon campaign - against html e-mail > > /\ www.asciiribbon.org - against proprietary attachments > > > > -- > gpg --locate-keys dominick.grift@defensec.nl > Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 > Dominick Grift -- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 Dominick Grift [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: strange pam selinux issue 2020-03-05 17:50 ` Dominick Grift @ 2020-03-05 18:00 ` Dominick Grift 0 siblings, 0 replies; 15+ messages in thread From: Dominick Grift @ 2020-03-05 18:00 UTC (permalink / raw) To: Petr Lautrbach, SElinux list, Stephen Smalley [-- Attachment #1: Type: text/plain, Size: 3523 bytes --] On Thu, Mar 05, 2020 at 06:50:00PM +0100, Dominick Grift wrote: > On Thu, Mar 05, 2020 at 06:39:41PM +0100, Dominick Grift wrote: > > On Thu, Mar 05, 2020 at 06:33:55PM +0100, Petr Lautrbach wrote: > > > > > > Stephen Smalley <stephen.smalley.work@gmail.com> writes: > > > > > > > On Wed, Mar 4, 2020 at 9:36 AM Dominick Grift > > > > <dominick.grift@defensec.nl> wrote: > > > >> > > > >> On Wed, Mar 04, 2020 at 09:22:42AM -0500, Stephen Smalley wrote: > > > >> > Are you using libselinux with or without the commit to stop using > > > >> > security_compute_user()? > > > >> > If still using security_compute_user(), what does compute_user > > > >> > sys.id:sys.role:sys.isid:s0 wheel.id display? > > > >> > If you don't have compute_user (it is in libselinux/utils but not sure > > > >> > Fedora packages it), you can also just > > > >> > strace -s 4096 -o trace.txt selinuxconlist wheel.id sys.id:sys.role:sys.isid:s0 > > > >> > and see what it read back from /sys/fs/selinux/user. > > > >> > > > >> Thanks, it does not even seems to read /etc/selinux/dssp3-mcs/contexts/users/wheel.id... > > > >> I am not if my libselinux has or has not security_compute_user(): > > > >> > > > >> # rpm -qa libselinux > > > >> libselinux-3.0-3.fc32.x86_64 > > > >> > > > >> openat(AT_FDCWD, "/sys/fs/selinux/user", O_RDWR|O_CLOEXEC) = 3 > > > >> write(3, "sys.id:sys.role:sys.isid:s0 wheel.id", 36) = -1 ERANGE (Numerical result out of range) > > > > > > > > This shows that your libselinux is still calling > > > > security_compute_user() from get_ordered_context_list(). > > > > In this case, because the source context is allowed to transition to > > > > many other contexts, the result returned via > > > > /sys/fs/selinux/user would exceed the maximum size supported by the > > > > kernel interface (one page of contexts), > > > > and therefore it fails. Then get_ordered_context_list() falls back to > > > > the failsafe_context. > > > > > > > > If you update to libselinux git, you will stop using > > > > security_compute_user() and hence /sys/fs/selinux/user entirely. > > > > > > FYI I've just built libselinux-3.0-4.fc32 [1] and libselinux-3.0-4.fc33 > > > [2] with the security_compute_user() patch applied. > > > > > > [1] https://koji.fedoraproject.org/koji/buildinfo?buildID=1474378 > > > [2] https://koji.fedoraproject.org/koji/buildinfo?buildID=1474377 > > > > Thanks, trying it out > > [root@myguest ~]# strace -s 4096 -o trace.txt selinuxconlist wheel.id sys.id:sys.role:sys.isid:s0 > wheel.id:wheel.role:user.systemd.subj:s0 > wheel.id:sys.role:sys.isid:s0 > > So that result looks promising, but when I login I still get wheel.id:sys.role:sys.isid:s0 > Is that some compatibility related thing, or does something else need to be rebuilt against this libselinux for it to work? Never mind , seems i needed a reboot. works now, Thanks! > > > > > > > -- > > > () ascii ribbon campaign - against html e-mail > > > /\ www.asciiribbon.org - against proprietary attachments > > > > > > > -- > > gpg --locate-keys dominick.grift@defensec.nl > > Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 > > Dominick Grift > > > > -- > gpg --locate-keys dominick.grift@defensec.nl > Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 > Dominick Grift -- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 Dominick Grift [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: strange pam selinux issue 2020-03-04 7:29 strange pam selinux issue Dominick Grift 2020-03-04 7:42 ` Dominick Grift @ 2020-03-04 14:40 ` Stephen Smalley 2020-03-04 14:47 ` Dominick Grift 1 sibling, 1 reply; 15+ messages in thread From: Stephen Smalley @ 2020-03-04 14:40 UTC (permalink / raw) To: SElinux list On Wed, Mar 4, 2020 at 2:30 AM Dominick Grift <dominick.grift@defensec.nl> wrote: > Some semi irrelevant background: > > I am designing an improved "targeted" policy. Common targeted policies > are inefficient because they have several "unconfined" domains. > Unconfined domains are expensive because they have a lot of rules associated with them. > They're essentially all the same. Just duplicates. Why can't you just define a single unconfined attribute with associated allow rules, and then define multiple domains that have that attribute? Where is the duplication occurring? Name-based type transitions? IMHO, those should be used far more sparsely than they are presently in Fedora and there has been some optimization recently in how they are internally represented. > I decided to have just one unconfined domain: "the system", and everything that is not targeted ends up in the system domain. > So now I want to have a confined login shell with role access to the system a'la: staff_u:staff_r:staff_t -> staff_u:unconfined_r:unconfined_t > pam_selinux seemingly cannot deal with this scenario as shown above. pam_selinux has many other issues. One of them is its concept of > "default_type". There is no such thing as a "default_type" and implying that there is a "default_type" causes issues. default_type was to support providing a default type to use when only a role was specified to e.g. newrole or pam_selinux. Not sure that's a problem. > There are other issues related to this as well: the env_params option depends on the "context contains" access vector being present. > It will not work even if you have handle_unknown=allow set. Probably needs to be converted to using selinux_check_access(). ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: strange pam selinux issue 2020-03-04 14:40 ` Stephen Smalley @ 2020-03-04 14:47 ` Dominick Grift 2020-03-04 15:19 ` Stephen Smalley 0 siblings, 1 reply; 15+ messages in thread From: Dominick Grift @ 2020-03-04 14:47 UTC (permalink / raw) To: Stephen Smalley; +Cc: SElinux list [-- Attachment #1: Type: text/plain, Size: 2770 bytes --] On Wed, Mar 04, 2020 at 09:40:17AM -0500, Stephen Smalley wrote: > On Wed, Mar 4, 2020 at 2:30 AM Dominick Grift > <dominick.grift@defensec.nl> wrote: > > Some semi irrelevant background: > > > > I am designing an improved "targeted" policy. Common targeted policies > > are inefficient because they have several "unconfined" domains. > > Unconfined domains are expensive because they have a lot of rules associated with them. > > They're essentially all the same. Just duplicates. > > Why can't you just define a single unconfined attribute with > associated allow rules, and then define multiple domains that > have that attribute? Where is the duplication occurring? Name-based > type transitions? IMHO, those should be used far more > sparsely than they are presently in Fedora and there has been some > optimization recently in how they are internally represented. Practically yes name-based type transitions but other than that it makes the experience much simpler if you have just one unconfined system domain. I actually kind of got that idea from you when you mentioned the three domain model. It works reasonably nicely with exception of this pam_selinux issue. > > > I decided to have just one unconfined domain: "the system", and everything that is not targeted ends up in the system domain. > > So now I want to have a confined login shell with role access to the system a'la: staff_u:staff_r:staff_t -> staff_u:unconfined_r:unconfined_t > > pam_selinux seemingly cannot deal with this scenario as shown above. pam_selinux has many other issues. One of them is its concept of > > "default_type". There is no such thing as a "default_type" and implying that there is a "default_type" causes issues. > > default_type was to support providing a default type to use when only > a role was specified to e.g. newrole or pam_selinux. Not sure that's > a problem. Its also used by pam_selinux env_params (which in turn is used by ssh for "ssh user/role/level@host") The problem is that the default_type for ssh and sudo sessions may differ (ie. default_type is not really a default_type) Ex. joe's default type for sudo might be joe_r:joe_t, but for ssh it might be joe_r:joe_ssh_t > > > There are other issues related to this as well: the env_params option depends on the "context contains" access vector being present. > > It will not work even if you have handle_unknown=allow set. > > Probably needs to be converted to using selinux_check_access(). We hit that same isssue when we revisted mdp a while ago. Removing the env_params was a quick fix for that then. -- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 Dominick Grift [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: strange pam selinux issue 2020-03-04 14:47 ` Dominick Grift @ 2020-03-04 15:19 ` Stephen Smalley 2020-03-04 15:28 ` Dominick Grift 0 siblings, 1 reply; 15+ messages in thread From: Stephen Smalley @ 2020-03-04 15:19 UTC (permalink / raw) To: Stephen Smalley, SElinux list On Wed, Mar 4, 2020 at 9:47 AM Dominick Grift <dominick.grift@defensec.nl> wrote: > Practically yes name-based type transitions but other than that it makes the experience much simpler if you have just one unconfined system domain. > I actually kind of got that idea from you when you mentioned the three domain model. Not sure that was me but whatever. > Its also used by pam_selinux env_params (which in turn is used by ssh for "ssh user/role/level@host") > The problem is that the default_type for ssh and sudo sessions may differ (ie. default_type is not really a default_type) Fair enough; originally it was only used by newrole and only if a type wasn't explicitly specified via -t. Maybe get_default_context_with_role(3) would be better since it can take into account the caller context. > > Probably needs to be converted to using selinux_check_access(). > > We hit that same isssue when we revisted mdp a while ago. Removing the env_params was a quick fix for that then. Well, the right fix is to use selinux_check_access(). ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: strange pam selinux issue 2020-03-04 15:19 ` Stephen Smalley @ 2020-03-04 15:28 ` Dominick Grift 0 siblings, 0 replies; 15+ messages in thread From: Dominick Grift @ 2020-03-04 15:28 UTC (permalink / raw) To: Stephen Smalley; +Cc: SElinux list [-- Attachment #1: Type: text/plain, Size: 1535 bytes --] On Wed, Mar 04, 2020 at 10:19:54AM -0500, Stephen Smalley wrote: > On Wed, Mar 4, 2020 at 9:47 AM Dominick Grift > <dominick.grift@defensec.nl> wrote: > > Practically yes name-based type transitions but other than that it makes the experience much simpler if you have just one unconfined system domain. > > I actually kind of got that idea from you when you mentioned the three domain model. > > Not sure that was me but whatever. That is what I thought when you mentioned it, but I am glad you did because I was a bit too focussed on least privilege. A bit of corner cutting here and there can be a good thing. Besides it is fun to explore alternatives. > > > Its also used by pam_selinux env_params (which in turn is used by ssh for "ssh user/role/level@host") > > The problem is that the default_type for ssh and sudo sessions may differ (ie. default_type is not really a default_type) > > Fair enough; originally it was only used by newrole and only if a type > wasn't explicitly specified via -t. Maybe > get_default_context_with_role(3) > would be better since it can take into account the caller context. > > > > Probably needs to be converted to using selinux_check_access(). > > > > We hit that same isssue when we revisted mdp a while ago. Removing the env_params was a quick fix for that then. > > Well, the right fix is to use selinux_check_access(). -- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 Dominick Grift [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 15+ messages in thread
end of thread, other threads:[~2020-03-05 18:00 UTC | newest] Thread overview: 15+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2020-03-04 7:29 strange pam selinux issue Dominick Grift 2020-03-04 7:42 ` Dominick Grift 2020-03-04 14:22 ` Stephen Smalley 2020-03-04 14:36 ` Dominick Grift 2020-03-04 14:40 ` Dominick Grift 2020-03-04 14:46 ` Stephen Smalley 2020-03-04 15:10 ` Stephen Smalley 2020-03-05 17:33 ` Petr Lautrbach 2020-03-05 17:39 ` Dominick Grift 2020-03-05 17:50 ` Dominick Grift 2020-03-05 18:00 ` Dominick Grift 2020-03-04 14:40 ` Stephen Smalley 2020-03-04 14:47 ` Dominick Grift 2020-03-04 15:19 ` Stephen Smalley 2020-03-04 15:28 ` Dominick Grift
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).