selinux.vger.kernel.org archive mirror
From: Stephen Smalley <sds@tycho.nsa.gov>
To: Ian Pilcher <arequipeno@gmail.com>, selinux@vger.kernel.org
Subject: Re: runcon in enforcing mode
Date: Wed, 30 Jan 2019 16:38:21 -0500
Message-ID: <9034023e-74af-8d08-edbf-8cd48b433075@tycho.nsa.gov>
In-Reply-To: <cc6dec3a-74e0-cf79-c46a-9377b83ccceb@gmail.com>

On 1/30/19 4:21 PM, Ian Pilcher wrote:
> Does $SUBJECT ever work?
> 
> I am trying to figure out why a script is failing when run by
> certmonger (system_u:system_r:certmonger_t:s0), but attempting to run
> any executable is giving me a denial.
> 
> $ sudo runcon system_u:system_r:certmonger_t:s0 /bin/true
> runcon: ‘/bin/true’: Permission denied
> 
> type=AVC msg=audit(1548883146.502:300): avc:  denied  { entrypoint } for 
>   pid=12697 comm="runcon" path="/usr/bin/true" dev="dm-3" ino=2190 
> scontext=system_u:system_r:certmonger_t:s0 
> tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
> 
> Am I doing something wrong?

A key aspect of type enforcement is ensuring that a given domain can 
only be entered via an approved executable and can only execute 
authorized code.  Hence, the entrypoint check.  This means that if you 
want to experiment with running some other program in a domain, you must 
do one of the following:

1) Label the file in question with the authorized type, e.g.
cp /bin/true .
chcon -t certmonger_exec_t true
runcon system_u:system_r:certmonger_t:s0 ./true

2) Create and insert a local policy module allowing entrypoint to the 
type of the file,

-or-

3) Make the domain permissive or set the global enforcing mode to 
permissive.

You may also encounter other denials related to the transition since 
normally certmonger wouldn't be started this way.
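Option 2 above is the one people usually reach for, so here is an added shell example (not part of the thread, and not Stephen's or Ian's code) that turns the AVC denial quoted in the question into the allow rule and the local policy module it would need. The sample denial is the one from the thread re-joined onto a single line; the module name local_certmonger and the checkmodule/semodule_package/semodule invocations are assumptions about how you would build and insert it. The parsing is plain sed/cut, so it runs without an SELinux-enabled host; the install steps are left as comments.

```shell
#!/bin/sh
# Constructed sample: the denial from the thread, re-joined onto one line.
SAMPLE_AVC='type=AVC msg=audit(1548883146.502:300): avc:  denied  { entrypoint } for pid=12697 comm="runcon" path="/usr/bin/true" dev="dm-3" ino=2190 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0'

# Permissions listed between "{ }" after "denied", with trailing space trimmed.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\) *} .*/\1/p' | sed 's/ *$//'
}

# Value of a key=value field (scontext, tcontext, tclass, ...) on the AVC line.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p"
}

# Wrap a permission list in braces only when it has more than one entry.
brace_if_multi() {
    case "$1" in
        *' '*) printf '{ %s }' "$1" ;;
        *)     printf '%s' "$1" ;;
    esac
}

# Build "allow <src> <tgt>:<class> <perms>;" from one AVC line. The SELinux
# type is the third colon-separated field of a security context.
avc_to_allow() {
    src=$(avc_field "$1" scontext | cut -d: -f3)
    tgt=$(avc_field "$1" tcontext | cut -d: -f3)
    cls=$(avc_field "$1" tclass)
    printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$(brace_if_multi "$(avc_perms "$1")")"
}

# Emit a complete .te module (name in $1) with a require block for the types
# and class the rule references, followed by the rule itself.
avc_to_module() {
    src=$(avc_field "$2" scontext | cut -d: -f3)
    tgt=$(avc_field "$2" tcontext | cut -d: -f3)
    cls=$(avc_field "$2" tclass)
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    printf '    type %s;\n    type %s;\n' "$src" "$tgt"
    printf '    class %s %s;\n}\n\n' "$cls" "$(brace_if_multi "$(avc_perms "$2")")"
    avc_to_allow "$2"
}

# Print the module for the thread's denial. Note what it grants: entrypoint
# from every bin_t file, which is much broader than the certmonger_exec_t
# entrypoint the shipped policy intends. Relabeling one copy of the binary
# (option 1 in the reply) keeps the domain's entrypoint narrow.
avc_to_module local_certmonger "$SAMPLE_AVC"

# Build and insert on an SELinux host (assumed workflow, not run here):
#   avc_to_module local_certmonger "$SAMPLE_AVC" > local_certmonger.te
#   checkmodule -M -m -o local_certmonger.mod local_certmonger.te
#   semodule_package -o local_certmonger.pp -m local_certmonger.mod
#   semodule -i local_certmonger.pp
```

Running the script prints the module text; feed a real denial from ausearch or /var/log/audit/audit.log into avc_to_module the same way, and keep a look at the require block before installing so you know exactly which types the rule widens.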



Thread overview: 2+ messages
2019-01-30 21:21 runcon in enforcing mode Ian Pilcher
2019-01-30 21:38 ` Stephen Smalley [this message]
