SELinux Archive on lore.kernel.org
* runcon in enforcing mode
@ 2019-01-30 21:21 Ian Pilcher
  2019-01-30 21:38 ` Stephen Smalley
From: Ian Pilcher @ 2019-01-30 21:21 UTC (permalink / raw)
  To: selinux

Does $SUBJECT ever work?

I am trying to figure out why a script is failing when run by
certmonger (system_u:system_r:certmonger_t:s0), but attempting to run
any executable is giving me a denial.

$ sudo runcon system_u:system_r:certmonger_t:s0 /bin/true
runcon: ‘/bin/true’: Permission denied

type=AVC msg=audit(1548883146.502:300): avc:  denied  { entrypoint } for 
  pid=12697 comm="runcon" path="/usr/bin/true" dev="dm-3" ino=2190 
scontext=system_u:system_r:certmonger_t:s0 
tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0

Am I doing something wrong?

-- 
========================================================================
Ian Pilcher                                         arequipeno@gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================


* Re: runcon in enforcing mode
  2019-01-30 21:21 runcon in enforcing mode Ian Pilcher
@ 2019-01-30 21:38 ` Stephen Smalley
From: Stephen Smalley @ 2019-01-30 21:38 UTC (permalink / raw)
  To: Ian Pilcher, selinux

On 1/30/19 4:21 PM, Ian Pilcher wrote:
> Does $SUBJECT ever work?
> 
> I am trying to figure out why a script is failing when run by
> certmonger (system_u:system_r:certmonger_t:s0), but attempting to run
> any executable is giving me a denial.
> 
> $ sudo runcon system_u:system_r:certmonger_t:s0 /bin/true
> runcon: ‘/bin/true’: Permission denied
> 
> type=AVC msg=audit(1548883146.502:300): avc:  denied  { entrypoint } for 
>   pid=12697 comm="runcon" path="/usr/bin/true" dev="dm-3" ino=2190 
> scontext=system_u:system_r:certmonger_t:s0 
> tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
> 
> Am I doing something wrong?

A key aspect of type enforcement is ensuring that a given domain can 
only be entered via an approved executable and can only execute 
authorized code.  Hence, the entrypoint check.  This means that if you 
want to experiment with running some other program in a domain, you must 
do one of the following:

1) Label the file in question with the authorized type, e.g.
cp /bin/true .
chcon -t certmonger_exec_t true
runcon system_u:system_r:certmonger_t:s0 ./true

2) Create and insert a local policy module allowing entrypoint to the 
type of the file,

-or-

3) Make the domain permissive or set the global enforcing mode to 
permissive.

You may also encounter other denials related to the transition since 
normally certmonger wouldn't be started this way.


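One way to carry out Stephen's option 2 (a local policy module granting entrypoint on the file's type), as an added example that is not part of the thread and not certmonger's or any distribution's own policy. The module name local_certmonger_entry and the temp-dir handling are my assumptions; the permission set follows what the reference policy's domain_entry_file() interface grants to a domain on its entrypoint files.

```shell
#!/bin/sh
# Added example: build and load a local SELinux module so that a domain
# (default certmonger_t, from the thread's AVC) may be entered through
# executables of a given type (default bin_t). Requires checkmodule,
# semodule_package and semodule from policycoreutils to actually load it.
set -eu

# Emit Type Enforcement (.te) source for the module. Arguments: domain,
# executable file type, module name. The allow rule carries entrypoint plus
# the read/execute/map permissions the domain needs on its own entry file.
gen_entrypoint_te() {
    domain=$1; exec_type=$2; module=$3
    cat <<EOF
module ${module} 1.0;

require {
    type ${domain};
    type ${exec_type};
    class file { entrypoint execute read open getattr map };
}

# Let ${domain} be entered via files labelled ${exec_type}. The process
# transition from the caller's domain is a separate rule not covered here.
allow ${domain} ${exec_type}:file { entrypoint execute read open getattr map };
EOF
}

# Compile the .te to a .mod, package it as a .pp, and insert it into the
# running policy. Arguments as for gen_entrypoint_te.
build_and_load() {
    domain=$1; exec_type=$2; module=$3
    workdir=$(mktemp -d)
    gen_entrypoint_te "$domain" "$exec_type" "$module" > "$workdir/$module.te"
    checkmodule -M -m -o "$workdir/$module.mod" "$workdir/$module.te"
    semodule_package -o "$workdir/$module.pp" -m "$workdir/$module.mod"
    semodule -i "$workdir/$module.pp"
    rm -rf "$workdir"
}

# Only touch the live policy when explicitly asked (run as root):
#   sh ./entrypoint-module.sh --install
if [ "${1:-}" = "--install" ]; then
    build_and_load certmonger_t bin_t local_certmonger_entry
fi
```

Once the experiment is over, `semodule -r local_certmonger_entry` drops the rule again; as Stephen notes, runcon may still hit other denials on the transition itself, which this module does not address.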
