08-26-2011, 06:51 PM
Miroslav Grepl

sshd constraint violation issue

Together with Dan Walsh, Jan Chadima we made some changes in the openssh
package.

But we have the following issue with the following code

...

if (internal-sftp)          /* in-process sftp subsystem path */
    setuid()                /* drop to the user's uid first */
    getexeccon(&scon)       /* libselinux getexeccon(3): the context set earlier with setexeccon(3) */
    setcon(scon)            /* requests process:dyntransition from sshd_t to scon */
    freecon(scon)

...

We have

allow sshd_t unpriv_userdomain:process dyntransition;

rule but we get a constraint violation with the following AVC msg

type=AVC msg=audit(1314348650.561:7910): avc: denied { dyntransition } for pid=555 comm="sshd" scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0

because of

constrain process dyntransition
(
u1 == u2 and r1 == r2
)

My question is why dyntrans is not allowed to change USER or ROLE.


https://bugzilla.redhat.com/show_bug.cgi?id=729648

Regards,
Miroslav
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

08-29-2011, 12:33 PM
Stephen Smalley

sshd constraint violation issue

On Fri, 2011-08-26 at 20:51 +0200, Miroslav Grepl wrote:
> Together with Dan Walsh, Jan Chadima we made some changes in the openssh
> package.
>
> But we have the following issue with the following code
>
> ...
>
> if (internal-sftp)
> setuid()
> getexecon(&scon)
> setcon(scon)
> freecon(scon)
>
> ...
>
> We have
>
> allow sshd_t unpriv_userdomain:process dyntransition;
>
> rule but we get a constraint violation with the following AVC msg
>
> type=AVC msg=audit(1314348650.561:7910): avc: denied { dyntransition }
> for
> pid=555 comm="sshd"
> scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023
> tcontext=staff_u:staff_r:staff_t:s0
>
> because of
>
> constrain process dyntransition
> (
> u1 == u2 and r1 == r2
> )
>
> My question is why dyntrans is not allowed to change USER or ROLE.
>
>
> https://bugzilla.redhat.com/show_bug.cgi?id=729648

I think just because we haven't previously had a system program using
setcon(3) to switch its user/role.

--
Stephen Smalley
National Security Agency


08-29-2011, 02:38 PM
Daniel J Walsh

sshd constraint violation issue

On 08/29/2011 11:10 AM, Miroslav Grepl wrote:
> On 08/29/2011 12:52 PM, Christopher J. PeBenito wrote:
>> On 08/29/11 08:33, Stephen Smalley wrote:
>>> On Fri, 2011-08-26 at 20:51 +0200, Miroslav Grepl wrote:
>>>> Together with Dan Walsh, Jan Chadima we made some changes in
>>>> the openssh package.
>>>>
>>>> But we have the following issue with the following code
>>>>
>>>> ...
>>>>
>>>> if (internal-sftp) setuid() getexecon(&scon) setcon(scon)
>>>> freecon(scon)
>>>>
>>>> ...
>>>>
>>>> We have
>>>>
>>>> allow sshd_t unpriv_userdomain:process dyntransition;
>>>>
>>>> rule but we get a constraint violation with the following AVC
>>>> msg
>>>>
>>>> type=AVC msg=audit(1314348650.561:7910): avc: denied {
>>>> dyntransition } for pid=555 comm="sshd"
>>>> scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023
>>>> tcontext=staff_u:staff_r:staff_t:s0
>>>>
>>>> because of
>>>>
>>>> constrain process dyntransition ( u1 == u2 and r1 == r2 )
>>>>
>>>> My question is why dyntrans is not allowed to change USER or
>>>> ROLE.
>>>>
>>>>
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=729648
>>> I think just because we haven't previously had a system program
>>> using setcon(3) to switch its user/role.
>> Also because the theory we would be reproducing privilege
>> bracketed domains, so you'd be going to a different privilege in
>> eg httpd_t -> httpd_mycgi_t, and that would not require user or
>> role changes.
>>
> Ok, I understand. Thanks.
>
> Could we add an attribute to break this?


Or say it is ok for a userdomain?



08-29-2011, 02:43 PM
Stephen Smalley

sshd constraint violation issue

On Mon, 2011-08-29 at 10:36 -0400, Christopher J. PeBenito wrote:
> On 08/29/11 11:10, Miroslav Grepl wrote:
> > On 08/29/2011 12:52 PM, Christopher J. PeBenito wrote:
> >> On 08/29/11 08:33, Stephen Smalley wrote:
> >>> On Fri, 2011-08-26 at 20:51 +0200, Miroslav Grepl wrote:
> >>>> Together with Dan Walsh, Jan Chadima we made some changes in the
> >>>> openssh
> >>>> package.
> >>>>
> >>>> But we have the following issue with the following code
> >>>>
> >>>> ...
> >>>>
> >>>> if (internal-sftp)
> >>>> setuid()
> >>>> getexecon(&scon)
> >>>> setcon(scon)
> >>>> freecon(scon)
> >>>>
> >>>> ...
> >>>>
> >>>> We have
> >>>>
> >>>> allow sshd_t unpriv_userdomain:process dyntransition;
> >>>>
> >>>> rule but we get a constraint violation with the following AVC msg
> >>>>
> >>>> type=AVC msg=audit(1314348650.561:7910): avc: denied {
> >>>> dyntransition }
> >>>> for
> >>>> pid=555 comm="sshd"
> >>>> scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023
> >>>> tcontext=staff_u:staff_r:staff_t:s0
> >>>>
> >>>> because of
> >>>>
> >>>> constrain process dyntransition
> >>>> (
> >>>> u1 == u2 and r1 == r2
> >>>> )
> >>>>
> >>>> My question is why dyntrans is not allowed to change USER or ROLE.
> >>>>
> >>>>
> >>>> https://bugzilla.redhat.com/show_bug.cgi?id=729648
> >>> I think just because we haven't previously had a system program using
> >>> setcon(3) to switch its user/role.
> >> Also because the theory we would be reproducing privilege bracketed
> >> domains, so you'd be going to a different privilege in eg httpd_t ->
> >> httpd_mycgi_t, and that would not require user or role changes.
> >>
> > Ok, I understand. Thanks.
> >
> > Could we add an attribute to break this?
>
> Yes, we could add one. The question is if we want the same attribute as
> the regular transition or a new one. i.e. I'm thinking
>
> constrain process dyntransition
> (
> u1 == u2
> or ( t1 == can_change_process_identity and t2 == process_user_target )
> );
>
> constrain process dyntransition
> (
> r1 == r2
> or ( t1 == can_change_process_identity and t2 == process_user_target )
> );
>
> do we want can_change_process_identity attribute or a new one?

If so, then might as well just coalesce into the existing constraint on
transition permission.

--
Stephen Smalley
National Security Agency


08-29-2011, 02:45 PM
Daniel J Walsh

sshd constraint violation issue

On 08/29/2011 10:38 AM, Daniel J Walsh wrote:
> On 08/29/2011 11:10 AM, Miroslav Grepl wrote:
>> On 08/29/2011 12:52 PM, Christopher J. PeBenito wrote:
>>> On 08/29/11 08:33, Stephen Smalley wrote:
>>>> On Fri, 2011-08-26 at 20:51 +0200, Miroslav Grepl wrote:
>>>>> Together with Dan Walsh, Jan Chadima we made some changes
>>>>> in the openssh package.
>>>>>
>>>>> But we have the following issue with the following code
>>>>>
>>>>> ...
>>>>>
>>>>> if (internal-sftp) setuid() getexecon(&scon) setcon(scon)
>>>>> freecon(scon)
>>>>>
>>>>> ...
>>>>>
>>>>> We have
>>>>>
>>>>> allow sshd_t unpriv_userdomain:process dyntransition;
>>>>>
>>>>> rule but we get a constraint violation with the following
>>>>> AVC msg
>>>>>
>>>>> type=AVC msg=audit(1314348650.561:7910): avc: denied {
>>>>> dyntransition } for pid=555 comm="sshd"
>>>>> scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023
>>>>> tcontext=staff_u:staff_r:staff_t:s0
>>>>>
>>>>> because of
>>>>>
>>>>> constrain process dyntransition ( u1 == u2 and r1 == r2 )
>>>>>
>>>>> My question is why dyntrans is not allowed to change USER
>>>>> or ROLE.
>>>>>
>>>>>
>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=729648
>>>> I think just because we haven't previously had a system
>>>> program using setcon(3) to switch its user/role.
>>> Also because the theory we would be reproducing privilege
>>> bracketed domains, so you'd be going to a different privilege
>>> in eg httpd_t -> httpd_mycgi_t, and that would not require user
>>> or role changes.
>>>
>> Ok, I understand. Thanks.
>
>> Could we add an attribute to break this?
>
>
> Or say it is ok for a userdomain?

constrain process dyntransition
(
(u1 == u2 and r1 == r2) or t2 == unpriv_userdomain
);
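How the constraint decides this denial, as an added example (not code from the thread, from libselinux or from refpolicy): the script parses the AVC line quoted at the top of the thread, then evaluates three candidate `constrain process dyntransition` expressions against the source and target contexts: the stock refpolicy constraint, the attribute-based pair PeBenito proposed (quoted in Stephen Smalley's reply) and the `t2 == unpriv_userdomain` variant in Dan's post above. The attribute memberships in ATTRS are assumed for illustration (only the attribute names come from the thread), and the httpd_t -> httpd_mycgi_t line is constructed to show the privilege-bracketing case that the original constraint was written for.

```python
"""Evaluate SELinux constraint expressions against the contexts in an AVC.

Added example for this thread; not code from the thread, libselinux or
refpolicy. Attribute membership in ATTRS is assumed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    mls: str = ""

    @classmethod
    def parse(cls, text):
        # user:role:type[:mls]; the MLS field may itself contain ':'
        user, role, type_, *rest = text.split(":", 3)
        return cls(user, role, type_, rest[0] if rest else "")


AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)",
    re.S,
)


def parse_avc(line):
    """Return (permissions, source context, target context) from an AVC line."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial: %r" % line)
    return m["perms"].split(), Context.parse(m["s"]), Context.parse(m["t"])


# Assumed attribute membership; on a real system it comes from the loaded
# policy (e.g. `seinfo -a unpriv_userdomain -x`).
ATTRS = {
    "unpriv_userdomain": {"staff_t", "user_t"},
    "can_change_process_identity": {"sshd_t", "login_t"},
    "process_user_target": {"staff_t", "user_t"},
}


def has_attr(type_name, attr):
    return type_name in ATTRS.get(attr, set())


# Each function models one 'constrain process dyntransition (...)' expression:
# True means the transition passes the constraint, False means it is denied
# even though an allow rule for sshd_t -> staff_t exists.
def constraint_original(s, t):
    # refpolicy as shipped: u1 == u2 and r1 == r2
    return s.user == t.user and s.role == t.role


def constraint_attribute(s, t):
    # PeBenito's proposal: two constraints, one on the user and one on the
    # role, both enforced, each with the same attribute-based escape.
    escape = (has_attr(s.type, "can_change_process_identity")
              and has_attr(t.type, "process_user_target"))
    return (s.user == t.user or escape) and (s.role == t.role or escape)


def constraint_userdomain(s, t):
    # Walsh's proposal: (u1 == u2 and r1 == r2) or t2 == unpriv_userdomain
    return ((s.user == t.user and s.role == t.role)
            or has_attr(t.type, "unpriv_userdomain"))


CONSTRAINTS = {
    "refpolicy_original": constraint_original,
    "attribute_escape": constraint_attribute,
    "target_userdomain": constraint_userdomain,
}


def evaluate(avc_line):
    """Map each candidate constraint to whether it permits the AVC's transition."""
    perms, s, t = parse_avc(avc_line)
    if "dyntransition" not in perms:
        raise ValueError("these constraints model process:dyntransition only")
    return {name: fn(s, t) for name, fn in CONSTRAINTS.items()}


# The denial quoted in the thread: both user and role change.
SSHD_AVC = (
    'type=AVC msg=audit(1314348650.561:7910): avc: denied { dyntransition } for '
    'pid=555 comm="sshd" scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'tcontext=staff_u:staff_r:staff_t:s0'
)

# Constructed AVC-format line for the privilege-bracketing case PeBenito
# describes (httpd_t -> httpd_mycgi_t): same user and role, only the type changes.
CGI_AVC = (
    'type=AVC msg=audit(1314348700.000:7911): avc: denied { dyntransition } for '
    'pid=777 comm="httpd" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:system_r:httpd_mycgi_t:s0 tclass=process'
)

if __name__ == "__main__":
    for label, line in (("sshd_t -> staff_t", SSHD_AVC), ("httpd_t -> httpd_mycgi_t", CGI_AVC)):
        print(label, evaluate(line))
```

The sshd line fails only the original constraint and passes both proposals; the httpd line passes all three, which is the point PeBenito makes about why the constraint was written that way. On a real system a constraint violation is indistinguishable from a missing allow rule in the audit log, so check the allow rule first (`sesearch -A -s sshd_t -t staff_t -c process -p dyntransition`) and then the compiled constraints (`seinfo --constrain` in setools 4); audit2allow also marks such denials with a "constraint violation" comment instead of generating a rule.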

08-29-2011, 02:47 PM
Daniel J Walsh

sshd constraint violation issue

On 08/29/2011 10:43 AM, Stephen Smalley wrote:
> On Mon, 2011-08-29 at 10:36 -0400, Christopher J. PeBenito wrote:
>> On 08/29/11 11:10, Miroslav Grepl wrote:
>>> On 08/29/2011 12:52 PM, Christopher J. PeBenito wrote:
>>>> On 08/29/11 08:33, Stephen Smalley wrote:
>>>>> On Fri, 2011-08-26 at 20:51 +0200, Miroslav Grepl wrote:
>>>>>> Together with Dan Walsh, Jan Chadima we made some changes
>>>>>> in the openssh package.
>>>>>>
>>>>>> But we have the following issue with the following code
>>>>>>
>>>>>> ...
>>>>>>
>>>>>> if (internal-sftp) setuid() getexecon(&scon)
>>>>>> setcon(scon) freecon(scon)
>>>>>>
>>>>>> ...
>>>>>>
>>>>>> We have
>>>>>>
>>>>>> allow sshd_t unpriv_userdomain:process dyntransition;
>>>>>>
>>>>>> rule but we get a constraint violation with the following
>>>>>> AVC msg
>>>>>>
>>>>>> type=AVC msg=audit(1314348650.561:7910): avc: denied {
>>>>>> dyntransition } for pid=555 comm="sshd"
>>>>>> scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023
>>>>>> tcontext=staff_u:staff_r:staff_t:s0
>>>>>>
>>>>>> because of
>>>>>>
>>>>>> constrain process dyntransition ( u1 == u2 and r1 == r2
>>>>>> )
>>>>>>
>>>>>> My question is why dyntrans is not allowed to change USER
>>>>>> or ROLE.
>>>>>>
>>>>>>
>>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=729648
>>>>> I think just because we haven't previously had a system
>>>>> program using setcon(3) to switch its user/role.
>>>> Also because the theory we would be reproducing privilege
>>>> bracketed domains, so you'd be going to a different privilege
>>>> in eg httpd_t -> httpd_mycgi_t, and that would not require
>>>> user or role changes.
>>>>
>>> Ok, I understand. Thanks.
>>>
>>> Could we add an attribute to break this?
>>
>> Yes, we could add one. The question is if we want the same
>> attribute as the regular transition or a new one. i.e. I'm
>> thinking
>>
>> constrain process dyntransition ( u1 == u2 or ( t1 ==
>> can_change_process_identity and t2 == process_user_target ) );
>>
>> constrain process dyntransition ( r1 == r2 or ( t1 ==
>> can_change_process_identity and t2 == process_user_target ) );
>>
>> do we want can_change_process_identity attribute or a new one?
>
> If so, then might as well just coalesce into the existing
> constraint on transition permission.
>


Ok I like Stephen's better.

08-29-2011, 03:10 PM
Miroslav Grepl

sshd constraint violation issue

On 08/29/2011 12:52 PM, Christopher J. PeBenito wrote:
> On 08/29/11 08:33, Stephen Smalley wrote:
>> On Fri, 2011-08-26 at 20:51 +0200, Miroslav Grepl wrote:
>>> Together with Dan Walsh, Jan Chadima we made some changes in the openssh
>>> package.
>>>
>>> But we have the following issue with the following code
>>>
>>> ...
>>>
>>> if (internal-sftp)
>>> setuid()
>>> getexecon(&scon)
>>> setcon(scon)
>>> freecon(scon)
>>>
>>> ...
>>>
>>> We have
>>>
>>> allow sshd_t unpriv_userdomain:process dyntransition;
>>>
>>> rule but we get a constraint violation with the following AVC msg
>>>
>>> type=AVC msg=audit(1314348650.561:7910): avc: denied { dyntransition }
>>> for
>>> pid=555 comm="sshd"
>>> scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023
>>> tcontext=staff_u:staff_r:staff_t:s0
>>>
>>> because of
>>>
>>> constrain process dyntransition
>>> (
>>> u1 == u2 and r1 == r2
>>> )
>>>
>>> My question is why dyntrans is not allowed to change USER or ROLE.
>>>
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=729648
>> I think just because we haven't previously had a system program using
>> setcon(3) to switch its user/role.
> Also because the theory we would be reproducing privilege bracketed
> domains, so you'd be going to a different privilege in eg httpd_t ->
> httpd_mycgi_t, and that would not require user or role changes.
>
Ok, I understand. Thanks.

Could we add an attribute to break this?