FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora SELinux Support

 
 
LinkBack Thread Tools
 
Old 02-09-2012, 11:59 AM
Edward Ned Harvey
 
Default selinux equivalent of umask or setuid bit

Just like the people who rsh as root into another system, I understand that in many situations you wouldn't want something like this, but hypothetically supposing you did...
*
If there is a directory in your system, and you want all new files created in that directory to inherit the context type of the parent folder, is there a way to do that?* Something like the selinux equivalent of the setgid bit?
or...
If you are going to do something a moment from now which will create some files, and you want them to be created with a specific context type, is there a way to do that?* Something like the selinux equivalent of umask?
*
The situation is this:* I'm supporting a web hosting company who uses drupal, and they're constantly adding & removing plugins via drush.* Since this is a non-OS-specific application, it doesn't know anything about how it should set the context on files it creates.* Fortunately, (!) my client has been hacked before, so they're extremely cautious when it comes to ignoring selinux practices.* They are manually changing the context of all these files, which is tedious.* But at least they're doing it.
*
I'm hoping for a better way, and since my knowledge is pretty much limited to the light saber book, I don't recall any mention of anything like this.
*
Thanks for any suggestions...
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 02-09-2012, 01:27 PM
Dominick Grift
 
Default selinux equivalent of umask or setuid bit

On Thu, 2012-02-09 at 07:59 -0500, Edward Ned Harvey wrote:

>
> If there is a directory in your system, and you want all new files
> created in that directory to inherit the context type of the parent
> folder, is there a way to do that? Something like the selinux
> equivalent of the setgid bit?


Yes, This is the default behaviour:

[dominick@x220 ~]$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[dominick@x220 ~]$ mkdir test
[dominick@x220 ~]$ ls -dZ test
drwxrwxr-x. dominick dominick unconfined_ubject_r:user_home_t:s0 test
[dominick@x220 ~]$ touch test/test
[dominick@x220 ~]$ ls -alZ test
drwxrwxr-x. dominick dominick unconfined_ubject_r:user_home_t:s0 .
drwx------. dominick dominick
unconfined_ubject_r:user_home_dir_t:s0 ..
-rw-rw-r--. dominick dominick unconfined_ubject_r:user_home_t:s0 test
[dominick@x220 ~]$

Note that when a process with type unconfined_t creates a file (test) in
a directory with type user_home_t, that this file inherits the type of
the parent directory (user_home_t)

> or...
>
> If you are going to do something a moment from now which will create
> some files, and you want them to be created with a specific context
> type, is there a way to do that? Something like the selinux
> equivalent of umask?

Yes, It is called a "type_transition". This behavior needs to be
specified and it depends on the process type creating the object, the
type of the directory where this object is created in.

Examples:

default behavior:

allow a process with type myprocess1_t to create a file in a directory
with type user_home_t:

# Add a directory entry to directories with type user_home_t
allow process1_t user_home_t:dir { getattr search open lock ioctl write
add_name };

# Create a file with type user_home_t
allow process1_t user_home_t:file { getattr create open };

allow a process with type myprocess2_t to create a file in a directory
with type myfile_t in a directory with type user_home_t using a type
transition.

# Add a directory entry to directories with type user_home_t.
allow process2_t user_home_t:dir { getattr search open lock ioctl write
add_name };

# When a process with type process2_t creates a file in a directory with
type user_home_t, then create that file with type myfile_t using a type
transition.
type_transition process2_t user_home_t:file myfile_t;

# Create a file with type myfile_t.
allow process2_t myfile_t:file { getattr create open };

>
>
>
> The situation is this: I'm supporting a web hosting company who uses
> drupal, and they're constantly adding & removing plugins via drush.
> Since this is a non-OS-specific application, it doesn't know anything
> about how it should set the context on files it creates. Fortunately,
> (!) my client has been hacked before, so they're extremely cautious
> when it comes to ignoring selinux practices. They are manually
> changing the context of all these files, which is tedious. But at
> least they're doing it.

So these rules depend on they type of the source (the process creating
the file) and the type of the directory where the target object is
created in.

If you have a single process type that needs to be able to create both
files with a type that is inherited from its parent and files with a
private tyoe using a type transition in a single directory then there is
a conflict in older SELinux configurations.

A possible solution for this is to create a separate directory with a
separate type for content that needs to be created with a type
transition. Although if you are able to do that then you may not need a
type transition rule anymore.

In recent SELinux configurations this is not needed because it supports
a thing called "named file transitions". This is the same as type
transitions except that it also takes a name of the object to be
created.

This allows you to specify for example that:

1. if a process with type myprocess1_t creates a file with name "file1"
in a directory with user_home_t, then create the file with type myfile_t
using a type transition.

2. if a process with type myprocess1_t creates a file with name "file2"
in a directory with user_home_t, then create the file with type
yourfile_t using a type transition.

Would look something like this:

# Add a directory entry to directories with type user_home_t.
allow process1_t user_home_t:dir { getattr search open lock ioctl write
add_name };

# When a process with type process1_t creates a file with name "file1"
in a directory with type user_home_t, then create that file with type
myfile_t using a type transition.
type_transition process1_t user_home_t:file myfile_t "file1";

# Create a file with type myfile_t.
allow process1_t myfile_t:file { getattr create open };

# When a process with type process1_t creates a file with name "file2"
in a directory with type user_home_t, then create that file with type
yourfile_t using a type transition.
type_transition process1_t user_home_t:file yourfile_t "file2";

# Create a file with type yourfile_t.
allow process1_t yourfile_t:file { getattr create open };

>
>
> I'm hoping for a better way, and since my knowledge is pretty much
> limited to the light saber book, I don't recall any mention of
> anything like this.
>
>
>
> Thanks for any suggestions...

Your options depend on the properties of your environment.

>
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux


--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 02-09-2012, 03:18 PM
Stephen Smalley
 
Default selinux equivalent of umask or setuid bit

On Thu, 2012-02-09 at 07:59 -0500, Edward Ned Harvey wrote:
> Just like the people who rsh as root into another system, I understand
> that in many situations you wouldn't want something like this, but
> hypothetically supposing you did...
>
>
>
> If there is a directory in your system, and you want all new files
> created in that directory to inherit the context type of the parent
> folder, is there a way to do that? Something like the selinux
> equivalent of the setgid bit?

That's the default behavior.

> or...
>
> If you are going to do something a moment from now which will create
> some files, and you want them to be created with a specific context
> type, is there a way to do that? Something like the selinux
> equivalent of umask?

That would be setfscreatecon(3) in libselinux. Specifies the security
context to set on subsequent file creations.

--
Stephen Smalley
National Security Agency

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 02-09-2012, 03:21 PM
Stephen Smalley
 
Default selinux equivalent of umask or setuid bit

On Thu, 2012-02-09 at 07:59 -0500, Edward Ned Harvey wrote:

> The situation is this: I'm supporting a web hosting company who uses
> drupal, and they're constantly adding & removing plugins via drush.
> Since this is a non-OS-specific application, it doesn't know anything
> about how it should set the context on files it creates. Fortunately,
> (!) my client has been hacked before, so they're extremely cautious
> when it comes to ignoring selinux practices. They are manually
> changing the context of all these files, which is tedious. But at
> least they're doing it.

Given that it doesn't know the actual context it wants to use, perhaps
it should just invoke restorecon on the files or use the
selinux_lsetfilecon_default(3) API after creating them. That will look
up the policy-specified context (from the file_contexts configuration)
and apply it.

--
Stephen Smalley
National Security Agency

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 

Thread Tools




All times are GMT. The time now is 10:32 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org