certmonger post-save scripts & certmonger_unconfined_t domain
by Sam Morris
Certmonger allows for the configuration of a post-save command to be run after it has obtained new certificates. This can be used to copy the key & certificates out of wherever certmonger is allowed to put them, and save them elsewhere with a particular owner/group, combine the certificate & chain into a single file as required by some software, etc.
The problem comes with SELinux which prevents my post-save scripts from being able to do all of that. I thought the solution was to give the scripts the context of certmonger_unconfined_exec_t, which would cause a transition to the certmonger_unconfined_t domain which is as its name suggests unconfined; but I can't get this to work.
I'm trying to use runcon to simulate certmonger executing a fake script:
# cat /tmp/fakescript
#!/bin/bash
set -eu
id -Z
# /tmp/fakescript
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# ls -Z /tmp/fakescript
unconfined_u:object_r:certmonger_unconfined_exec_t:s0 /tmp/fakescript
# runcon system_u:system_r:certmonger_t:s0 /tmp/fakescript
runcon: ‘/tmp/fakescript’: Permission denied
Here is the avc denial:
----
type=PROCTITLE msg=audit(27/04/21 16:16:47.156:153492) : proctitle=runcon system_u:system_r:certmonger_t:s0 /tmp/fakescript
type=SYSCALL msg=audit(27/04/21 16:16:47.156:153492) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x7ffd8aa768ab a1=0x7ffd8aa75888 a2=0x7ffd8aa75898 a3=0x0 items=0 ppid=177795 pid=177796 auid=sam.admin uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts5 ses=103 comm=runcon exe=/usr/bin/runcon subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(27/04/21 16:16:47.156:153492) : avc: denied { entrypoint } for pid=177796 comm=runcon path=/tmp/fakescript dev="dm-0" ino=33563064 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:certmonger_unconfined_exec_t:s0 tclass=file permissive=0
Even though:
# sepolicy transition -s certmonger_t -t certmonger_unconfined_t
certmonger_t @ certmonger_unconfined_exec_t --> certmonger_unconfined_t
Diving in a little deeper, I can see that certmonger can execute the file:
# sesearch -s certmonger_t -t certmonger_unconfined_exec_t -c file -p execute -A
allow certmonger_t certmonger_unconfined_exec_t:file { execute execute_no_trans getattr ioctl map open read };
... and that the file type is an entrypoint for the certmonger_unconfined_t domain:
# sesearch -s certmonger_unconfined_t -t certmonger_unconfined_exec_t -c file -p entrypoint -A
allow certmonger_unconfined_t certmonger_unconfined_exec_t:file { entrypoint execute getattr ioctl lock map open read };
... and that transition is permitted from certmonger_t:
# sesearch -s certmonger_t -t certmonger_unconfined_t -c process -p transition -A
allow certmonger_t certmonger_unconfined_t:process transition;
Which leaves me scratching my head, unsure why it doesn't work in practice...
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
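The three sesearch results above cover the execute, transition and entrypoint rules, but not which domain the kernel evaluates entrypoint against. As an added example (not code from the post, from certmonger or from the SELinux userspace), the model below encodes exactly those rules and replays the checks the kernel makes on execve: runcon sets the new context explicitly through setexeccon(), so entrypoint is checked for the requested certmonger_t rather than for the type_transition target, which is the AVC record shown. Assumed: unconfined_t is modelled as passing every check when it is the source domain.

```python
# Added example: replay the SELinux execve checks with the rules from the post.
# Allow rules as (source, target, class, permission), taken from the sesearch output.
ALLOW = {
    ("certmonger_t", "certmonger_unconfined_exec_t", "file", "execute"),
    ("certmonger_t", "certmonger_unconfined_exec_t", "file", "execute_no_trans"),
    ("certmonger_unconfined_t", "certmonger_unconfined_exec_t", "file", "execute"),
    ("certmonger_unconfined_t", "certmonger_unconfined_exec_t", "file", "entrypoint"),
    ("certmonger_t", "certmonger_unconfined_t", "process", "transition"),
}
# Default domain transition, from the `sepolicy transition` output.
TYPE_TRANSITION = {("certmonger_t", "certmonger_unconfined_exec_t"): "certmonger_unconfined_t"}
# Assumption: unconfined_t is allowed everything as a source domain.
UNCONFINED = {"unconfined_t"}

def allowed(src, tgt, cls, perm):
    return src in UNCONFINED or (src, tgt, cls, perm) in ALLOW

def exec_checks(old_domain, file_type, requested_domain=None):
    """Return (new_domain, checks); checks are (src, tgt, class, perm, ok)
    in the order the kernel evaluates them on execve.
    requested_domain models setexeccon(), which is what runcon calls; when it
    is None the new domain comes from type_transition, or stays the same."""
    new = requested_domain or TYPE_TRANSITION.get((old_domain, file_type), old_domain)
    checks = [(old_domain, file_type, "file", "execute")]   # opening the file for exec
    if new == old_domain:
        checks.append((old_domain, file_type, "file", "execute_no_trans"))
    else:
        checks.append((old_domain, new, "process", "transition"))
        checks.append((new, file_type, "file", "entrypoint"))   # checked for the NEW domain
    return new, [(s, t, c, p, allowed(s, t, c, p)) for s, t, c, p in checks]

def first_denial(old_domain, file_type, requested_domain=None):
    """The first failing check, in the shape an AVC record reports it, or None."""
    _, results = exec_checks(old_domain, file_type, requested_domain)
    for s, t, c, p, ok in results:
        if not ok:
            return {"denied": p, "scontext": s, "tcontext": t, "tclass": c}
    return None

if __name__ == "__main__":
    # The runcon experiment: unconfined_t asks for certmonger_t explicitly.
    print(first_denial("unconfined_t", "certmonger_unconfined_exec_t", "certmonger_t"))
    # certmonger itself running the script: type_transition picks certmonger_unconfined_t.
    print(first_denial("certmonger_t", "certmonger_unconfined_exec_t"))
```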
Re: Patch "selinux: fix race condition when computing ocontext SIDs" has been added to the 5.4-stable tree
by Ondrej Mosnacek
Hi Greg,
On Wed, Dec 15, 2021 at 2:35 PM <gregkh(a)linuxfoundation.org> wrote:
> This is a note to let you know that I've just added the patch titled
>
> selinux: fix race condition when computing ocontext SIDs
>
> to the 5.4-stable tree which can be found at:
> http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=s...
>
> The filename of the patch is:
> selinux-fix-race-condition-when-computing-ocontext-sids.patch
> and it can be found in the queue-5.4 subdirectory.
>
> If you, or anyone else, feels it should not be added to the stable tree,
> please let <stable(a)vger.kernel.org> know about it.
Somehow this notification (and a couple of previous ones) has been
sent to selinux(a)lists.fedoraproject.org instead of
selinux(a)vger.kernel.org, which is the right list for SELinux kernel
development. It's not a big deal, but you might want to check what
went wrong and fix it up :)
--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.