certmonger post-save scripts & certmonger_unconfined_t domain
by Sam Morris
Certmonger allows for the configuration of a post-save command to be run after it has obtained new certificates. This can be used to copy the key & certificates out of wherever certmonger is allowed to put them, and save them elsewhere with a particular owner/group, combine the certificate & chain into a single file as required by some software, etc.
The problem comes with SELinux, which prevents my post-save scripts from being able to do all of that. I thought the solution was to give the scripts the context of certmonger_unconfined_exec_t, which would cause a transition to the certmonger_unconfined_t domain, which is, as its name suggests, unconfined; but I can't get this to work.
I'm trying to use runcon to simulate certmonger executing a fake script:
# cat /tmp/fakescript
#!/bin/bash
set -eu
id -Z
# /tmp/fakescript
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# ls -Z /tmp/fakescript
unconfined_u:object_r:certmonger_unconfined_exec_t:s0 /tmp/fakescript
# runcon system_u:system_r:certmonger_t:s0 /tmp/fakescript
runcon: ‘/tmp/fakescript’: Permission denied
Here is the avc denial:
----
type=PROCTITLE msg=audit(27/04/21 16:16:47.156:153492) : proctitle=runcon system_u:system_r:certmonger_t:s0 /tmp/fakescript
type=SYSCALL msg=audit(27/04/21 16:16:47.156:153492) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x7ffd8aa768ab a1=0x7ffd8aa75888 a2=0x7ffd8aa75898 a3=0x0 items=0 ppid=177795 pid=177796 auid=sam.admin uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts5 ses=103 comm=runcon exe=/usr/bin/runcon subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(27/04/21 16:16:47.156:153492) : avc: denied { entrypoint } for pid=177796 comm=runcon path=/tmp/fakescript dev="dm-0" ino=33563064 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:certmonger_unconfined_exec_t:s0 tclass=file permissive=0
Even though:
# sepolicy transition -s certmonger_t -t certmonger_unconfined_t
certmonger_t @ certmonger_unconfined_exec_t --> certmonger_unconfined_t
Diving in a little deeper, I can see that certmonger can execute the file:
# sesearch -s certmonger_t -t certmonger_unconfined_exec_t -c file -p execute -A
allow certmonger_t certmonger_unconfined_exec_t:file { execute execute_no_trans getattr ioctl map open read };
... and that the file type is an entrypoint for the certmonger_unconfined_t domain:
# sesearch -s certmonger_unconfined_t -t certmonger_unconfined_exec_t -c file -p entrypoint -A
allow certmonger_unconfined_t certmonger_unconfined_exec_t:file { entrypoint execute getattr ioctl lock map open read };
... and that transition is permitted from certmonger_t:
# sesearch -s certmonger_t -t certmonger_unconfined_t -c process -p transition -A
allow certmonger_t certmonger_unconfined_t:process transition;
Which leaves me scratching my head, unsure why it doesn't work in practice...
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
Postfix with home dirs on GPFS
by Luke Sudbery
Hello,
With home directories on IBM Spectrum Scale and selinux enabled, postfix is unable to deliver locally. This is using RHELS8.3.
Postfix logs:
May 27 10:23:20 host-name postfix/local[1245962]: A1219F9E: to=<username(a)host-name.localdomain<mailto:username@host-name.localdomain>>, orig_to=<username>, relay=local, delay=0.03, delays=0.01/0.01/0/0.01, dsn=5.2.0, status=bounced (cannot update mailbox /gpfs-fs/homes/u/username/Mailbox for user username. unable to create lock file /gpfs-fs/homes/u/username/Mailbox.lock: Permission denied)
Although the actual problem is that it can't/doesn't read ~/.forward to know where to really send the mail.
Selinux audit logs show:
type=AVC msg=audit(1622111726.610:10854499): avc: denied { search } for pid=1315267 comm="local" name="/" dev="gpfs" ino=3 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1622111726.610:10854499): arch=c000003e syscall=6 success=no exit=-13 a0=561f9a316390 a1=7ffdc7e109c0 a2=7ffdc7e109c0 a3=0 items=0 ppid=3375 pid=1315267 auid=4294967295 uid=0 gid=0 euid=606178 suid=0 fsuid=606178 egid=100 sgid=0 fsgid=100 tty=(none) ses=4294967295 comm="local" exe="/usr/libexec/postfix/local" subj=system_u:system_r:postfix_local_t:s0 key=(null)ARCH=x86_64 SYSCALL=lstat AUID="unset" UID="root" GID="root" EUID="username" SUID="root" FSUID="username" EGID="users" SGID="root" FSGID="users"
type=AVC msg=audit(1622111726.611:10854500): avc: denied { search } for pid=1315267 comm="local" name="/" dev="gpfs" ino=3 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1622111726.611:10854500): arch=c000003e syscall=4 success=no exit=-13 a0=561f9a3165c0 a1=7ffdc7e109c0 a2=7ffdc7e109c0 a3=0 items=0 ppid=3375 pid=1315267 auid=4294967295 uid=0 gid=0 euid=606178 suid=0 fsuid=606178 egid=100 sgid=0 fsgid=100 tty=(none) ses=4294967295 comm="local" exe="/usr/libexec/postfix/local" subj=system_u:system_r:postfix_local_t:s0 key=(null)ARCH=x86_64 SYSCALL=stat AUID="unset" UID="root" GID="root" EUID="username" SUID="root" FSUID="username" EGID="users" SGID="root" FSGID="users"
type=AVC msg=audit(1622111726.611:10854501): avc: denied { search } for pid=1315267 comm="local" name="/" dev="gpfs" ino=3 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1622111726.611:10854501): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=561f9a316600 a2=c1 a3=0 items=0 ppid=3375 pid=1315267 auid=4294967295 uid=0 gid=0 euid=606178 suid=0 fsuid=606178 egid=100 sgid=0 fsgid=100 tty=(none) ses=4294967295 comm="local" exe="/usr/libexec/postfix/local" subj=system_u:system_r:postfix_local_t:s0 key=(null)ARCH=x86_64 SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="username" SUID="root" FSUID="username" EGID="users" SGID="root" FSGID="users"
audit2allow shows:
[root@host-name audit]# audit2allow -w -a
type=AVC msg=audit(1622111726.610:10854499): avc: denied { search } for pid=1315267 comm="local" name="/" dev="gpfs" ino=3 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1622111726.611:10854500): avc: denied { search } for pid=1315267 comm="local" name="/" dev="gpfs" ino=3 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1622111726.611:10854501): avc: denied { search } for pid=1315267 comm="local" name="/" dev="gpfs" ino=3 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
[root@host-name audit]# audit2allow -a
#============= postfix_local_t ==============
allow postfix_local_t unlabeled_t:dir search;
[root@host-name audit]#
Creating a module using these rules fixes the problem.
I've also tested creating a user with a home directory with GPFS stopped, and using the same path that a GPFS user would have. This worked without any selinux changes, and implies this is a problem with home dirs on GPFS, rather than just the path itself.
Should this be reported as a selinux bug?
Many thanks,
Luke
--
Luke Sudbery
Architecture, Infrastructure and Systems
Advanced Research Computing, IT Services
Room 132, Computer Centre G5, Elms Road
Please note I don't work on Monday.
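Both threads above turn on reading an AVC record correctly: in Sam's denial the scontext is certmonger_t, the domain runcon asked to enter, so the failed check is whether certmonger_unconfined_exec_t is an entrypoint for certmonger_t (not the certmonger_t to certmonger_unconfined_t transition that sepolicy reported); in Luke's denial the target is unlabeled_t, which points at filesystem labeling rather than a missing postfix rule. The parser below is an added example (not code from either poster): it extracts the permission, source/target types and device from an AVC line, prints the sesearch queries that would confirm the relevant rule, and flags the two patterns just described. The two input lines are copies of denials quoted in the posts.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed copies of two denials quoted in the posts above.
CERTMONGER_AVC = ('type=AVC msg=audit(27/04/21 16:16:47.156:153492) : avc: denied { entrypoint } '
                  'for pid=177796 comm=runcon path=/tmp/fakescript dev="dm-0" ino=33563064 '
                  'scontext=system_u:system_r:certmonger_t:s0 '
                  'tcontext=unconfined_u:object_r:certmonger_unconfined_exec_t:s0 tclass=file permissive=0')
POSTFIX_AVC = ('type=AVC msg=audit(1622111726.610:10854499): avc: denied { search } for pid=1315267 '
               'comm="local" name="/" dev="gpfs" ino=3 scontext=system_u:system_r:postfix_local_t:s0 '
               'tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0')

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
                    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)')
DEV_RE = re.compile(r'dev="?([^"\s]+)"?')

@dataclass
class Denial:
    perms: List[str]
    stype: str            # type field of scontext (user:role:type:level)
    ttype: str            # type field of tcontext
    tclass: str
    dev: Optional[str]
    findings: List[str] = field(default_factory=list)
    checks: List[str] = field(default_factory=list)   # sesearch queries to run by hand

def parse_avc(line: str) -> Optional[Denial]:
    """Return the structured denial, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    dev = DEV_RE.search(line)
    return Denial(m['perms'].split(), m['s'].split(':')[2], m['t'].split(':')[2],
                  m['c'], dev.group(1) if dev else None)

def diagnose(line: str) -> Optional[Denial]:
    d = parse_avc(line)
    if d is None:
        return None
    if d.ttype == 'unlabeled_t':
        d.findings.append(f'object on dev={d.dev} carries no label: fix labeling first, '
                          'an allow rule on unlabeled_t covers every unlabeled object')
    if 'entrypoint' in d.perms and d.tclass == 'file':
        d.findings.append(f'{d.ttype} is not an entrypoint for {d.stype}; the kernel checks '
                          'entrypoint for the domain being entered, i.e. the scontext')
    for p in d.perms:   # one query per denied permission, mirroring the posts' sesearch usage
        d.checks.append(f'sesearch -s {d.stype} -t {d.ttype} -c {d.tclass} -p {p} -A')
    return d

if __name__ == '__main__':
    for avc in (CERTMONGER_AVC, POSTFIX_AVC):
        print(diagnose(avc))
```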