On Tue, Dec 5, 2023 at 8:03 AM Wart wart@kobold.org wrote:
I created a new policy module using sepolgen for my RL9 server to manage the shibboleth service, then started customizing it. Part of the new policy is a new shibboleth_etc_t file type.
This system is also using puppet to manage various config files on the filesystem.
The shibd process, running in its shibd_t domain, is able to read this file type with no problem, but I notice that puppet (running in the unconfined_t domain) now generates a new AVC denial when trying to access files of this new file type.
Do I need to explicitly allow the unconfined_t domain access to my new file type, or is there some other piece that I'm missing?
--Mike
fc file:
/usr/sbin/shibd -- gen_context(system_u:object_r:shibd_exec_t,s0) /etc/shibboleth(/.*)? -- gen_context(system_u:object_r:shibboleth_etc_t,s0) /var/log/shibboleth(/.*)? gen_context(system_u:object_r:shibboleth_var_log_t,s0) /var/cache/shibboleth(/.*)? gen_context(system_u:object_r:shibboleth_var_cache_t,s0) /var/run/shibboleth -d gen_context(system_u:object_r:shibboleth_var_run_t,s0) /var/run/shibboleth/shibd.sock -s gen_context(system_u:object_r:shibboleth_var_run_t,s0) /etc/shibboleth/.*.pem -- gen_context(system_u:object_r:cert_t,s0) /etc/shibboleth/.*pem -- gen_context(system_u:object_r:cert_t,s0)
if file:
## <summary>policy for shibd</summary>
######################################## ## <summary> ## Execute shibd_exec_t in the shibd domain. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed to transition. ## </summary> ## </param> # interface(`shibd_domtrans',` gen_require(` type shibd_t, shibd_exec_t; ')
corecmd_search_bin($1) domtrans_pattern($1, shibd_exec_t, shibd_t)
')
###################################### ## <summary> ## Execute shibd in the caller domain. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`shibd_exec',` gen_require(` type shibd_exec_t; ')
corecmd_search_bin($1) can_exec($1, shibd_exec_t)
')
te file:
policy_module(local_shibd, 1.0.0)
######################################## # # Declarations #
require { type httpd_t; type var_run_t; type cert_t; type http_port_t; type kernel_t; class file { append create getattr open read rename unlink write }; class dir { add_name remove_name search write }; class tcp_socket { name_connect }; class sock_file { create setattr write }; class unix_stream_socket { connectto }; class unix_dgram_socket { create getopt sendto setopt }; } type shibd_t; type shibd_exec_t; type shibboleth_etc_t; type shibboleth_var_log_t; type shibboleth_var_cache_t; type shibboleth_var_run_t; init_daemon_domain(shibd_t, shibd_exec_t)
permissive shibd_t;
######################################## # # shibd local policy # allow shibd_t self:capability { setgid setuid }; allow shibd_t self:process { fork signal_perms }; allow shibd_t self:fifo_file rw_fifo_file_perms; allow shibd_t self:unix_stream_socket create_stream_socket_perms;
domain_use_interactive_fds(shibd_t)
files_read_etc_files(shibd_t)
auth_use_nsswitch(shibd_t)
miscfiles_read_localization(shibd_t)
allow shibd_t shibboleth_etc_t:file { getattr open read };
allow shibd_t shibboleth_var_log_t:dir { add_name remove_name search write }; allow shibd_t shibboleth_var_log_t:file { append create getattr open read rename unlink write }; allow shibd_t cert_t:file { open read }; allow shibd_t shibboleth_var_run_t:dir { add_name remove_name search write }; allow shibd_t shibboleth_var_run_t:sock_file { create setattr unlink }; allow shibd_t shibboleth_var_cache_t:dir { add_name remove_name search write }; allow shibd_t shibboleth_var_cache_t:file { create getattr open read unlink write }; allow shibd_t http_port_t:tcp_socket name_connect;
# Let apache talk to shibd and vice versa allow httpd_t shibboleth_etc_t:file { getattr open read }; allow httpd_t shibd_t:unix_stream_socket connectto; allow httpd_t shibboleth_var_run_t:dir search; allow httpd_t shibboleth_var_run_t:sock_file write; allow shibd_t kernel_t:unix_dgram_socket sendto; allow shibd_t self:unix_dgram_socket { create getopt setopt };
You should assign any type you define to an attribute using interfaces like files_type() and others, refer e.g. to https://github.com/fedora-selinux/selinux-policy/blame/rawhide/policy/module...
The AVC denial:
time->Mon Dec 4 14:40:45 2023 node=llodmt.ligo-la.caltech.edu type=PROCTITLE msg=audit(1701722445.997:630306):
proctitle=707570706574206167656E743A206170706C79696E6720636F6E66696775726174696F6E node=llodmt.ligo-la.caltech.edu type=PATH msg=audit(1701722445.997:630306): item=0 name="/etc/shibboleth/shibboleth2.xml" inode=17384656 dev=09:7e mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shibboleth_etc_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 node=llodmt.ligo-la.caltech.edu type=CWD msg=audit(1701722445.997:630306): cwd="/" node=llodmt.ligo-la.caltech.edu type=SYSCALL msg=audit(1701722445.997:630306): arch=c000003e syscall=257 success=yes exit=35 a0=ffffff9c a1=7fa634a38e68 a2=80000 a3=0 items=1 ppid=2725223 pid=4135271 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="puppet" exe="/opt/puppetlabs/puppet/bin/ruby" subj=system_u:system_r:unconfined_service_t:s0 key=(null) node=llodmt.ligo-la.caltech.edu type=AVC msg=audit(1701722445.997:630306): avc: denied { open } for pid=4135271 comm="puppet" path="/etc/shibboleth/shibboleth2.xml" dev="md126" ino=17384656 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:object_r:shibboleth_etc_t:s0 tclass=file permissive=1 node=llodmt.ligo-la.caltech.edu type=AVC msg=audit(1701722445.997:630306): avc: denied { read } for pid=4135271 comm="puppet" name="shibboleth2.xml" dev="md126" ino=17384656 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:object_r:shibboleth_etc_t:s0 tclass=file permissive=1
Also note it is unconfined_service_t here which is a type different to unconfined_t.
-- _______________________________________________ selinux mailing list -- selinux@lists.fedoraproject.org To unsubscribe send an email to selinux-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.or... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue