I have a script invoked from a procmail recipe that needs to perform actions involving searching for processes by name, playing sound through pulseaudio, sending mail, plus a few others. When I run with enforcing=0 I get 385 AVC denials (103KB, not attached), and that's _without_ disabling the "dontaudit" rules, which would yield over 100 more denials. The target contexts are not something I can change without totally destroying the current policy.
Any suggestions other than the 120 "allow" rules that audit2allow would suggest (and that's without considering the "dontaudit" denials)?
I'm getting _really_ tired of this. I'm spending more time trying to get things to work under SELinux than it would take me to recover from a (highly unlikely) intrusion. Sometimes the cost of insurance is just too high.
On 04/30/2013 12:39 PM, Robert Nichols wrote:
I have a script invoked from a procmail recipe that needs to perform actions involving searching for processes by name, playing sound through pulseaudio, sending mail, plus a few others. When I run with enforcing=0 I get 385 AVC denials (103KB, not attached), and that's _without_ disabling the "dontaudit" rules, which would yield over 100 more denials. The target contexts are not something I can change without totally destroying the current policy.
Any suggestions other than the 120 "allow" rules that audit2allow would suggest (and that's without considering the "dontaudit" denials)?
I'm getting _really_ tired of this. I'm spending more time trying to get things to work under SELinux than it would take me to recover from a (highly unlikely) intrusion. Sometimes the cost of insurance is just too high.
I tried setting up a domain transition, but it looks like a transition from procmail_t to unconfined_t just isn't going to be allowed. Since unconfined_t already has an entrypoint unconfined_exec_t, the module I installed is:
module procmail_uncon 1.0;
require { type unconfined_t; type unconfined_exec_t; type procmail_t; class process { transition sigchld }; }
allow procmail_t unconfined_t : process { transition sigchld };
That built and installed OK, and I gave the script the label unconfined_u:object_r:unconfined_exec_t:s0, but when procmail tries to execute it I get the error:
type=SELINUX_ERR msg=audit(1367353892.747:26477): security_compute_sid: invalid context system_u:unconfined_r:procmail_t:s0 for scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:unconfined_exec_t:s0 tclass=process
and the desired transition does not occur.
Did I do something wrong there, or is disabling SELinux my only recourse?
On Tue, 2013-04-30 at 16:02 -0500, Robert Nichols wrote:
On 04/30/2013 12:39 PM, Robert Nichols wrote:
I have a script invoked from a procmail recipe that needs to perform actions involving searching for processes by name, playing sound through pulseaudio, sending mail, plus a few others. When I run with enforcing=0 I get 385 AVC denials (103KB, not attached), and that's _without_ disabling the "dontaudit" rules, which would yield over 100 more denials. The target contexts are not something I can change without totally destroying the current policy.
Any suggestions other than the 120 "allow" rules that audit2allow would suggest (and that's without considering the "dontaudit" denials)?
I'm getting _really_ tired of this. I'm spending more time trying to get things to work under SELinux than it would take me to recover from a (highly unlikely) intrusion. Sometimes the cost of insurance is just too high.
I tried setting up a domain transition, but it looks like a transition from procmail_t to unconfined_t just isn't going to be allowed. Since unconfined_t already has an entrypoint unconfined_exec_t, the module I installed is:
module procmail_uncon 1.0; require {type unconfined_t; type unconfined_exec_t; type procmail_t; class process { transition sigchld }; }
allow procmail_t unconfined_t : process { transition sigchld };
Looks like you are missing an actual domain transition rule. There is also something fishy going on with role based access control.
Try this:
sudo semodule -r procmail_uncon
cat > mytest.te <<EOF policy_module(mytest, 1.0.0) optional_policy(` gen_require(` type procmail_t, unconfined_t, unconfined_exec_t; ') domtrans_pattern(procmail_t, unconfined_exec_t, unconfined_t) ') EOF
make -f /usr/share/selinux/devel/Makefile mytest.pp sudo semodule -i mytest.pp
Then try again, but keep a look out for any "SELINUX_ERR" messages in audit.log
There may be some RBAC related issues yet to resolve.
First things first: see where this gets you
That built and installed OK, and I gave the script the label unconfined_u:object_r:unconfined_exec_t:s0, but when procmail tries to execute it I get the error:
type=SELINUX_ERR msg=audit(1367353892.747:26477): security_compute_sid:invalid context system_u:unconfined_r:procmail_t:s0 for scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:unconfined_exec_t:s0 tclass=process
and the desired transition does not occur.
Did I do something wrong there, or is disabling SELinux my only recourse?
On 05/01/2013 05:01 AM, Dominick Grift wrote:
On Tue, 2013-04-30 at 16:02 -0500, Robert Nichols wrote:
I tried setting up a domain transition, but it looks like a transition from procmail_t to unconfined_t just isn't going to be allowed. Since unconfined_t already has an entrypoint unconfined_exec_t, the module I installed is:
module procmail_uncon 1.0; require {type unconfined_t; type unconfined_exec_t; type procmail_t; class process { transition sigchld }; }
allow procmail_t unconfined_t : process { transition sigchld };Looks like you are missing an actual domain transition rule. There is also something fishy going on with role based access control.
Try this:
sudo semodule -r procmail_uncon
cat > mytest.te <<EOF policy_module(mytest, 1.0.0) optional_policy(` gen_require(` type procmail_t, unconfined_t, unconfined_exec_t; ') domtrans_pattern(procmail_t, unconfined_exec_t, unconfined_t) ') EOF
make -f /usr/share/selinux/devel/Makefile mytest.pp sudo semodule -i mytest.pp
Then try again, but keep a look out for any "SELINUX_ERR" messages in audit.log
There may be some RBAC related issues yet to resolve.
First things first: see where this gets you
I _finally_ discovered that makefile last night (a web page that I think was in Portugese was the first place I found that referenced it), and that let me use Dan's blog page as a model. I did get it to work, but I had to use a custom type my_uncon_exec_t:
policy_module(procmail_uncon, 1.0.18)
gen_require(` type unconfined_t; type unconfined_exec_t; type procmail_t; role system_r; ')
type my_uncon_exec_t; files_type(my_uncon_exec_t)
allow procmail_t unconfined_t : process { transition sigchld }; domain_auto_trans(procmail_t, my_uncon_exec_t, unconfined_t) role system_r types unconfined_t;
If I try to do that with unconfined_exec_t in the domain_auto_trans(), I get these AVCs:
type=AVC msg=audit(1367415022.653:1349): avc: denied { transition } for pid=11841 comm="procmail" path="/home/rnichols/bin/stock-alert" dev=sda6 ino=229247 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:unconfined_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1367415022.653:1349): arch=c000003e syscall=59 success=no exit=-13 a0=7fffee5d82dc a1=bbf100 a2=bc00d0 a3=8 items=0 ppid=1 pid=11841 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=12 fsgid=500 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
Running those through audit2allow yields:
#============= procmail_t ============== #!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work. #Contraint rule: allow procmail_t unconfined_t:process transition;
No way in Hell am I ever going through this again. The next time SELinux gives me any trouble, it gets shut off and that's the end of it.
On 05/01/2013 12:01 PM, Dominick Grift wrote:
On Tue, 2013-04-30 at 16:02 -0500, Robert Nichols wrote:
On 04/30/2013 12:39 PM, Robert Nichols wrote:
I have a script invoked from a procmail recipe that needs to perform actions involving searching for processes by name, playing sound through pulseaudio, sending mail, plus a few others. When I run with enforcing=0 I get 385 AVC denials (103KB, not attached), and that's _without_ disabling the "dontaudit" rules, which would yield over 100 more denials. The target contexts are not something I can change without totally destroying the current policy.
Any suggestions other than the 120 "allow" rules that audit2allow would suggest (and that's without considering the "dontaudit" denials)?
I'm getting _really_ tired of this. I'm spending more time trying to get things to work under SELinux than it would take me to recover from a (highly unlikely) intrusion. Sometimes the cost of insurance is just too high.
I tried setting up a domain transition, but it looks like a transition from procmail_t to unconfined_t just isn't going to be allowed. Since unconfined_t already has an entrypoint unconfined_exec_t, the module I installed is:
module procmail_uncon 1.0; require {type unconfined_t; type unconfined_exec_t; type procmail_t; class process { transition sigchld }; }
allow procmail_t unconfined_t : process { transition sigchld };Looks like you are missing an actual domain transition rule. There is also something fishy going on with role based access control.
Try this:
sudo semodule -r procmail_uncon
cat > mytest.te <<EOF policy_module(mytest, 1.0.0) optional_policy(` gen_require(` type procmail_t, unconfined_t, unconfined_exec_t; ') domtrans_pattern(procmail_t, unconfined_exec_t, unconfined_t) ') EOF
make -f /usr/share/selinux/devel/Makefile mytest.pp sudo semodule -i mytest.pp
Then try again, but keep a look out for any "SELINUX_ERR" messages in audit.log
There may be some RBAC related issues yet to resolve.
First things first: see where this gets you
That built and installed OK, and I gave the script the label unconfined_u:object_r:unconfined_exec_t:s0, but when procmail tries to execute it I get the error:
type=SELINUX_ERR msg=audit(1367353892.747:26477): security_compute_sid:invalid context system_u:unconfined_r:procmail_t:s0 for scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:unconfined_exec_t:s0 tclass=process
and the desired transition does not occur.
Did I do something wrong there, or is disabling SELinux my only recourse?
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
I would go with a different way and create a new domain - procmail_unconfined_t and make this domain as unconfined domain.
# cat myprocmail.te
require{ type procmail_t; }
type procmail_unconfined_exec_t; application_executable_file(procmail_unconfined_exec_t)
optional_policy(` type procmail_unconfined_t; domain_type(procmail_unconfined_t)
domain_entry_file(procmail_unconfined_t, procmail_unconfined_exec_t) role system_r types procmail_unconfined_t;
domtrans_pattern(procmail_t, procmail_unconfined_exec_t, procmail_unconfined_t)
allow procmail_t procmail_unconfined_exec_t:dir search_dir_perms; allow procmail_t procmail_unconfined_exec_t:dir read_file_perms; allow procmail_t procmail_unconfined_exec_t:file ioctl;
init_domtrans_script(procmail_unconfined_t)
optional_policy(` unconfined_domain(procmail_unconfined_t) ') ')
# make -f /usr/share/selinux/devel/Makefile mytest.pp # sudo semodule -i mytest.pp # chcon -t procmail_unconfined_exec_t PATH_TO_YOU_SCRIPTS
On 05/02/2013 12:58 AM, Miroslav Grepl wrote:
I would go with a different way and create a new domain - procmail_unconfined_t and make this domain as unconfined domain.
# cat myprocmail.te
require{ type procmail_t; }
type procmail_unconfined_exec_t; application_executable_file(procmail_unconfined_exec_t)
optional_policy(` type procmail_unconfined_t; domain_type(procmail_unconfined_t)
domain_entry_file(procmail_unconfined_t, procmail_unconfined_exec_t) role system_r types procmail_unconfined_t; domtrans_pattern(procmail_t, procmail_unconfined_exec_t,procmail_unconfined_t)
allow procmail_t procmail_unconfined_exec_t:dir search_dir_perms; allow procmail_t procmail_unconfined_exec_t:dir read_file_perms; allow procmail_t procmail_unconfined_exec_t:file ioctl; init_domtrans_script(procmail_unconfined_t) optional_policy(` unconfined_domain(procmail_unconfined_t) ')')
# make -f /usr/share/selinux/devel/Makefile mytest.pp # sudo semodule -i mytest.pp # chcon -t procmail_unconfined_exec_t PATH_TO_YOU_SCRIPTS
Thanks, I _think_ that's basically what I ended up doing. [copied from my previous post]:
policy_module(procmail_uncon, 1.0.18)
gen_require(` type unconfined_t; type unconfined_exec_t; type procmail_t; role system_r; ')
type my_uncon_exec_t; files_type(my_uncon_exec_t)
allow procmail_t unconfined_t : process { transition sigchld }; domain_auto_trans(procmail_t, my_uncon_exec_t, unconfined_t) role system_r types unconfined_t;
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 05/02/2013 05:53 PM, Robert Nichols wrote:
On 05/02/2013 12:58 AM, Miroslav Grepl wrote:
I would go with a different way and create a new domain - procmail_unconfined_t and make this domain as unconfined domain.
# cat myprocmail.te
require{ type procmail_t; }
type procmail_unconfined_exec_t; application_executable_file(procmail_unconfined_exec_t)
optional_policy(` type procmail_unconfined_t; domain_type(procmail_unconfined_t)
domain_entry_file(procmail_unconfined_t, procmail_unconfined_exec_t) role system_r types procmail_unconfined_t;
domtrans_pattern(procmail_t, procmail_unconfined_exec_t, procmail_unconfined_t)
allow procmail_t procmail_unconfined_exec_t:dir search_dir_perms; allow procmail_t procmail_unconfined_exec_t:dir read_file_perms; allow procmail_t procmail_unconfined_exec_t:file ioctl;
init_domtrans_script(procmail_unconfined_t)
optional_policy(` unconfined_domain(procmail_unconfined_t) ') ')
# make -f /usr/share/selinux/devel/Makefile mytest.pp # sudo semodule -i mytest.pp # chcon -t procmail_unconfined_exec_t PATH_TO_YOU_SCRIPTS
Thanks, I _think_ that's basically what I ended up doing. [copied from my previous post]:
policy_module(procmail_uncon, 1.0.18)
gen_require(` type unconfined_t; type unconfined_exec_t; type procmail_t; role system_r; ')
type my_uncon_exec_t; files_type(my_uncon_exec_t)
allow procmail_t unconfined_t : process { transition sigchld }; domain_auto_trans(procmail_t, my_uncon_exec_t, unconfined_t) role system_r types unconfined_t;
One difference between what Miroslav showed and you did, was that your new domain is now unconfined_t and might transition to another domain. Whereas his would not, also any confined domain that was allowed to communicate with unconfined_t would be able t communicate with your domain. They would not in Mirsoslav's case.
On 05/06/2013 11:40 AM, Daniel J Walsh wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 05/02/2013 05:53 PM, Robert Nichols wrote:
On 05/02/2013 12:58 AM, Miroslav Grepl wrote:
I would go with a different way and create a new domain - procmail_unconfined_t and make this domain as unconfined domain.
# cat myprocmail.te
require{ type procmail_t; }
type procmail_unconfined_exec_t; application_executable_file(procmail_unconfined_exec_t)
optional_policy(` type procmail_unconfined_t; domain_type(procmail_unconfined_t)
domain_entry_file(procmail_unconfined_t, procmail_unconfined_exec_t) role system_r types procmail_unconfined_t;
domtrans_pattern(procmail_t, procmail_unconfined_exec_t, procmail_unconfined_t)
allow procmail_t procmail_unconfined_exec_t:dir search_dir_perms; allow procmail_t procmail_unconfined_exec_t:dir read_file_perms; allow procmail_t procmail_unconfined_exec_t:file ioctl;
init_domtrans_script(procmail_unconfined_t)
optional_policy(` unconfined_domain(procmail_unconfined_t) ') ')
# make -f /usr/share/selinux/devel/Makefile mytest.pp # sudo semodule -i mytest.pp # chcon -t procmail_unconfined_exec_t PATH_TO_YOU_SCRIPTS
Thanks, I _think_ that's basically what I ended up doing. [copied from my previous post]:
policy_module(procmail_uncon, 1.0.18)
gen_require(` type unconfined_t; type unconfined_exec_t; type procmail_t; role system_r; ')
type my_uncon_exec_t; files_type(my_uncon_exec_t)
allow procmail_t unconfined_t : process { transition sigchld }; domain_auto_trans(procmail_t, my_uncon_exec_t, unconfined_t) role system_r types unconfined_t;
One difference between what Miroslav showed and you did, was that your new domain is now unconfined_t and might transition to another domain. Whereas his would not, also any confined domain that was allowed to communicate with unconfined_t would be able t communicate with your domain. They would not in Mirsoslav's case.
Then I'll definitely stick with what I've got since it makes everything work the same way it does when I invoke procmail from the command line. procmail transitions to procmail_t only when invoked from certain other confined domains, and that is a large part of what was making my life difficult in testing. Now, my script runs the same whether procmail was running in domain procmail_t or unconfined_t.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 05/07/2013 09:42 AM, Robert Nichols wrote:
On 05/06/2013 11:40 AM, Daniel J Walsh wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 05/02/2013 05:53 PM, Robert Nichols wrote:
On 05/02/2013 12:58 AM, Miroslav Grepl wrote:
I would go with a different way and create a new domain - procmail_unconfined_t and make this domain as unconfined domain.
# cat myprocmail.te
require{ type procmail_t; }
type procmail_unconfined_exec_t; application_executable_file(procmail_unconfined_exec_t)
optional_policy(` type procmail_unconfined_t; domain_type(procmail_unconfined_t)
domain_entry_file(procmail_unconfined_t, procmail_unconfined_exec_t) role system_r types procmail_unconfined_t;
domtrans_pattern(procmail_t, procmail_unconfined_exec_t, procmail_unconfined_t)
allow procmail_t procmail_unconfined_exec_t:dir search_dir_perms; allow procmail_t procmail_unconfined_exec_t:dir read_file_perms; allow procmail_t procmail_unconfined_exec_t:file ioctl;
init_domtrans_script(procmail_unconfined_t)
optional_policy(` unconfined_domain(procmail_unconfined_t) ') ')
# make -f /usr/share/selinux/devel/Makefile mytest.pp # sudo semodule -i mytest.pp # chcon -t procmail_unconfined_exec_t PATH_TO_YOU_SCRIPTS
Thanks, I _think_ that's basically what I ended up doing. [copied from my previous post]:
policy_module(procmail_uncon, 1.0.18)
gen_require(` type unconfined_t; type unconfined_exec_t; type procmail_t; role system_r; ')
type my_uncon_exec_t; files_type(my_uncon_exec_t)
allow procmail_t unconfined_t : process { transition sigchld }; domain_auto_trans(procmail_t, my_uncon_exec_t, unconfined_t) role system_r types unconfined_t;
One difference between what Miroslav showed and you did, was that your new domain is now unconfined_t and might transition to another domain. Whereas his would not, also any confined domain that was allowed to communicate with unconfined_t would be able t communicate with your domain. They would not in Mirsoslav's case.
Then I'll definitely stick with what I've got since it makes everything work the same way it does when I invoke procmail from the command line. procmail transitions to procmail_t only when invoked from certain other confined domains, and that is a large part of what was making my life difficult in testing. Now, my script runs the same whether procmail was running in domain procmail_t or unconfined_t.
Ok, just wanted you to know the differences.
selinux@lists.fedoraproject.org
-
Daniel J Walsh -
Dominick Grift -
Miroslav Grepl -
Robert Nichols