Folks,
I have a problem with SEL file type in /tmp --- I just don't understand why a particular type is being used. More precisely, I don't understand how the domain that uses this file type comes into play. I'm hoping someone can enlighten me.
I have a setup where subversion is accessed through httpd (mod_dav_svn). The post-commit hook runs as the confined uid apache. The hook needs to do bookkeeping using a different confined uid, coin. I've implemented a custom SEL module svn_hook, to allow this. It uses the sudo_role_template macro as part of the setup. The full domain transition sequence to get to the sudo'd script is:
- Domain httpd_t transitions through type svn_hook_exec_t to domain svn_hook_t when the top-level hook script is executed
- User changes from apache to coin by sudo'ing a second-level script. The expected domain transition would be svn_hook_t -> svn_hook_sudo_t -> svn_hook_t. (Perhaps I'm wrong on this?)
When I run 'id' in the second-level script, it says the context is uid=1002(coin) gid=1013(coin-web) context=system_u:system_r:svn_hook_t:s0 as expected. Elsewhere in the SEL module, svn_hook_t is granted full file and directory management rights in /tmp with the files_manage_generic_tmp_{dirs,files} macros. When I run, for example, 'svn export' in this script, it happily creates entire directory trees of type tmp_t in /tmp, as expected.
But ... if I try to redirect output to a file, or execute something like 'touch foo', the type used for file creation is svn_hook_sudo_tmp_t (generated within the sudo_role_template macro). I've opened this macro up, and I can see it will create the rule 'type_transition svn_hook_sudo_t tmp_t:file svn_hook_sudo_tmp_t;' Fine, I understand. And I've managed to deal with the issue by allowing domain svn_hook_t to manage files of type svn_hook_sudo_tmp_t.
What I don't understand: Why is domain svn_hook_sudo_t in play here? According to id, the script is running in domain svn_hook_t. If anyone can enlighten me on what's happening here, I'd be a much happier person.
Thanks, Lou
On 01/28/2016 08:08 PM, lou@sfu.ca wrote:
Folks,
I have a problem with SEL file type in /tmp --- I just don't understand why a particular type is being used. More precisely, I don't understand how the domain that uses this file type comes into play. I'm hoping someone can enlighten me.
I have a setup where subversion is accessed through httpd (mod_dav_svn). The post-commit hook runs as the confined uid apache. The hook needs to do bookkeeping using a different confined uid, coin. I've implemented a custom SEL module svn_hook, to allow this. It uses the sudo_role_template macro as part of the setup. The full domain transition sequence to get to the sudo'd script is:
- Domain httpd_t transitions through type svn_hook_exec_t to domain svn_hook_t when the top-level hook script is executed
- User changes from apache to coin by sudo'ing a second-level script. The expected domain transition would be svn_hook_t -> svn_hook_sudo_t -> svn_hook_t. (Perhaps I'm wrong on this?)
When I run 'id' in the second-level script, it says the context is uid=1002(coin) gid=1013(coin-web) context=system_u:system_r:svn_hook_t:s0 as expected. Elsewhere in the SEL module, svn_hook_t is granted full file and directory management rights in /tmp with the files_manage_generic_tmp_{dirs,files} macros. When I run, for example, 'svn export' in this script, it happily creates entire directory trees of type tmp_t in /tmp, as expected.
But ... if I try to redirect output to a file, or execute something like 'touch foo', the type used for file creation is svn_hook_sudo_tmp_t (generated within the sudo_role_template macro). I've opened this macro up, and I can see it will create the rule 'type_transition svn_hook_sudo_t tmp_t:file svn_hook_sudo_tmp_t;' Fine, I understand. And I've managed to deal with the issue by allowing domain svn_hook_t to manage files of type svn_hook_sudo_tmp_t. What I don't understand: Why is domain svn_hook_sudo_t in play here? According to id, the script is running in domain svn_hook_t.
Yes, this is correct. You can see
    # Enter this derived domain from the user domain
    domtrans_pattern($3, sudo_exec_t, $1_sudo_t)

    # By default, revert to the calling domain when a shell is executed.
    corecmd_shell_domtrans($1_sudo_t, $3)
    corecmd_bin_domtrans($1_sudo_t, $3)
in the sudo_role_template() interface.
Which is the reason why you see svn_hook_sudo_t vs. svn_hook_t when 'id' is executed. 'id' is labeled as bin_t.
If anyone can enlighten me on what's happening here, I'd be a much happier person.
Thanks, Lou
-- selinux mailing list selinux@lists.fedoraproject.org http://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org
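The reply above hinges on one detail: 'id' is a bin_t binary, so when the svn_hook_sudo_t shell execs it, corecmd_bin_domtrans() moves the child into svn_hook_t and 'id' reports that domain, not the shell's. The script below is an added example written for this thread, not code from the reference policy or from the hook in question. It reads the label of a process by explicit PID from /proc/<pid>/attr/current (which is what 'ps -o label' does under the hood) and compares it with what 'id -Z' says, so a transition on exec shows up as a mismatch. It assumes a Linux /proc with the SELinux attr interface; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread or the reference policy.
# Shows the domain of this shell next to the domain 'id -Z' prints,
# which is the context of the id process itself after any exec-time
# domain transition, not the context of the caller.

# Type field of a context string such as system_u:system_r:svn_hook_t:s0.
# -s drops input that has no ':' at all (e.g. AppArmor's "unconfined").
context_type() {
    printf '%s\n' "$1" | cut -s -d: -f3
}

# Exit 0 if both contexts carry the same domain type, 1 otherwise.
labels_agree() {
    [ "$(context_type "$1")" = "$(context_type "$2")" ]
}

# Label of an arbitrary PID (default: this shell). Naming the PID is the
# point: /proc/self would refer to the helper that opens the file, and a
# helper that went through a domtrans reports the wrong domain.
# Prints nothing when the kernel exposes no security attribute.
process_label() {
    pid="${1:-$$}"
    if [ -r "/proc/$pid/attr/current" ]; then
        # The attribute is NUL-terminated; strip that before printing.
        tr -d '\0' < "/proc/$pid/attr/current"
        echo
    fi
}

# Compare this shell's own domain with what 'id -Z' claims.
# $$ is the PID of the script's shell even inside $(...) subshells,
# and a subshell is a fork without exec, so no transition happens there.
check_domain() {
    shell_ctx="$(process_label "$$")"
    id_ctx="$(id -Z 2>/dev/null)"
    if [ -z "$shell_ctx" ] || [ -z "$id_ctx" ]; then
        echo "SELinux context not available on this system"
        return 2
    fi
    echo "shell ($$): $shell_ctx"
    echo "id -Z:      $id_ctx"
    if labels_agree "$shell_ctx" "$id_ctx"; then
        echo "id ran in the same domain as this shell"
    else
        echo "WARNING: id executed in a different domain than this shell"
        return 1
    fi
}

# Non-fatal so the file can be sourced from a hook without aborting it.
check_domain || true
```

Dropped into the second-level script, a mismatch between the two lines is exactly the situation described in this thread: the shell (and therefore its output redirections, which the shell performs itself without exec) is still in svn_hook_sudo_t while anything it execs from bin_t or shell_exec_t lands in svn_hook_t.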
Ouch! Somehow I managed to convince myself that id would be bright enough to interpret 'give me the security context for the current user' as 'give me the security context of the process that invoked id'. It's a bit harsh to say 'id lies', but it sure is misleading. Time to fall back to ps, where I can specify the process of interest.
Thanks for the answer!