From: Sven Vermeulen <swift@gentoo.org>
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] Selinux: /bin/su and pam_selinux
Date: Tue, 24 Jan 2017 15:50:18 +0000 [thread overview]
Message-ID: <20170124155018.GA25970@gentoo.org> (raw)
In-Reply-To: <9be896e1-beae-f94b-800f-d10f7862c67d@sharp.homelinux.org>
On Sat, Jan 21, 2017 at 06:04:51PM +0000, Robert Sharp wrote:
> AIM - to be able to su to root and switch off strict mode in case
> something goes wrong. I was using newrole but I kept forgetting so I am
> trying to use pam_selinux to change the role to sysadm_r. I followed
> the instructions given at
> [1]http://blog.siphos.be/2013/04/how-logins-get-their-selinux-user-cont
> ext/ in general, but I had to do some research to find out how to apply
> them for /bin/su.
Generally, such a change is best implemented through sudo rather than su.
With sudo, you have more control over role and type switching as well
(sudo is SELinux-aware, and not just through its PAM support).
Would that be an option for you? If not, then let's get into the details of
what you are noticing further...
> The answer was in su.if, added to the "su_role_template" interface. I
> then spent some time figuring out how to get the roles/sysadm module to
> use my modified interface (put it in the same directory) and it
> generally seemed to work. I got a few extra AVCs but I ended up with
> the following:
>
> optional_policy(`
> domain_subj_id_change_exemption($1_su_t)
> domain_role_change_exemption($1_su_t)
> selinux_validate_context($1_su_t)
> selinux_compute_access_vector($1_su_t)
> selinux_compute_create_context($1_su_t)
> selinux_compute_relabel_context($1_su_t)
> selinux_compute_user_contexts($1_su_t)
> seutil_read_config($1_su_t)
> seutil_read_default_contexts($1_su_t)
> userdom_relabelto_user_ptys($1_su_t)
> userdom_dontaudit_relabelfrom_user_ptys($1_su_t)
> userdom_use_user_ptys($1_su_t)
> allow $1_su_t self:process setkeycreate;
> allow $1_su_t $3:key manage_key_perms;
> ')
Note that, with this in place, you might be granting more people than you
originally intended to gain certain privileges.
> The PROBLEM: I still get two AVCs that I don't think I should be
> getting:
>
> type=PROCTITLE msg=audit(1485020695.038:10367):
> proctitle=2F62696E2F7375002D
> type=PATH msg=audit(1485020695.038:10367): item=0 name="/dev/pts/3"
> inode=6 dev=00:12 mode=020620 ouid=501 ogid=5 rdev=88:03
> obj=staff_u:object_r:user_devpts_t nametype=NORMAL
> type=CWD msg=audit(1485020695.038:10367):
> cwd="/home/robert/selinux/sysadm"
> type=SYSCALL msg=audit(1485020695.038:10367): arch=c000003e
> syscall=188 success=yes exit=0 a0=375183c820 a1=3817fb1fcaa
> a2=375183bce0 a3=1c items=1 ppid=17744 pid=20374
> auid=4294967295 uid=501 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=pts3
> ses=4294967295 comm="su" exe="/bin/su"
> subj=staff_u:sysadm_r:sysadm_su_t key=(null)
> type=AVC msg=audit(1485020695.038:10367): avc: denied { relabelto
> } for pid=20374 comm="su" name="3" dev="devpts" ino=6
> scontext=staff_u:sysadm_r:sysadm_su_t
> tcontext=root:object_r:user_devpts_t tclass=chr_file permissive=1
> ----
> type=AVC msg=audit(1485020695.038:10368): avc: denied { create }
> for pid=20374 comm="su" scontext=staff_u:sysadm_r:sysadm_su_t
> tcontext=root:sysadm_r:sysadm_t tclass=key permissive=1
>
> I double checked that I had corresponding rules to allow these:
>
> # sesearch -s sysadm_su_t -t user_devpts_t -A
> allow sysadm_su_t user_devpts_t:chr_file { read getattr write ioctl
> relabelto open append };
>
> # sesearch -s sysadm_su_t -t sysadm_t -c key -A
> allow sysadm_su_t sysadm_t:key { search setattr read create write
> link view };
>
> So I really cannot see why I am getting these AVCs. I keep looking at
> the scripts, the rules and the AVCs to see if I have done something
> stupid, but I cannot see it. I have started making fairly arbitrary
> changes to see if I can make it go away but I am just wasting time
> really. If I cannot figure this out I suspect I will be ditching
> pam_selinux and reverting to explicitly issuing newrole. I guess with
> strict on I will quickly be reminded that I have forgotten to change
> roles anyway.
As was mentioned in the thread already, this might be UBAC-related.
Wkr,
Sven Vermeulen
prev parent reply other threads:[~2017-01-24 15:50 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-21 18:04 [gentoo-hardened] Selinux: /bin/su and pam_selinux Robert Sharp
2017-01-21 19:04 ` Luis Ressel
2017-01-24 15:50 ` Sven Vermeulen [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170124155018.GA25970@gentoo.org \
--to=swift@gentoo.org \
--cc=gentoo-hardened@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox