From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 9E02F139085 for ; Tue, 24 Jan 2017 15:50:21 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 670891433B; Tue, 24 Jan 2017 15:50:19 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 1B4F514329 for ; Tue, 24 Jan 2017 15:50:19 +0000 (UTC) Received: by smtp.gentoo.org (Postfix, from userid 617) id 5DA2C3416BC; Tue, 24 Jan 2017 15:50:18 +0000 (UTC) Date: Tue, 24 Jan 2017 15:50:18 +0000 From: Sven Vermeulen To: gentoo-hardened@lists.gentoo.org Subject: Re: [gentoo-hardened] Selinux: /bin/su and pam_selinux Message-ID: <20170124155018.GA25970@gentoo.org> Mail-Followup-To: gentoo-hardened@lists.gentoo.org References: <9be896e1-beae-f94b-800f-d10f7862c67d@sharp.homelinux.org> Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-hardened@lists.gentoo.org Reply-to: gentoo-hardened@lists.gentoo.org MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-15 Content-Disposition: inline In-Reply-To: <9be896e1-beae-f94b-800f-d10f7862c67d@sharp.homelinux.org> User-Agent: Mutt/1.5.24 (2015-08-30) X-Archives-Salt: acc35d41-9783-48e3-8750-efcbbe50448e X-Archives-Hash: 2b197d2fcf2c742d7912b843154cdb80 On Sat, Jan 21, 2017 at 06:04:51PM +0000, Robert Sharp wrote: > AIM - to be able to su to root and switch off strict mode in case > something goes wrong. I was using newrole but I kept forgetting so I am > trying to use pam_selinux to change the role to sysadm_r. I followed > the instructions given at > [1]http://blog.siphos.be/2013/04/how-logins-get-their-selinux-user-cont > ext/ in general, but I had to do some research to find out how to apply > them for /bin/su. Generally, such a change is best implemented through sudo rather than su. With sudo, you have more control over role and type switching as well (sudo is SELinux-aware, and not just through its PAM support). Would that be an option for you? If not, then let's get into the details of what you are noticing further... > The answer was in su.if, added to the "su_role_template" interface. I > then spent some time figuring out how to get the roles/sysadm module to > use my modified interface (put it in the same directory) and it > generally seemed to work. I got a few extra AVCs but I ended up with > the following: > > optional_policy(` > domain_subj_id_change_exemption($1_su_t) > domain_role_change_exemption($1_su_t) > selinux_validate_context($1_su_t) > selinux_compute_access_vector($1_su_t) > selinux_compute_create_context($1_su_t) > selinux_compute_relabel_context($1_su_t) > selinux_compute_user_contexts($1_su_t) > seutil_read_config($1_su_t) > seutil_read_default_contexts($1_su_t) > userdom_relabelto_user_ptys($1_su_t) > userdom_dontaudit_relabelfrom_user_ptys($1_su_t) > userdom_use_user_ptys($1_su_t) > allow $1_su_t self:process setkeycreate; > allow $1_su_t $3:key manage_key_perms; > ') Note that, with this in place, you might be granting more people than you originally intended to gain certain privileges. > The PROBLEM: I still get two AVCs that I don't think I should be > getting: > > type=PROCTITLE msg=audit(1485020695.038:10367): > proctitle=2F62696E2F7375002D > type=PATH msg=audit(1485020695.038:10367): item=0 name="/dev/pts/3" > inode=6 dev=00:12 mode=020620 ouid=501 ogid=5 rdev=88:03 > obj=staff_u:object_r:user_devpts_t nametype=NORMAL > type=CWD msg=audit(1485020695.038:10367): > cwd="/home/robert/selinux/sysadm" > type=SYSCALL msg=audit(1485020695.038:10367): arch=c000003e > syscall=188 success=yes exit=0 a0=375183c820 a1=3817fb1fcaa > a2=375183bce0 a3=1c items=1 ppid=17744 pid=20374 > auid=4294967295 uid=501 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 > fsgid=0 tty=pts3 > ses=4294967295 comm="su" exe="/bin/su" > subj=staff_u:sysadm_r:sysadm_su_t key=(null) > type=AVC msg=audit(1485020695.038:10367): avc: denied { relabelto > } for pid=20374 comm="su" name="3" dev="devpts" ino=6 > scontext=staff_u:sysadm_r:sysadm_su_t > tcontext=root:object_r:user_devpts_t tclass=chr_file permissive=1 > ---- > type=AVC msg=audit(1485020695.038:10368): avc: denied { create } > for pid=20374 comm="su" scontext=staff_u:sysadm_r:sysadm_su_t > tcontext=root:sysadm_r:sysadm_t tclass=key permissive=1 > > I double checked that I had corresponding rules to allow these: > > # sesearch -s sysadm_su_t -t user_devpts_t -A > allow sysadm_su_t user_devpts_t:chr_file { read getattr write ioctl > relabelto open append }; > > # sesearch -s sysadm_su_t -t sysadm_t -c key -A > allow sysadm_su_t sysadm_t:key { search setattr read create write > link view }; > > So I really cannot see why I am getting these AVCs. I keep looking at > the scripts, the rules and the AVCs to see if I have done something > stupid, but I cannot see it. I have started making fairly arbitrary > changes to see if I can make it go away but I am just wasting time > really. If I cannot figure this out I suspect I will be ditching > pam_selinux and reverting to explicitly issuing newrole. I guess with > strict on I will quickly be reminded that I have forgotten to change > roles anyway. As was mentioned in the thread already, this might be UBAC-related. Wkr, Sven Vermeulen