* [PATCH 1/7] fedora: Install pasta as hard link to ensure SELinux file context match
2023-08-16 6:00 [PATCH 0/7] Extensive bandaging for SELinux policy issues, old and new Stefano Brivio
@ 2023-08-16 6:00 ` Stefano Brivio
2023-08-16 9:03 ` Richard W.M. Jones
2023-08-16 6:00 ` [PATCH 2/7] selinux: Use explicit paths for binaries in file context Stefano Brivio
` (5 subsequent siblings)
6 siblings, 1 reply; 16+ messages in thread
From: Stefano Brivio @ 2023-08-16 6:00 UTC (permalink / raw)
To: passt-dev; +Cc: 'Richard W . M . Jones', David Gibson
The Makefile installs symbolic links by default, which actually
worked at some point (not by design) with SELinux, but at least on
recent kernel versions it doesn't anymore: override pasta (and
pasta.avx2) with hard links.
Otherwise, even if the links are labeled as pasta_exec_t, SELinux
will "resolve" them to passt_exec_t, and we'll have pasta running as
passt_t instead of pasta_t.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
contrib/fedora/passt.spec | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/contrib/fedora/passt.spec b/contrib/fedora/passt.spec
index 8d28ef6..49b4860 100644
--- a/contrib/fedora/passt.spec
+++ b/contrib/fedora/passt.spec
@@ -55,9 +55,13 @@ This package adds SELinux enforcement to passt(1) and pasta(1).
%install
%make_install DESTDIR=%{buildroot} prefix=%{_prefix} bindir=%{_bindir} mandir=%{_mandir} docdir=%{_docdir}/%{name}
+# The Makefile simply links pasta to passt, but we need to copy the binary for
+# SELinux file contexts to work as intended. Same with pasta.avx2 if present.
+install -p -m 755 %{buildroot}%{_bindir}/passt %{buildroot}%{_bindir}/pasta
%ifarch x86_64
ln -sr %{buildroot}%{_mandir}/man1/passt.1 %{buildroot}%{_mandir}/man1/passt.avx2.1
ln -sr %{buildroot}%{_mandir}/man1/pasta.1 %{buildroot}%{_mandir}/man1/pasta.avx2.1
+install -p -m 755 %{buildroot}%{_bindir}/passt.avx2 %{buildroot}%{_bindir}/pasta.avx2
%endif
pushd contrib/selinux
--
@@ -55,9 +55,13 @@ This package adds SELinux enforcement to passt(1) and pasta(1).
%install
%make_install DESTDIR=%{buildroot} prefix=%{_prefix} bindir=%{_bindir} mandir=%{_mandir} docdir=%{_docdir}/%{name}
+# The Makefile simply links pasta to passt, but we need to copy the binary for
+# SELinux file contexts to work as intended. Same with pasta.avx2 if present.
+install -p -m 755 %{buildroot}%{_bindir}/passt %{buildroot}%{_bindir}/pasta
%ifarch x86_64
ln -sr %{buildroot}%{_mandir}/man1/passt.1 %{buildroot}%{_mandir}/man1/passt.avx2.1
ln -sr %{buildroot}%{_mandir}/man1/pasta.1 %{buildroot}%{_mandir}/man1/pasta.avx2.1
+install -p -m 755 %{buildroot}%{_bindir}/passt.avx2 %{buildroot}%{_bindir}/pasta.avx2
%endif
pushd contrib/selinux
--
2.39.2
^ permalink raw reply related [flat|nested] 16+ messages in thread
* Re: [PATCH 1/7] fedora: Install pasta as hard link to ensure SELinux file context match
2023-08-16 6:00 ` [PATCH 1/7] fedora: Install pasta as hard link to ensure SELinux file context match Stefano Brivio
@ 2023-08-16 9:03 ` Richard W.M. Jones
2023-08-16 9:08 ` Stefano Brivio
0 siblings, 1 reply; 16+ messages in thread
From: Richard W.M. Jones @ 2023-08-16 9:03 UTC (permalink / raw)
To: Stefano Brivio; +Cc: passt-dev, David Gibson
On Wed, Aug 16, 2023 at 08:00:32AM +0200, Stefano Brivio wrote:
> The Makefile installs symbolic links by default, which actually
> worked at some point (not by design) with SELinux, but at least on
> recent kernel versions it doesn't anymore: override pasta (and
> pasta.avx2) with hard links.
>
> Otherwise, even if the links are labeled as pasta_exec_t, SELinux
> will "resolve" them to passt_exec_t, and we'll have pasta running as
> passt_t instead of pasta_t.
The patch and this cover note don't seem to do the same thing. It
appears to copy the binary, not make a hard link. (The comment in the
spec file seems to be correct.)
It does appear to be possible to label symbolic links:
$ touch test1
$ chcon system_u:object_r:bin_t:s0 test1
$ ln -s test1 test2
$ chcon -h system_u:object_r:tmp_t:s0 test2
$ ll -Z test1 test2
-rw-r--r--. 1 rjones rjones system_u:object_r:bin_t:s0 0 Aug 16 10:00 test1
lrwxrwxrwx. 1 rjones rjones system_u:object_r:tmp_t:s0 5 Aug 16 10:00 test2 -> test1
(which surprised me). But I don't know if SELinux does the right
thing or not in this case, or if something has changed in the kernel,
so I can't comment if copying is right or not.
Rich.
> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
> ---
> contrib/fedora/passt.spec | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/contrib/fedora/passt.spec b/contrib/fedora/passt.spec
> index 8d28ef6..49b4860 100644
> --- a/contrib/fedora/passt.spec
> +++ b/contrib/fedora/passt.spec
> @@ -55,9 +55,13 @@ This package adds SELinux enforcement to passt(1) and pasta(1).
>
> %install
> %make_install DESTDIR=%{buildroot} prefix=%{_prefix} bindir=%{_bindir} mandir=%{_mandir} docdir=%{_docdir}/%{name}
> +# The Makefile simply links pasta to passt, but we need to copy the binary for
> +# SELinux file contexts to work as intended. Same with pasta.avx2 if present.
> +install -p -m 755 %{buildroot}%{_bindir}/passt %{buildroot}%{_bindir}/pasta
> %ifarch x86_64
> ln -sr %{buildroot}%{_mandir}/man1/passt.1 %{buildroot}%{_mandir}/man1/passt.avx2.1
> ln -sr %{buildroot}%{_mandir}/man1/pasta.1 %{buildroot}%{_mandir}/man1/pasta.avx2.1
> +install -p -m 755 %{buildroot}%{_bindir}/passt.avx2 %{buildroot}%{_bindir}/pasta.avx2
> %endif
>
> pushd contrib/selinux
> --
> 2.39.2
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
libguestfs lets you edit virtual machines. Supports shell scripting,
bindings from many languages. http://libguestfs.org
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH 1/7] fedora: Install pasta as hard link to ensure SELinux file context match
2023-08-16 9:03 ` Richard W.M. Jones
@ 2023-08-16 9:08 ` Stefano Brivio
0 siblings, 0 replies; 16+ messages in thread
From: Stefano Brivio @ 2023-08-16 9:08 UTC (permalink / raw)
To: Richard W.M. Jones; +Cc: passt-dev, David Gibson
On Wed, 16 Aug 2023 10:03:08 +0100
"Richard W.M. Jones" <rjones@redhat.com> wrote:
> On Wed, Aug 16, 2023 at 08:00:32AM +0200, Stefano Brivio wrote:
> > The Makefile installs symbolic links by default, which actually
> > worked at some point (not by design) with SELinux, but at least on
> > recent kernel versions it doesn't anymore: override pasta (and
> > pasta.avx2) with hard links.
> >
> > Otherwise, even if the links are labeled as pasta_exec_t, SELinux
> > will "resolve" them to passt_exec_t, and we'll have pasta running as
> > passt_t instead of pasta_t.
>
> The patch and this cover note don't seem to do the same thing. It
> appears to copy the binary, not make a hard link. (The comment in the
> spec file seems to be correct.)
Gosh, thanks for noticing, I sent out the wrong version. :/ That was
another option that luckily we can avoid with hard links. I'll re-post
in a bit.
With a copy, by the way, we would have duplicate build-IDs in the RPM,
and rpmtool would issue warnings (possibly problematic for debugging
packages, I'm not sure).
> It does appear to be possible to label symbolic links:
>
> $ touch test1
> $ chcon system_u:object_r:bin_t:s0 test1
> $ ln -s test1 test2
> $ chcon -h system_u:object_r:tmp_t:s0 test2
> $ ll -Z test1 test2
> -rw-r--r--. 1 rjones rjones system_u:object_r:bin_t:s0 0 Aug 16 10:00 test1
> lrwxrwxrwx. 1 rjones rjones system_u:object_r:tmp_t:s0 5 Aug 16 10:00 test2 -> test1
>
> (which surprised me). But I don't know if SELinux does the right
> thing or not in this case, or if something has changed in the kernel,
> so I can't comment if copying is right or not.
Right, yes, that's what we had before -- symbolic links with the
"right" labels, but it stopped working a while ago (bisecting not
really convenient, and it wasn't intended to work anyway, so whatever).
--
Stefano
^ permalink raw reply [flat|nested] 16+ messages in thread
* [PATCH 2/7] selinux: Use explicit paths for binaries in file context
2023-08-16 6:00 [PATCH 0/7] Extensive bandaging for SELinux policy issues, old and new Stefano Brivio
2023-08-16 6:00 ` [PATCH 1/7] fedora: Install pasta as hard link to ensure SELinux file context match Stefano Brivio
@ 2023-08-16 6:00 ` Stefano Brivio
2023-08-16 9:04 ` Richard W.M. Jones
2023-08-16 6:00 ` [PATCH 3/7] selinux: Fix user namespace creation after breaking kernel change Stefano Brivio
` (4 subsequent siblings)
6 siblings, 1 reply; 16+ messages in thread
From: Stefano Brivio @ 2023-08-16 6:00 UTC (permalink / raw)
To: passt-dev; +Cc: 'Richard W . M . Jones', David Gibson
There's no reason to use wildcards, and we don't want any
similarly-named binary (not that I'm aware of any) to risk being
associated to passt_exec_t and pasta_exec_t by accident.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
contrib/selinux/passt.fc | 3 ++-
contrib/selinux/pasta.fc | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/contrib/selinux/passt.fc b/contrib/selinux/passt.fc
index fb5b5d4..09bcaab 100644
--- a/contrib/selinux/passt.fc
+++ b/contrib/selinux/passt.fc
@@ -8,5 +8,6 @@
# Copyright (c) 2022 Red Hat GmbH
# Author: Stefano Brivio <sbrivio@redhat.com>
-/usr/bin/passt(\.*)? system_u:object_r:passt_exec_t:s0
+/usr/bin/passt system_u:object_r:passt_exec_t:s0
+/usr/bin/passt.avx2 system_u:object_r:passt_exec_t:s0
/tmp/passt\.pcap system_u:object_r:passt_log_t:s0
diff --git a/contrib/selinux/pasta.fc b/contrib/selinux/pasta.fc
index 2ffb41a..41ee46d 100644
--- a/contrib/selinux/pasta.fc
+++ b/contrib/selinux/pasta.fc
@@ -8,6 +8,7 @@
# Copyright (c) 2022 Red Hat GmbH
# Author: Stefano Brivio <sbrivio@redhat.com>
-/usr/bin/pasta(\.*)? system_u:object_r:pasta_exec_t:s0
+/usr/bin/pasta system_u:object_r:pasta_exec_t:s0
+/usr/bin/pasta.avx2 system_u:object_r:pasta_exec_t:s0
/tmp/pasta\.pcap system_u:object_r:pasta_log_t:s0
/var/run/pasta\.pid system_u:object_r:pasta_pid_t:s0
--
@@ -8,6 +8,7 @@
# Copyright (c) 2022 Red Hat GmbH
# Author: Stefano Brivio <sbrivio@redhat.com>
-/usr/bin/pasta(\.*)? system_u:object_r:pasta_exec_t:s0
+/usr/bin/pasta system_u:object_r:pasta_exec_t:s0
+/usr/bin/pasta.avx2 system_u:object_r:pasta_exec_t:s0
/tmp/pasta\.pcap system_u:object_r:pasta_log_t:s0
/var/run/pasta\.pid system_u:object_r:pasta_pid_t:s0
--
2.39.2
^ permalink raw reply related [flat|nested] 16+ messages in thread
* Re: [PATCH 2/7] selinux: Use explicit paths for binaries in file context
2023-08-16 6:00 ` [PATCH 2/7] selinux: Use explicit paths for binaries in file context Stefano Brivio
@ 2023-08-16 9:04 ` Richard W.M. Jones
0 siblings, 0 replies; 16+ messages in thread
From: Richard W.M. Jones @ 2023-08-16 9:04 UTC (permalink / raw)
To: Stefano Brivio; +Cc: passt-dev, David Gibson
On Wed, Aug 16, 2023 at 08:00:33AM +0200, Stefano Brivio wrote:
> There's no reason to use wildcards, and we don't want any
> similarly-named binary (not that I'm aware of any) to risk being
> associated to passt_exec_t and pasta_exec_t by accident.
>
> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
> ---
> contrib/selinux/passt.fc | 3 ++-
> contrib/selinux/pasta.fc | 3 ++-
> 2 files changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/contrib/selinux/passt.fc b/contrib/selinux/passt.fc
> index fb5b5d4..09bcaab 100644
> --- a/contrib/selinux/passt.fc
> +++ b/contrib/selinux/passt.fc
> @@ -8,5 +8,6 @@
> # Copyright (c) 2022 Red Hat GmbH
> # Author: Stefano Brivio <sbrivio@redhat.com>
>
> -/usr/bin/passt(\.*)? system_u:object_r:passt_exec_t:s0
> +/usr/bin/passt system_u:object_r:passt_exec_t:s0
> +/usr/bin/passt.avx2 system_u:object_r:passt_exec_t:s0
> /tmp/passt\.pcap system_u:object_r:passt_log_t:s0
> diff --git a/contrib/selinux/pasta.fc b/contrib/selinux/pasta.fc
> index 2ffb41a..41ee46d 100644
> --- a/contrib/selinux/pasta.fc
> +++ b/contrib/selinux/pasta.fc
> @@ -8,6 +8,7 @@
> # Copyright (c) 2022 Red Hat GmbH
> # Author: Stefano Brivio <sbrivio@redhat.com>
>
> -/usr/bin/pasta(\.*)? system_u:object_r:pasta_exec_t:s0
> +/usr/bin/pasta system_u:object_r:pasta_exec_t:s0
> +/usr/bin/pasta.avx2 system_u:object_r:pasta_exec_t:s0
> /tmp/pasta\.pcap system_u:object_r:pasta_log_t:s0
> /var/run/pasta\.pid system_u:object_r:pasta_pid_t:s0
Obviously better, so:
Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v
^ permalink raw reply [flat|nested] 16+ messages in thread
* [PATCH 3/7] selinux: Fix user namespace creation after breaking kernel change
2023-08-16 6:00 [PATCH 0/7] Extensive bandaging for SELinux policy issues, old and new Stefano Brivio
2023-08-16 6:00 ` [PATCH 1/7] fedora: Install pasta as hard link to ensure SELinux file context match Stefano Brivio
2023-08-16 6:00 ` [PATCH 2/7] selinux: Use explicit paths for binaries in file context Stefano Brivio
@ 2023-08-16 6:00 ` Stefano Brivio
2023-08-16 9:05 ` Richard W.M. Jones
2023-08-16 6:00 ` [PATCH 4/7] selinux: Update policy to fix user/group settings Stefano Brivio
` (3 subsequent siblings)
6 siblings, 1 reply; 16+ messages in thread
From: Stefano Brivio @ 2023-08-16 6:00 UTC (permalink / raw)
To: passt-dev; +Cc: 'Richard W . M . Jones', David Gibson
Kernel commit ed5d44d42c95 ("selinux: Implement userns_create hook")
seems to just introduce a new functionality, but given that SELinux
implements a form of mandatory access control, introducing the new
permission breaks any application (shipping with SELinux policies)
that needs to create user namespaces, such as passt and pasta for
sandboxing purposes.
Add the new 'allow' rules. They appear to be backward compatible,
kernel-wise, and the policy now requires the new 'user_namespace'
class to build, but that's something distributions already ship.
Reported-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
contrib/selinux/passt.te | 2 ++
contrib/selinux/pasta.te | 2 ++
2 files changed, 4 insertions(+)
diff --git a/contrib/selinux/passt.te b/contrib/selinux/passt.te
index 687ae40..5868a41 100644
--- a/contrib/selinux/passt.te
+++ b/contrib/selinux/passt.te
@@ -51,6 +51,7 @@ require {
class capability sys_tty_config;
class cap_userns { setpcap sys_admin sys_ptrace };
+ class user_namespace create;
}
type passt_t;
@@ -90,6 +91,7 @@ allow syslogd_t self:cap_userns sys_ptrace;
allow passt_t self:process setcap;
allow passt_t self:capability { sys_tty_config setpcap net_bind_service };
allow passt_t self:cap_userns { setpcap sys_admin sys_ptrace };
+allow passt_t self:user_namespace create;
allow passt_t proc_net_t:file read;
allow passt_t net_conf_t:file { open read };
diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te
index 367d09f..645ccee 100644
--- a/contrib/selinux/pasta.te
+++ b/contrib/selinux/pasta.te
@@ -80,6 +80,7 @@ require {
type init_t;
class cap_userns { setpcap sys_admin sys_ptrace net_bind_service net_admin };
+ class user_namespace create;
}
type pasta_t;
@@ -104,6 +105,7 @@ init_daemon_domain(pasta_t, pasta_exec_t)
allow pasta_t self:capability { setpcap net_bind_service sys_tty_config dac_read_search net_admin sys_resource };
allow pasta_t self:cap_userns { setpcap sys_admin sys_ptrace net_admin net_bind_service };
+allow pasta_t self:user_namespace create;
allow pasta_t bin_t:file { execute execute_no_trans map };
allow pasta_t nsfs_t:file { open read };
--
@@ -80,6 +80,7 @@ require {
type init_t;
class cap_userns { setpcap sys_admin sys_ptrace net_bind_service net_admin };
+ class user_namespace create;
}
type pasta_t;
@@ -104,6 +105,7 @@ init_daemon_domain(pasta_t, pasta_exec_t)
allow pasta_t self:capability { setpcap net_bind_service sys_tty_config dac_read_search net_admin sys_resource };
allow pasta_t self:cap_userns { setpcap sys_admin sys_ptrace net_admin net_bind_service };
+allow pasta_t self:user_namespace create;
allow pasta_t bin_t:file { execute execute_no_trans map };
allow pasta_t nsfs_t:file { open read };
--
2.39.2
^ permalink raw reply related [flat|nested] 16+ messages in thread
* Re: [PATCH 3/7] selinux: Fix user namespace creation after breaking kernel change
2023-08-16 6:00 ` [PATCH 3/7] selinux: Fix user namespace creation after breaking kernel change Stefano Brivio
@ 2023-08-16 9:05 ` Richard W.M. Jones
0 siblings, 0 replies; 16+ messages in thread
From: Richard W.M. Jones @ 2023-08-16 9:05 UTC (permalink / raw)
To: Stefano Brivio; +Cc: passt-dev, David Gibson
On Wed, Aug 16, 2023 at 08:00:34AM +0200, Stefano Brivio wrote:
> Kernel commit ed5d44d42c95 ("selinux: Implement userns_create hook")
> seems to just introduce a new functionality, but given that SELinux
> implements a form of mandatory access control, introducing the new
> permission breaks any application (shipping with SELinux policies)
> that needs to create user namespaces, such as passt and pasta for
> sandboxing purposes.
>
> Add the new 'allow' rules. They appear to be backward compatible,
> kernel-wise, and the policy now requires the new 'user_namespace'
> class to build, but that's something distributions already ship.
>
> Reported-by: Richard W.M. Jones <rjones@redhat.com>
> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
> ---
> contrib/selinux/passt.te | 2 ++
> contrib/selinux/pasta.te | 2 ++
> 2 files changed, 4 insertions(+)
>
> diff --git a/contrib/selinux/passt.te b/contrib/selinux/passt.te
> index 687ae40..5868a41 100644
> --- a/contrib/selinux/passt.te
> +++ b/contrib/selinux/passt.te
> @@ -51,6 +51,7 @@ require {
>
> class capability sys_tty_config;
> class cap_userns { setpcap sys_admin sys_ptrace };
> + class user_namespace create;
> }
>
> type passt_t;
> @@ -90,6 +91,7 @@ allow syslogd_t self:cap_userns sys_ptrace;
> allow passt_t self:process setcap;
> allow passt_t self:capability { sys_tty_config setpcap net_bind_service };
> allow passt_t self:cap_userns { setpcap sys_admin sys_ptrace };
> +allow passt_t self:user_namespace create;
>
> allow passt_t proc_net_t:file read;
> allow passt_t net_conf_t:file { open read };
> diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te
> index 367d09f..645ccee 100644
> --- a/contrib/selinux/pasta.te
> +++ b/contrib/selinux/pasta.te
> @@ -80,6 +80,7 @@ require {
> type init_t;
>
> class cap_userns { setpcap sys_admin sys_ptrace net_bind_service net_admin };
> + class user_namespace create;
> }
>
> type pasta_t;
> @@ -104,6 +105,7 @@ init_daemon_domain(pasta_t, pasta_exec_t)
>
> allow pasta_t self:capability { setpcap net_bind_service sys_tty_config dac_read_search net_admin sys_resource };
> allow pasta_t self:cap_userns { setpcap sys_admin sys_ptrace net_admin net_bind_service };
> +allow pasta_t self:user_namespace create;
>
> allow pasta_t bin_t:file { execute execute_no_trans map };
> allow pasta_t nsfs_t:file { open read };
Looks sensible:
Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v
^ permalink raw reply [flat|nested] 16+ messages in thread
* [PATCH 4/7] selinux: Update policy to fix user/group settings
2023-08-16 6:00 [PATCH 0/7] Extensive bandaging for SELinux policy issues, old and new Stefano Brivio
` (2 preceding siblings ...)
2023-08-16 6:00 ` [PATCH 3/7] selinux: Fix user namespace creation after breaking kernel change Stefano Brivio
@ 2023-08-16 6:00 ` Stefano Brivio
2023-08-16 9:06 ` Richard W.M. Jones
2023-08-16 6:00 ` [PATCH 5/7] selinux: Add rules for sysctl and /proc/net accesses Stefano Brivio
` (2 subsequent siblings)
6 siblings, 1 reply; 16+ messages in thread
From: Stefano Brivio @ 2023-08-16 6:00 UTC (permalink / raw)
To: passt-dev; +Cc: 'Richard W . M . Jones', David Gibson
Somehow most of this used to work on older kernels, but now we need
to explicitly permit setuid, setgid, and setcap capabilities, as well
as read-only access to passwd (as we support running under a given
login name) and sssd library facilities.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
contrib/selinux/passt.te | 7 +++++--
contrib/selinux/pasta.te | 8 ++++++--
2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/contrib/selinux/passt.te b/contrib/selinux/passt.te
index 5868a41..a0c0526 100644
--- a/contrib/selinux/passt.te
+++ b/contrib/selinux/passt.te
@@ -49,7 +49,7 @@ require {
class netlink_route_socket { bind create nlmsg_read };
- class capability sys_tty_config;
+ class capability { sys_tty_config setuid setgid };
class cap_userns { setpcap sys_admin sys_ptrace };
class user_namespace create;
}
@@ -89,10 +89,13 @@ logging_send_syslog_msg(passt_t)
allow syslogd_t self:cap_userns sys_ptrace;
allow passt_t self:process setcap;
-allow passt_t self:capability { sys_tty_config setpcap net_bind_service };
+allow passt_t self:capability { sys_tty_config setpcap net_bind_service setuid setgid};
allow passt_t self:cap_userns { setpcap sys_admin sys_ptrace };
allow passt_t self:user_namespace create;
+auth_read_passwd_file(passt_t)
+sssd_search_lib(passt_t)
+
allow passt_t proc_net_t:file read;
allow passt_t net_conf_t:file { open read };
allow passt_t net_conf_t:lnk_file read;
diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te
index 645ccee..28265dc 100644
--- a/contrib/selinux/pasta.te
+++ b/contrib/selinux/pasta.te
@@ -79,6 +79,7 @@ require {
type shell_exec_t;
type init_t;
+ class capability { sys_tty_config setuid setgid };
class cap_userns { setpcap sys_admin sys_ptrace net_bind_service net_admin };
class user_namespace create;
}
@@ -103,10 +104,13 @@ allow unconfined_t pasta_t : process transition ;
init_daemon_domain(pasta_t, pasta_exec_t)
-allow pasta_t self:capability { setpcap net_bind_service sys_tty_config dac_read_search net_admin sys_resource };
+allow pasta_t self:capability { setpcap net_bind_service sys_tty_config dac_read_search net_admin sys_resource setuid setgid };
allow pasta_t self:cap_userns { setpcap sys_admin sys_ptrace net_admin net_bind_service };
allow pasta_t self:user_namespace create;
+auth_read_passwd_file(pasta_t)
+sssd_search_lib(pasta_t)
+
allow pasta_t bin_t:file { execute execute_no_trans map };
allow pasta_t nsfs_t:file { open read };
@@ -162,7 +166,7 @@ allow pasta_t unconfined_t:dir search;
allow pasta_t unconfined_t:file read;
allow pasta_t unconfined_t:lnk_file read;
allow pasta_t passwd_file_t:file { getattr open read };
-allow pasta_t self:process setpgid;
+allow pasta_t self:process { setpgid setcap };
allow pasta_t shell_exec_t:file { execute execute_no_trans map };
allow pasta_t sssd_var_lib_t:dir search;
--
@@ -79,6 +79,7 @@ require {
type shell_exec_t;
type init_t;
+ class capability { sys_tty_config setuid setgid };
class cap_userns { setpcap sys_admin sys_ptrace net_bind_service net_admin };
class user_namespace create;
}
@@ -103,10 +104,13 @@ allow unconfined_t pasta_t : process transition ;
init_daemon_domain(pasta_t, pasta_exec_t)
-allow pasta_t self:capability { setpcap net_bind_service sys_tty_config dac_read_search net_admin sys_resource };
+allow pasta_t self:capability { setpcap net_bind_service sys_tty_config dac_read_search net_admin sys_resource setuid setgid };
allow pasta_t self:cap_userns { setpcap sys_admin sys_ptrace net_admin net_bind_service };
allow pasta_t self:user_namespace create;
+auth_read_passwd_file(pasta_t)
+sssd_search_lib(pasta_t)
+
allow pasta_t bin_t:file { execute execute_no_trans map };
allow pasta_t nsfs_t:file { open read };
@@ -162,7 +166,7 @@ allow pasta_t unconfined_t:dir search;
allow pasta_t unconfined_t:file read;
allow pasta_t unconfined_t:lnk_file read;
allow pasta_t passwd_file_t:file { getattr open read };
-allow pasta_t self:process setpgid;
+allow pasta_t self:process { setpgid setcap };
allow pasta_t shell_exec_t:file { execute execute_no_trans map };
allow pasta_t sssd_var_lib_t:dir search;
--
2.39.2
^ permalink raw reply related [flat|nested] 16+ messages in thread
* Re: [PATCH 4/7] selinux: Update policy to fix user/group settings
2023-08-16 6:00 ` [PATCH 4/7] selinux: Update policy to fix user/group settings Stefano Brivio
@ 2023-08-16 9:06 ` Richard W.M. Jones
0 siblings, 0 replies; 16+ messages in thread
From: Richard W.M. Jones @ 2023-08-16 9:06 UTC (permalink / raw)
To: Stefano Brivio; +Cc: passt-dev, David Gibson
On Wed, Aug 16, 2023 at 08:00:35AM +0200, Stefano Brivio wrote:
> Somehow most of this used to work on older kernels, but now we need
> to explicitly permit setuid, setgid, and setcap capabilities, as well
> as read-only access to passwd (as we support running under a given
> login name) and sssd library facilities.
>
> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
> ---
> contrib/selinux/passt.te | 7 +++++--
> contrib/selinux/pasta.te | 8 ++++++--
> 2 files changed, 11 insertions(+), 4 deletions(-)
>
> diff --git a/contrib/selinux/passt.te b/contrib/selinux/passt.te
> index 5868a41..a0c0526 100644
> --- a/contrib/selinux/passt.te
> +++ b/contrib/selinux/passt.te
> @@ -49,7 +49,7 @@ require {
>
> class netlink_route_socket { bind create nlmsg_read };
>
> - class capability sys_tty_config;
> + class capability { sys_tty_config setuid setgid };
> class cap_userns { setpcap sys_admin sys_ptrace };
> class user_namespace create;
> }
> @@ -89,10 +89,13 @@ logging_send_syslog_msg(passt_t)
> allow syslogd_t self:cap_userns sys_ptrace;
>
> allow passt_t self:process setcap;
> -allow passt_t self:capability { sys_tty_config setpcap net_bind_service };
> +allow passt_t self:capability { sys_tty_config setpcap net_bind_service setuid setgid};
> allow passt_t self:cap_userns { setpcap sys_admin sys_ptrace };
> allow passt_t self:user_namespace create;
>
> +auth_read_passwd_file(passt_t)
> +sssd_search_lib(passt_t)
> +
> allow passt_t proc_net_t:file read;
> allow passt_t net_conf_t:file { open read };
> allow passt_t net_conf_t:lnk_file read;
> diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te
> index 645ccee..28265dc 100644
> --- a/contrib/selinux/pasta.te
> +++ b/contrib/selinux/pasta.te
> @@ -79,6 +79,7 @@ require {
> type shell_exec_t;
> type init_t;
>
> + class capability { sys_tty_config setuid setgid };
> class cap_userns { setpcap sys_admin sys_ptrace net_bind_service net_admin };
> class user_namespace create;
> }
> @@ -103,10 +104,13 @@ allow unconfined_t pasta_t : process transition ;
>
> init_daemon_domain(pasta_t, pasta_exec_t)
>
> -allow pasta_t self:capability { setpcap net_bind_service sys_tty_config dac_read_search net_admin sys_resource };
> +allow pasta_t self:capability { setpcap net_bind_service sys_tty_config dac_read_search net_admin sys_resource setuid setgid };
> allow pasta_t self:cap_userns { setpcap sys_admin sys_ptrace net_admin net_bind_service };
> allow pasta_t self:user_namespace create;
>
> +auth_read_passwd_file(pasta_t)
> +sssd_search_lib(pasta_t)
> +
> allow pasta_t bin_t:file { execute execute_no_trans map };
> allow pasta_t nsfs_t:file { open read };
>
> @@ -162,7 +166,7 @@ allow pasta_t unconfined_t:dir search;
> allow pasta_t unconfined_t:file read;
> allow pasta_t unconfined_t:lnk_file read;
> allow pasta_t passwd_file_t:file { getattr open read };
> -allow pasta_t self:process setpgid;
> +allow pasta_t self:process { setpgid setcap };
> allow pasta_t shell_exec_t:file { execute execute_no_trans map };
>
> allow pasta_t sssd_var_lib_t:dir search;
Usual kind of SELinux churn as new features are added so:
Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
nbdkit - Flexible, fast NBD server with plugins
https://gitlab.com/nbdkit/nbdkit
^ permalink raw reply [flat|nested] 16+ messages in thread
* [PATCH 5/7] selinux: Add rules for sysctl and /proc/net accesses
2023-08-16 6:00 [PATCH 0/7] Extensive bandaging for SELinux policy issues, old and new Stefano Brivio
` (3 preceding siblings ...)
2023-08-16 6:00 ` [PATCH 4/7] selinux: Update policy to fix user/group settings Stefano Brivio
@ 2023-08-16 6:00 ` Stefano Brivio
2023-08-16 9:10 ` Richard W.M. Jones
2023-08-16 6:00 ` [PATCH 6/7] selinux: Allow pasta_t to read nsfs entries Stefano Brivio
2023-08-16 6:00 ` [PATCH 7/7] selinux: Fix domain transitions for typical commands pasta might run Stefano Brivio
6 siblings, 1 reply; 16+ messages in thread
From: Stefano Brivio @ 2023-08-16 6:00 UTC (permalink / raw)
To: passt-dev; +Cc: 'Richard W . M . Jones', David Gibson
That's what we actually need to check networking-related sysctls,
to scan for bound ports, and to manipulate bits of network
configuration inside pasta's target namespaces.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
contrib/selinux/passt.te | 1 +
contrib/selinux/pasta.te | 3 +++
2 files changed, 4 insertions(+)
diff --git a/contrib/selinux/passt.te b/contrib/selinux/passt.te
index a0c0526..948d1b1 100644
--- a/contrib/selinux/passt.te
+++ b/contrib/selinux/passt.te
@@ -101,6 +101,7 @@ allow passt_t net_conf_t:file { open read };
allow passt_t net_conf_t:lnk_file read;
allow passt_t tmp_t:sock_file { create unlink write };
allow passt_t self:netlink_route_socket { bind create nlmsg_read read write setopt };
+kernel_search_network_sysctl(passt_t)
corenet_tcp_bind_all_nodes(passt_t)
corenet_udp_bind_all_nodes(passt_t)
diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te
index 28265dc..b3ddc6a 100644
--- a/contrib/selinux/pasta.te
+++ b/contrib/selinux/pasta.te
@@ -133,6 +133,7 @@ allow syslogd_t self:cap_userns sys_ptrace;
allow pasta_t proc_net_t:file { open read };
allow pasta_t net_conf_t:file { open read };
allow pasta_t self:netlink_route_socket { bind create nlmsg_read nlmsg_write setopt read write };
+kernel_search_network_sysctl(pasta_t)
allow pasta_t tmp_t:sock_file { create unlink write };
@@ -186,4 +187,6 @@ allow pasta_t sysctl_net_t:dir search;
allow pasta_t sysctl_net_t:file { open write };
allow pasta_t kernel_t:system module_request;
+allow pasta_t net_conf_t:lnk_file read;
+allow pasta_t proc_net_t:lnk_file read;
--
@@ -133,6 +133,7 @@ allow syslogd_t self:cap_userns sys_ptrace;
allow pasta_t proc_net_t:file { open read };
allow pasta_t net_conf_t:file { open read };
allow pasta_t self:netlink_route_socket { bind create nlmsg_read nlmsg_write setopt read write };
+kernel_search_network_sysctl(pasta_t)
allow pasta_t tmp_t:sock_file { create unlink write };
@@ -186,4 +187,6 @@ allow pasta_t sysctl_net_t:dir search;
allow pasta_t sysctl_net_t:file { open write };
allow pasta_t kernel_t:system module_request;
+allow pasta_t net_conf_t:lnk_file read;
+allow pasta_t proc_net_t:lnk_file read;
--
2.39.2
^ permalink raw reply related [flat|nested] 16+ messages in thread
* Re: [PATCH 5/7] selinux: Add rules for sysctl and /proc/net accesses
2023-08-16 6:00 ` [PATCH 5/7] selinux: Add rules for sysctl and /proc/net accesses Stefano Brivio
@ 2023-08-16 9:10 ` Richard W.M. Jones
0 siblings, 0 replies; 16+ messages in thread
From: Richard W.M. Jones @ 2023-08-16 9:10 UTC (permalink / raw)
To: Stefano Brivio; +Cc: passt-dev, David Gibson
On Wed, Aug 16, 2023 at 08:00:36AM +0200, Stefano Brivio wrote:
> That's what we actually need to check networking-related sysctls,
> to scan for bound ports, and to manipulate bits of network
> configuration inside pasta's target namespaces.
>
> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
> ---
> contrib/selinux/passt.te | 1 +
> contrib/selinux/pasta.te | 3 +++
> 2 files changed, 4 insertions(+)
>
> diff --git a/contrib/selinux/passt.te b/contrib/selinux/passt.te
> index a0c0526..948d1b1 100644
> --- a/contrib/selinux/passt.te
> +++ b/contrib/selinux/passt.te
> @@ -101,6 +101,7 @@ allow passt_t net_conf_t:file { open read };
> allow passt_t net_conf_t:lnk_file read;
> allow passt_t tmp_t:sock_file { create unlink write };
> allow passt_t self:netlink_route_socket { bind create nlmsg_read read write setopt };
> +kernel_search_network_sysctl(passt_t)
>
> corenet_tcp_bind_all_nodes(passt_t)
> corenet_udp_bind_all_nodes(passt_t)
> diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te
> index 28265dc..b3ddc6a 100644
> --- a/contrib/selinux/pasta.te
> +++ b/contrib/selinux/pasta.te
> @@ -133,6 +133,7 @@ allow syslogd_t self:cap_userns sys_ptrace;
> allow pasta_t proc_net_t:file { open read };
> allow pasta_t net_conf_t:file { open read };
> allow pasta_t self:netlink_route_socket { bind create nlmsg_read nlmsg_write setopt read write };
> +kernel_search_network_sysctl(pasta_t)
>
> allow pasta_t tmp_t:sock_file { create unlink write };
>
> @@ -186,4 +187,6 @@ allow pasta_t sysctl_net_t:dir search;
> allow pasta_t sysctl_net_t:file { open write };
> allow pasta_t kernel_t:system module_request;
>
> +allow pasta_t net_conf_t:lnk_file read;
> +allow pasta_t proc_net_t:lnk_file read;
Acked-by: Richard W.M. Jones <rjones@redhat.com>
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
Fedora Windows cross-compiler. Compile Windows programs, test, and
build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW
^ permalink raw reply [flat|nested] 16+ messages in thread
* [PATCH 6/7] selinux: Allow pasta_t to read nsfs entries
2023-08-16 6:00 [PATCH 0/7] Extensive bandaging for SELinux policy issues, old and new Stefano Brivio
` (4 preceding siblings ...)
2023-08-16 6:00 ` [PATCH 5/7] selinux: Add rules for sysctl and /proc/net accesses Stefano Brivio
@ 2023-08-16 6:00 ` Stefano Brivio
2023-08-16 9:10 ` Richard W.M. Jones
2023-08-16 6:00 ` [PATCH 7/7] selinux: Fix domain transitions for typical commands pasta might run Stefano Brivio
6 siblings, 1 reply; 16+ messages in thread
From: Stefano Brivio @ 2023-08-16 6:00 UTC (permalink / raw)
To: passt-dev; +Cc: 'Richard W . M . Jones', David Gibson
This is needed to monitor filesystem-bound namespaces and quit when
they're gone -- this feature never really worked with SELinux.
Fixes: 745a9ba4284c ("pasta: By default, quit if filesystem-bound net namespace goes away")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
contrib/selinux/pasta.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te
index b3ddc6a..31e82dc 100644
--- a/contrib/selinux/pasta.te
+++ b/contrib/selinux/pasta.te
@@ -187,6 +187,8 @@ allow pasta_t sysctl_net_t:dir search;
allow pasta_t sysctl_net_t:file { open write };
allow pasta_t kernel_t:system module_request;
+allow pasta_t nsfs_t:file read;
+
allow pasta_t net_conf_t:lnk_file read;
allow pasta_t proc_net_t:lnk_file read;
--
@@ -187,6 +187,8 @@ allow pasta_t sysctl_net_t:dir search;
allow pasta_t sysctl_net_t:file { open write };
allow pasta_t kernel_t:system module_request;
+allow pasta_t nsfs_t:file read;
+
allow pasta_t net_conf_t:lnk_file read;
allow pasta_t proc_net_t:lnk_file read;
--
2.39.2
^ permalink raw reply related [flat|nested] 16+ messages in thread
* Re: [PATCH 6/7] selinux: Allow pasta_t to read nsfs entries
2023-08-16 6:00 ` [PATCH 6/7] selinux: Allow pasta_t to read nsfs entries Stefano Brivio
@ 2023-08-16 9:10 ` Richard W.M. Jones
0 siblings, 0 replies; 16+ messages in thread
From: Richard W.M. Jones @ 2023-08-16 9:10 UTC (permalink / raw)
To: Stefano Brivio; +Cc: passt-dev, David Gibson
On Wed, Aug 16, 2023 at 08:00:37AM +0200, Stefano Brivio wrote:
> This is needed to monitor filesystem-bound namespaces and quit when
> they're gone -- this feature never really worked with SELinux.
>
> Fixes: 745a9ba4284c ("pasta: By default, quit if filesystem-bound net namespace goes away")
> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
> ---
> contrib/selinux/pasta.te | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te
> index b3ddc6a..31e82dc 100644
> --- a/contrib/selinux/pasta.te
> +++ b/contrib/selinux/pasta.te
> @@ -187,6 +187,8 @@ allow pasta_t sysctl_net_t:dir search;
> allow pasta_t sysctl_net_t:file { open write };
> allow pasta_t kernel_t:system module_request;
>
> +allow pasta_t nsfs_t:file read;
> +
> allow pasta_t net_conf_t:lnk_file read;
> allow pasta_t proc_net_t:lnk_file read;
Acked-by: Richard W.M. Jones <rjones@redhat.com>
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v
^ permalink raw reply [flat|nested] 16+ messages in thread
* [PATCH 7/7] selinux: Fix domain transitions for typical commands pasta might run
2023-08-16 6:00 [PATCH 0/7] Extensive bandaging for SELinux policy issues, old and new Stefano Brivio
` (5 preceding siblings ...)
2023-08-16 6:00 ` [PATCH 6/7] selinux: Allow pasta_t to read nsfs entries Stefano Brivio
@ 2023-08-16 6:00 ` Stefano Brivio
2023-08-16 9:12 ` Richard W.M. Jones
6 siblings, 1 reply; 16+ messages in thread
From: Stefano Brivio @ 2023-08-16 6:00 UTC (permalink / raw)
To: passt-dev; +Cc: 'Richard W . M . Jones', David Gibson
...now it gets ugly. If we use pasta without an existing target
namespace, and run commands directly or spawn a shell, and keep
the pasta_t domain when we do, they won't be able to do much: a
shell might even start, but it's not going to be usable, or to
even display a prompt.
Ideally, pasta should behave like a shell when it spawns a command:
start as unconfined_t and automatically transition to whatever
domain is associated in the specific policy for that command. But
we can't run as unconfined_t, of course.
It would seem natural to switch to unconfined_t "just before", so
that the default transitions happen. But transitions can only happen
when we execvp(), and that's one single transition -- not two.
That is, this approach would work for:
pasta -- sh -c 'ip address show'
but not for:
pasta -- ip address show
If we configure a transition to unconfined_t when we run ip(8), we'll
really try to start that as unconfined_t -- but unconfined_t isn't
allowed as entrypoint for ip(8) itself, and execvp() will fail.
However, there aren't many different types of binaries pasta might
commonly run -- for example, we're unlikely to see pasta used to run
a mount(8) command.
Explicitly set up domain transition for common stuff -- switching to
unconfined_t for bin_t and shells works just fine, ip(8), ping(8),
arping(8) and similar need a different treatment.
While at it, allow commands we spawn to inherit resource limits and
signal masks, because that's what happens by default, and don't
require AT_SECURE sanitisation of the environment (because that
won't happen by default). Slightly unrelated: we also need to
explicitly allow pasta_t to use TTYs, not just PTYs, otherwise
we can't keep stdin and stdout open for shells.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
contrib/selinux/pasta.te | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te
index 31e82dc..c37a847 100644
--- a/contrib/selinux/pasta.te
+++ b/contrib/selinux/pasta.te
@@ -51,6 +51,7 @@ require {
type tun_tap_device_t;
type sysctl_net_t;
class tun_socket create;
+ type user_tty_device_t;
attribute port_type;
type port_t;
@@ -77,6 +78,11 @@ require {
type kernel_t;
class process setpgid;
type shell_exec_t;
+ type ifconfig_exec_t;
+ type netutils_exec_t;
+ type ping_exec_t;
+ type ifconfig_t;
+ type ping_t;
type init_t;
class capability { sys_tty_config setuid setgid };
@@ -111,7 +117,12 @@ allow pasta_t self:user_namespace create;
auth_read_passwd_file(pasta_t)
sssd_search_lib(pasta_t)
-allow pasta_t bin_t:file { execute execute_no_trans map };
+domain_auto_trans(pasta_t, bin_t, unconfined_t);
+domain_auto_trans(pasta_t, shell_exec_t, unconfined_t);
+domain_auto_trans(pasta_t, ifconfig_exec_t, ifconfig_t);
+domain_auto_trans(pasta_t, netutils_exec_t, netutils_t);
+domain_auto_trans(pasta_t, ping_exec_t, ping_t);
+
allow pasta_t nsfs_t:file { open read };
allow pasta_t user_home_t:dir getattr;
@@ -192,3 +203,8 @@ allow pasta_t nsfs_t:file read;
allow pasta_t net_conf_t:lnk_file read;
allow pasta_t proc_net_t:lnk_file read;
+allow pasta_t unconfined_t:process { noatsecure rlimitinh siginh };
+allow pasta_t ifconfig_t:process { noatsecure rlimitinh siginh };
+allow pasta_t netutils_t:process { noatsecure rlimitinh siginh };
+allow pasta_t ping_t:process { noatsecure rlimitinh siginh };
+allow pasta_t user_tty_device_t:chr_file { append read write };
--
@@ -51,6 +51,7 @@ require {
type tun_tap_device_t;
type sysctl_net_t;
class tun_socket create;
+ type user_tty_device_t;
attribute port_type;
type port_t;
@@ -77,6 +78,11 @@ require {
type kernel_t;
class process setpgid;
type shell_exec_t;
+ type ifconfig_exec_t;
+ type netutils_exec_t;
+ type ping_exec_t;
+ type ifconfig_t;
+ type ping_t;
type init_t;
class capability { sys_tty_config setuid setgid };
@@ -111,7 +117,12 @@ allow pasta_t self:user_namespace create;
auth_read_passwd_file(pasta_t)
sssd_search_lib(pasta_t)
-allow pasta_t bin_t:file { execute execute_no_trans map };
+domain_auto_trans(pasta_t, bin_t, unconfined_t);
+domain_auto_trans(pasta_t, shell_exec_t, unconfined_t);
+domain_auto_trans(pasta_t, ifconfig_exec_t, ifconfig_t);
+domain_auto_trans(pasta_t, netutils_exec_t, netutils_t);
+domain_auto_trans(pasta_t, ping_exec_t, ping_t);
+
allow pasta_t nsfs_t:file { open read };
allow pasta_t user_home_t:dir getattr;
@@ -192,3 +203,8 @@ allow pasta_t nsfs_t:file read;
allow pasta_t net_conf_t:lnk_file read;
allow pasta_t proc_net_t:lnk_file read;
+allow pasta_t unconfined_t:process { noatsecure rlimitinh siginh };
+allow pasta_t ifconfig_t:process { noatsecure rlimitinh siginh };
+allow pasta_t netutils_t:process { noatsecure rlimitinh siginh };
+allow pasta_t ping_t:process { noatsecure rlimitinh siginh };
+allow pasta_t user_tty_device_t:chr_file { append read write };
--
2.39.2
^ permalink raw reply related [flat|nested] 16+ messages in thread
* Re: [PATCH 7/7] selinux: Fix domain transitions for typical commands pasta might run
2023-08-16 6:00 ` [PATCH 7/7] selinux: Fix domain transitions for typical commands pasta might run Stefano Brivio
@ 2023-08-16 9:12 ` Richard W.M. Jones
0 siblings, 0 replies; 16+ messages in thread
From: Richard W.M. Jones @ 2023-08-16 9:12 UTC (permalink / raw)
To: Stefano Brivio; +Cc: passt-dev, David Gibson
On Wed, Aug 16, 2023 at 08:00:38AM +0200, Stefano Brivio wrote:
> ...now it gets ugly. If we use pasta without an existing target
> namespace, and run commands directly or spawn a shell, and keep
> the pasta_t domain when we do, they won't be able to do much: a
> shell might even start, but it's not going to be usable, or to
> even display a prompt.
>
> Ideally, pasta should behave like a shell when it spawns a command:
> start as unconfined_t and automatically transition to whatever
> domain is associated in the specific policy for that command. But
> we can't run as unconfined_t, of course.
>
> It would seem natural to switch to unconfined_t "just before", so
> that the default transitions happen. But transitions can only happen
> when we execvp(), and that's one single transition -- not two.
>
> That is, this approach would work for:
>
> pasta -- sh -c 'ip address show'
>
> but not for:
>
> pasta -- ip address show
>
> If we configure a transition to unconfined_t when we run ip(8), we'll
> really try to start that as unconfined_t -- but unconfined_t isn't
> allowed as entrypoint for ip(8) itself, and execvp() will fail.
>
> However, there aren't many different types of binaries pasta might
> commonly run -- for example, we're unlikely to see pasta used to run
> a mount(8) command.
>
> Explicitly set up domain transition for common stuff -- switching to
> unconfined_t for bin_t and shells works just fine, ip(8), ping(8),
> arping(8) and similar need a different treatment.
>
> While at it, allow commands we spawn to inherit resource limits and
> signal masks, because that's what happens by default, and don't
> require AT_SECURE sanitisation of the environment (because that
> won't happen by default). Slightly unrelated: we also need to
> explicitly allow pasta_t to use TTYs, not just PTYs, otherwise
> we can't keep stdin and stdout open for shells.
>
> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
> ---
> contrib/selinux/pasta.te | 18 +++++++++++++++++-
> 1 file changed, 17 insertions(+), 1 deletion(-)
>
> diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te
> index 31e82dc..c37a847 100644
> --- a/contrib/selinux/pasta.te
> +++ b/contrib/selinux/pasta.te
> @@ -51,6 +51,7 @@ require {
> type tun_tap_device_t;
> type sysctl_net_t;
> class tun_socket create;
> + type user_tty_device_t;
>
> attribute port_type;
> type port_t;
> @@ -77,6 +78,11 @@ require {
> type kernel_t;
> class process setpgid;
> type shell_exec_t;
> + type ifconfig_exec_t;
> + type netutils_exec_t;
> + type ping_exec_t;
> + type ifconfig_t;
> + type ping_t;
> type init_t;
>
> class capability { sys_tty_config setuid setgid };
> @@ -111,7 +117,12 @@ allow pasta_t self:user_namespace create;
> auth_read_passwd_file(pasta_t)
> sssd_search_lib(pasta_t)
>
> -allow pasta_t bin_t:file { execute execute_no_trans map };
> +domain_auto_trans(pasta_t, bin_t, unconfined_t);
> +domain_auto_trans(pasta_t, shell_exec_t, unconfined_t);
> +domain_auto_trans(pasta_t, ifconfig_exec_t, ifconfig_t);
> +domain_auto_trans(pasta_t, netutils_exec_t, netutils_t);
> +domain_auto_trans(pasta_t, ping_exec_t, ping_t);
> +
> allow pasta_t nsfs_t:file { open read };
>
> allow pasta_t user_home_t:dir getattr;
> @@ -192,3 +203,8 @@ allow pasta_t nsfs_t:file read;
> allow pasta_t net_conf_t:lnk_file read;
> allow pasta_t proc_net_t:lnk_file read;
>
> +allow pasta_t unconfined_t:process { noatsecure rlimitinh siginh };
> +allow pasta_t ifconfig_t:process { noatsecure rlimitinh siginh };
> +allow pasta_t netutils_t:process { noatsecure rlimitinh siginh };
> +allow pasta_t ping_t:process { noatsecure rlimitinh siginh };
> +allow pasta_t user_tty_device_t:chr_file { append read write };
No idea about this one, probably best to ask someone from the SELinux
group at Red Hat about it ...
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-top is 'top' for virtual machines. Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top
^ permalink raw reply [flat|nested] 16+ messages in thread