Gentoo Archives: gentoo-hardened

From: Sven Vermeulen <swift@g.o>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] Selinux: /bin/su and pam_selinux
Date: Tue, 24 Jan 2017 15:50:21
Message-Id: 20170124155018.GA25970@gentoo.org
In Reply to: [gentoo-hardened] Selinux: /bin/su and pam_selinux by Robert Sharp
On Sat, Jan 21, 2017 at 06:04:51PM +0000, Robert Sharp wrote:
> AIM - to be able to su to root and switch off strict mode in case
> something goes wrong. I was using newrole but I kept forgetting so I am
> trying to use pam_selinux to change the role to sysadm_r. I followed
> the instructions given at
> [1]http://blog.siphos.be/2013/04/how-logins-get-their-selinux-user-context/
> in general, but I had to do some research to find out how to apply
> them for /bin/su.

Generally, such a change is best implemented through sudo rather than su.
With sudo, you have more control over role and type switching as well
(sudo is SELinux-aware, and not just through its PAM support).

Would that be an option for you? If not, then let's get into the details of
what you are noticing further...

> The answer was in su.if, added to the "su_role_template" interface. I
> then spent some time figuring out how to get the roles/sysadm module to
> use my modified interface (put it in the same directory) and it
> generally seemed to work. I got a few extra AVCs but I ended up with
> the following:
>
> optional_policy(`
>     domain_subj_id_change_exemption($1_su_t)
>     domain_role_change_exemption($1_su_t)
>     selinux_validate_context($1_su_t)
>     selinux_compute_access_vector($1_su_t)
>     selinux_compute_create_context($1_su_t)
>     selinux_compute_relabel_context($1_su_t)
>     selinux_compute_user_contexts($1_su_t)
>     seutil_read_config($1_su_t)
>     seutil_read_default_contexts($1_su_t)
>     userdom_relabelto_user_ptys($1_su_t)
>     userdom_dontaudit_relabelfrom_user_ptys($1_su_t)
>     userdom_use_user_ptys($1_su_t)
>     allow $1_su_t self:process setkeycreate;
>     allow $1_su_t $3:key manage_key_perms;
> ')

Note that, with this in place, you might be granting more people than you
originally intended to gain certain privileges.

> The PROBLEM: I still get two AVCs that I don't think I should be
> getting:
>
> type=PROCTITLE msg=audit(1485020695.038:10367):
> proctitle=2F62696E2F7375002D
> type=PATH msg=audit(1485020695.038:10367): item=0 name="/dev/pts/3"
> inode=6 dev=00:12 mode=020620 ouid=501 ogid=5 rdev=88:03
> obj=staff_u:object_r:user_devpts_t nametype=NORMAL
> type=CWD msg=audit(1485020695.038:10367):
> cwd="/home/robert/selinux/sysadm"
> type=SYSCALL msg=audit(1485020695.038:10367): arch=c000003e
> syscall=188 success=yes exit=0 a0=375183c820 a1=3817fb1fcaa
> a2=375183bce0 a3=1c items=1 ppid=17744 pid=20374
> auid=4294967295 uid=501 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=pts3
> ses=4294967295 comm="su" exe="/bin/su"
> subj=staff_u:sysadm_r:sysadm_su_t key=(null)
> type=AVC msg=audit(1485020695.038:10367): avc: denied { relabelto
> } for pid=20374 comm="su" name="3" dev="devpts" ino=6
> scontext=staff_u:sysadm_r:sysadm_su_t
> tcontext=root:object_r:user_devpts_t tclass=chr_file permissive=1
> ----
> type=AVC msg=audit(1485020695.038:10368): avc: denied { create }
> for pid=20374 comm="su" scontext=staff_u:sysadm_r:sysadm_su_t
> tcontext=root:sysadm_r:sysadm_t tclass=key permissive=1
>
> I double checked that I had corresponding rules to allow these:
>
> # sesearch -s sysadm_su_t -t user_devpts_t -A
> allow sysadm_su_t user_devpts_t:chr_file { read getattr write ioctl
> relabelto open append };
>
> # sesearch -s sysadm_su_t -t sysadm_t -c key -A
> allow sysadm_su_t sysadm_t:key { search setattr read create write
> link view };
>
> So I really cannot see why I am getting these AVCs. I keep looking at
> the scripts, the rules and the AVCs to see if I have done something
> stupid, but I cannot see it. I have started making fairly arbitrary
> changes to see if I can make it go away but I am just wasting time
> really. If I cannot figure this out I suspect I will be ditching
> pam_selinux and reverting to explicitly issuing newrole. I guess with
> strict on I will quickly be reminded that I have forgotten to change
> roles anyway.

As was mentioned in the thread already, this might be UBAC-related.

Wkr,
Sven Vermeulen
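As an added illustration of the UBAC point (example code written for this page, not from the thread, Gentoo or refpolicy): the script below parses the two AVC records quoted above together with the allow rules from the sesearch output, and reports that type enforcement permits both accesses while the SELinux user of the source (staff_u) differs from that of the target (root), which is consistent with a constraint denial and is exactly what sesearch -A cannot reveal. The one-line AVC copies and the rule table are hand-transcribed from the thread and stand in for querying the loaded policy.

```python
import re
# Constructed one-line copies of the two AVC records quoted in the thread.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1485020695.038:10367): avc: denied { relabelto } for pid=20374 '
    'comm="su" name="3" dev="devpts" ino=6 scontext=staff_u:sysadm_r:sysadm_su_t '
    'tcontext=root:object_r:user_devpts_t tclass=chr_file permissive=1',
    'type=AVC msg=audit(1485020695.038:10368): avc: denied { create } for pid=20374 '
    'comm="su" scontext=staff_u:sysadm_r:sysadm_su_t tcontext=root:sysadm_r:sysadm_t '
    'tclass=key permissive=1',
]

# Type-enforcement allow rules transcribed from the sesearch output in the thread
# (hand-copied assumption; a real check would query sesearch on the loaded policy).
ALLOW_RULES = {
    ('sysadm_su_t', 'user_devpts_t', 'chr_file'):
        {'read', 'getattr', 'write', 'ioctl', 'relabelto', 'open', 'append'},
    ('sysadm_su_t', 'sysadm_t', 'key'):
        {'search', 'setattr', 'read', 'create', 'write', 'link', 'view'},
}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def parse_avc(line):
    """Return the denied permissions, class and user/type of both contexts, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    suser, _srole, stype = m.group('scon').split(':')[:3]
    tuser, _trole, ttype = m.group('tcon').split(':')[:3]
    return {'perms': set(m.group('perms').split()), 'tclass': m.group('tclass'),
            'suser': suser, 'stype': stype, 'tuser': tuser, 'ttype': ttype}

def diagnose(line, rules=ALLOW_RULES):
    """Classify a denial: an allow rule is missing, or the rule exists but the SELinux
    users differ (the pattern a UBAC constraint yields; constraints are not allow rules)."""
    rec = parse_avc(line)
    if rec is None:
        return 'not-an-avc'
    missing = rec['perms'] - rules.get((rec['stype'], rec['ttype'], rec['tclass']), set())
    if missing:
        return 'missing-allow:' + ','.join(sorted(missing))
    if rec['suser'] != rec['tuser']:
        return 'te-allowed-but-seuser-mismatch:%s!=%s' % (rec['suser'], rec['tuser'])
    return 'te-allowed-check-other-constraints'

for avc in SAMPLE_AVCS:
    print(diagnose(avc))  # both: te-allowed-but-seuser-mismatch:staff_u!=root
```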