Gentoo Archives: gentoo-hardened

From: Robert Sharp <selinux@×××××××××××××××.org>
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] Selinux: /bin/su and pam_selinux
Date: Sat, 21 Jan 2017 18:05:02
Message-Id: 9be896e1-beae-f94b-800f-d10f7862c67d@sharp.homelinux.org
1 Hi,
2
3 I have been wrestling with a problem for some time and I cannot see what
4 I am doing wrong. Here is an outline:
5
6 AIM - to be able to su to root and switch off strict mode in case
7 something goes wrong. I was using newrole but I kept forgetting so I am
8 trying to use pam_selinux to change the role to sysadm_r. I followed the
9 instructions given at
10 http://blog.siphos.be/2013/04/how-logins-get-their-selinux-user-context/
11 in general, but I had to do some research to find out how to apply them
12 for /bin/su.
13
14 The answer was in su.if, added to the "su_role_template" interface. I
15 then spent some time figuring out how to get the roles/sysadm module to
16 use my modified interface (put it in the same directory) and it
17 generally seemed to work. I got a few extra AVCs but I ended up with the
18 following:
19
20 optional_policy(`
21 domain_subj_id_change_exemption($1_su_t)
22 domain_role_change_exemption($1_su_t)
23
24 selinux_validate_context($1_su_t)
25 selinux_compute_access_vector($1_su_t)
26 selinux_compute_create_context($1_su_t)
27 selinux_compute_relabel_context($1_su_t)
28 selinux_compute_user_contexts($1_su_t)
29
30 seutil_read_config($1_su_t)
31 seutil_read_default_contexts($1_su_t)
32
33 userdom_relabelto_user_ptys($1_su_t)
34 userdom_dontaudit_relabelfrom_user_ptys($1_su_t)
35 userdom_use_user_ptys($1_su_t)
36 allow $1_su_t self:process setkeycreate;
37 allow $1_su_t $3:key manage_key_perms;
38 ')
39
40 The PROBLEM: I still get two AVCs that I don't think I should be getting:
41
42 type=PROCTITLE msg=audit(1485020695.038:10367):
43 proctitle=2F62696E2F7375002D
44 type=PATH msg=audit(1485020695.038:10367): item=0 name="/dev/pts/3"
45 inode=6 dev=00:12 mode=020620 ouid=501 ogid=5 rdev=88:03
46 obj=staff_u:object_r:user_devpts_t nametype=NORMAL
47 type=CWD msg=audit(1485020695.038:10367):
48 cwd="/home/robert/selinux/sysadm"
49 type=SYSCALL msg=audit(1485020695.038:10367): arch=c000003e
50 syscall=188 success=yes exit=0 a0=375183c820 a1=3817fb1fcaa
51 a2=375183bce0 a3=1c items=1 ppid=17744 pid=20374
52 auid=4294967295 uid=501 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
53 fsgid=0 tty=pts3
54 ses=4294967295 comm="su" exe="/bin/su"
55 subj=staff_u:sysadm_r:sysadm_su_t key=(null)
56 type=AVC msg=audit(1485020695.038:10367): avc: denied { relabelto
57 } for pid=20374 comm="su" name="3" dev="devpts" ino=6
58 scontext=staff_u:sysadm_r:sysadm_su_t
59 tcontext=root:object_r:user_devpts_t tclass=chr_file permissive=1
60 ----
61 type=AVC msg=audit(1485020695.038:10368): avc: denied { create }
62 for pid=20374 comm="su" scontext=staff_u:sysadm_r:sysadm_su_t
63 tcontext=root:sysadm_r:sysadm_t tclass=key permissive=1
64
65 I double checked that I had corresponding rules to allow these:
66
67 # sesearch -s sysadm_su_t -t user_devpts_t -A
68 allow sysadm_su_t user_devpts_t:chr_file { read getattr write ioctl
69 relabelto open append };
70
71 # sesearch -s sysadm_su_t -t sysadm_t -c key -A
72 allow sysadm_su_t sysadm_t:key { search setattr read create write
73 link view };
74
75 So I really cannot see why I am getting these AVCs. I keep looking at
76 the scripts, the rules and the AVCs to see if I have done something
77 stupid, but I cannot see it. I have started making fairly arbitrary
78 changes to see if I can make it go away but I am just wasting time
79 really. If I cannot figure this out I suspect I will be ditching
80 pam_selinux and reverting to explicitly issuing newrole. I guess with
81 strict on I will quickly be reminded that I have forgotten to change
82 roles anyway.
83
84 Thanks in advance,
85
86 Robert Sharp

Replies

Subject Author
Re: [gentoo-hardened] Selinux: /bin/su and pam_selinux Luis Ressel <aranea@×××××.de>
Re: [gentoo-hardened] Selinux: /bin/su and pam_selinux Sven Vermeulen <swift@g.o>