Gentoo Archives: gentoo-hardened

From: Sven Vermeulen <swift@g.o>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] Incorrect contexts in /run
Date: Tue, 04 Mar 2014 16:24:06
Message-Id: 20140304162358.GB13432@gentoo.org
On Sun, Mar 02, 2014 at 04:36:23PM -0500, Ben Pritchard wrote:
> I have a few files/directories in /run (or /var/run) that do not have the
> correct SELinux contexts. Notably, files belonging to samba and fail2ban,
> but there may be others.
>
> I thought this might be related to the /run migration bug (424173) but
> it seems to restore to the correct contexts, just that the files are not
> created with the correct contexts. How are the contexts of these files
> usually managed?
>
>
> #output from matchpathcon:
> /run/dbus.pid has context system_u:object_r:system_dbusd_var_run_t, should be <<none>>
> /run/fail2ban has context system_u:object_r:initrc_var_run_t, should be system_u:object_r:fail2ban_var_run_t
> /run/lvm has context system_u:object_r:initrc_var_run_t, should be system_u:object_r:var_run_t
> /run/ntpd.pid has context system_u:object_r:initrc_var_run_t, should be system_u:object_r:ntpd_var_run_t
> /run/privoxy-tor.pid has context system_u:object_r:privoxy_var_run_t, should be <<none>>
> /run/samba has context system_u:object_r:initrc_var_run_t, should be system_u:object_r:smbd_var_run_t
> /run/saslauthd has context system_u:object_r:initrc_var_run_t, should be system_u:object_r:var_run_t
> /run/sepermit has context system_u:object_r:initrc_var_run_t, should be system_u:object_r:pam_var_run_t
> /run/sshd.pid has context system_u:object_r:sshd_var_run_t, should be <<none>>
> /run/syslog-ng.ctl has context system_u:object_r:devlog_t, should be system_u:object_r:syslogd_var_run_t

The matchpathcon and restorecon actions should be the same: matchpathcon
tells the user what the value should be, restorecon applies this value.

When matchpathcon says that a label should be <<none>>, no specific
action is taken. This is usually the case for files that get a file context
assigned by the process that creates the file, and which might be different
depending on circumstances. Or in other words, SELinux keeps the label
as-is, even during a restorecon operation.

For instance:

# matchpathcon
> /run/ntpd.pid has context system_u:object_r:initrc_var_run_t, should be system_u:object_r:ntpd_var_run_t
> /run/samba has context system_u:object_r:initrc_var_run_t, should be system_u:object_r:smbd_var_run_t

# restorecon
> restorecon reset /run/ntpd.pid context system_u:object_r:initrc_var_run_t->system_u:object_r:ntpd_var_run_t
> restorecon reset /run/samba context system_u:object_r:initrc_var_run_t->system_u:object_r:smbd_var_run_t
> restorecon reset /run/samba/nmbd.pid context system_u:object_r:initrc_var_run_t->system_u:object_r:nmbd_var_run_t
> restorecon reset /run/samba/smbd.pid context system_u:object_r:initrc_var_run_t->system_u:object_r:smbd_var_run_t

In order to have the files immediately with the right context, we need to
find out which process (actually, which SELinux domain) is responsible for
creating the files in the first place (and thus having the files stored with
a particular label).

For most of the files, this is easy to deduce.

For instance, /run/ntpd.pid got label initrc_var_run_t, so it's most likely
initrc_t (the domain used for init scripts) that created the PID file. And
if I'd take a long guess, it would be /etc/init.d/ntpd ;-)

In order to fix this, we need to add a statement equivalent to:

#v+
files_pid_filetrans(initrc_t, ntpd_var_run_t, file, "ntpd.pid")
#v-

Sadly, this statement calls two types not part of the same module (initrc_t
is of the "init" module while ntpd_var_run_t is of the "ntp" module).
Coding-style-wise, this is not allowed, so we need to seek (or write)
another statement that only calls types of the same module.

For directories, we created an "init_daemon_run_dir" call. It looks like we
might need to introduce a similar one for files, namely
"init_daemon_run_file". Then the call would be (inside ntp.te):

#v+
init_daemon_run_file(ntpd_var_run_t, "ntpd.pid")
#v-

For the samba directory, we can already use the init_daemon_run_dir() call,
as /run/samba has context initrc_var_run_t (thus also created most likely by
the smb* or other samba related init scripts).

I'll put your mail in a bugreport and might even work on it this evening
(depending on available time). I'll get back to you when the necessary
commits have occurred ;-)

Wkr,
Sven Vermeulen
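An added example, not part of the mail or of the Gentoo policy: a POSIX shell script that applies the reasoning of the reply to `matchpathcon -V` output, skipping the `<<none>>` entries that restorecon leaves alone and turning initrc_var_run_t mismatches into the policy statements discussed. `init_daemon_run_dir()` is the existing Gentoo interface; `init_daemon_run_file()` is only the name proposed in the mail, and the sample output is constructed from the lines quoted in the thread.

```sh
# Added example, not from the mail or from the Gentoo policy.  Applies the
# reply's reasoning to `matchpathcon -V` output: "<<none>>" means no file
# context rule (restorecon keeps the label); current type initrc_var_run_t
# means the init script created the object, so a named file transition for
# initrc_t is needed: init_daemon_run_dir() exists in Gentoo's policy,
# init_daemon_run_file() is the one the mail proposes (hypothetical here).
# suggest_fix PATH CURRENT_TYPE TARGET_TYPE -> one line of advice
suggest_fix() {
    path=$1; cur=$2; want=$3
    name=${path##*/}
    if [ "$want" = '<<none>>' ]; then
        printf '%s: label kept as-is (no file context rule)\n' "$path"
        return 0
    fi
    if [ "$cur" != initrc_var_run_t ]; then
        printf '%s: created by non-init domain %s, fix belongs in that module\n' "$path" "$cur"
        return 0
    fi
    # Real object class when the path exists here, else a name heuristic (offline use).
    if [ -d "$path" ]; then cls=dir
    elif [ -e "$path" ]; then cls=file
    else case $name in *.pid|*.ctl|*.sock) cls=file ;; *) cls=dir ;; esac
    fi
    if [ "$cls" = dir ]; then
        printf 'init_daemon_run_dir(%s, "%s")\n' "$want" "$name"
    else
        printf 'init_daemon_run_file(%s, "%s")\n' "$want" "$name"
    fi
}

# parse_matchpathcon: stdin is "PATH has context CTX, should be CTX" lines
parse_matchpathcon() {
    while IFS= read -r line; do
        case $line in *' has context '*', should be '*) ;; *) continue ;; esac
        path=${line%% has context *}
        rest=${line#* has context }
        cur=${rest%%, should be *}; cur=${cur##*:}    # keep only the type
        want=${rest##*, should be }; want=${want##*:} # <<none>> stays as-is
        suggest_fix "$path" "$cur" "$want"
    done
}

# Constructed sample, copied from the matchpathcon lines quoted in the thread.
SAMPLE='/run/ntpd.pid has context system_u:object_r:initrc_var_run_t, should be system_u:object_r:ntpd_var_run_t
/run/samba has context system_u:object_r:initrc_var_run_t, should be system_u:object_r:smbd_var_run_t
/run/sshd.pid has context system_u:object_r:sshd_var_run_t, should be <<none>>
/run/syslog-ng.ctl has context system_u:object_r:devlog_t, should be system_u:object_r:syslogd_var_run_t'
printf '%s\n' "$SAMPLE" | parse_matchpathcon
```

On a live host, `matchpathcon -V /run/*` can be piped straight into `parse_matchpathcon` instead of the constructed sample.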