fedora-selinux October 2010 archive
Main Archive Page > Month Archives  > fedora-selinux archives
fedora-selinux: Re: selinux policy UBAC question

Re: selinux policy UBAC question

From: Dominick Grift <domg472_at_nospam>
Date: Tue Oct 26 2010 - 20:19:40 GMT
To: selinux@lists.fedoraproject.org

On Tue, Oct 26, 2010 at 07:49:46PM +0200, Roberto Sassu wrote:
> On Monday, October 25, 2010 06:32:50 pm Dominick Grift wrote:
> > On 10/25/2010 06:19 PM, Roberto Sassu wrote:
> > > On Monday, October 25, 2010 06:00:42 pm Dominick Grift wrote:
> > >> On 10/25/2010 05:47 PM, Dominick Grift wrote:
> > >>> On Mon, Oct 25, 2010 at 05:06:05PM +0200, Roberto Sassu wrote:
> > >>>> On Monday, October 25, 2010 04:27:22 pm Dominick Grift wrote:
> > >>>>> On Mon, Oct 25, 2010 at 02:45:54PM +0200, Roberto Sassu wrote:
> > >>>>>> Hi all
> > >>>>>>
> > >>>>>> i'm using the selinux policy shipped with Fedora 13 and UBAC turned on.
> > >>>>>> I removed the unconfined package and i noted the unconfined_t domain with
> > >>>>>> unconfined_u user is unable to access a file with another selinux user.
> > >>>>>> I tried to build a custom module which contains the line:
> > >>>>>>
> > >>>>>> ubac_process_exempt(unconfined_t)
> > >>>>>
> > >>>>> like it says this only exempts the callers access to processes
> > >>>>>
> > >>>>> in the sysadm module this is added:
> > >>>>>
> > >>>>> ubac_process_exempt(sysadm_t)
> > >>>>> ubac_file_exempt(sysadm_t)
> > >>>>> ubac_fd_exempt(sysadm_t)
> > >>>>>
> > >>>>> That should pretty much exempt the caller.
> > >>>>> Note though that ubac has issues, i am not sure how much issues in fedora but in normal refpolicy the *_admins do not work because you want to start services as system_u else unpriv users wont be ableto access resources. There is no way to change to system_u unless i guess you use runcon.
> > >>>>
> > >>>> I'm using the UBAC feature in order to identify the combination of user/program that is allowed to acces a specific label. UBAC permits to implement this access control model by
> > >>>> using the policy for the user_t domain and assigning a selinux user to each user in the platform.
> > >>>> My target is to have an usable system and it seems that the ubac is not yet ready to be used in desktop platforms.
> > >>>> Another solution is to create different user domains by using the proper template. There are other alternatives in order to implement this access control model?
> > >>>
> > >>> If i concerns apps started by users, then i think it may still be possible. Back in the day we used prefixes for process and files created by processes started by users. User home directories had a role prefix. now all users use the user_home(_dir)_t. But back then we had it prefixed like staff_home_t, users_home_t, someuser_home_t
> > >>>
> > >>> that allowed use to seperate users and their resources. We used to implement these prefixes in the per role templates for user apps
> > >>>
> > >>> like for example: allow staff_t staff_mozilla_t:file read_file_perms;
> > >>>
> > >>> We still use per role templates but only to seperate processes, we no longer use it to seperate user home content.
> > >>>
> > >>> The -P (prefix option) with semanage was used to define the prefix to be used for user home dirs
> > >>>
> > >>> semanage user -a -L s0 -r s0-s0:c0.c1023 -R "staff_r sysadm_r" -P staff staff_u (i believe it was)
> > >>>
> > >>> Not sure if this prefixing of user home dirs still works.
> > >>>
> > >>
> > >> But regardles of whether the -P option in semanage still works, you will
> > >> still be able to implement something using a per role template
> > >>
> > >> Have a look at one, for example the one is sudo.if
> > >>
> > >> you can just prefix the files created by your user applications. You may
> > >> not be easily able to seperate anything else but its something.
> > >>
> > >> example:
> > >>
> > >> manage_files_pattern($1_myapp_t, $1_myapp_file_t, $1_myapp_file_t)
> > >> userdom_user_home_dir_filetrans($1_myapp_t, $1_myapp_file_t, file)
> > >>
> > >> HOME_DIR/\.myapp_file -- gen_context(system_u:object_r:ROLE_myapp_file_t,s0)
> > >>
> > >> Where $1 is a role prefix. That *might* work
> > >>
> > >
> > > If i understand correctly i need to create first, for the user user1, the initial domain user1_t;
> > > then i have to duplicate the ssh policy by creating the domain user1_ssh_t.
> > > A relevant issue i find in this approach is that i need to modify the policy each time a new user
> > > is created.
> >
> > I do think the ssh.if module file has interfaces that can be used. not
> > sure if those work.
> >
> > > I think it should work but it is much more simple to have user1_u:user_r:user_t:s0 and
> > > user1_u:user_r:ssh_t:s0 security contexts.
> > > Just another question about the ubac, does it is possible to configure the policy to isolate user1_u
> > > from user2_u, and to grant accesses from user1_u, user2_u to system_u, unconfined_u, staff_u and sysadm_u?
> >
> > Yes i think that is possible. I was just thinking about what i said in
> > my previous reply and it occurred to me that if sysadm is ubac exempt
> > that i think in that case all identities can interac with ubac aswell.
> >
> > So if you make unconfined_u and staff_u ubac exempt, then i think those
> > two users can access all ubac constrained objects/subjects, BUT also
> > that ubac constrained subject can interact with the ubac excempt identities.
> >
> > So in that case my previous issue with ubac no longer stand. Because
> > 1. if unconfined_u is ubac exempt and it runs rpm to install a package.
> > then even though the files installed with have unconfined_u prefix,
> > everyone can still interact with the files since unconfined_u is exempt
> >
> > 2 same for the *_admins:
> >
> > if staff_u is ubac exempt and he sudos to for example the webadm_t and
> > restarts the web server, then the webserver will run with the staff_u
> > identity, objects created by the webserver will have the staff_u
> > identity, But that does not matter because even ubac constrained process
> > can interact with ubac exempt process and objects.
> >
> >
> > I think we should just try it out. I think it should indeed work out nicely.
> >
>
> Ok, i will try. I suppose i have to modify the constraints file by adding for example in
> the 'basic_ubac_conditions' definition:
> or u1 = unconfined_u
> or u2 = unconfined_u

I do not believe you would need to modify the contraints i think you would just call the interfaces in ubac.if and that you ubac exempt the caller.

>
> Just another question: is it possible to duplicate the definition of a type in a simple manner?
> I need more than an alias, because if i do chcon -t <alias> the extended attribute is set to
> the original type.

i am not sure that i understand what you mean but you could try the typealias statement.

i am not sure if it matter to what type the xattr is set. they are both identical if you defined a typealias?

>
>
> >
> >
> > >
> > >>>> Thanks.
> > >>>>
> > >>>>>
> > >>>>> That brings us to the second issue that is that you probably want to build policy with sysadm_direct_initrc option enabled. That way to can for example run rpm /yum in the rpm_t domain with system_u. Else it will install files with sysadm_u id and then ubac users cannot access it.
> > >>>>>
> > >>>>> Those two issues were enough reason for me to turn it of. (especially not being able to use the *_admins.
> > >>>>>
> > >>>>>
> > >>>>>>
> > >>>>>> but this does not solve the issue. How do i configure the policy to allow some
> > >>>>>> domains to circumvent the UBAC enforcement?
> > >>>>>> Thanks in advance for replies.
> > >>>>>>
> > >>>>>> Roberto Sassu
> > >>>>>> --
> > >>>>>> selinux mailing list
> > >>>>>> selinux@lists.fedoraproject.org
> > >>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> > >>>>>
> > >>
> > >>
> > >>
> > > --
> > > selinux mailing list
> > > selinux@lists.fedoraproject.org
> > > https://admin.fedoraproject.org/mailman/listinfo/selinux
> >
> >
> >

-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux