iotuser@raspberrypi:~ $ execstack -q /usr/bin/runcon
- /usr/bin/runcon

On Tue, Apr 4, 2017 at 3:52 PM, Rahmadi Trimananda <[email protected]> wrote:

> iotuser@raspberrypi:~ $ scanelf -lpqe
> RWX --- ---  /usr/lib/arm-linux-gnueabihf/libarmmem.so
> RWX --- ---  /usr/lib/arm-linux-gnueabihf/libmad.so.0.2.1
> RWX --- ---  /lib/klibc-YL2Pal4e_FwRI58JJ6S97Xf241g.so
> RWX --- ---  /usr/lib/libopenblas_armv6p-r0.2.12.so
> RWX --- ---  /usr/bin/penguinspuzzle
>
> On Tue, Apr 4, 2017 at 3:51 PM, Rahmadi Trimananda <[email protected]>
> wrote:
>
>> Alright, this is the output for readelf -l /usr/bin/runcon:
>>
>> Elf file type is EXEC (Executable file)
>> Entry point 0x11c58
>> There are 9 program headers, starting at offset 52
>>
>> Program Headers:
>>   Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
>>   EXIDX          0x0054d4 0x000154d4 0x000154d4 0x00008 0x00008 R   0x4
>>   PHDR           0x000034 0x00010034 0x00010034 0x00120 0x00120 R E 0x4
>>   INTERP         0x000154 0x00010154 0x00010154 0x00019 0x00019 R   0x1
>>       [Requesting program interpreter: /lib/ld-linux-armhf.so.3]
>>   LOAD           0x000000 0x00010000 0x00010000 0x054e0 0x054e0 R E 0x10000
>>   LOAD           0x005efc 0x00025efc 0x00025efc 0x00278 0x003ec RW  0x10000
>>   DYNAMIC        0x005f08 0x00025f08 0x00025f08 0x000f8 0x000f8 RW  0x4
>>   NOTE           0x000170 0x00010170 0x00010170 0x00044 0x00044 R   0x4
>>   GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x10
>>   GNU_RELRO      0x005efc 0x00025efc 0x00025efc 0x00104 0x00104 R   0x1
>>
>>  Section to Segment mapping:
>>   Segment Sections...
>>    00     .ARM.exidx
>>    01
>>    02     .interp
>>    03     .interp .note.ABI-tag .note.gnu.build-id .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rel.dyn .rel.plt .init .plt .text .fini .rodata .ARM.exidx .eh_frame
>>    04     .init_array .fini_array .jcr .dynamic .got .data .bss
>>    05     .dynamic
>>    06     .note.ABI-tag .note.gnu.build-id
>>    07
>>    08     .init_array .fini_array .jcr .dynamic
>>
>> On Tue, Apr 4, 2017 at 12:15 PM, Stephen Smalley <[email protected]>
>> wrote:
>>
>>> On Tue, 2017-04-04 at 13:54 -0400, Stephen Smalley wrote:
>>> > On Tue, 2017-04-04 at 10:44 -0700, Rahmadi Trimananda wrote:
>>> > > This again reflects a problem with the way your userspace was built.
>>> > > - Could you please explain what the problem is and how to solve this?
>>> >
>>> > Please run readelf -l /usr/bin/runcon and provide the output.
>>>
>>> Also, if you have scanelf (from pax-utils), running scanelf -lpqe and
>>> providing the output would be helpful.
>>>
>>> >
>>> > > Umm, then how about generating port labels?
>>> > > I tried adding a new port to my myapp_t label using "semanage port",
>>> > > but it's complaining that myapp_t is not a port label. Need your
>>> > > insights here as well. Thank you!
>>> >
>>> > Yes, you would want to define a separate port type.
>>> > type myapp_port_t;
>>> > corenet_port(myapp_port_t)
>>> >
>>> > Then use myapp_port_t in your semanage port command.
>>> >
>>> > >
>>> > > On Tue, Apr 4, 2017 at 10:17 AM, Stephen Smalley <[email protected]> wrote:
>>> > > > On Tue, 2017-04-04 at 09:37 -0700, Rahmadi Trimananda wrote:
>>> > > > > Do you mean that we create our own new domain, e.g. myapp_t?
>>> > > > > I tried this and it works for my a.out that reads test.txt.
>>> > > > >
>>> > > > > I tried runcon as well for the Java version:
>>> > > > >
>>> > > > > runcon system_u:object_r:myapp_t:SystemLow java Test
>>> > > >
>>> > > > Just runcon -t myapp_t java Test would be simpler, and would preserve
>>> > > > your user identity, role, and level.  Processes don't use object_r;
>>> > > > that is only for files/objects.
>>> > > >
>>> > > > > The response I got was: runcon: java: Permission denied.
>>> > > > > In the audit.log I found that runcon is just not permitted for
>>> > > > > everything. Any thoughts?
>>> > > > >
>>> > > > > ...
>>> > > > > type=SYSCALL msg=audit(1491323666.800:4249): arch=40000028 syscall=11
>>> > > > > per=800000 success=no exit=-13 a0=7ec2c140 a1=7ec2c34c a2=7ec2c35c
>>> > > > > a3=6e69622f items=0 ppid=989 pid=10629 auid=1001 uid=1001 gid=1001
>>> > > > > euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001
>>> > > > > tty=pts0 ses=3 comm="runcon" exe="/usr/bin/runcon"
>>> > > > > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
>>> > > > >
>>> > > > > type=AVC msg=audit(1491323672.070:4255): avc:  denied  { execstack }
>>> > > > > for  pid=10631 comm="runcon"
>>> > > > > scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>> > > > > tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>> > > > > tclass=process permissive=0
>>> > > >
>>> > > > This again reflects a problem with the way your userspace was built.
>>> > > > execstack -q /usr/bin/runcon
>>> > > > readelf -l /usr/bin/runcon
>>> > > >
>>> > > > In the interim, you can allow execstack pervasively via:
>>> > > > setsebool -P allow_execstack=1
>>> > > >
>>> > > > > type=SYSCALL msg=audit(1491323672.070:4255): arch=40000028
>>> > > > > syscall=125 per=800000 success=no exit=-13 a0=7e84c000 a1=1000
>>> > > > > a2=1000007 a3=76fb6f18 items=0 ppid=10630 pid=10631 auid=1001 uid=0
>>> > > > > gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3
>>> > > > > comm="runcon" exe="/usr/bin/runcon"
>>> > > > > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
>>> > > > >
>>> > > > > type=AVC msg=audit(1491323672.080:4256): avc:  denied  { transition }
>>> > > > > for  pid=10631 comm="runcon" path="/usr/lib/jvm/java-8-openjdk-armhf/jre/bin/java" dev="mmcblk0p2" ino=524520
>>> > > > > scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>> > > > > tcontext=system_u:object_r:myapp_t:s0 tclass=process permissive=0
>>> > > > >
>>> > > > > type=SYSCALL msg=audit(1491323672.080:4256): arch=40000028 syscall=11
>>> > > > > per=800000 success=no exit=-13 a0=7e84c5dc a1=7e84c7ec a2=7e84c7f8
>>> > > > > a3=6e69622f items=0 ppid=10630 pid=10631 auid=1001 uid=0 gid=0 euid=0
>>> > > > > suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="runcon"
>>> > > > > exe="/usr/bin/runcon"
>>> > > > > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
>>> > > > >
>>> > > > > type=AVC msg=audit(1491323700.770:4269): avc:  denied  { transition }
>>> > > > > for  pid=10636 comm="runcon" path="/usr/lib/jvm/java-8-openjdk-armhf/jre/bin/java" dev="mmcblk0p2" ino=524520
>>> > > > > scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>> > > > > tcontext=system_u:object_r:myapp_t:s0 tclass=process permissive=1
>>> > > > >
>>> > > > > type=AVC msg=audit(1491323700.770:4269): avc:  denied  { entrypoint }
>>> > > > > for  pid=10636 comm="runcon" path="/usr/lib/jvm/java-8-openjdk-armhf/jre/bin/java" dev="mmcblk0p2" ino=524520
>>> > > > > scontext=system_u:object_r:myapp_t:s0
>>> > > > > tcontext=system_u:object_r:java_exec_t:s0 tclass=file permissive=1
>>> > > >
>>> > > > Add the following to your policy:
>>> > > > domain_entry_file(myapp_t, java_exec_t)
>>> > > > spec_domtrans_pattern(unconfined_t, java_exec_t, myapp_t)
>>> > > >
>>> > > >
>>> > > > > ...
>>> > > > >
>>> > > > >
>>> > > > > On Tue, Apr 4, 2017 at 9:26 AM, Stephen Smalley <[email protected]> wrote:
>>> > > > > > On Tue, 2017-04-04 at 08:50 -0700, Rahmadi Trimananda wrote:
>>> > > > > > > Hey Guys,
>>> > > > > > >
>>> > > > > > > I am trying to confine a Java process that I have so that it will
>>> > > > > > > be able to read only certain files. This is my experiment setup
>>> > > > > > > for my folder. Basically a.out (C program) and Test.class (Java
>>> > > > > > > class) are coded to read and print out the text in test.txt.
>>> > > > > > >
>>> > > > > > >     unconfined_u:object_r:httpd_t:SystemLow a.out
>>> > > > > > >     unconfined_u:object_r:user_home_t:SystemLow test.c
>>> > > > > > >     unconfined_u:object_r:httpd_t:SystemLow Test.class
>>> > > > > > >     unconfined_u:object_r:user_home_t:SystemLow Test.java
>>> > > > > > >     unconfined_u:object_r:user_home_t:SystemLow test.txt
>>> > > > > > >
>>> > > > > > > I tried to change the type label for a.out from user_home_t to
>>> > > > > > > httpd_t just for the sake of the experiment. With this setup,
>>> > > > > > > a.out is no longer able to read test.txt in enforcing mode.
>>> > > > > > > However, I seem to not be able to do it for Test.class as it's
>>> > > > > > > running on a JVM. The java label is "bin_t". And I checked using
>>> > > > > > > this:
>>> > > > > > >
>>> > > > > > > sesearch -s bin_t -t user_home_t -c file -p read -Ad
>>> > > > > > >
>>> > > > > > > And it doesn't seem to have a rule that allows bin_t to read a
>>> > > > > > > file with user_home_t label.
>>> > > > > > >
>>> > > > > > > What's the right way to do this if any? Then, I also try to
>>> > > > > > > confine port accesses for Test.class, e.g. I only allow it to
>>> > > > > > > access ports 1234 and 2345. Same question, what's the right way
>>> > > > > > > to do this?
>>> > > > > >
>>> > > > > > I think you are conflating file labels with process labels.  The
>>> > > > > > /usr/sbin/httpd file is labeled with the httpd_exec_t type; the
>>> > > > > > running httpd process runs in the httpd_t domain (to be precise,
>>> > > > > > init_t transitions to httpd_t upon executing httpd_exec_t).  bin_t
>>> > > > > > is just a generally executable file type that doesn't cause a
>>> > > > > > domain transition (as no domain transition is defined in policy on
>>> > > > > > it), so a process that execs a bin_t file will just stay in its
>>> > > > > > domain.  You want to create a new domain and run your program in
>>> > > > > > that; if you are running it through an interpreter, then you can
>>> > > > > > force it into the target domain via runcon.
>>> > > > > >
>>> > >
>>>
>>
>



-- 
Kind regards,
Rahmadi Trimananda

Ph.D. student @ University of California, Irvine
"Stay hungry, stay foolish!" - Steve Jobs -
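A policy module that puts Stephen's advice from the thread together in one place, added here as an example (it is not from the thread, the refpolicy project, or any distribution policy): it declares myapp_t and the separate port type myapp_port_t, makes java_exec_t an entry point, permits only the explicit runcon transition from unconfined_t, and limits network access to ports labeled myapp_port_t. The interface names assume a refpolicy-based policy such as Debian's; the module name, the user_home_t read interface, and the absence of the JVM's other needs (libraries, /proc, tmp files) are assumptions.

```m4
# myapp.te (hypothetical module name). Build and load with:
#   make -f /usr/share/selinux/devel/Makefile myapp.pp && semodule -i myapp.pp
# Then label the two ports with the separate port type:
#   semanage port -a -t myapp_port_t -p tcp 1234
#   semanage port -a -t myapp_port_t -p tcp 2345
policy_module(myapp, 1.0)

########################################
# Declarations

# Process domain for the confined Java program.
type myapp_t;
domain_type(myapp_t)

# Port type: a process type (myapp_t) cannot be used as a port label.
type myapp_port_t;
corenet_port(myapp_port_t)

gen_require(`
	type unconfined_t;
	type java_exec_t;
	role unconfined_r;
')

# Authorize the unconfined role for the new domain, so that
# "runcon -t myapp_t java Test" keeps the caller's user, role and level.
role unconfined_r types myapp_t;

########################################
# Policy

# The JVM binary (java_exec_t) is a valid entry point into myapp_t, and
# unconfined_t may explicitly transition into it via runcon. No automatic
# type_transition is defined, so a plain "java" invocation stays unconfined.
domain_entry_file(myapp_t, java_exec_t)
spec_domtrans_pattern(unconfined_t, java_exec_t, myapp_t)

# Read-only access to test.txt, which keeps its user_home_t label
# (assumed interface; a dedicated file type for test.txt would be tighter).
userdom_read_user_home_content_files(myapp_t)

# Network: generic interfaces and nodes, but only ports labeled myapp_port_t.
# Deliberately no corenet_tcp_connect_all_ports() and no execstack/execmem.
allow myapp_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_sendrecv_generic_if(myapp_t)
corenet_tcp_sendrecv_generic_node(myapp_t)
allow myapp_t myapp_port_t:tcp_socket { name_bind name_connect };
```

Load it with the domain permissive first and collect the remaining AVC records for myapp_t to learn what else the JVM needs; grant those to myapp_t rather than widening unconfined_t or setting allow_execstack permanently.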
_______________________________________________
Selinux mailing list
[email protected]