| Summary: | sepolicy transition -s ... -t ... does not return all possible results | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Milos Malik <mmalik> |
| Component: | policycoreutils | Assignee: | Vit Mojzis <vmojzis> |
| Status: | CLOSED WONTFIX | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.3 | CC: | dwalsh, lvrabec, mgrepl, mmalik, plautrba, ssekidde, zpytela |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-02-27 12:25:15 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Milos, what does sesearch show you?

```
$ sesearch -A -s unconfined_t -t inet_child_t -c process
$ sesearch -T -s unconfined_t -c process | grep inet_child_t
```

I believe this is not a valid test scenario due to the unconfined_domain attribute.

```
# sesearch -A -s unconfined_t -t inetd_child_t -c process -C
Found 3 semantic av rules:
   allow unconfined_t domain : process transition ;
   allow unconfined_domain_type domain : process { fork sigchld sigkill sigstop signull signal getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh setcurrent setkeycreate setsockcreate ptrace_child } ;
EF allow unconfined_domain_type domain : process ptrace ; [ deny_ptrace ]
# sesearch -T -s unconfined_t -c process | grep inetd_child_t
#
# sesearch -s unconfined_t -t initrc_t -c process -p transition -A -C
Found 2 semantic av rules:
   allow unconfined_t initrc_t : process transition ;
   allow unconfined_t domain : process transition ;
# sesearch -s initrc_t -t inetd_t -c process -p transition -A -C
Found 1 semantic av rules:
   allow initrc_domain daemon : process transition ;
# sesearch -s inetd_t -c process -T | grep inetd_child_t
   type_transition inetd_t bin_t : process inetd_child_t;
   type_transition inetd_t inetd_child_exec_t : process inetd_child_t;
   type_transition inetd_t usr_t : process inetd_child_t;
#
```
I don't understand the reasoning about the unconfined_domain attribute. Is the tool able to find transitions from X to Y, or isn't it?
Something does not work deterministically here:

```
# sepolicy transition -s unconfined_t -t inetd_child_t
unconfined_t ... vmtools_helper_t ... vmtools_t ... ifconfig_t ... insmod_t ... mount_t ... glusterd_t ... initrc_t ... inetd_t @ bin_t --> inetd_child_t
unconfined_t ... vmtools_helper_t ... vmtools_t ... ifconfig_t ... insmod_t ... mount_t ... glusterd_t ... initrc_t ... inetd_t @ inetd_child_exec_t --> inetd_child_t
unconfined_t ... vmtools_helper_t ... vmtools_t ... ifconfig_t ... insmod_t ... mount_t ... glusterd_t ... initrc_t ... inetd_t @ usr_t --> inetd_child_t
unconfined_t ... vmtools_helper_t ... vmtools_t ... ifconfig_t ... insmod_t ... mount_t ... glusterd_t ... initrc_t ... inetd_t ... stunnel_t @ inetd_child_exec_t --> inetd_child_t
unconfined_t ... vmtools_helper_t ... vmtools_t ... ifconfig_t ... insmod_t ... mount_t ... glusterd_t ... initrc_t ... inetd_t ... tcpd_t @ inetd_child_exec_t --> inetd_child_t
# yum -q -y reinstall selinux-policy\*
mmap: Invalid argument
# sepolicy transition -s unconfined_t -t inetd_child_t
unconfined_t ... initrc_t ... inetd_t @ bin_t --> inetd_child_t
unconfined_t ... initrc_t ... inetd_t @ inetd_child_exec_t --> inetd_child_t
unconfined_t ... initrc_t ... inetd_t @ usr_t --> inetd_child_t
unconfined_t ... initrc_t ... inetd_t ... sshd_t ... lvm_t ... insmod_t ... mount_t ... glusterd_t ... keepalived_t ... neutron_t ... udev_t ... cupsd_config_t ... cupsd_t ... logrotate_t ... httpd_t ... httpd_suexec_t ... openshift_script_t ... openshift_initrc_t ... condor_schedd_t ... condor_startd_t ... kdumpgui_t ... kdumpctl_t ... stunnel_t @ inetd_child_exec_t --> inetd_child_t
unconfined_t ... initrc_t ... inetd_t ... tcpd_t @ inetd_child_exec_t --> inetd_child_t
#
```

Even if the selinux-policy packages were of the same version, the second sepolicy results seem to be correct (the first are not).
Seems to be fixed in policycoreutils-devel-2.5-11.el7_3.x86_64:

```
# rpm -qf /usr/bin/sepolicy
policycoreutils-devel-2.5-11.el7_3.x86_64
# sepolicy transition -s unconfined_t -t inetd_child_t
unconfined_t ... initrc_t @ inetd_child_exec_t --> inetd_child_t
unconfined_t ... initrc_t ... firewallgui_t ... iptables_t ... insmod_t ... mount_t ... glusterd_t @ inetd_child_exec_t --> inetd_child_t
...
```

This issue was not selected to be included in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small number of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available. We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.
Description of problem:

Version-Release number of selected component (if applicable):

```
policycoreutils-2.5-2.el7.x86_64
policycoreutils-devel-2.5-2.el7.x86_64
policycoreutils-newrole-2.5-2.el7.x86_64
policycoreutils-python-2.5-2.el7.x86_64
policycoreutils-sandbox-2.5-2.el7.x86_64
selinux-policy-3.13.1-69.el7.noarch
selinux-policy-devel-3.13.1-69.el7.noarch
selinux-policy-doc-3.13.1-69.el7.noarch
selinux-policy-minimum-3.13.1-69.el7.noarch
selinux-policy-mls-3.13.1-69.el7.noarch
selinux-policy-sandbox-3.13.1-69.el7.noarch
selinux-policy-targeted-3.13.1-69.el7.noarch
```

How reproducible: always

First I will demonstrate that it is possible to transition from unconfined_t to inetd_child_t:

```
# runcon system_u:system_r:initrc_t:s0 id -Z
system_u:system_r:initrc_t:s0
# cat pokus.sh
#!/bin/bash
id -Z
# ls -Z pokus.sh
-rwxr-xr-x. root root system_u:object_r:inetd_exec_t:s0 pokus.sh
# runcon system_u:system_r:initrc_t:s0 bash -c ./pokus.sh
system_u:system_r:inetd_child_t:s0-s0:c0.c1023
#
```

and now let's see what sepolicy tells us:

```
# sepolicy transition -s unconfined_t -t inetd_child_t
unconfined_t ... initrc_t ... jockey_t ... insmod_t ... mount_t ... glusterd_t ... oddjob_t ... openshift_initrc_t ... condor_master_t ... condor_schedd_t ... condor_startd_t ... inetd_t @ bin_t --> inetd_child_t
unconfined_t ... initrc_t ... jockey_t ... insmod_t ... mount_t ... glusterd_t ... oddjob_t ... openshift_initrc_t ... condor_master_t ... condor_schedd_t ... condor_startd_t ... inetd_t @ inetd_child_exec_t --> inetd_child_t
unconfined_t ... initrc_t ... jockey_t ... insmod_t ... mount_t ... glusterd_t ... oddjob_t ... openshift_initrc_t ... condor_master_t ... condor_schedd_t ... condor_startd_t ... inetd_t @ usr_t --> inetd_child_t
unconfined_t ... initrc_t ... jockey_t ... insmod_t ... mount_t ... glusterd_t ... oddjob_t ... openshift_initrc_t ... condor_master_t ... condor_schedd_t ... condor_startd_t ... inetd_t ... stunnel_t @ inetd_child_exec_t --> inetd_child_t
unconfined_t ... initrc_t ... jockey_t ... insmod_t ... mount_t ... glusterd_t ... oddjob_t ... openshift_initrc_t ... condor_master_t ... condor_schedd_t ... condor_startd_t ... inetd_t ... tcpd_t @ inetd_child_exec_t --> inetd_child_t
# echo $?
0
#
```

Please notice that the shortest path is NOT mentioned in the output:

```
unconfined_t ... initrc_t @ inetd_exec_t --> inetd_child_t
```

Even though the sepolicy-transition man page says: "If a target domain is given, sepolicy transition will examine policy for all transition paths from the source domain to the target domain, and will list the paths. If a transition is possible, this tool will print out all transition paths from the source domain to the target domain."
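As an added illustration (not the sepolicy code and not part of the report), the following Python script enumerates every domain-transition path over a constructed mini-policy built from the allow and type_transition rules quoted in the comments; the attribute memberships, the two allow rules into inetd_child_t and the initrc_t/inetd_exec_t type_transition are assumptions drawn from the runcon reproducer, so the short path the reporter expected is found alongside the longer ones.

```python
from collections import defaultdict

# Constructed mini-policy; attribute memberships reduced to the relevant types.
ATTRS = {"domain": {"unconfined_t", "initrc_t", "inetd_t", "inetd_child_t"},
         "initrc_domain": {"initrc_t"}, "daemon": {"inetd_t"}}
# allow <src> <tgt> : process transition ;  (from the sesearch output above;
# the last two are assumed so the final hop into inetd_child_t is permitted)
ALLOW = [("unconfined_t", "domain"), ("unconfined_t", "initrc_t"),
         ("initrc_domain", "daemon"),
         ("initrc_t", "inetd_child_t"), ("inetd_t", "inetd_child_t")]
# type_transition <src> <exec type> : process <new domain> ;
TYPE_TRANSITION = [("inetd_t", "bin_t", "inetd_child_t"),
                   ("inetd_t", "inetd_child_exec_t", "inetd_child_t"),
                   ("inetd_t", "usr_t", "inetd_child_t"),
                   ("initrc_t", "inetd_exec_t", "inetd_child_t")]  # assumed: runcon test

def expand(name):
    """Attribute -> member types; a plain type maps to itself."""
    return ATTRS.get(name, {name})

def allowed_edges():
    """Domain -> set of domains it may 'process transition' into."""
    edges = defaultdict(set)
    for s, t in ALLOW:
        for src in expand(s):
            edges[src] |= expand(t)
    return edges

def transition_paths(source, target):
    """Every simple path source -> ... -> target, formatted like sepolicy's
    'a ... b @ exec_t --> target'. Exhaustive depth-first search, so the
    two-hop path via initrc_t is listed alongside the longer ones."""
    edges, found = allowed_edges(), []
    def walk(cur, path):
        for src, exe, new in TYPE_TRANSITION:
            if src == cur and new == target and target in edges[cur]:
                found.append(" ... ".join(path) + f" @ {exe} --> {target}")
        for nxt in sorted(edges[cur]):
            if nxt != target and nxt not in path:
                walk(nxt, path + [nxt])
    walk(source, [source])
    return found

if __name__ == "__main__":
    print("\n".join(transition_paths("unconfined_t", "inetd_child_t")))
```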