Bug 145025

| Field | Value |
|---|---|
| Summary | smbmount - needs samba access permissions |
| Product | [Fedora] Fedora |
| Component | selinux-policy-strict |
| Version | rawhide |
| Hardware | i386 |
| OS | Linux |
| Status | CLOSED RAWHIDE |
| Severity | medium |
| Priority | medium |
| Reporter | Ivan Gyurdiev <ivg231> |
| Assignee | Daniel Walsh <dwalsh> |
| Doc Type | Bug Fix |
| Last Closed | 2005-02-07 22:32:22 UTC |

Description
Ivan Gyurdiev
2005-01-13 20:52:15 UTC
smbiod:

    audit(1105655461.646:0): avc: denied { write } for pid=2671 comm=smbiod laddr=192.168.0.2 lport=58431 faddr=192.168.0.3 fport=139 scontext=system_u:system_r:kernel_t tcontext=root:sysadm_r:mount_t tclass=tcp_socket
    audit(1105655461.646:0): avc: denied { read } for pid=2671 comm=smbiod laddr=192.168.0.2 lport=58431 faddr=192.168.0.3 fport=139 scontext=system_u:system_r:kernel_t tcontext=root:sysadm_r:mount_t tclass=tcp_socket

gnome-vfs-daemon:

    audit(1105648235.958:0): avc: denied { write } for pid=3754 exe=/usr/libexec/gnome-vfs-daemon laddr=192.168.0.2 lport=41856 faddr=192.168.0.3 fport=139 scontext=user_u:user_r:user_t tcontext=system_u:system_r:mount_t tclass=tcp_socket

Ok. We are going to need some context for smbmount. I have put together a preliminary policy for smbmount, that I want you to try and if you can finish it, since I don't currently have access to a smb environment. Or at least submit the AVC messages. (You might want to do this in permissive mode).

Dan

Okay, where's the policy?

It is out on people ftp://people.redhat.com/dwalsh/SELinux/Fedora

selinux-policy-strict-*1.21.3-4

You will need to restorecon /usr/bin/smbmount

Good luck. You can communicate with me on the #selinux chat room if you need quick response.

Dan

Is "can_ypbind" necessary? I'm not familiar with ypbind, but I didn't see any related denials. The rest of the rules look fine, but see - now smbmount can't access any of the things in the mount policy, and it needs some of those permissions. See below. How can smbmount inherit some permissions from mount?
In the meantime here are the denials:

Common with mount
==============================
It can't { getattr search mounton } mnt_t where I put the mount point
It can't { create write add_name create unlink } etc_t (for mtab backups)
It can't { read append getattr } etc_runtime_t (for mtab)
It can't { mount } cifs_t, available through this rule:
allow mount_t file_type:filesystem { unmount mount relabelto };
in mount.te

Other, more general denials include:
====================================
It can't { signal sigchld} self:process
It can't read_locale()
It can't { search } devpts_t
It can't { read write } sysadm_devpts_t
It can't { use } /dev/pts/2 of type user_t
It can't { read write ioctl } /dev/tty

Some of those are already in the mount policy. Others are not.

Samba-related stuff:
===================
It can't { search } samba_log_t or var_log_t (Will it also need to create the log file if it's missing? - need to test)
It can't { create connect} unix_stream_socket in the same domain.
It can't { search } samba_var_t:dir.
It can't { read getattr } this thing of type lib_t: gconv-modules.cache
It can't { fork } itself.
It can't { search getattr } bin_t:dir in order to { read execute execute_no_trans } bin_t:file (/usr/bin/smbmnt) which it tries to do.

Finally there's this kind of denial:

    audit(1106808301.487:0): avc: denied { read } for pid=1383 comm=smbiod laddr=192.168.2.96 lport=45305 faddr=192.168.2.96 fport=445 scontext=system_u:system_r:kernel_t tcontext=root:sysadm_r:smbmount_t tclass=tcp_socket
    audit(1106808303.487:0): avc: denied { write } for pid=1389 exe=/usr/libexec/gnome-vfs-daemon laddr=192.168.2.96 lport=45305 faddr=192.168.2.96 fport=445 scontext=user_u:user_r:user_t tcontext=root:sysadm_r:smbmount_t tclass=tcp_socket

Hope this is helpful. I can add some of these myself, but I wasn't clear on how to structure this with respect to the mount policy.

ypbind will only come into effect if you are running in an NIS environment, it is required.
Not sure I caught them all but here is the bottom section of samba.te

    ifdef(`mount.te', `
    #
    # Domain for running smbmount
    #
    application_domain(smbmount, `, fs_domain, nscd_client_domain');
    can_network(smbmount_t)
    can_ypbind(smbmount_t)
    allow smbmount_t cifs_t:dir r_dir_perms;
    allow smbmount_t self:unix_dgram_socket create_socket_perms;
    allow smbmount_t samba_etc_t:file r_file_perms;
    allow smbmount_t samba_log_t:dir r_dir_perms;
    allow smbmount_t samba_log_t:file ra_file_perms;
    allow smbmount_t samba_var_t:dir r_dir_perms;
    allow smbmount_t samba_var_t:file rw_file_perms;
    domain_auto_trans(mount_t, smbmount_exec_t, smbmount_t)
    r_dir_file(smbmount_t, proc_t)
    allow smbmount_t self:capability { signal sigchld net_bind_service sys_rawio sys_admin dac_override chown };
    allow smbmount_t self:process { fork signal_perms };
    file_type_auto_trans(smbmount_t, etc_t, etc_runtime_t, file)
    allow smbmount_t cifs_t:dir mounton;
    allow smbmount_t cifs_t:dir search;
    allow smbmount_t mnt_t:dir mounton;
    read_locale(smbmount_t)
    allow smbmount_t userdomain:fd use;
    allow smbmount_t self:unix_stream_socket create_socket_perms;
    can_exec(smbmount_t, bin_t)
    allow kernel_t smbmount_t:tcp_socket { read write };
    allow smbmount_t file_type:filesystem { unmount mount relabelto };
    ')

Well I was wondering if there could be some sort of common macro in mount.te that gives a bunch of those permissions to smbmount_t and mount_t.

allow smbmount_t file_type:filesystem { unmount mount relabelto };
Shouldn't this be restricted to particular filesystems?

allow smbmount_t cifs_t:dir search;
Hmm...why is this needed...I should investigate

allow smbmount_t cifs_t:dir mounton;
This looks wrong in light of what Stephen Smalley said about binfmt. I will test some more to see if I get this kind of denial or if it's some sort of dual mount problem.

allow smbmount_t samba_log_t:file ra_file_perms;
Do you know if smbmount creates the file if it isn't there?
allow smbmount_t self:unix_stream_socket create_socket_perms;
You should put that next to the dgram_socket one.

can_exec(smbmount_t, bin_t)
Isn't the scope of this rule too broad? Now it can execute all of bin_t. Maybe label smbmnt differently? What about mount.cifs?

allow smbmount_t cifs_t:dir mounton;
allow smbmount_t cifs_t:dir search;
Hmm - yeah, where are those two coming from? They're not in my list of denials - I don't think.

Ok updated the latest policy on ftp://people.redhat.com/dwalsh/SELinux/Fedora

smb seems to be working. cifs works a lot better and requires no policy change. I have gotten rid of all smb errors on my test machine.

selinux-policy-strict-1.21.4-2

What about my comments in #8 and #9? Some of those permissions seem too broad, or unnecessary - see above.

Also I get denials:

Tty stuff:
{ search } devpts_t:dir
{ read write } sysadm_devpts_t:chr_file
{ read write ioctl } sysadm_devtty_t:chr_file

{ search } bin_t:dir (Need this for finding /usr/bin/smbmnt)
{ search } var_log_t:dir (Need this for finding /var/log/samba/smbmount.log)
{ mount } cifs_t:filesystem

That last one is because cifs_t is fs_type, not file_type.

Finally there are still denials of this type:

    audit(1106866332.138:0): avc: denied { write } for pid=30275 exe=/bin/ls laddr=192.168.2.96 lport=58074 faddr=192.168.2.96 fport=445 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:smbmount_t tclass=tcp_socket

Ok, fixes. Attached is a patch between selinux-policy-strict-1.21.5-2 and what I have. Also attached is the samba.te file itself. It does the following:

- comments everything and organizes it so it's not just a list of rules ordered randomly
- removes permissions that I think are unnecessary.. like mounton on cifs_t, and some other things
- restricts permissions that are overly broad like the rule that lets smbmount mount every filesystem
- adds rules that I needed to eliminate ALL denials. I don't get any denials anymore.
Most of them were tty rules, but there were some search rules, and a log creation rule, etc. There was also a bug in the cifs mount rule that I fixed.

Please consider for inclusion. Also, please look at FIXMEs and see if those are necessary - I just didn't know. smbmnt_t should probably be labeled as something else so smbmount_t doesn't have execute permissions on all of bin_t.

Created attachment 110384
Samba.te file
This is my samba.te file
Created attachment 110385
Samba.te patch
And this is the patch.
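
The denials quoted in this bug, grouped the way a policy writer reads them, as an added example that is not part of the original report or of the selinux-policy package: the function names are assumptions made here, and the sample lines are the denials quoted above. It merges permissions per (source type, target type, class) and lists which other domains were denied on smbmount_t objects, so each candidate rule can be reviewed individually.

```python
import re
from collections import defaultdict

# Denials quoted in this bug report, one per line.
SAMPLE = """\
audit(1105655461.646:0): avc: denied { write } for pid=2671 comm=smbiod laddr=192.168.0.2 lport=58431 faddr=192.168.0.3 fport=139 scontext=system_u:system_r:kernel_t tcontext=root:sysadm_r:mount_t tclass=tcp_socket
audit(1105655461.646:0): avc: denied { read } for pid=2671 comm=smbiod laddr=192.168.0.2 lport=58431 faddr=192.168.0.3 fport=139 scontext=system_u:system_r:kernel_t tcontext=root:sysadm_r:mount_t tclass=tcp_socket
audit(1105648235.958:0): avc: denied { write } for pid=3754 exe=/usr/libexec/gnome-vfs-daemon laddr=192.168.0.2 lport=41856 faddr=192.168.0.3 fport=139 scontext=user_u:user_r:user_t tcontext=system_u:system_r:mount_t tclass=tcp_socket
audit(1106808301.487:0): avc: denied { read } for pid=1383 comm=smbiod laddr=192.168.2.96 lport=45305 faddr=192.168.2.96 fport=445 scontext=system_u:system_r:kernel_t tcontext=root:sysadm_r:smbmount_t tclass=tcp_socket
audit(1106866332.138:0): avc: denied { write } for pid=30275 exe=/bin/ls laddr=192.168.2.96 lport=58074 faddr=192.168.2.96 fport=445 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:smbmount_t tclass=tcp_socket
"""

# Permission set, then source context, target context and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?"
    r"scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)"
)

def sel_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def parse_denials(text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for perms, scon, tcon, tclass in AVC_RE.findall(text):
        denials[(sel_type(scon), sel_type(tcon), tclass)].update(perms.split())
    return dict(denials)

def candidate_rules(denials):
    """Render one allow rule per (source, target, class), permissions merged."""
    rules = []
    for (src, tgt, tclass), perms in sorted(denials.items()):
        target = "self" if src == tgt else tgt
        rules.append(f"allow {src} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules

def foreign_sources(denials, domain):
    """Source types other than `domain` that were denied on `domain`'s objects."""
    return sorted({src for (src, tgt, _cls) in denials if tgt == domain and src != domain})

if __name__ == "__main__":
    found = parse_denials(SAMPLE)
    print("\n".join(candidate_rules(found)))
    print("other domains touching smbmount_t:", foreign_sources(found, "smbmount_t"))
```
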
Added in 1.21.5-3

Here are some changes to address a FIXME. Restricts execute privileges of smbmount. Also smbmnt now transitions to smbmount_t if executed by users.

--- samba.te 2005-01-31 20:14:24.000000000 -0700 +++ samba.new 2005-01-31 20:17:33.000000000 -0700 @@ -164,9 +164,8 @@ r_dir_file(smbmount_t, proc_t) # Fork smbmnt -# FIXME: label bin_t as more restricted type? allow smbmount_t bin_t:dir r_dir_perms; -can_exec(smbmount_t,bin_t) +can_exec(smbmount_t,smbmount_exec_t) allow smbmount_t self:process { fork signal_perms }; # Mount --- samba.fc 2005-01-31 20:13:07.000000000 -0700 +++ samba.new 2005-01-31 20:13:37.000000000 -0700 @@ -20,5 +20,6 @@ /var/run/samba/nmbd\.pid -- system_u:object_r:nmbd_var_run_t /var/spool/samba(/.*)? system_u:object_r:samba_var_t ifdef(`mount.te', ` -/usr/bin/smbmount system_u:object_r:smbmount_exec_t +/usr/bin/smbmount -- system_u:object_r:smbmount_exec_t +/usr/bin/smbmnt -- system_u:object_r:smbmount_exec_t ')
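
Review bot: In the samba.te hunk, the unchanged line "allow smbmount_t bin_t:dir r_dir_perms;" still grants read access to bin_t directories even though can_exec now targets smbmount_exec_t. The denial reported earlier in this bug for locating /usr/bin/smbmnt was only { search } bin_t:dir, so this rule could be narrowed to search. With the FIXME removed, the "# Fork smbmnt" comment could also note that smbmnt is labelled smbmount_exec_t, since nothing else in the hunk explains why that type is the exec target.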
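
Review bot: In the samba.fc hunk, giving /usr/bin/smbmount and /usr/bin/smbmnt the same smbmount_exec_t label means "can_exec(smbmount_t,smbmount_exec_t)" permits smbmount_t to re-execute smbmount itself as well as the helper, and any rule keyed on smbmount_exec_t cannot tell the two binaries apart. A separate exec type for smbmnt would keep the helper independently controllable. Both paths need a restorecon after the file-context change, and both diffs name their new file samba.new, so it would help to generate them against samba.te and samba.fc directly.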