Bug 1285294 - reconsider allowing type "domain" to read all "base_ro_file_type"
Summary: reconsider allowing type "domain" to read all "base_ro_file_type"
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.7
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-11-25 11:22 UTC by redhat-airlock
Modified: 2016-06-28 07:01 UTC (History)
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-06-28 07:01:44 UTC
Target Upstream Version:
Embargoed:


Description redhat-airlock 2015-11-25 11:22:32 UTC
Description of problem:
We are using SELinux to contain processes with least privilege access to the OS file system. All these processes run as a (domain) type which is included in the "domain" attribute, as is good practice for every domain type. After the update from RHEL 6.6 to 6.7 we saw that our processes are able to read files and directories labeled with "bin_t" (and others). The reason is that a directive was added to allow the attribute "domain" to read all files labeled as "base_ro_file_type":

problematic directives, added with policy-RHEL6.7-e2506.patch
----------
   allow domain base_ro_file_type : file { ioctl read getattr lock open } ; 
   allow domain base_ro_file_type : dir { ioctl read getattr lock search open } ; 
----------

"base_ro_file_type" consists of many common resource types like bin_t, etc_t, usr_t, system_conf_t; this allows all processes to examine a large part of the OS file system, which we consider a decrease in security.
Our problem now is that, since the directive adds these permissions to the "root" attribute "domain", it is not possible to create a domain type that does not have these privileges. In our mind these privileges should have been given to a sub attribute/type of "domain" and not "domain" itself.


Version-Release number of selected component (if applicable):
selinux-policy-minimum-3.7.19-279.el6_7.7.noarch


How reproducible:
compare results between 6.6 and 6.7
sesearch --allow -s domain -t bin_t -p read | grep "allow domain"


Actual results:
   allow domain base_ro_file_type : file { ioctl read getattr lock open } ; 
   allow domain base_ro_file_type : dir { ioctl read getattr lock search open } ; 
   allow domain base_ro_file_type : lnk_file { read getattr } ;

Expected results:
[empty]

Additional info:

Comment 2 Daniel Walsh 2015-12-01 20:44:20 UTC
Maybe add a boolean for this defaulted to true. And then advanced users could turn it off.

Comment 3 Frank Meier 2015-12-07 09:58:31 UTC
Since it is hard to tell which parts of the system (will) rely on the boolean being true, a later disablement will most likely break these parts.
A "clean" solution would be to introduce a separate domain attribute which has the privileges to read the "base_ro_file_type". And then all the domain types relying on said read permission would have to be added to this new domain attribute.
But I know, asking for this would mean quite a big change to your policy as it is now, which could also easily break some stuff.

Comment 4 Miroslav Grepl 2015-12-08 11:23:52 UTC
We backported it from RHEL-7 because a lot of random domains wanted to access these readable files with the contexts which you mentioned. I don't see any real flaws here. We cannot do it with a boolean due to the policy language.

Thinking about introducing a new domain which could just add additional complexity to the current complex policy. There is a way to label intended files by a type which is not base_ro.

Comment 5 Daniel Walsh 2015-12-09 19:45:18 UTC
Yes if you want to protect executable/files that should not be readable by all domains, then add a type for them. 

They should not be bin_t, usr_t, etc_t, lib_t ...

Comment 6 Miroslav Grepl 2016-06-28 07:01:44 UTC
Closing this bug as WONTFIX based on our previous comments - #4 and #5.

