Bug 490228 - can relabelto types that aren't usable file types
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 10
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-03-13 18:23 EDT by Sebastian Pfaff
Modified: 2009-03-13 18:58 EDT (History)

Last Closed: 2009-03-13 18:58:49 EDT

Description Sebastian Pfaff 2009-03-13 18:23:47 EDT
Description of problem:

In this example it's possible to label a file via restorecon, which is usable. Look, there is no files_type(test_prog_exec_t) call in the *.te file!

Version-Release number of selected component (if applicable):

I don't know.

How reproducible && Steps to Reproduce:

te file: 

policy_module(test_prog, 0.0.1)

require {
        type devpts_t;
        type unconfined_devpts_t;
        type test_prog_exec_t;
        type usr_t;
        type proc_t;
        type admin_home_t;
        type test_prog_t;
        type unconfined_t;
}


type test_prog_t;
type test_prog_exec_t;

role unconfined_r types test_prog_t;

domain_type(test_prog_t)
domain_entry_file(unconfined_t, test_prog_exec_t)
domain_auto_trans(unconfined_t, test_prog_exec_t, test_prog_t)

# generated by audit2allow
# necessary to allow everything for test.sh
#============= test_prog_t ==============
allow test_prog_t admin_home_t:dir getattr;
allow test_prog_t devpts_t:dir search;
allow test_prog_t proc_t:file read;
allow test_prog_t test_prog_exec_t:file read;
allow test_prog_t unconfined_devpts_t:chr_file ioctl;
allow test_prog_t usr_t:dir search;


fc file:

/root/test_prog/test.sh -- gen_context(unconfined_u:object_r:test_prog_exec_t, s0)

here the script:

[root@SecLab test_prog]# cat test.sh
#!/bin/sh
echo "foo"
#EOF 


Actual results:

...
compiling && loading module
...

[root@SecLab test_prog]# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@SecLab test_prog]# ls -Z test.sh 
-rwx------  root root unconfined_u:object_r:admin_home_t:s0 test.sh
[root@SecLab test_prog]# semodule -l | grep test
test_prog	0.0.1
[root@SecLab test_prog]# restorecon /root/test_prog/test.sh 
[root@SecLab test_prog]# semodule -l | grep test
test_prog	0.0.1
[root@SecLab test_prog]# ls -Z test.sh 
-rwx------  root root unconfined_u:object_r:test_prog_exec_t:s0 test.sh
[root@SecLab test_prog]# 


Expected results: 

something like this (produced on the same machine, but other policy module):

audit.log:

type=AVC msg=audit(1236879143.296:193): avc:  denied  { relabelto } for  pid=26871 comm="restorecon" name="writable2" dev=sda1 ino=209596 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:my_type_t:s0 tclass=dir
type=SYSCALL msg=audit(1236879143.296:193): arch=40000003 syscall=227 success=no exit=-13 a0=bf9c8cc0 a1=14777d a2=b8b20aa0 a3=1f items=0 ppid=20022 pid=26871 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=10 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)

For completeness, the code of the te file:

policy_module(fake_httpd, 0.1.1)

require {
        type httpd_t;
        type httpd_exec_t;
        type unconfined_t;
        type admin_home_t;

#       type sleep_exec_t;
}

type my_type_t;
role unconfined_r types httpd_t;

#domain_type(httpd_t)
#files_type(my_type_t);
domain_entry_file(httpd_t, httpd_exec_t)
domain_auto_trans(unconfined_t, httpd_exec_t, httpd_t)

allow httpd_t admin_home_t:dir { getattr search };
#allow httpd_t sleep_exec_t:file { read getattr };

fc file:

/root/fake_httpd.sh -- gen_context(system_u:object_r:httpd_exec_t, s0)
/var/www/writable2 -d gen_context(system_u:object_r:my_type_t, s0)

The above module is a testing example. The module has no further purpose, so don't wonder when it seems confusing.

good night

Sebastian
Comment 1 Sebastian Pfaff 2009-03-13 18:40:27 EDT
sorry, change this:

in this example it's possible to label a file via restorecon, which is usable.

to this:

in this example it's possible to label a file via restorecon, which is _still_not_ usable.

night

seba
Comment 2 Sebastian Pfaff 2009-03-13 18:58:49 EDT
sorry for wasting time.

this is NOT a bug. files_type is implicitly called in corecommands.if

interface(`corecmd_executable_file',`
        gen_require(`
                attribute exec_type;
        ')

        typeattribute $1 exec_type;

        files_type($1)
')

which in turn will be called through domain_entry_file(...).

Sorry for this stupid entry. Thanks to dgrift for pointing this out.

bye

seba
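
An added example, not part of this bug or of selinux-policy, refpolicy or setools: a small Python checker for the question raised in the description and answered in comment 2. It parses a module's .te source and follows the interface chain quoted above (domain_entry_file() calls corecmd_executable_file(), which calls files_type()) to report which locally declared types end up as file types, i.e. which ones setfiles/restorecon will be allowed to relabel files to without an AVC relabelto denial. The expansion table is an assumption limited to that one chain (real refpolicy interfaces do much more), and the two sample modules are copies of the ones posted in the report.

```python
"""Report which types declared in a refpolicy-style .te module become file
types (files_type) and can therefore be relabelled to by restorecon.

Added example for bug 490228; not code from selinux-policy or setools.
"""
import re

# Assumption: interface expansion reconstructed from the corecommands.if
# excerpt in comment 2. Only the path that applies files_type() is modelled.
INTERFACE_EXPANSION = {
    # domain_entry_file(domain, entrypoint) -> corecmd_executable_file(entrypoint)
    "domain_entry_file": lambda a: [("corecmd_executable_file", a[1:2])] if len(a) >= 2 else [],
    # corecmd_executable_file(type) -> files_type(type)
    "corecmd_executable_file": lambda a: [("files_type", a[:1])],
}

CALL_RE = re.compile(r"^([a-z_]+)\(([^)]*)\)\s*;?$")          # name(arg, arg)
TYPE_RE = re.compile(r"^type\s+([a-z_]+)\s*(?:,[^;]*)?;")      # type foo; / type foo, attr;
REQUIRE_RE = re.compile(r"^require\s*\{")


def parse_module(te_text):
    """Return (declared_types, required_types, interface_calls) from .te source."""
    declared, required, calls = [], [], []
    in_require = False
    for raw in te_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if REQUIRE_RE.match(line):
            in_require = True
            continue
        if in_require:                        # types listed here are imported, not declared
            if line.startswith("}"):
                in_require = False
            else:
                m = TYPE_RE.match(line)
                if m:
                    required.append(m.group(1))
            continue
        m = TYPE_RE.match(line)
        if m:
            declared.append(m.group(1))
            continue
        m = CALL_RE.match(line)
        if m:
            args = [s.strip() for s in m.group(2).split(",") if s.strip()]
            calls.append((m.group(1), args))
    return declared, required, calls


def file_types(calls):
    """Set of types that receive files_type(), directly or via the modelled interfaces."""
    result, work = set(), list(calls)
    while work:
        name, args = work.pop()
        if name == "files_type" and args:
            result.add(args[0])
        expand = INTERFACE_EXPANSION.get(name)
        if expand:
            work.extend(expand(args))
    return result


def relabel_report(te_text):
    """Map each locally declared type to True if restorecon may relabel to it."""
    declared, _required, calls = parse_module(te_text)
    ft = file_types(calls)
    return {t: t in ft for t in declared}


# Constructed sample inputs: the two modules posted in the bug report.
TEST_PROG_TE = """\
policy_module(test_prog, 0.0.1)
require {
        type unconfined_t;
        type admin_home_t;
}
type test_prog_t;
type test_prog_exec_t;
domain_type(test_prog_t)
domain_entry_file(unconfined_t, test_prog_exec_t)
domain_auto_trans(unconfined_t, test_prog_exec_t, test_prog_t)
allow test_prog_t admin_home_t:dir getattr;
"""

FAKE_HTTPD_TE = """\
policy_module(fake_httpd, 0.1.1)
require{
        type httpd_t;
        type httpd_exec_t;
        type unconfined_t;
}
type my_type_t;
#files_type(my_type_t);
domain_entry_file(httpd_t, httpd_exec_t)
domain_auto_trans(unconfined_t, httpd_exec_t, httpd_t)
"""

if __name__ == "__main__":
    for name, src in (("test_prog", TEST_PROG_TE), ("fake_httpd", FAKE_HTTPD_TE)):
        for t, ok in relabel_report(src).items():
            print(f"{name}: {t}: {'file type, relabelto allowed' if ok else 'NOT a file type'}")
```

For the test_prog module the checker reports test_prog_exec_t as a file type (it gets files_type() through domain_entry_file), which matches the successful restorecon in the description; for fake_httpd it reports my_type_t as not a file type because the only files_type(my_type_t) call is commented out, which matches the relabelto denial in the audit log. On a live system the same fact can be confirmed with setools (seinfo) by checking whether the type carries the file_type attribute.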
