Dan Walsh's Blog

Got SELinux?


DAC check before MAC check. SELinux will stop wine'ing.
danwalsh
When it comes to SELinux, one of the most aggravating bugs we see is when the kernel does a MAC check before a DAC check.

This means the SELinux check happens before the normal ownership/permission check.  I always prefer to have the DAC check happen first.  This matters because code that attempts the denied access usually handles the EPERM silently and goes down a different code path.  But if the MAC check fails, SELinux writes an AVC to the audit log, and setroubleshoot reports it to the user.

One of the biggest offenders was the mmap_zero check.  Every time a process tries to map low memory, the kernel denies it, in both DAC and MAC.  Wine applications are notorious for this.  We block mmap_zero because it can potentially trigger kernel bugs which can lead to privilege escalation.

Eric Paris explains the vulnerability here.

Even with the MAC check done before the DAC check, wine applications tend to work correctly: when a wine application attempts to mmap low memory, it gets denied and then retries the mmap at a higher address.  But on an SELinux system the kernel also generates an AVC, and the user sees something like:

SELinux is preventing /usr/bin/wine-preloader from 'mmap_zero' accesses on the memprotect.

Reading about mmap_zero scares users into thinking their machine is vulnerable.  The only thing SELinux policy writers can do is write a dontaudit rule or allow the access, which defeats the purpose of the check.

We still want to block this access if a privileged confined process attempts it, and report the SELinux violation.  If a confined application running as root attempts an mmap_zero access, SELinux should block it and report the AVC.  If a normal unprivileged process triggers the access check, we would prefer to let DAC handle it and not print the message.

To give you an idea of how often people have seen this: Google "SELinux mmap_zero" and you will get more than 13,000 hits.

Today the upstream kernel has been fixed to perform the MAC check for mmap_zero AFTER the DAC check.

Thanks to Eric Paris and Paul Moore for fixing this issue.

Unable to transition from httpd_t to cacl_t

Roger Freeman

2014-11-17 06:02 am (UTC)

I'm writing a module for my app. I need httpd_t to execute my app, which is set to type cacl_exec_t, and I want SELinux to transition it to cacl_t. But the transition got denied, and when I used audit2allow, it gave this rule:
allow httpd_t cacl_t:process transition;
but when I added it to the .te file and ran "make load", I got
neverallow violated by allow httpd_t cacl_t:process { transition };
I'm new to SELinux modules and still don't understand when it would get the cacl_t domain when a cacl_exec_t command file is executed.

The following is in the .if file:
##
interface(`cacl_domtrans',`
	gen_require(`
		type cacl_t, cacl_exec_t;
	')

	domtrans_pattern($1, cacl_exec_t, cacl_t)
')

The following is in the .te file:
module caclmod 1.0.0;

require {
	type unconfined_t;
	type usr_t;
	type bin_t;
	type httpd_t;
	class file { open read execute getattr entrypoint };
	class process transition;
}

type cacl_exec_t;
type cacl_t;

allow cacl_t cacl_exec_t:file entrypoint;
#allow httpd_t cacl_t:process transition;
type_transition httpd_t cacl_exec_t:process cacl_t;
allow unconfined_t cacl_exec_t:file { getattr open read execute };
allow httpd_t cacl_exec_t:file { getattr open read execute };
allow cacl_t usr_t:file { getattr open read execute };
allow cacl_t bin_t:file { getattr open read execute };
type_transition cacl_t usr_t:process usr_t;
type_transition usr_t cacl_exec_t:process cacl_t;
type_transition bin_t cacl_exec_t:process cacl_t;
type_transition unconfined_t cacl_exec_t:process cacl_t;

role system_r types cacl_t;
role system_r types bin_t;
role system_r types usr_t;
role system_r types unconfined_t;
role unconfined_r types cacl_t;
role unconfined_r types bin_t;
role unconfined_r types usr_t;
role unconfined_r types unconfined_t;

With the above, I got
type=AVC msg=audit(1416217869.038:770): avc: denied { transition } for pid=15335 comm="sh" path="/usr/local/secbin/caclb" dev=sda2 ino=421075 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:cacl_t:s0 tclass=process
type=SYSCALL msg=audit(1416217869.038:770): arch=c000003e syscall=59 success=no exit=-13 a0=17df330 a1=17df420 a2=17de150 a3=7fff6a675c50 items=0 ppid=8334 pid=15335 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:httpd_t:s0 key=(null)


Thanks in advance for any help.

Edited at 2014-11-17 09:53 am (UTC)
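For readers who hit the same "neverallow violated" error: the reference policy only permits a process transition into a type that carries the domain attribute, which the module above never gives cacl_t. Below is an added example of a .te module written against the refpolicy interfaces (domain_type, domain_entry_file, domtrans_pattern, corecmd_exec_bin, files_read_usr_files); it is editor-supplied, not code from the post or from a reply, and it keeps the poster's type names while assuming httpd_t should reach cacl_t under the system_r role shown in the AVC.

```selinux
policy_module(caclmod, 1.0.0)

########################################
#
# Declarations
#

# cacl_t must be a domain. domain_type() attaches the "domain"
# attribute; without it, any rule granting process transition
# into cacl_t trips the base policy's neverallow constraints,
# which is the "neverallow violated" error seen above.
type cacl_t;
domain_type(cacl_t)

# cacl_exec_t is the entrypoint executable for cacl_t.
# domain_entry_file() grants cacl_t entrypoint and execute
# on files of that type (replaces the hand-written allow).
type cacl_exec_t;
domain_entry_file(cacl_t, cacl_exec_t)

gen_require(`
	type httpd_t;
	role system_r;
')

# httpd_t runs as system_r (see scontext in the AVC), so the
# new domain must be reachable from that role.
role system_r types cacl_t;

########################################
#
# httpd_t -> cacl_t transition
#

# domtrans_pattern() emits everything the transition needs:
# httpd_t executes cacl_exec_t, type_transition to cacl_t,
# the httpd_t -> cacl_t process transition, plus fd use and
# sigchld back to the parent.
domtrans_pattern(httpd_t, cacl_exec_t, cacl_t)

########################################
#
# cacl_t local policy
#

# Interfaces instead of raw bin_t/usr_t allow rules. The
# type_transition rules whose source or target was a file
# type (usr_t, bin_t) could never match and are dropped.
corecmd_exec_bin(cacl_t)
files_read_usr_files(cacl_t)
```

The module also needs a .fc entry labelling the binary from the AVC (/usr/local/secbin/caclb) as cacl_exec_t, followed by restorecon on that path, or the type_transition never fires.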
