Comments (8)

rhatdan commented on July 18, 2024

You can modify the roles available to the staff_u user or create a new user to run as staff_r without sysadm_r, system_r and unconfined_r.
Or better yet create a user record for millerthegorilla which just runs as the staff_r role.

from container-selinux.

rhatdan commented on July 18, 2024

BTW, staff_r getting to unconfined_r is a risk, but you still need to use a setuid program like sudo to get to a different type. staff_t cannot easily transition to unconfined_t.

millerthegorilla commented on July 18, 2024

Thanks for the reply.
I have managed to use SELinux for an alternative treatment of the same problem, one not using containers, so I am beginning to find my way through. However, I want to use containerised microservices for a site I am creating, and am going to want to lock down the containers as much as possible.

I have tried using udica, and experience this issue - containers/udica#8 - it looks unlikely that libsepol is going to be updated to address this, and I am scratching my head as to why udica isn't updated to name the resulting type without special characters etc.

I have one question though. I have been reading and reading, and cannot seem to locate the docs regarding the editing of roles. I figure that I can copy an existing role and then edit it, but am uncertain as to whether this is done entirely through policy updates or whether there is a ground zero creation of a role. If you could supply me with a reference re creation or editing of roles, I would be extremely grateful.

Thanks for all your help

rhatdan commented on July 18, 2024

I would not edit roles. If your goal is to create a user on a system that can't reach a role, you can define that as a user.

sh-5.2# semanage user -a -R staff_r -r s0-s0:c0.c1023 container_u
sh-5.2# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

container_u     user       s0         s0-s0:c0.c1023                 staff_r
guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0-s0:c0.c1023                 user_r
xguest_u        user       s0         s0                             xguest_r
# useradd testu
# semanage login -a -s container_u testu

Now if you login as testu, you are in the staff_r role, but can not switch to any other role.
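The `semanage user -l` listing above is exactly what a defender would audit to confirm a confined user like container_u cannot reach sysadm_r or unconfined_r. The script below is an added example, not code from the thread or from container-selinux; it parses a constructed listing modelled on that output (real output comes from `semanage user -l` on the host), and the role set it treats as privileged is an assumption.

```shell
#!/bin/sh
# Constructed sample modelled on the `semanage user -l` output in the thread.
# Columns: SELinux user, labelling prefix, MLS level, MLS range, roles...
SEMANAGE_USERS='container_u     user       s0         s0-s0:c0.c1023                 staff_r
guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
user_u          user       s0         s0-s0:c0.c1023                 user_r'

# Roles treated as privileged (assumption): reaching either one means the
# login is a setuid hop away from an unconfined or administrative domain.
PRIV_ROLES="sysadm_r unconfined_r"

# Read a semanage-style listing on stdin and print "user: roles" for every
# SELinux user whose role set contains at least one privileged role.
privileged_users() {
    awk -v priv="$PRIV_ROLES" '
        BEGIN { n = split(priv, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        NF >= 5 {
            hit = ""
            for (i = 5; i <= NF; i++) if ($i in want) hit = hit " " $i
            if (hit != "") printf "%s:%s\n", $1, hit
        }'
}

# Given the SELinux user a Linux login maps to (see `semanage login -l`),
# return 0 if that user cannot reach a privileged role, 1 otherwise.
login_is_confined() {
    seuser="$1"
    ! printf '%s\n' "$SEMANAGE_USERS" | privileged_users | grep -q "^$seuser:"
}

# Stand-alone run: list every SELinux user that can reach a privileged role.
printf '%s\n' "$SEMANAGE_USERS" | privileged_users
```

On a live host replace the embedded sample with `semanage user -l | privileged_users` and check each login's mapping from `semanage login -l`.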

millerthegorilla commented on July 18, 2024

That's great, thanks, but I don't want to use staff_r, as it includes a massive number of domains in comparison to the domains I actually want to use, so I would prefer to create a new role, or copy an existing role and edit it.

role staff_r types { abrt_helper_t alsa_home_t antivirus_home_t audio_home_t auth_home_t bluetooth_helper_t bootloader_t cache_home_t cdrecord_t chfn_t chkpwd_t chrome_sandbox_home_t chrome_sandbox_nacl_t chrome_sandbox_t chronyc_t config_home_t container_home_t container_init_t container_kvm_t container_runtime_t container_t container_userns_t cronjob_t crontab_t cvs_home_t data_home_t dbus_home_t ddclient_t exim_t fetchmail_home_t freqset_t fsadm_t gconf_home_t gconfd_t git_session_t git_user_content_t gkeyringd_gnome_home_t gnome_home_t gpg_agent_t gpg_helper_t gpg_pinentry_t gpg_secret_t gpg_t groupadd_t gstreamer_home_t hddtemp_t home_bin_t home_cert_t httpd_user_script_t icc_data_home_t iceauth_home_t iceauth_t ifconfig_t iotop_t iptables_t irc_home_t irc_t irc_tmp_t irssi_home_t irssi_t journalctl_t kismet_home_t kmod_t kpatch_t krb5_home_t load_policy_t loadkeys_t local_login_home_t lpr_t lvm_t mail_home_rw_t mail_home_t mailman_mail_t mandb_home_t mock_build_t mock_t mount_t mozilla_home_t mozilla_plugin_config_t mozilla_plugin_t mpd_home_t mpd_user_data_t mplayer_home_t mysqld_home_t namespace_init_t newrole_t nscd_t ntpd_t obex_t oddjob_mkhomedir_t oddjob_t openshift_initrc_t openshift_var_lib_t pam_console_t pam_timestamp_t passwd_t ping_t policykit_auth_t policykit_grant_t polipo_cache_home_t polipo_config_home_t polipo_session_t postfix_postdrop_t postfix_postqueue_t pppd_t procmail_home_t ptchown_t pulseaudio_home_t pulseaudio_t qmail_inject_t qmail_queue_t rlogind_home_t rpcd_t rpm_script_t rpm_t rssh_ro_t rssh_rw_t sandbox_file_t sandbox_min_client_t sandbox_min_t sandbox_net_client_t sandbox_net_t sandbox_web_client_t sandbox_web_t sandbox_x_client_t sandbox_x_t sandbox_xserver_t screen_home_t semanage_t sepgsql_ranged_proc_t sepgsql_trusted_proc_t setfiles_t setsebool_t smbmount_t spamc_home_t speech_dispatcher_home_t ssh_home_t ssh_t sssd_t staff_consolehelper_t staff_dbusd_t staff_gkeyringd_t staff_screen_t staff_seunshare_t staff_ssh_agent_t 
staff_sudo_t staff_t staff_wine_t svirt_home_t svirt_socket_t svirt_t svirt_tcg_t system_mail_t systemd_home_t targetclid_home_t telepathy_cache_home_t telepathy_data_home_t telepathy_gabble_cache_home_t telepathy_gabble_t telepathy_idle_t telepathy_logger_cache_home_t telepathy_logger_data_home_t telepathy_logger_t telepathy_mission_control_cache_home_t telepathy_mission_control_data_home_t telepathy_mission_control_home_t telepathy_mission_control_t telepathy_msn_t telepathy_salut_t telepathy_sofiasip_t telepathy_stream_engine_t telepathy_sunshine_home_t telepathy_sunshine_t texlive_home_t thumb_home_t thumb_t traceroute_t tvtime_home_t udev_t uml_ro_t uml_rw_t updpwd_t user_fonts_cache_t user_fonts_config_t user_fonts_t user_home_dir_t user_home_t user_mail_t user_tmp_t useradd_t utempter_t virt_bridgehelper_t virt_content_t virt_home_t vlock_t vmtools_helper_t vmtools_t vmware_conf_t vmware_file_t wine_home_t wireshark_home_t wireshark_t xauth_home_t xauth_t xdm_home_t xserver_t };

I want a role that only has domains pertaining to container usage, and maybe a few others. I definitely don't want to allow sudo or any other privilege escalation, as it kind of defeats the use of rootless containers via podman, but I haven't been able to find information or tutorials/references pertaining to the editing or creation of new roles.

rhatdan commented on July 18, 2024

Then you would need to write a new role, say a container_r role, and allow it the container_domain types.

rhatdan commented on July 18, 2024

user_r has lots of types assigned to it as well.

$ seinfo -ruser_r -x

Roles: 1
   role user_r types { abrt_helper_t alsa_home_t antivirus_home_t audio_home_t auth_home_t bluetooth_helper_t cache_home_t cdrecord_t chfn_t chkpwd_t chrome_sandbox_home_t chrome_sandbox_nacl_t chrome_sandbox_t chronyc_t config_home_t container_home_t container_init_t container_kvm_t container_runtime_t container_t container_userns_t cronjob_t crontab_t cvs_home_t data_home_t dbus_home_t ddclient_t exim_t fetchmail_home_t fsadm_t gconf_home_t gconfd_t git_session_t git_user_content_t gkeyringd_gnome_home_t gnome_home_t gpg_agent_t gpg_helper_t gpg_pinentry_t gpg_secret_t gpg_t gstreamer_home_t home_bin_t home_cert_t httpd_user_script_t icc_data_home_t iceauth_home_t iceauth_t irc_home_t irc_t irc_tmp_t irssi_home_t irssi_t journalctl_t kismet_home_t kmod_t krb5_home_t loadkeys_t local_login_home_t lpr_t lvm_t mail_home_rw_t mail_home_t mailman_mail_t mandb_home_t mount_t mozilla_home_t mozilla_plugin_config_t mozilla_plugin_t mpd_home_t mpd_user_data_t mplayer_home_t mysqld_home_t namespace_init_t newrole_t nscd_t obex_t oddjob_mkhomedir_t oddjob_t openshift_var_lib_t pam_timestamp_t passwd_t ping_t policykit_auth_t policykit_grant_t polipo_cache_home_t polipo_config_home_t polipo_session_t postfix_postdrop_t postfix_postqueue_t pppd_t procmail_home_t ptchown_t pulseaudio_home_t pulseaudio_t qm_container_init_t qm_container_kvm_t qmail_inject_t qmail_queue_t rlogind_home_t rpcd_t rssh_ro_t rssh_rw_t sandbox_file_t sandbox_min_client_t sandbox_min_t sandbox_net_client_t sandbox_net_t sandbox_web_client_t sandbox_web_t sandbox_x_client_t sandbox_x_t sandbox_xserver_t screen_home_t setfiles_t smbmount_t snappy_home_t spamc_home_t speech_dispatcher_home_t ssh_home_t ssh_t svirt_home_t svirt_socket_t svirt_t svirt_tcg_t systemd_home_t targetclid_home_t telepathy_cache_home_t telepathy_data_home_t telepathy_gabble_cache_home_t telepathy_gabble_t telepathy_idle_t telepathy_logger_cache_home_t telepathy_logger_data_home_t telepathy_logger_t 
telepathy_mission_control_cache_home_t telepathy_mission_control_data_home_t telepathy_mission_control_home_t telepathy_mission_control_t telepathy_msn_t telepathy_salut_t telepathy_sofiasip_t telepathy_stream_engine_t telepathy_sunshine_home_t telepathy_sunshine_t texlive_home_t thumb_home_t thumb_t traceroute_t tvtime_home_t uml_ro_t uml_rw_t updpwd_t user_dbusd_t user_fonts_cache_t user_fonts_config_t user_fonts_t user_gkeyringd_t user_home_dir_t user_home_t user_mail_t user_screen_t user_seunshare_t user_ssh_agent_t user_t user_tmp_t user_wine_t utempter_t virt_bridgehelper_t virt_content_t virt_home_t vlock_t vmtools_helper_t vmtools_t vmware_conf_t vmware_file_t wine_home_t wireshark_home_t xauth_home_t xauth_t xdm_home_t };

Defining a container_r and a container_user_t to allow them to login and run containers would be an interesting use case.

rhatdan commented on July 18, 2024

I believe this can be done now.
