
libsepol.sepol_string_to_security_class: unrecognized class user_namespace #600

Closed
freedom1b2830 opened this issue Mar 2, 2023 · 4 comments

@freedom1b2830 · Contributor

This prevents the application from starting unless SELinux is shut down, because the module assembler does not know about the user_namespace class.

[root@archlinux ~]# ausearch -a 935 -i
----
type=PROCTITLE msg=audit(02.03.2023 07:07:48.204:935) : proctitle=/opt/google/chrome/chrome --cipher-suite-blacklist=0xc013,0xc014,0x009c,0x009d,0x002f,0x0035 
type=SYSCALL msg=audit(02.03.2023 07:07:48.204:935) : arch=x86_64 syscall=clone success=no exit=EACCES(Отказано в доступе) a0=0x10000011 a1=0x7ffd2e0ab190 a2=0x0 a3=0x0 items=0 ppid=1714 pid=1715 auid=user_me uid=user_me gid=user_me euid=user_me suid=user_me fsuid=user_me egid=user_me sgid=user_me fsgid=user_me tty=pts0 ses=3 comm=chrome exe=/opt/google/chrome/chrome subj=user_u:user_r:chromium_t key=(null) 
type=AVC msg=audit(02.03.2023 07:07:48.204:935) : avc:  denied  { create } for  pid=1715 comm=chrome scontext=user_u:user_r:chromium_t tcontext=user_u:user_r:chromium_t tclass=user_namespace permissive=0 
[root@archlinux ~]# ausearch -a 935 -i|audit2allow -Rx
libsepol.sepol_string_to_security_class: unrecognized class user_namespace

require {
        type chromium_t;
        class user_namespace create;
}

#============= chromium_t ==============
allow chromium_t self:user_namespace create;

The same happens with Discord.

I think this is related to chrome-sandbox, where chroot is used and the environment is configured inside it.

chrome-sandbox: suid, chroot

-rwsr-xr-x. 1 root root system_u:object_r:discord_opt_t 15184 фев 13 22:24 chrome-sandbox
-rwxr-xr-x. 1 root root system_u:object_r:discord_exec_t 138954560 фев 13 22:24 Discord

Distro: Arch Linux
Linux archlinux 6.2.1-arch1-1 #1 SMP PREEMPT_DYNAMIC Sun, 26 Feb 2023 03:39:23 +0000 x86_64 GNU/Linux

local/base-devel-selinux 1-1 (selinux)
local/base-selinux 1-1 (selinux)
local/checkpolicy 3.4-1 (selinux)
local/coreutils-selinux 9.1-3 (selinux)
local/cronie-selinux 1.6.1-1 (selinux)
local/dbus-docs-selinux 1.14.6-1 (selinux)
local/dbus-selinux 1.14.6-1 (selinux)
local/findutils-selinux 4.9.0-2 (selinux)
local/iproute2-selinux 6.2.0-2 (selinux)
local/libselinux 3.4-1 (selinux)
local/libsemanage 3.4-1 (selinux)
local/libsepol 3.4-1 (selinux)
local/logrotate-selinux 3.21.0-2 (selinux)
local/mcstrans 3.4-1 (selinux)
local/openssh-selinux 9.2p1-1 (selinux)
local/pambase-selinux 20221020-1 (selinux)
local/pam-selinux 1.5.2-1 (selinux)
local/policycoreutils 3.4-1 (selinux)
local/psmisc-selinux 23.6-1 (selinux)
local/restorecond 3.4-1 (selinux)
local/secilc 3.4-1 (selinux)
local/selinux-alpm-hook 0.1-4 (selinux)
local/selinux-dbus-config 3.4-1 (selinux)
local/selinux-gui 3.4-1 (selinux)
local/selinux-python 3.4-1 (selinux)
local/selinux-refpolicy-arch 20220520-1 (selinux)
local/selinux-refpolicy-git RELEASE_2_20221101.r94.gaedf310cd-1 (selinux)
local/selinux-refpolicy-src 20220520-1 (selinux selinux-policies)
local/selinux-sandbox 3.4-1 (selinux)
local/semodule-utils 3.4-1 (selinux)
local/setools 4.4.0-2 (selinux)
local/setroubleshoot 3.3.23-1 (selinux)
local/setroubleshoot-server 3.3.23-1 (selinux)
local/shadow-selinux 4.13-2 (selinux)
local/sudo-selinux 1.9.12.p2-2 (selinux)
local/systemd-libs-selinux 253-1 (selinux)
local/systemd-resolvconf-selinux 253-1 (selinux)
local/systemd-selinux 253-1 (selinux)
local/systemd-sysvcompat-selinux 253-1 (selinux)
local/util-linux-libs-selinux 2.38.1-1 (selinux)
local/util-linux-selinux 2.38.1-1 (selinux)
@freedom1b2830 · Contributor, Author

freedom1b2830 commented Mar 8, 2023

Apparently you did not understand me.

The problem is not that chromium_t doesn't have 'self:user_namespace create;'; the problem is that I can't build a module with that permission.

F_MAKE is:

# Locate the refpolicy include Makefile of the currently loaded policy
# (the policy name is taken from the "Loaded policy name" line of sestatus).
export REFMAKE=/usr/share/selinux/$(sestatus | grep Load | grep --color -Ei "[ ]{2,}.*" -o | grep -Eio "[a-z0-9].*")/include/Makefile

#REFMAKE is /usr/share/selinux/refpolicy-freedom1b2830-1677953396/include/Makefile

# Build <module>.te into <module>.pp and load it into the policy store.
F_MAKE(){
   make -f "$REFMAKE" "$1.pp" && semodule -i "$1.pp"
}

EEE.te:

policy_module(EEE, 1.0)

require {
        type chromium_t;
        class user_namespace create;
}

#============= chromium_t ==============
allow chromium_t self:user_namespace create;

Command: F_MAKE EEE

Compiling refpolicy-freedom1b2830-1677953396 EEE module
Creating refpolicy-freedom1b2830-1677953396 EEE.pp policy package
rm tmp/EEE.mod tmp/EEE.mod.fc
Failed to resolve allow statement at /var/lib/selinux/refpolicy-freedom1b2830-1677953396/tmp/modules/400/EEE/cil:3
Failed to resolve AST
semodule:  Failed!

And so on for all domains that require user_namespace.
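Both failures above (audit2allow's "unrecognized class" and the later "Failed to resolve allow statement") have the same root cause: the AVC record names an object class that the policy the tools compile against does not define. The following is an added example, not code from this issue or from refpolicy. It parses AVC records in the `ausearch -i` format shown in the issue, separates denials whose class the loaded policy knows (read from `/sys/fs/selinux/class/`, which the kernel exposes when SELinux is enabled) from denials on classes it does not, and only renders allow rules for the former. The sample audit lines are constructed from the issue's record plus a second invented `file` denial; the `known` set used in the `__main__` fallback is also constructed.

```python
import os
import re

# Constructed sample in the ausearch -i layout: the user_namespace denial from the
# issue plus an invented ordinary file denial for contrast.
SAMPLE_AUDIT = """\
type=AVC msg=audit(02.03.2023 07:07:48.204:935) : avc:  denied  { create } for  pid=1715 comm=chrome scontext=user_u:user_r:chromium_t tcontext=user_u:user_r:chromium_t tclass=user_namespace permissive=0
type=AVC msg=audit(02.03.2023 07:07:49.001:936) : avc:  denied  { read write } for  pid=1720 comm=chrome name=prefs dev="dm-0" ino=12 scontext=user_u:user_r:chromium_t tcontext=user_u:object_r:user_home_t tclass=file permissive=0
"""

# Fields of an AVC denial: permission set, source/target contexts, target class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(lines):
    """Extract the parts of each AVC denial needed to write an allow rule."""
    denials = []
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "perms": m.group("perms").split(),
            # user:role:type[:level] -> the type is always the third field
            "sdomain": m.group("scontext").split(":")[2],
            "ttype": m.group("tcontext").split(":")[2],
            "tclass": m.group("tclass"),
        })
    return denials


def loaded_policy_classes(selinuxfs="/sys/fs/selinux"):
    """Class names defined by the running policy, or None when selinuxfs is absent."""
    class_dir = os.path.join(selinuxfs, "class")
    if not os.path.isdir(class_dir):
        return None
    return set(os.listdir(class_dir))


def split_denials(denials, known_classes):
    """Partition denials into those the policy can express and those it cannot."""
    ok, unknown = [], []
    for d in denials:
        (ok if d["tclass"] in known_classes else unknown).append(d)
    return ok, unknown


def allow_rules(denials):
    """Render merged allow rules; a target equal to the source domain becomes 'self'."""
    rules = {}
    for d in denials:
        target = "self" if d["ttype"] == d["sdomain"] else d["ttype"]
        rules.setdefault((d["sdomain"], target, d["tclass"]), set()).update(d["perms"])
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        text = " ".join(sorted(perms))
        if len(perms) > 1:
            text = "{ " + text + " }"
        out.append(f"allow {src} {tgt}:{cls} {text};")
    return out


if __name__ == "__main__":
    known = loaded_policy_classes()
    if known is None:
        # Constructed stand-in for a policy built before the Linux 6.1 class existed.
        known = {"file", "dir", "process"}
    ok, unknown = split_denials(parse_avc(SAMPLE_AUDIT.splitlines()), known)
    for d in unknown:
        print(f"# class {d['tclass']!r} is not defined by the loaded policy; "
              f"rebuild the policy with a class definition before allowing it")
    for rule in allow_rules(ok):
        print(rule)
```

On a host whose policy predates the class, the script reports the `user_namespace` denial instead of emitting a rule that `semodule` would later reject; once the policy defines the class, the same denial renders as `allow chromium_t self:user_namespace create;`, matching the audit2allow output in the issue.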

@freedom1b2830 · Contributor, Author

UPD: I found the solution in your latest commits: 0e1cc1e.
Where can I read more about this permission?

@pebenito · Member

pebenito commented Mar 8, 2023

There isn't too much documentation because it is a new check in Linux 6.1. In short, it controls if a domain can create a user namespace. See https://paul-moore.com/blog/d/2022/12/linux_v61.html

@freedom1b2830 · Contributor, Author

Thank you. I read it. We close the topic.
