How to transfer the current process or its thread to another context? #627

Closed
freedom1b2830 opened this issue Jul 19, 2023 · 4 comments

Comments

@freedom1b2830
Contributor

freedom1b2830 commented Jul 19, 2023

I want to implement the transfer of the current process or its application thread (the latter is what I wanted ideally) from Java.
Right now I'm using int setcon(String context);
The function returns -1.

For example, I need to transition from user_u:user_r:java_t -> user_u:user_r:user_t

Is it correct to use this function (setcon),
and what TE rules are needed for the transfer?

allow java_t self:process { dyntransition setcurrent };
neverallow check failed at /var/lib/selinux/refpolicy-freedom/tmp/modules/400/base/cil:4199
  (neverallow base_typeattr_5 self (process (setcurrent)))
    <root>
    allow at /var/lib/selinux/refpolicy-freedom/tmp/modules/400/javatrans/cil:3
      (allow java_t self (process (dyntransition setcurrent setrlimit)))

Failed to generate binary
semodule:  Failed!

aureport -i -a|grep 103475

18. 07/19/2023 06:58:27 java user_u:user_r:java_t:s0 write process setcurrent user_u:user_r:java_t:s0 denied 103475
19. 07/19/2023 06:58:27 java user_u:user_r:java_t:s0 write process dyntransition user_u:user_r:java_t:s0 denied 103475
----
type=PROCTITLE msg=audit(07/19/2023 06:58:27.497:103475) : proctitle=/usr/lib/jvm/java-8-openjdk/bin/java -Dfile.encoding=UTF-8 -classpath /home/user_dev/eclipse-workspace-ide/bind-jna-selinux/targ 
type=SYSCALL msg=audit(07/19/2023 06:58:27.497:103475) : arch=x86_64 syscall=write success=yes exit=24 a0=0xf a1=0x7f7e5020c8f0 a2=0x18 a3=0x0 items=0 ppid=1254 pid=434102 auid=user_dev uid=user_dev gid=user_dev euid=user_dev suid=user_dev fsuid=user_dev egid=user_dev sgid=user_dev fsgid=user_dev tty=pts2 ses=5 comm=java exe=/usr/lib/jvm/java-8-openjdk/jre/bin/java subj=user_u:user_r:java_t:s0 key=(null) 
type=AVC msg=audit(07/19/2023 06:58:27.497:103475) : avc:  denied  { dyntransition } for  pid=434102 comm=java scontext=user_u:user_r:java_t:s0 tcontext=user_u:user_r:java_t:s0 tclass=process permissive=1 
type=AVC msg=audit(07/19/2023 06:58:27.497:103475) : avc:  denied  { setcurrent } for  pid=434102 comm=java scontext=user_u:user_r:java_t:s0 tcontext=user_u:user_r:java_t:s0 tclass=process permissive=1
@pebenito
Member

pebenito commented Jul 19, 2023

You need:

allow java_t self:process setcurrent;
allow java_t user_t:process dyntransition;
domain_dyntrans_type(java_t)

@freedom1b2830
Contributor Author

policy_module(demotrans, 1.0.0)

optional_policy(`
	gen_require(`
		type java_t;
		type user_t;
		type xdg_cache_t;
	')
	# dynamic transition java_t -> user_t via setcon(3)
	domain_dyntrans_type(java_t)
	allow java_t self:process setcurrent;
	allow java_t user_t:process dyntransition;
	
	#RW jna so
	xdg_manage_cache(java_t)
	allow java_t xdg_cache_t:file { execute map };
	#execute jna so
	libs_exec_ldconfig(java_t)
	
	seutil_libselinux_linked(java_t)
')
ausearch -i -a 3088
----
type=PROCTITLE msg=audit(07/19/2023 21:09:03.721:3088) : proctitle=/usr/lib/jvm/java-8-openjdk/bin/java -Dfile.encoding=UTF-8 -classpath /home/user_dev/eclipse-workspace-ide/bind-jna-selinux/targ 
type=SYSCALL msg=audit(07/19/2023 21:09:03.721:3088) : arch=x86_64 syscall=write success=no exit=EPERM(Operation not permitted) a0=0xf a1=0x7fd8140944f0 a2=0x18 a3=0x0 items=0 ppid=777 pid=5598 auid=user_dev uid=user_dev gid=user_dev euid=user_dev suid=user_dev fsuid=user_dev egid=user_dev sgid=user_dev fsgid=user_dev tty=pts3 ses=5 comm=EEEE exe=/usr/lib/jvm/java-8-openjdk/jre/bin/java subj=user_u:user_r:java_t:s0 key=(null) 
type=SELINUX_ERR msg=audit(07/19/2023 21:09:03.721:3088) : op=security_bounded_transition seresult=denied oldcontext=user_u:user_r:java_t:s0 newcontext=user_u:user_r:user_t:s0 

@freedom1b2830
Contributor Author

What other solutions are there? I tried to run the program as the root user.

@cgzones
Contributor

cgzones commented Jul 27, 2023

Probably a limitation of setcon(3) as mentioned in the man page:

Since Linux 2.6.28, setcon() is permitted for threads within a multi-threaded process if the new security context is bounded by the old security context, where the bounded relation is defined through typebounds statements in the policy and guarantees that the new security context has a subset of the permissions of the old security context.

BUT: You really should not use setcon(3), especially in a complex application like Java; use, for example, a wrapper script with just exec $@ and model a type transition based on the file context of that wrapper. Dynamic transitions should really be the exception, e.g. for systemd after loading the initial policy.
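The following is an added example, not code from the thread or from refpolicy. It ties together the two failure modes discussed above: the AVC denials on the process class that pebenito's three rules address (setcurrent, dyntransition, domain_dyntrans_type) and the SELINUX_ERR record from security_bounded_transition that cgzones explains, which no allow rule can fix. The script parses audit lines of those two shapes (the sample records are constructed copies of the ones pasted earlier) and prints the refpolicy rule each one points at, roughly what audit2allow would emit, plus the caveats audit2allow does not print: a dyntransition whose tcontext equals the scontext is a transition to the current type and must be rewritten to name the destination type (user_t here), and a bounded-transition rejection means the destination would have to be declared with typebounds, which is the wrong shape when the destination is the broader user_t, so an exec-based transition through a wrapper is the way out. Function and variable names are the example's own.

```python
"""Triage helper for the SELinux dynamic-transition failures shown in this thread.

Added example, not refpolicy tooling. It parses two record shapes from the
thread: AVC denials on the process class (setcurrent / dyntransition) and the
SELINUX_ERR record the kernel emits when security_bounded_transition rejects
setcon() in a multi-threaded process. It emits the refpolicy rules each one
points at, roughly what audit2allow would do, plus caveats audit2allow omits.
"""
import re

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)
BOUNDED_RE = re.compile(
    r"op=security_bounded_transition\s+seresult=denied\s+"
    r"oldcontext=(?P<old>\S+)\s+newcontext=(?P<new>\S+)"
)

# Constructed sample records, shaped like the ones pasted in the thread.
SAMPLE_LINES = [
    "type=AVC msg=audit(07/19/2023 06:58:27.497:103475) : avc:  denied  { dyntransition } "
    "for  pid=434102 comm=java scontext=user_u:user_r:java_t:s0 "
    "tcontext=user_u:user_r:java_t:s0 tclass=process permissive=1",
    "type=AVC msg=audit(07/19/2023 06:58:27.497:103475) : avc:  denied  { setcurrent } "
    "for  pid=434102 comm=java scontext=user_u:user_r:java_t:s0 "
    "tcontext=user_u:user_r:java_t:s0 tclass=process permissive=1",
    "type=SELINUX_ERR msg=audit(07/19/2023 21:09:03.721:3088) : "
    "op=security_bounded_transition seresult=denied "
    "oldcontext=user_u:user_r:java_t:s0 newcontext=user_u:user_r:user_t:s0",
]


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_audit(lines):
    """Turn raw audit lines into event dicts; lines of other record types are skipped."""
    events = []
    for line in lines:
        m = AVC_RE.search(line)
        if m:
            events.append({"kind": "avc", "perms": m["perms"].split(),
                           "src": type_of(m["scon"]), "tgt": type_of(m["tcon"]),
                           "tclass": m["tclass"]})
            continue
        m = BOUNDED_RE.search(line)
        if m:
            events.append({"kind": "bounded",
                           "old": type_of(m["old"]), "new": type_of(m["new"])})
    return events


def suggest(events):
    """Map events to refpolicy rules and caveats; returns (rules, notes), de-duplicated."""
    rules, notes = [], []
    for ev in events:
        if ev["kind"] == "avc" and ev["tclass"] == "process":
            src, tgt = ev["src"], ev["tgt"]
            for perm in ev["perms"]:
                if perm == "setcurrent":
                    # setcurrent is always checked against the process itself.
                    rules.append(f"allow {src} self:process setcurrent;")
                elif perm == "dyntransition":
                    # The kernel checks dyntransition with the *new* context as the
                    # target, so tcontext == scontext means the context written was
                    # the current one rather than the intended destination.
                    target = "self" if src == tgt else tgt
                    rules.append(f"allow {src} {target}:process dyntransition;")
                    rules.append(f"domain_dyntrans_type({src})")
                    if target == "self":
                        notes.append(f"{src}: dyntransition to its own type is a no-op; "
                                     f"name the destination type instead of self")
        elif ev["kind"] == "bounded":
            # No allow rule fixes this: the new type must be bounded by the old one.
            notes.append(f"{ev['old']} -> {ev['new']}: rejected by the bounded-transition "
                         f"check; a multi-threaded process may only setcon() to a type "
                         f"declared with 'typebounds {ev['old']} {ev['new']};', otherwise "
                         f"use an exec-based domain transition through a wrapper")
    return list(dict.fromkeys(rules)), list(dict.fromkeys(notes))


if __name__ == "__main__":
    rules, notes = suggest(parse_audit(SAMPLE_LINES))
    print("\n".join(rules))
    print("\n".join("# " + n for n in notes))
```

Run it against `ausearch -i` output piped in, or against the sample lines as above; the rules it prints for the first two records are the same shape as pebenito's, with self in place of user_t because that is what the pasted AVC record says, and the note on the third record is the point cgzones makes: the typebounds direction would have to make user_t a subset of java_t, so the wrapper-and-exec transition is the practical fix.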
