From 8eaa9bdab3c4a89c2208e04c38fbe9333967cc35 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik
Date: Sat, 17 Mar 2018 19:27:24 +0100
Subject: [PATCH 1/3] Remove capability DAC_OVERRIDE

There are two simmilar capabilities DAC_READ_SEARCH and DAC_OVERRIDE capability. DAC stands for Discretionary Access Control. DAC Means standard Linux Ownership/permission flags. Process running as UID=0 with DAC_READ_SEARCH can read any file on the system, even if the permission flags would not allow a root process to read it. Similarly DAC_OVERRIDE, means the process can ignore all permission/ownerships of all files on the system. And ipa-custodia needn't modify anything from dogtag.

---
 ipa_custodia.te | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/ipa_custodia.te b/ipa_custodia.te
index 8c0a18f..7ef8be9 100644
--- a/ipa_custodia.te
+++ b/ipa_custodia.te
@@ -25,8 +25,7 @@ files_tmp_file(ipa_custodia_tmp_t)
 # ipa_custodia local policy
 #
 
-# DAC_OVERRIDE to read Dogtag's key material
-allow ipa_custodia_t self:capability {net_admin dac_override};
+allow ipa_custodia_t self:capability {net_admin};
 allow ipa_custodia_t self:process execmem;
 allow ipa_custodia_t self:fifo_file rw_fifo_file_perms;
 allow ipa_custodia_t self:unix_stream_socket create_stream_socket_perms;

From 7a5e71969af54967a3c3271d50fa4db0c57e82c4 Mon Sep 17 00:00:00 2001
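Review bot: Applied on its own this hunk breaks ipa-custodia's access to Dogtag's key material: dac_override was the only capability letting the uid 0 process get past the DAC bits on those files (the removed comment says as much) and nothing here replaces it, while the replacement dac_read_search grant only arrives in PATCH 2/3, so the series is not bisectable between the two. Either squash this with 2/3 or move the `allow ipa_custodia_t self:capability { net_admin dac_read_search };` line into this commit. The dropped rationale should also survive on whatever grant replaces it, e.g. `# dac_read_search: read Dogtag's key material (files not owned by root, no world read)` — the permission details are only shown in 2/3's audit record, so confirm the wording against them.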
From: Lukas Slebodnik
Date: Sat, 17 Mar 2018 19:37:04 +0100
Subject: [PATCH 2/3] Allow to read dogtag files

time->Fri Mar 16 12:38:20 2018
type=PATH msg=audit(1521218300.002:578): item=0 name="/etc/pki/pki-tomcat/password.conf" inode=25537522 dev=fd:00 mode=0100660 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1521218300.002:578): cwd="/"
type=SYSCALL msg=audit(1521218300.002:578): arch=c000003e syscall=257 success=yes exit=8 a0=ffffffffffffff9c a1=7f4004d85a70 a2=80000 a3=0 items=1 ppid=32585 pid=3864 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipa-custodia" exe="/usr/bin/python3.6" subj=system_u:system_r:ipa_custodia_t:s0 key=(null)
type=AVC msg=audit(1521218300.002:578): avc: denied { dac_read_search } for pid=3864 comm="ipa-custodia" capability=2 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=capability permissive=1

Version of base selinux policy: selinux-policy-3.13.1-283.26.fc27.noarch

---
 ipa_custodia.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipa_custodia.te b/ipa_custodia.te
index 7ef8be9..60207c8 100644
--- a/ipa_custodia.te
+++ b/ipa_custodia.te
@@ -25,7 +25,7 @@ files_tmp_file(ipa_custodia_tmp_t)
 # ipa_custodia local policy
 #
 
-allow ipa_custodia_t self:capability {net_admin};
+allow ipa_custodia_t self:capability { net_admin dac_read_search };
 allow ipa_custodia_t self:process execmem;
 allow ipa_custodia_t self:fifo_file rw_fifo_file_perms;
 allow ipa_custodia_t self:unix_stream_socket create_stream_socket_perms;

From 85b85cc774458d98d0065588a3b9bd611cc2c3ec Mon Sep 17 00:00:00 2001
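Review bot: The new `allow ... { net_admin dac_read_search };` line carries no comment, although the audit record in the message shows exactly why it is needed (a uid 0 openat of /etc/pki/pki-tomcat/password.conf, mode 0660, owned by uid/gid 17), and that rationale is lost once the commit scrolls out of history; suggest `# dac_read_search: read Dogtag files such as /etc/pki/pki-tomcat/password.conf (0660, not owned by root)` above the line. Worth stating in the same comment that dac_read_search bypasses DAC for every file the domain may reach under the MAC rules, not just pki_tomcat_etc_rw_t, so it is broader than the single file that triggered it; if granting DAC access on the specific files (ownership or group) was considered and rejected, a one-line TODO recording that would help the next reviewer. The denial was captured with permissive=1, so re-running the flow in enforcing mode on the target policy would confirm no further capability denials follow.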
From: Lukas Slebodnik
Date: Sat, 17 Mar 2018 19:42:22 +0100
Subject: [PATCH 3/3] Suppress dac_override AVCs with old kernel

If a process tried to read /etc/shadow, it would be allowed if it had either DAC_OVERRIDE or DAC_READ_SEARCH. Older kernel's had pseudo code like if DAC_OVERRIDE or DAC_READ_SEARCH: New Kernel switched to: if DAC_READ_SEARCH or DAC_OVERRIDE See also: https://danwalsh.livejournal.com/77140.html

---
 ipa_custodia.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ipa_custodia.te b/ipa_custodia.te
index 60207c8..6999806 100644
--- a/ipa_custodia.te
+++ b/ipa_custodia.te
@@ -26,6 +26,7 @@ files_tmp_file(ipa_custodia_tmp_t)
 #
 
 allow ipa_custodia_t self:capability { net_admin dac_read_search };
+dontaudit ipa_custodia_t self:capability dac_override;
 allow ipa_custodia_t self:process execmem;
 allow ipa_custodia_t self:fifo_file rw_fifo_file_perms;
 allow ipa_custodia_t self:unix_stream_socket create_stream_socket_perms;
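Review bot: The `dontaudit ipa_custodia_t self:capability dac_override;` line records only that the denial is silenced, not why; the kernel-ordering reason lives solely in the commit message, so add above it `# Older kernels check dac_override before dac_read_search and log a spurious dac_override denial; the domain only needs dac_read_search.` Because dontaudit hides the event, a future code path that genuinely needs dac_override will fail with nothing in the audit log; a pointer such as `# hidden denials can be shown with: semodule -DB (re-enable with semodule -B)` keeps that debuggable. The audit capture in 2/3 was taken with permissive=1, so the claim that dac_read_search alone suffices in enforcing mode on the target kernel is inferred rather than shown here and is worth confirming before the dontaudit masks the evidence.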