[DSE-Dev] Bug#874201: selinux-policy-default: need typebounds support for systemd NoNewPrivileges=yes

Russell Coker russell@coker.com.au
Mon Sep 4 05:17:15 UTC 2017


Package: selinux-policy-default
Version: 2:2.20161023.1-9
Severity: normal

https://github.com/systemd/systemd/issues/3845
https://bugzilla.redhat.com/show_bug.cgi?id=1411981
https://stackoverflow.com/questions/44127247/does-anyone-know-a-workaround-for-no-new-privileges-blocking-selinux-transitions
https://www.freedesktop.org/software/systemd/man/systemd.exec.html

Above are some relevant URLs to this issue (search for NoNewPrivileges in the
last one).  Currently I've noticed this problem with tor and mysql, but I expect
that other daemons have the same issue:
# ps axZ|grep init_t|grep -v grep
system_u:system_r:init_t:s0         1 ?        Ss    95:19 /sbin/init
system_u:system_r:init_t:s0      1287 ?        Ssl  1042:39 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0
system_u:system_r:init_t:s0     30280 ?        Ssl    7:49 /usr/sbin/mysqld

For tor the following policy is needed to fix it.  This type of change means
that init_t needs EVERY permission that every domain it enters with
NoNewPrivileges=yes has.

typebounds init_t tor_t;
allow init_t tor_exec_t:file entrypoint;
allow init_t tmpfs_t:lnk_file read;

The workaround for this is to run a command like
"systemctl edit tor@default.service" and put in something like the following:
[Service]
NoNewPrivileges=no

But we don't want to disable NoNewPrivileges as that reduces protections on
non-SE systems, which hurts people who run in permissive some of the time and
allows the possibility of a security issue that is stopped by NoNewPrivileges
but not by SE Linux to exploit systems.

-- System Information:
Debian Release: 9.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages selinux-policy-default depends on:
ii  libselinux1      2.6-3+b1
ii  libsemanage1     2.6-2
ii  libsepol1        2.6-2
ii  policycoreutils  2.6-3
ii  selinux-utils    2.6-3+b1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.6-2
pn  setools      <none>

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- no debconf information
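The report identifies affected daemons by eyeballing "ps axZ" output for processes left in init_t. The script below is an added example (not part of the bug report or of the Debian policy package) that automates that check: it parses ps -Z style lines, skips PID 1 (systemd itself is legitimately init_t) and reports every other process whose SELinux type is still init_t, which on a system with per-daemon domains means the transition was blocked. The sample listing embedded in the script is constructed to resemble the one in the report; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: find daemons that failed to leave init_t (e.g. because
# NoNewPrivileges=yes blocked the domain transition). Not code from the bug report.

# Constructed sample output in "ps axZ" layout:
#   LABEL PID TTY STAT TIME COMMAND
SAMPLE_PS='system_u:system_r:init_t:s0         1 ?        Ss    95:19 /sbin/init
system_u:system_r:init_t:s0      1287 ?        Ssl  1042:39 /usr/bin/tor -f /etc/tor/torrc
system_u:system_r:tor_t:s0       1300 ?        Ssl     0:01 /usr/bin/tor -f /etc/tor/torrc
system_u:system_r:init_t:s0     30280 ?        Ssl     7:49 /usr/sbin/mysqld
system_u:system_r:mysqld_t:s0   30299 ?        Ssl     0:03 /usr/sbin/mysqld'

# stuck_in_init_t: reads ps -Z style lines on stdin and prints "PID COMMAND"
# for every process whose type field is init_t and whose PID is not 1.
stuck_in_init_t() {
    awk '{
        split($1, ctx, ":")              # user:role:type:level
        if (ctx[3] == "init_t" && $2 != 1) {
            cmd = $6                     # COMMAND may contain spaces: rejoin it
            for (i = 7; i <= NF; i++) cmd = cmd " " $i
            print $2, cmd
        }
    }'
}

# count_stuck: number of offending processes in the embedded sample.
count_stuck() {
    printf '%s\n' "$SAMPLE_PS" | stuck_in_init_t | wc -l | tr -d ' '
}

# first_stuck_pid: PID of the first offending process in the embedded sample.
first_stuck_pid() {
    printf '%s\n' "$SAMPLE_PS" | stuck_in_init_t | head -n 1 | cut -d ' ' -f 1
}

# Demonstration on the constructed sample. On a live host run:
#   ps axZ | stuck_in_init_t
printf '%s\n' "$SAMPLE_PS" | stuck_in_init_t
```

A non-empty result is a signal to inspect the unit with "systemctl show -p NoNewPrivileges <unit>" and decide between the typebounds approach the report describes and the NoNewPrivileges=no drop-in, rather than a reason to drop NoNewPrivileges across the board.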
