(Apologies for multi-question. Theme is the same, but there are quite a few edge cases.)
Browsing the web, I come across resources (see below), but they don't make it quite clear what the situation really is, so this is my attempt to clarify and gather the info that I am missing.
Ways to transition
I gather there are at least three ways for a process to transition into another domain. I will list them as rules that are displayed by sesearch:
- "type_transition <source> <file_label>:process <target>" - process in source domain can execute a file with file_label, which will automatically transition to target domain.
- "allow <source> self:process setexec" - process in source domain can use setexeccon(/proc/self/attr/exec) to transition into target domain when exec is called.
- "allow <source> self:process setcurrent" - process in source domain can use setcon(/proc/self/attr/current) to transition into target domain immediately.
Are there any other ways?
Protections for these transitions
Besides the above rules, transitions will also require following permissions:
- "allow <source> <file_label>:file { execute read getattr }" - for type_transition, setexec (and setcurrent?)
- "allow <target> <file_label>:file entrypoint" - for type_transition, setexec (and setcurrent?)
- "allow <source> <target>:process transition" - for type_transition and setexec
- "allow <source> <target>:process dyntransition" - for setcurrent
Other potential problems
- In case of memfd_create+exec("/proc/self/fd/%d"), is the file_label the same as the "symlink" label? I assume for normal /proc/self/fd/ entries the symlink would be followed, so that should be fine.
- Can a ptraced process transition to another domain? Experiments tell me exec fails with EPERM in case of type_transition, and there's a denial logged because of missing process ptrace permission from source to target. Would this work with dyntransition?
- type_transition requires a file with correct label. That can be created if one has proper relabelfrom and relabelto permissions.
Resources:
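As an added illustration (not part of the question above), here is a small Python checker that takes sesearch-style output and reports which of the rules listed in the question are still missing for a given source domain, target domain and file label, for each of the three transition modes. The sample rules, the types init_t, sshd_t and sshd_exec_t, and the function names are all constructed for this example; the file/entrypoint requirements the question marks with "?" for setcurrent are assumed here not to apply to setcurrent, which is an assumption, not a verified statement about the kernel.

```python
import re

# Constructed sesearch-style output for illustration only; these types and
# rules are made up and were not taken from any real policy.
SAMPLE_RULES = """
type_transition init_t sshd_exec_t:process sshd_t;
allow init_t sshd_exec_t:file { execute getattr open read };
allow sshd_t sshd_exec_t:file { entrypoint execute read };
allow init_t sshd_t:process { transition siginh rlimitinh };
allow init_t self:process { setexec setcurrent };
allow init_t init_t:process dyntransition;
"""

ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+);$")
TT_RE = re.compile(r"^type_transition\s+(\S+)\s+(\S+):process\s+(\S+);$")


def parse_rules(text):
    """Parse allow and type_transition lines in the format sesearch prints.

    Returns (allows, transitions): allows maps (source, target, class) to the
    set of granted permissions; transitions is a set of (source, file_label,
    target) triples. A target of 'self' is normalised to the source type.
    """
    allows = {}
    transitions = set()
    for raw in text.splitlines():
        line = raw.strip()
        m = ALLOW_RE.match(line)
        if m:
            src, tgt, cls, perms = m.groups()
            if tgt == "self":
                tgt = src
            allows.setdefault((src, tgt, cls), set()).update(perms.strip("{} ").split())
            continue
        m = TT_RE.match(line)
        if m:
            transitions.add(m.groups())
    return allows, transitions


def missing_permissions(rules, mode, source, target, file_label=None):
    """Return the rules still needed for `source` to reach `target` via `mode`.

    mode is one of 'type_transition', 'setexec' or 'setcurrent'. The checks
    mirror the list in the question; treating the file/entrypoint checks as
    not applying to setcurrent is an assumption made by this example.
    """
    allows, transitions = rules
    missing = []

    def need(src, tgt, cls, perm):
        if perm not in allows.get((src, tgt, cls), set()):
            missing.append(f"allow {src} {tgt}:{cls} {perm}")

    if mode not in ("type_transition", "setexec", "setcurrent"):
        raise ValueError(f"unknown transition mode: {mode}")

    if mode == "type_transition":
        if (source, file_label, target) not in transitions:
            missing.append(f"type_transition {source} {file_label}:process {target}")
    if mode == "setexec":
        need(source, source, "process", "setexec")
    if mode == "setcurrent":
        need(source, source, "process", "setcurrent")
        need(source, target, "process", "dyntransition")
    else:
        # type_transition and setexec both go through exec of a labelled file
        if file_label is None:
            raise ValueError(f"{mode} needs the label of the executable file")
        for perm in ("execute", "read", "getattr"):
            need(source, file_label, "file", perm)
        need(target, file_label, "file", "entrypoint")
        need(source, target, "process", "transition")
    return missing


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for mode in ("type_transition", "setexec", "setcurrent"):
        gaps = missing_permissions(rules, mode, "init_t", "sshd_t", "sshd_exec_t")
        print(f"{mode:16} init_t -> sshd_t: {'ok' if not gaps else gaps}")
```

With the constructed sample, type_transition and setexec from init_t to sshd_t are fully permitted, while setcurrent fails only on the missing dyntransition rule; feeding the script real sesearch output (for example `sesearch -A -s <source>` plus `sesearch -T -s <source>`) gives the same kind of gap list for a live policy.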