(Apologies for multi-question. Theme is the same, but there are quite a few edge cases.)
Browsing the web, I come across resources (see below), but they don't make it quite clear what the situation really is, so this is my attempt to clarify and gather the info that I am missing.
Ways to transition
I gather there are at least three ways for a process to transition into another domain. I will list them as rules as displayed by sesearch:
- "type_transition <source> <file_label>:process <target>" - process in source domain can execute a file with file_label, which will then have target domain.
- "allow <source> <target>:process dyntransition" - process in source domain can use /proc/self/attr/current to transition into target domain.
- "allow <source> <target>:process transition" - process in source domain can use /proc/self/attr/exec to transition into target domain when exec is called.
Are there any other ways?
Protections for these transitions
Besides the above rules, transitions will also require:
- "allow <source> <file_label>:file { execute read getattr }" (is getattr really required? read?) - for type_transition and probably transition
- "allow <target> <file_label>:file entrypoint" - for type_transition and probably transition
- "allow <source> <target>:process setexec" - for transition
- "allow <source> <target>:process setcurrent" - for dyntransition
Other potential problems
- In case of memfd_create+exec("/proc/self/fd/%d"), is the file_label the same as the "symlink" label? I assume for normal /proc/self/fd/ entries the symlink would be followed, so that should be fine.
- Can a ptraced process transition to another domain? Experiments tell me exec fails with EPERM in case of type_transition, and there's a denial logged because of missing process ptrace permission from source to target. Would this work with dyntransition?
- type_transition requires a file with correct label. That can be created if one has proper relabelfrom and relabelto permissions.
Resources:
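As an added example (not from the question or any answer), a small Python checker that parses sesearch-style allow and type_transition lines and reports which of the three transition paths are fully permitted for a given source, target and file label, using exactly the permission lists from the question (so read/getattr are treated as required for the exec-based paths). The rule text and type names (app_t, helper_exec_t, helper_t, worker_t, other_t) are constructed, not taken from a real policy.

```python
import re

# Constructed sesearch-style output with hypothetical type names.
SAMPLE_RULES = """
type_transition app_t helper_exec_t:process helper_t;
allow app_t helper_exec_t:file { execute read getattr open };
allow helper_t helper_exec_t:file entrypoint;
allow app_t helper_t:process { transition setexec };
allow app_t worker_t:process dyntransition;
allow app_t worker_t:process setcurrent;
allow app_t other_t:process transition;
"""

ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*)\}|(\S+))$")
TT_RE = re.compile(r"^type_transition\s+(\S+)\s+(\S+):(\S+)\s+(\S+)$")

def parse_rules(text):
    """Return (allows, tts): allows = {(src, tgt, class, perm)}, tts = {(src, file_label, new_domain)}."""
    allows, tts = set(), set()
    for raw in text.splitlines():
        line = raw.strip().rstrip(";")
        m = ALLOW_RE.match(line)
        if m:
            src, tgt, cls, multi, single = m.groups()
            perms = multi.split() if multi is not None else [single]
            allows.update((src, tgt, cls, p) for p in perms)
            continue
        m = TT_RE.match(line)
        if m and m.group(3) == "process":   # only process-class type_transition rules matter here
            tts.add((m.group(1), m.group(2), m.group(4)))
    return allows, tts

def transition_methods(rules, source, target, file_label):
    """Which of the three paths from the question are fully permitted for source -> target via file_label."""
    allows, tts = rules
    has = lambda s, t, c, p: (s, t, c, p) in allows
    # Both exec-based paths need the file permissions on the source and entrypoint on the target.
    exec_ok = all(has(source, file_label, "file", p) for p in ("execute", "read", "getattr"))
    entry_ok = has(target, file_label, "file", "entrypoint")
    methods = set()
    if (source, file_label, target) in tts and exec_ok and entry_ok:
        methods.add("type_transition")   # automatic on exec of the labelled file
    if all(has(source, target, "process", p) for p in ("transition", "setexec")) and exec_ok and entry_ok:
        methods.add("transition")        # explicit, via /proc/self/attr/exec before exec
    if all(has(source, target, "process", p) for p in ("dyntransition", "setcurrent")):
        methods.add("dyntransition")     # explicit, via /proc/self/attr/current, no exec needed
    return methods
```

Running `transition_methods(parse_rules(SAMPLE_RULES), "app_t", "other_t", "helper_exec_t")` returns an empty set, because the sample grants process transition to other_t but neither setexec nor an entrypoint on a file label.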