On 2017-08-25 22:23, Steve Dower wrote:
> On 25Aug2017 1058, Christian Heimes wrote:
>> Here is a simplified and partial example for a simple Python
>> 'myservice'. When the service is started by the init system, the process
>> automatically transitions into the myservice_exec_t domain.
>>
>> [SNIP]
>
> I feel like the piece I'm missing is what needs to be added to the
> CPython source to make this all work. (As with auditd - when Nick
> pointed it out to me I wasn't comfortable until I found a sample using
> audit_open().)

I need to talk to some people before I can give you a good answer. A
poor man's solution would look like this:

    with open(modulefile, 'rb') as f:
        context = fgetfilecon(f.fileno())
        # maxsplit=3 keeps an MLS level such as "s0:c0.c1023" in one piece
        user, role, type, label = context.split(':', 3)
        if type != 'python_code_t':
            raise PermissionError

I'm pretty sure it is the wrong approach. Python should not check
SELinux labels. Instead we should ask if the current process context is
allowed to perform a specific action (import a Python file) for a file
with a certain context. I don't know how to achieve this kind of check.
Perhaps something like this may work:

    avc_has_perm(
        getcon(),
        fgetfilecon(f.fileno()),
        SECCLASS_FILE,
        FILE__EXECUTE,
        metadata  # to be filled with file name
    )

This would also log proper audit events.

>> We can talk about SELinux during the sprint. If you like either Nick,
>> Victor, or I could contact some engineers from SELinux (Dan) and Linux
>> auditing team (Paul, RGB) here at Red Hat.
>
> I'm very keen for as many platform-specific proofs of concept as
> possible. The more people who are thinking "if I had this information
> available, what would I do with it?" the better.

I'll try to get in contact with some people on Monday.

Christian
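
The contrast drawn in the message above, between checking a file's label and asking whether the process context may act on the file context, as an added example that is not part of the original message or of CPython. The allow-rule table, the sample contexts and all function names are constructed for illustration; on an SELinux host the decision would come from the loaded policy (for instance through libselinux's selinux_check_access()), not from a Python set.

```python
# Constructed toy policy: allow rules as (source type, target type, class, perm).
# It stands in for the loaded SELinux policy, which a real check would query.
TOY_POLICY = {
    ("myservice_exec_t", "python_code_t", "file", "execute"),
}

def parse_context(context):
    """Split 'user:role:type[:level]'; the MLS level may itself contain ':'."""
    parts = context.split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"malformed SELinux context: {context!r}")
    level = parts[3] if len(parts) == 4 else None
    return parts[0], parts[1], parts[2], level

def label_check(file_con):
    """The label-only check: looks at the file's type and ignores the caller."""
    return parse_context(file_con)[2] == "python_code_t"

def policy_check(proc_con, file_con, tclass="file", perm="execute",
                 policy=TOY_POLICY):
    """Ask whether the source context may perform perm on the target context."""
    source_type = parse_context(proc_con)[2]
    target_type = parse_context(file_con)[2]
    return (source_type, target_type, tclass, perm) in policy

def may_import(proc_con, file_con, audit_log):
    """Gate an import on the policy decision; record grant or denial."""
    allowed = policy_check(proc_con, file_con)
    audit_log.append({
        "granted": allowed, "scontext": proc_con, "tcontext": file_con,
        "tclass": "file", "perm": "execute",
    })
    return allowed

# Constructed sample contexts (hypothetical hosts and files).
SERVICE = "system_u:system_r:myservice_exec_t:s0"
OTHER = "system_u:system_r:httpd_t:s0"
MODULE = "system_u:object_r:python_code_t:s0:c0.c1023"
TMPFILE = "unconfined_u:object_r:user_tmp_t:s0"

if __name__ == "__main__":
    log = []
    for proc in (SERVICE, OTHER):
        for target in (MODULE, TMPFILE):
            print(proc, target, label_check(target), may_import(proc, target, log))
```

The label-only check gives the same answer for every caller, while the policy query distinguishes the service domain from any other domain and leaves an audit record for each decision.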