On 2017-08-25 22:23, Steve Dower wrote:
> On 25Aug2017 1058, Christian Heimes wrote:
>> Here is a simplified and partial example for a simple Python 'myservice'. When the service is started by the init system, the process automatically transitions into the myservice_exec_t domain.
>> [SNIP]
>
> I feel like the piece I'm missing is what needs to be added to the CPython source to make this all work. (As with auditd - when Nick pointed it out to me I wasn't comfortable until I found a sample using audit_open().)
I need to talk to some people before I can give you a good answer. A poor man's solution would look like this:

    import selinux

    with open(modulefile, 'rb') as f:
        # the libselinux Python binding returns [rc, context]
        _, context = selinux.fgetfilecon(f.fileno())
    # maxsplit=3 keeps an MLS range such as "s0:c0.c1023" in one piece
    user, role, type, label = context.split(':', 3)
    if type != 'python_code_t':
        raise PermissionError

I'm pretty sure it is the wrong approach. Python should not check SELinux labels. Instead we should ask if the current process context is allowed to perform a specific action (import a Python file) for a file with a certain context. I don't know how to achieve this kind of check. Perhaps something like this may work:

    avc_has_perm(
        getcon(),
        fgetfilecon(f.fileno()),
        SECCLASS_FILE,
        FILE__EXECUTE,
        metadata  # to be filled with file name
    )

This would also log proper audit events.
We can talk about SELinux during the sprint. If you like either Nick, Victor, or I could contact some engineers from SELinux (Dan) and Linux auditing team (Paul, RGB) here at Red Hat.
> I'm very keen for as many platform-specific proofs of concept as possible. The more people who are thinking "if I had this information available, what would I do with it?" the better.
I'll try to get in contact with some people on Monday.

Christian
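Added example, not part of the original thread and not CPython code: one way to ask the loaded policy for a decision instead of comparing labels, using libselinux's selinux_check_access() through its Python binding. The names open_module, selinux_backend and constructed_backend are hypothetical, and the class/permission strings "file"/"execute" are assumed to mirror the SECCLASS_FILE/FILE__EXECUTE pair in the message above.

```python
import errno

def selinux_backend():
    """Real backend: libselinux's Python binding, imported lazily so this
    file still loads on hosts without it."""
    import selinux

    def contexts(fd):
        if not selinux.is_selinux_enabled():
            return None  # no policy loaded, nothing to ask
        # getcon()/fgetfilecon() return [rc, context] in the binding
        return selinux.getcon()[1], selinux.fgetfilecon(fd)[1]

    def allowed(scon, tcon):
        try:
            # The decision is made by the policy and audited by libselinux.
            selinux.selinux_check_access(scon, tcon, "file", "execute", None)
            return True
        except OSError as exc:
            if exc.errno == errno.EACCES:
                return False
            raise  # could not evaluate the policy: propagate, do not import
    return contexts, allowed

def constructed_backend(process_context, file_context, allow):
    """Constructed stand-in: 'allow' is a set of (scon, tcon) pairs."""
    def backend():
        def contexts(fd):
            return None if file_context is None else (process_context, file_context)
        return contexts, lambda scon, tcon: (scon, tcon) in allow
    return backend

def open_module(path, backend=selinux_backend):
    """Open a module file only if policy lets the current process context
    'execute' a file carrying that file's context."""
    contexts, allowed = backend()
    f = open(path, "rb")
    try:
        # Query the label of the descriptor we will read from, not the path,
        # so the file cannot be swapped between check and read.
        pair = contexts(f.fileno())
        if pair is not None and not allowed(*pair):
            raise PermissionError(errno.EACCES, "SELinux policy denies import", path)
        return f
    except BaseException:
        f.close()
        raise
```

The constructed backend lets the decision logic be exercised on a machine without SELinux; on an SELinux host the default backend sends the same question to the kernel's policy.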