Investigating domain transitions

July 06, 2021

An important analytical approach when dealing with SELinux policies is to perform a domain transition analysis. A domain is bounded by the access controls defined for it, but users or processes can transition to other domains by executing the right set of applications.

Analyzing whether and how a transition can occur between two SELinux domains allows administrators to validate the secure state of the policy. Given the mandatory nature of SELinux, adversaries will find it difficult to execute target applications if a domain transition analysis shows that the source domain cannot execute said application, either directly or indirectly.

Administrators should use domain transition analysis to confirm that a domain is correctly confined, and that vulnerabilities within the applications running inside a domain cannot lead to privilege escalation.

Using apol for domain transition analysis

After starting apol, select New Analysis followed by Domain Transition Analysis. The analysis screen itself will show several possible analytical approaches:

[Figure: domain transitions]

This analysis will attempt to find a path between a given source domain and target domain, and display the execution trail that could lead to the transition. Administrators can then verify whether the applications associated with these domain transitions can be trusted or not. Such analysis is sensible when we need to assert that certain domains cannot break out of their confinement, or when we are developing new policies and want to ensure that the confinement is within the boundaries we want.

The transition analysis can be fine-tuned through the following settings:

  • With Shortest paths, apol will show domain transitions between the source domain and the target domain, seeking the shortest transitions possible. For instance, a transition from staff_t to staff_sudo_t to unconfined_t is a two-step path. When a path is found, apol will not search for longer paths.
  • When we select All paths up to, apol will perform the analysis up to a certain number of steps. With a limit of one step, this is similar to performing direct queries with seinfo or sesearch.
  • Using Transitions out of the source domain and Transitions into the target domain will show all transitions that can occur from a given source domain or to the target domain. This is used for a more interactive session, where users can click through the domains to see the next set of domains that can be transitioned to.

To further fine-tune the analysis, a few options can be selected. For instance, we can exclude certain types from being used in the domain transition analysis. This allows us to mark certain domains as trusted (such as the *_sudo_t domains), which will make apol ignore those domains to find more appropriate transition chains to analyze.

Using sedta for domain transition analysis

The path analysis done by apol can also be executed from a command-line application called sedta. It has the same capabilities as the domain transition analysis functionality within apol.

The type of analysis is selected through command-line arguments: -S is used for shortest path analysis, whereas -A (followed by a number) runs the equivalent of All paths up to.

For instance, to check for a domain transition path between the staff_t domain and the unconfined_t domain, excluding the staff_sudo_t, newrole_t, and init_t domains, use the following command:

$ sedta -S -s staff_t -t unconfined_t staff_sudo_t newrole_t init_t
Domain transition path 1:
Step 1: staff_t -> oddjob_t
Domain transition rule(s):
allow staff_t oddjob_t:process transition;
Set execution context rule(s):
allow staff_t staff_t:process { dyntransition fork getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setcurrent setexec setfscreate setkeycreate setpgid setrlimit setsched setsockcreate share sigchld siginh sigkill signal signull sigstop transition };
Entrypoint oddjob_exec_t:
 Domain entrypoint rule(s):
 allow oddjob_t oddjob_exec_t:file { entrypoint execute getattr ioctl lock map open read };
 File execute rule(s):
 allow staff_t oddjob_exec_t:file { execute execute_no_trans getattr ioctl map open read };
 Type transition rule(s):
 type_transition staff_t oddjob_exec_t:process oddjob_t;
Step 2: oddjob_t -> openshift_initrc_t
...

We can analyze a different policy than the current system policy using the -p option.
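To make concrete what each step in the sedta output above requires, the following added example (not part of the original article or of the setools project) rebuilds a shortest-path search over a small, constructed set of allow and type_transition rules. All rule lines and the domain names they connect are made up for the example; an edge between two domains is only created when the process transition, file entrypoint, file execute and type_transition rules that sedta prints per step are all present, and excluded domains are skipped exactly as the trusted-domain list is on the sedta command line.

```python
import re
from collections import deque

# Constructed rules in kernel policy syntax, made up for this example (not from a real policy).
RULES = """
allow staff_t staff_sudo_t:process transition;
allow staff_sudo_t sudo_exec_t:file entrypoint;
allow staff_t sudo_exec_t:file { execute open read };
type_transition staff_t sudo_exec_t:process staff_sudo_t;
allow staff_sudo_t unconfined_t:process transition;
allow unconfined_t shell_exec_t:file entrypoint;
allow staff_sudo_t shell_exec_t:file execute;
type_transition staff_sudo_t shell_exec_t:process unconfined_t;
allow staff_t oddjob_t:process transition;
allow oddjob_t oddjob_exec_t:file entrypoint;
allow staff_t oddjob_exec_t:file execute;
type_transition staff_t oddjob_exec_t:process oddjob_t;
allow oddjob_t unconfined_t:process transition;
allow oddjob_t shell_exec_t:file execute;
type_transition oddjob_t shell_exec_t:process unconfined_t;
"""
ALLOW = re.compile(r"allow (\w+) (\w+):(\w+) (\{[^}]*\}|\w+);")
TT = re.compile(r"type_transition (\w+) (\w+):process (\w+);")


def transitions(text):
    """Map each domain to the domains it can enter. An edge exists only when all rules
    sedta prints per step are present: process transition, file entrypoint on the
    target, file execute for the source, and a type_transition naming that pair."""
    allow = {(s, t, c, p) for s, t, c, ps in ALLOW.findall(text) for p in ps.strip("{} ").split()}
    tt = set(TT.findall(text))
    edges = {}
    for src, tgt, cls, perm in allow:
        if (cls, perm) != ("process", "transition"):
            continue
        entry = {e for d, e, c, p in allow if (d, c, p) == (tgt, "file", "entrypoint")}
        execs = {e for d, e, c, p in allow if (d, c, p) == (src, "file", "execute")}
        if any((src, e, tgt) in tt for e in entry & execs):
            edges.setdefault(src, set()).add(tgt)
    return edges


def shortest_path(edges, source, target, exclude=()):
    """Breadth-first search as `sedta -S` does; excluded domains are treated as trusted."""
    queue, seen = deque([[source]]), {source}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in sorted(edges.get(path[-1], set()) - set(exclude) - seen):
            seen.add(nxt)
            queue.append(path + [nxt])
    return None
```

Calling shortest_path(transitions(RULES), "staff_t", "unconfined_t", exclude={"oddjob_t"}) returns the route through staff_sudo_t, and excluding both staff_sudo_t and oddjob_t returns None, which is the confinement result an administrator wants to see once the trusted domains are set aside.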

Using sepolicy for domain transition analysis

The sepolicy tool has a built-in domain transition analysis capability through its transition argument. It is, however, not as flexible as sedta or apol, as the command offers no tuning options. It also does not seem to cover all possible paths, often displaying extensive and elaborate routes where much simpler ones exist:

$ sepolicy transition -s mount_t -t unconfined_t
mount_t ... glusterd_t ... ipsec_t ... ipsec_mgmt_t
 ... initrc_t ... condor_schedd_t ... condor_startd_t
 ... openshift_initrc_t ... stunnel_t ... telnetd_t
 ... remote_login_t @ shell_exec_t --> unconfined_t
 -- Allowed True [ unconfined_login=1 ]
mount_t ... glusterd_t ... ipsec_t ... ipsec_mgmt_t
 ... initrc_t ... condor_schedd_t ... condor_startd_t
 ... openshift_initrc_t ... kmscon_t ... 
 local_login_t @ shell_exec_t --> unconfined_t 
 -- Allowed True [ unconfined_login=1 ]
mount_t ... glusterd_t ... ipsec_t ... ipsec_mgmt_t
 ... initrc_t ... condor_schedd_t ... condor_startd_t
 ... openshift_initrc_t ... kdumpgui_t ... kdumpctl_t
 ... sge_execd_t ... sge_shepherd_t ...
 sshd_t @ shell_exec_t --> unconfined_t
 -- Allowed True [ ssh_sysadm_login=0 || unconfined_login=1 ]
mount_t ... glusterd_t ... ipsec_t ... ipsec_mgmt_t
 ... initrc_t ... condor_schedd_t ... condor_startd_t
 ... openshift_initrc_t ... kdumpgui_t ... kdumpctl_t ...
 sulogin_t @ shell_exec_t --> unconfined_t
 -- Allowed True [ unconfined_login=1 ]
mount_t ... glusterd_t ... ipsec_t ... ipsec_mgmt_t
 ... initrc_t ... condor_schedd_t ... condor_startd_t
 ... openshift_initrc_t ... kdumpgui_t ... kdumpctl_t
 ... inetd_t ...
 rshd_t @ shell_exec_t --> unconfined_t
 -- Allowed True [ unconfined_login=1 ]
mount_t ... glusterd_t ... ipsec_t ... ipsec_mgmt_t
 ... initrc_t ... condor_schedd_t ... condor_startd_t
 ... openshift_initrc_t ... kdumpgui_t ... kdumpctl_t
 ... piranha_pulse_t ...
 crond_t @ shell_exec_t --> unconfined_t
 -- Allowed True [ cron_userdomain_transition=1 || unconfined_login=1 ]
mount_t ... glusterd_t ... ipsec_t ... ipsec_mgmt_t
 ... initrc_t ... condor_schedd_t ... condor_startd_t
 ... openshift_initrc_t ... kdumpgui_t ... kdumpctl_t
 ... piranha_pulse_t ... cockpit_ws_t ...
 cockpit_session_t @ unconfined_exec_t --> unconfined_t

Let’s compare this with sedta, which we use against the same policy and for the same domain transition:

$ sedta -S -s mount_t -t unconfined_t | \
grep -E '(transition path|Step)'
Domain transition path 1:
Step 1: mount_t -> glusterd_t
Step 2: glusterd_t -> sulogin_t
Step 3: sulogin_t -> unconfined_t
Domain transition path 2:
Step 1: mount_t -> glusterd_t
Step 2: glusterd_t -> virtd_lxc_t
Step 3: virtd_lxc_t -> unconfined_t
Domain transition path 3:
Step 1: mount_t -> glusterd_t
Step 2: glusterd_t -> xdm_t
Step 3: xdm_t -> unconfined_t
Domain transition path 4:
Step 1: mount_t -> glusterd_t
Step 2: glusterd_t -> crond_t
Step 3: crond_t -> unconfined_t
Domain transition path 5:
Step 1: mount_t -> glusterd_t
Step 2: glusterd_t -> sshd_t
Step 3: sshd_t -> unconfined_t
Domain transition path 6:
Step 1: mount_t -> glusterd_t
Step 2: glusterd_t -> virtd_t
Step 3: virtd_t -> unconfined_t
6 domain transition path(s) found.

When comparing the two outputs, you will notice that sedta often finds shorter domain transition paths that sepolicy transition does not report. Hence it is not recommended to rely solely on sepolicy transition for domain transition analysis.
