Ways to transition SELinux domain / process context (securing SELinux boundaries)

(Apologies for multi-question. Theme is the same, but there are quite a few edge cases.)

Browsing the web, I come across resources (see below), but they don’t make it quite clear what the situation really is, so this is my attempt to clarify and gather the info that I am missing.


Ways to transition

I gather there are at least three ways for a process to transition into another domain. I will list them as rules as they are displayed by sesearch:

  1. “type_transition <source> <file_label>:process <target>” – process in source domain can execute a file with file_label, which will then have target domain.
  2. “allow <source> <target>:process dyntransition” – process in source domain can use /proc/self/attr/current to transition into target domain.
  3. “allow <source> <target>:process transition” – process in source domain can use /proc/self/attr/exec to transition into target domain when exec is called.

Are there any other ways?


Protections for these transitions

Besides the above rules, transitions will also require:

  • “allow <source> <file_label>:file { execute read getattr }” (is getattr really required? read?) – for type_transition and probably transition
  • “allow <target> <file_label>:file entrypoint” – for type_transition and probably transition
  • “allow <source> <target>:process setexec” – for transition
  • “allow <source> <target>:process setcurrent” – for dyntransition

Other potential problems

  • In case of memfd_create+exec(“/proc/self/fd/%d”), is the file_label the same as the “symlink” label? I assume for normal /proc/self/fd/ entries the symlink would be followed, so that should be fine.
  • Can a ptraced process transition to another domain? Experiments tell me exec fails with EPERM in case of type_transition, and there’s a denial logged because of missing process ptrace permission from source to target. Would this work with dyntransition?

Resources:

  • https://selinuxproject.org/page/NB_Domain_and_Object_Transitions
  • https://selinuxproject.org/page/NB_ObjectClassesPermissions
  • https://wiki.gentoo.org/wiki/SELinux/Tutorials/How_does_a_process_get_into_a_certain_context