From mboxrd@z Thu Jan 1 00:00:00 1970 Message-ID: <1456432571.3702.69.camel@redhat.com> Subject: Re: Strange AVC with latest rawhide kernel. From: Daniel J Walsh To: Stephen Smalley , Eric Paris , pmoore@redhat.com, mgrepl@redhat.com Cc: selinux@tycho.nsa.gov Date: Thu, 25 Feb 2016 15:36:11 -0500 In-Reply-To: <56CF5A54.7020600@tycho.nsa.gov> References: <1456423369.3702.42.camel@redhat.com> <56CF4574.3030709@tycho.nsa.gov> <1456426779.3702.52.camel@redhat.com> <56CF523A.7000503@tycho.nsa.gov> <1456429021.31341.34.camel@redhat.com> <56CF5A54.7020600@tycho.nsa.gov> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: On Thu, 2016-02-25 at 14:47 -0500, Stephen Smalley wrote: > On 02/25/2016 02:37 PM, Eric Paris wrote: > > > > You added a type bounds right before this broke...  Does the parent > > type have entrypoint? If not, maybe that's where it got stripped... > That would match the behavior he described (although he should get > an  > audit message of the form op=security_compute_av reason=bounds.. in  > audit.log or dmesg in that case).  The kernel automatically reduces  > permissions as required by typebounds.  The corresponding logic > never  > made its way into the libsepol compute_av code, so audit2why > wouldn't  > know about it, and sesearch merely searches for TE rules; it doesn't > do  > anything about typebounds.  We should probably update libsepol  > compute_av (for that, and eventually for xperms). Eric is right.  I added the following policy and got the error again. policy_module(mypol, 1.0) require { type svirt_lxc_net_t; type docker_t; } typebounds docker_t svirt_lxc_net_t; Then I added this policy and it worked. policy_module(mypol, 1.0) require { type svirt_lxc_net_t; type docker_t; type svirt_sandbox_file_t; } allow docker_t svirt_sandbox_file_t:file entrypoint; typebounds docker_t svirt_lxc_net_t; So typebounds removed the entrypoint access from svirt_lxc_net_t, but none of the tools realized this.