Message-ID: <1456504426.3481.44.camel@redhat.com>
Subject: Re: Strange AVC with latest rawhide kernel.
From: Daniel J Walsh
To: Stephen Smalley, Paul Moore
Cc: selinux@tycho.nsa.gov, Eric Paris
Date: Fri, 26 Feb 2016 11:33:46 -0500
In-Reply-To: <56D07421.3090301@tycho.nsa.gov>
References: <1456423369.3702.42.camel@redhat.com> <56CF4574.3030709@tycho.nsa.gov> <1456426779.3702.52.camel@redhat.com> <56CF523A.7000503@tycho.nsa.gov> <1456429021.31341.34.camel@redhat.com> <56CF5A54.7020600@tycho.nsa.gov> <1456432101.3702.67.camel@redhat.com> <56CF6A08.6010305@tycho.nsa.gov> <1456491264.3481.2.camel@redhat.com> <56D07421.3090301@tycho.nsa.gov>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

On Fri, 2016-02-26 at 10:49 -0500, Stephen Smalley wrote:
> On 02/26/2016 10:46 AM, Paul Moore wrote:
> > On Fri, Feb 26, 2016 at 7:54 AM, Daniel J Walsh wrote:
> > > On Thu, 2016-02-25 at 15:54 -0500, Stephen Smalley wrote:
> > > > On 02/25/2016 03:28 PM, Daniel J Walsh wrote:
> > > > > Currently typebounds only allows one instance.
> > > > It is a hierarchy, where each child has a single parent.  So you can
> > > > define hierarchies like:
> > > > typebounds unconfined_t docker_t;
> > > > typebounds docker_t svirt_lxc_net_t;
> > > > and then they can both transition because they are both ancestors.
> > > Awesome idea.
> > Would that resolve all your problems Dan with Docker, runc, etc.?
> > From our discussions the other day I thought you needed the ability to
> > transition to svirt_lxc_net_t from domains other than unconfined_t and
> > docker_t ... or was I misunderstanding you?
>
> Note that it is only exec-based transitions that are affected by
> NO_NEW_PRIVS, so one can always leverage dynamic transitions (i.e.
> setcon) without requiring typebounds.
BTW I turned on the expand-check=1 in semanage.conf and semodule -B went
nuts and crashed. On this policy:

policy_module(mypol, 1.0)

require {
	type svirt_lxc_net_t;
	type docker_t;
	type svirt_sandbox_file_t;
	type unconfined_t;
}

allow unconfined_t svirt_sandbox_file_t:file entrypoint;
allow docker_t svirt_sandbox_file_t:file entrypoint;

typebounds unconfined_t docker_t;
typebounds docker_t svirt_lxc_net_t;
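As an added illustration (not code from this thread or from the SELinux project) of the two behaviours discussed above: the ancestor walk that lets both unconfined_t and docker_t exec into svirt_lxc_net_t under NO_NEW_PRIVS once the typebounds chain is declared, and a simplified form of the subset rule that expand-check=1 enforces (every permission of a bounded type must also be held by its parent). The rule set is constructed to resemble the module in the message, and other_t is a made-up type name.

```python
from collections import defaultdict

# Constructed sample, modelled on the module in the message: typebounds
# parent child, stored here as child -> parent.
TYPEBOUNDS = {"docker_t": "unconfined_t", "svirt_lxc_net_t": "docker_t"}

# Constructed allow rules as (source, target, class, perms).  The third rule
# deliberately gives the bounded child a permission its parent lacks.
ALLOW = [
    ("unconfined_t", "svirt_sandbox_file_t", "file", {"entrypoint"}),
    ("docker_t", "svirt_sandbox_file_t", "file", {"entrypoint"}),
    ("svirt_lxc_net_t", "svirt_sandbox_file_t", "file", {"entrypoint", "execmod"}),
    ("unconfined_t", "svirt_lxc_net_t", "process", {"transition"}),
    ("docker_t", "svirt_lxc_net_t", "process", {"transition"}),
]

def bounded_transition(old_type, new_type, bounds=TYPEBOUNDS):
    """Exec transition allowed under NO_NEW_PRIVS only if new_type is
    old_type itself or is bounded by it, walking up the whole chain.
    This is why both unconfined_t and docker_t may enter svirt_lxc_net_t."""
    t = new_type
    while t is not None:
        if t == old_type:
            return True
        t = bounds.get(t)
    return False

def typebounds_violations(allow=ALLOW, bounds=TYPEBOUNDS):
    """Simplified form of the hierarchy check expand-check=1 performs:
    each permission of a bounded type must also be granted to its parent
    on the same target and class.  Returns (child, target, class, extra)."""
    granted = defaultdict(set)
    for src, tgt, cls, perms in allow:
        granted[(src, tgt, cls)] |= perms
    violations = []
    for child, parent in bounds.items():
        for (src, tgt, cls), perms in granted.items():
            if src != child:
                continue
            extra = perms - granted.get((parent, tgt, cls), set())
            if extra:
                violations.append((child, tgt, cls, frozenset(extra)))
    return violations

if __name__ == "__main__":
    for old in ("unconfined_t", "docker_t", "other_t"):  # other_t: made-up
        print(old, "-> svirt_lxc_net_t:", bounded_transition(old, "svirt_lxc_net_t"))
    print("violations:", typebounds_violations())
```

The real libsepol check also considers bounds on the target type, so this model is stricter than the compiler in some cases; it is enough to show why a child rule its parent does not mirror is rejected.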