From: Dominick Grift <dac.override@gmail.com>
To: selinux@tycho.nsa.gov
Subject: Re: Strange behavior: type boundaries
Date: Mon, 22 Jun 2015 20:29:20 +0200 [thread overview]
Message-ID: <20150622182919.GD10451@localhost.localdomain> (raw)
In-Reply-To: <5588513C.2050309@tycho.nsa.gov>
[-- Attachment #1: Type: text/plain, Size: 1655 bytes --]
On Mon, Jun 22, 2015 at 02:17:32PM -0400, Stephen Smalley wrote:
> On 06/22/2015 02:08 PM, Dominick Grift wrote:
> > On Mon, Jun 22, 2015 at 06:07:20PM +0200, Miroslav Grepl wrote:
> >
> >>
> >> In Fedora, we have unconfined_service_t domain for unconfined services
> >> started by init. So there is init_t @bin_t -> unconfined_service_t and
> >> we get op=security_bounded_transition for init_t against
> >> unconfined_service_t. But of course it is not going to work with
> >>
> >> typebounds init_t unconfined_service_t;
> >>
> >> because there is
> >>
> >> # <audit-1401> op=security_compute_av reason=bounds
> >> scontext=system_u:system_r:unconfined_service_t:s0
> >> tcontext=system_u:object_r:bin_t:s0 tclass=file perms=entrypoint
> >>
> >> So this logic breaks our concept with unconfined_service_t.
> >>
> >
> > What is running in the unconfined_service_t domain in that event?
>
> Nothing at the point of that message. The message indicates a bounds
> failure, which will then cause the kernel to fall back to the old
> context if it was an automatic transition, or fail the exec with -EPERM
> if it was explicitly requested via setexeccon().
>
Sounds reasonable to me (it just seems I can't get easily used to that message but that is probably just because it does not happen often)
But yes at that point, suppose you know you have something to target.
I still would like to know what triggered this. Only thing i can think of is systemd-importd
--
02DFF788
4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
[-- Attachment #2: Type: application/pgp-signature, Size: 648 bytes --]
next prev parent reply other threads:[~2015-06-22 18:29 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-03-13 18:15 Strange behavior: type boundaries Dominick Grift
2015-03-13 18:26 ` Stephen Smalley
2015-03-13 18:43 ` Dominick Grift
2015-03-13 18:50 ` Stephen Smalley
2015-03-13 19:01 ` Dominick Grift
2015-03-14 7:22 ` Dominick Grift
2015-03-16 12:43 ` Stephen Smalley
2015-03-16 12:51 ` Steve Lawrence
2015-06-22 16:07 ` Miroslav Grepl
2015-06-22 16:28 ` Stephen Smalley
2015-06-22 18:13 ` Dominick Grift
2015-06-22 18:08 ` Dominick Grift
2015-06-22 18:17 ` Stephen Smalley
2015-06-22 18:29 ` Dominick Grift [this message]
2015-06-22 20:35 ` Miroslav Grepl
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150622182919.GD10451@localhost.localdomain \
--to=dac.override@gmail.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.