From mboxrd@z Thu Jan 1 00:00:00 1970 From: dac.override@gmail.com (Dominick Grift) Date: Mon, 23 Nov 2015 13:00:15 +0100 Subject: [refpolicy] Transition not working as expected with boolean cron_userdomain_transition set to on In-Reply-To: <5652F8F4.3090601@debian.org> References: <5652F8F4.3090601@debian.org> Message-ID: <20151123120014.GA826@x250> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Mon, Nov 23, 2015 at 12:31:00PM +0100, Laurent Bigonville wrote: > Hi, > > While testing my patch for the at daemon, I think I also found a bug in the > policy. > > With the cron_userdomain_transition boolean set to off I see the following > behavior, user bigon is unconfined_u, test is user_u and test_staff is > staff_u > > bigon at soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0 > unconfined_u:unconfined_r:unconfined_cronjob_t:s0-s0:c0.c1023 > bigon at soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0 > user_u:user_r:cronjob_t:s0 > bigon at soldur:~$ /usr/sbin/getdefaultcon test_staff > system_u:system_r:crond_t:s0 > staff_u:staff_r:cronjob_t:s0 > > > Everything seems OK here. > > But when I toggle the boolean to on, I see the following behavior: > > bigon at soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0 > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > bigon at soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0 > /usr/sbin/getdefaultcon: Invalid argument > bigon at soldur:~$ /usr/sbin/getdefaultcon test_staff > system_u:system_r:crond_t:s0 > staff_u:sysadm_r:sysadm_t:s0 > > As you can see a default context cannot be computed for the user_u user and > the staff_u domain is transitioned to sysadm_r:sysadm_t (not sure this is > intended) > > In the fedora policy I've found this patch https://github.com/fedora-selinux/selinux-policy/commit/28afa6f6438070902daca6ecb5d97abad7d53a0d > > If I'm _adding_ the user context to the default context > > bigon at soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0 > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > bigon at soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0 > user_u:user_r:user_t:s0 > bigon at soldur:~$ /usr/sbin/getdefaultcon test_staff > system_u:system_r:crond_t:s0 > staff_u:staff_r:staff_t:s0 > > I've attached a patch, am I understanding everything correctly here? > > Cheers, > > Laurent Bigonville > >From c8aa69e51d8781da782a50dbdf20b258288093d4 Mon Sep 17 00:00:00 2001 > From: Laurent Bigonville > Date: Mon, 23 Nov 2015 12:25:13 +0100 > Subject: [PATCH] Allow the user cronjobs to run in their userdomain > > When cron_userdomain_transition boolean is set to on, the user cronjobs > are supposed to run in their domains. Without this patch the default > context is not properly computed: > > $ /usr/sbin/getdefaultcon user_u system_u:system_r:crond_t:s0 > /usr/sbin/getdefaultcon: Invalid argument > $ /usr/sbin/getdefaultcon staff_u system_u:system_r:crond_t:s0 > staff_u:sysadm_r:sysadm_t:s0 this is not a accurate description since it expects a user name and not a selinux user id (right?) > > With this patch applied: > > $ /usr/sbin/getdefaultcon user_u system_u:system_r:crond_t:s0 > user_u:user_r:user_t:s0 > $ /usr/sbin/getdefaultcon staff_ system_u:system_r:crond_t:s0 > staff_u:staff_r:staff_t:s0 idem ditto > --- > config/appconfig-mcs/staff_u_default_contexts | 2 +- > config/appconfig-mcs/user_u_default_contexts | 2 +- > config/appconfig-mls/staff_u_default_contexts | 2 +- > config/appconfig-mls/user_u_default_contexts | 2 +- > config/appconfig-standard/staff_u_default_contexts | 2 +- > config/appconfig-standard/user_u_default_contexts | 2 +- > 6 files changed, 6 insertions(+), 6 deletions(-) > > diff --git a/config/appconfig-mcs/staff_u_default_contexts b/config/appconfig-mcs/staff_u_default_contexts > index 881a292..5606c4e 100644 > --- a/config/appconfig-mcs/staff_u_default_contexts > +++ b/config/appconfig-mcs/staff_u_default_contexts > @@ -1,7 +1,7 @@ > system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 > system_r:remote_login_t:s0 staff_r:staff_t:s0 > system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 > -system_r:crond_t:s0 staff_r:cronjob_t:s0 > +system_r:crond_t:s0 staff_r:staff_t:s0 staff_r:cronjob_t:s0 > system_r:xdm_t:s0 staff_r:staff_t:s0 > staff_r:staff_su_t:s0 staff_r:staff_t:s0 > staff_r:staff_sudo_t:s0 staff_r:staff_t:s0 > diff --git a/config/appconfig-mcs/user_u_default_contexts b/config/appconfig-mcs/user_u_default_contexts > index cacbc93..56d6071 100644 > --- a/config/appconfig-mcs/user_u_default_contexts > +++ b/config/appconfig-mcs/user_u_default_contexts > @@ -1,7 +1,7 @@ > system_r:local_login_t:s0 user_r:user_t:s0 > system_r:remote_login_t:s0 user_r:user_t:s0 > system_r:sshd_t:s0 user_r:user_t:s0 > -system_r:crond_t:s0 user_r:cronjob_t:s0 > +system_r:crond_t:s0 user_r:user_t:s0 user_r:cronjob_t:s0 > system_r:xdm_t:s0 user_r:user_t:s0 > user_r:user_su_t:s0 user_r:user_t:s0 > user_r:user_sudo_t:s0 user_r:user_t:s0 > diff --git a/config/appconfig-mls/staff_u_default_contexts b/config/appconfig-mls/staff_u_default_contexts > index 881a292..5606c4e 100644 > --- a/config/appconfig-mls/staff_u_default_contexts > +++ b/config/appconfig-mls/staff_u_default_contexts > @@ -1,7 +1,7 @@ > system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 > system_r:remote_login_t:s0 staff_r:staff_t:s0 > system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 > -system_r:crond_t:s0 staff_r:cronjob_t:s0 > +system_r:crond_t:s0 staff_r:staff_t:s0 staff_r:cronjob_t:s0 > system_r:xdm_t:s0 staff_r:staff_t:s0 > staff_r:staff_su_t:s0 staff_r:staff_t:s0 > staff_r:staff_sudo_t:s0 staff_r:staff_t:s0 > diff --git a/config/appconfig-mls/user_u_default_contexts b/config/appconfig-mls/user_u_default_contexts > index cacbc93..56d6071 100644 > --- a/config/appconfig-mls/user_u_default_contexts > +++ b/config/appconfig-mls/user_u_default_contexts > @@ -1,7 +1,7 @@ > system_r:local_login_t:s0 user_r:user_t:s0 > system_r:remote_login_t:s0 user_r:user_t:s0 > system_r:sshd_t:s0 user_r:user_t:s0 > -system_r:crond_t:s0 user_r:cronjob_t:s0 > +system_r:crond_t:s0 user_r:user_t:s0 user_r:cronjob_t:s0 > system_r:xdm_t:s0 user_r:user_t:s0 > user_r:user_su_t:s0 user_r:user_t:s0 > user_r:user_sudo_t:s0 user_r:user_t:s0 > diff --git a/config/appconfig-standard/staff_u_default_contexts b/config/appconfig-standard/staff_u_default_contexts > index c2a5ea8..300694c 100644 > --- a/config/appconfig-standard/staff_u_default_contexts > +++ b/config/appconfig-standard/staff_u_default_contexts > @@ -1,7 +1,7 @@ > system_r:local_login_t staff_r:staff_t sysadm_r:sysadm_t > system_r:remote_login_t staff_r:staff_t > system_r:sshd_t staff_r:staff_t sysadm_r:sysadm_t > -system_r:crond_t staff_r:cronjob_t > +system_r:crond_t staff_r:staff_t staff_r:cronjob_t > system_r:xdm_t staff_r:staff_t > staff_r:staff_su_t staff_r:staff_t > staff_r:staff_sudo_t staff_r:staff_t > diff --git a/config/appconfig-standard/user_u_default_contexts b/config/appconfig-standard/user_u_default_contexts > index f5bfac3..63b7eec 100644 > --- a/config/appconfig-standard/user_u_default_contexts > +++ b/config/appconfig-standard/user_u_default_contexts > @@ -1,7 +1,7 @@ > system_r:local_login_t user_r:user_t > system_r:remote_login_t user_r:user_t > system_r:sshd_t user_r:user_t > -system_r:crond_t user_r:cronjob_t > +system_r:crond_t user_r:user_t user_r:cronjob_t > system_r:xdm_t user_r:user_t > user_r:user_su_t user_r:user_t > user_r:user_sudo_t user_r:user_t > -- > 2.6.2 > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy - -- 02DFF788 4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788 https://sks-keyservers.net/pks/lookup?op=get&search=0x314883A202DFF788 Dominick Grift -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQGcBAEBCgAGBQJWUv/LAAoJENAR6kfG5xmcRFoMAJgHxvER+k3j+LtnWa50Zds9 jAosAWKYXFGtpm1jZitfkZrF2z+dwhRWicl/GXRFQmk1aoEe9Z7ygmWeGOB3Fi1F DTCEH6Shwt9B2UM6odoZ/4DN0Sapf1XpKHcaqg/Um13BuxBdF9xC5E0pxOKLf6D4 6kwR2LsuOjT5cittNaWKTMJ9GT6+Ua1/jQVwpDHBzcIDbIGbdDAvIZYhyPoRuGbG OYqIbB7sAiXwOIQEphICjJDwwhObYIP8DsTmpYG+sfIL0/CDfnXzGh6lou3+tgRJ ha4u271Ptk+vUxNp8AMd7zjtlEHmD671Pbx0nmxfEk6ewJ4qOCuxdMMXqJFD5Ocp VyfBEAWMfaOT8KJeYwQd6sw4ZGrCDXLvQ6kjI3HwXsn0HZsAYLQCCUBFM1FlewdG A5kVaD/fCzij9EcIPW5mo72ZqLrpwtj5Qgdu3s+j4vJOT2dqPgYD6yGaUArjiaGg NTjBVPtj/FwWbKSTXK72wMhP6XNSf2sivg50iKCqZA== =SpoQ -----END PGP SIGNATURE-----