MLS/MCS Constraints causing problems for unconfined_t.

MLS/MCS Constraints causing problems for unconfined_t.

[Daniel J Walsh]

Currently unconfined_t can not read the pid of certain domains in 
targeted policy that are running at s0-s0:c0.c255
For instance audit2allow will give the following after a reboot. since 
the shutdown process tries to killall processes and reads these.

allow unconfined_t auditd_t:file read;
allow unconfined_t crond_t:file read;
allow unconfined_t cupsd_t:file read;
allow unconfined_t hald_t:file read;
allow unconfined_t udev_t:file read;
allow unconfined_t self:file read;
allow unconfined_t xdm_t:file read;

Also if a sysadm run top it will generate this kind of AVC messages.  
These are somewhat expected, should we dontaudit these?  Will dontaudit 
work on an MLS Constraint failure?

Dan

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: MLS/MCS Constraints causing problems for unconfined_t.

[Stephen Smalley]

On Mon, 2006-01-09 at 11:13 -0500, Daniel J Walsh wrote:
> Currently unconfined_t can not read the pid of certain domains in 
> targeted policy that are running at s0-s0:c0.c255
> For instance audit2allow will give the following after a reboot. since 
> the shutdown process tries to killall processes and reads these.
> 
> allow unconfined_t auditd_t:file read;
> allow unconfined_t crond_t:file read;
> allow unconfined_t cupsd_t:file read;
> allow unconfined_t hald_t:file read;
> allow unconfined_t udev_t:file read;
> allow unconfined_t self:file read;
> allow unconfined_t xdm_t:file read;
> 
> Also if a sysadm run top it will generate this kind of AVC messages.  
> These are somewhat expected, should we dontaudit these?  Will dontaudit 
> work on an MLS Constraint failure?

For MCS, the obvious question is why are these domains running ranged?
For MLS, is unconfined_t used?

dontaudit will suppress audit messages caused by a constraint if the
types and class match.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: MLS/MCS Constraints causing problems for unconfined_t.

[Daniel J Walsh]

Stephen Smalley wrote:
> On Mon, 2006-01-09 at 11:13 -0500, Daniel J Walsh wrote:
>   
>> Currently unconfined_t can not read the pid of certain domains in 
>> targeted policy that are running at s0-s0:c0.c255
>> For instance audit2allow will give the following after a reboot. since 
>> the shutdown process tries to killall processes and reads these.
>>
>> allow unconfined_t auditd_t:file read;
>> allow unconfined_t crond_t:file read;
>> allow unconfined_t cupsd_t:file read;
>> allow unconfined_t hald_t:file read;
>> allow unconfined_t udev_t:file read;
>> allow unconfined_t self:file read;
>> allow unconfined_t xdm_t:file read;
>>
>> Also if a sysadm run top it will generate this kind of AVC messages.  
>> These are somewhat expected, should we dontaudit these?  Will dontaudit 
>> work on an MLS Constraint failure?
>>     
>
> For MCS, the obvious question is why are these domains running ranged?
>   
Things like login programs need to allow the user to login at certain 
ranges via seusers.

So if I can login as s0-s0:c0,c4 login programs and cron need to be able 
to start jobs at that level.

Similarly if cups needs to be able to print labeled files.


> For MLS, is unconfined_t used?
>
> dontaudit will suppress audit messages caused by a constraint if the
> types and class match.
>
>   
No but I just see top as staff user triggering lots of AVC.  So Iguess 
we should allow and dontaudit them.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.