* SELINUX_ERR using chcon to set a printer to Secret
From: Matt Anderson @ 2006-09-28 18:59 UTC
To: selinux
I am trying to develop the policy needed for CUPS to do labeled
printing. I've already got:
allow sysadm_t printer_device_t:chr_file { relabelfrom relabelto };
With that loaded however I still get the following message in my audit
log when I try to do:
[sysadm_r@orb dev]# chcon -l Secret /dev/lp0
type=SELINUX_ERR msg=audit(1159469257.883:92):
security_validate_transition: denied for
oldcontext=system_u:object_r:printer_device_t:s0
newcontext=system_u:object_r:printer_device_t:s2
taskcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c255 tclass=chr_file
Is this something that can be allowed in policy? How can I specify that
I want to authorize sysadm_r to adjust the level of a printer device file?
thanks
-matt
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: SELINUX_ERR using chcon to set a printer to Secret
From: Matt Anderson @ 2006-09-28 19:33 UTC
To: selinux
When I add the policy:
allow secadm_t printer_device_t:chr_file { getattr relabelfrom relabelto };
I'm able to perform the relabel from secadm_r. This meets my needs wrt
CUPS, but could one of the policy gurus point out what in the policy allows
secadm_r to do this?
thanks
-matt
* Re: SELINUX_ERR using chcon to set a printer to Secret
From: Christopher J. PeBenito @ 2006-09-28 19:56 UTC
To: Matt Anderson; +Cc: selinux
On Thu, 2006-09-28 at 15:33 -0400, Matt Anderson wrote:
> When I add the policy:
>
> allow secadm_t printer_device_t:chr_file { getattr relabelfrom relabelto };
>
> I'm able to perform the relabel from secadm_r. This meets my needs wrt
> CUPS, but could one of the policy gurus point what in the policy allows
> secadm_r to do this?
You need MLS upgrade and/or downgrade permissions:
mls_file_upgrade(secadm_t)
mls_file_downgrade(secadm_t)
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
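As an added diagnostic (not code from the thread), the following Python reads a security_validate_transition record like the one in the original report, splits the old, new and task contexts, compares the MLS levels, and names the interface from Chris's reply applied to the task's type. mls_file_upgrade/mls_file_downgrade are the interfaces the reply names; the helper names and the handling of incomparable levels are assumptions.

```python
import re
# Constructed from the audit record in the original report, wrapped as the mailer left it.
SAMPLE = """type=SELINUX_ERR msg=audit(1159469257.883:92):
security_validate_transition: denied for
oldcontext=system_u:object_r:printer_device_t:s0
newcontext=system_u:object_r:printer_device_t:s2
taskcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c255 tclass=chr_file"""

def parse_level(level):
    """'s2', 's15:c0.c255' or 's1:c1,c3' -> (sensitivity, set of categories)."""
    sens, _, cats = level.partition(":")
    out = set()
    for part in cats.split(",") if cats else []:
        if "." in part:  # 'c0.c255' is an inclusive category range
            lo, hi = (int(c[1:]) for c in part.split("."))
            out.update(range(lo, hi + 1))
        else:
            out.add(int(part[1:]))
    return int(sens[1:]), out

def dominates(a, b):
    """MLS dominance: a dom b iff sens(a) >= sens(b) and cats(a) is a superset of cats(b)."""
    return a[0] >= b[0] and a[1] >= b[1]

def split_context(ctx):
    """'user:role:type:low[-high]' -> (user, role, type, low level, high level)."""
    user, role, typ, rng = ctx.split(":", 3)
    low, _, high = rng.partition("-")
    return user, role, typ, parse_level(low), parse_level(high or low)

def classify(record):
    # Flatten mailer line wrapping, then pull the key=value fields out of the record.
    flat = " ".join(record.split())
    if "security_validate_transition" not in flat:
        return None  # not a validatetrans failure (an AVC denial is a different problem)
    f = dict(re.findall(r"(\w+)=(\S+)", flat))
    old, new, task = (split_context(f[k]) for k in ("oldcontext", "newcontext", "taskcontext"))
    if old[2] != new[2]:  # type changed: that is a TE relabel, not an MLS level change
        kind, fix = "type change", "TE relabelfrom/relabelto rules"
    elif old[3] == new[3]:
        kind, fix = "same level", "none (not an MLS level change)"
    elif dominates(new[3], old[3]):  # s0 -> s2 in the report
        kind, fix = "upgrade", f"mls_file_upgrade({task[2]})"
    elif dominates(old[3], new[3]):
        kind, fix = "downgrade", f"mls_file_downgrade({task[2]})"
    else:  # assumption: refpolicy treats incomparable levels like a downgrade
        kind, fix = "incomparable", f"mls_file_downgrade({task[2]})"
    return {"tclass": f["tclass"], "kind": kind, "suggested": fix,
            "new_level_within_task_range": dominates(task[4], new[3])}
```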
* Re: SELINUX_ERR using chcon to set a printer to Secret
From: Daniel J Walsh @ 2006-09-29 17:51 UTC
To: Christopher J. PeBenito; +Cc: Matt Anderson, selinux
Christopher J. PeBenito wrote:
> On Thu, 2006-09-28 at 15:33 -0400, Matt Anderson wrote:
>
>> When I add the policy:
>>
>> allow secadm_t printer_device_t:chr_file { getattr relabelfrom relabelto };
>>
>> I'm able to perform the relabel from secadm_r. This meets my needs wrt
>> CUPS, but could one of the policy gurus point what in the policy allows
>> secadm_r to do this?
>>
>
> You need MLS upgrade and/or downgrade permissions:
>
> mls_file_upgrade(secadm_t)
> mls_file_downgrade(secadm_t)
>
>
No, those rules are already there. I think the problem is in
files_relabel_all_files. I believe it needs this patch:
diff -u files.if~ files.if
--- files.if~ 2006-09-27 17:07:37.000000000 -0400
+++ files.if 2006-09-29 13:48:53.000000000 -0400
@@ -896,8 +896,8 @@
allow $1 { file_type $2 }:lnk_file { getattr relabelfrom
relabelto };
allow $1 { file_type $2 }:fifo_file { getattr relabelfrom
relabelto };
allow $1 { file_type $2 }:sock_file { getattr relabelfrom
relabelto };
- allow $1 { file_type $2 }:blk_file { getattr relabelfrom };
- allow $1 { file_type $2 }:chr_file { getattr relabelfrom };
+ allow $1 { file_type $2 }:blk_file { getattr relabelfrom
relabelto };
+ allow $1 { file_type $2 }:chr_file { getattr relabelfrom
relabelto };
# satisfy the assertions:
seutil_relabelto_bin_policy($1)
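Review bot: the relabelto added for blk_file and chr_file in this hunk does not address the failure in the original report. That audit record is a SELINUX_ERR from security_validate_transition on a printer_device_t chr_file, i.e. the MLS validatetrans constraint rejecting the s0 to s2 level change, not an AVC denial of relabelto, so no TE allow rule in files_relabel_all_files can satisfy it; the mls_file_upgrade/mls_file_downgrade interfaces named earlier in the thread are the permissions that constraint checks. Separately, the hunk as posted has each `{ getattr relabelfrom relabelto };` line wrapped by the mailer onto two lines, so it will not apply with patch as quoted.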
* Re: SELINUX_ERR using chcon to set a printer to Secret
From: Christopher J. PeBenito @ 2006-09-29 18:23 UTC
To: Daniel J Walsh; +Cc: Matt Anderson, selinux
On Fri, 2006-09-29 at 13:51 -0400, Daniel J Walsh wrote:
> Christopher J. PeBenito wrote:
> > On Thu, 2006-09-28 at 15:33 -0400, Matt Anderson wrote:
> >
> >> When I add the policy:
> >>
> >> allow secadm_t printer_device_t:chr_file { getattr relabelfrom relabelto };
> >>
> >> I'm able to perform the relabel from secadm_r. This meets my needs wrt
> >> CUPS, but could one of the policy gurus point what in the policy allows
> >> secadm_r to do this?
> >>
> >
> > You need MLS upgrade and/or downgrade permissions:
> >
> > mls_file_upgrade(secadm_t)
> > mls_file_downgrade(secadm_t)
> >
> >
> No those rules are already there. I think the problem is in
I was specifying what made secadm able to do that, as Matt asked :)
> files_relabel_all_files
>
> I believe it needs this patch
> - allow $1 { file_type $2 }:blk_file { getattr relabelfrom };
> - allow $1 { file_type $2 }:chr_file { getattr relabelfrom };
> + allow $1 { file_type $2 }:blk_file { getattr relabelfrom
> relabelto };
> + allow $1 { file_type $2 }:chr_file { getattr relabelfrom
> relabelto };
I don't agree with this, because there shouldn't be any blk_files and
chr_files that are file_type.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: SELINUX_ERR using chcon to set a printer to Secret
From: Daniel J Walsh @ 2006-09-29 19:13 UTC
To: Christopher J. PeBenito; +Cc: Matt Anderson, selinux
Christopher J. PeBenito wrote:
> On Fri, 2006-09-29 at 13:51 -0400, Daniel J Walsh wrote:
>
>> Christopher J. PeBenito wrote:
>>
>>> On Thu, 2006-09-28 at 15:33 -0400, Matt Anderson wrote:
>>>
>>>
>>>> When I add the policy:
>>>>
>>>> allow secadm_t printer_device_t:chr_file { getattr relabelfrom relabelto };
>>>>
>>>> I'm able to perform the relabel from secadm_r. This meets my needs wrt
>>>> CUPS, but could one of the policy gurus point what in the policy allows
>>>> secadm_r to do this?
>>>>
>>>>
>>> You need MLS upgrade and/or downgrade permissions:
>>>
>>> mls_file_upgrade(secadm_t)
>>> mls_file_downgrade(secadm_t)
>>>
>>>
>>>
>> No those rules are already there. I think the problem is in
>>
>
> I was specifying what made secadm able to do that, as Matt asked :)
>
>
>> files_relabel_all_files
>>
>> I believe it needs this patch
>> - allow $1 { file_type $2 }:blk_file { getattr relabelfrom };
>> - allow $1 { file_type $2 }:chr_file { getattr relabelfrom };
>> + allow $1 { file_type $2 }:blk_file { getattr relabelfrom
>> relabelto };
>> + allow $1 { file_type $2 }:chr_file { getattr relabelfrom
>> relabelto };
>>
>
> I don't agree with this, because there shouldn't be any blk_files and
> chr_files that are file_type.
>
>
Ok, I misread the entire discussion.