* is any use of runcon by arbitrary users valid when enforcing?
@ 2007-10-07 7:01 Jim Meyering
2007-10-07 12:09 ` Daniel J Walsh
2007-10-09 13:17 ` Stephen Smalley
0 siblings, 2 replies; 4+ messages in thread
From: Jim Meyering @ 2007-10-07 7:01 UTC (permalink / raw)
To: selinux
In a simple test of runcon for coreutils test suite, I used the following,
but see that it's failing in an enforcing F8t3 environment:
[from coreutils/tests/misc/runcon]
...
cat <<\EOF > exp || framework_failure
runcon: runcon may be used only on a SELinux kernel
EOF
fail=0
# This test works even on systems without SELinux.
# On such a system it fails with the above diagnostic, which is fine.
# Before the no-reorder change, it would have failed with a diagnostic
# about -j being an invalid option.
runcon -t unconfined_t true -j 2> out && : > exp
compare out exp || fail=1
(exit $fail); exit $fail
Is there any similar use of runcon that can be expected to succeed?
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: is any use of runcon by arbitrary users valid when enforcing? 2007-10-07 7:01 is any use of runcon by arbitrary users valid when enforcing? Jim Meyering @ 2007-10-07 12:09 ` Daniel J Walsh 2007-10-09 13:17 ` Stephen Smalley 1 sibling, 0 replies; 4+ messages in thread From: Daniel J Walsh @ 2007-10-07 12:09 UTC (permalink / raw) To: Jim Meyering; +Cc: selinux -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jim Meyering wrote: > In a simple test of runcon for coreutils test suite, I used the following, > but see that it's failing in an enforcing F8t3 environment: > [from coreutils/tests/misc/runcon] > > ... > cat <<\EOF > exp || framework_failure > runcon: runcon may be used only on a SELinux kernel > EOF > > fail=0 > > # This test works even on systems without SELinux. > # On such a system it fails with the above diagnostic, which is fine. > # Before the no-reorder change, it would have failed with a diagnostic > # about -j being an invalid option. > runcon -t unconfined_t true -j 2> out && : > exp > > compare out exp || fail=1 > > (exit $fail); exit $fail > > Is there any similar use of runcon that can be expected to succeed? > > -- > This message was distributed to subscribers of the selinux mailing list. > If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with > the words "unsubscribe selinux" without quotes as the message. This would only work on a system that allowed the running domain to transition to unconfined_t. If this is an automated test, then it is probably running in initrc_t. So for your test environment I would load a policy module that would allow the transition from initrc_t to unconfined_t or any other transitions that you need. This is what the internel test suites at Red Hat do, to eliminate avc's caused by the test environment. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFHCMyNrlYvE4MpobMRAis2AKCXrQq5c2bi1qUlRezIKKTL5F/vtwCdGaAi 88T9O+oAHVsW0dOnnI1KT0A= =yqe9 -----END PGP SIGNATURE----- -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: is any use of runcon by arbitrary users valid when enforcing? 2007-10-07 7:01 is any use of runcon by arbitrary users valid when enforcing? Jim Meyering 2007-10-07 12:09 ` Daniel J Walsh @ 2007-10-09 13:17 ` Stephen Smalley 2007-10-09 16:01 ` Jim Meyering 1 sibling, 1 reply; 4+ messages in thread From: Stephen Smalley @ 2007-10-09 13:17 UTC (permalink / raw) To: Jim Meyering Cc: selinux, Daniel J Walsh, Christopher J. PeBenito, Karl MacMillan On Sun, 2007-10-07 at 09:01 +0200, Jim Meyering wrote: > In a simple test of runcon for coreutils test suite, I used the following, > but see that it's failing in an enforcing F8t3 environment: > [from coreutils/tests/misc/runcon] > > ... > cat <<\EOF > exp || framework_failure > runcon: runcon may be used only on a SELinux kernel > EOF > > fail=0 > > # This test works even on systems without SELinux. > # On such a system it fails with the above diagnostic, which is fine. > # Before the no-reorder change, it would have failed with a diagnostic > # about -j being an invalid option. > runcon -t unconfined_t true -j 2> out && : > exp > > compare out exp || fail=1 > > (exit $fail); exit $fail > > Is there any similar use of runcon that can be expected to succeed? How does it fail? The runcon in rawhide (coreutils-6.9-6.fc8) appears to work fine when invoked as above aside from needing to specify -- to stop option processing before it reaches the -j. This was while enforcing with selinux-policy-3.0.8-18.fc8. Possibly your system was left in a strange state after an update (I have seen that in rawhide, where a policy update left some processes with invalidated contexts). However, the above test is clearly policy-specific; a policy may or may not define unconfined_t, and a policy may or may not allow users to set their exec context at all. Under strict or mls policy, the above should fail. runcon `id -Z` true would be slightly more general (i.e. run in my own context), but it too could fail since some policies may prohibit users from writing to /proc/self/attr/exec altogether. Possibly you could distinguish based on exit code as to whether the cause was a permission failure? -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: is any use of runcon by arbitrary users valid when enforcing? 2007-10-09 13:17 ` Stephen Smalley @ 2007-10-09 16:01 ` Jim Meyering 0 siblings, 0 replies; 4+ messages in thread From: Jim Meyering @ 2007-10-09 16:01 UTC (permalink / raw) To: Stephen Smalley Cc: selinux, Daniel J Walsh, Christopher J. PeBenito, Karl MacMillan Stephen Smalley <sds@tycho.nsa.gov> wrote: > On Sun, 2007-10-07 at 09:01 +0200, Jim Meyering wrote: >> In a simple test of runcon for coreutils test suite, I used the following, >> but see that it's failing in an enforcing F8t3 environment: >> [from coreutils/tests/misc/runcon] >> >> ... >> cat <<\EOF > exp || framework_failure >> runcon: runcon may be used only on a SELinux kernel >> EOF >> >> fail=0 >> >> # This test works even on systems without SELinux. >> # On such a system it fails with the above diagnostic, which is fine. >> # Before the no-reorder change, it would have failed with a diagnostic >> # about -j being an invalid option. >> runcon -t unconfined_t true -j 2> out && : > exp >> >> compare out exp || fail=1 >> >> (exit $fail); exit $fail >> >> Is there any similar use of runcon that can be expected to succeed? > > How does it fail? The runcon in rawhide (coreutils-6.9-6.fc8) appears I think it failed with one of these: runcon: invalid context: ... Invalid argument runcon: unable to set security context ... > to work fine when invoked as above aside from needing to specify -- to > stop option processing before it reaches the -j. This was while > enforcing with selinux-policy-3.0.8-18.fc8. Possibly your system was > left in a strange state after an update (I have seen that in rawhide, > where a policy update left some processes with invalidated contexts). Ahh... maybe that's it. It _was_ after a rawhide update. Since then, I've updated at least once and rebooted with the new kernel, and I can no longer reproduce it. > However, the above test is clearly policy-specific; a policy may or may > not define unconfined_t, and a policy may or may not allow users to set > their exec context at all. Under strict or mls policy, the above should > fail. > > runcon `id -Z` true would be slightly more general (i.e. run in my own > context), Good idea. I've just done that: http://git.sv.gnu.org/gitweb/?p=coreutils.git;a=commitdiff;h=3e53920470cf34 > but it too could fail since some policies may prohibit users > from writing to /proc/self/attr/exec altogether. > > Possibly you could distinguish based on exit code as to whether the > cause was a permission failure? Is that sort of set-up common? Currently, runcon distinguishes these three types of failure: 1 if `runcon' itself fails 126 if COMMAND is found but cannot be invoked 127 if COMMAND cannot be found the exit status of COMMAND otherwise I'll deal with that if anyone ever reports the problem. >From the amount of SELinux feedback I get for coreutils, I suspect I'm the only one who tests coreutils on SELinux-enabled systems. FWIW, you'll be glad to know I've opted to leave in the controversial SELinux bits we talked about a few months ago, and coreutils-6.10 isn't far off. In case any of you are interested, snapshots are here: http://meyering.net/cu/ http://meyering.net/cu/coreutils-6.9-ss.tar.gz http://meyering.net/cu/coreutils-6.9-ss.tar.gz.sig Or via git: http://git.sv.gnu.org/gitweb/?p=coreutils.git git clone git://git.sv.gnu.org/coreutils -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2009-09-28 16:21 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2007-10-07 7:01 is any use of runcon by arbitrary users valid when enforcing? Jim Meyering 2007-10-07 12:09 ` Daniel J Walsh 2007-10-09 13:17 ` Stephen Smalley 2007-10-09 16:01 ` Jim Meyering
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.