odd behavior of newrole setting level

odd behavior of newrole setting level

[Andy Warner]

[-- Attachment #1: Type: text/plain, Size: 575 bytes --]

Can someone explain why the first newrole (newrole -l s0) from the
commands below fails while the second newrole (newrole -l SystemLow)
succeeds. I am using Fedora 12 fully updated, the mls policy and the
mcstrans label translation service. s0 is mapped to SystemLow.

Thanks,

Andy

$ id -Z
staff_u:staff_r:staff_t:SystemLow-SystemHigh
$ newrole -l s0
staff_u:staff_r:staff_t:s0-SystemHigh is not a valid context
$ newrole -l SystemLow
Password:
$ id -Z
staff_u:staff_r:staff_t:SystemLow-SystemHigh
$ newrole -l s0-s0
Password:
$ id -Z
staff_u:staff_r:staff_t:SystemLow





[-- Attachment #2: Type: text/html, Size: 1014 bytes --]

Re: odd behavior of newrole setting level

[Daniel J Walsh]

On 01/26/2010 10:12 PM, Andy Warner wrote:
> Can someone explain why the first newrole (newrole -l s0) from the
> commands below fails while the second newrole (newrole -l SystemLow)
> succeeds. I am using Fedora 12 fully updated, the mls policy and the
> mcstrans label translation service. s0 is mapped to SystemLow.
> 
> Thanks,
> 
> Andy
> 
> $ id -Z
> staff_u:staff_r:staff_t:SystemLow-SystemHigh
> $ newrole -l s0
> staff_u:staff_r:staff_t:s0-SystemHigh is not a valid context
> $ newrole -l SystemLow
> Password:
> $ id -Z
> staff_u:staff_r:staff_t:SystemLow-SystemHigh
> $ newrole -l s0-s0
> Password:
> $ id -Z
> staff_u:staff_r:staff_t:SystemLow
> 
> 
> 
> 
> 
Looks like a bug in mcstrans.

Translated s0 into s0-SystemHigh I would guess.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: odd behavior of newrole setting level

[Joe Nall]

On Jan 27, 2010, at 8:13 AM, Daniel J Walsh wrote:

> On 01/26/2010 10:12 PM, Andy Warner wrote:
>> Can someone explain why the first newrole (newrole -l s0) from the
>> commands below fails while the second newrole (newrole -l SystemLow)
>> succeeds. I am using Fedora 12 fully updated, the mls policy and the
>> mcstrans label translation service. s0 is mapped to SystemLow.
>> 
>> Thanks,
>> 
>> Andy
>> 
>> $ id -Z
>> staff_u:staff_r:staff_t:SystemLow-SystemHigh
>> $ newrole -l s0
>> staff_u:staff_r:staff_t:s0-SystemHigh is not a valid context
>> $ newrole -l SystemLow
>> Password:
>> $ id -Z
>> staff_u:staff_r:staff_t:SystemLow-SystemHigh
>> $ newrole -l s0-s0
>> Password:
>> $ id -Z
>> staff_u:staff_r:staff_t:SystemLow
>> 
>> 
>> 
>> 
>> 
> Looks like a bug in mcstrans.

I'll take a look. I can duplicate the behavior.

joe



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: odd behavior of newrole setting level

[Stephen Smalley]

On Wed, 2010-01-27 at 10:14 -0600, Joe Nall wrote:
> On Jan 27, 2010, at 8:13 AM, Daniel J Walsh wrote:
> 
> > On 01/26/2010 10:12 PM, Andy Warner wrote:
> >> Can someone explain why the first newrole (newrole -l s0) from the
> >> commands below fails while the second newrole (newrole -l SystemLow)
> >> succeeds. I am using Fedora 12 fully updated, the mls policy and the
> >> mcstrans label translation service. s0 is mapped to SystemLow.
> >> 
> >> Thanks,
> >> 
> >> Andy
> >> 
> >> $ id -Z
> >> staff_u:staff_r:staff_t:SystemLow-SystemHigh
> >> $ newrole -l s0
> >> staff_u:staff_r:staff_t:s0-SystemHigh is not a valid context
> >> $ newrole -l SystemLow
> >> Password:
> >> $ id -Z
> >> staff_u:staff_r:staff_t:SystemLow-SystemHigh
> >> $ newrole -l s0-s0
> >> Password:
> >> $ id -Z
> >> staff_u:staff_r:staff_t:SystemLow
> >> 
> >> 
> >> 
> >> 
> >> 
> > Looks like a bug in mcstrans.
> 
> I'll take a look. I can duplicate the behavior.

Perhaps mcstrans doesn't try any translation of the high level if the
low level is already in raw/kernel form?

What is happening as far as newrole is concerned is this:
- It fetches the caller's context via getprevcon, getting
"SystemLow-SystemHigh" due to mcstrans running,
- It then builds a new range using the user-supplied level ("s0") and
the high level from the caller's range ("SystemHigh"), thus forming
"s0-SystemHigh" as the new range.  This is because newrole only changes
the current/low level by default, leaving the clearance/high level
unchanged.
- It combines that with the rest of the context, and calls
security_check_context() to check validity.

mcstrans should then translate it to s0-s15:c0.c1024 or whatever, but
appears to be yielding the identity function on it instead.

newrole could of course use getprevcon_raw() instead, but then we might
have a reverse mixture, e.g. SystemLow-s15:c0.c1024 in the newrole -l
SystemLow case.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.