Subject: odd behavior of newrole setting level
From: Andy Warner @ 2010-01-27 3:12 UTC
To: selinux

Can someone explain why the first newrole (newrole -l s0) from the commands below fails while the second newrole (newrole -l SystemLow) succeeds? I am using Fedora 12 fully updated, the mls policy and the mcstrans label translation service. s0 is mapped to SystemLow.

Thanks,

Andy

$ id -Z
staff_u:staff_r:staff_t:SystemLow-SystemHigh
$ newrole -l s0
staff_u:staff_r:staff_t:s0-SystemHigh is not a valid context
$ newrole -l SystemLow
Password:
$ id -Z
staff_u:staff_r:staff_t:SystemLow-SystemHigh
$ newrole -l s0-s0
Password:
$ id -Z
staff_u:staff_r:staff_t:SystemLow
Subject: Re: odd behavior of newrole setting level
From: Daniel J Walsh @ 2010-01-27 14:13 UTC
To: Andy Warner; +Cc: selinux

On 01/26/2010 10:12 PM, Andy Warner wrote:
> Can someone explain why the first newrole (newrole -l s0) from the
> commands below fails while the second newrole (newrole -l SystemLow)
> succeeds. I am using Fedora 12 fully updated, the mls policy and the
> mcstrans label translation service. s0 is mapped to SystemLow.
>
> Thanks,
>
> Andy
>
> $ id -Z
> staff_u:staff_r:staff_t:SystemLow-SystemHigh
> $ newrole -l s0
> staff_u:staff_r:staff_t:s0-SystemHigh is not a valid context
> $ newrole -l SystemLow
> Password:
> $ id -Z
> staff_u:staff_r:staff_t:SystemLow-SystemHigh
> $ newrole -l s0-s0
> Password:
> $ id -Z
> staff_u:staff_r:staff_t:SystemLow

Looks like a bug in mcstrans. Translated s0 into s0-SystemHigh, I would guess.

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
Subject: Re: odd behavior of newrole setting level
From: Joe Nall @ 2010-01-27 16:14 UTC
To: Daniel J Walsh; +Cc: Andy Warner, selinux

On Jan 27, 2010, at 8:13 AM, Daniel J Walsh wrote:
> On 01/26/2010 10:12 PM, Andy Warner wrote:
>> Can someone explain why the first newrole (newrole -l s0) from the
>> commands below fails while the second newrole (newrole -l SystemLow)
>> succeeds. I am using Fedora 12 fully updated, the mls policy and the
>> mcstrans label translation service. s0 is mapped to SystemLow.
>>
>> Thanks,
>>
>> Andy
>>
>> $ id -Z
>> staff_u:staff_r:staff_t:SystemLow-SystemHigh
>> $ newrole -l s0
>> staff_u:staff_r:staff_t:s0-SystemHigh is not a valid context
>> $ newrole -l SystemLow
>> Password:
>> $ id -Z
>> staff_u:staff_r:staff_t:SystemLow-SystemHigh
>> $ newrole -l s0-s0
>> Password:
>> $ id -Z
>> staff_u:staff_r:staff_t:SystemLow
>
> Looks like a bug in mcstrans.

I'll take a look. I can duplicate the behavior.

joe
Subject: Re: odd behavior of newrole setting level
From: Stephen Smalley @ 2010-01-27 20:36 UTC
To: Joe Nall; +Cc: Daniel J Walsh, Andy Warner, selinux

On Wed, 2010-01-27 at 10:14 -0600, Joe Nall wrote:
> On Jan 27, 2010, at 8:13 AM, Daniel J Walsh wrote:
> > On 01/26/2010 10:12 PM, Andy Warner wrote:
> >> Can someone explain why the first newrole (newrole -l s0) from the
> >> commands below fails while the second newrole (newrole -l SystemLow)
> >> succeeds. I am using Fedora 12 fully updated, the mls policy and the
> >> mcstrans label translation service. s0 is mapped to SystemLow.
> >>
> >> Thanks,
> >>
> >> Andy
> >>
> >> $ id -Z
> >> staff_u:staff_r:staff_t:SystemLow-SystemHigh
> >> $ newrole -l s0
> >> staff_u:staff_r:staff_t:s0-SystemHigh is not a valid context
> >> $ newrole -l SystemLow
> >> Password:
> >> $ id -Z
> >> staff_u:staff_r:staff_t:SystemLow-SystemHigh
> >> $ newrole -l s0-s0
> >> Password:
> >> $ id -Z
> >> staff_u:staff_r:staff_t:SystemLow
> >
> > Looks like a bug in mcstrans.
>
> I'll take a look. I can duplicate the behavior.

Perhaps mcstrans doesn't try any translation of the high level if the low level is already in raw/kernel form?

What is happening as far as newrole is concerned is this:

- It fetches the caller's context via getprevcon, getting "SystemLow-SystemHigh" due to mcstrans running.
- It then builds a new range using the user-supplied level ("s0") and the high level from the caller's range ("SystemHigh"), thus forming "s0-SystemHigh" as the new range. This is because newrole only changes the current/low level by default, leaving the clearance/high level unchanged.
- It combines that with the rest of the context, and calls security_check_context() to check validity.

mcstrans should then translate it to s0-s15:c0.c1024 or whatever, but appears to be yielding the identity function on it instead.

newrole could of course use getprevcon_raw() instead, but then we might have a reverse mixture, e.g. SystemLow-s15:c0.c1024 in the newrole -l SystemLow case.

--
Stephen Smalley
National Security Agency
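The range-building logic Stephen describes, modelled in Python as an added illustration (this is not code from newrole, libselinux or mcstrans). It parses a context, replaces only the low level the way newrole does by default, and flags a range whose two ends are in different forms (raw versus translated) before such a context would reach security_check_context(). The translation table is a constructed two-entry stand-in for a setrans.conf mapping, and the s15:c0.c1024 value for SystemHigh is taken from Stephen's "or whatever" guess, not from any real configuration. The "s0-s0" case from Andy's transcript is included to show that an explicit low-high argument bypasses the mixing.

```python
"""Model of how newrole assembles a new MLS range, and a check for mixed
raw/translated ranges. Added illustration, not newrole's own code."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed stand-in for the mcstrans (setrans.conf) mapping. Real
# mappings are site-specific; these two entries only mirror the names
# used in the thread, and the SystemHigh raw form is assumed.
TRANSLATIONS: Dict[str, str] = {
    "s0": "SystemLow",
    "s15:c0.c1024": "SystemHigh",
}
RAW_FORMS: Dict[str, str] = {v: k for k, v in TRANSLATIONS.items()}


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    typ: str
    low: str
    high: Optional[str]

    @classmethod
    def parse(cls, text: str) -> "Context":
        # The MLS field may itself contain ':' (e.g. s15:c0.c1024), so only
        # the first three separators delimit user, role and type.
        user, role, typ, mls = text.split(":", 3)
        low, _, high = mls.partition("-")
        return cls(user, role, typ, low, high or None)

    def __str__(self) -> str:
        rng = self.low if self.high is None else f"{self.low}-{self.high}"
        return f"{self.user}:{self.role}:{self.typ}:{rng}"


def level_form(level: str) -> str:
    """Classify a level as 'raw' (kernel form), 'translated', or 'unknown'."""
    if level in TRANSLATIONS:
        return "raw"
    if level in RAW_FORMS:
        return "translated"
    return "unknown"


def newrole_build_range(caller_context: str, new_level: str) -> Context:
    """Replicate newrole's default behaviour as Stephen describes it:
    replace the low (current) level with the user-supplied one and keep
    the caller's high (clearance) level, unless the user gave an
    explicit low-high range."""
    caller = Context.parse(caller_context)
    low, _, high = new_level.partition("-")
    if not high:
        high = caller.high
    return Context(caller.user, caller.role, caller.typ, low, high or None)


def is_mixed_range(ctx: Context) -> bool:
    """True when the low and high levels are in different forms, which is
    the 's0-SystemHigh' condition that the thread's failing case hits."""
    if ctx.high is None:
        return False
    forms = {level_form(ctx.low), level_form(ctx.high)}
    return "raw" in forms and "translated" in forms


def to_raw(ctx: Context) -> Context:
    """Normalise both ends of the range to kernel form independently, the
    way a translation step that handled each level on its own would."""
    low = RAW_FORMS.get(ctx.low, ctx.low)
    high = RAW_FORMS.get(ctx.high, ctx.high) if ctx.high else None
    return Context(ctx.user, ctx.role, ctx.typ, low, high)


def reproduce_thread() -> Dict[str, Tuple[str, bool, str]]:
    """Run the three newrole -l arguments from Andy's transcript against
    his starting context and report (built range, mixed?, raw form)."""
    caller = "staff_u:staff_r:staff_t:SystemLow-SystemHigh"  # from the thread
    results = {}
    for requested in ("s0", "SystemLow", "s0-s0"):
        ctx = newrole_build_range(caller, requested)
        results[requested] = (str(ctx), is_mixed_range(ctx), str(to_raw(ctx)))
    return results


if __name__ == "__main__":
    for arg, (built, mixed, raw) in reproduce_thread().items():
        print(f"newrole -l {arg:<10} -> {built}  mixed={mixed}  raw={raw}")
```

Running the block prints the three cases: only "s0" yields a mixed range (s0-SystemHigh), which is the context Andy saw rejected; translating each level independently would have mapped it to s0-s15:c0.c1024 under the constructed table. The is_mixed_range check is the kind of pre-validation a caller could apply before handing a range to the translation service, and the "s0-s0" case shows why Andy's third command succeeded.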