From: Daniel J Walsh <dwalsh@redhat.com>
To: SELinux <selinux@tycho.nsa.gov>
Subject: I want to remove DEFAULTUSER handling from get_context_list
Date: Tue, 27 Jul 2010 15:00:02 -0400	[thread overview]
Message-ID: <4C4F2CB2.5050804@redhat.com> (raw)


The problem we are seeing is that people running sshd as unconfined_t are
failing to log users in as unconfined_t.  The reason is that the
get_context_list function is looking for all transitions from
unconfined_t.  Since unconfined_t can execute all domains, the kernel
returns an ERANGE error.  Then get_context_list fails over to DEFAULTUSER
(user_u), which is some ancient code used in RHEL4.  Since we introduced
seusers, this code does not make much sense.  unconfined_u is not
allowed to transition to user_u, so the code fails.  If we remove this
code it will fail over to FAILSAFE_CONTEXT, which I set up as
unconfined_r:unconfined_t

And everything works.



[-- Attachment #2: libselinux-DEFAULTUSER.patch --]

diff --git a/libselinux/src/get_context_list.c b/libselinux/src/get_context_list.c
index a50fca8..37d80f2 100644
--- a/libselinux/src/get_context_list.c
+++ b/libselinux/src/get_context_list.c
@@ -286,7 +286,6 @@ static int get_failsafe_context(const char *user, security_context_t * newcon)
 	if (buf[plen - 1] == '\n')
 		buf[plen - 1] = 0;
 
-      retry:
 	nlen = strlen(user) + 1 + plen + 1;
 	*newcon = malloc(nlen);
 	if (!(*newcon))
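Review bot: Dropping the `retry:` label here is only correct because the single `goto retry` in get_failsafe_context is removed in the next hunk of the same patch; if the two hunks were ever split (for example when backporting), the remainder would not compile, so keep them together. With the label gone, `user` is no longer reassigned inside the function, which matches its `const char *user` parameter.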
@@ -306,10 +305,6 @@ static int get_failsafe_context(const char *user, security_context_t * newcon)
 	if (security_check_context(*newcon) && errno != ENOENT) {
 		free(*newcon);
 		*newcon = 0;
-		if (strcmp(user, SELINUX_DEFAULTUSER)) {
-			user = SELINUX_DEFAULTUSER;
-			goto retry;
-		}
 		return -1;
 	}
 
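Review bot: This is a behaviour change that the cover note only describes indirectly: when the failsafe context built for `user` fails security_check_context, get_failsafe_context now returns -1 immediately instead of retrying once with SELINUX_DEFAULTUSER, so the patch description should state that the failsafe is the final fallback and that a bad FAILSAFE_CONTEXT for the login user now means no context at all. The `errno != ENOENT` clause is unchanged and still lets the context through when no policy is loaded, which is worth a one-line comment since it is the only remaining lenient path. Please also check whether SELINUX_DEFAULTUSER still has any users in libselinux after this; if not, say in the commit message whether the definition is kept deliberately.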
@@ -418,13 +413,8 @@ int get_ordered_context_list(const char *user,
 
 	/* Determine the set of reachable contexts for the user. */
 	rc = security_compute_user(fromcon, user, &reachable);
-	if (rc < 0) {
-		/* Retry with the default SELinux user identity. */
-		user = SELINUX_DEFAULTUSER;
-		rc = security_compute_user(fromcon, user, &reachable);
-		if (rc < 0)
-			goto failsafe;
-	}
+	if (rc < 0)
+		goto failsafe;
 	nreach = 0;
 	for (ptr = reachable; *ptr; ptr++)
 		nreach++;
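Review bot: The new `if (rc < 0) goto failsafe;` sends every security_compute_user failure, including the ERANGE case the cover note describes for unconfined_t, straight to the failsafe context; that is the intended fix, but the removed comment ("Retry with the default SELinux user identity.") should be replaced rather than deleted, for example "/* No reachable list (e.g. ERANGE for unconfined_t): use the failsafe context. */", so a later reader does not assume the failsafe is only for policy lookup errors. Since the failsafe path now hides a result-too-large condition as well as genuine lookup failures, consider logging `errno` before the goto so that a misconfigured FAILSAFE_CONTEXT can be distinguished from an ERANGE fallback at login time.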
