* I want to remove DEFAULTUSER handling from get_context_list
@ 2010-07-27 19:00 Daniel J Walsh
  0 siblings, 0 replies; only message in thread
From: Daniel J Walsh @ 2010-07-27 19:00 UTC (permalink / raw)
  To: SELinux

The problem we are seeing is that people running sshd as unconfined_t are
failing to log users in as unconfined_t.  The reason is that the
get_context_list function is looking for all transitions from
unconfined_t.  Since unconfined_t can execute all domains, the kernel
returns an ERANGE error.  Then get_context_list fails over to DEFAULTUSER
(user_u), which is some ancient code used in RHEL4.  Since we introduced
seusers, this code does not make much sense.  unconfined_u is not
allowed to transition to user_u, so the code fails.  If we remove this
code it will fail over to FAILSAFE_CONTEXT, which I set up as
unconfined_r:unconfined_t.

And everything works.


[-- Attachment #2: libselinux-DEFAULTUSER.patch --]
[-- Type: text/plain, Size: 1235 bytes --]

diff --git a/libselinux/src/get_context_list.c b/libselinux/src/get_context_list.c
index a50fca8..37d80f2 100644
--- a/libselinux/src/get_context_list.c
+++ b/libselinux/src/get_context_list.c
@@ -286,7 +286,6 @@ static int get_failsafe_context(const char *user, security_context_t * newcon)
 	if (buf[plen - 1] == '\n')
 		buf[plen - 1] = 0;
 
-      retry:
 	nlen = strlen(user) + 1 + plen + 1;
 	*newcon = malloc(nlen);
 	if (!(*newcon))
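Review bot: dropping the `retry:` label is only safe together with the removal of the `goto retry` in the next hunk; if any other `goto retry` remains elsewhere in get_failsafe_context(), which this hunk does not show, the file no longer compiles, so please confirm the label had that single user. Minor: the removed line was space-indented in a tab-indented function, so the removal also cleans up the indentation.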
@@ -306,10 +305,6 @@ static int get_failsafe_context(const char *user, security_context_t * newcon)
 	if (security_check_context(*newcon) && errno != ENOENT) {
 		free(*newcon);
 		*newcon = 0;
-		if (strcmp(user, SELINUX_DEFAULTUSER)) {
-			user = SELINUX_DEFAULTUSER;
-			goto retry;
-		}
 		return -1;
 	}
 
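Review bot: with the DEFAULTUSER retry gone, a failsafe context that fails security_check_context() now makes get_failsafe_context() return -1 immediately, so the caller is left with no context at all; the contents of the failsafe_context file (the `buf` appended after `user` above) therefore become the last line of defence and must name a role:type pair that is valid for every SELinux user who can log in, as the message notes for unconfined_r:unconfined_t. That behaviour change deserves a sentence in the commit message and in the get_ordered_context_list() man page. Unrelated to this patch but visible here: the `&& errno != ENOENT` clause still returns an unvalidated context when the check itself could not be performed.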
@@ -418,13 +413,8 @@ int get_ordered_context_list(const char *user,
 
 	/* Determine the set of reachable contexts for the user. */
 	rc = security_compute_user(fromcon, user, &reachable);
-	if (rc < 0) {
-		/* Retry with the default SELinux user identity. */
-		user = SELINUX_DEFAULTUSER;
-		rc = security_compute_user(fromcon, user, &reachable);
-		if (rc < 0)
-			goto failsafe;
-	}
+	if (rc < 0)
+		goto failsafe;
 	nreach = 0;
 	for (ptr = reachable; *ptr; ptr++)
 		nreach++;
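Review bot: the removed retry is the actual cause of the failure the message describes, and the commit message should say so: after `user = SELINUX_DEFAULTUSER;` the `goto failsafe` ran with `user` rebound to user_u, so the failsafe context was assembled for user_u rather than for the user who logged in, which is why an unconfined_u login never got unconfined_r:unconfined_t. The new `goto failsafe` keeps the caller's `user`, which fixes that. Two follow-ups: ERANGE from security_compute_user() (reachable set too large, the sshd-as-unconfined_t case) and a genuinely unknown SELinux user now take the same path into the failsafe, so if the distinction matters consider checking errno before `goto failsafe`; and if no references to SELINUX_DEFAULTUSER remain once this patch is applied, its definition can be removed as well.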

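A model of the lookup order this patch changes, added here as an illustration; it is not code from libselinux or from the patch author. A constructed stand-in for security_compute_user() returns ERANGE for unconfined_t, a constructed role table stands in for security_check_context(), and the failsafe_context file contents are embedded inline as unconfined_r:unconfined_t. The names compute_user, check_context, get_failsafe, resolve_login_context, resolves_to, compute_table and role_table are the example's own. Running the pre-patch path (with_retry set) shows why the failsafe never helped: the retry rebinds the user to user_u before the failsafe, so the context is built as user_u:unconfined_r:unconfined_t and rejected; the post-patch path resolves the same login to unconfined_u:unconfined_r:unconfined_t.

```c
/* Model of the lookup order in libselinux get_ordered_context_list() before and
 * after the DEFAULTUSER retry was removed.  Added illustration, not libselinux
 * code: compute_table, role_table and failsafe_file are constructed stand-ins
 * for the kernel policy and the failsafe_context file. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define SELINUX_DEFAULTUSER "user_u"

/* Stand-in for security_compute_user(): (source type, SELinux user) gives the
 * number of reachable contexts, or the errno the kernel call fails with. */
struct compute_rule { const char *fromtype; const char *user; int nreach; int err; };
static const struct compute_rule compute_table[] = {
    { "unconfined_t", "unconfined_u", 0, ERANGE }, /* reachable set too large */
    { "unconfined_t", "user_u",       0, EINVAL }, /* unconfined_u may not reach user_u */
    { "sshd_t",       "staff_u",      2, 0      }, /* ordinary confined login */
};
/* Stand-in for security_check_context(): the roles each SELinux user may take. */
struct role_rule { const char *user; const char *role; };
static const struct role_rule role_table[] = {
    { "unconfined_u", "unconfined_r" }, { "staff_u", "staff_r" }, { "user_u", "user_r" },
};
static const char failsafe_file[] = "unconfined_r:unconfined_t\n"; /* constructed file contents */

static int compute_user(const char *fromtype, const char *user)
{
    for (size_t i = 0; i < sizeof compute_table / sizeof compute_table[0]; i++) {
        const struct compute_rule *r = &compute_table[i];
        if (strcmp(r->fromtype, fromtype) || strcmp(r->user, user))
            continue;
        if (r->err) { errno = r->err; return -1; }
        return r->nreach;
    }
    errno = EINVAL;
    return -1;
}

/* 0 if "user:role:type" is valid under role_table, -1 otherwise. */
static int check_context(const char *ctx)
{
    char user[64], role[64];
    if (sscanf(ctx, "%63[^:]:%63[^:]:", user, role) != 2)
        return -1;
    for (size_t i = 0; i < sizeof role_table / sizeof role_table[0]; i++)
        if (!strcmp(role_table[i].user, user) && !strcmp(role_table[i].role, role))
            return 0;
    return -1;
}

/* Mirrors get_failsafe_context(): "user:" + file contents (newline stripped),
 * validated; with_retry reproduces the pre-patch retry as SELINUX_DEFAULTUSER. */
static int get_failsafe(const char *user, int with_retry, char *out, size_t outlen)
{
    char buf[64];
    snprintf(buf, sizeof buf, "%s", failsafe_file);
    size_t plen = strlen(buf);
    if (plen && buf[plen - 1] == '\n')
        buf[plen - 1] = 0;
retry:
    snprintf(out, outlen, "%s:%s", user, buf);
    if (check_context(out) != 0) {
        out[0] = 0;
        if (with_retry && strcmp(user, SELINUX_DEFAULTUSER) != 0) {
            user = SELINUX_DEFAULTUSER;
            goto retry;
        }
        return -1;
    }
    return 0;
}

/* Mirrors get_ordered_context_list(): reachable set first, failsafe second.
 * On success writes "reachable:<n>" or the failsafe context into out. */
int resolve_login_context(const char *fromtype, const char *user, int with_retry, char *out, size_t outlen)
{
    int rc = compute_user(fromtype, user);
    if (rc < 0 && with_retry) {
        /* Pre-patch path: this rebinds `user`, so the failsafe below is built for user_u. */
        user = SELINUX_DEFAULTUSER;
        rc = compute_user(fromtype, user);
    }
    if (rc >= 0) {
        snprintf(out, outlen, "reachable:%d", rc);
        return 0;
    }
    return get_failsafe(user, with_retry, out, outlen);
}

/* 1 if the login resolves to `expected`, 0 if to something else, -1 if it fails. */
int resolves_to(const char *fromtype, const char *user, int with_retry, const char *expected)
{
    char ctx[128];
    if (resolve_login_context(fromtype, user, with_retry, ctx, sizeof ctx) < 0)
        return -1;
    return strcmp(ctx, expected) == 0;
}
```

Call resolve_login_context("unconfined_t", "unconfined_u", 1, ...) to walk the pre-patch path: it returns -1, the login failure from the message. The same call with with_retry 0 returns 0 and the context unconfined_u:unconfined_r:unconfined_t, while a confined login such as sshd_t/staff_u resolves through the reachable set in both modes and never touches the failsafe.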
