* [refpolicy] [PATCH] Add system_r role to unconfined_u and staff_u users
@ 2012-09-22 13:21 Laurent Bigonville
  2012-10-08 21:21 ` Laurent Bigonville
  0 siblings, 1 reply; 5+ messages in thread
From: Laurent Bigonville @ 2012-09-22 13:21 UTC (permalink / raw)
  To: refpolicy

From: Laurent Bigonville <bigon@bigon.be>

This is necessary for at least pulseaudio and libvirtd running in the
user session.
---
 policy/users |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/users b/policy/users
index c4ebc7e..8d13fbc 100644
--- a/policy/users
+++ b/policy/users
@@ -25,11 +25,11 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # permit any access to such users, then remove this entry.
 #
 gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(staff_u, staff, staff_r sysadm_r system_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 
 # Until order dependence is fixed for users:
-gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 
 #
 # The following users correspond to Unix identities.
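Review bot: the two `+gen_user(...)` lines grant system_r to staff_u and unconfined_u unconditionally, whereas the same grant for the root seuser is controlled by the direct_sysadm_daemon build option, so these additions should be wrapped in that option as well rather than always being present. The commit message also only covers the unconfined_u half (pulseaudio and libvirtd started in the user session); it should state the failure being fixed, the transition to unconfined_u:system_r:pulseaudio_t or virtd_t being rejected as an invalid context, and give the reason for extending staff_u too, since that widens what a staff_u login may run as system_r.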
-- 
1.7.10.4


* [refpolicy] [PATCH] Add system_r role to unconfined_u and staff_u users
  2012-09-22 13:21 [refpolicy] [PATCH] Add system_r role to unconfined_u and staff_u users Laurent Bigonville
@ 2012-10-08 21:21 ` Laurent Bigonville
  2012-10-09 14:00   ` Christopher J. PeBenito
  0 siblings, 1 reply; 5+ messages in thread
From: Laurent Bigonville @ 2012-10-08 21:21 UTC (permalink / raw)
  To: refpolicy

On Sat, 22 Sep 2012 15:21:32 +0200,
Laurent Bigonville <bigon@debian.org> wrote:

> From: Laurent Bigonville <bigon@bigon.be>
> 
> This is necessary for at least pulseaudio and libvirtd running in the
> user session.
> ---
>  policy/users |    4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/policy/users b/policy/users
> index c4ebc7e..8d13fbc 100644
> --- a/policy/users
> +++ b/policy/users
> @@ -25,11 +25,11 @@ gen_user(system_u,, system_r, s0, s0 -
> mls_systemhigh, mcs_allcats) # permit any access to such users, then
> remove this entry. #
>  gen_user(user_u, user, user_r, s0, s0)
> -gen_user(staff_u, staff, staff_r sysadm_r
> ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh,
> mcs_allcats) +gen_user(staff_u, staff, staff_r sysadm_r system_r
> ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh,
> mcs_allcats) gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 -
> mls_systemhigh, mcs_allcats) # Until order dependence is fixed for
> users: -gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 -
> mls_systemhigh, mcs_allcats) +gen_user(unconfined_u, unconfined,
> unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) #
>  # The following users correspond to Unix identities.

Any thoughts on that patch?

Cheers

Laurent Bigonville


* [refpolicy] [PATCH] Add system_r role to unconfined_u and staff_u users
  2012-10-08 21:21 ` Laurent Bigonville
@ 2012-10-09 14:00   ` Christopher J. PeBenito
  2012-10-09 18:57     ` Laurent Bigonville
  0 siblings, 1 reply; 5+ messages in thread
From: Christopher J. PeBenito @ 2012-10-09 14:00 UTC (permalink / raw)
  To: refpolicy

On 10/08/12 17:21, Laurent Bigonville wrote:
> On Sat, 22 Sep 2012 15:21:32 +0200,
> Laurent Bigonville <bigon@debian.org> wrote:
> 
>> From: Laurent Bigonville <bigon@bigon.be>
>>
>> This is necessary for at least pulseaudio and libvirtd running in the
>> user session.
>> ---
>>  policy/users |    4 ++--
>>  1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/policy/users b/policy/users
>> index c4ebc7e..8d13fbc 100644
>> --- a/policy/users
>> +++ b/policy/users
>> @@ -25,11 +25,11 @@ gen_user(system_u,, system_r, s0, s0 -
>> mls_systemhigh, mcs_allcats) # permit any access to such users, then
>> remove this entry. #
>>  gen_user(user_u, user, user_r, s0, s0)
>> -gen_user(staff_u, staff, staff_r sysadm_r
>> ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh,
>> mcs_allcats) +gen_user(staff_u, staff, staff_r sysadm_r system_r
>> ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh,
>> mcs_allcats) gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 -
>> mls_systemhigh, mcs_allcats) # Until order dependence is fixed for
>> users: -gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 -
>> mls_systemhigh, mcs_allcats) +gen_user(unconfined_u, unconfined,
>> unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) #
>>  # The following users correspond to Unix identities.
> 
> Any thoughts on that patch?

The patch would need to be updated to be controlled by the direct_sysadm_daemon build option, as it is with the root seuser.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH] Add system_r role to unconfined_u and staff_u users
  2012-10-09 14:00   ` Christopher J. PeBenito
@ 2012-10-09 18:57     ` Laurent Bigonville
  2012-10-09 19:01       ` Sven Vermeulen
  0 siblings, 1 reply; 5+ messages in thread
From: Laurent Bigonville @ 2012-10-09 18:57 UTC (permalink / raw)
  To: refpolicy

On Tue, 9 Oct 2012 10:00:21 -0400,
"Christopher J. PeBenito" <cpebenito@tresys.com> wrote:

> On 10/08/12 17:21, Laurent Bigonville wrote:
> > 
> > Any thoughts on that patch?
> 
> The patch would need to be updated to be controlled by the
> direct_sysadm_daemon build option, as it is with the root seuser.
> 

My initial issue was that when dbus was starting pulseaudio and libvirt,
logged-in using my unconfined user, it was trying to transition the
process to unconfined_u:system_r:{pulseaudio_t,virtd_t} and it was
exploding as the label was invalid.

So if the policy is compiled without direct_sysadm_daemon I guess that
this issue will persist.

Also I've added the system_r role to the staff_u to be consistent (and
because it's also done in the Fedora policy).

Laurent Bigonville

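To show why the transition Laurent describes fails before the patch and succeeds after it, here is an added Python example (not code from the thread or from refpolicy) that parses the gen_user() lines shown in the diff into a user-to-roles map and checks whether a target context's role is authorized for its SELinux user; the policy excerpt and the target contexts are constructed from what the thread reports.

```python
import re

# Constructed excerpt of policy/users as the patch finds it (the gen_user lines
# shown in the diff); the MLS-only roles sit inside an m4 ifdef.
USERS_BEFORE = """
gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
"""
# The same excerpt with the two lines the patch changes (system_r added).
USERS_AFTER = USERS_BEFORE.replace(
    "staff_r sysadm_r ifdef", "staff_r sysadm_r system_r ifdef").replace(
    "unconfined_r,", "unconfined_r system_r,")

IFDEF_RE = re.compile(r"ifdef\(`(\w+)',`([^']*)'\)")

def parse_users(text, enable_mls=False):
    """Map each SELinux user to the set of roles gen_user() authorizes for it."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("gen_user("):
            continue
        # m4 ifdef(`enable_mls',`...') contributes its roles only in an MLS build
        line = IFDEF_RE.sub(
            lambda m: m.group(2) if (m.group(1) == "enable_mls" and enable_mls) else "", line)
        fields = line[len("gen_user("):].rstrip(")").split(",")
        users[fields[0].strip()] = set(fields[2].split())  # fields[1] is the prefix
    return users

def context_valid(users, context):
    """A context user:role:type[:range] is well-formed only if the policy
    authorizes that role for that SELinux user; otherwise the kernel refuses the
    transition as an invalid context, which is the failure the thread reports."""
    seuser, role = context.split(":")[:2]
    return role in users.get(seuser, set())

def check_transitions(text, enable_mls=False):
    """Evaluate the transitions discussed in the thread against a policy/users text."""
    users = parse_users(text, enable_mls)
    return {ctx: context_valid(users, ctx) for ctx in (
        "unconfined_u:system_r:pulseaudio_t:s0",
        "staff_u:system_r:virtd_t:s0",
        "user_u:system_r:virtd_t:s0")}

if __name__ == "__main__":
    for label, text in (("before", USERS_BEFORE), ("after", USERS_AFTER)):
        print(label, check_transitions(text))
```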

* [refpolicy] [PATCH] Add system_r role to unconfined_u and staff_u users
  2012-10-09 18:57     ` Laurent Bigonville
@ 2012-10-09 19:01       ` Sven Vermeulen
  0 siblings, 0 replies; 5+ messages in thread
From: Sven Vermeulen @ 2012-10-09 19:01 UTC (permalink / raw)
  To: refpolicy

On Tue, Oct 9, 2012 at 8:57 PM, Laurent Bigonville <bigon@debian.org> wrote:
> Also I've added the system_r role to the staff_u to be consistent (and
> because it's also done in the Fedora policy).

It also makes sense the moment you use init scripts that are "named"
for a specific service, like nscd_initrc_exec_t. For a user to be able
to use this, he needs to be granted the *_admin() towards his user
domain, but also the system_r role to the SELinux user itself
(otherwise this won't work).

Wkr,
  Sven Vermeulen

