* [refpolicy] unexpected AVC. how to dig deeper?
@ 2013-12-19 15:02 Pierre Ossman
From: Pierre Ossman @ 2013-12-19 15:02 UTC (permalink / raw)
To: refpolicy
Hi,
I'm having problems with this AVC on RHEL6:
type=AVC msg=audit(1387461339.290:123): avc: denied { transition } for pid=2548 comm="tl-session" path="/opt/thinlinc/libexec/tl-xinit" dev=dm-0 ino=789253 scontext=unconfined_u:system_r:thinlinc_session_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
I'm at a loss as to why, though, as I have this in my policy:
userdom_spec_domtrans_all_users(thinlinc_session_t)
I even checked that the temporary file got an appropriate allow rule:
allow thinlinc_session_t userdomain:process transition;
I need some help in debugging this further. What could prevent this
allow line from being respected?
Rgds
--
Pierre Ossman Software Development
Cendio AB http://cendio.com
Teknikringen 8 http://twitter.com/ThinLinc
583 30 Linköping http://facebook.com/ThinLinc
Phone: +46-13-214600 http://plus.google.com/+CendioThinLinc
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
* [refpolicy] unexpected AVC. how to dig deeper?
@ 2013-12-19 16:10 Daniel J Walsh
From: Daniel J Walsh @ 2013-12-19 16:10 UTC (permalink / raw)
To: refpolicy
On 12/19/2013 10:02 AM, Pierre Ossman wrote:
> Hi,
>
> I'm having problems with this AVC on RHEL6:
>
> type=AVC msg=audit(1387461339.290:123): avc: denied { transition } for
> pid=2548 comm="tl-session" path="/opt/thinlinc/libexec/tl-xinit" dev=dm-0
> ino=789253 scontext=unconfined_u:system_r:thinlinc_session_t:s0
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=process
>
> I'm at a loss to why though as I have this in my policy:
>
> userdom_spec_domtrans_all_users(thinlinc_session_t)
>
> I even checked that the temporary file got an appropriate allow rule:
>
> allow thinlinc_session_t userdomain:process transition;
>
> I need some help in debugging this further. What could prevent this allow
> line from being respected?
>
> Rgds

Looks like constraint violations.

You have an unconfined_u:system_r:thinlinc_session_t:s0 transitioning to an
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Which looks like you need to allow the domains to change role from system_r to
unconfined_r and to change range from s0 to s0-s0:c0.c1023

If you ran your avc through audit2why it should tell you that you have a
constraint problem.

Perhaps adding these will solve your problem.

domain_role_change_exemption(thinlinc_session_t)
mls_process_set_level(thinlinc_session_t)
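As an added illustration (not part of the thread, and not from either poster), a POSIX shell helper that applies the reasoning above to an AVC record: it splits scontext and tcontext into user, role, type and range and reports which components change, so a role or range change (a constraint question) stands out from a plain type transition (an allow-rule question). The AVC line is the one from the original message; the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread: classify a process-transition AVC by
# which parts of the security context change.  Function names are made up here.

# AVC record copied from the original message (used here as constructed input).
AVC='type=AVC msg=audit(1387461339.290:123): avc: denied { transition } for pid=2548 comm="tl-session" path="/opt/thinlinc/libexec/tl-xinit" dev=dm-0 ino=789253 scontext=unconfined_u:system_r:thinlinc_session_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process'

# avc_field KEY "LINE": print the value of KEY=VALUE in an AVC record.
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# ctx_part PART CONTEXT: split user:role:type[:range]; the range may itself
# contain colons (s0-s0:c0.c1023), so it is everything from field 4 on.
ctx_part() {
    case $1 in
        user)  printf '%s\n' "$2" | cut -d: -f1 ;;
        role)  printf '%s\n' "$2" | cut -d: -f2 ;;
        type)  printf '%s\n' "$2" | cut -d: -f3 ;;
        range) printf '%s\n' "$2" | cut -d: -f4- ;;
    esac
}

# transition_changes "LINE": list the components that differ between
# scontext and tcontext, e.g. "role type range".
transition_changes() {
    src=$(avc_field scontext "$1")
    tgt=$(avc_field tcontext "$1")
    out=
    for part in user role type range; do
        [ "$(ctx_part $part "$src")" = "$(ctx_part $part "$tgt")" ] || out="$out $part"
    done
    printf '%s\n' "${out# }"
}

# constraint_hints "LINE": a type-only change is what an allow rule covers;
# a role or range change is what the reply above says needs an extra interface.
constraint_hints() {
    for part in $(transition_changes "$1"); do
        case $part in
            type)  echo "type: covered by an allow ...:process transition rule" ;;
            role)  echo "role: constraint; see domain_role_change_exemption()" ;;
            range) echo "range: constraint; see mls_process_set_level()" ;;
            user)  echo "user: assumed to be constrained too; confirm with audit2why" ;;
        esac
    done
}

constraint_hints "$AVC"
```

Run it on any denied transition line pulled from /var/log/audit/audit.log; it only narrows the question, audit2why still gives the authoritative answer about which constraint fired.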
* [refpolicy] unexpected AVC. how to dig deeper?
@ 2013-12-19 20:17 Pierre Ossman
From: Pierre Ossman @ 2013-12-19 20:17 UTC (permalink / raw)
To: refpolicy
On Thu, 19 Dec 2013 11:10:21 -0500
Daniel J Walsh <dwalsh@redhat.com> wrote:

> Looks like constraint violations.
>
> You have an unconfined_u:system_r:thinlinc_session_t:s0 transitioning to an
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>
> Which looks like you need to allow the domains to change role from system_r to
> unconfined_r and to change range from s0 to s0-s0:c0.c1023

So normally type changes are generally allowed, but user and role changes are
more protected in order to better track the user across processes?

> If you ran your avc through audit2why it should tell you that you have a
> constraint problem.

I see. I've grown a bit too accustomed to the fact that audit2why will give me
very low level suggestions without any clue as to what the refpolicy interface
might be. So I stopped using it when trying to write policy files.

> Perhaps adding these will solve your problem.
> domain_role_change_exemption(thinlinc_session_t)
> mls_process_set_level(thinlinc_session_t)

It seems they were already there, since I was using:

auth_login_pgm_domain(thinlinc_session_t)

I ran into these problems when I started trying to move away from abusing
initrc_t.

The current policy for this process is this:

type thinlinc_session_exec_t;
corecmd_executable_file(thinlinc_session_exec_t)

type thinlinc_session_t;
domain_type(thinlinc_session_t)
domain_entry_file(thinlinc_session_t, thinlinc_session_exec_t)
auth_login_pgm_domain(thinlinc_session_t)

domtrans_pattern(thinlinc_agent_t, thinlinc_session_exec_t, thinlinc_session_t)

auth_write_login_records(thinlinc_session_t)

userdom_spec_domtrans_all_users(thinlinc_session_t)
userdom_signal_all_users(thinlinc_session_t)

allow thinlinc_session_t self:capability { kill chown dac_override fowner setgid setuid };
allow thinlinc_session_t self:process { getcap setsched setexec };
allow thinlinc_session_t self:fifo_file rw_fifo_file_perms;

miscfiles_read_localization(thinlinc_session_t)
kernel_read_kernel_sysctls(thinlinc_session_t)
logging_append_all_logs(thinlinc_session_t)

filetrans_pattern(thinlinc_session_t, thinlinc_session_root_t, thinlinc_user_dir_t, dir)
manage_dirs_pattern(thinlinc_session_t, thinlinc_session_root_t, thinlinc_user_dir_t)
filetrans_pattern(thinlinc_session_t, thinlinc_user_dir_t, thinlinc_user_t, dir)
manage_dirs_pattern(thinlinc_session_t, thinlinc_user_dir_t, thinlinc_user_t)
manage_lnk_files_pattern(thinlinc_session_t, thinlinc_user_dir_t, thinlinc_user_dir_t)

ifdef(`enable_mcs',`
	range_transition thinlinc_agent_t thinlinc_session_t:process s0 - mcs_systemhigh;
')

ifdef(`enable_mls',`
	range_transition thinlinc_agent_t thinlinc_session_t:process s0 - mls_systemhigh;
')

Thank you for your help