From: Steve Lawrence <slawrence@tresys.com>
To: Sven Vermeulen <sven.vermeulen@siphos.be>,
	SELinux <selinux@tycho.nsa.gov>
Subject: Re: SELinux Userspace Release: 20140826-rc6
Date: Tue, 2 Dec 2014 10:03:49 -0500
Message-ID: <547DD4D5.4020209@tresys.com>
In-Reply-To: <CAPzO=NzR1kCWTE1fzNo7cFj8v=mEk1K81hFv1bQZLW2piUq7uQ@mail.gmail.com>

On 11/27/2014 03:14 PM, Sven Vermeulen wrote:
> On Thu, Nov 27, 2014 at 6:38 PM, Dominick Grift <dac.override@gmail.com> wrote:
>> On Thu, Nov 27, 2014 at 01:23:13PM +0100, Sven Vermeulen wrote:
>>>
>>> So in this case, object_r is assigned (during migration) to system_u,
>>> unconfined_u and user_u, but not to root, staff_u, sysadm_u and
>>> testrole_u.
>>>
>>> Those roles still work though. Is showing object_r in the "SELinux
>>> Roles" part cosmetic perhaps?
>>>
>>
>> Strange ... as far as i know object_r needs to be associated with everyone
>>
>> Is your output of seinfo -xu consistent with that of semanage user (as far as roles associated with identities is concerned)?
> 
> It is not. seinfo -xu shows object_r to be associated with *all* roles
> (as you suggested) whereas the "semanage user -l" output shows it
> missing with a few of them.
> 
> This is the only inconsistency though - the rest of the output does match.
> 

First of all, sorry about the delayed response.

I agree that this inconsistency is a problem. It looks like the problem
is in CIL. Dominick is right in that object_r is implicitly associated
with all roles, but CIL sets a bit to make the user/object_r
association, even though it is unnecessary. This appears to have caused
the behavior change in some of the tools. We just need to special case
object_r to not make the association and rely on the implied association
existing. This has been fixed in CIL [1] and will be part of the next
release candidate.

- Steve

[1]
https://github.com/SELinuxProject/cil/commit/08520e91db86bdbb8ce393afa35c1465bdc7f63b
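The check Dominick asked for above, comparing the roles each SELinux user carries in `seinfo -xu` against `semanage user -l`, as an added example that is not part of this thread. The two sample outputs are constructed, and both column and indentation layouts (setools 3 style) are assumptions; on a real system the functions would be fed the captured output of the two commands.

```python
# Constructed sample in the style of `semanage user -l` (column layout assumed)
SEMANAGE_OUTPUT = """\
SELinux User    Prefix     MCS Level  MCS Range        SELinux Roles

root            sysadm     s0         s0-s0:c0.c1023   sysadm_r system_r
system_u        user       s0         s0-s0:c0.c1023   object_r system_r unconfined_r
"""

# Constructed sample in the style of `seinfo -xu` (indentation-based layout assumed)
SEINFO_OUTPUT = """\
   root
      roles:
         object_r
         sysadm_r
         system_r
   system_u
      roles:
         object_r
         system_r
         unconfined_r
"""

def parse_semanage(text):
    """Map each SELinux user to the set of roles listed by semanage user -l."""
    users = {}
    for line in text.splitlines():
        tokens = line.split()
        # Skip the header and blank lines; data rows start with the user name
        if len(tokens) < 2 or tokens[0] == "SELinux":
            continue
        users[tokens[0]] = {t for t in tokens[1:] if t.endswith("_r")}
    return users

def parse_seinfo(text):
    """Map each SELinux user to the set of roles listed by seinfo -xu."""
    users, current = {}, None
    for line in text.splitlines():
        indent, name = len(line) - len(line.lstrip()), line.strip()
        if indent == 3:                # a user name starts a new block
            current, users[name] = name, set()
        elif indent == 9 and current:  # role names sit under "roles:"
            users[current].add(name)
    return users

def compare_roles(semanage, seinfo):
    """Users whose semanage role list lacks roles that seinfo reports (e.g. object_r)."""
    return {u: seinfo[u] - semanage[u] for u in sorted(set(semanage) & set(seinfo))
            if seinfo[u] - semanage[u]}
```

With the constructed data, `compare_roles` reports only `root`, whose semanage entry lacks `object_r`, mirroring the inconsistency Sven observed.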
