Re: Strange behavior: type boundaries

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Stephen Smalley <sds@tycho.nsa.gov>
To: selinux@tycho.nsa.gov
Subject: Re: Strange behavior: type boundaries
Date: Mon, 22 Jun 2015 14:17:32 -0400	[thread overview]
Message-ID: <5588513C.2050309@tycho.nsa.gov> (raw)
In-Reply-To: <20150622180857.GB10451@localhost.localdomain>

On 06/22/2015 02:08 PM, Dominick Grift wrote:
> On Mon, Jun 22, 2015 at 06:07:20PM +0200, Miroslav Grepl wrote:
> 
>>
>> In Fedora, we have unconfined_service_t domain for unconfined services
>> started by init. So there is init_t @bin_t -> unconfined_service_t and
>> we get op=security_bounded_transition for init_t against
>> unconfined_service_t. But of course it is not going to work with
>>
>> typebounds init_t unconfined_service_t;
>>
>> because there is
>>
>> # <audit-1401> op=security_compute_av reason=bounds
>> scontext=system_u:system_r:unconfined_service_t:s0
>> tcontext=system_u:object_r:bin_t:s0 tclass=file perms=entrypoint
>>
>> So this logic breaks our concept with unconfined_service_t.
>>
> 
> What is running in the unconfined_service_t domain in that event?

Nothing at the point of that message.  The message indicates a bounds
failure, which will then cause the kernel to fall back to the old
context if it was an automatic transition, or fail the exec with -EPERM
if it was explicitly requested via setexeccon().

next prev parent reply	other threads:[~2015-06-22 18:18 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-03-13 18:15 Strange behavior: type boundaries Dominick Grift
2015-03-13 18:26 ` Stephen Smalley
2015-03-13 18:43   ` Dominick Grift
2015-03-13 18:50     ` Stephen Smalley
2015-03-13 19:01       ` Dominick Grift
2015-03-14  7:22       ` Dominick Grift
2015-03-16 12:43         ` Stephen Smalley
2015-03-16 12:51           ` Steve Lawrence
2015-06-22 16:07           ` Miroslav Grepl
2015-06-22 16:28             ` Stephen Smalley
2015-06-22 18:13               ` Dominick Grift
2015-06-22 18:08             ` Dominick Grift
2015-06-22 18:17               ` Stephen Smalley [this message]
2015-06-22 18:29                 ` Dominick Grift
2015-06-22 20:35                 ` Miroslav Grepl

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5588513C.2050309@tycho.nsa.gov \
    --to=sds@tycho.nsa.gov \
    --cc=selinux@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.