From: Miroslav Grepl <mgrepl@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>, selinux@tycho.nsa.gov
Subject: Re: Strange behavior: type boundaries
Date: Mon, 22 Jun 2015 22:35:48 +0200 [thread overview]
Message-ID: <558871A4.60107@redhat.com> (raw)
In-Reply-To: <5588513C.2050309@tycho.nsa.gov>
On 06/22/2015 08:17 PM, Stephen Smalley wrote:
> On 06/22/2015 02:08 PM, Dominick Grift wrote:
>> On Mon, Jun 22, 2015 at 06:07:20PM +0200, Miroslav Grepl wrote:
>>
>>>
>>> In Fedora, we have unconfined_service_t domain for unconfined services
>>> started by init. So there is init_t @bin_t -> unconfined_service_t and
>>> we get op=security_bounded_transition for init_t against
>>> unconfined_service_t. But of course it is not going to work with
>>>
>>> typebounds init_t unconfined_service_t;
>>>
>>> because there is
>>>
>>> # <audit-1401> op=security_compute_av reason=bounds
>>> scontext=system_u:system_r:unconfined_service_t:s0
>>> tcontext=system_u:object_r:bin_t:s0 tclass=file perms=entrypoint
>>>
>>> So this logic breaks our concept with unconfined_service_t.
>>>
>>
>> What is running in the unconfined_service_t domain in that event?
>
> Nothing at the point of that message. The message indicates a bounds
> failure, which will then cause the kernel to fall back to the old
> context if it was an automatic transition, or fail the exec with -EPERM
> if it was explicitly requested via setexeccon().
>
Please, forget about it. It works as expected. Sorry for the noise.
>
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
>
--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
prev parent reply other threads:[~2015-06-22 20:35 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-03-13 18:15 Strange behavior: type boundaries Dominick Grift
2015-03-13 18:26 ` Stephen Smalley
2015-03-13 18:43 ` Dominick Grift
2015-03-13 18:50 ` Stephen Smalley
2015-03-13 19:01 ` Dominick Grift
2015-03-14 7:22 ` Dominick Grift
2015-03-16 12:43 ` Stephen Smalley
2015-03-16 12:51 ` Steve Lawrence
2015-06-22 16:07 ` Miroslav Grepl
2015-06-22 16:28 ` Stephen Smalley
2015-06-22 18:13 ` Dominick Grift
2015-06-22 18:08 ` Dominick Grift
2015-06-22 18:17 ` Stephen Smalley
2015-06-22 18:29 ` Dominick Grift
2015-06-22 20:35 ` Miroslav Grepl [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=558871A4.60107@redhat.com \
--to=mgrepl@redhat.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.