From: Miroslav Grepl <mgrepl@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>,
SELinux <selinux@tycho.nsa.gov>, Paul Moore <paul@paul-moore.com>
Subject: Re: get_default_context() hit the SIMPLE_TRANSACTION_LIMIT
Date: Fri, 13 Nov 2015 11:20:25 +0100 [thread overview]
Message-ID: <5645B969.9030905@redhat.com> (raw)
In-Reply-To: <5640ABE9.2060208@tycho.nsa.gov>
On 11/09/2015 03:21 PM, Stephen Smalley wrote:
> On 11/09/2015 08:43 AM, Miroslav Grepl wrote:
>> We are trying to get pam_selinux + systemd-user working on Fedora
>> Rawhide to avoid systemd-user running with init_t. The problem is with
>> init_t domain which is unconfined domain by default on Fedora.
>>
>>
>> echo -n system_u:system_r:init_t:s0 unconfined_u > /sys/fs/selinux/user
>> sh: echo: write error: Numerical result out of range
>>
>>
>> causes failsafe_context is used for SELinux user context as a result of
>> pam_selinux. With disabled unconfined.pp module it works as expected.
>>
>> The problem is also described here
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1274345
>
> In the past, I have suggested not using security_compute_user() anymore
> and taking a simplified version of this logic entirely to userspace,
> http://marc.info/?t=133054875600001&r=1&w=2
>
> Obviously we could increase the kernel limit, but think about what the
> get_ordered_context_list() code is doing: it is asking the kernel to
> compute the complete set of reachable contexts (which is this case is
> huge because you are going from an unconfined domain to a user
> authorized for the unconfined role) and then throwing away the vast
> majority of the returned contexts because they don't match anything in
> /etc/selinux/targeted/contexts/default_contexts or
> /etc/selinux/targeted/contexts/users/<seuser> and then ultimately only
> using the first (highest priority) context from the ordered list. So
> the kernel computation is mostly wasted. Better to just cut it out
> entirely.
You are correct. So we could skip security_compute_user() context at
all, pick it up from context files and check if a final user context is
valid.
--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
prev parent reply other threads:[~2015-11-13 10:20 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-11-09 13:43 get_default_context() hit the SIMPLE_TRANSACTION_LIMIT Miroslav Grepl
2015-11-09 14:21 ` Stephen Smalley
2015-11-13 10:20 ` Miroslav Grepl [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5645B969.9030905@redhat.com \
--to=mgrepl@redhat.com \
--cc=paul@paul-moore.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.