* get_default_context() hit the SIMPLE_TRANSACTION_LIMIT
@ 2015-11-09 13:43 Miroslav Grepl
  2015-11-09 14:21 ` Stephen Smalley
  0 siblings, 1 reply; 3+ messages in thread
From: Miroslav Grepl @ 2015-11-09 13:43 UTC (permalink / raw)
  To: SELinux

We are trying to get pam_selinux + systemd-user working on Fedora
Rawhide to avoid systemd-user running with init_t. The problem is with
the init_t domain, which is an unconfined domain by default on Fedora.


echo -n system_u:system_r:init_t:s0 unconfined_u > /sys/fs/selinux/user
sh: echo: write error: Numerical result out of range


causes failsafe_context to be used for the SELinux user context as a result of
pam_selinux. With the unconfined.pp module disabled, it works as expected.

The problem is also described here

https://bugzilla.redhat.com/show_bug.cgi?id=1274345


-- 
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.


* Re: get_default_context() hit the SIMPLE_TRANSACTION_LIMIT
  2015-11-09 13:43 get_default_context() hit the SIMPLE_TRANSACTION_LIMIT Miroslav Grepl
@ 2015-11-09 14:21 ` Stephen Smalley
  2015-11-13 10:20   ` Miroslav Grepl
  0 siblings, 1 reply; 3+ messages in thread
From: Stephen Smalley @ 2015-11-09 14:21 UTC (permalink / raw)
  To: Miroslav Grepl, SELinux, Paul Moore

On 11/09/2015 08:43 AM, Miroslav Grepl wrote:
> We are trying to get pam_selinux + systemd-user working on Fedora
> Rawhide to avoid systemd-user running with init_t. The problem is with
> the init_t domain, which is an unconfined domain by default on Fedora.
>
>
> echo -n system_u:system_r:init_t:s0 unconfined_u > /sys/fs/selinux/user
> sh: echo: write error: Numerical result out of range
>
>
> causes failsafe_context to be used for the SELinux user context as a result of
> pam_selinux. With the unconfined.pp module disabled, it works as expected.
>
> The problem is also described here
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1274345

In the past, I have suggested not using security_compute_user() anymore 
and taking a simplified version of this logic entirely to userspace,
http://marc.info/?t=133054875600001&r=1&w=2

Obviously we could increase the kernel limit, but think about what the 
get_ordered_context_list() code is doing:  it is asking the kernel to 
compute the complete set of reachable contexts (which in this case is 
huge because you are going from an unconfined domain to a user 
authorized for the unconfined role) and then throwing away the vast 
majority of the returned contexts because they don't match anything in 
/etc/selinux/targeted/contexts/default_contexts or 
/etc/selinux/targeted/contexts/users/<seuser> and then ultimately only 
using the first (highest priority) context from the ordered list.  So 
the kernel computation is mostly wasted.  Better to just cut it out 
entirely.


* Re: get_default_context() hit the SIMPLE_TRANSACTION_LIMIT
  2015-11-09 14:21 ` Stephen Smalley
@ 2015-11-13 10:20   ` Miroslav Grepl
  0 siblings, 0 replies; 3+ messages in thread
From: Miroslav Grepl @ 2015-11-13 10:20 UTC (permalink / raw)
  To: Stephen Smalley, SELinux, Paul Moore

On 11/09/2015 03:21 PM, Stephen Smalley wrote:
> On 11/09/2015 08:43 AM, Miroslav Grepl wrote:
>> We are trying to get pam_selinux + systemd-user working on Fedora
>> Rawhide to avoid systemd-user running with init_t. The problem is with
>> the init_t domain, which is an unconfined domain by default on Fedora.
>>
>>
>> echo -n system_u:system_r:init_t:s0 unconfined_u > /sys/fs/selinux/user
>> sh: echo: write error: Numerical result out of range
>>
>>
>> causes failsafe_context to be used for the SELinux user context as a result of
>> pam_selinux. With the unconfined.pp module disabled, it works as expected.
>>
>> The problem is also described here
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1274345
> 
> In the past, I have suggested not using security_compute_user() anymore
> and taking a simplified version of this logic entirely to userspace,
> http://marc.info/?t=133054875600001&r=1&w=2
> 
> Obviously we could increase the kernel limit, but think about what the
> get_ordered_context_list() code is doing:  it is asking the kernel to
> compute the complete set of reachable contexts (which in this case is
> huge because you are going from an unconfined domain to a user
> authorized for the unconfined role) and then throwing away the vast
> majority of the returned contexts because they don't match anything in
> /etc/selinux/targeted/contexts/default_contexts or
> /etc/selinux/targeted/contexts/users/<seuser> and then ultimately only
> using the first (highest priority) context from the ordered list.  So
> the kernel computation is mostly wasted.  Better to just cut it out
> entirely.

You are correct. So we could skip security_compute_user() entirely,
pick the context up from the context files, and check whether the final
user context is valid.

-- 
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.

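The userspace lookup Stephen describes and Miroslav agrees to, as an added Python example (it is not libselinux's own code): match the source role:type against users/<seuser> and default_contexts, take the candidates in file order, and validate the final context instead of asking the kernel for every reachable context. The two file contents are constructed, and check_context is a stand-in predicate for security_check_context(3).

```python
"""Userspace default-context selection (added example, not libselinux code)."""

# Constructed sample files in the default_contexts format: each line is a
# source "role:type[:level]" followed by candidate "role:type[:level]" entries.
USERS_UNCONFINED_U = """\
system_r:init_t:s0   unconfined_r:unconfined_t:s0
system_r:sshd_t:s0   unconfined_r:unconfined_t:s0
"""
DEFAULT_CONTEXTS = """\
system_r:init_t:s0   user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:sshd_t:s0   user_r:user_t:s0 staff_r:staff_t:s0
"""


def role_type(entry):
    """'role:type' of a config entry ('role:type[:level]'); level is optional."""
    return ":".join(entry.split(":")[:2])


def candidates(fromcon, seuser, level, *files):
    """Candidate contexts for seuser, in file order: users/<seuser> first, then
    default_contexts, ordered the way get_ordered_context_list() orders them
    but without a security_compute_user() call. Only the source role:type is
    matched; the identity and level vary per login."""
    want = role_type(fromcon.split(":", 1)[1])  # drop the identity field
    out = []
    for text in files:
        for line in text.splitlines():
            fields = line.split()
            if len(fields) < 2 or role_type(fields[0]) != want:
                continue
            for entry in fields[1:]:
                ctx = "%s:%s:%s" % (seuser, role_type(entry), level)
                if ctx not in out:
                    out.append(ctx)
    return out


def get_default_context(fromcon, seuser, level, check_context, *files):
    """First candidate the loaded policy accepts, or None, in which case the
    caller falls back to failsafe_context. check_context is a predicate; in
    production it would wrap libselinux's security_check_context(3)."""
    for ctx in candidates(fromcon, seuser, level, *files):
        if check_context(ctx):
            return ctx
    return None
```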
