From: Laurent Bigonville <bigon@debian.org>
To: selinux@tycho.nsa.gov
Subject: (Userspace) AVC denial generated even if allowed by the policy?
Date: Mon, 23 Nov 2015 01:53:03 +0100
Message-ID: <5652636F.2060609@debian.org>
Hi,
I'm still looking at adding SELinux support in the "at" daemon and I now
have the following patch[0].
With this patch, at seems to behave like the cron daemon, as explained
in the commit log:
- When cron_userdomain_transition is set to off, a process for an
unconfined user will transition to unconfined_cronjob_t. For confined
user, the job is run as cronjob_t.
- When cron_userdomain_transition is set to on, the processes are run
under the user default context.
But every time an AVC denial is generated (with
cron_userdomain_transition set to off and the user running as staff_u,
in permissive with unmodified refpolicy):
avc: denied { entrypoint } for scontext=staff_u:staff_r:cronjob_t:s0
tcontext=staff_u:object_r:user_cron_spool_t:s0 tclass=file
The job runs as (id -Z): staff_u:staff_r:cronjob_t:s0
But audit2{allow,why} are saying that this is already allowed in the policy
Setting the cron_userdomain_transition boolean to on, I have the
following avc:
avc: denied { entrypoint } for scontext=staff_u:sysadm_r:sysadm_t:s0
tcontext=staff_u:object_r:user_cron_spool_t:s0 tclass=file
The job runs as (id -Z): staff_u:sysadm_r:sysadm_t:s0
So as said it seems to work, but I'm not sure why this AVC denial is
generated.
sesearch shows:
$ sesearch -ATSC -t user_cron_spool_t -c file -p entrypoint
Found 6 semantic av rules:
allow files_unconfined_type file_type : file { ioctl read write
create getattr setattr lock relabelfrom relabelto append unlink link
rename execute swapon quotaon mounton execute_no_trans entrypoint open
audit_access } ;
DT allow unconfined_t user_cron_spool_t : file entrypoint ; [
cron_userdomain_transition ]
DT allow user_t user_cron_spool_t : file entrypoint ; [
cron_userdomain_transition ]
EF allow cronjob_t user_cron_spool_t : file entrypoint ; [
cron_userdomain_transition ]
DT allow staff_t user_cron_spool_t : file entrypoint ; [
cron_userdomain_transition ]
DT allow sysadm_t user_cron_spool_t : file entrypoint ; [
cron_userdomain_transition ]
Did I overlook something?
Cheers,
Laurent Bigonville
[0]
https://anonscm.debian.org/cgit/users/bigon/at.git/commit/?h=selinux&id=0112f006b74a36f7200e315575fd25d78e11b170
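One way to redo the check audit2why is making here offline, as an added example that is not part of the mail or of the at patch: it parses the two quoted AVC lines and the quoted sesearch -C output, and lists the rules that grant the denied permission for a given value of cron_userdomain_transition. It assumes the setools 3 meaning of the DT/EF prefixes (first letter enabled/disabled in the loaded policy, second letter true/false branch of the boolean) and does not expand attribute rules such as the files_unconfined_type one.

```python
import re
# Constructed sample input: the denials and conditional rules quoted in the mail above.
AVC_CRONJOB = ("avc: denied { entrypoint } for scontext=staff_u:staff_r:cronjob_t:s0 "
               "tcontext=staff_u:object_r:user_cron_spool_t:s0 tclass=file")
AVC_SYSADM = ("avc: denied { entrypoint } for scontext=staff_u:sysadm_r:sysadm_t:s0 "
              "tcontext=staff_u:object_r:user_cron_spool_t:s0 tclass=file")
SESEARCH_OUT = """\
DT allow unconfined_t user_cron_spool_t : file entrypoint ; [ cron_userdomain_transition ]
DT allow user_t user_cron_spool_t : file entrypoint ; [ cron_userdomain_transition ]
EF allow cronjob_t user_cron_spool_t : file entrypoint ; [ cron_userdomain_transition ]
DT allow staff_t user_cron_spool_t : file entrypoint ; [ cron_userdomain_transition ]
DT allow sysadm_t user_cron_spool_t : file entrypoint ; [ cron_userdomain_transition ]
"""

AVC_RE = re.compile(r"avc: +denied +\{ (?P<perms>[^}]+)\} .*?scontext=(?P<sctx>\S+)\s+"
                    r"tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)")
# sesearch -C prefixes (setools 3, assumed): first letter E/D = rule enabled/disabled
# in the loaded policy, second letter T/F = rule sits in the boolean's true/false branch.
RULE_RE = re.compile(r"^(?:(?P<cond>[ED][TF]) )?allow (?P<src>\S+) (?P<tgt>\S+) : "
                     r"(?P<tclass>\S+) (?:\{ (?P<perms>[^}]+)\}|(?P<perm>\S+)) ;"
                     r"(?: \[ (?P<bool>\S+) \])?")

def parse_avc(line):
    """Return (source type, target type, class, denied perms) from a denial line."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial: " + line)
    # A context is user:role:type[:range]; only the type takes part in TE rules.
    return (m["sctx"].split(":")[2], m["tctx"].split(":")[2],
            m["tclass"], set(m["perms"].split()))

def parse_rules(text):
    """Parse sesearch -C allow rules; 'branch' is True/False/None (unconditional)."""
    rules = []
    for m in filter(None, (RULE_RE.match(ln.strip()) for ln in text.splitlines())):
        rules.append({"src": m["src"], "tgt": m["tgt"], "tclass": m["tclass"],
                      "perms": set((m["perms"] or m["perm"]).split()),
                      "bool": m["bool"],
                      "branch": None if m["cond"] is None else m["cond"][1] == "T"})
    return rules

def rules_granting(avc_line, rules, booleans):
    """Rules granting every denied perm with the booleans set as given; conditional
    rules match on their T/F branch, not on sesearch's E/D flag (no attribute expansion)."""
    src, tgt, tclass, perms = parse_avc(avc_line)
    return [r for r in rules
            if (r["src"], r["tgt"], r["tclass"]) == (src, tgt, tclass)
            and perms <= r["perms"]
            and (r["bool"] is None or booleans.get(r["bool"], False) == r["branch"])]
```

With the boolean off, the cronjob_t denial is covered by an enabled rule and the sysadm_t one is not; with it on, the reverse holds, which is exactly the puzzle the mail describes.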
Thread overview:
2015-11-23 0:53 Laurent Bigonville [this message]
2015-11-23 8:08 ` (Userspace) AVC denial generated even if allowed by the policy? Dominick Grift
2015-11-23 9:43 ` Laurent Bigonville
2015-11-23 15:34 ` Laurent Bigonville
2015-11-23 15:36 ` Laurent Bigonville
2015-11-23 16:21 ` Stephen Smalley
2015-11-23 17:25 ` Laurent Bigonville
2015-11-23 18:44 ` Stephen Smalley
2015-11-23 19:06 ` Laurent Bigonville
2015-11-23 20:31 ` Stephen Smalley