From: Laurent Bigonville <bigon@debian.org>
To: selinux@tycho.nsa.gov
Subject: Re: (Userspace) AVC denial generated even if allowed by the policy?
Date: Mon, 23 Nov 2015 10:43:30 +0100	[thread overview]
Message-ID: <5652DFC2.6090309@debian.org> (raw)
In-Reply-To: <20151123080806.GA5869@x250>

On 23/11/15 09:08, Dominick Grift wrote:
> On Mon, Nov 23, 2015 at 01:53:03AM +0100, Laurent Bigonville wrote:
>> Hi,
>>
>> I'm still looking at adding SELinux support in the "at" daemon and I now
>> have the following patch[0].
>>
>> With this patch, at seems to behave like the cron daemon, as explained in
>> the commit log:
>>
>>      - When cron_userdomain_transition is set to off, a process for an
>>        unconfined user will transition to unconfined_cronjob_t. For confined
>>        users, the job is run as cronjob_t.
>>
>>      - When cron_userdomain_transition is set to on, the processes are run
>>        under the user default context.
>>
>> But every time an AVC denial is generated (with cron_userdomain_transition
>> set to off and the user running as staff_u, in permissive with unmodified
>> refpolicy):
>>
>> avc:  denied  { entrypoint } for scontext=staff_u:staff_r:cronjob_t:s0
>> tcontext=staff_u:object_r:user_cron_spool_t:s0 tclass=file
>>
>> The job runs as (id -Z): staff_u:staff_r:cronjob_t:s0
>>
>> But audit2{allow,why} are saying that this is already allowed in the policy
>>
>> Setting the cron_userdomain_transition boolean to on, I have the following
>> avc:
>>
>> avc:  denied  { entrypoint } for scontext=staff_u:sysadm_r:sysadm_t:s0
>> tcontext=staff_u:object_r:user_cron_spool_t:s0 tclass=file
> I think this is weird as well since user_cron_spool_t is not actually
> executed as far as I know (and thus is not actually an entrypoint). The
> entrypoint permission is merely allowed so that crond_t/atd_t can calculate
> access to the target domains.
>
> So I do not see why these entrypoint events are hit in the first place

The code is explicitly doing that, I guess it's the design decision from 
the original writer of the patch:

  /*
  * Since crontab files are not directly executed,
  * crond must ensure that the crontab file has
  * a context that is appropriate for the context of
  * the user cron job. It performs an entrypoint
  * permission check for this purpose.
  */

And that's why there is an entrypoint check:

selinux_check_access(user_context, file_context, "file", "entrypoint", NULL);
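The puzzle in this thread is a denial that audit2why reports as already allowed. The following is an added example (not part of this thread, the at patch, or refpolicy): it parses AVC lines in the userspace-AVC form quoted above, derives the allow rule each denial would need, and checks that rule against a small allow table. The allow table, the log prefix on the non-AVC line and the third sample denial are constructed for the demo; the two cron entries in the table are assumptions standing in for what the thread says refpolicy grants, not an extract of the real policy.

```python
"""Parse SELinux AVC messages (kernel or userspace form) and flag denials
that a given allow table already grants.  Added example; the allow table
is a constructed stand-in, not refpolicy."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Matches both kernel AVC records and the shorter userspace-AVC form produced
# by selinux_check_access() with NULL audit data (no pid=/comm= fields).
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class AvcEvent:
    result: str             # "denied" or "granted"
    perms: Tuple[str, ...]  # permissions inside the braces, in order
    scontext: str           # source (process) security context
    tcontext: str           # target (object) security context
    tclass: str             # object class, e.g. "file"


def parse_avc(line: str) -> Optional[AvcEvent]:
    """Return an AvcEvent for an AVC line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    try:
        return AvcEvent(
            result=m.group("result"),
            perms=tuple(m.group("perms").split()),
            scontext=fields["scontext"],
            tcontext=fields["tcontext"],
            tclass=fields["tclass"],
        )
    except KeyError:  # scontext/tcontext/tclass are mandatory
        return None


def context_type(ctx: str) -> str:
    """Third field of user:role:type[:range]; allow rules are keyed on types."""
    return ctx.split(":")[2]


def required_rule(ev: AvcEvent) -> str:
    """The minimal allow rule that would satisfy this event (what audit2allow prints)."""
    return "allow %s %s:%s { %s };" % (
        context_type(ev.scontext), context_type(ev.tcontext), ev.tclass, " ".join(ev.perms))


# Constructed stand-in for a loaded policy: (source type, target type, class) -> perms.
# The two cron entries are assumptions mirroring what the thread says refpolicy
# already allows; they are not copied from refpolicy.
ALLOW_RULES: Dict[Tuple[str, str, str], FrozenSet[str]] = {
    ("cronjob_t", "user_cron_spool_t", "file"): frozenset({"entrypoint", "read", "getattr"}),
    ("sysadm_t", "user_cron_spool_t", "file"): frozenset({"entrypoint", "read", "getattr"}),
}


def is_already_allowed(ev: AvcEvent, rules=ALLOW_RULES) -> bool:
    """True when every denied permission is granted by the table, i.e. adding
    the rule audit2allow proposes would change nothing and the cause lies
    elsewhere (the situation this thread is chasing)."""
    key = (context_type(ev.scontext), context_type(ev.tcontext), ev.tclass)
    return set(ev.perms) <= rules.get(key, frozenset())


def triage(lines: List[str], rules=ALLOW_RULES) -> List[Tuple[AvcEvent, str, bool]]:
    """For each AVC line: the parsed event, the rule it would need, and whether
    the table already grants it.  Non-AVC lines are skipped."""
    out = []
    for line in lines:
        ev = parse_avc(line)
        if ev is not None:
            out.append((ev, required_rule(ev), is_already_allowed(ev, rules)))
    return out


# Constructed sample log: the two denials quoted in the thread (re-joined onto
# one line each), one made-up denial the table does not cover, and a non-AVC line.
SAMPLE_LOG = [
    "avc:  denied  { entrypoint } for scontext=staff_u:staff_r:cronjob_t:s0 "
    "tcontext=staff_u:object_r:user_cron_spool_t:s0 tclass=file",
    "avc:  denied  { entrypoint } for scontext=staff_u:sysadm_r:sysadm_t:s0 "
    "tcontext=staff_u:object_r:user_cron_spool_t:s0 tclass=file",
    "avc:  denied  { write } for scontext=staff_u:staff_r:cronjob_t:s0 "
    "tcontext=system_u:object_r:var_log_t:s0 tclass=file",  # constructed
    "Nov 23 09:43:30 host atd[1234]: job 5 started",  # constructed, not an AVC line
]

if __name__ == "__main__":
    for ev, rule, allowed in triage(SAMPLE_LOG):
        flag = "ALREADY ALLOWED - investigate" if allowed else "needs rule"
        print("%-30s %s" % (flag, rule))
```

Against a real system the allow table is replaced by `sesearch`/`audit2why` output; the point of the split between `required_rule` and `is_already_allowed` is that a denial the policy already grants should be investigated (which contexts the check was actually run with, whether the loaded policy matches the one queried) rather than answered with another allow rule.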
