* [refpolicy] Transition not working as expected with boolean cron_userdomain_transition set to on
From: Laurent Bigonville @ 2015-11-23 11:31 UTC
To: refpolicy

Hi,

While testing my patch for the at daemon, I think I also found a bug in the policy.

With the cron_userdomain_transition boolean set to off I see the following behavior, user bigon is unconfined_u, test is user_u and test_staff is staff_u

bigon@soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0
unconfined_u:unconfined_r:unconfined_cronjob_t:s0-s0:c0.c1023
bigon@soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0
user_u:user_r:cronjob_t:s0
bigon@soldur:~$ /usr/sbin/getdefaultcon test_staff system_u:system_r:crond_t:s0
staff_u:staff_r:cronjob_t:s0

Everything seems OK here.

But when I toggle the boolean to on, I see the following behavior:

bigon@soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
bigon@soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0
/usr/sbin/getdefaultcon: Invalid argument
bigon@soldur:~$ /usr/sbin/getdefaultcon test_staff system_u:system_r:crond_t:s0
staff_u:sysadm_r:sysadm_t:s0

As you can see a default context cannot be computed for the user_u user and the staff_u domain is transitioned to sysadm_r:sysadm_t (not sure this is intended)

In the fedora policy I've found this patch https://github.com/fedora-selinux/selinux-policy/commit/28afa6f6438070902daca6ecb5d97abad7d53a0d

If I'm _adding_ the user context to the default context

bigon@soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
bigon@soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0
user_u:user_r:user_t:s0
bigon@soldur:~$ /usr/sbin/getdefaultcon test_staff system_u:system_r:crond_t:s0
staff_u:staff_r:staff_t:s0

I've attached a patch, am I understanding everything correctly here?

Cheers,

Laurent Bigonville

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Allow-the-user-cronjobs-to-run-in-their-userdomain.patch
Type: text/x-patch
Size: 4973 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20151123/597b9346/attachment.bin
* [refpolicy] Transition not working as expected with boolean cron_userdomain_transition set to on
From: Dominick Grift @ 2015-11-23 12:00 UTC
To: refpolicy

On Mon, Nov 23, 2015 at 12:31:00PM +0100, Laurent Bigonville wrote:
> Hi,
>
> While testing my patch for the at daemon, I think I also found a bug in the
> policy.
>
> With the cron_userdomain_transition boolean set to off I see the following
> behavior, user bigon is unconfined_u, test is user_u and test_staff is
> staff_u
>
> bigon@soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0
> unconfined_u:unconfined_r:unconfined_cronjob_t:s0-s0:c0.c1023
> bigon@soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0
> user_u:user_r:cronjob_t:s0
> bigon@soldur:~$ /usr/sbin/getdefaultcon test_staff
> system_u:system_r:crond_t:s0
> staff_u:staff_r:cronjob_t:s0
>
>
> Everything seems OK here.
>
> But when I toggle the boolean to on, I see the following behavior:
>
> bigon@soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> bigon@soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0
> /usr/sbin/getdefaultcon: Invalid argument
> bigon@soldur:~$ /usr/sbin/getdefaultcon test_staff
> system_u:system_r:crond_t:s0
> staff_u:sysadm_r:sysadm_t:s0
>
> As you can see a default context cannot be computed for the user_u user and
> the staff_u domain is transitioned to sysadm_r:sysadm_t (not sure this is
> intended)
>
> In the fedora policy I've found this patch https://github.com/fedora-selinux/selinux-policy/commit/28afa6f6438070902daca6ecb5d97abad7d53a0d
>
> If I'm _adding_ the user context to the default context
>
> bigon@soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> bigon@soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0
> user_u:user_r:user_t:s0
> bigon@soldur:~$ /usr/sbin/getdefaultcon test_staff
> system_u:system_r:crond_t:s0
> staff_u:staff_r:staff_t:s0
>
> I've attached a patch, am I understanding everything correctly here?
>
> Cheers,
>
> Laurent Bigonville

> From c8aa69e51d8781da782a50dbdf20b258288093d4 Mon Sep 17 00:00:00 2001
> From: Laurent Bigonville <bigon@bigon.be>
> Date: Mon, 23 Nov 2015 12:25:13 +0100
> Subject: [PATCH] Allow the user cronjobs to run in their userdomain
>
> When cron_userdomain_transition boolean is set to on, the user cronjobs
> are supposed to run in their domains. Without this patch the default
> context is not properly computed:
>
> $ /usr/sbin/getdefaultcon user_u system_u:system_r:crond_t:s0
> /usr/sbin/getdefaultcon: Invalid argument
> $ /usr/sbin/getdefaultcon staff_u system_u:system_r:crond_t:s0
> staff_u:sysadm_r:sysadm_t:s0

this is not an accurate description since it expects a user name and not a selinux user id (right?)

>
> With this patch applied:
>
> $ /usr/sbin/getdefaultcon user_u system_u:system_r:crond_t:s0
> user_u:user_r:user_t:s0
> $ /usr/sbin/getdefaultcon staff_ system_u:system_r:crond_t:s0
> staff_u:staff_r:staff_t:s0

idem ditto

> --- > config/appconfig-mcs/staff_u_default_contexts | 2 +- > config/appconfig-mcs/user_u_default_contexts | 2 +- > config/appconfig-mls/staff_u_default_contexts | 2 +- > config/appconfig-mls/user_u_default_contexts | 2 +- > config/appconfig-standard/staff_u_default_contexts | 2 +- > config/appconfig-standard/user_u_default_contexts | 2 +- > 6 files changed, 6 insertions(+), 6 deletions(-) > > diff --git a/config/appconfig-mcs/staff_u_default_contexts b/config/appconfig-mcs/staff_u_default_contexts > index 881a292..5606c4e 100644 > --- a/config/appconfig-mcs/staff_u_default_contexts > +++ b/config/appconfig-mcs/staff_u_default_contexts
> @@ -1,7 +1,7 @@ > system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 > system_r:remote_login_t:s0 staff_r:staff_t:s0 > system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 > -system_r:crond_t:s0 staff_r:cronjob_t:s0 > +system_r:crond_t:s0 staff_r:staff_t:s0 staff_r:cronjob_t:s0 > system_r:xdm_t:s0 staff_r:staff_t:s0 > staff_r:staff_su_t:s0 staff_r:staff_t:s0 > staff_r:staff_sudo_t:s0 staff_r:staff_t:s0 > diff --git a/config/appconfig-mcs/user_u_default_contexts b/config/appconfig-mcs/user_u_default_contexts > index cacbc93..56d6071 100644 > --- a/config/appconfig-mcs/user_u_default_contexts > +++ b/config/appconfig-mcs/user_u_default_contexts > @@ -1,7 +1,7 @@ > system_r:local_login_t:s0 user_r:user_t:s0 > system_r:remote_login_t:s0 user_r:user_t:s0 > system_r:sshd_t:s0 user_r:user_t:s0 > -system_r:crond_t:s0 user_r:cronjob_t:s0 > +system_r:crond_t:s0 user_r:user_t:s0 user_r:cronjob_t:s0 > system_r:xdm_t:s0 user_r:user_t:s0 > user_r:user_su_t:s0 user_r:user_t:s0 > user_r:user_sudo_t:s0 user_r:user_t:s0 > diff --git a/config/appconfig-mls/staff_u_default_contexts b/config/appconfig-mls/staff_u_default_contexts > index 881a292..5606c4e 100644 > --- a/config/appconfig-mls/staff_u_default_contexts > +++ b/config/appconfig-mls/staff_u_default_contexts > @@ -1,7 +1,7 @@ > system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 > system_r:remote_login_t:s0 staff_r:staff_t:s0 > system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 > -system_r:crond_t:s0 staff_r:cronjob_t:s0 > +system_r:crond_t:s0 staff_r:staff_t:s0 staff_r:cronjob_t:s0 > system_r:xdm_t:s0 staff_r:staff_t:s0 > staff_r:staff_su_t:s0 staff_r:staff_t:s0 > staff_r:staff_sudo_t:s0 staff_r:staff_t:s0 > diff --git a/config/appconfig-mls/user_u_default_contexts b/config/appconfig-mls/user_u_default_contexts > index cacbc93..56d6071 100644 > --- a/config/appconfig-mls/user_u_default_contexts > +++ b/config/appconfig-mls/user_u_default_contexts 
> @@ -1,7 +1,7 @@ > system_r:local_login_t:s0 user_r:user_t:s0 > system_r:remote_login_t:s0 user_r:user_t:s0 > system_r:sshd_t:s0 user_r:user_t:s0 > -system_r:crond_t:s0 user_r:cronjob_t:s0 > +system_r:crond_t:s0 user_r:user_t:s0 user_r:cronjob_t:s0 > system_r:xdm_t:s0 user_r:user_t:s0 > user_r:user_su_t:s0 user_r:user_t:s0 > user_r:user_sudo_t:s0 user_r:user_t:s0 > diff --git a/config/appconfig-standard/staff_u_default_contexts b/config/appconfig-standard/staff_u_default_contexts > index c2a5ea8..300694c 100644 > --- a/config/appconfig-standard/staff_u_default_contexts > +++ b/config/appconfig-standard/staff_u_default_contexts > @@ -1,7 +1,7 @@ > system_r:local_login_t staff_r:staff_t sysadm_r:sysadm_t > system_r:remote_login_t staff_r:staff_t > system_r:sshd_t staff_r:staff_t sysadm_r:sysadm_t > -system_r:crond_t staff_r:cronjob_t > +system_r:crond_t staff_r:staff_t staff_r:cronjob_t > system_r:xdm_t staff_r:staff_t > staff_r:staff_su_t staff_r:staff_t > staff_r:staff_sudo_t staff_r:staff_t > diff --git a/config/appconfig-standard/user_u_default_contexts b/config/appconfig-standard/user_u_default_contexts > index f5bfac3..63b7eec 100644 > --- a/config/appconfig-standard/user_u_default_contexts > +++ b/config/appconfig-standard/user_u_default_contexts 
> @@ -1,7 +1,7 @@ > system_r:local_login_t user_r:user_t > system_r:remote_login_t user_r:user_t > system_r:sshd_t user_r:user_t > -system_r:crond_t user_r:cronjob_t > +system_r:crond_t user_r:user_t user_r:cronjob_t > system_r:xdm_t user_r:user_t > user_r:user_su_t user_r:user_t > user_r:user_sudo_t user_r:user_t > -- > 2.6.2

--
Dominick Grift
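Review bot: in the config/appconfig-mcs/staff_u_default_contexts hunk, `+system_r:crond_t:s0 staff_r:staff_t:s0 staff_r:cronjob_t:s0` only yields cronjob_t with the boolean off if the library discards a candidate whose crond_t to staff_t transition the loaded policy denies, rather than accepting any context that is merely valid; whether it does so is an open question in this thread, and the commit message shows getdefaultcon output only with cron_userdomain_transition on. Please add the boolean-off runs for a staff_u and a user_u account after the patch so the fall-through to `staff_r:cronjob_t:s0` and `user_r:cronjob_t:s0` is demonstrated, and state in the message which libselinux behaviour the new ordering relies on.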
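Review bot: in the config/appconfig-mcs/user_u_default_contexts hunk, `+system_r:crond_t:s0 user_r:user_t:s0 user_r:cronjob_t:s0` fixes the per-user file, but the diffstat shows the crond_t line of config/appconfig-*/default_contexts is untouched in all three flavours. The `staff_u:sysadm_r:sysadm_t:s0` result in the report came from somewhere other than these per-user lines, which listed only cronjob_t, so the system-wide fallback keeps its old order for any user whose per-user file has no usable crond_t entry. Suggest adding matching hunks for the three default_contexts files, with the user domains listed first and the cronjob domains after them.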
* [refpolicy] Transition not working as expected with boolean cron_userdomain_transition set to on
From: Laurent Bigonville @ 2015-11-23 12:15 UTC
To: refpolicy

On 23/11/15 13:00, Dominick Grift wrote:
> On Mon, Nov 23, 2015 at 12:31:00PM +0100, Laurent Bigonville wrote:
>> [...]
>>
>>
>> When cron_userdomain_transition boolean is set to on, the user cronjobs
>> are supposed to run in their domains. Without this patch the default
>> context is not properly computed:
>>
>> $ /usr/sbin/getdefaultcon user_u system_u:system_r:crond_t:s0
>> /usr/sbin/getdefaultcon: Invalid argument
>> $ /usr/sbin/getdefaultcon staff_u system_u:system_r:crond_t:s0
>> staff_u:sysadm_r:sysadm_t:s0
> this is not an accurate description since it expects a user name and not a
> selinux user id (right?)
>
>> With this patch applied:
>>
>> $ /usr/sbin/getdefaultcon user_u system_u:system_r:crond_t:s0
>> user_u:user_r:user_t:s0
>> $ /usr/sbin/getdefaultcon staff_ system_u:system_r:crond_t:s0
>> staff_u:staff_r:staff_t:s0
> idem ditto

Yes indeed, it was to make the thing more clear for the reader
* [refpolicy] Transition not working as expected with boolean cron_userdomain_transition set to on
From: Dominick Grift @ 2015-11-23 12:39 UTC
To: refpolicy

On Mon, Nov 23, 2015 at 01:15:07PM +0100, Laurent Bigonville wrote:
> On 23/11/15 13:00, Dominick Grift wrote:
> > On Mon, Nov 23, 2015 at 12:31:00PM +0100, Laurent Bigonville wrote:
> >> [...]
> >>
> >>
> >> When cron_userdomain_transition boolean is set to on, the user cronjobs
> >> are supposed to run in their domains. Without this patch the default
> >> context is not properly computed:
> >>
> >> $ /usr/sbin/getdefaultcon user_u system_u:system_r:crond_t:s0
> >> /usr/sbin/getdefaultcon: Invalid argument
> >> $ /usr/sbin/getdefaultcon staff_u system_u:system_r:crond_t:s0
> >> staff_u:sysadm_r:sysadm_t:s0
> > this is not an accurate description since it expects a user name and not a
> > selinux user id (right?)
> >
> >> With this patch applied:
> >>
> >> $ /usr/sbin/getdefaultcon user_u system_u:system_r:crond_t:s0
> >> user_u:user_r:user_t:s0
> >> $ /usr/sbin/getdefaultcon staff_ system_u:system_r:crond_t:s0
> >> staff_u:staff_r:staff_t:s0
> > idem ditto
>
> Yes indeed, it was to make the thing more clear for the reader

I do not think that this attempt succeeds, instead it is actually confusing.

--
Dominick Grift
* [refpolicy] Transition not working as expected with boolean cron_userdomain_transition set to on
From: Christopher J. PeBenito @ 2015-12-01 15:50 UTC
To: refpolicy

On 11/23/2015 6:31 AM, Laurent Bigonville wrote:
> Hi,
>
> While testing my patch for the at daemon, I think I also found a bug in
> the policy.
>
> With the cron_userdomain_transition boolean set to off I see the
> following behavior, user bigon is unconfined_u, test is user_u and
> test_staff is staff_u
>
> bigon@soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0
> unconfined_u:unconfined_r:unconfined_cronjob_t:s0-s0:c0.c1023
> bigon@soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0
> user_u:user_r:cronjob_t:s0
> bigon@soldur:~$ /usr/sbin/getdefaultcon test_staff
> system_u:system_r:crond_t:s0
> staff_u:staff_r:cronjob_t:s0
>
>
> Everything seems OK here.
>
> But when I toggle the boolean to on, I see the following behavior:
>
> bigon@soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> bigon@soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0
> /usr/sbin/getdefaultcon: Invalid argument
> bigon@soldur:~$ /usr/sbin/getdefaultcon test_staff
> system_u:system_r:crond_t:s0
> staff_u:sysadm_r:sysadm_t:s0
>
> As you can see a default context cannot be computed for the user_u user
> and the staff_u domain is transitioned to sysadm_r:sysadm_t (not sure
> this is intended)
>
> In the fedora policy I've found this patch
> https://github.com/fedora-selinux/selinux-policy/commit/28afa6f6438070902daca6ecb5d97abad7d53a0d
>
>
> If I'm _adding_ the user context to the default context
>
> bigon@soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> bigon@soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0
> user_u:user_r:user_t:s0
> bigon@soldur:~$ /usr/sbin/getdefaultcon test_staff
> system_u:system_r:crond_t:s0
> staff_u:staff_r:staff_t:s0
>
> I've attached a patch, am I understanding everything correctly here?

This makes sense, though the default_context files should probably be updated similarly.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* [refpolicy] Transition not working as expected with boolean cron_userdomain_transition set to on
From: Laurent Bigonville @ 2015-12-01 16:26 UTC
To: refpolicy

On 01/12/15 16:50, Christopher J. PeBenito wrote:
> On 11/23/2015 6:31 AM, Laurent Bigonville wrote:
>> Hi,
>>
>> While testing my patch for the at daemon, I think I also found a bug in
>> the policy.
>>
>> With the cron_userdomain_transition boolean set to off I see the
>> following behavior, user bigon is unconfined_u, test is user_u and
>> test_staff is staff_u
>>
>> bigon@soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0
>> unconfined_u:unconfined_r:unconfined_cronjob_t:s0-s0:c0.c1023
>> bigon@soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0
>> user_u:user_r:cronjob_t:s0
>> bigon@soldur:~$ /usr/sbin/getdefaultcon test_staff
>> system_u:system_r:crond_t:s0
>> staff_u:staff_r:cronjob_t:s0
>>
>>
>> Everything seems OK here.
>>
>> But when I toggle the boolean to on, I see the following behavior:
>>
>> bigon@soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0
>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> bigon@soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0
>> /usr/sbin/getdefaultcon: Invalid argument
>> bigon@soldur:~$ /usr/sbin/getdefaultcon test_staff
>> system_u:system_r:crond_t:s0
>> staff_u:sysadm_r:sysadm_t:s0
>>
>> As you can see a default context cannot be computed for the user_u user
>> and the staff_u domain is transitioned to sysadm_r:sysadm_t (not sure
>> this is intended)
>>
>> In the fedora policy I've found this patch
>> https://github.com/fedora-selinux/selinux-policy/commit/28afa6f6438070902daca6ecb5d97abad7d53a0d
>>
>>
>> If I'm _adding_ the user context to the default context
>>
>> bigon@soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0
>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> bigon@soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0
>> user_u:user_r:user_t:s0
>> bigon@soldur:~$ /usr/sbin/getdefaultcon test_staff
>> system_u:system_r:crond_t:s0
>> staff_u:staff_r:staff_t:s0
>>
>> I've attached a patch, am I understanding everything correctly here?
> This makes sense, though the default_context files should probably be
> updated similarly.

Is the order relevant here?
* [refpolicy] Transition not working as expected with boolean cron_userdomain_transition set to on
From: Christopher J. PeBenito @ 2015-12-02 14:35 UTC
To: refpolicy

On 12/1/2015 11:26 AM, Laurent Bigonville wrote:
> On 01/12/15 16:50, Christopher J. PeBenito wrote:
>> On 11/23/2015 6:31 AM, Laurent Bigonville wrote:
>>> Hi,
>>>
>>> While testing my patch for the at daemon, I think I also found a bug in
>>> the policy.
>>>
>>> With the cron_userdomain_transition boolean set to off I see the
>>> following behavior, user bigon is unconfined_u, test is user_u and
>>> test_staff is staff_u
>>>
>>> bigon@soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0
>>> unconfined_u:unconfined_r:unconfined_cronjob_t:s0-s0:c0.c1023
>>> bigon@soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0
>>> user_u:user_r:cronjob_t:s0
>>> bigon@soldur:~$ /usr/sbin/getdefaultcon test_staff
>>> system_u:system_r:crond_t:s0
>>> staff_u:staff_r:cronjob_t:s0
>>>
>>>
>>> Everything seems OK here.
>>>
>>> But when I toggle the boolean to on, I see the following behavior:
>>>
>>> bigon@soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0
>>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>> bigon@soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0
>>> /usr/sbin/getdefaultcon: Invalid argument
>>> bigon@soldur:~$ /usr/sbin/getdefaultcon test_staff
>>> system_u:system_r:crond_t:s0
>>> staff_u:sysadm_r:sysadm_t:s0
>>>
>>> As you can see a default context cannot be computed for the user_u user
>>> and the staff_u domain is transitioned to sysadm_r:sysadm_t (not sure
>>> this is intended)
>>>
>>> In the fedora policy I've found this patch
>>> https://github.com/fedora-selinux/selinux-policy/commit/28afa6f6438070902daca6ecb5d97abad7d53a0d
>>>
>>>
>>> If I'm _adding_ the user context to the default context
>>>
>>> bigon@soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0
>>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>> bigon@soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0
>>> user_u:user_r:user_t:s0
>>> bigon@soldur:~$ /usr/sbin/getdefaultcon test_staff
>>> system_u:system_r:crond_t:s0
>>> staff_u:staff_r:staff_t:s0
>>>
>>> I've attached a patch, am I understanding everything correctly here?
>> This makes sense, though the default_context files should probably be
>> updated similarly.
> Is the order relevant here?

For each line, the order is relevant. The libraries will choose the first partial context that will result in a valid context. I'd have to look at the code to see if it will skip partial contexts if the context is valid but the transition is denied.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* [refpolicy] Transition not working as expected with boolean cron_userdomain_transition set to on
From: Laurent Bigonville @ 2015-12-03 14:33 UTC
To: refpolicy

On 02/12/15 15:35, Christopher J. PeBenito wrote:
> On 12/1/2015 11:26 AM, Laurent Bigonville wrote:
>> On 01/12/15 16:50, Christopher J. PeBenito wrote:
>>> This makes sense, though the default_context files should probably
>>> be updated similarly.
>> Is the order relevant here?
> For each line, the order is relevant. The libraries will choose the
> first partial context that will result in a valid context. I'd have to
> look at the code to see if it will skip partial contexts if the context
> is valid but the transition is denied.

And in this precise case, do you have a specific order for these contexts in the default_contexts file?
* [refpolicy] Transition not working as expected with boolean cron_userdomain_transition set to on
From: Christopher J. PeBenito @ 2015-12-03 15:57 UTC
To: refpolicy

On 12/3/2015 9:33 AM, Laurent Bigonville wrote:
> On 02/12/15 15:35, Christopher J. PeBenito wrote:
>> On 12/1/2015 11:26 AM, Laurent Bigonville wrote:
>>> On 01/12/15 16:50, Christopher J. PeBenito wrote:
>>>> This makes sense, though the default_context files should probably
>>>> be updated similarly.
>>> Is the order relevant here?
>> For each line, the order is relevant. The libraries will choose the
>> first partial context that will result in a valid context. I'd have to
>> look at the code to see if it will skip partial contexts if the context
>> is valid but the transition is denied.
> And in this precise case, do you have a specific order for these
> contexts in the default_contexts file?

I think it should be like the user default_context files, where the user domains are first, so those are chosen if the cron_userdomain_transition is true. If false, then it should fall through to the cronjob domains.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
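The selection rule Chris describes (per-user file consulted before the system-wide default_contexts, and on the matching line the first partial context that yields a reachable context wins) and the ordering he recommends can be exercised without an SELinux host. The following Python is an added example written for this thread, not code from refpolicy, libselinux or Laurent's patch: the per-user lines are taken from the patch's `-` and `+` lines, while the `default_contexts` crond_t line and the per-boolean "reachable" sets are constructed assumptions chosen so that the model reproduces the outputs in the bug report (staff_u landing in sysadm_r:sysadm_t, user_u getting no context at all). It is a model of the ordering rule, not a reimplementation of libselinux.

```python
"""Model of how a default context is picked from refpolicy's
*_default_contexts files, as discussed in this thread.

Added example: not code from refpolicy, libselinux or the patch.  The
per-user lines come from the patch; DEFAULT_CONTEXTS and REACHABLE are
constructed assumptions that reproduce the outputs in the bug report.
"""

# Excerpts in appconfig-mcs layout: first field is the calling process's
# role:type:range, the remaining fields are candidates in priority order.
STAFF_U_BEFORE = """\
system_r:local_login_t:s0  staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:crond_t:s0  staff_r:cronjob_t:s0
"""
STAFF_U_AFTER = STAFF_U_BEFORE.replace(
    "staff_r:cronjob_t:s0", "staff_r:staff_t:s0 staff_r:cronjob_t:s0")
USER_U_BEFORE = """\
system_r:local_login_t:s0  user_r:user_t:s0
system_r:crond_t:s0  user_r:cronjob_t:s0
"""
USER_U_AFTER = USER_U_BEFORE.replace(
    "user_r:cronjob_t:s0", "user_r:user_t:s0 user_r:cronjob_t:s0")
# Assumed system-wide fallback (not the refpolicy file): sysadm_r first and
# no user_r entry, which reproduces the two odd results from the report.
DEFAULT_CONTEXTS = """\
# constructed for this example
system_r:crond_t:s0  sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
"""


def parse_default_contexts(text):
    """Return [(from_role_type_range, [partial_context, ...]), ...] in
    file order, skipping blank lines and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        rules.append((fields[0], fields[1:]))
    return rules


def ordered_candidates(fromcon, seuser, reachable, *files):
    """Candidates for a process in `fromcon` acting for SELinux user `seuser`.

    Files are walked in order (per-user file, then default_contexts); on each
    line whose first field matches fromcon's role:type:range the partial
    contexts are tried left to right and kept only when seuser:partial is in
    `reachable`, the set of contexts the policy lets fromcon reach for that
    user (what cron_userdomain_transition toggles).
    """
    wanted = fromcon.split(":", 1)[1]          # drop the SELinux user
    chosen = []
    for text in files:
        for from_rtr, partials in parse_default_contexts(text):
            if from_rtr != wanted:
                continue
            for partial in partials:
                full = f"{seuser}:{partial}"
                if full in reachable and full not in chosen:
                    chosen.append(full)
    return chosen


def get_default_context(fromcon, seuser, reachable, *files):
    """First usable candidate, or None (the 'Invalid argument' case)."""
    cands = ordered_candidates(fromcon, seuser, reachable, *files)
    return cands[0] if cands else None


CROND = "system_u:system_r:crond_t:s0"
# Assumed reachable sets per user and boolean state, modelled on the report:
# with the boolean on, cronjob_t drops out and the user domains appear.
REACHABLE = {
    ("staff_u", "off"): {"staff_u:staff_r:cronjob_t:s0"},
    ("staff_u", "on"): {"staff_u:staff_r:staff_t:s0",
                        "staff_u:sysadm_r:sysadm_t:s0"},
    ("user_u", "off"): {"user_u:user_r:cronjob_t:s0"},
    ("user_u", "on"): {"user_u:user_r:user_t:s0"},
}
USER_FILES = {
    ("staff_u", "before"): STAFF_U_BEFORE, ("staff_u", "after"): STAFF_U_AFTER,
    ("user_u", "before"): USER_U_BEFORE, ("user_u", "after"): USER_U_AFTER,
}


def simulate():
    """Default context for every (seuser, patch state, boolean) combination."""
    results = {}
    for (seuser, patched), user_file in USER_FILES.items():
        for boolean in ("off", "on"):
            results[(seuser, patched, boolean)] = get_default_context(
                CROND, seuser, REACHABLE[(seuser, boolean)],
                user_file, DEFAULT_CONTEXTS)
    return results


if __name__ == "__main__":
    for (seuser, patched, boolean), ctx in sorted(simulate().items()):
        print(f"{seuser:8} {patched:6} boolean={boolean:3} -> "
              f"{ctx or '/usr/sbin/getdefaultcon: Invalid argument'}")
```

Running it prints the same four outcomes the report shows for the unpatched files, then the patched ones: with the user domain listed first, the boolean-on case picks `staff_r:staff_t` / `user_r:user_t`, and the boolean-off case still falls through to `cronjob_t` because the user domain is not reachable then. The fall-through only works if unreachable candidates are skipped rather than merely syntactically validated, which is the point Chris says he would need to confirm in the libselinux code.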