From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: Strange AVC with latest rawhide kernel.
To: Daniel J Walsh , Stephen Smalley , Paul Moore
References: <1456423369.3702.42.camel@redhat.com> <56CF4574.3030709@tycho.nsa.gov> <1456426779.3702.52.camel@redhat.com> <56CF523A.7000503@tycho.nsa.gov> <1456429021.31341.34.camel@redhat.com> <56CF5A54.7020600@tycho.nsa.gov> <1456432101.3702.67.camel@redhat.com> <56CF6A08.6010305@tycho.nsa.gov> <1456491264.3481.2.camel@redhat.com> <56D07421.3090301@tycho.nsa.gov> <1456504426.3481.44.camel@redhat.com> <56D0AC79.8040600@tycho.nsa.gov> <1456518652.3481.51.camel@redhat.com>
Cc: selinux@tycho.nsa.gov, Eric Paris
From: James Carter
Message-ID: <56D47178.3010006@tycho.nsa.gov>
Date: Mon, 29 Feb 2016 11:27:36 -0500
MIME-Version: 1.0
In-Reply-To: <1456518652.3481.51.camel@redhat.com>
Content-Type: text/plain; charset=utf-8; format=flowed
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"
List-Post:
List-Help:

On 02/26/2016 03:30 PM, Daniel J Walsh wrote:
> On Fri, 2016-02-26 at 14:50 -0500, James Carter wrote:
>> On 02/26/2016 11:33 AM, Daniel J Walsh wrote:
>>>
>>>
>>> BTW I turned on the expand-check=1 in semanage.conf and semodule -B
>>> went nuts and crashed.
>>>
>>> On this policy.
>>>
>>> policy_module(mypol, 1.0)
>>>
>>> require {
>>>     type svirt_lxc_net_t;
>>>     type docker_t;
>>>     type svirt_sandbox_file_t;
>>>     type unconfined_t;
>>> }
>>> allow unconfined_t svirt_sandbox_file_t:file entrypoint;
>>> allow docker_t svirt_sandbox_file_t:file entrypoint;
>>> typebounds unconfined_t docker_t;
>>> typebounds docker_t svirt_lxc_net_t;
>>>
>>>
>> I thought that maybe the toolchain couldn't handle an A bounds B bounds C
>> relationship, but current versions handle that just fine and even versions back
>> in June before I refactored the bounds checking could handle it. I only checked
>> with checkpolicy and secilc, so there is a chance that something particular with
>> modules caused this.
>>
>> I tried your module on Fedora 23 and the first bounds check fails. Nothing crazy
>> happened though. I don't currently have a rawhide machine to try it on.
>>
>
> I guess unconfined_t also needs docker_exec_t as an entrypoint.
>
> Still crashes. Here is the output and strace.
> # strace -o /tmp/strace semodule -B 2> /tmp/out
>

Is your policy available somewhere, so I can try to reproduce this?

Jim

--
James Carter
National Security Agency
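The bounds relationship the quoted module sets up (unconfined_t bounds docker_t, which in turn bounds svirt_lxc_net_t) is what the toolchain's bounds check validates. As an added example that is not part of this thread or of checkpolicy/secilc, here is a small Python model of that check: every permission a bounded type holds must also be held by its parent. The allow rules for the bounded types are constructed; in a real policy they carry far more rules than the two-line module, and a permission the parent lacks is what makes a bounds check fail.

```python
"""Model of the SELinux typebounds check for the module quoted in the thread.

Added example, not part of the thread or of checkpolicy/secilc.  The allow
rules below are constructed: in a real policy docker_t and svirt_lxc_net_t
carry many more rules than the quoted module, and a bounded type holding a
permission its parent lacks is what fails the check.
"""
from collections import defaultdict

# Constructed policy fragment: the thread's typebounds lines plus sample allow rules.
SAMPLE_POLICY = """
allow unconfined_t svirt_sandbox_file_t:file { entrypoint read write execute };
allow docker_t svirt_sandbox_file_t:file { entrypoint read write };
allow svirt_lxc_net_t svirt_sandbox_file_t:file { read write execute };
typebounds unconfined_t docker_t;
typebounds docker_t svirt_lxc_net_t;
"""


def parse_policy(text):
    """Return ({(source, target, class): perms}, {bounded_type: parent_type})."""
    rules, bounds = defaultdict(set), {}
    for line in text.splitlines():
        words = line.strip().rstrip(";").replace("{", " ").replace("}", " ").split()
        if not words:
            continue
        if words[0] == "allow":
            target, cls = words[2].split(":")
            rules[(words[1], target, cls)].update(words[3:])
        elif words[0] == "typebounds":
            bounds[words[2]] = words[1]  # typebounds <parent> <child>
    return rules, bounds


def check_bounds(rules, bounds):
    """Every permission of a bounded type must also be held by its direct parent."""
    violations = []
    for child, parent in bounds.items():
        for (source, target, cls), perms in rules.items():
            if source != child:
                continue
            extra = perms - rules.get((parent, target, cls), set())
            if extra:
                violations.append((child, parent, target, cls, sorted(extra)))
    return violations


def bounds_violations(policy_text):
    return check_bounds(*parse_policy(policy_text))


if __name__ == "__main__":
    for child, parent, target, cls, extra in bounds_violations(SAMPLE_POLICY):
        print(f"{child} is bounded by {parent} but allows {target}:{cls} {extra}")
```

With the constructed rules, docker_t passes against unconfined_t, while svirt_lxc_net_t fails against docker_t because of the extra execute permission.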