From: Miroslav Grepl <mgrepl@redhat.com>
To: Dominick Grift <dac.override@gmail.com>,
Stephen Smalley <sds@tycho.nsa.gov>,
selinux@tycho.nsa.gov
Subject: Re: strange pam_selinux behavior
Date: Thu, 24 Mar 2016 14:30:23 +0100 [thread overview]
Message-ID: <56F3EBEF.7050808@redhat.com> (raw)
In-Reply-To: <56F3EA88.1020703@gmail.com>
On 03/24/2016 02:24 PM, Dominick Grift wrote:
> On 03/24/2016 02:14 PM, Miroslav Grepl wrote:
>
> <snip>
>
>>>
>>> added the access vector back in but that seems to not make any
>>> differenc e.
>
>> So you are still getting the same error message, right?
>
>
> not quite right:
>
> It now longer shows this: "Failed to translate security class context"
>
> So that part seems to have been fixed by adding the access vector
>
> however this error is still the same:
>
>> pam_selinux(sshd:session): Security context
>> wheel.id:wheel.role:wheel.subj:s0-s0:c0.c1023 is not allowed for
>> wheel.id:wheel.role:wheel.s ubj:s0-s0:c0.c1023 Mar 24 13:43:03 void
>> sshd[14723]: pam_selinux(sshd:session): Unable to get valid context
>> for kcinimod
>
> So looking at the code:
>
>> src_context = context_new (src); dst_context = context_new (dst);
>> context_range_set(dst_context, context_range_get(src_context)); if
>> (debug) pam_syslog(pamh, LOG_NOTICE, "Checking if %s mls range
>> valid for %s", dst, context_str(dst_context));
>
>> retval = security_compute_av(context_str(dst_context), dst, class,
>> bit, &avd); context_free(src_context); context_free(dst_context);
>> if (retval || ((bit & avd.allowed) != bit)) return 0;
>
>> return 1;
>
> it appears that security_compute_av returns bad. But i can't figure
> out how to reproduce that with "compute_av":
>
> # compute_av wheel.id:wheel.role:wheel.subj:s0-s0:c0.c1023
> wheel.id:wheel.role:wheel.subj:s0-s0:c0.c1023 process
>
> allowed = { fork sigchld sigkill signull signal getsched setsched
> setpgid getattr setfscreate }
>
> This works fine with stock fedora policy BTW. this seems to be a DSSP
> specific issue. I am wondering if my policy has a bug somewhere...
That's my point. If it is a bug in your policy or there is a bug related
to CIL. I can try to install your DSSP policy and check it.
>
>
>
--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
next prev parent reply other threads:[~2016-03-24 13:30 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-23 17:58 strange pam_selinux behavior Dominick Grift
2016-03-23 18:32 ` Dominick Grift
2016-03-23 18:37 ` Dominick Grift
2016-03-23 19:08 ` Stephen Smalley
2016-03-23 19:09 ` Dominick Grift
2016-03-23 19:41 ` Dominick Grift
2016-03-24 13:14 ` Miroslav Grepl
2016-03-24 13:24 ` Dominick Grift
2016-03-24 13:30 ` Miroslav Grepl [this message]
2016-03-24 14:01 ` Dominick Grift
2016-03-24 14:31 ` Dominick Grift
2016-03-24 20:42 ` Daniel J Walsh
2016-03-24 20:52 ` Dominick Grift
2016-03-25 16:02 ` Dominick Grift
2016-03-25 16:31 ` Stephen Smalley
2016-03-25 16:45 ` Dominick Grift
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=56F3EBEF.7050808@redhat.com \
--to=mgrepl@redhat.com \
--cc=dac.override@gmail.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.