From: Stephen Smalley <sds@tycho.nsa.gov>
To: Dominick Grift <dac.override@gmail.com>,
	Daniel J Walsh <dwalsh@redhat.com>,
	Miroslav Grepl <mgrepl@redhat.com>,
	selinux@tycho.nsa.gov
Subject: Re: strange pam_selinux behavior
Date: Fri, 25 Mar 2016 12:31:46 -0400	[thread overview]
Message-ID: <56F567F2.8030507@tycho.nsa.gov> (raw)
In-Reply-To: <56F56129.3080509@gmail.com>

On 03/25/2016 12:02 PM, Dominick Grift wrote:
> I set out to try mcstransd again today. After doing some searching I
> found a clue about the requirement to add accesscheck=1 to
> setrans.conf to at least enable checking of the translate av perm.
> 
> So I added a few auditallow rules that should catch at least some
> checks; however, nothing shows up in the logs.
> 
> Either I am overlooking something or the mcstransd object manager is
> broken.

Yes, I mentioned the lack of this access check in
http://article.gmane.org/gmane.comp.security.selinux/22011

However, the mcscolor code within mcstrans still does a check of the
context contains permission.  This is only exercised if something calls
selinux_raw_context_to_color() in libselinux, and if one has a
secolor.conf.  That was added for SELinux-aware graphical applications
which display security contexts in order to associate color schemes with
security contexts.

Likely unused in Fedora but may be used in various MLS desktop solutions
built on SELinux.
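For readers unfamiliar with the object class under discussion, the following is an added illustration (not code from this thread or from mcstrans) of what the setrans.conf setting and the auditallow rules Dominick refers to look like. The `context` object class with its `translate` and `contains` permissions is the real class the check is made against; the type names `setrans_t`, `user_t` and `staff_t` are placeholders assumed here, and which context ends up as source and which as target in the `contains` check is not stated in the thread, so the rules are written with placeholder types only. Per Stephen's reply, only the `contains` check is actually exercised today, and only when something calls `selinux_raw_context_to_color()` with a secolor.conf present.

```selinux
# --- setrans.conf fragment (assumed path: /etc/selinux/<policy>/setrans.conf)
# The setting Dominick found was supposed to enable the translate check.
# As the thread reports, no translate check is currently performed.
accesscheck=1

# --- policy fragment (.te), placeholder types only
# Permission names are real: class context { translate contains }.
# Source/target types are assumptions, not taken from mcstrans source.
auditallow user_t  setrans_t:context translate;
auditallow staff_t setrans_t:context translate;

# The contains check is the one mcscolor does perform when a
# secolor.conf is in use. Source and target here are placeholders.
auditallow user_t  staff_t:context contains;
```

If these rules are loaded and an MLS-aware application that consults secolor.conf asks libselinux for a colour, a `contains` audit record should appear; the absence of any `translate` record is the behaviour the thread is discussing, not a sign the rules are wrong.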
