about selinux_validate_context
Sandra Rueda
ruedarod at cse.psu.edu
Wed May 5 13:38:28 UTC 2010
Hello again,
I am sorry for my lack of precision in the previous e-mail.
I am actually using the reference policy, and I am curious about this rule.
These are the interfaces/templates calls that end in the rule that I included in my previous e-mail:
> selinux_validate_context is called by userdom_common_user_template (in userdomain.if)
> userdom_common_user_template is called by userdom_unpriv_user_template (in unpriv_user.te)
The line in unpriv_user.te is:
userdom_unpriv_user_template(user)
I am not sure which interface/template call to remove, since the same template (userdom_unpriv_user_template) is called for secadm, staff, and auditadm ... which seems strange ... does it not?
I guess I can create a second set of templates/calls without the call to selinux_validate_context. Does this sound reasonable?
Thanks for your advice,
Sandra
On May 4, 2010, at 12:52 PM, Daniel J Walsh wrote:
>
> On 05/04/2010 12:40 PM, Sandra Rueda wrote:
>> Hello,
>>
>> I am getting the following rule in my SELinux policy:
>> allow user_t security_t:file {read write};
>>
>> I traced it and I found the interface selinux_validate_context grants permissions to read and write files with type security_t.
>> Are these permissions required to validate a security context?
>> Should they be granted to user_t?
>>
>> Thanks,
>> Sandra
>>
>> --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>>
> The way a security context is validated is by writing to the
> /security/context kernel interface. Which would generate this AVC. If
> you want the user_t user to be able to validate a context, then you need
> this interface.
>
> A better solution would probably be to write policy for the application
> that the user is executing that needs to validate policy and allow it
> the access.
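The approach Daniel suggests, confining the application that validates contexts in its own domain so that the `security_t` access lands there rather than in user_t, as an added reference-policy example that is not from the list thread (the module name myapp, the types myapp_t/myapp_exec_t and the path /usr/bin/myapp are assumed). With this module the rule generated by selinux_validate_context becomes `allow myapp_t security_t:file { read write };`, and user_t only gets the domain transition.

```m4
# myapp.te (hypothetical module; myapp_t, myapp_exec_t and
# /usr/bin/myapp are assumed names, not from the thread)
policy_module(myapp, 1.0.0)

########################################
#
# Declarations
#

type myapp_t;
type myapp_exec_t;
application_domain(myapp_t, myapp_exec_t)

########################################
#
# Local policy
#

# Context validation is a write to the selinuxfs "context" node
# (type security_t), so the interface is granted to the confined
# application domain instead of to user_t.
selinux_validate_context(myapp_t)

# The program reports its result on the user's terminal.
userdom_use_user_terminals(myapp_t)

# myapp.if: let a caller's domain transition into myapp_t when it
# executes the labelled binary.
interface(`myapp_domtrans',`
	gen_require(`
		type myapp_t, myapp_exec_t;
	')

	domtrans_pattern($1, myapp_exec_t, myapp_t)
')

# myapp.fc: label the entry point.
/usr/bin/myapp	--	gen_context(system_u:object_r:myapp_exec_t,s0)

# unpriv_user.te: keep userdom_unpriv_user_template(user) as it is;
# only the transition into the confined domain is added for user_t.
myapp_domtrans(user_t)
```

The three file sections above belong in separate files of one policy module; the unpriv_user.te line goes next to the existing template call rather than into the new module.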