about selinux_validate_context

Sandra Rueda ruedarod at cse.psu.edu
Wed May 5 13:38:28 UTC 2010


Hello again, 

I am sorry for my lack of precision in the previous e-mail. 
I am actually using the reference policy, and I am curious about this rule.

These are the interface/template calls that end in the rule that I included in my previous e-mail: 
> selinux_validate_context is called by userdom_common_user_template (in userdomain.if)
> userdom_common_user_template is called by userdom_unpriv_user_template (in unpriv_user.te)

The line in unpriv_user.te is: 
userdom_unpriv_user_template(user)

I am not sure which interface/template call to remove, since the same template (userdom_unpriv_user_template) is called for secadm, staff, and auditadm ... which seems strange ... does it not? 
I guess I can create a second set of template/calls without the call to selinux_validate_context. Does this sound reasonable? 

Thanks for your advice, 
Sandra

On May 4, 2010, at 12:52 PM, Daniel J Walsh wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 05/04/2010 12:40 PM, Sandra Rueda wrote:
>> Hello, 
>> 
>> I am getting the following rule in my SELinux policy: 
>> allow user_t security_t:file {read write};
>> 
>> I traced it and I found the interface selinux_validate_context grants permissions to read and write files with type security_t. 
>> Are these permissions required to validate a security context? 
>> Should they be granted to user_t?
>> 
>> Thanks, 
>> Sandra
>> 
>> --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>> 
>> 
> The way a security context is validated is by writing to the
> /security/context kernel interface, which would generate this AVC.  If
> you want the user_t user to be able to validate a context, then you need
> this interface.
> 
> A better solution would probably be to write policy for the application
> that the user is executing that needs to validate policy and allow it
> the access.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.14 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
> 
> iEYEARECAAYFAkvgUOgACgkQrlYvE4MpobNSxwCg1lWRxrTE/x/shfZJ04BNXJE3
> 2WwAoI/b5LZbIrhGkz4fNLLeWeFQFUmS
> =5QKI
> -----END PGP SIGNATURE-----
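Daniel's suggestion above (confine the application that needs to validate contexts and give that domain the access, instead of leaving it in the unprivileged user template) can be expressed as a small reference-policy module. The module below is an added example and is not from this thread or from refpolicy itself; the helper name ctxcheck, its domain ctxcheck_t, its entry-point type ctxcheck_exec_t, and the user_t/user_r names it requires are assumptions for illustration.

```selinux
# ctxcheck.te -- added example module, not part of the thread or refpolicy.
# It confines a hypothetical context-validating helper (assumed to be
# labelled ctxcheck_exec_t via a matching .fc entry) in its own domain, so
# the security_t file access granted by selinux_validate_context() lands on
# ctxcheck_t only, and user_t keeps no read/write to security_t files.

policy_module(ctxcheck, 1.0.0)

########################################
#
# Declarations
#

type ctxcheck_t;
type ctxcheck_exec_t;
application_domain(ctxcheck_t, ctxcheck_exec_t)

########################################
#
# Local policy
#

# The same interface the thread traced, applied to the helper's own domain
# rather than to every domain built from userdom_unpriv_user_template().
selinux_validate_context(ctxcheck_t)

# Let the (assumed) unprivileged user domain run the helper and transition
# into ctxcheck_t; user_t itself never receives the security_t access.
gen_require(`
	type user_t;
	role user_r;
')
domtrans_pattern(user_t, ctxcheck_exec_t, ctxcheck_t)
role user_r types ctxcheck_t;
```

The matching ctxcheck.fc entry would label the helper's binary with ctxcheck_exec_t (e.g. `/usr/bin/ctxcheck -- gen_context(system_u:object_r:ctxcheck_exec_t,s0)`, path assumed). The helper will typically need further access for its own I/O (terminal use, reading its input), which the AVC denials from a test run will show; none of those involve security_t. Once the selinux_validate_context() call is also removed from the user template, `sesearch -A -s user_t -t security_t -c file` against the rebuilt policy is the check that `allow user_t security_t:file { read write }` is gone, while the same query with `-s ctxcheck_t` still lists it.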