On 08/29/2011 12:52 PM, Christopher J. PeBenito wrote:
On 08/29/11 08:33, Stephen Smalley wrote:
> On Fri, 2011-08-26 at 20:51 +0200, Miroslav Grepl wrote:
>> Together with Dan Walsh, Jan Chadima we made some changes in the openssh
>> package.
>>
>> But we have the following issue with the following code
>>
>> ...
>>
>> if (internal-sftp) {          /* in-process sftp subsystem             */
>>     setuid();                 /* drop to the user's uid                */
>>     getexeccon(&scon);        /* context policy would give on exec     */
>>     setcon(scon);             /* switch this process to it: dyntransition */
>>     freecon(scon);
>> }
>>
>> ...
>>
>> We have
>>
>> allow sshd_t unpriv_userdomain:process dyntransition
>>
>> rule but we get a constraint violation with the following AVC msg
>>
>> type=AVC msg=audit(1314348650.561:7910): avc: denied { dyntransition }
>> for
>> pid=555 comm="sshd"
>> scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023
>> tcontext=staff_u:staff_r:staff_t:s0
>>
>> because of
>>
>> constrain process dyntransition
>> (
>> u1 == u2 and r1 == r2
>> )
>>
>> My question is why dyntrans is not allowed to change USER or ROLE.
>>
>>
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=729648
> I think just because we haven't previously had a system program using
> setcon(3) to switch its user/role.
Also because the theory was that we would be reproducing privilege-bracketed
domains, so you'd be going to a different privilege in e.g. httpd_t ->
httpd_mycgi_t, and that would not require user or role changes.
Ok, I understand. Thanks.
Could we add an attribute to break this?
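To make the distinction in this thread concrete (an allow rule that is present while the constraint still denies), here is an added example that is not part of the list thread or of the openssh/refpolicy code. It parses the AVC record quoted above, checks the type-enforcement side against a toy rule set, and then evaluates the quoted constraint `u1 == u2 and r1 == r2` on the source and target contexts. The attribute membership in `ATTRIBUTES`, the default `tclass=process`, and all function names are assumptions made for the example.

```python
import re

# Constructed input: the AVC record quoted in the thread, joined onto one line.
# Real audit records also carry tclass=...; the quoted one does not, so the
# class defaults to "process" when absent (an assumption of this example).
AVC_LINE = (
    'type=AVC msg=audit(1314348650.561:7910): avc: denied { dyntransition } '
    'for pid=555 comm="sshd" '
    'scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'tcontext=staff_u:staff_r:staff_t:s0'
)

# Toy type-enforcement model, constructed for illustration. The attribute
# membership is assumed; the allow rule is the one quoted in the thread.
ATTRIBUTES = {'unpriv_userdomain': {'staff_t', 'user_t'}}
ALLOW_RULES = [('sshd_t', 'unpriv_userdomain', 'process', {'dyntransition'})]


def parse_context(ctx):
    """Split user:role:type[:mls] into its fields."""
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        raise ValueError(f'malformed security context: {ctx}')
    return {'user': parts[0], 'role': parts[1], 'type': parts[2],
            'mls': parts[3] if len(parts) > 3 else ''}


def parse_avc(line):
    """Extract the denied permission set and key=value fields from an AVC record."""
    m = re.search(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}', line)
    if not m:
        raise ValueError('not an AVC denial record')
    fields = {k: v.strip('"')
              for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    return {'perms': set(m.group(1).split()),
            'scontext': fields['scontext'],
            'tcontext': fields['tcontext'],
            'tclass': fields.get('tclass', 'process'),
            'comm': fields.get('comm', '')}


def te_allows(stype, ttype, tclass, perm):
    """Does some allow rule grant perm, expanding target attributes to types?"""
    for src, tgt, cls, perms in ALLOW_RULES:
        targets = ATTRIBUTES.get(tgt, {tgt})
        if src == stype and ttype in targets and cls == tclass and perm in perms:
            return True
    return False


def constraint_violations(scontext, tcontext):
    """Evaluate the constraint quoted in the thread: u1 == u2 and r1 == r2.
    Returns a list of the sub-conditions that fail (empty means it passes)."""
    s, t = parse_context(scontext), parse_context(tcontext)
    out = []
    if s['user'] != t['user']:
        out.append(f"user {s['user']} -> {t['user']}")
    if s['role'] != t['role']:
        out.append(f"role {s['role']} -> {t['role']}")
    return out


def explain_denial(line):
    """Map each denied permission to the reason: no allow rule, or constraint."""
    avc = parse_avc(line)
    s, t = parse_context(avc['scontext']), parse_context(avc['tcontext'])
    report = {}
    for perm in sorted(avc['perms']):
        te_ok = te_allows(s['type'], t['type'], avc['tclass'], perm)
        viol = (constraint_violations(avc['scontext'], avc['tcontext'])
                if perm == 'dyntransition' else [])
        if not te_ok:
            report[perm] = 'no allow rule'
        elif viol:
            report[perm] = 'constraint: ' + ', '.join(viol)
        else:
            report[perm] = 'allowed by TE and constraint'
    return report


if __name__ == '__main__':
    for perm, reason in explain_denial(AVC_LINE).items():
        print(f'{perm}: {reason}')
```

Run against the quoted record, the allow rule matches (staff_t is in the assumed attribute), so the only remaining reason for the denial is the constraint, and the report names both failing sub-conditions: the user changes from unconfined_u to staff_u and the role from system_r to staff_r. That is the same conclusion the thread reaches, but derived mechanically from the audit record, which is useful when triaging denials where it is not obvious whether TE or a constraint is responsible.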