On 08/29/2011 10:38 AM, Daniel J Walsh wrote:
On 08/29/2011 11:10 AM, Miroslav Grepl wrote:
> On 08/29/2011 12:52 PM, Christopher J. PeBenito wrote:
>> On 08/29/11 08:33, Stephen Smalley wrote:
>>> On Fri, 2011-08-26 at 20:51 +0200, Miroslav Grepl wrote:
>>>> Together with Dan Walsh, Jan Chadima we made some changes
>>>> in the openssh package.
>>>>
>>>> But we have the following issue with the following code
>>>>
>>>> ...
>>>>
>>>> if (internal-sftp) {
>>>>     setuid(); getexecon(&scon);
>>>>     setcon(scon); freecon(scon);
>>>> }
>>>>
>>>> ...
>>>>
>>>> We have
>>>>
>>>> allow sshd_t unpriv_userdomain:process dyntransition
>>>>
>>>> rule but we get a constraint violation with the following
>>>> AVC msg
>>>>
>>>> type=AVC msg=audit(1314348650.561:7910): avc: denied {
>>>> dyntransition } for pid=555 comm="sshd"
>>>> scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023
>>>> tcontext=staff_u:staff_r:staff_t:s0
>>>>
>>>> because of
>>>>
>>>> constrain process dyntransition ( u1 == u2 and r1 == r2 )
>>>>
>>>> My question is why dyntrans is not allowed to change USER
>>>> or ROLE.
>>>>
>>>>
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=729648
>>> I think just because we haven't previously had a system
>>> program using setcon(3) to switch its user/role.
>> Also because the theory we would be reproducing privilege
>> bracketed domains, so you'd be going to a different privilege
>> in eg httpd_t -> httpd_mycgi_t, and that would not require user
>> or role changes.
>>
> Ok, I understand. Thanks.
> Could we add an attribute to break this?
Or say it is ok for a userdomain?
-- selinux mailing list selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
constrain process dyntransition
(
    (u1 == u2 and r1 == r2) or t2 == unpriv_userdomain
);
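As an added illustration (not code from the thread or from any SELinux tool), the Python below models the two checks a dyntransition request has to pass: a TE allow rule and every constraint on the permission. It parses the AVC quoted above, then applies the original constraint and the relaxed one proposed above (reading its `=` as the constraint language's `==`), against a constructed attribute map in which staff_t carries unpriv_userdomain.

```python
import re

# Constructed AVC line, modelled on the denial quoted in the thread.
AVC_LINE = ('type=AVC msg=audit(1314348650.561:7910): avc: denied { dyntransition } '
            'for pid=555 comm="sshd" scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 '
            'tcontext=staff_u:staff_r:staff_t:s0')

# Constructed policy fragment (assumption): which types carry which attributes,
# plus the single allow rule mentioned in the thread.
ATTRS = {"staff_t": {"userdomain", "unpriv_userdomain"}, "sshd_t": {"daemon"}}
ALLOW_DYNTRANSITION = [("sshd_t", "unpriv_userdomain")]

def parse_context(ctx):
    """user:role:type[:mls] -> (user, role, type); MLS fields are ignored here."""
    user, role, typ = ctx.split(":", 3)[:3]
    return user, role, typ

def parse_avc(line):
    """Return (scontext, tcontext) tuples taken from an AVC denial line."""
    m = re.search(r"scontext=(\S+) tcontext=(\S+)", line)
    if m is None:
        raise ValueError("no scontext/tcontext in AVC line")
    return parse_context(m.group(1)), parse_context(m.group(2))

def has_attr_or_type(typ, name):
    """In a constraint, 't == X' holds if t is the type X or X is an attribute of t."""
    return typ == name or name in ATTRS.get(typ, set())

def original_constraint(src, tgt):
    # constrain process dyntransition ( u1 == u2 and r1 == r2 )
    u1, r1, _ = src
    u2, r2, _ = tgt
    return u1 == u2 and r1 == r2

def relaxed_constraint(src, tgt):
    # ( (u1 == u2 and r1 == r2) or t2 == unpriv_userdomain )
    return original_constraint(src, tgt) or has_attr_or_type(tgt[2], "unpriv_userdomain")

def dyntransition_allowed(src, tgt, constraint):
    """Both must hold: a matching TE allow rule and the constraint on the permission."""
    rule_ok = any(has_attr_or_type(src[2], s) and has_attr_or_type(tgt[2], t)
                  for s, t in ALLOW_DYNTRANSITION)
    return rule_ok and constraint(src, tgt)

if __name__ == "__main__":
    src, tgt = parse_avc(AVC_LINE)
    for name, c in (("original", original_constraint), ("relaxed", relaxed_constraint)):
        verdict = "granted" if dyntransition_allowed(src, tgt, c) else "denied"
        print(f"{name} constraint: sshd_t -> staff_t dyntransition {verdict}")
```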