Hello again,
I am sorry for my lack of precision in the previous e-mail.
I am actually using the reference policy, and I am curious about this rule.
These are the interface/template calls that end in the rule that I included in my
previous e-mail:
selinux_validate_context is called by userdom_common_user_template (in userdomain.if)
userdom_common_user_template is called by userdom_unpriv_user_template (in unpriv_user.te)
The line in unpriv_user.te is:
userdom_unpriv_user_template(user)
I am not sure what interface/template call to remove, since the same template
(userdom_unpriv_user_template) is called for secadm, staff, and auditadm ... which seems
strange ... does it not?
I guess I can create a second set of template/calls without the call to
selinux_validate_context. Does this sound reasonable?
Thanks for your advice,
Sandra
On May 4, 2010, at 12:52 PM, Daniel J Walsh wrote:
On 05/04/2010 12:40 PM, Sandra Rueda wrote:
> Hello,
>
> I am getting the following rule in my SELinux policy:
> allow user_t security_t:file {read write};
>
> I traced it and I found the interface selinux_validate_context grants permissions to
> read and write files with type security_t.
> Are these permissions required to validate a security context?
> Should they be granted to user_t?
>
> Thanks,
> Sandra
>
> --
> selinux mailing list
> selinux(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
The way a security context is validated is by writing to the
/security/context kernel interface, which would generate this AVC. If
you want the user_t user to be able to validate a context, then you need
this interface.
A better solution would probably be to write policy for the application
that the user is executing that needs to validate policy, and allow it
the access.
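The approach Daniel describes, confining the one program that needs to validate contexts instead of giving every user_t process read/write on security_t, sketched as an added reference-policy module. This is an example written for this page, not code from the thread or from the reference policy itself: the module name ctxcheck, the type names ctxcheck_t/ctxcheck_exec_t, the binary path /usr/bin/ctxcheck and the exact set of runtime interfaces are assumptions; selinux_validate_context, application_domain, domtrans_pattern and the user_t/user_r names from unpriv_user.te are taken as they exist in the reference policy.

```selinux
# ---- ctxcheck.te (hypothetical module; not from the thread) ----
policy_module(ctxcheck, 1.0.0)

type ctxcheck_t;
type ctxcheck_exec_t;
# Declare a user-level application domain with its entry-point executable.
application_domain(ctxcheck_t, ctxcheck_exec_t)

# This is the only domain that receives
#   allow ctxcheck_t security_t:file { read write };
# user_t itself no longer needs the per-user selinux_validate_context() call.
selinux_validate_context(ctxcheck_t)

# Minimal runtime needs of a small helper program (assumed; trim or extend
# according to the AVC denials the helper actually produces).
files_read_etc_files(ctxcheck_t)
libs_use_ld_so(ctxcheck_t)
libs_use_shared_libs(ctxcheck_t)
userdom_use_user_terminals(ctxcheck_t)

# ---- ctxcheck.if ----
########################################
## <summary>
##	Execute ctxcheck in the ctxcheck domain and allow
##	the specified role the ctxcheck domain.
## </summary>
## <param name="domain"><summary>Domain allowed to transition.</summary></param>
## <param name="role"><summary>Role allowed access.</summary></param>
#
interface(`ctxcheck_run',`
	gen_require(`
		type ctxcheck_t, ctxcheck_exec_t;
	')

	# Automatic domain transition when $1 executes the labelled binary.
	domtrans_pattern($1, ctxcheck_exec_t, ctxcheck_t)
	role $2 types ctxcheck_t;
')

# ---- ctxcheck.fc ----
/usr/bin/ctxcheck	--	gen_context(system_u:object_r:ctxcheck_exec_t,s0)

# ---- call site, e.g. next to userdom_unpriv_user_template(user) ----
# Instead of user_t carrying the security_t access, users transition
# into the confined helper to validate a context.
ctxcheck_run(user_t, user_r)
```

After rebuilding and loading the policy, the check that matters is that the original rule is gone: `sesearch -A -s user_t -t security_t -c file` should return nothing, while the same query with `-s ctxcheck_t` shows the read/write access. Since userdom_unpriv_user_template is shared by the staff, secadm and auditadm domains as well, the same transition can be offered to those roles with further ctxcheck_run calls rather than by re-adding selinux_validate_context to the template.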