Running strict/enforcing, with latest from Dan's tree.
The 'mount' command produces no output when run in enforcing mode. Works fine in permissive mode.
No AVCs produced.....
tom
Tom London wrote:
Running strict/enforcing, with latest from Dan's tree.
The 'mount' command produces no output when run in enforcing mode. Works fine in permissive mode.
No AVCs produced.....
tom
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
Try mount | cat
The problem is that sysadm is transitioning to the mount command, which is not allowed to write to tty devices. Normal users don't have the problem since they don't transition to mount.
Not sure how to solve.
Dan
On Thu, 2004-09-16 at 13:46, Daniel J Walsh wrote:
The problem is that sysadm is transitioning to the mount command, which is not allowed to write to tty devices. Normal users don't have the problem since they don't transition to mount.
Not sure how to solve.
You can allow mount_t to rw admin_tty_type:chr_file; it isn't the same situation as with a daemon where you want to prevent a compromised daemon from being able to access it.
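The two permissions the exchange above turns on, as an added example that is not code from the list or from the policy tree: a small analyser for type-enforcement rules that answers whether mount_t may keep the descriptors it inherits across the sysadm-to-mount_t transition (fd:use) and whether it may write the terminal device (chr_file:write), and that distinguishes a plain denial from one hidden by dontaudit. The policy text is constructed from the rules quoted in the thread; the `allow mount_t admin_tty_type:chr_file { read write };` line is an assumption standing in for the tty permission suggested above, and names such as `userdomain` are treated as literal targets rather than expanded attributes.

```python
"""Toy analyser for a handful of SELinux type-enforcement (TE) rules.

Added example, not code from the fedora-selinux-list thread. It models
the two rules that matter for the "mount prints nothing" report:
  - fd:use          may the new domain keep descriptors inherited across
                    the domain transition? Without it the inherited
                    stdout is not usable by mount_t, so output vanishes.
  - chr_file:write  may the domain write to the terminal device?
and shows why a dontaudit rule hides the denial from the AVC log.
Attributes such as 'userdomain' are matched by name only (no expansion).
"""
import re

RULE_RE = re.compile(
    r'^(allow|dontaudit)\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;'
)


def _names(tok):
    """Expand '{ a b }' (spacing optional) or 'a' into a set of names."""
    return set(tok.strip('{}').split())


def parse_te(text):
    """Return (kind, sources, targets, class, perms) for each allow/dontaudit line.

    Lines that are not rules (ifdef wrappers, m4 macros, comments) are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        m = RULE_RE.match(line) if line else None
        if m:
            kind, src, tgt, cls, perms = m.groups()
            rules.append((kind, _names(src), _names(tgt), cls, _names(perms)))
    return rules


def decide(rules, src, tgt, cls, perm):
    """Return 'allowed', 'denied-audited' or 'denied-silent'.

    A dontaudit rule never grants access; it only suppresses the AVC
    message for a denial, which is why the original report saw no AVCs."""
    silent = False
    for kind, s, t, c, p in rules:
        if src in s and tgt in t and c == cls and perm in p:
            if kind == 'allow':
                return 'allowed'
            silent = True
    return 'denied-silent' if silent else 'denied-audited'


# Constructed from the hunk quoted in the thread (old and new state).
BEFORE = """
allow mount_t mnt_t:dir { getattr };
dontaudit mount_t { userdomain kernel_t}:fd use;
allow mount_t admin_tty_type:chr_file { read write };   # assumed rule
"""

AFTER = """
allow mount_t mnt_t:dir { getattr };
allow mount_t { userdomain }:fd use;
dontaudit mount_t { kernel_t}:fd use;
allow mount_t admin_tty_type:chr_file { read write };   # assumed rule
"""


def mount_output_reaches_tty(policy_text):
    """Both checks must pass for mount's output to reach the sysadm's tty:
    the descriptor must survive the sysadm_t -> mount_t transition and
    mount_t must be allowed to write the tty. Returns the individual verdicts."""
    rules = parse_te(policy_text)
    fd = decide(rules, 'mount_t', 'userdomain', 'fd', 'use')
    tty = decide(rules, 'mount_t', 'admin_tty_type', 'chr_file', 'write')
    return {'fd_use': fd, 'tty_write': tty,
            'output_visible': fd == 'allowed' and tty == 'allowed'}


if __name__ == '__main__':
    for name, text in (('before patch', BEFORE), ('after patch', AFTER)):
        print(name, mount_output_reaches_tty(text))
```

Running it reports `fd_use: denied-silent` for the old policy, which is exactly the combination of no output and no AVC message from the first post; after the change the fd check passes and only the kernel_t case stays silently denied.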
Tom London wrote:
Running strict/enforcing, with latest from Dan's tree.
The 'mount' command produces no output when run in enforcing mode. Works fine in permissive mode.
No AVCs produced.....
tom
Try this.
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.17.17/domains/program/mount.te --- nsapolicy/domains/program/mount.te 2004-09-14 09:18:10.000000000 -0400 +++ policy-1.17.17/domains/program/mount.te 2004-09-16 13:50:45.899174425 -0400 @@ -93,7 +93,8 @@ allow mount_t file_type:filesystem { unmount mount relabelto };
allow mount_t mnt_t:dir { getattr }; -dontaudit mount_t { userdomain kernel_t}:fd use; +allow mount_t { userdomain }:fd use; +dontaudit mount_t { kernel_t}:fd use; can_exec(mount_t, { sbin_t bin_t }) allow mount_t device_t:dir r_dir_perms; ifdef(`distro_redhat', `
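Review bot: the removed `dontaudit mount_t { userdomain kernel_t}:fd use;` line is what made the report at the top of the thread so quiet: the fd:use denial on the descriptors inherited across the sysadm-to-mount_t transition was suppressed, so mount lost its stdout and no AVC was logged, while `mount | cat` worked because the pipe is not a tty. Splitting it into `allow mount_t { userdomain }:fd use;` and `dontaudit mount_t { kernel_t}:fd use;` is the right shape, but two things to check: fd:use only lets mount_t keep the inherited descriptor, so the fix also depends on mount_t already being allowed to write the admin tty's chr_file (the rw on admin_tty_type:chr_file suggested earlier in the thread); and since the sysadm-to-mount_t transition is attributed to a distribution-specific su bug further down, the new allow line belongs inside the ifdef(`distro_redhat', ...) block that the surrounding context already uses rather than unconditionally. Minor style: `{ kernel_t}` is missing the closing space used elsewhere in the file (`{ sbin_t bin_t }`).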
1. 'mount | cat' indeed works.
2. 'mount' from normal user also works.
3. Patch applied and works!
Thanks! tom
On Thu, 16 Sep 2004 13:51:32 -0400, Daniel J Walsh dwalsh@redhat.com wrote:
Tom London wrote:
Running strict/enforcing, with latest from Dan's tree.
The 'mount' command produces no output when run in enforcing mode. Works fine in permissive mode.
No AVCs produced.....
tom
Try this.
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.17.17/domains/program/mount.te --- nsapolicy/domains/program/mount.te 2004-09-14 09:18:10.000000000 -0400 +++ policy-1.17.17/domains/program/mount.te 2004-09-16 13:50:45.899174425 -0400 @@ -93,7 +93,8 @@ allow mount_t file_type:filesystem { unmount mount relabelto };
allow mount_t mnt_t:dir { getattr }; -dontaudit mount_t { userdomain kernel_t}:fd use; +allow mount_t { userdomain }:fd use; +dontaudit mount_t { kernel_t}:fd use; can_exec(mount_t, { sbin_t bin_t }) allow mount_t device_t:dir r_dir_perms; ifdef(`distro_redhat', `
On Fri, 17 Sep 2004 03:51, Daniel J Walsh dwalsh@redhat.com wrote:
Tom London wrote:
Running strict/enforcing, with latest from Dan's tree.
The 'mount' command produces no output when run in enforcing mode. Works fine in permissive mode.
Try this.
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.17.17/domains/program/mount.te --- nsapolicy/domains/program/mount.te 2004-09-14 09:18:10.000000000 -0400 +++ policy-1.17.17/domains/program/mount.te 2004-09-16 13:50:45.899174425 -0400 @@ -93,7 +93,8 @@ allow mount_t file_type:filesystem { unmount mount relabelto };
allow mount_t mnt_t:dir { getattr }; -dontaudit mount_t { userdomain kernel_t}:fd use; +allow mount_t { userdomain }:fd use; +dontaudit mount_t { kernel_t}:fd use;
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=132914
This is a bug in su which we have to get fixed.
In the meantime it's best to have ifdef(`distro_redhat' around that, as no other distribution has this issue.