On Fri, 2010-04-30 at 16:42 -0500, Xavier Toth wrote:
On Fri, Apr 30, 2010 at 3:38 PM, Xavier Toth <txtoth(a)gmail.com>
wrote:
> I'm going to simplify this because a lot of the detail isn't import to
> the issue I'm working through. I'm taring some files, one of which
> happens to be labeled SystemHigh and the rest SystemLow. An init
> script, running SystemLow-SystemHigh, is later run on a different
> system which untars the file. tar generates a warning message about
> setfilecon failing for the file labeled SystemHigh and I see a
> SELINUX_ERR message in the audit log (security_validate_transition:
> denied for oldcontext=system_u:object_r:selinux_config_t:s0
> newcontext=system_u:object_r:selinux_config_t:s15:c0-c1023
> taskcontext=system_u:system_r:initrc_t=s0-s15:c0.c1023 tclass=file). I
> am using run_init to run test this init script. What I'm confused
> about is that there are no AVCs (I did an semnodule -DB just to see if
> there were any dontaudits) and why there even is a failure as initrc_t
> uses the mls_file_write_all_levels marco. Also does anyone know of a
> way to see the contexts stored in the tar file?
>
> Ted
>
I see now, initrc_t policy doesn't use mls_file_upgrade but I still
don't like the no AVC bit.
The AVC isn't involved in that check. security_validate_transition()
and the mlsvalidatetrans constraints were introduced to enable a check
to be applied based on all 3 security contexts (old file context, new
file context, process context) simultaneously, which wasn't possible via
the pairwise AVC checks. selinux_inode_setxattr() invokes
security_validate_transition() after applying the AVC permission checks
during file relabeling.
--
Stephen Smalley
National Security Agency