Please see https://bugzilla.redhat.com/show_bug.cgi?id=990910
This is a pretty serious problem -- people need to be able to install packages via cloud-init.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 11/27/2013 05:05 PM, Matthew Miller wrote:
Please see https://bugzilla.redhat.com/show_bug.cgi?id=990910
This is a pretty serious problem -- people need to be able to install packages via cloud-init.
I just built selinux-policy-3.12.1-106.fc20 which should fix this issue in F20, could you try it out and make sure it works for you?
On Mon, Dec 02, 2013 at 10:11:14AM -0500, Daniel J Walsh wrote:
I just built selinux-policy-3.12.1-106.fc20 which should fix this issue in F20, could you try it out and make sure it works for you?
Thanks -- building a new image to test it out now.
On Mon, Dec 02, 2013 at 01:00:08PM -0500, Matthew Miller wrote:
I just built selinux-policy-3.12.1-106.fc20 which should fix this issue in F20, could you try it out and make sure it works for you?
Thanks -- building a new image to test it out now.
And, that works.
Now off to draft some release criteria around this kind of thing. :)
On Mon, 2013-12-02 at 10:11 -0500, Daniel J Walsh wrote:
On 11/27/2013 05:05 PM, Matthew Miller wrote:
Please see https://bugzilla.redhat.com/show_bug.cgi?id=990910
This is a pretty serious problem -- people need to be able to install packages via cloud-init.
I just built selinux-policy-3.12.1-106.fc20 which should fix this issue in F20, could you try it out and make sure it works for you? --
i do not see how:
+ rpm_transition_script(cloud_init_t)
fixes this issue:
avc: denied { transition } for pid=583 comm="yum" path="/usr/bin/bash" dev="xvda1" ino=4597 scontext=system_u:system_r:cloud_init_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process
yum is labeled rpm_exec_t:
-rwxr-xr-x. root root system_u:object_r:rpm_exec_t:s0 /usr/bin/yum
there is a rule that makes processes with the cloud_init_t type transition from cloud_init_t to rpm_t on rpm_exec_t:
rpm_domtrans(cloud_init_t)
so if that rule was applied at the point of the test than this event shouldnt have occurred ... unless i am missing something
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 12/02/2013 01:51 PM, Dominick Grift wrote:
On Mon, 2013-12-02 at 10:11 -0500, Daniel J Walsh wrote:
On 11/27/2013 05:05 PM, Matthew Miller wrote:
Please see https://bugzilla.redhat.com/show_bug.cgi?id=990910
This is a pretty serious problem -- people need to be able to install packages via cloud-init.
I just built selinux-policy-3.12.1-106.fc20 which should fix this issue in F20, could you try it out and make sure it works for you? --
i do not see how:
- rpm_transition_script(cloud_init_t)
fixes this issue:
avc: denied { transition } for pid=583 comm="yum" path="/usr/bin/bash" dev="xvda1" ino=4597 scontext=system_u:system_r:cloud_init_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process
yum is labeled rpm_exec_t:
-rwxr-xr-x. root root system_u:object_r:rpm_exec_t:s0 /usr/bin/yum
there is a rule that makes processes with the cloud_init_t type transition from cloud_init_t to rpm_t on rpm_exec_t:
rpm_domtrans(cloud_init_t)
so if that rule was applied at the point of the test than this event shouldnt have occurred ... unless i am missing something
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
We already added a rpm_domtrans(cloud_init_t) rule. My understanding was they were still getting the transition rule, which was causing problems. I was thinking that the tool had sucked in rpm/yum rules rather then executing a separate binary.
On Mon, 2013-12-02 at 14:41 -0500, Daniel J Walsh wrote:
avc: denied { transition } for pid=583 comm="yum" path="/usr/bin/bash" dev="xvda1" ino=4597 scontext=system_u:system_r:cloud_init_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process
We already added a rpm_domtrans(cloud_init_t) rule. My understanding was they were still getting the transition rule, which was causing problems. I was thinking that the tool had sucked in rpm/yum rules rather then executing a separate binary.
I see your point but if that is the case then why is "yum" in comm=?
The way i see it, yum command was executed, and so the transition should have taken place. That is assuming that the transition rule was in place when the test was done.
Maybe the avc denial above was't accurate for the latest issue
I am just saying that with the info i have at my disposal, things do not add up.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 12/02/2013 02:48 PM, Dominick Grift wrote:
On Mon, 2013-12-02 at 14:41 -0500, Daniel J Walsh wrote:
avc: denied { transition } for pid=583 comm="yum" path="/usr/bin/bash" dev="xvda1" ino=4597 scontext=system_u:system_r:cloud_init_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process
We already added a rpm_domtrans(cloud_init_t) rule. My understanding was they were still getting the transition rule, which was causing problems. I was thinking that the tool had sucked in rpm/yum rules rather then executing a separate binary.
I see your point but if that is the case then why is "yum" in comm=?
The way i see it, yum command was executed, and so the transition should have taken place. That is assuming that the transition rule was in place when the test was done.
Maybe the avc denial above was't accurate for the latest issue
I am just saying that with the info i have at my disposal, things do not add up.
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
I agree I don't think it was every tested with the latest policy.
selinux@lists.fedoraproject.org