sshd constraint violation issue
Stephen Smalley
sds at tycho.nsa.gov
Mon Aug 29 12:33:04 UTC 2011
On Fri, 2011-08-26 at 20:51 +0200, Miroslav Grepl wrote:
> Together with Dan Walsh, Jan Chadima we made some changes in the openssh
> package.
>
> But we have the following issue with the following code
>
> ...
>
> if (internal_sftp) {
>     setuid(uid);            /* drop privileges to the target user's uid */
>     getexeccon(&scon);      /* fetch the exec context (user:role:type) prepared for the session */
>     setcon(scon);           /* switch this process's context in place: needs process dyntransition */
>     freecon(scon);
> }
>
> ...
>
> We have
>
> allow sshd_t unpriv_userdomain:process dyntransition
>
> rule but we get a constraint violation with the following AVC msg
>
> type=AVC msg=audit(1314348650.561:7910): avc: denied { dyntransition } for pid=555 comm="sshd" scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0
>
> because of
>
> constrain process dyntransition
> (
> u1 == u2 and r1 == r2
> )
>
> My question is why dyntrans is not allowed to change USER or ROLE.
>
>
> https://bugzilla.redhat.com/show_bug.cgi?id=729648
I think just because we haven't previously had a system program using
setcon(3) to switch its user/role.
--
Stephen Smalley
National Security Agency
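An added example, not part of the thread: a small Python checker that parses an AVC record like the one quoted above and evaluates the `constrain process dyntransition (u1 == u2 and r1 == r2)` clauses against scontext and tcontext, showing why the allow rule alone does not make the setcon() succeed. The sample record is constructed from the one in the report.

```python
import re
from typing import NamedTuple

# Constructed sample, copied from the AVC record quoted in the report.
SAMPLE_AVC = ('type=AVC msg=audit(1314348650.561:7910): avc: denied { dyntransition } '
              'for pid=555 comm="sshd" scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 '
              'tcontext=staff_u:staff_r:staff_t:s0')

class Context(NamedTuple):
    user: str
    role: str
    type: str
    mls: str

def parse_context(ctx: str) -> Context:
    """Split an SELinux context user:role:type[:range] into its fields."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed context: {ctx!r}")
    mls = parts[3] if len(parts) == 4 else ""
    return Context(parts[0], parts[1], parts[2], mls)

def parse_avc(line: str) -> dict:
    """Extract the denied permissions, scontext and tcontext from an AVC record."""
    m = re.search(r'avc:\s+denied\s+\{\s*([\w ]+?)\s*\}.*?scontext=(\S+)\s+tcontext=(\S+)', line)
    if not m:
        raise ValueError("not an AVC denial record")
    return {"perms": m.group(1).split(),
            "scontext": parse_context(m.group(2)),
            "tcontext": parse_context(m.group(3))}

def check_dyntransition_constraint(src: Context, tgt: Context) -> list:
    """Return the clauses of `constrain process dyntransition (u1 == u2 and r1 == r2)`
    that this source/target pair violates. An empty list means the constraint passes,
    and only then does an `allow ... :process dyntransition` rule decide the outcome."""
    failures = []
    if src.user != tgt.user:
        failures.append(f"u1 == u2 fails: {src.user} != {tgt.user}")
    if src.role != tgt.role:
        failures.append(f"r1 == r2 fails: {src.role} != {tgt.role}")
    return failures

def explain(line: str) -> list:
    """Explain a dyntransition denial; other permissions are not covered by this constraint."""
    rec = parse_avc(line)
    if "dyntransition" not in rec["perms"]:
        return []
    return check_dyntransition_constraint(rec["scontext"], rec["tcontext"])

if __name__ == "__main__":
    for reason in explain(SAMPLE_AVC):
        print(reason)
```

Run against the sample it reports both the user and the role mismatch, which is exactly what the allow rule in the report cannot override.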