sshd constraint violation issue
Daniel J Walsh
dwalsh at redhat.com
Mon Aug 29 14:45:27 UTC 2011
On 08/29/2011 10:38 AM, Daniel J Walsh wrote:
> On 08/29/2011 11:10 AM, Miroslav Grepl wrote:
>> On 08/29/2011 12:52 PM, Christopher J. PeBenito wrote:
>>> On 08/29/11 08:33, Stephen Smalley wrote:
>>>> On Fri, 2011-08-26 at 20:51 +0200, Miroslav Grepl wrote:
>>>>> Together with Dan Walsh, Jan Chadima we made some changes
>>>>> in the openssh package.
>>>>>
>>>>> But we have the following issue with the following code
>>>>>
>>>>> ...
>>>>>
>>>>> if (internal-sftp)
>>>>>     setuid()
>>>>>     getexecon(&scon)
>>>>>     setcon(scon)
>>>>>     freecon(scon)
>>>>>
>>>>> ...
>>>>>
>>>>> We have
>>>>>
>>>>> allow sshd_t unpriv_userdomain:process dyntransition
>>>>>
>>>>> rule but we get a constraint violation with the following
>>>>> AVC msg
>>>>>
>>>>> type=AVC msg=audit(1314348650.561:7910): avc: denied {
>>>>> dyntransition } for pid=555 comm="sshd"
>>>>> scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023
>>>>> tcontext=staff_u:staff_r:staff_t:s0
>>>>>
>>>>> because of
>>>>>
>>>>> constrain process dyntransition ( u1 == u2 and r1 == r2 )
>>>>>
>>>>> My question is why dyntrans is not allowed to change USER
>>>>> or ROLE.
>>>>>
>>>>>
>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=729648
>>>> I think just because we haven't previously had a system
>>>> program using setcon(3) to switch its user/role.
>>> Also because the theory was that we would be reproducing privilege
>>> bracketed domains, so you'd be going to a different privilege
>>> in e.g. httpd_t -> httpd_mycgi_t, and that would not require user
>>> or role changes.
>>>
>> Ok, I understand. Thanks.
>
>> Could we add an attribute to break this?
>
>
> Or say it is ok for a userdomain?
>
>
constrain process dyntransition
(
    (u1 == u2 and r1 == r2) or t2 == unpriv_userdomain
);
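To see what the amended constraint changes, here is an added example (not code from the thread, openssh or refpolicy) that evaluates both the original and the proposed dyntransition constraint against the AVC quoted above. The set of types carrying the unpriv_userdomain attribute is a constructed subset; in practice it comes from the loaded policy.

```python
import re
from dataclasses import dataclass
from typing import Callable

# The AVC from the thread, used here as sample input.
AVC = ('type=AVC msg=audit(1314348650.561:7910): avc: denied { dyntransition } '
       'for pid=555 comm="sshd" scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 '
       'tcontext=staff_u:staff_r:staff_t:s0')

# Types carrying the unpriv_userdomain attribute (constructed subset for the
# example; the real membership is defined by the loaded policy).
UNPRIV_USERDOMAIN = frozenset({"staff_t", "user_t", "guest_t"})


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    mls: str = ""

    @classmethod
    def parse(cls, ctx: str) -> "Context":
        # user:role:type[:mls]; the MLS range itself contains ':' so split at most 3 times
        parts = ctx.split(":", 3)
        if len(parts) < 3:
            raise ValueError(f"malformed context: {ctx!r}")
        return cls(parts[0], parts[1], parts[2], parts[3] if len(parts) == 4 else "")


def parse_avc(line: str) -> dict:
    """Pull the permission set and both contexts out of an audit AVC record."""
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    perms = re.search(r"\{ ([^}]*) \}", line)
    return {"perms": perms.group(1).split() if perms else [],
            "scontext": Context.parse(fields["scontext"]),
            "tcontext": Context.parse(fields["tcontext"])}


def original_constraint(src: Context, tgt: Context) -> bool:
    """constrain process dyntransition ( u1 == u2 and r1 == r2 );"""
    return src.user == tgt.user and src.role == tgt.role


def proposed_constraint(src: Context, tgt: Context) -> bool:
    """(u1 == u2 and r1 == r2) or t2 == unpriv_userdomain"""
    return original_constraint(src, tgt) or tgt.type in UNPRIV_USERDOMAIN


def dyntransition_permitted(avc_line: str, constraint: Callable[[Context, Context], bool]) -> bool:
    """True if the transition in the AVC passes the constraint (the allow rule is assumed present)."""
    avc = parse_avc(avc_line)
    if "dyntransition" not in avc["perms"]:
        raise ValueError("not a dyntransition AVC")
    return constraint(avc["scontext"], avc["tcontext"])
```

Under the original constraint the sshd AVC fails on both the user (unconfined_u vs staff_u) and the role; under the proposal it passes only because staff_t carries the attribute, while a target type outside unpriv_userdomain is still refused.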