sshd constraint violation issue

Daniel J Walsh dwalsh at redhat.com
Mon Aug 29 14:47:01 UTC 2011



On 08/29/2011 10:43 AM, Stephen Smalley wrote:
> On Mon, 2011-08-29 at 10:36 -0400, Christopher J. PeBenito wrote:
>> On 08/29/11 11:10, Miroslav Grepl wrote:
>>> On 08/29/2011 12:52 PM, Christopher J. PeBenito wrote:
>>>> On 08/29/11 08:33, Stephen Smalley wrote:
>>>>> On Fri, 2011-08-26 at 20:51 +0200, Miroslav Grepl wrote:
>>>>>> Together with Dan Walsh and Jan Chadima, we made some changes
>>>>>> in the openssh package.
>>>>>> 
>>>>>> But we have the following issue with the following code
>>>>>> 
>>>>>> ...
>>>>>> 
>>>>>> if (internal-sftp) {
>>>>>>     setuid();
>>>>>>     getexeccon(&scon);
>>>>>>     setcon(scon);
>>>>>>     freecon(scon);
>>>>>> }
>>>>>> 
>>>>>> ...
>>>>>> 
>>>>>> We have
>>>>>> 
>>>>>> allow sshd_t unpriv_userdomain:process dyntransition
>>>>>> 
>>>>>> rule but we get a constraint violation with the following
>>>>>> AVC msg
>>>>>> 
>>>>>> type=AVC msg=audit(1314348650.561:7910): avc:  denied  { 
>>>>>> dyntransition } for pid=555 comm="sshd" 
>>>>>> scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 
>>>>>> tcontext=staff_u:staff_r:staff_t:s0
>>>>>> 
>>>>>> because of
>>>>>> 
>>>>>> constrain process dyntransition ( u1 == u2 and r1 == r2 )
>>>>>> 
>>>>>> My question is why dyntrans is not allowed to change USER
>>>>>> or ROLE.
>>>>>> 
>>>>>> 
>>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=729648
>>>>> I think just because we haven't previously had a system
>>>>> program using setcon(3) to switch its user/role.
>>>> Also because the theory was that we would be reproducing
>>>> privilege-bracketed domains, so you'd be going to a different
>>>> privilege in e.g. httpd_t -> httpd_mycgi_t, and that would not
>>>> require user or role changes.
>>>> 
>>> Ok, I understand. Thanks.
>>> 
>>> Could we add an attribute to break this?
>> 
>> Yes, we could add one.  The question is if we want the same
>> attribute as the regular transition or a new one.  i.e. I'm
>> thinking
>> 
>> constrain process dyntransition ( u1 == u2 or ( t1 ==
>> can_change_process_identity and t2 == process_user_target ) );
>> 
>> constrain process dyntransition ( r1 == r2 or ( t1 ==
>> can_change_process_identity and t2 == process_user_target ) );
>> 
>> do we want can_change_process_identity attribute or a new one?
> 
> If so, then might as well just coalesce into the existing
> constraint on transition permission.
> 


Ok, I like Stephen's better.


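As an added example (not code from the thread, from openssh or from refpolicy), here is a small Python model of the `dyntransition` constraint Miroslav hit and of the attribute-based form Chris drafted, run against the AVC record quoted above. The attribute memberships for `sshd_t` and `staff_t` are constructed assumptions, not refpolicy's actual assignments.

```python
# Added example (not from the thread or from refpolicy): evaluate the
# dyntransition constraint discussed above against the AVC from the bug.
# Attribute membership below is a constructed assumption for illustration.
from typing import NamedTuple

class Ctx(NamedTuple):
    user: str
    role: str
    type: str

def parse_ctx(raw: str) -> Ctx:
    """user:role:type[:mls] -> Ctx; the MLS range plays no part in the constraint."""
    user, role, typ = raw.split(":", 3)[:3]
    return Ctx(user, role, typ)

def parse_avc(line: str) -> tuple[Ctx, Ctx, str]:
    """Pull scontext, tcontext and the denied permission out of one AVC record."""
    fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
    perm = line.split("{", 1)[1].split("}", 1)[0].strip()
    return parse_ctx(fields["scontext"]), parse_ctx(fields["tcontext"]), perm

def original_constraint(src: Ctx, tgt: Ctx, attrs: dict) -> bool:
    """constrain process dyntransition ( u1 == u2 and r1 == r2 )"""
    return src.user == tgt.user and src.role == tgt.role

def proposed_constraint(src: Ctx, tgt: Ctx, attrs: dict) -> bool:
    """Chris's draft: u1 == u2 (and r1 == r2) unless t1 carries
    can_change_process_identity and t2 carries process_user_target."""
    exempt = ("can_change_process_identity" in attrs.get(src.type, set())
              and "process_user_target" in attrs.get(tgt.type, set()))
    return (src.user == tgt.user or exempt) and (src.role == tgt.role or exempt)

def evaluate_avc(line: str, attrs: dict) -> dict:
    """Return whether each constraint form permits the transition in the AVC."""
    src, tgt, perm = parse_avc(line)
    if perm != "dyntransition":
        raise ValueError(f"not a dyntransition denial: {perm}")
    return {"original": original_constraint(src, tgt, attrs),
            "proposed": proposed_constraint(src, tgt, attrs)}

# The AVC record quoted in the thread, joined onto one line.
AVC = ('type=AVC msg=audit(1314348650.561:7910): avc:  denied  { dyntransition } '
       'for pid=555 comm="sshd" scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 '
       'tcontext=staff_u:staff_r:staff_t:s0')

# Constructed assumption: sshd_t carries the exemption attribute, staff_t is a valid target.
ATTRS = {"sshd_t": {"can_change_process_identity"}, "staff_t": {"process_user_target"}}

if __name__ == "__main__":
    print(evaluate_avc(AVC, {}))      # {'original': False, 'proposed': False}
    print(evaluate_avc(AVC, ATTRS))   # {'original': False, 'proposed': True}
```

Without the attributes both forms deny, which is the denial in the bug; with them only the attribute-based form allows the user and role change.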