constraint violation problem

Dominick Grift dominick.grift at gmail.com
Mon May 20 07:41:32 UTC 2013


On Mon, 2013-05-20 at 09:28 +0300, Thorsten Scherf wrote:
> On [Sun, 19.05.2013 17:15], Dominick Grift wrote:
> >On Sun, 2013-05-19 at 14:15 +0300, Thorsten Scherf wrote:
> >> Following setup:
> >>
> >> iucv instance is started via upstart to make iucv connections available
> >> in a z/VM environment:
> >>
> >> # cat /etc/init/iucv.conf
> >> start on runlevel [2345]
> >> stop on runlevel [01]
> >> respawn
> >> exec /usr/bin/iucvtty lnxterm
> >>
> >> iucvtty is running in init_t:
> >>
> >> # ps -efZ|grep iucv
> >> system_u:system_r:init_t:s0     root      1788     1  0 13:56 ? 00:00:00 /usr/bin/iucvtty lnxterm
> >>
> >> Using ts-shell to connect from a central server to this system produces
> >> the following AVC:
> >>
> >> type=AVC msg=audit(1368960989.210:22183): avc:  denied  { transition }
> >> for  pid=1761 comm="login" path="/bin/bash" dev=dasda3 ino=379
> >> scontext=system_u:system_r:local_login_t:s0
> >> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> >> tclass=process
> >> type=SYSCALL msg=audit(1368960989.210:22183): arch=80000016 syscall=11
> >> per=400000 success=yes exit=11 a0=b6070570 a1=3fffffbd920 a2=b6083870
> >> a3=4a42fac3a0 items=0 ppid=1756 pid=1761 auid=500 uid=500 gid=500
> >> euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 ses=3
> >> comm="bash" exe="/bin/bash"
> >> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> >>
> >> This is the output from audit2allow:
> >>
> >> #!!!! This avc is a constraint violation.  You will need to add an
> >> attribute to either the source or target type to make it work.
> >> #Constraint rule:
> >> allow local_login_t unconfined_t:process transition;
> >>
> >> What is the recommended way to avoid this AVC?
> >>
> >
> >i think this is a mcs constraint issue:
> >
> >cat > mytest.te <<EOF
> >policy_module(mytest, 1.0.0)
> >gen_require(` type local_login_t; ')
> >mcs_process_set_categories(local_login_t)
> >EOF
> >
> >make -f /usr/share/selinux/devel/Makefile mytest.pp
> >sudo semodule -i mytest.pp
> 
> This indeed fixed it. Is this something that should go into the default
> policy? Digging through the mcs_process_set_categories interface, all it
> does is set the mcssetcats attribute on local_login_t.
> 

This issue is probably related to your new daemon, which currently is
not confined. It probably runs the login program, but because it's not
confined, it runs the login program with no categories.

In Fedora the login program usually runs with access to all categories.
It inherits access to all categories from its parent process (whichever
that is in recent Fedora).

If the login program has access to all categories then it can use them
to set categories on login user domains, but in your case it doesn't have
access to the categories it wants to set on unconfined_u logging in.

So allowing local_login_t to set categories is a workaround in this case.

But the real fix is probably to confine that iucv daemon properly. If
that's done then my hack isn't needed anymore.
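Added example (mine, not code from the thread or from the SELinux policy project): a small script that replays the AVC posted above against the MCS process-transition constraint. It assumes the constraint in effect is the one in refpolicy's policy/mcs, `mlsconstrain process { transition dyntransition } ((h1 dom h2) or (t1 == mcssetcats));`, so the transition is permitted only when the source's high level dominates the target's high level or the source type carries the mcssetcats attribute. The three cases it evaluates are the denial as posted (login at plain s0, no categories), the workaround from the thread (local_login_t gets mcssetcats) and the real fix (login inherits s0-s0:c0.c1023 from a properly confined parent); the AVC text is the one above joined onto one line, and the "fixed" scontext is constructed for illustration.

```python
"""Added example, not code from the thread or from the SELinux policy project.

Evaluates an AVC against the MCS process-transition constraint assumed
(from refpolicy's policy/mcs) to be in effect:

    mlsconstrain process { transition dyntransition }
        (( h1 dom h2 ) or ( t1 == mcssetcats ));

i.e. the source's high level must dominate the target's high level,
unless the source type carries the mcssetcats attribute.
"""
import re

# The AVC from the thread, joined onto one line (constructed test input).
AVC_LINE = (
    'type=AVC msg=audit(1368960989.210:22183): avc:  denied  { transition } '
    'for  pid=1761 comm="login" path="/bin/bash" dev=dasda3 ino=379 '
    'scontext=system_u:system_r:local_login_t:s0 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tclass=process'
)


def parse_level(level):
    """'s0:c0.c1023,c2000' -> (sensitivity, frozenset of category numbers)."""
    sens, _, cats = level.partition(':')
    categories = set()
    if cats:
        for part in cats.split(','):
            if '.' in part:                     # 'c0.c1023' is a closed range
                lo, hi = part.split('.')
                categories.update(range(int(lo[1:]), int(hi[1:]) + 1))
            else:
                categories.add(int(part[1:]))
    return int(sens[1:]), frozenset(categories)


def parse_context(ctx):
    """'user:role:type:low[-high]' -> dict; a single level means low == high."""
    user, role, typ, rng = ctx.split(':', 3)
    low, _, high = rng.partition('-')
    lo = parse_level(low)
    return {'user': user, 'role': role, 'type': typ,
            'low': lo, 'high': parse_level(high) if high else lo}


def dominates(a, b):
    """MLS 'dom': sens(a) >= sens(b) and cats(a) is a superset of cats(b)."""
    return a[0] >= b[0] and a[1] >= b[1]


def parse_avc(line):
    """Pull key=value fields out of an audit AVC record."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def diagnose(avc_line, mcssetcats_types=frozenset()):
    """Evaluate the MCS transition constraint for one process-transition AVC.

    mcssetcats_types: types carrying the mcssetcats attribute, e.g. after
    mcs_process_set_categories(local_login_t) has been loaded.
    """
    f = parse_avc(avc_line)
    if f.get('tclass') != 'process' or 'transition' not in avc_line:
        raise ValueError('not a process transition AVC')
    src, tgt = parse_context(f['scontext']), parse_context(f['tcontext'])
    h1_dom_h2 = dominates(src['high'], tgt['high'])
    has_attr = src['type'] in mcssetcats_types
    return {
        'source_type': src['type'],
        'h1_dominates_h2': h1_dom_h2,
        'source_has_mcssetcats': has_attr,
        'categories_missing_from_source': len(tgt['high'][1] - src['high'][1]),
        'allowed': h1_dom_h2 or has_attr,
    }


if __name__ == '__main__':
    # As posted: login runs at plain s0 (no categories) and is denied.
    print(diagnose(AVC_LINE))
    # The workaround from the thread: local_login_t gets the mcssetcats attribute.
    print(diagnose(AVC_LINE, mcssetcats_types={'local_login_t'}))
    # The real fix: login inherits the full category set from a properly
    # confined parent, so h1 dominates h2 without any attribute (constructed).
    FIXED = AVC_LINE.replace('local_login_t:s0 ', 'local_login_t:s0-s0:c0.c1023 ')
    print(diagnose(FIXED))
```

The point of the check is the one audit2allow hints at but cannot resolve for you: no `allow` rule helps, because the denial comes from the constraint, not from a missing type-enforcement rule. Either the source gains the categories (confine the daemon so login inherits s0-s0:c0.c1023) or the source type is exempted via mcssetcats; the script reports which branch of the constraint fails and how many categories the source is short.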


