Linux Archive > Redhat > Fedora SELinux Support

Old 04-30-2010, 08:38 PM
Xavier Toth
 
tar xvf --xattrs warning/error in MLS enforcing

I'm going to simplify this because a lot of the detail isn't important to
the issue I'm working through. I'm tarring some files, one of which
happens to be labeled SystemHigh and the rest SystemLow. An init
script, running SystemLow-SystemHigh, is later run on a different
system which untars the file. tar generates a warning message about
setfilecon failing for the file labeled SystemHigh and I see a
SELINUX_ERR message in the audit log (security_validate_transition:
denied for oldcontext=system_u:object_r:selinux_config_t:s0
newcontext=system_u:object_r:selinux_config_t:s15: c0-c1023
taskcontext=system_u:system_r:initrc_t=s0-s15:c0.c1023 tclass=file). I
am using run_init to run and test this init script. What I'm confused
about is that there are no AVCs (I did a semodule -DB just to see if
there were any dontaudits) and why there even is a failure as initrc_t
uses the mls_file_write_all_levels macro. Also does anyone know of a
way to see the contexts stored in the tar file?

Ted
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 04-30-2010, 09:42 PM
Xavier Toth
 
tar xvf --xattrs warning/error in MLS enforcing

On Fri, Apr 30, 2010 at 3:38 PM, Xavier Toth <txtoth@gmail.com> wrote:
> I'm going to simplify this because a lot of the detail isn't important to
> the issue I'm working through. I'm tarring some files, one of which
> happens to be labeled SystemHigh and the rest SystemLow. An init
> script, running SystemLow-SystemHigh, is later run on a different
> system which untars the file. tar generates a warning message about
> setfilecon failing for the file labeled SystemHigh and I see a
> SELINUX_ERR message in the audit log (security_validate_transition:
> denied for oldcontext=system_u:object_r:selinux_config_t:s0
> newcontext=system_u:object_r:selinux_config_t:s15: c0-c1023
> taskcontext=system_u:system_r:initrc_t=s0-s15:c0.c1023 tclass=file). I
> am using run_init to run and test this init script. What I'm confused
> about is that there are no AVCs (I did a semodule -DB just to see if
> there were any dontaudits) and why there even is a failure as initrc_t
> uses the mls_file_write_all_levels macro. Also does anyone know of a
> way to see the contexts stored in the tar file?
>
> Ted
>

I see now, initrc_t policy doesn't use mls_file_upgrade but I still
don't like the no AVC bit.

Ted
 
Old 05-03-2010, 03:01 PM
Stephen Smalley
 
tar xvf --xattrs warning/error in MLS enforcing

On Fri, 2010-04-30 at 16:42 -0500, Xavier Toth wrote:
> On Fri, Apr 30, 2010 at 3:38 PM, Xavier Toth <txtoth@gmail.com> wrote:
> > I'm going to simplify this because a lot of the detail isn't important to
> > the issue I'm working through. I'm tarring some files, one of which
> > happens to be labeled SystemHigh and the rest SystemLow. An init
> > script, running SystemLow-SystemHigh, is later run on a different
> > system which untars the file. tar generates a warning message about
> > setfilecon failing for the file labeled SystemHigh and I see a
> > SELINUX_ERR message in the audit log (security_validate_transition:
> > denied for oldcontext=system_u:object_r:selinux_config_t:s0
> > newcontext=system_u:object_r:selinux_config_t:s15: c0-c1023
> > taskcontext=system_u:system_r:initrc_t=s0-s15:c0.c1023 tclass=file). I
> > am using run_init to run and test this init script. What I'm confused
> > about is that there are no AVCs (I did a semodule -DB just to see if
> > there were any dontaudits) and why there even is a failure as initrc_t
> > uses the mls_file_write_all_levels macro. Also does anyone know of a
> > way to see the contexts stored in the tar file?
> >
> > Ted
> >
>
> I see now, initrc_t policy doesn't use mls_file_upgrade but I still
> don't like the no AVC bit.

The AVC isn't involved in that check. security_validate_transition()
and the mlsvalidatetrans constraints were introduced to enable a check
to be applied based on all 3 security contexts (old file context, new
file context, process context) simultaneously, which wasn't possible via
the pairwise AVC checks. selinux_inode_setxattr() invokes
security_validate_transition() after applying the AVC permission checks
during file relabeling.

--
Stephen Smalley
National Security Agency

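As an added example that is not code from this thread or from any of its participants, the following Python script covers the two technical points raised above: Ted's question of how to see the contexts stored in the tar file, and Stephen's explanation that security_validate_transition() looks at the old file context, the new file context and the process context together rather than pairwise. It builds a small PAX archive in memory with constructed members (one SystemHigh, one SystemLow), reads back the security.selinux values that GNU tar --xattrs stores under the SCHILY.xattr.security.selinux PAX keyword, and then predicts, before any extraction, which members would fail the MLS relabel check. The shape of the mlsvalidatetrans rule (same level, or an upgrade domain raising the level, or a downgrade domain lowering it), the assumption that a freshly created file starts at the low end of the creating process's range, and the sample names and contexts are assumptions made for this example, not facts stated on the page.

```python
import io
import tarfile

# PAX keyword GNU tar uses to carry a file's security.selinux xattr when
# archiving with --xattrs (the same keyword star uses).
XATTR_KEY = "SCHILY.xattr.security.selinux"

# Constructed sample members standing in for the archive in the post: one file
# labelled SystemHigh, one SystemLow. Real archives usually store the xattr
# value with a trailing NUL, which the first entry reproduces.
SAMPLE_MEMBERS = [
    ("high/report.txt", "system_u:object_r:selinux_config_t:s15:c0.c1023\x00", b"high\n"),
    ("low/readme.txt", "system_u:object_r:selinux_config_t:s0", b"low\n"),
]


def build_archive(members):
    """Write an in-memory PAX tar whose members carry a security.selinux xattr."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for name, context, data in members:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.pax_headers = {XATTR_KEY: context}
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def list_contexts(archive_bytes):
    """Return {member name: stored SELinux context or None} without extracting."""
    contexts = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:") as tar:
        for member in tar:
            value = member.pax_headers.get(XATTR_KEY)
            contexts[member.name] = value.rstrip("\x00") if value else None
    return contexts


def parse_level(level):
    """'s15:c0.c1023' -> (15, frozenset({0..1023})); 's0' -> (0, frozenset())."""
    sens, _, cats = level.partition(":")
    categories = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")
        categories.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return int(sens[1:]), frozenset(categories)


def dom(a, b):
    """Level a dominates b: sensitivity at least b's and a superset of b's categories."""
    return a[0] >= b[0] and a[1] >= b[1]


def validate_transition(old_level, new_level, process_type, upgraders=(), downgraders=()):
    """Model (assumption) of the reference-policy mlsvalidatetrans rule for files.

    Unlike the pairwise AVC checks, this decision depends on all three contexts:
    the file's old level, its new level and the type of the relabelling process.
    """
    l1, l2 = parse_level(old_level), parse_level(new_level)
    if l1 == l2:
        return True
    if process_type in upgraders and dom(l2, l1):
        return True
    if process_type in downgraders and not dom(l2, l1):  # l1 dom l2, or incomparable
        return True
    return False


def check_extraction(archive_bytes, process_context, **policy):
    """Predict per member whether restoring the stored label would pass the model
    when a process with `process_context` untars the archive.

    Assumption: a newly created file starts at the low end of the creating
    process's range (s0 in the post's oldcontext), so that is the old level.
    """
    _, _, process_type, prange = process_context.split(":", 3)
    old_level = prange.split("-")[0]
    verdicts = {}
    for name, context in list_contexts(archive_bytes).items():
        if context is None:
            verdicts[name] = True  # nothing stored, nothing to relabel
            continue
        new_level = context.split(":", 3)[3]
        verdicts[name] = validate_transition(old_level, new_level, process_type, **policy)
    return verdicts


if __name__ == "__main__":
    archive = build_archive(SAMPLE_MEMBERS)
    for name, ctx in list_contexts(archive).items():
        print(f"{name}: {ctx}")
    # initrc_t is not passed as an upgrade domain here, so the SystemHigh entry fails.
    print(check_extraction(archive, "system_u:system_r:initrc_t:s0-s15:c0.c1023"))
```

Run against a real archive by replacing build_archive() with the bytes of a tar made with `tar --xattrs`; the listing step needs no SELinux-enabled host, which makes it a convenient pre-extraction audit of what labels an archive will try to set. Passing `upgraders=("initrc_t",)` to check_extraction() shows how the verdict flips once the extracting domain is treated as an MLS file-upgrade domain, which is the point behind Ted's observation that initrc_t does not use mls_file_upgrade.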
 
