Linux Archive > Redhat > Fedora SELinux Support

05-04-2010, 04:40 PM
Sandra Rueda
about selinux_validate_context

Hello,

I am getting the following rule in my SELinux policy:
allow user_t security_t:file {read write};

I traced it and I found the interface selinux_validate_context grants permissions to read and write files with type security_t.
Are these permissions required to validate a security context?
Should they be granted to user_t?

Thanks,
Sandra

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
05-04-2010, 04:52 PM
Daniel J Walsh
about selinux_validate_context

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/04/2010 12:40 PM, Sandra Rueda wrote:
> Hello,
>
> I am getting the following rule in my SELinux policy:
> allow user_t security_t:file {read write};
>
> I traced it and I found the interface selinux_validate_context grants permissions to read and write files with type security_t.
> Are these permissions required to validate a security context?
> Should they be granted to user_t?
>
> Thanks,
> Sandra
>
>
>
The way a security context is validated is by writing to the
/security/context kernel interface, which would generate this AVC. If
you want the user_t user to be able to validate a context, then you need
this interface.

A better solution would probably be to write policy for the application
that the user is executing that needs to validate policy and allow it
the access.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkvgUOgACgkQrlYvE4MpobNSxwCg1lWRxrTE/x/shfZJ04BNXJE3
2WwAoI/b5LZbIrhGkz4fNLLeWeFQFUmS
=5QKI
-----END PGP SIGNATURE-----
 
05-05-2010, 01:38 PM
Sandra Rueda
about selinux_validate_context

Hello again,

I am sorry for my lack of precision in the previous e-mail.
I am actually using the reference policy, and I am curious about this rule.

These are the interface/template calls that end in the rule that I included in my previous e-mail:
> selinux_validate_context is called by userdom_common_user_template (in userdomain.if)
> userdom_common_user_template is called by userdom_unpriv_user_template (in unpriv_user.te)

The line in unpriv_user.te is:
userdom_unpriv_user_template(user)

I am not sure which interface/template call to remove, since the same template (userdom_unpriv_user_template) is called for secadm, staff, and auditadm ... which seems strange ... does it not?
I guess I can create a second set of template/calls without the call to selinux_validate_context. Does this sound reasonable?

Thanks for your advice,
Sandra

On May 4, 2010, at 12:52 PM, Daniel J Walsh wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 05/04/2010 12:40 PM, Sandra Rueda wrote:
>> Hello,
>>
>> I am getting the following rule in my SELinux policy:
>> allow user_t security_t:file {read write};
>>
>> I traced it and I found the interface selinux_validate_context grants permissions to read and write files with type security_t.
>> Are these permissions required to validate a security context?
>> Should they be granted to user_t?
>>
>> Thanks,
>> Sandra
>>
>>
>>
> The way a security context is validated is by writing to the
> /security/context kernel interface, which would generate this AVC. If
> you want the user_t user to be able to validate a context, then you need
> this interface.
>
> A better solution would probably be to write policy for the application
> that the user is executing that needs to validate policy and allow it
> the access.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.14 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkvgUOgACgkQrlYvE4MpobNSxwCg1lWRxrTE/x/shfZJ04BNXJE3
> 2WwAoI/b5LZbIrhGkz4fNLLeWeFQFUmS
> =5QKI
> -----END PGP SIGNATURE-----

 
05-05-2010, 02:35 PM
Daniel J Walsh
about selinux_validate_context

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If you are trying to set up a least priv user, look at roles/guest.te and
xguest.te.

They use userdom_restricted_user_template and
userdom_restricted_xwindows_user_template, which are considered the
least privs required for a login user.

user_t/staff_t are full users, meaning they should be allowed to do
everything a user on a non-SELinux system is, without any Capabilities.

If they need to execute an application that requires capabilities, a
transition rule is defined.

userdom_restricted_user_template gives you a user which cannot use the
network, has no capabilities, no exec in homedir, and no X.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkvhgjIACgkQrlYvE4MpobOFYACgvkn+rUDFJF0bHi8khPzBARoD
KI4Amwc2kIXZV0hjQ2XepJISsEEyjQq4
=+kMy
-----END PGP SIGNATURE-----
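The trace Sandra did by hand (which template calls end in `allow user_t security_t:file { read write }`) and the comparison Dan draws between a full user template and userdom_restricted_user_template, as an added example that is not part of this thread or of the reference policy. It is a small Python tracer over a constructed, deliberately simplified refpolicy-style fragment: the interface and template names are the ones mentioned in the thread, but their bodies are stand-ins, the fragment is not run through m4, gen_require blocks and permission-set macros are not expanded, and callers pass a type directly instead of refpolicy's `$1_t` prefix convention. Given a top-level call such as `userdom_unpriv_user_template(user_t)`, it reports the chain of interfaces that introduces a given permission and lists everything the entry template grants on a target type, so the full and restricted templates can be compared side by side.

```python
"""Trace which refpolicy-style interface calls grant a permission.

Added example; not code from the selinux list or from the reference policy.
It parses a constructed, simplified fragment in refpolicy syntax: interface/
template blocks whose bodies hold `allow $1 ...;` rules and calls to other
interfaces. Real refpolicy is m4-processed and uses `$1_t` prefixes; neither
is modelled here.
"""
import re

# Constructed fragment modelled on the call chain named in the thread
# (userdom_unpriv_user_template -> userdom_common_user_template ->
# selinux_validate_context). The bodies are stand-ins, not the real ones.
POLICY_SRC = r"""
interface(`selinux_validate_context',`
    allow $1 security_t:dir list_dir_perms;
    allow $1 security_t:file { read write };
')

template(`userdom_common_user_template',`
    allow $1 self:process { fork signal };
    selinux_validate_context($1)
')

template(`userdom_unpriv_user_template',`
    userdom_common_user_template($1)
    allow $1 self:tcp_socket create_stream_socket_perms;
')

template(`userdom_restricted_user_template',`
    allow $1 self:process { fork signal };
')
"""

BLOCK_RE = re.compile(r"(interface|template)\(`(\w+)',\s*`(.*?)'\)", re.DOTALL)
ALLOW_RE = re.compile(r"allow\s+(\S+)\s+(\S+):(\w+)\s+(\{[^}]*\}|\S+)\s*;")
CALL_RE = re.compile(r"^\s*(\w+)\(([^)]*)\)\s*$", re.MULTILINE)


def parse_policy(src):
    """Return {name: (allow_rules, calls)} for every interface/template.

    allow_rules: list of (source, target, class, frozenset(perms))
    calls:       list of (callee, argument) for interface calls in the body
    """
    blocks = {}
    for _kind, name, body in BLOCK_RE.findall(src):
        rules = []
        for src_t, tgt, cls, perms in ALLOW_RE.findall(body):
            rules.append((src_t, tgt, cls, frozenset(perms.strip("{} ").split())))
        calls = [(callee, arg.strip()) for callee, arg in CALL_RE.findall(body)]
        blocks[name] = (rules, calls)
    return blocks


def expand(blocks, name, subject, chain=None):
    """Flatten every allow rule reachable from `name`, substituting $1.

    Yields (chain, source, target, class, perms); chain lists the interfaces
    walked to reach the rule, outermost first.
    """
    chain = (chain or []) + [name]
    rules, calls = blocks[name]
    for src_t, tgt, cls, perms in rules:
        yield chain, src_t.replace("$1", subject), tgt.replace("$1", subject), cls, perms
    for callee, arg in calls:
        yield from expand(blocks, callee, arg.replace("$1", subject), chain)


def trace(blocks, entry, subject, target, cls, perm):
    """Call chains through which `entry(subject)` grants
    `allow subject target:cls perm` -- the manual trace from the thread."""
    return [
        " -> ".join(chain)
        for chain, s, t, c, perms in expand(blocks, entry, subject)
        if s == subject and t == target and c == cls and perm in perms
    ]


def grants_on(blocks, entry, subject, target):
    """Set of (class, perm) pairs `entry(subject)` grants on `target`; used to
    compare a full user template with a restricted one."""
    return {
        (c, p)
        for _chain, s, t, c, perms in expand(blocks, entry, subject)
        if s == subject and t == target
        for p in perms
    }


if __name__ == "__main__":
    blocks = parse_policy(POLICY_SRC)
    for hit in trace(blocks, "userdom_unpriv_user_template", "user_t", "security_t", "file", "write"):
        print("write on security_t:file via:", hit)
    print("full user on security_t:      ", sorted(grants_on(blocks, "userdom_unpriv_user_template", "user_t", "security_t")))
    print("restricted user on security_t:", sorted(grants_on(blocks, "userdom_restricted_user_template", "guest_t", "security_t")))
```

On a real system the same question is usually asked of the compiled policy with setools (for instance `sesearch -A -s user_t -t security_t -c file`), which shows the resulting rule but not which interface introduced it; walking the source as above is what answers the "where does it come from" part.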
 
