05-11-2010, 04:10 PM
Xavier Toth

talking to mcstrans in MLS enforcing on rhel6 beta

I'm a bit confused about something. mcstransd creates a socket and
through a transition rule it gets labeled setrans_var_run_t (this is
also the type used with mls_trusted_object in the setrans policy);
however, when other apps try and connect to it the target context type
is setrans_t, which of course isn't trusted, so no one can connect. As
an experiment I added setrans_t as an mls trusted object and then other
apps could connect. Not sure where the target context comes from on
connectto because the socket file is labeled setrans_var_run_t on the
disk. Something needs fixing, just not sure what. Doesn't seem right to
add 'mls_trusted_object(setrans_t)'.

Ted
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
05-11-2010, 06:36 PM
Daniel J Walsh

talking to mcstrans in MLS enforcing on rhel6 beta

On 05/11/2010 12:10 PM, Xavier Toth wrote:
> I'm a bit confused about something. mcstransd creates a socket and
> through a transition rule it gets labeled setrans_var_run_t (this is
> also the type used with mls_trusted_object in the setrans policy);
> however, when other apps try and connect to it the target context type
> is setrans_t, which of course isn't trusted, so no one can connect. As
> an experiment I added setrans_t as an mls trusted object and then other
> apps could connect. Not sure where the target context comes from on
> connectto because the socket file is labeled setrans_var_run_t on the
> disk. Something needs fixing, just not sure what. Doesn't seem right to
> add 'mls_trusted_object(setrans_t)'.
>
> Ted
Since connectto has a constraint on it, I think we need to add this also?
05-11-2010, 09:13 PM
Stephen Smalley

talking to mcstrans in MLS enforcing on rhel6 beta

On Tue, 2010-05-11 at 11:10 -0500, Xavier Toth wrote:
> I'm a bit confused about something. mcstransd creates a socket and
> through a transition rule it gets labeled setrans_var_run_t (this is
> also the type used with mls_trusted_object in the setrans policy);
> however, when other apps try and connect to it the target context type
> is setrans_t, which of course isn't trusted, so no one can connect. As
> an experiment I added setrans_t as an mls trusted object and then other
> apps could connect. Not sure where the target context comes from on
> connectto because the socket file is labeled setrans_var_run_t on the
> disk. Something needs fixing, just not sure what. Doesn't seem right to
> add 'mls_trusted_object(setrans_t)'.

When you create and bind a Unix domain socket in the file system
namespace (as opposed to the abstract namespace), there are two objects:
the socket itself (created upon the socket call, labeled with the label
of the creating process), and the file (created upon the bind call,
labeled in accordance with the usual file labeling behavior).
Connecting to such a socket requires both write access to the file and
connectto permission to the socket. So connectto is a socket-to-socket
(which looks like process-to-process since sockets are labeled based on
creating process and act as proxies/queues between processes) check.

--
Stephen Smalley
National Security Agency
