Hi,
I'm having problems with this AVC on RHEL6:
type=AVC msg=audit(1387461339.290:123): avc: denied { transition } for pid=2548 comm="tl-session" path="/opt/thinlinc/libexec/tl-xinit" dev=dm-0 ino=789253 scontext=unconfined_u:system_r:thinlinc_session_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
I'm at a loss to why though as I have this in my policy:
userdom_spec_domtrans_all_users(thinlinc_session_t)
I even checked that the temporary file got an appropriate allow rule:
allow thinlinc_session_t userdomain:process transition;
I need some help in debugging this further. What could prevent this
allow line from being respected?
Rgds
--
Pierre Ossman Software Development
Cendio AB http://cendio.com
Teknikringen 8 http://twitter.com/ThinLinc
583 30 Linköping http://facebook.com/ThinLinc
Phone: +46-13-214600 http://plus.google.com/+CendioThinLinc
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
On 12/19/2013 10:02 AM, Pierre Ossman wrote:
> Hi,
>
> I'm having problems with this AVC on RHEL6:
>
> type=AVC msg=audit(1387461339.290:123): avc: denied { transition } for
> pid=2548 comm="tl-session" path="/opt/thinlinc/libexec/tl-xinit" dev=dm-0
> ino=789253 scontext=unconfined_u:system_r:thinlinc_session_t:s0
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=process
>
> I'm at a loss to why though as I have this in my policy:
>
> userdom_spec_domtrans_all_users(thinlinc_session_t)
>
> I even checked that the temporary file got an appropriate allow rule:
>
> allow thinlinc_session_t userdomain:process transition;
>
> I need some help in debugging this further. What could prevent this allow
> line from being respected?
>
> Rgds
Looks like constraint violations.
You have an unconfined_u:system_r:thinlinc_session_t:s0 transitioning to an
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Which looks like you need to allow the domains to change role from system_r to
unconfined_r and to change range from s0 to s0-s0:c0.c1023
If you ran your avc through audit2why it should tell you that you have a
constraint problem.
Perhaps adding these will solve your problem.
domain_role_change_exemption(thinlinc_session_t)
mls_process_set_level(thinlinc_session_t)
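The triage Dan describes can be done mechanically before reaching for audit2why. The following is an added example written for this page; it is not code from the thread, from ThinLinc, or from refpolicy. It parses a process:transition AVC, splits scontext and tcontext into user, role, type and MLS range, and reports which of those change across the transition. A change in role or range with the TE allow rule already present is exactly the constraint symptom discussed above (refpolicy's policy/constraints and policy/mls restrict those changes independently of allow rules). The first sample is the AVC from the thread; the second is a constructed type-only transition used as a contrast, and the example_t/example_child_t names in it are invented for illustration.

```python
"""Triage an SELinux process:transition AVC for likely constraint violations.

Added example, not code from the thread, ThinLinc, or refpolicy.  A denial on
process { transition } that persists although the matching TE allow rule is
present is the classic sign of a constraint violation: refpolicy's
policy/constraints and policy/mls restrict changes of SELinux user, role and
MLS range across a transition independently of allow rules.  This script
parses the AVC line, splits scontext/tcontext into their fields and reports
which of them change.
"""
import re
from dataclasses import dataclass

# The AVC from the thread (real), and a constructed type-only transition
# (hypothetical example_t/example_child_t domains, same user, role and range).
THREAD_AVC = (
    'type=AVC msg=audit(1387461339.290:123): avc: denied { transition } for pid=2548 '
    'comm="tl-session" path="/opt/thinlinc/libexec/tl-xinit" dev=dm-0 ino=789253 '
    'scontext=unconfined_u:system_r:thinlinc_session_t:s0 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process'
)
TYPE_ONLY_AVC = (
    'type=AVC msg=audit(1387461400.000:124): avc: denied { transition } for pid=2600 '
    'comm="example" path="/usr/bin/example" dev=dm-0 ino=1 '
    'scontext=system_u:system_r:example_t:s0 '
    'tcontext=system_u:system_r:example_child_t:s0 tclass=process'
)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'denied\s+\{([^}]*)\}')


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    setype: str
    mls_range: str  # empty when the policy has no MLS/MCS component

    @classmethod
    def parse(cls, ctx: str) -> "Context":
        # user:role:type[:range]; the range may itself contain ':' (s0-s0:c0.c1023),
        # so split at most three times.
        parts = ctx.split(":", 3)
        if len(parts) < 3:
            raise ValueError(f"not a security context: {ctx!r}")
        return cls(parts[0], parts[1], parts[2], parts[3] if len(parts) == 4 else "")


def parse_avc(line: str) -> dict:
    """Return the key=value fields of an AVC record plus the denied permissions."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = PERMS_RE.search(line)
    fields["perms"] = m.group(1).split() if m else []
    return fields


def triage_transition(line: str) -> dict:
    """Classify a process:transition denial by which context fields change."""
    avc = parse_avc(line)
    if avc.get("tclass") != "process" or "transition" not in avc["perms"]:
        return {"applicable": False, "reason": "not a process:transition denial"}
    src, dst = Context.parse(avc["scontext"]), Context.parse(avc["tcontext"])
    changes = {}
    for name in ("user", "role", "mls_range"):
        if getattr(src, name) != getattr(dst, name):
            changes[name] = (getattr(src, name), getattr(dst, name))
    hints = []
    if "role" in changes:
        hints.append("role changes across the transition: the policy needs a role allow "
                     "between the two roles and an exemption from the role-change "
                     "constraint (refpolicy: domain_role_change_exemption())")
    if "mls_range" in changes:
        hints.append("MLS/MCS range changes: the source domain needs the privilege to "
                     "set the process level (refpolicy: mls_process_set_level())")
    if "user" in changes:
        hints.append("SELinux user changes: check the user-change constraint in "
                     "policy/constraints for the attribute that exempts a domain")
    return {"applicable": True, "types": (src.setype, dst.setype),
            "changes": changes, "likely_constraint": bool(changes), "hints": hints}


if __name__ == "__main__":
    for avc in (THREAD_AVC, TYPE_ONLY_AVC):
        r = triage_transition(avc)
        print(r["types"], "constraint suspected" if r["likely_constraint"] else "plain TE denial",
              r["changes"])
```

For the thread's AVC this reports a role change (system_r to unconfined_r) and a range change (s0 to s0-s0:c0.c1023) with the user unchanged, which is why the allow rule on its own is not enough. A type-only transition with an empty change set is an ordinary missing allow rule instead. On the real box, `audit2why` on the same line names the constraint directly, and setools' `sesearch --allow -s thinlinc_session_t -t unconfined_t -c process -p transition` confirms whether the TE rule really made it into the loaded policy.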
On Thu, 19 Dec 2013 11:10:21 -0500
Daniel J Walsh <[email protected]> wrote:
>
> Looks like constraint violations.
>
> You have an unconfined_u:system_r:thinlinc_session_t:s0 transitioning to an
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>
> Which looks like you need to allow the domains to change role from system_r to
> unconfined_r and to change range from s0 to s0-s0:c0.c1023
>
So normally type changes are generally allowed, but user and role
changes are more protected in order to better track the user across
processes?
> If you ran your avc through audit2why it should tell you that you have a
> constraint problem.
I see. I've grown a bit too accustomed to the fact that audit2why will
give me very low level suggestions without any clue as to what the
refpolicy interface might be. So I stopped using it when trying to
write policy files.
>
> Perhaps adding these will solve your problem.
> domain_role_change_exemption(thinlinc_session_t)
> mls_process_set_level(thinlinc_session_t)
It seems they were already there, since I was using:
auth_login_pgm_domain(thinlinc_session_t)
I ran into these problems when I started trying to move away from
abusing initrc_t. The current policy for this process is this:
type thinlinc_session_exec_t;
corecmd_executable_file(thinlinc_session_exec_t)
type thinlinc_session_t;
domain_type(thinlinc_session_t)
domain_entry_file(thinlinc_session_t, thinlinc_session_exec_t)
auth_login_pgm_domain(thinlinc_session_t)
domtrans_pattern(thinlinc_agent_t, thinlinc_session_exec_t, thinlinc_session_t)
auth_write_login_records(thinlinc_session_t)
userdom_spec_domtrans_all_users(thinlinc_session_t)
userdom_signal_all_users(thinlinc_session_t)
allow thinlinc_session_t self:capability { kill chown dac_override fowner setgid setuid };
allow thinlinc_session_t self:process { getcap setsched setexec };
allow thinlinc_session_t self:fifo_file rw_fifo_file_perms;
miscfiles_read_localization(thinlinc_session_t)
kernel_read_kernel_sysctls(thinlinc_session_t)
logging_append_all_logs(thinlinc_session_t)
filetrans_pattern(thinlinc_session_t, thinlinc_session_root_t, thinlinc_user_dir_t, dir)
manage_dirs_pattern(thinlinc_session_t, thinlinc_session_root_t, thinlinc_user_dir_t)
filetrans_pattern(thinlinc_session_t, thinlinc_user_dir_t, thinlinc_user_t, dir)
manage_dirs_pattern(thinlinc_session_t, thinlinc_user_dir_t, thinlinc_user_t)
manage_lnk_files_pattern(thinlinc_session_t, thinlinc_user_dir_t, thinlinc_user_dir_t)
ifdef(`enable_mcs',`
range_transition thinlinc_agent_t thinlinc_session_t:process s0 - mcs_systemhigh;
')
ifdef(`enable_mls',`
range_transition thinlinc_agent_t thinlinc_session_t:process s0 - mls_systemhigh;
')
Thank you for your help