2015-11-23 11:31:00

by Laurent Bigonville

Subject: [refpolicy] Transition not working as expected with boolean cron_userdomain_transition set to on

Hi,

While testing my patch for the at daemon, I think I also found a bug in
the policy.

With the cron_userdomain_transition boolean set to off I see the
following behavior, user bigon is unconfined_u, test is user_u and
test_staff is staff_u

bigon@soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0
unconfined_u:unconfined_r:unconfined_cronjob_t:s0-s0:c0.c1023
bigon@soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0
user_u:user_r:cronjob_t:s0
bigon@soldur:~$ /usr/sbin/getdefaultcon test_staff system_u:system_r:crond_t:s0
staff_u:staff_r:cronjob_t:s0


Everything seems OK here.

But when I toggle the boolean to on, I see the following behavior:

bigon@soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
bigon@soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0
/usr/sbin/getdefaultcon: Invalid argument
bigon@soldur:~$ /usr/sbin/getdefaultcon test_staff system_u:system_r:crond_t:s0
staff_u:sysadm_r:sysadm_t:s0

As you can see a default context cannot be computed for the user_u user
and the staff_u domain is transitioned to sysadm_r:sysadm_t (not sure
this is intended)

In the fedora policy I've found this patch
https://github.com/fedora-selinux/selinux-policy/commit/28afa6f6438070902daca6ecb5d97abad7d53a0d

If I'm _adding_ the user context to the default context

bigon@soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
bigon@soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0
user_u:user_r:user_t:s0
bigon@soldur:~$ /usr/sbin/getdefaultcon test_staff system_u:system_r:crond_t:s0
staff_u:staff_r:staff_t:s0

I've attached a patch, am I understanding everything correctly here?

Cheers,

Laurent Bigonville
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Allow-the-user-cronjobs-to-run-in-their-userdomain.patch
Type: text/x-patch
Size: 4973 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20151123/597b9346/attachment.bin


2015-11-23 12:00:15

by Dac Override

Subject: [refpolicy] Transition not working as expected with boolean cron_userdomain_transition set to on

On Mon, Nov 23, 2015 at 12:31:00PM +0100, Laurent Bigonville wrote:
> Hi,
>
> While testing my patch for the at daemon, I think I also found a bug in the
> policy.
>
> With the cron_userdomain_transition boolean set to off I see the following
> behavior, user bigon is unconfined_u, test is user_u and test_staff is
> staff_u
>
> bigon@soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0
> unconfined_u:unconfined_r:unconfined_cronjob_t:s0-s0:c0.c1023
> bigon@soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0
> user_u:user_r:cronjob_t:s0
> bigon@soldur:~$ /usr/sbin/getdefaultcon test_staff system_u:system_r:crond_t:s0
> staff_u:staff_r:cronjob_t:s0
>
>
> Everything seems OK here.
>
> But when I toggle the boolean to on, I see the following behavior:
>
> bigon@soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> bigon@soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0
> /usr/sbin/getdefaultcon: Invalid argument
> bigon@soldur:~$ /usr/sbin/getdefaultcon test_staff system_u:system_r:crond_t:s0
> staff_u:sysadm_r:sysadm_t:s0
>
> As you can see a default context cannot be computed for the user_u user and
> the staff_u domain is transitioned to sysadm_r:sysadm_t (not sure this is
> intended)
>
> In the fedora policy I've found this patch https://github.com/fedora-selinux/selinux-policy/commit/28afa6f6438070902daca6ecb5d97abad7d53a0d
>
> If I'm _adding_ the user context to the default context
>
> bigon@soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> bigon@soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0
> user_u:user_r:user_t:s0
> bigon@soldur:~$ /usr/sbin/getdefaultcon test_staff system_u:system_r:crond_t:s0
> staff_u:staff_r:staff_t:s0
>
> I've attached a patch, am I understanding everything correctly here?
>
> Cheers,
>
> Laurent Bigonville

> From c8aa69e51d8781da782a50dbdf20b258288093d4 Mon Sep 17 00:00:00 2001
> From: Laurent Bigonville <[email protected]>
> Date: Mon, 23 Nov 2015 12:25:13 +0100
> Subject: [PATCH] Allow the user cronjobs to run in their userdomain
>
> When cron_userdomain_transition boolean is set to on, the user cronjobs
> are supposed to run in their domains. Without this patch the default
> context is not properly computed:
>
> $ /usr/sbin/getdefaultcon user_u system_u:system_r:crond_t:s0
> /usr/sbin/getdefaultcon: Invalid argument
> $ /usr/sbin/getdefaultcon staff_u system_u:system_r:crond_t:s0
> staff_u:sysadm_r:sysadm_t:s0

this is not an accurate description since it expects a user name and not a
SELinux user ID (right?)

>
> With this patch applied:
>
> $ /usr/sbin/getdefaultcon user_u system_u:system_r:crond_t:s0
> user_u:user_r:user_t:s0
> $ /usr/sbin/getdefaultcon staff_ system_u:system_r:crond_t:s0
> staff_u:staff_r:staff_t:s0

idem ditto

> ---
> config/appconfig-mcs/staff_u_default_contexts | 2 +-
> config/appconfig-mcs/user_u_default_contexts | 2 +-
> config/appconfig-mls/staff_u_default_contexts | 2 +-
> config/appconfig-mls/user_u_default_contexts | 2 +-
> config/appconfig-standard/staff_u_default_contexts | 2 +-
> config/appconfig-standard/user_u_default_contexts | 2 +-
> 6 files changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/config/appconfig-mcs/staff_u_default_contexts b/config/appconfig-mcs/staff_u_default_contexts
> index 881a292..5606c4e 100644
> --- a/config/appconfig-mcs/staff_u_default_contexts
> +++ b/config/appconfig-mcs/staff_u_default_contexts
> @@ -1,7 +1,7 @@
> system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
> system_r:remote_login_t:s0 staff_r:staff_t:s0
> system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
> -system_r:crond_t:s0 staff_r:cronjob_t:s0
> +system_r:crond_t:s0 staff_r:staff_t:s0 staff_r:cronjob_t:s0
> system_r:xdm_t:s0 staff_r:staff_t:s0
> staff_r:staff_su_t:s0 staff_r:staff_t:s0
> staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
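
Review bot: on the new system_r:crond_t:s0 line, staff_r:staff_t:s0 is now listed ahead of staff_r:cronjob_t:s0, so the boolean-off case depends on the first candidate being rejected and the lookup falling through to the second. The commit message only shows getdefaultcon output with cron_userdomain_transition on. Please add the boolean-off output for a staff_u login to show that staff_r:cronjob_t is still selected, and state in the message that the order on this line is deliberate.
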
> diff --git a/config/appconfig-mcs/user_u_default_contexts b/config/appconfig-mcs/user_u_default_contexts
> index cacbc93..56d6071 100644
> --- a/config/appconfig-mcs/user_u_default_contexts
> +++ b/config/appconfig-mcs/user_u_default_contexts
> @@ -1,7 +1,7 @@
> system_r:local_login_t:s0 user_r:user_t:s0
> system_r:remote_login_t:s0 user_r:user_t:s0
> system_r:sshd_t:s0 user_r:user_t:s0
> -system_r:crond_t:s0 user_r:cronjob_t:s0
> +system_r:crond_t:s0 user_r:user_t:s0 user_r:cronjob_t:s0
> system_r:xdm_t:s0 user_r:user_t:s0
> user_r:user_su_t:s0 user_r:user_t:s0
> user_r:user_sudo_t:s0 user_r:user_t:s0
> diff --git a/config/appconfig-mls/staff_u_default_contexts b/config/appconfig-mls/staff_u_default_contexts
> index 881a292..5606c4e 100644
> --- a/config/appconfig-mls/staff_u_default_contexts
> +++ b/config/appconfig-mls/staff_u_default_contexts
> @@ -1,7 +1,7 @@
> system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
> system_r:remote_login_t:s0 staff_r:staff_t:s0
> system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
> -system_r:crond_t:s0 staff_r:cronjob_t:s0
> +system_r:crond_t:s0 staff_r:staff_t:s0 staff_r:cronjob_t:s0
> system_r:xdm_t:s0 staff_r:staff_t:s0
> staff_r:staff_su_t:s0 staff_r:staff_t:s0
> staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
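
Review bot: the appconfig-mls change to the system_r:crond_t:s0 line looks untested, since the getdefaultcon output in the cover mail comes from a system whose contexts carry an MCS range (s0-s0:c0.c1023). The index line (881a292..5606c4e) matches the appconfig-mcs file, so the edit is at least textually identical. Please say in the commit message which of the mcs, mls and standard variants were actually exercised.
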
> diff --git a/config/appconfig-mls/user_u_default_contexts b/config/appconfig-mls/user_u_default_contexts
> index cacbc93..56d6071 100644
> --- a/config/appconfig-mls/user_u_default_contexts
> +++ b/config/appconfig-mls/user_u_default_contexts
> @@ -1,7 +1,7 @@
> system_r:local_login_t:s0 user_r:user_t:s0
> system_r:remote_login_t:s0 user_r:user_t:s0
> system_r:sshd_t:s0 user_r:user_t:s0
> -system_r:crond_t:s0 user_r:cronjob_t:s0
> +system_r:crond_t:s0 user_r:user_t:s0 user_r:cronjob_t:s0
> system_r:xdm_t:s0 user_r:user_t:s0
> user_r:user_su_t:s0 user_r:user_t:s0
> user_r:user_sudo_t:s0 user_r:user_t:s0
> diff --git a/config/appconfig-standard/staff_u_default_contexts b/config/appconfig-standard/staff_u_default_contexts
> index c2a5ea8..300694c 100644
> --- a/config/appconfig-standard/staff_u_default_contexts
> +++ b/config/appconfig-standard/staff_u_default_contexts
> @@ -1,7 +1,7 @@
> system_r:local_login_t staff_r:staff_t sysadm_r:sysadm_t
> system_r:remote_login_t staff_r:staff_t
> system_r:sshd_t staff_r:staff_t sysadm_r:sysadm_t
> -system_r:crond_t staff_r:cronjob_t
> +system_r:crond_t staff_r:staff_t staff_r:cronjob_t
> system_r:xdm_t staff_r:staff_t
> staff_r:staff_su_t staff_r:staff_t
> staff_r:staff_sudo_t staff_r:staff_t
> diff --git a/config/appconfig-standard/user_u_default_contexts b/config/appconfig-standard/user_u_default_contexts
> index f5bfac3..63b7eec 100644
> --- a/config/appconfig-standard/user_u_default_contexts
> +++ b/config/appconfig-standard/user_u_default_contexts
> @@ -1,7 +1,7 @@
> system_r:local_login_t user_r:user_t
> system_r:remote_login_t user_r:user_t
> system_r:sshd_t user_r:user_t
> -system_r:crond_t user_r:cronjob_t
> +system_r:crond_t user_r:user_t user_r:cronjob_t
> system_r:xdm_t user_r:user_t
> user_r:user_su_t user_r:user_t
> user_r:user_sudo_t user_r:user_t
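
Review bot: the diffstat lists only the six per-user *_default_contexts files, so the system_r:crond_t entry in the global default_contexts files keeps whatever ordering it had. Consider giving that entry the same treatment in this patch, with the user domains listed first and the cronjob domains after them, so that the per-user and global files agree when cron_userdomain_transition is toggled.
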
> --
> 2.6.2
>

> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy


--
02DFF788
4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
https://sks-keyservers.net/pks/lookup?op=get&search=0x314883A202DFF788
Dominick Grift

2015-11-23 12:15:07

by Laurent Bigonville

Subject: [refpolicy] Transition not working as expected with boolean cron_userdomain_transition set to on

On 23/11/15 13:00, Dominick Grift wrote:
> On Mon, Nov 23, 2015 at 12:31:00PM +0100, Laurent Bigonville wrote:
>> [...]
>>
>>
>> When cron_userdomain_transition boolean is set to on, the user cronjobs
>> are supposed to run in their domains. Without this patch the default
>> context is not properly computed:
>>
>> $ /usr/sbin/getdefaultcon user_u system_u:system_r:crond_t:s0
>> /usr/sbin/getdefaultcon: Invalid argument
>> $ /usr/sbin/getdefaultcon staff_u system_u:system_r:crond_t:s0
>> staff_u:sysadm_r:sysadm_t:s0
> this is not an accurate description since it expects a user name and not a
> SELinux user ID (right?)
>
>> With this patch applied:
>>
>> $ /usr/sbin/getdefaultcon user_u system_u:system_r:crond_t:s0
>> user_u:user_r:user_t:s0
>> $ /usr/sbin/getdefaultcon staff_ system_u:system_r:crond_t:s0
>> staff_u:staff_r:staff_t:s0
> idem ditto

Yes indeed, it was to make the thing more clear for the reader

2015-11-23 12:39:24

by Dac Override

Subject: [refpolicy] Transition not working as expected with boolean cron_userdomain_transition set to on

On Mon, Nov 23, 2015 at 01:15:07PM +0100, Laurent Bigonville wrote:
> On 23/11/15 13:00, Dominick Grift wrote:
> > On Mon, Nov 23, 2015 at 12:31:00PM +0100, Laurent Bigonville wrote:
> >> [...]
> >>
> >>
> >> When cron_userdomain_transition boolean is set to on, the user cronjobs
> >> are supposed to run in their domains. Without this patch the default
> >> context is not properly computed:
> >>
> >> $ /usr/sbin/getdefaultcon user_u system_u:system_r:crond_t:s0
> >> /usr/sbin/getdefaultcon: Invalid argument
> >> $ /usr/sbin/getdefaultcon staff_u system_u:system_r:crond_t:s0
> >> staff_u:sysadm_r:sysadm_t:s0
> > this is not an accurate description since it expects a user name and not a
> > SELinux user ID (right?)
> >
> >> With this patch applied:
> >>
> >> $ /usr/sbin/getdefaultcon user_u system_u:system_r:crond_t:s0
> >> user_u:user_r:user_t:s0
> >> $ /usr/sbin/getdefaultcon staff_ system_u:system_r:crond_t:s0
> >> staff_u:staff_r:staff_t:s0
> > idem ditto
>
> Yes indeed, it was to make the thing more clear for the reader


I do not think that this attempt succeeds; instead, it is actually
confusing.

--
02DFF788
4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
https://sks-keyservers.net/pks/lookup?op=get&search=0x314883A202DFF788
Dominick Grift

2015-12-01 15:50:45

by cpebenito

Subject: [refpolicy] Transition not working as expected with boolean cron_userdomain_transition set to on

On 11/23/2015 6:31 AM, Laurent Bigonville wrote:
> Hi,
>
> While testing my patch for the at daemon, I think I also found a bug in
> the policy.
>
> With the cron_userdomain_transition boolean set to off I see the
> following behavior, user bigon is unconfined_u, test is user_u and
> test_staff is staff_u
>
> bigon@soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0
> unconfined_u:unconfined_r:unconfined_cronjob_t:s0-s0:c0.c1023
> bigon@soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0
> user_u:user_r:cronjob_t:s0
> bigon@soldur:~$ /usr/sbin/getdefaultcon test_staff system_u:system_r:crond_t:s0
> staff_u:staff_r:cronjob_t:s0
>
>
> Everything seems OK here.
>
> But when I toggle the boolean to on, I see the following behavior:
>
> bigon@soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> bigon@soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0
> /usr/sbin/getdefaultcon: Invalid argument
> bigon@soldur:~$ /usr/sbin/getdefaultcon test_staff system_u:system_r:crond_t:s0
> staff_u:sysadm_r:sysadm_t:s0
>
> As you can see a default context cannot be computed for the user_u user
> and the staff_u domain is transitioned to sysadm_r:sysadm_t (not sure
> this is intended)
>
> In the fedora policy I've found this patch
> https://github.com/fedora-selinux/selinux-policy/commit/28afa6f6438070902daca6ecb5d97abad7d53a0d
>
>
> If I'm _adding_ the user context to the default context
>
> bigon@soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> bigon@soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0
> user_u:user_r:user_t:s0
> bigon@soldur:~$ /usr/sbin/getdefaultcon test_staff system_u:system_r:crond_t:s0
> staff_u:staff_r:staff_t:s0
>
> I've attached a patch, am I understanding everything correctly here?

This makes sense, though the default_context files should probably be
updated similarly.


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2015-12-01 16:26:11

by Laurent Bigonville

Subject: [refpolicy] Transition not working as expected with boolean cron_userdomain_transition set to on

On 01/12/15 16:50, Christopher J. PeBenito wrote:
> On 11/23/2015 6:31 AM, Laurent Bigonville wrote:
>> Hi,
>>
>> While testing my patch for the at daemon, I think I also found a bug in
>> the policy.
>>
>> With the cron_userdomain_transition boolean set to off I see the
>> following behavior, user bigon is unconfined_u, test is user_u and
>> test_staff is staff_u
>>
>> bigon@soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0
>> unconfined_u:unconfined_r:unconfined_cronjob_t:s0-s0:c0.c1023
>> bigon@soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0
>> user_u:user_r:cronjob_t:s0
>> bigon@soldur:~$ /usr/sbin/getdefaultcon test_staff system_u:system_r:crond_t:s0
>> staff_u:staff_r:cronjob_t:s0
>>
>>
>> Everything seems OK here.
>>
>> But when I toggle the boolean to on, I see the following behavior:
>>
>> bigon@soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0
>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> bigon@soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0
>> /usr/sbin/getdefaultcon: Invalid argument
>> bigon@soldur:~$ /usr/sbin/getdefaultcon test_staff system_u:system_r:crond_t:s0
>> staff_u:sysadm_r:sysadm_t:s0
>>
>> As you can see a default context cannot be computed for the user_u user
>> and the staff_u domain is transitioned to sysadm_r:sysadm_t (not sure
>> this is intended)
>>
>> In the fedora policy I've found this patch
>> https://github.com/fedora-selinux/selinux-policy/commit/28afa6f6438070902daca6ecb5d97abad7d53a0d
>>
>>
>> If I'm _adding_ the user context to the default context
>>
>> bigon@soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0
>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> bigon@soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0
>> user_u:user_r:user_t:s0
>> bigon@soldur:~$ /usr/sbin/getdefaultcon test_staff system_u:system_r:crond_t:s0
>> staff_u:staff_r:staff_t:s0
>>
>> I've attached a patch, am I understanding everything correctly here?
> This makes sense, though the default_context files should probably be
> updated similarly.
Is the order relevant here?

2015-12-02 14:35:36

by cpebenito

Subject: [refpolicy] Transition not working as expected with boolean cron_userdomain_transition set to on

On 12/1/2015 11:26 AM, Laurent Bigonville wrote:
> On 01/12/15 16:50, Christopher J. PeBenito wrote:
>> On 11/23/2015 6:31 AM, Laurent Bigonville wrote:
>>> Hi,
>>>
>>> While testing my patch for the at daemon, I think I also found a bug in
>>> the policy.
>>>
>>> With the cron_userdomain_transition boolean set to off I see the
>>> following behavior, user bigon is unconfined_u, test is user_u and
>>> test_staff is staff_u
>>>
>>> bigon@soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0
>>> unconfined_u:unconfined_r:unconfined_cronjob_t:s0-s0:c0.c1023
>>> bigon@soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0
>>> user_u:user_r:cronjob_t:s0
>>> bigon@soldur:~$ /usr/sbin/getdefaultcon test_staff system_u:system_r:crond_t:s0
>>> staff_u:staff_r:cronjob_t:s0
>>>
>>>
>>> Everything seems OK here.
>>>
>>> But when I toggle the boolean to on, I see the following behavior:
>>>
>>> bigon@soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0
>>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>> bigon@soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0
>>> /usr/sbin/getdefaultcon: Invalid argument
>>> bigon@soldur:~$ /usr/sbin/getdefaultcon test_staff system_u:system_r:crond_t:s0
>>> staff_u:sysadm_r:sysadm_t:s0
>>>
>>> As you can see a default context cannot be computed for the user_u user
>>> and the staff_u domain is transitioned to sysadm_r:sysadm_t (not sure
>>> this is intended)
>>>
>>> In the fedora policy I've found this patch
>>> https://github.com/fedora-selinux/selinux-policy/commit/28afa6f6438070902daca6ecb5d97abad7d53a0d
>>>
>>>
>>> If I'm _adding_ the user context to the default context
>>>
>>> bigon@soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0
>>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>> bigon@soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0
>>> user_u:user_r:user_t:s0
>>> bigon@soldur:~$ /usr/sbin/getdefaultcon test_staff system_u:system_r:crond_t:s0
>>> staff_u:staff_r:staff_t:s0
>>>
>>> I've attached a patch, am I understanding everything correctly here?
>> This makes sense, though the default_context files should probably be
>> updated similarly.
> Is the order relevant here?

For each line, the order is relevant. The libraries will choose the
first partial context that will result in a valid context. I'd have to
look at the code to see if it will skip partial contexts if the context
is valid but the transition is denied.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2015-12-03 14:33:22

by Laurent Bigonville

Subject: [refpolicy] Transition not working as expected with boolean cron_userdomain_transition set to on

On 02/12/15 15:35, Christopher J. PeBenito wrote:
> On 12/1/2015 11:26 AM, Laurent Bigonville wrote:
>> On 01/12/15 16:50, Christopher J. PeBenito wrote:
>>> This makes sense, though the default_context files should probably
>>> be updated similarly.
>> Is the order relevant here?
> For each line, the order is relevant. The libraries will choose the
> first partial context that will result in a valid context. I'd have to
> look at the code to see if it will skip partial contexts if the context
> is valid but the transition is denied.
And in this precise case, do you have a specific order for these
contexts in the default_contexts file?

2015-12-03 15:57:08

by cpebenito

Subject: [refpolicy] Transition not working as expected with boolean cron_userdomain_transition set to on

On 12/3/2015 9:33 AM, Laurent Bigonville wrote:
> On 02/12/15 15:35, Christopher J. PeBenito wrote:
>> On 12/1/2015 11:26 AM, Laurent Bigonville wrote:
>>> On 01/12/15 16:50, Christopher J. PeBenito wrote:
>>>> This makes sense, though the default_context files should probably
>>>> be updated similarly.
>>> Is the order relevant here?
>> For each line, the order is relevant. The libraries will choose the
>> first partial context that will result in a valid context. I'd have to
>> look at the code to see if it will skip partial contexts if the context
>> is valid but the transition is denied.
> And in this precise case, do you have a specific order for these
> contexts in the default_contexts file?

I think it should be like the user default_context files, where the user
domains are first, so those are chosen if the cron_userdomain_transition
is true. If false, then it should fall through to the cronjob domains.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
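
The ordering rule from the last replies in this thread, as an added example (not code from the thread, refpolicy or libselinux): a simplified Python model in which the first candidate on a per-user default_contexts line that is in the reachable set wins. The function names are hypothetical, the reachable sets for the two boolean states are constructed assumptions inferred from the getdefaultcon output quoted above, and the model ignores the fallback to the global default_contexts file.

```python
def parse_default_contexts(text):
    """Map the caller's 'role:type' to its ordered list of candidate 'role:type'."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        # Compare on role:type only; the level (":s0") is optional in the files.
        strip_level = lambda ctx: ":".join(ctx.split(":")[:2])
        table[strip_level(fields[0])] = [strip_level(c) for c in fields[1:]]
    return table


def pick_default(table, from_context, reachable):
    """Return the first listed candidate that is reachable, or None."""
    # from_context is user:role:type[:level]; the files key on role:type.
    role_type = ":".join(from_context.split(":")[1:3])
    for candidate in table.get(role_type, []):
        if candidate in reachable:
            return candidate
    return None


# The user_u crond_t line before and after the patch (other lines trimmed).
USER_U_BEFORE = (
    "system_r:sshd_t:s0 user_r:user_t:s0\n"
    "system_r:crond_t:s0 user_r:cronjob_t:s0\n"
)
USER_U_AFTER = (
    "system_r:sshd_t:s0 user_r:user_t:s0\n"
    "system_r:crond_t:s0 user_r:user_t:s0 user_r:cronjob_t:s0\n"
)

CROND = "system_u:system_r:crond_t:s0"

# Constructed assumption: what crond_t can reach for user_u in each state of
# cron_userdomain_transition, inferred from the outputs in the thread.
REACHABLE = {
    "on": {"user_r:user_t"},
    "off": {"user_r:cronjob_t"},
}


def run_matrix():
    """Evaluate both file versions against both boolean states."""
    results = {}
    for name, text in (("before", USER_U_BEFORE), ("after", USER_U_AFTER)):
        table = parse_default_contexts(text)
        for state, reachable in REACHABLE.items():
            results[(name, state)] = pick_default(table, CROND, reachable)
    return results


if __name__ == "__main__":
    for key, value in sorted(run_matrix().items()):
        print(key, "->", value or "no default context")
```

In this model the pre-patch file with the boolean on yields no context at all, which corresponds to the "Invalid argument" result for the user_u login, while the patched line resolves in both states.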