Hi,
I'm facing an issue on RHEL7 with the mls policy and enforcing state. The system
is not reacting after booting to rescue mode. The issue here is a missing
transition rule, where the sulogin_t domain with s15:c0.c1023 is trying to
transition to sysadm_t with s0-s15:c0.c1023. I don't think that we want to
allow this.
On the other hand, the question is whether enforced MLS policy is supported in
rescue mode?
Thanks for the help.
Lukas.
--
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.
On 08/31/16 07:09, Lukas Vrabec via refpolicy wrote:
> Hi,
>
> I'm facing an issue on RHEL7 with the mls policy and enforcing state. The system
> is not reacting after booting to rescue mode. The issue here is a missing
> transition rule, where the sulogin_t domain with s15:c0.c1023 is trying to
> transition to sysadm_t with s0-s15:c0.c1023. I don't think that we want to
> allow this.
>
> On the other hand, the question is whether enforced MLS policy is supported in
> rescue mode?
It should be supported, even if it doesn't work right now. I believe
sulogin_t should probably have the same MLS range as local_login_t, as
they're of equivalent MLS sensitivity. With that in place, the
transition to sysadm_t should be allowed, regardless of the change of range.
--
Chris PeBenito
On 09/01/2016 12:46 AM, Chris PeBenito wrote:
> On 08/31/16 07:09, Lukas Vrabec via refpolicy wrote:
>> Hi,
>>
>> I'm facing an issue on RHEL7 with the mls policy and enforcing state. The system
>> is not reacting after booting to rescue mode. The issue here is a missing
>> transition rule, where the sulogin_t domain with s15:c0.c1023 is trying to
>> transition to sysadm_t with s0-s15:c0.c1023. I don't think that we want to
>> allow this.
>>
>> On the other hand, the question is whether enforced MLS policy is supported in
>> rescue mode?
>
> It should be supported, even if it doesn't work right now. I believe
> sulogin_t should probably have the same MLS range as local_login_t, as
> they're of equivalent MLS sensitivity. With that in place, the
> transition to sysadm_t should be allowed, regardless of the change of
> range.
>
Hi Chris,
I changed the MLS range of sulogin_t to be the same as local_login_t, and rescue mode
started working.
Thank you for the help!
Lukas.
--
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.
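
An added example, not part of the original thread: a small Python parser for the two MLS ranges quoted in the messages, showing that going from s15:c0.c1023 to s0-s15:c0.c1023 changes the range by lowering the low (effective) level while the high level (clearance) stays the same. The function names are hypothetical; only the range syntax is SELinux's.

```python
import re

_LEVEL = re.compile(r"s(\d+)(?::(.+))?")
_CATS = re.compile(r"c(\d+)(?:\.c(\d+))?")

def parse_level(text):
    """'s15:c0.c1023' -> (15, frozenset({0, ..., 1023}))."""
    m = _LEVEL.fullmatch(text.strip())
    if not m:
        raise ValueError(f"bad MLS level: {text!r}")
    cats = set()
    for part in (m.group(2).split(",") if m.group(2) else []):
        c = _CATS.fullmatch(part)
        if not c:
            raise ValueError(f"bad category set: {part!r}")
        first = int(c.group(1))
        last = int(c.group(2)) if c.group(2) else first
        if last < first:
            raise ValueError(f"descending category run: {part!r}")
        cats.update(range(first, last + 1))   # 'c0.c1023' is an inclusive run
    return int(m.group(1)), frozenset(cats)

def dominates(a, b):
    """Level a dominates b: sensitivity at least as high, categories a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def parse_range(text):
    """'s0-s15:c0.c1023' -> (low, high); a single level is low == high."""
    low_text, sep, high_text = text.partition("-")
    low = parse_level(low_text)
    high = parse_level(high_text) if sep else low
    if not dominates(high, low):
        raise ValueError(f"high level does not dominate low level: {text!r}")
    return low, high

def compare_transition(source, target):
    """Describe how the MLS range differs between source and target contexts."""
    (s_low, s_high), (t_low, t_high) = parse_range(source), parse_range(target)
    return {
        "range_changes": (s_low, s_high) != (t_low, t_high),
        "low_level_lowered": dominates(s_low, t_low) and s_low != t_low,
        "high_level_raised": dominates(t_high, s_high) and t_high != s_high,
    }

if __name__ == "__main__":
    # Ranges taken from the thread: sulogin_t source, sysadm_t target.
    print(compare_transition("s15:c0.c1023", "s0-s15:c0.c1023"))
```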