From: martin@martinorr.name (Martin Orr)
Date: Mon, 01 Mar 2010 17:48:28 +0000
Subject: [refpolicy] Possible regression and bug
	in	userdom_base_user_template
In-Reply-To: <20100301170324.GI3990@myhost.felk.cvut.cz>
References: <20100301102220.GF3990@myhost.felk.cvut.cz>
	<1267450925.30557.7.camel@gorn.columbia.tresys.com>
	<20100301150133.GG3990@myhost.felk.cvut.cz>
	<1267457544.30557.30.camel@gorn.columbia.tresys.com>
	<20100301170324.GI3990@myhost.felk.cvut.cz>
Message-ID: <20100301174828.pdj3qn7guaswg8g8@legacy.mxes.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon  1 Mar 17:03:24 2010, Michal Svoboda wrote:

> Christopher J. PeBenito wrote:
>> I don't know what you are referring to; I don't see such access in
>> refpolicy.  I can see that the base user template can read usr_t files,
>> but not execute them.  I even added a test user that only called the
>> template and opened up the compiled policy with apol; it still did not
>> have an execute permission on usr_t.
>
> This is weird.
>
> # cat foo.te
> policy_module(foo,1.0.0)
>
> userdom_base_user_template(foo)
>
> # sesearch --allow -s foo_t -p execute_no_trans
> Found 2 semantic av rules:
>    allow foo_t usr_t : file { ioctl read getattr lock execute
>    				execute_no_trans open } ;
>    allow foo_t ld_so_t : file { read getattr execute execute_no_trans 
> open } ;
>
> # aptitude show selinux-policy-default |grep -i vers
> Version: 2:0.2.20091117-1
>
> Either the policy changed since then or this is a debian only patch...

Yes, this is a Debian only patch.  According to my history, it was 
added somewhere between 0.0.20080702-1 and 0.0.20080702-4.

-- 
Martin Orr