From: ossman@cendio.se (Pierre Ossman)
Date: Thu, 24 Mar 2011 11:08:58 +0100
Subject: [refpolicy] help getting our application ThinLinc working with the reference policy
In-Reply-To: <20110324110048.53087a1c@ossman.lkpg.cendio.se>
References: <20110323163515.4af59493@ossman.lkpg.cendio.se>
	<4D8A389F.5060307@redhat.com>
	<20110324110048.53087a1c@ossman.lkpg.cendio.se>
Message-ID: <20110324110858.2654ccda@ossman.lkpg.cendio.se>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 24 Mar 2011 11:00:48 +0100
Pierre Ossman wrote:

> 
> sshd_t seemed a bit too blatantly wrong, but login_t might be an
> acceptable temporary fix. It does seem to have the privileges needed.
> 

Scratch that. It works on Fedora 14, but not RHEL 6. I get:

==> secure <==
Mar 24 11:04:07 localhost tl-session: pam_selinux(thinlinc:session): Open Session
Mar 24 11:04:07 localhost tl-session: pam_selinux(thinlinc:session): Username= user1 SELinux User = unconfined_u Level= s0-s0:c0.c1023
Mar 24 11:04:07 localhost tl-session: pam_selinux(thinlinc:session): Selected Security Context user_u:user_r:policykit_grant_t:s0
Mar 24 11:04:07 localhost tl-session: pam_selinux(thinlinc:session): Checking if user_u:user_r:policykit_grant_t:s0 mls range valid for user_u:user_r:policykit_grant_t:s0
Mar 24 11:04:07 localhost tl-session: pam_selinux(thinlinc:session): Security context user_u:user_r:policykit_grant_t:s0 is not allowed for user_u:user_r:policykit_grant_t:s0

==> audit/audit.log <==
type=USER_ROLE_CHANGE msg=audit(1300961047.135:33481): user pid=4696 uid=0 auid=501 ses=763 subj=unconfined_u:system_r:initrc_t:s0 msg='pam: default-context=user_u:user_r:policykit_grant_t:s0 selected-context=user_u:user_r:policykit_grant_t:s0: exe="/opt/thinlinc/libexec/tl-session" hostname=? addr=? terminal=? res=failed'
type=USER_ROLE_CHANGE msg=audit(1300961047.136:33482): user pid=4696 uid=0 auid=501 ses=763 subj=unconfined_u:system_r:initrc_t:s0 msg='pam: default-context=user_u:user_r:policykit_grant_t:s0 selected-context=?: exe="/opt/thinlinc/libexec/tl-session" hostname=? addr=? terminal=? res=failed'

Given that it is still saying initrc_t for tl-session, it seems that the
transition to login_t wasn't allowed. Seems to be correctly tagged on disk:

-rwxr-xr-x. root root system_u:object_r:login_exec_t:s0 /opt/thinlinc/libexec/tl-session

Rgds
-- 
Pierre Ossman           OpenSource-based Thin Client Technology
System Developer        Telephone: +46-13-21 46 00
Cendio AB               Web: http://www.cendio.com

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)

iEYEARECAAYFAk2LGDwACgkQ7b8eESbyJLjWkQCg20ywa2nGzvgMYpz3Q8DfdA+L
v4sAoIMKg1rFx3TS6VZoWvrsyMbhGaB3
=GCaN
-----END PGP SIGNATURE-----
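The inference in the mail above (the audit record's subj= field still says initrc_t although the binary is labelled login_exec_t, so no domain transition took place) can be turned into a repeatable check. The helper below is an added example for this page; it is not part of the mail and not ThinLinc's or refpolicy's code. It pulls the process context out of an audit record, compares it with the type the exec label should have led to, and, when they disagree, queries the loaded policy with sesearch from setools for the four things an automatic transition needs: a type_transition rule, execute permission on the file type, an entrypoint rule for the target domain, and process:transition from the source domain. The foo_exec_t -> foo_t mapping is refpolicy naming convention used only as a hint; the type_transition rule is the authoritative answer. The audit line embedded in the script is a constructed copy of the first record quoted above. sesearch is only needed for the live policy queries; the parsing functions run anywhere.

```shell
#!/bin/sh
# Added example (not from the mail, ThinLinc or refpolicy): why does a process
# that execs a login_exec_t binary from initrc_t still show up as initrc_t?

# Third colon-separated field of a context, e.g.
#   system_u:object_r:login_exec_t:s0  ->  login_exec_t
# Works for MLS contexts too, since the range comes after the type.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# The subj= field of an audit record: the context of the process that
# produced it (the thing the mail reads as "still saying initrc_t").
audit_subj() {
    printf '%s\n' "$1" | sed -n 's/.*subj=\([^ ]*\).*/\1/p'
}

# Domain that refpolicy naming convention pairs with an entrypoint type:
# foo_exec_t -> foo_t. Convention only; the type_transition rule decides.
expected_domain() {
    printf '%s\n' "$1" | sed 's/_exec_t$/_t/'
}

# 0 if the process type is the domain its exec type conventionally leads to,
# 1 if the process is still running in some other domain.
transition_happened() {
    proc_type=$(ctx_type "$1")
    exec_type=$(ctx_type "$2")
    want=$(expected_domain "$exec_type")
    if [ "$proc_type" = "$want" ]; then
        echo "process runs as $proc_type, as expected for $exec_type"
        return 0
    fi
    echo "process runs as $proc_type, but $exec_type should lead to $want" >&2
    return 1
}

# Ask the loaded policy for each rule an automatic domain transition needs.
# Requires sesearch (setools); the -T/-A/-s/-t/-c/-p options are the same in
# setools 3 (RHEL 6) and setools 4.
check_transition() {
    src=$1
    exec_type=$2
    want=$(expected_domain "$exec_type")
    if ! command -v sesearch >/dev/null 2>&1; then
        echo "sesearch (setools) not installed; cannot query policy" >&2
        return 2
    fi
    echo "== type_transition from $src via $exec_type =="
    sesearch -T -s "$src" -t "$exec_type" -c process
    echo "== execute: $src on $exec_type =="
    sesearch -A -s "$src" -t "$exec_type" -c file -p execute
    echo "== domains with entrypoint on $exec_type =="
    sesearch -A -t "$exec_type" -c file -p entrypoint
    echo "== process transition: $src -> $want (by naming convention) =="
    sesearch -A -s "$src" -t "$want" -c process -p transition
}

# Constructed copy of the first audit record quoted in the mail, plus the
# on-disk label of the binary, so the worked run needs no live system.
AUDIT_LINE="type=USER_ROLE_CHANGE msg=audit(1300961047.135:33481): user pid=4696 uid=0 auid=501 ses=763 subj=unconfined_u:system_r:initrc_t:s0 msg='pam: default-context=user_u:user_r:policykit_grant_t:s0 selected-context=user_u:user_r:policykit_grant_t:s0: exe=\"/opt/thinlinc/libexec/tl-session\" hostname=? addr=? terminal=? res=failed'"
FILE_CTX=system_u:object_r:login_exec_t:s0

main() {
    subj=$(audit_subj "$AUDIT_LINE")
    if ! transition_happened "$subj" "$FILE_CTX"; then
        # Only informative on a box with SELinux policy and setools loaded.
        check_transition "$(ctx_type "$subj")" "$(ctx_type "$FILE_CTX")" || :
    fi
}

main
```

Run as-is to see the verdict for the quoted record; on the affected RHEL 6 host, the four sesearch listings show which of the rules is missing from the loaded policy. The version of setools matters only for output formatting, not for the queries.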