From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 27 Feb 2012 10:15:10 -0500
Subject: [refpolicy] Showing role attributes + issue when calling
 selinux utilities
In-Reply-To: <4F4AEB18.3090405@windriver.com>
References: <20120226131858.GA30221@siphos.be> <4F4AEB18.3090405@windriver.com>
Message-ID: <4F4B9DFE.8050207@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/26/12 21:31, Harry Ciao wrote:
> I am very glad finally someone else also discovered this issue. I had 
> discovered it months ago and posted a patch to fix it, however, it had 
> not been integrated or even acked.
> 
> Please search for my two emails entitled as "Make role attributes able 
> to type their "own" types." sent around 2011-12-15 to the refpolicy 
> mailing list.
> 
> Aside from new_roles and run_init_roles, some other role attributes such 
> as groupadd_roles, useradd_roles and chfn_roles should have been able to 
> type with their counterpart domains.

Sorry I missed that patch.  I'll go get it.
 
> On 02/26/2012 09:19 PM, Sven Vermeulen wrote:
>> Hi guys,
>>
>> Continuing the 20120215 release testing, I noticed that I can't call
>> run_init anymore:
>>
>>    ~# run_init
>>    -bash: /usr/sbin/run_init: Permission denied
>>
>> Same for newrole:
>>
>>    ~# newrole -r sysadm_r
>>    -bash: /usr/bin/newrole: Permission denied
>>
>> The denial is because of invalid context:
>>
>> ~# dmesg | tail -1
>> [ 6165.059146] type=1401 audit(1330261818.013:2712): security_compute_sid:
>> invalid context root:staff_r:newrole_t for scontext=root:staff_r:newrole_t
>> tcontext=root:staff_r:newrole_t tclass=unix_stream_socket
>>
>> It looks that it has something to do with the role attribute support,
>> because seutil_run_runinit has changed between 20110726 and 20120215 to that
>> regard:
>>
>>    ~$ ## 20110726 policy
>>    ~$ seshowif seutil_run_runinit
>>    interface(`seutil_run_runinit',`
>>            gen_require(`
>>                    type run_init_t;
>>                    role system_r;
>>            ')
>>
>>            auth_run_chk_passwd(run_init_t, $2)
>>            seutil_domtrans_runinit($1)
>>            role $2 types run_init_t;
>>
>>            allow $2 system_r;
>>    ')
>>
>>    ~$ ## 20120215 policy
>>    $ seshowif seutil_run_runinit
>>    interface(`seutil_run_runinit',`
>>            gen_require(`
>>                    attribute_role run_init_roles;
>>            ')
>>
>>            seutil_domtrans_runinit($1)
>>            roleattribute $2 run_init_roles;
>>    ')
>>
>> Do I need to include "allow $2 system_r" again here?
>>
>> Another question: is it possible to query the role attributes on the system?
>> seinfo only shows those for types...
>>
>> Wkr,
>> 	Sven Vermeulen
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
>>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com