From: ossman@cendio.se (Pierre Ossman)
Date: Thu, 19 Dec 2013 21:17:30 +0100
Subject: [refpolicy] unexpected AVC. how to dig deeper?
In-Reply-To: <52B31A6D.1020506@redhat.com>
References: <20131219160216.714215db@ossman.lkpg.cendio.se> <52B31A6D.1020506@redhat.com>
Message-ID: <20131219211730.7156ca6a@mjolnir.ossman.eu>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 19 Dec 2013 11:10:21 -0500
Daniel J Walsh wrote:

> Looks like constraint violations.
>
> You have a unconfined_u:system_r:thinklinc_session_t:s0 transitioning to a
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>
> Which looks like you need to allow the domains to change role from system_r to
> unconfined_r and to change range from s0 to s0-s0:c0.c1023

So normally type changes are generally allowed, but user and role changes are
more protected in order to better track the user across processes?

> If you ran your avc through audit2why it should tell you that you have a
> constraint problem.

I see. I've grown a bit too accustomed to the fact that audit2why will give me
very low level suggestions without any clue as to what the refpolicy interface
might be. So I stopped using it when trying to write policy files.

> Perhaps adding these will solve your problem.
> domain_role_change_exemption(thinlinc_session_t)
> mls_process_set_level(thinklinc_session_t)

It seems they were already there, since I was using:

  auth_login_pgm_domain(thinlinc_session_t)

I ran into these problems when I started trying to move away from abusing
initrc_t.
The current policy for this process is this:

  type thinlinc_session_exec_t;
  corecmd_executable_file(thinlinc_session_exec_t)

  type thinlinc_session_t;
  domain_type(thinlinc_session_t)
  domain_entry_file(thinlinc_session_t, thinlinc_session_exec_t)
  auth_login_pgm_domain(thinlinc_session_t)

  domtrans_pattern(thinlinc_agent_t, thinlinc_session_exec_t, thinlinc_session_t)

  auth_write_login_records(thinlinc_session_t)

  userdom_spec_domtrans_all_users(thinlinc_session_t)
  userdom_signal_all_users(thinlinc_session_t)

  allow thinlinc_session_t self:capability { kill chown dac_override fowner setgid setuid };
  allow thinlinc_session_t self:process { getcap setsched setexec };
  allow thinlinc_session_t self:fifo_file rw_fifo_file_perms;

  miscfiles_read_localization(thinlinc_session_t)
  kernel_read_kernel_sysctls(thinlinc_session_t)
  logging_append_all_logs(thinlinc_session_t)

  filetrans_pattern(thinlinc_session_t, thinlinc_session_root_t, thinlinc_user_dir_t, dir)
  manage_dirs_pattern(thinlinc_session_t, thinlinc_session_root_t, thinlinc_user_dir_t)

  filetrans_pattern(thinlinc_session_t, thinlinc_user_dir_t, thinlinc_user_t, dir)
  manage_dirs_pattern(thinlinc_session_t, thinlinc_user_dir_t, thinlinc_user_t)
  manage_lnk_files_pattern(thinlinc_session_t, thinlinc_user_dir_t, thinlinc_user_dir_t)

  ifdef(`enable_mcs',`
  	range_transition thinlinc_agent_t thinlinc_session_t:process s0 - mcs_systemhigh;
  ')

  ifdef(`enable_mls',`
  	range_transition thinlinc_agent_t thinlinc_session_t:process s0 - mls_systemhigh;
  ')

Thank you for your help

-- 
Pierre Ossman           Software Development
Cendio AB               http://cendio.com
Teknikringen 8          http://twitter.com/ThinLinc
583 30 Linköping        http://facebook.com/ThinLinc
Phone: +46-13-214600    http://plus.google.com/112509906846170010689

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
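Added diagnostic example, not part of the thread and not Cendio's or refpolicy's code: it parses the scontext and tcontext of an AVC line and reports which context fields change, so that a role or range change (a constraint problem, as Dan points out) is not mistaken for a missing type-enforcement allow rule. The embedded AVC line is constructed from the contexts quoted above; the comm value is a placeholder.

```python
import re
from typing import NamedTuple

class Context(NamedTuple):
    user: str
    role: str
    type_: str
    level: str  # MLS/MCS range; empty when the context carries none

def parse_context(ctx: str) -> Context:
    """Split user:role:type[:range]; the range itself may contain ':' (s0-s0:c0.c1023)."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    return Context(parts[0], parts[1], parts[2], parts[3] if len(parts) == 4 else "")

AVC_RE = re.compile(r"scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")

def classify_transition(avc_line: str) -> dict:
    """Report which context fields differ between scontext and tcontext of one AVC line."""
    m = AVC_RE.search(avc_line)
    if not m:
        raise ValueError("no scontext/tcontext/tclass fields in line")
    src, dst = parse_context(m.group(1)), parse_context(m.group(2))
    changed = [f for f in Context._fields if getattr(src, f) != getattr(dst, f)]
    hints = []
    # A type change is an ordinary TE transition; user, role and range changes are
    # governed by constrain/mlsconstrain rules, which is what audit2why reports.
    if "user" in changed:
        hints.append(f"SELinux user {src.user} -> {dst.user}: constraint, not a TE allow")
    if "role" in changed:
        hints.append(f"role {src.role} -> {dst.role}: needs a role change exemption "
                     "(e.g. domain_role_change_exemption)")
    if "level" in changed:
        hints.append(f"range {src.level or 'none'} -> {dst.level or 'none'}: MLS/MCS "
                     "constraint (e.g. mls_process_set_level)")
    return {"tclass": m.group(3), "changed": changed,
            "constraint_suspect": bool(hints), "hints": hints}

# Constructed sample mirroring the contexts quoted in the thread (not a real log line).
SAMPLE_AVC = ('type=AVC msg=audit(1387480000.000:1): avc:  denied  { transition } for '
              'pid=1234 comm="placeholder" '
              'scontext=unconfined_u:system_r:thinlinc_session_t:s0 '
              'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process')

if __name__ == "__main__":
    for hint in classify_transition(SAMPLE_AVC)["hints"]:
        print(hint)
```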