From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 1 Dec 2015 10:50:45 -0500
Subject: [refpolicy] Transition not working as expected with boolean cron_userdomain_transition set to on
In-Reply-To: <5652F8F4.3090601@debian.org>
References: <5652F8F4.3090601@debian.org>
Message-ID: <565DC1D5.7020602@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 11/23/2015 6:31 AM, Laurent Bigonville wrote:
> Hi,
>
> While testing my patch for the at daemon, I think I also found a bug in
> the policy.
>
> With the cron_userdomain_transition boolean set to off I see the
> following behavior (user bigon is unconfined_u, test is user_u and
> test_staff is staff_u):
>
> bigon@soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0
> unconfined_u:unconfined_r:unconfined_cronjob_t:s0-s0:c0.c1023
> bigon@soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0
> user_u:user_r:cronjob_t:s0
> bigon@soldur:~$ /usr/sbin/getdefaultcon test_staff system_u:system_r:crond_t:s0
> staff_u:staff_r:cronjob_t:s0
>
> Everything seems OK here.
>
> But when I toggle the boolean to on, I see the following behavior:
>
> bigon@soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> bigon@soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0
> /usr/sbin/getdefaultcon: Invalid argument
> bigon@soldur:~$ /usr/sbin/getdefaultcon test_staff system_u:system_r:crond_t:s0
> staff_u:sysadm_r:sysadm_t:s0
>
> As you can see, a default context cannot be computed for the user_u user,
> and the staff_u domain is transitioned to sysadm_r:sysadm_t (not sure
> this is intended).
>
> In the Fedora policy I've found this patch:
> https://github.com/fedora-selinux/selinux-policy/commit/28afa6f6438070902daca6ecb5d97abad7d53a0d
>
> If I'm _adding_ the user context to the default context:
>
> bigon@soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> bigon@soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0
> user_u:user_r:user_t:s0
> bigon@soldur:~$ /usr/sbin/getdefaultcon test_staff system_u:system_r:crond_t:s0
> staff_u:staff_r:staff_t:s0
>
> I've attached a patch; am I understanding everything correctly here?

This makes sense, though the default_context files should probably be updated similarly.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
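The failure in the thread comes from the default_contexts lookup finding no entry that the policy lets crond_t reach once the boolean is on. The model below is an added illustration, not libselinux or refpolicy code: the default_contexts fragment, the patched variant and the "reachable" sets are constructed to mirror the thread's output, and the real lookup also consults the user's allowed roles, types and level.

```python
# Added illustration, not libselinux/refpolicy code.  Assumes refpolicy's
# line form "src_role:src_type tgt_role:tgt_type ..."; the reachable sets
# are constructed to mirror what cron_userdomain_transition toggles.

# Constructed default_contexts fragment: crond_t may only hand off to the
# cronjob domains, so there is no usable entry once the boolean is on.
DEFAULT_CONTEXTS = """\
system_r:crond_t  unconfined_r:unconfined_cronjob_t staff_r:cronjob_t user_r:cronjob_t
system_r:local_login_t  unconfined_r:unconfined_t staff_r:staff_t user_r:user_t
"""

# Same fragment with the login domains added, as the thread's patch does.
DEFAULT_CONTEXTS_FIXED = DEFAULT_CONTEXTS.replace(
    "user_r:cronjob_t", "user_r:cronjob_t staff_r:staff_t user_r:user_t", 1)

def parse_default_contexts(text):
    """Map each source 'role:type' to its ordered target 'role:type' list."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#"):
            table[fields[0]] = fields[1:]
    return table

def pick_default(table, source_ctx, reachable):
    """First listed target the caller can reach; None is the case that
    getdefaultcon reports as 'Invalid argument'."""
    _user, role, type_ = source_ctx.split(":")[:3]
    for target in table.get(f"{role}:{type_}", []):
        if target in reachable:
            return target
    return None

def reachable_from_crond(user_role, boolean_on):
    """Constructed stand-in for the policy: boolean off -> the role's
    cronjob_t, boolean on -> the role's own login domain."""
    own = {"user_r": "user_t", "staff_r": "staff_t"}[user_role]
    return {f"{user_role}:{own if boolean_on else 'cronjob_t'}"}

def cron_default_for(table, user_role, boolean_on):
    """Default context crond_t would select for a user in user_role."""
    return pick_default(table, "system_u:system_r:crond_t:s0",
                        reachable_from_crond(user_role, boolean_on))

if __name__ == "__main__":
    for label, text in (("stock", DEFAULT_CONTEXTS), ("patched", DEFAULT_CONTEXTS_FIXED)):
        table = parse_default_contexts(text)
        for role in ("user_r", "staff_r"):
            print(label, role, "boolean on ->", cron_default_for(table, role, True))
```

Running it prints None for the stock file with the boolean on, the same condition that surfaces as the "Invalid argument" error above, and the login domains once the entries are added.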