From: bigon@debian.org (Laurent Bigonville)
Date: Tue, 1 Dec 2015 17:26:11 +0100
Subject: [refpolicy] Transition not working as expected with boolean cron_userdomain_transition set to on
In-Reply-To: <565DC1D5.7020602@tresys.com>
References: <5652F8F4.3090601@debian.org> <565DC1D5.7020602@tresys.com>
Message-ID: <565DCA23.3070301@debian.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 01/12/15 16:50, Christopher J. PeBenito wrote:
> On 11/23/2015 6:31 AM, Laurent Bigonville wrote:
>> Hi,
>>
>> While testing my patch for the at daemon, I think I also found a bug in
>> the policy.
>>
>> With the cron_userdomain_transition boolean set to off I see the
>> following behavior, user bigon is unconfined_u, test is user_u and
>> test_staff is staff_u
>>
>> bigon at soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0
>> unconfined_u:unconfined_r:unconfined_cronjob_t:s0-s0:c0.c1023
>> bigon at soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0
>> user_u:user_r:cronjob_t:s0
>> bigon at soldur:~$ /usr/sbin/getdefaultcon test_staff
>> system_u:system_r:crond_t:s0
>> staff_u:staff_r:cronjob_t:s0
>>
>>
>> Everything seems OK here.
>>
>> But when I toggle the boolean to on, I see the following behavior:
>>
>> bigon at soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0
>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> bigon at soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0
>> /usr/sbin/getdefaultcon: Invalid argument
>> bigon at soldur:~$ /usr/sbin/getdefaultcon test_staff
>> system_u:system_r:crond_t:s0
>> staff_u:sysadm_r:sysadm_t:s0
>>
>> As you can see a default context cannot be computed for the user_u user
>> and the staff_u domain is transitioned to sysadm_r:sysadm_t (not sure
>> this is intended)
>>
>> In the fedora policy I've found this patch
>> https://github.com/fedora-selinux/selinux-policy/commit/28afa6f6438070902daca6ecb5d97abad7d53a0d
>>
>>
>> If I'm _adding_ the user context to the default context
>>
>> bigon at soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0
>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> bigon at soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0
>> user_u:user_r:user_t:s0
>> bigon at soldur:~$ /usr/sbin/getdefaultcon test_staff
>> system_u:system_r:crond_t:s0
>> staff_u:staff_r:staff_t:s0
>>
>> I've attached a patch, am I understanding everything correctly here?
> This makes sense, though the default_context files should probably be
> updated similarly.

Is the order relevant here?
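The three getdefaultcon runs above, replayed against a simplified model (added here as an illustration, not code from the thread or from refpolicy). It assumes the candidates listed for crond_t in default_contexts are tried in the order written, the first one the SELinux user can reach wins, and nothing outside the list is ever chosen; the policy facts and the two default_contexts lines are constructed for the demonstration, and MLS levels are ignored.

```python
# Constructed policy facts (not extracted from any real policy).
USER_ROLES = {"unconfined_u": {"unconfined_r"}, "user_u": {"user_r"},
              "staff_u": {"staff_r", "sysadm_r"}}
ROLE_TYPES = {"unconfined_r": {"unconfined_t", "unconfined_cronjob_t"},
              "user_r": {"user_t", "cronjob_t"},
              "staff_r": {"staff_t", "cronjob_t"},
              "sysadm_r": {"sysadm_t", "cronjob_t"}}
# Domains crond_t may transition to, per value of cron_userdomain_transition.
CROND_TARGETS = {False: {"cronjob_t", "unconfined_cronjob_t"},
                 True: {"user_t", "staff_t", "sysadm_t", "unconfined_t"}}

# Constructed crond_t entries in default_contexts format (all levels s0).
LINE_BEFORE = ("system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 "
               "sysadm_r:sysadm_t:s0 unconfined_r:unconfined_cronjob_t:s0 "
               "unconfined_r:unconfined_t:s0")
# Same entry with the user domains added, placed before sysadm_r:sysadm_t.
LINE_AFTER = ("system_r:crond_t:s0 user_r:cronjob_t:s0 user_r:user_t:s0 "
              "staff_r:cronjob_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 "
              "unconfined_r:unconfined_cronjob_t:s0 unconfined_r:unconfined_t:s0")


def default_context(line, seuser, transition_on):
    """First candidate the user can reach, as user:role:type:level, or None
    (the case getdefaultcon reports as 'Invalid argument')."""
    _fromcon, *candidates = line.split()
    for cand in candidates:
        role, typ, level = cand.split(":")
        if (role in USER_ROLES[seuser]            # user may take the role
                and typ in ROLE_TYPES[role]       # role:type pair is valid
                and typ in CROND_TARGETS[transition_on]):  # crond_t may go there
            return f"{seuser}:{role}:{typ}:{level}"
    return None


if __name__ == "__main__":
    for name, line in (("before", LINE_BEFORE), ("after", LINE_AFTER)):
        for on in (False, True):
            for u in USER_ROLES:
                print(f"{name:6} boolean={'on ' if on else 'off'} {u:12} -> "
                      f"{default_context(line, u, on)}")
```

Swapping the staff_r:staff_t and sysadm_r:sysadm_t candidates in LINE_AFTER makes staff_u land in sysadm_r:sysadm_t again, so in this model the order of the entries does decide the outcome.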