From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 2 Dec 2015 09:35:36 -0500
Subject: [refpolicy] Transition not working as expected with boolean cron_userdomain_transition set to on
In-Reply-To: <565DCA23.3070301@debian.org>
References: <5652F8F4.3090601@debian.org> <565DC1D5.7020602@tresys.com> <565DCA23.3070301@debian.org>
Message-ID: <565F01B8.6060602@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/1/2015 11:26 AM, Laurent Bigonville wrote:
> On 01/12/15 16:50, Christopher J. PeBenito wrote:
>> On 11/23/2015 6:31 AM, Laurent Bigonville wrote:
>>> Hi,
>>>
>>> While testing my patch for the at daemon, I think I also found a bug in
>>> the policy.
>>>
>>> With the cron_userdomain_transition boolean set to off I see the
>>> following behavior: user bigon is unconfined_u, test is user_u and
>>> test_staff is staff_u.
>>>
>>> bigon at soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0
>>> unconfined_u:unconfined_r:unconfined_cronjob_t:s0-s0:c0.c1023
>>> bigon at soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0
>>> user_u:user_r:cronjob_t:s0
>>> bigon at soldur:~$ /usr/sbin/getdefaultcon test_staff system_u:system_r:crond_t:s0
>>> staff_u:staff_r:cronjob_t:s0
>>>
>>> Everything seems OK here.
>>>
>>> But when I toggle the boolean to on, I see the following behavior:
>>>
>>> bigon at soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0
>>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>> bigon at soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0
>>> /usr/sbin/getdefaultcon: Invalid argument
>>> bigon at soldur:~$ /usr/sbin/getdefaultcon test_staff system_u:system_r:crond_t:s0
>>> staff_u:sysadm_r:sysadm_t:s0
>>>
>>> As you can see, a default context cannot be computed for the user_u user,
>>> and the staff_u domain is transitioned to sysadm_r:sysadm_t (not sure
>>> this is intended).
>>>
>>> In the Fedora policy I've found this patch:
>>> https://github.com/fedora-selinux/selinux-policy/commit/28afa6f6438070902daca6ecb5d97abad7d53a0d
>>>
>>> If I'm _adding_ the user context to the default context:
>>>
>>> bigon at soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0
>>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>> bigon at soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0
>>> user_u:user_r:user_t:s0
>>> bigon at soldur:~$ /usr/sbin/getdefaultcon test_staff system_u:system_r:crond_t:s0
>>> staff_u:staff_r:staff_t:s0
>>>
>>> I've attached a patch; am I understanding everything correctly here?
>> This makes sense, though the default_context files should probably be
>> updated similarly.
> Is the order relevant here?

For each line, the order is relevant. The libraries will choose the first partial context that will result in a valid context. I'd have to look at the code to see if it will skip partial contexts if the context is valid but the transition is denied.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
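The selection rule Chris describes, as an added example that is not part of this thread or of libselinux: a simplified Python model of the default_contexts lookup, with constructed sample lines and a constructed user-to-role map standing in for the real policy validity check, that reproduces the three getdefaultcon outcomes quoted above and shows why the order of the partial contexts on a line matters.

```python
"""Simplified model of how libselinux walks one default_contexts line (added example)."""

# Constructed sample lines (hypothetical contents, not the refpolicy file):
# the key is the source context without its user, followed by partial
# role:type[:range] contexts in the order the library will try them.
LINE_BEFORE = ("system_r:crond_t:s0\t"
               "sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0-s0:c0.c1023\n")
LINE_AFTER = ("system_r:crond_t:s0\t"
              "user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 "
              "unconfined_r:unconfined_t:s0-s0:c0.c1023\n")
LINE_SWAPPED = ("system_r:crond_t:s0\t"
                "user_r:user_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0\n")

# Constructed stand-in for the policy's user -> authorised roles declarations.
USER_ROLES = {
    "user_u": {"user_r"},
    "staff_u": {"staff_r", "sysadm_r"},
    "unconfined_u": {"unconfined_r"},
}


def parse_default_contexts(text):
    """Map a 'role:type[:range]' source key to its partial contexts, in file order."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if fields:
            table.setdefault(fields[0], []).extend(fields[1:])
    return table


def strip_user(context):
    """'system_u:system_r:crond_t:s0' -> 'system_r:crond_t:s0'."""
    return context.split(":", 1)[1]


def is_valid(seuser, partial):
    """Stand-in validity check: the partial context's role must be allowed for seuser."""
    return partial.split(":")[0] in USER_ROLES.get(seuser, set())


def get_default_context(text, source_context, seuser):
    """Return the first valid partial context on the matching line, or None."""
    partials = parse_default_contexts(text).get(strip_user(source_context), [])
    for partial in partials:  # first hit wins, so line order decides the outcome
        if is_valid(seuser, partial):
            return f"{seuser}:{partial}"
    return None  # getdefaultcon reports this as "Invalid argument"
```

With LINE_BEFORE, user_u gets no context and staff_u falls through to sysadm_r:sysadm_t; with LINE_AFTER both get their own domain, and LINE_SWAPPED shows staff_u landing in sysadm_t again simply because sysadm_r is listed first.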