2016-08-31 11:09:47

by Lukas Vrabec

Subject: [refpolicy] Enforcing MLS policy and rescue mode

Hi,

I'm facing an issue on RHEL7 with the MLS policy in enforcing state. The
system is not reacting after booting into rescue mode. The issue here is a
missing transition rule where the sulogin_t domain with s15:c0.c1023 is
trying to transition to sysadm_t with s0-s15:c0.c1023. I don't think that
we want to allow this.

On the other hand, the question is whether the enforced MLS policy is
supported in rescue mode?

Thanks for help.
Lukas.

--
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.


2016-08-31 22:46:10

by Chris PeBenito

Subject: [refpolicy] Enforcing MLS policy and rescue mode

On 08/31/16 07:09, Lukas Vrabec via refpolicy wrote:
> Hi,
>
> I'm facing an issue on RHEL7 with the MLS policy in enforcing state. The
> system is not reacting after booting into rescue mode. The issue here is a
> missing transition rule where the sulogin_t domain with s15:c0.c1023 is
> trying to transition to sysadm_t with s0-s15:c0.c1023. I don't think that
> we want to allow this.
>
> On the other hand, the question is whether the enforced MLS policy is
> supported in rescue mode?

It should be supported, even if it doesn't work right now. I believe
sulogin_t should probably have the same MLS range as local_login_t, as
they're of equivalent MLS sensitivity. With that in place, the
transition to sysadm_t should be allowed, regardless of the change of range.

--
Chris PeBenito
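The reasoning in Chris's reply can be checked mechanically. The block below is an added example, not code from the thread or from refpolicy: it parses SELinux MLS levels and ranges (sensitivity plus category set, with `c0.c1023`-style category ranges) and evaluates a simplified model of the process transition constraint in refpolicy's `policy/mls` (`(h1 dom h2) and ((l1 eq l2) or (t1 == mlsprocsetsl) or ((t1 == privrangetrans) and (t2 == mlsrangetrans)))`; the attribute names are given from memory and are an assumption, not quoted from this thread). With sulogin_t at `s15:c0.c1023` the low levels differ from sysadm_t's `s0-s15:c0.c1023`, so the transition is refused unless the range-transition attributes are set; with sulogin_t at local_login_t's range `s0-s15:c0.c1023` the low levels are equal and the transition passes.

```python
# Added example: model SELinux MLS dominance and the process-transition
# constraint to show why the sulogin_t -> sysadm_t transition fails.
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    sens: int             # sensitivity, e.g. 15 for "s15"
    cats: frozenset       # set of category numbers, e.g. {0, ..., 1023}

    def dominates(self, other):
        # "a dom b": a's sensitivity >= b's and a's categories are a superset of b's
        return self.sens >= other.sens and other.cats <= self.cats


def parse_cats(text):
    """Parse 'c0.c1023' or 'c1,c5.c7' into a frozenset of category numbers."""
    cats = set()
    for part in text.split(","):
        if "." in part:
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return frozenset(cats)


def parse_level(text):
    """Parse 's15:c0.c1023' or 's0' into a Level."""
    if ":" in text:
        sens, cats = text.split(":", 1)
        return Level(int(sens[1:]), parse_cats(cats))
    return Level(int(text[1:]), frozenset())


def parse_range(text):
    """Parse 's0-s15:c0.c1023' into (low, high); a single level means low == high."""
    if "-" in text:
        low, high = text.split("-", 1)
        return parse_level(low), parse_level(high)
    level = parse_level(text)
    return level, level


def check_transition(src_range, dst_range, src_privrangetrans=False,
                     dst_mlsrangetrans=False, src_mlsprocsetsl=False):
    """Simplified model (assumption) of refpolicy's mlsconstrain for
    process { transition dyntransition }. Returns (allowed, reason)."""
    l1, h1 = parse_range(src_range)
    l2, h2 = parse_range(dst_range)
    if not h1.dominates(h2):
        return False, "high level of source does not dominate high level of target"
    if l1 == l2:
        return True, "low levels are equal"
    if src_mlsprocsetsl:
        return True, "source domain has mlsprocsetsl"
    if src_privrangetrans and dst_mlsrangetrans:
        return True, "source has privrangetrans and target has mlsrangetrans"
    return False, "low level changes and no range-transition privilege applies"


def transition_allowed(src_range, dst_range, **privs):
    return check_transition(src_range, dst_range, **privs)[0]


if __name__ == "__main__":
    # Constructed cases mirroring the thread: ranges as reported for sulogin_t,
    # sysadm_t and local_login_t.
    for src, dst in [("s15:c0.c1023", "s0-s15:c0.c1023"),
                     ("s0-s15:c0.c1023", "s0-s15:c0.c1023")]:
        allowed, reason = check_transition(src, dst)
        print(f"{src} -> {dst}: {'allowed' if allowed else 'denied'} ({reason})")
```

Running the block prints the two cases from the thread: the `s15:c0.c1023` source is denied because the low level changes, and the `s0-s15:c0.c1023` source is allowed because the low levels are equal; the model ignores the non-MLS parts of the decision (the type enforcement `transition` rule itself still has to exist).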

2016-09-02 08:43:50

by Lukas Vrabec

Subject: [refpolicy] Enforcing MLS policy and rescue mode

On 09/01/2016 12:46 AM, Chris PeBenito wrote:
> On 08/31/16 07:09, Lukas Vrabec via refpolicy wrote:
>> Hi,
>>
>> I'm facing an issue on RHEL7 with the MLS policy in enforcing state. The
>> system is not reacting after booting into rescue mode. The issue here is a
>> missing transition rule where the sulogin_t domain with s15:c0.c1023 is
>> trying to transition to sysadm_t with s0-s15:c0.c1023. I don't think that
>> we want to allow this.
>>
>> On the other hand, the question is whether the enforced MLS policy is
>> supported in rescue mode?
>
> It should be supported, even if it doesn't work right now. I believe
> sulogin_t should probably have the same MLS range as local_login_t, as
> they're of equivalent MLS sensitivity. With that in place, the
> transition to sysadm_t should be allowed, regardless of the change of
> range.
>
Hi Chris,
I changed the MLS range of sulogin_t to be the same as local_login_t's,
and rescue mode started working.

Thank you for your help!
Lukas.

--
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.