
checkpolicy constraints bug


constrain process transition
      ( r1 == r2 or ( t1 == privrole and t2 == userdomain )
ifdef(`crond.te', `
         or (t1 == crond_t and t2 == user_crond_domain)
')
ifdef(`userhelper.te',
      `or (t1 == userhelperdomain)')
ifdef(`postfix.te', `
ifdef(`direct_sysadm_daemon',
      `or (t1 == sysadm_mail_t and t2 == system_mail_t and r2 == system_r )')
')
       or (t1 == priv_system_role and r2 == system_r )
        );


The above section in the constraints file for the strict policy works with 
checkpolicy version 1.23.1-1 (FC4 release) but fails with 1.25.3-1 (latest 
rawhide).

type=AVC msg=audit(1123680529.941:1493682): avc:  denied  { transition } for  pid=3242 comm="bash" name="sshd" dev=dm-0 ino=69461 scontext=root:sysadm_r:sysadm_t tcontext=root:system_r:initrc_t tclass=process
type=SYSCALL msg=audit(1123680529.941:1493682): arch=40000003 syscall=11 success=no exit=-13 a0=8cbea88 a1=8cbd2c8 a2=8cbbc30 a3=1 items=1 pid=3242 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="bash" exe="/bin/bash"
type=AVC_PATH msg=audit(1123680529.941:1493682):  path="/etc/rc.d/init.d/sshd"
type=CWD msg=audit(1123680529.941:1493682):  cwd="/root"
type=PATH msg=audit(1123680529.941:1493682): item=0 name="/etc/init.d/sshd" flags=101  inode=69461 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00


Above is the relevant section from the audit.log file.  Nothing else changed 
apart from the checkpolicy version; downgrading to the old version makes 
checkpolicy produce a binary policy that works.
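When a transition is denied under a constraint like the one above, the first thing to establish is whether the constraint expression itself permits the denied (source context, target context) pair, because if it does, the denial points at the policy compiler rather than at the policy. The script below is an added example, not code from the report or from checkpolicy: it parses the AVC record quoted above, maps the two contexts onto the u1/r1/t1/u2/r2/t2 variables, and evaluates the constraint with a small recursive-descent evaluator for the and/or/not/==/!= language, reporting which top-level `or` clauses are satisfied. Which ifdef() blocks are active, and which types carry the privrole, userdomain, user_crond_domain, userhelperdomain and priv_system_role attributes, are assumptions made here for illustration; the real sets come from the policy's .te files, which the report does not include.

```python
import re

# Constructed copy of the constraint from the report with the m4 ifdef() blocks
# resolved. ASSUMPTION: crond.te and userhelper.te are present, postfix.te and
# direct_sysadm_daemon are not.
CONSTRAINT = """
( r1 == r2 or ( t1 == privrole and t2 == userdomain )
  or (t1 == crond_t and t2 == user_crond_domain)
  or (t1 == userhelperdomain)
  or (t1 == priv_system_role and r2 == system_r ) )
"""

# The AVC record from the report, joined onto one line.
AVC_LINE = (
    'type=AVC msg=audit(1123680529.941:1493682): avc:  denied  { transition } for  '
    'pid=3242 comm="bash" name="sshd" dev=dm-0 ino=69461 '
    'scontext=root:sysadm_r:sysadm_t tcontext=root:system_r:initrc_t tclass=process'
)

# ASSUMED attribute membership, constructed for this example only.
ATTRIBUTES = {
    "privrole": {"newrole_t"},
    "userdomain": {"user_t", "staff_t", "sysadm_t"},
    "user_crond_domain": {"user_crond_t", "sysadm_crond_t"},
    "userhelperdomain": {"sysadm_userhelper_t"},
    "priv_system_role": {"sysadm_t"},
}

TOKEN = re.compile(r"\(|\)|==|!=|\w+")


def parse_avc(line):
    """Pull the permission set, contexts and object class out of an AVC record."""
    perms = re.search(r"\{ ([^}]*) \}", line).group(1).split()
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    return {"perms": perms, "scontext": fields["scontext"],
            "tcontext": fields["tcontext"], "tclass": fields["tclass"]}


def constraint_env(scontext, tcontext):
    """Map a source/target context pair onto the constraint variables."""
    u1, r1, t1 = scontext.split(":")[:3]   # any MLS range after the type is dropped
    u2, r2, t2 = tcontext.split(":")[:3]
    return {"u1": u1, "r1": r1, "t1": t1, "u2": u2, "r2": r2, "t2": t2}


class ConstraintEvaluator:
    """Recursive-descent evaluator: expr := term ('or' term)*, term := factor ('and' factor)*,
    factor := 'not' factor | '(' expr ')' | var ('==' | '!=') (var | name)."""

    def __init__(self, tokens, env, attributes):
        self.toks, self.pos, self.env, self.attrs = tokens, 0, env, attributes

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.toks[self.pos]
        self.pos += 1
        return tok

    def expr(self):
        value = self.term()
        while self.peek() == "or":
            self.take()
            value = self.term() or value     # always consume the operand, no short-circuit
        return value

    def term(self):
        value = self.factor()
        while self.peek() == "and":
            self.take()
            value = self.factor() and value
        return value

    def factor(self):
        if self.peek() == "not":
            self.take()
            return not self.factor()
        if self.peek() == "(":
            self.take()
            value = self.expr()
            if self.take() != ")":
                raise SyntaxError("expected ')'")
            return value
        lhs, op, rhs = self.take(), self.take(), self.take()
        if lhs not in self.env or op not in ("==", "!="):
            raise SyntaxError(f"bad comparison {lhs} {op} {rhs}")
        if rhs in self.env:                  # variable against variable, e.g. r1 == r2
            result = self.env[lhs] == self.env[rhs]
        elif lhs.startswith("t"):            # a type against a type or an attribute name
            result = self.env[lhs] in self.attrs.get(rhs, {rhs})
        else:                                # a user or role against a literal name
            result = self.env[lhs] == rhs
        return result if op == "==" else not result


def evaluate(constraint, env, attributes=ATTRIBUTES):
    ev = ConstraintEvaluator(TOKEN.findall(constraint), env, attributes)
    value = ev.expr()
    if ev.peek() is not None:
        raise SyntaxError(f"trailing token {ev.peek()!r}")
    return value


def _strip_wrapper(toks):
    """Remove one pair of parentheses only if it encloses the whole expression."""
    if toks[0] != "(" or toks[-1] != ")":
        return toks
    depth = 0
    for tok in toks[:-1]:
        depth += (tok == "(") - (tok == ")")
        if depth == 0:
            return toks
    return toks[1:-1]


def top_level_clauses(constraint):
    """Split the expression on the outermost 'or' operators."""
    clauses, current, depth = [], [], 0
    for tok in _strip_wrapper(TOKEN.findall(constraint)):
        depth += (tok == "(") - (tok == ")")
        if tok == "or" and depth == 0:
            clauses.append(" ".join(current))
            current = []
        else:
            current.append(tok)
    clauses.append(" ".join(current))
    return clauses


def permitting_clauses(constraint, env, attributes=ATTRIBUTES):
    """The top-level disjuncts that are true for env, i.e. the clauses that should allow it."""
    return [c for c in top_level_clauses(constraint) if evaluate(c, env, attributes)]


if __name__ == "__main__":
    avc = parse_avc(AVC_LINE)
    env = constraint_env(avc["scontext"], avc["tcontext"])
    print("denied", avc["perms"], "on", avc["tclass"], "for", env["t1"], "->", env["t2"])
    print("constraint satisfied:", evaluate(CONSTRAINT, env))
    for clause in permitting_clauses(CONSTRAINT, env):
        print("  permitted by clause:", clause)
```

Under the assumed attribute sets the denied sysadm_t (sysadm_r) to initrc_t (system_r) transition is permitted by the `t1 == priv_system_role and r2 == system_r` clause, so with those memberships confirmed from the real policy.conf the evaluator output can be compared directly against what the two checkpolicy versions produced.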

I will be happy to provide the policy.conf as well as both versions of the 
binary if desired.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.