On 2012-02-24 14:20, Kohei KaiGai wrote:

It seems to me you are trying to expand the categories of the client.
The log says sepgsql_setcon() tries to switch to "...:s0:c0.c15" from "...:s0".
It is not an admitted operation because of the increase of categories.

Yes, I had my eye on the missing c0.c1023 before but couldn't remember changing it, so wrongfully assumed that it would be semantically equivalent to c0.c1023.

LOG:  SELinux: denied { dyntransition }
scontext=unconfined_u:unconfined_r:unconfined_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0:c0.c15 tclass=process

May I see your /etc/selinux/targeted/seusers?

I think the "__default__" entry is configured as "unconfined_u:s0", instead of
"unconfined_u:s0:c0.c1023" as default.

In my environment, it is configured as follows:

   [root@iwashi ~]# cat /etc/selinux/targeted/seusers
   # This file is auto-generated by libsemanage
   # Do not edit directly.

   system_u:system_u:s0-s0:c0.c1023
   root:unconfined_u:s0-s0:c0.c1023
   __default__:unconfined_u:s0-s0:c0.c1023   <=== (*)


[mgrid@mgfedora ~]$ cat /etc/selinux/targeted/seusers
# This file is auto-generated by libsemanage
# Do not edit directly.

system_u:system_u:s0-s0:c0.c1023
root:unconfined_u:s0-s0:c0.c1023
__default__:unconfined_u:s0-s0:c0.c1023

but still

[mgrid@mgfedora ~]$ id -Z
system_u:unconfined_r:unconfined_t:s0
(I changed bash to run in the unconfined_u context before starting the regression test)

and

[root@mgfedora targeted]# id -Z
system_u:unconfined_r:unconfined_t:s0

When I created a new test user, its SELinux context showed the c0.c1023 - I don't know what's fishy about the mgrid user and root that causes c0.c1023 to be absent. Maybe I should reinstall this virtual machine. After setting the user "mgrid" on s0-s0:c0.c1023 with

semanage login -a -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 mgrid

the regression tests pass :-)

test label                    ... ok
test dml                      ... ok
test create                   ... ok
test misc                     ... ok

I'll continue reviewing the patch.

--
Yeb Havinga
http://www.mgrid.net/
Mastering Medical Data





--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
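
The category check behind the dyntransition denial discussed in this message, as an added example that is not part of the original thread or of sepgsql: a simplified Python model in which a switch is allowed only when the source's high level dominates the target's high level. All function names are hypothetical, and type-based exemptions that a loaded policy may carry are not modelled.

```python
# Added example (simplified model): an MLS/MCS context switch is allowed only
# if the source's high level dominates the target's high level. Type-based
# exemptions in a real policy are not modelled. All names are hypothetical.

def parse_cats(spec):
    """Expand 'c0.c15,c20' into a set of category numbers."""
    cats = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition(".")
        cats.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return cats

def high_level(mls_range):
    """'s0-s0:c0.c1023' or 's0:c0.c15' -> (sensitivity, categories) of the high end."""
    low, _, high = mls_range.partition("-")
    sens, _, cats = (high or low).partition(":")
    return int(sens[1:]), parse_cats(cats)

def context_range(context):
    """The MLS range is everything after user:role:type."""
    return context.split(":", 3)[3]

def may_switch(scontext, tcontext):
    """True if the source's high level dominates the target's high level."""
    s_sens, s_cats = high_level(context_range(scontext))
    t_sens, t_cats = high_level(context_range(tcontext))
    return s_sens >= t_sens and s_cats >= t_cats

def seusers_range(text, login):
    """Range that seusers assigns to a login, falling back to __default__."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _seuser, rng = line.split(":", 2)
            entries[name] = rng
    return entries.get(login, entries.get("__default__"))

# Contexts from the denial logged in this thread.
SCONTEXT = "unconfined_u:unconfined_r:unconfined_t:s0"
TCONTEXT = "unconfined_u:unconfined_r:unconfined_t:s0:c0.c15"
# seusers content as shown in this thread.
SEUSERS = """# This file is auto-generated by libsemanage
system_u:system_u:s0-s0:c0.c1023
root:unconfined_u:s0-s0:c0.c1023
__default__:unconfined_u:s0-s0:c0.c1023
"""

if __name__ == "__main__":
    print("as logged:", may_switch(SCONTEXT, TCONTEXT))
    fixed = SCONTEXT.rsplit(":", 1)[0] + ":" + seusers_range(SEUSERS, "mgrid")
    print("with seusers range:", may_switch(fixed, TCONTEXT))
```

Comparing `id -Z` output against the range that seusers assigns, as the message does by hand, is the same check: a login whose running context carries only `s0` cannot reach `s0:c0.c15` even when seusers lists the wider range.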
