Linda Knippers wrote:
Are only users cleared to SystemHigh supposed to be able to see translated
labels?

That seems to be the way it works right now with mcstransd.  The unix
domain socket between libselinux and mcstransd is SystemHigh so while
commands (ls -Z) run on behalf of a regular user (default SystemLow)
try to translate the labels and can write the request to the socket
but the daemon can't send the response.

For example, this works:
[EMAIL PROTECTED] ~]#  ls -lZd /bin
drwxr-xr-x  root root system_u:object_r:bin_t:SystemLow /bin

This doesn't:
[EMAIL PROTECTED] ~]$ ls -lZd /bin
drwxr-xr-x  root root system_u:object_r:bin_t:s0       /bin

This is broken. I am not sure how to handle this. I have changed it back to SystemLow-SystemHigh, which allows it to work properly, but I think we need some constraints to prevent someone from getting translations at a higher level than they are authorized for.

and generates these:

type=AVC msg=audit(1159373436.221:602): avc:  denied  { write } for  pid=1862
comm="mcstransd" name="[9948]" dev=sockfs ino=9948
scontext=system_u:system_r:setrans_t:s15:c0.c1023
tcontext=system_u:system_r:setrans_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1159373436.221:602): arch=40000003 syscall=146 success=no
exit=-13 a0=5 a1=bfa03dc8 a2=3 a3=3 items=0 ppid=1 pid=1862 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
comm="mcstransd" exe="/sbin/mcstransd"
subj=system_u:system_r:setrans_t:s15:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1159373436.221:602):  path="socket:[9948]"

The socket looks like this:
bash-3.1# ls -alZ /var/run/setrans/.setrans-unix
srwxrwxrwx  root root system_u:object_r:setrans_var_run_t:SystemHigh
/var/run/setrans/.setrans-unix

I
-- ljk
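
The AVC denial quoted above, read as an MLS level comparison (an added example, not part of the original thread). It uses a simplified Bell-LaPadula check rather than the real policy constraints, and the function names are hypothetical; the record is copied from the message and joined onto one line.

```python
import re

# AVC record copied from the message above, joined onto one line.
AVC = ('type=AVC msg=audit(1159373436.221:602): avc:  denied  { write } for  pid=1862 '
       'comm="mcstransd" name="[9948]" dev=sockfs ino=9948 '
       'scontext=system_u:system_r:setrans_t:s15:c0.c1023 '
       'tcontext=system_u:system_r:setrans_t:s0 tclass=unix_stream_socket')

def parse_level(level):
    """'s15:c0.c1023' -> (15, frozenset of category numbers 0..1023)."""
    sens, _, cats = level.partition(":")
    out = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")        # 'c0.c1023' is an inclusive range
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        out.update(range(lo_n, hi_n + 1))
    return int(sens[1:]), frozenset(out)

def parse_context(ctx):
    """Split user:role:type:range and return (type, low level, high level)."""
    _user, _role, type_, mls = ctx.split(":", 3)
    low, _, high = mls.partition("-")
    return type_, parse_level(low), parse_level(high or low)

def dominates(a, b):
    """Level a dominates b: sensitivity is >= and categories are a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def explain(avc_line):
    """Classify a denial as write-down / read-up under the simplified model."""
    perm = re.search(r"\{ (\w+) \}", avc_line).group(1)
    s = parse_context(re.search(r"scontext=(\S+)", avc_line).group(1))
    t = parse_context(re.search(r"tcontext=(\S+)", avc_line).group(1))
    s_low, s_high, t_low = s[1], s[2], t[1]
    if perm == "write" and dominates(s_low, t_low) and s_low != t_low:
        return "write-down"    # subject's low level is strictly above the object
    if perm == "read" and not dominates(s_high, t_low):
        return "read-up"       # object is above the subject's clearance
    return "no level mismatch in this simplified model"

if __name__ == "__main__":
    print(explain(AVC))
```

With the daemon's range widened to `s0-s15:c0.c1023`, its low level equals the client socket's `s0` and the same check no longer flags the write, which matches the behaviour described in the reply.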
