On Tue, 2007-03-20 at 21:42 -0400, Paul Moore wrote:
> On Tuesday 20 March 2007 6:27:20 pm Loulwa Salem wrote:
> > I am seeing a strange behavior on my system. I am running with the latest
> > and greatest kernel (.69) and packages freshly installed today from Steve's
> > repo on a ppc system in Enforcing mode of course.
> > Note: The ssh_sysadm_login and allow_netlabel booleans are both on.
> >
> > Steps to reproduce the problem:
> > - ssh into system with your admin user as sysadm role
> >   ssh -l ealuser/sysadm_r/s0-s15:c0.c1023 localhost
> > - switch to root
> >   /bin/su -
> > - execute any netlabel command
> >   netlabelctl cipsov4 add pass doi:1 tags:1
> >
> > I am able to log in fine, and I expect the netlabel command to pass however
> > I get a permission denied.
>
> I haven't verified this (I'm at home and don't have an LSPP machine handy)
> but it was originally the case where you had to be in the secadm_r role to be
> able to use netlabelctl. Unless Dan/Chris added the netlabel_mgmt_t domain
> to the sysadm_r role I don't expect you'll be able to run netlabelctl.
>
> > ---- netlabel related records (the only 2 records I see when I get perm
> > denied)
> > type=SELINUX_ERR msg=audit(1174412941.179:771): security_compute_sid: invalid context ealuser_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 for scontext=ealuser_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:netlabel_mgmt_exec_t:s0 tclass=process
> > type=SYSCALL msg=audit(1174412941.179:771): arch=14 syscall=11 success=no exit=-13 a0=10121d98 a1=1011edd0 a2=1011ee58 a3=0 items=0 ppid=3090 pid=3123 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="bash" exe="/bin/bash" subj=ealuser_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
>
> Like Linda I'm also a little curious as to the invalid context message,
> something is not right ... why is a non system user, i.e. not system_u,
> running with the system_r role?
Pre-Fedora SELinux required use of run_init to launch system processes in the right user identity and role from an admin shell, but that was viewed as too radical a departure for users and too pervasive a change (e.g. rpm scriptlets, third party rpms, ...), so Fedora SELinux re-introduced automatic role transitions (role_transition statements) to automatically move system processes into system_r. Unfortunately, there is no such thing as a user_transition statement (we didn't envision a need for automatic user transitions, and thought they would encourage unsafe policy), so you can't also automatically move them into system_u. Hardened Gentoo dealt with the issue by directly integrating run_init-like functionality into their init system via a shared object (they have an unusual init system).

--
Stephen Smalley
National Security Agency

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
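As an added illustration of the transition behaviour Stephen describes (example code, not from the thread or from any SELinux project), here is a small Python model of how the new process context is derived on exec: the role_transition moves the role to system_r, but since no user_transition statement exists the user stays ealuser_u, yielding exactly the context the SELINUX_ERR record above rejects. The policy tables (TYPE_TRANSITIONS, ROLE_TRANSITIONS, USER_ROLES, ROLE_TYPES) are constructed toy fragments, not real reference-policy rules.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    mls: str

    def __str__(self) -> str:
        return f"{self.user}:{self.role}:{self.type}:{self.mls}"

    @classmethod
    def parse(cls, s: str) -> "Context":
        # Split on the first three ':' only; the MLS range itself may contain ':'.
        user, role, type_, mls = s.split(":", 3)
        return cls(user, role, type_, mls)

# Constructed toy policy fragments modelled on the thread (assumptions, not refpolicy).
# type_transition: (source domain, executable type) -> new domain
TYPE_TRANSITIONS = {("sysadm_t", "netlabel_mgmt_exec_t"): "netlabel_mgmt_t"}
# role_transition: (source role, executable type) -> new role (what Fedora re-introduced)
ROLE_TRANSITIONS = {("sysadm_r", "netlabel_mgmt_exec_t"): "system_r"}
# user statements: which roles each SELinux user is authorized for
USER_ROLES = {"ealuser_u": {"sysadm_r", "staff_r"}, "system_u": {"system_r"}}
# role statements: which domains each role is authorized for
ROLE_TYPES = {"sysadm_r": {"sysadm_t"}, "system_r": {"netlabel_mgmt_t"}}

def compute_sid(scontext: Context, exec_type: str) -> Context:
    """Derive the new process context on exec (tclass=process), field by field."""
    new_type = TYPE_TRANSITIONS.get((scontext.type, exec_type), scontext.type)
    new_role = ROLE_TRANSITIONS.get((scontext.role, exec_type), scontext.role)
    # There is no user_transition, so the user (and the MLS range) are inherited.
    return Context(scontext.user, new_role, new_type, scontext.mls)

def validate(ctx: Context) -> Optional[str]:
    """Return None if the context is valid under the toy policy, else the reason."""
    if ctx.role not in USER_ROLES.get(ctx.user, set()):
        return f"user {ctx.user} is not authorized for role {ctx.role}"
    if ctx.type not in ROLE_TYPES.get(ctx.role, set()):
        return f"role {ctx.role} is not authorized for type {ctx.type}"
    return None

def exec_check(scontext: str, tcontext: str) -> Tuple[str, Optional[str]]:
    """Simulate exec of the file labelled tcontext from a process labelled scontext."""
    new = compute_sid(Context.parse(scontext), Context.parse(tcontext).type)
    return str(new), validate(new)

if __name__ == "__main__":
    new, why = exec_check("ealuser_u:sysadm_r:sysadm_t:s0-s15:c0.c1023",
                          "system_u:object_r:netlabel_mgmt_exec_t:s0")
    print(new, "->", why or "valid")
```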
