Paul Moore wrote:
> On Wednesday, March 21 2007 4:21:42 pm Stephen Smalley wrote:
> > On Wed, 2007-03-21 at 16:13 -0400, Paul Moore wrote:
> > > This leads me to two questions:
> > > * Why does the 'netlabel_mgmt_t' domain not have write access to the
> > > 'sysadm_tty_device_t' object when the terminal context should be
> > > included in the 'admin_terminal' type attribute which is used in the
> > > call to 'netlabel_run_mgmt()' via 'userdom_security_administrator()'
> > > for 'sysadm_r'?
> > MLS-related denial?
> I don't think so as everything in this case should be at SystemLow, however,
> I'm not seeing any avc denials in the audit logs so I can't say for certain
> at this point.
I have always seen this problem but for some reason didn't report it, thinking it
just behaves that way!! As you said, the command succeeds (adding a cipso map in
my case below) and I see the record in the audit log, but no output is printed,
even when I am doing a listing of the cipso mapping.
Here are the AVCs I got when I tried netlabelctl from the console as
root/sysadm_r/sysadm_t:SystemLow-SystemHigh.
At first I didn't see any AVC; then I installed the enableaudit module:
semodule -b /usr/share/selinux/mls/enableaudit.pp
type=AVC msg=audit(1174495637.654:2701): avc: denied { use } for pid=8126
comm="netlabelctl" name="hvc0" dev=tmpfs ino=2576
scontext=root:system_r:netlabel_mgmt_t:s0-s15:c0.c1023
tcontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tclass=fd
type=AVC msg=audit(1174495637.654:2701): avc: denied { use } for pid=8126
comm="netlabelctl" name="hvc0" dev=tmpfs ino=2576
scontext=root:system_r:netlabel_mgmt_t:s0-s15:c0.c1023
tcontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tclass=fd
type=AVC msg=audit(1174495637.654:2701): avc: denied { use } for pid=8126
comm="netlabelctl" name="hvc0" dev=tmpfs ino=2576
scontext=root:system_r:netlabel_mgmt_t:s0-s15:c0.c1023
tcontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tclass=fd
type=SYSCALL msg=audit(1174495637.654:2701): arch=14 syscall=11 success=yes
exit=0 a0=101155e8 a1=10117eb0 a2=1011bd18 a3=0 items=0 ppid=1769 pid=8126
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=hvc0
comm="netlabelctl" exe="/sbin/netlabelctl"
subj=root:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1174495637.654:2701): path="/dev/hvc0"
type=AVC_PATH msg=audit(1174495637.654:2701): path="/dev/hvc0"
type=AVC_PATH msg=audit(1174495637.654:2701): path="/dev/hvc0"
type=MAC_CIPSOV4_ADD msg=audit(1174495637.683:2702): netlabel: auid=0
subj=root:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 cipso_doi=1 cipso_type=pass res=1
type=SYSCALL msg=audit(1174495637.683:2702): arch=14 syscall=102 success=yes
exit=48 a0=10 a1=f976f844 a2=0 a3=10020398 items=0 ppid=1769 pid=8126 auid=0
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=hvc0
comm="netlabelctl" exe="/sbin/netlabelctl"
subj=root:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 key=(null)
- Loulwa
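The three AVC records above are one and the same denial repeated: netlabel_mgmt_t is refused `use` of a file descriptor whose creator was local_login_t (the tty device type never appears), and all three share audit serial 2701 with a SYSCALL record that still reports success=yes, which is consistent with SELinux cutting off the inherited descriptors at the domain transition rather than failing the exec. The Python script below is an added example, not part of this thread and not code from the netlabel tools: it parses the records quoted in the message (the mailer's line wrapping undone), groups the denials by source type, target type, class and permission the way audit2allow does, renders the candidate allow rule for policy review, and joins each denial with the SYSCALL record of the same serial. The field layout is taken from the quoted lines; the function names are my own.

```python
import re
from collections import Counter

# Audit records quoted from the message above, re-joined onto one line each.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1174495637.654:2701): avc: denied { use } for pid=8126 comm="netlabelctl" name="hvc0" dev=tmpfs ino=2576 scontext=root:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tclass=fd
type=AVC msg=audit(1174495637.654:2701): avc: denied { use } for pid=8126 comm="netlabelctl" name="hvc0" dev=tmpfs ino=2576 scontext=root:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tclass=fd
type=AVC msg=audit(1174495637.654:2701): avc: denied { use } for pid=8126 comm="netlabelctl" name="hvc0" dev=tmpfs ino=2576 scontext=root:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tclass=fd
type=SYSCALL msg=audit(1174495637.654:2701): arch=14 syscall=11 success=yes exit=0 a0=101155e8 a1=10117eb0 a2=1011bd18 a3=0 items=0 ppid=1769 pid=8126 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=hvc0 comm="netlabelctl" exe="/sbin/netlabelctl" subj=root:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1174495637.654:2701): path="/dev/hvc0"
type=MAC_CIPSOV4_ADD msg=audit(1174495637.683:2702): netlabel: auid=0 subj=root:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 cipso_doi=1 cipso_type=pass res=1
type=SYSCALL msg=audit(1174495637.683:2702): arch=14 syscall=102 success=yes exit=48 a0=10 a1=f976f844 a2=0 a3=10020398 items=0 ppid=1769 pid=8126 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=hvc0 comm="netlabelctl" exe="/sbin/netlabelctl" subj=root:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 key=(null)
"""

# "type=X msg=audit(seconds.millis:serial): <body>"
HEADER_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# AVC body: "avc: denied { perm perm } for key=value ..."
AVC_RE = re.compile(r'^avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
# key=value pairs; values may be quoted strings or bare tokens (contexts, (null), numbers)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit line into its type, serial and a dict of key=value fields (None if unparsable)."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {"type": m.group("type"), "serial": int(m.group("serial"))}
    body = m.group("body")
    if rec["type"] == "AVC":
        a = AVC_RE.match(body)
        if not a:
            return None
        rec["result"] = a.group("result")
        rec["perms"] = a.group("perms").split()
        body = a.group("fields")
    rec["fields"] = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
    return rec


def context_type(ctx):
    """Extract the type from a user:role:type[:mls] security context."""
    return ctx.split(":")[2]


def summarize_denials(text):
    """Count denials by (source type, target type, class, permission), the grouping audit2allow works from."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_record(line)
        if rec and rec["type"] == "AVC" and rec["result"] == "denied":
            f = rec["fields"]
            for perm in rec["perms"]:
                counts[(context_type(f["scontext"]), context_type(f["tcontext"]), f["tclass"], perm)] += 1
    return counts


def candidate_rules(counts):
    """Render each denial group as the allow rule that would silence it: a starting point for policy review."""
    return sorted(f"allow {s} {t}:{c} {p};" for (s, t, c, p) in counts)


def syscall_outcomes(text):
    """Map each audit serial to (syscall number, success flag) from its SYSCALL record."""
    out = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec and rec["type"] == "SYSCALL":
            out[rec["serial"]] = (rec["fields"]["syscall"], rec["fields"]["success"])
    return out


def correlate(text):
    """Join each distinct AVC denial with the SYSCALL record sharing its serial, so the analyst
    can see whether the call that triggered the denial was itself reported as failed."""
    outcomes = syscall_outcomes(text)
    rows, seen = [], set()
    for line in text.splitlines():
        rec = parse_record(line)
        if not (rec and rec["type"] == "AVC" and rec["result"] == "denied"):
            continue
        f = rec["fields"]
        key = (rec["serial"], context_type(f["scontext"]), context_type(f["tcontext"]), f["tclass"], tuple(rec["perms"]))
        if key in seen:  # the three repeated records collapse to one row
            continue
        seen.add(key)
        syscall, success = outcomes.get(rec["serial"], (None, None))
        rows.append({"serial": key[0], "source": key[1], "target": key[2], "class": key[3],
                     "perms": list(key[4]), "syscall": syscall, "success": success})
    return rows


if __name__ == "__main__":
    for rule in candidate_rules(summarize_denials(SAMPLE_AUDIT)):
        print(rule)
    for row in correlate(SAMPLE_AUDIT):
        print(row)
```

The candidate rule is deliberately named that way: before adding `allow netlabel_mgmt_t local_login_t:fd use;` to policy, the reviewer should decide whether the management domain ought to inherit descriptors from the login domain at all, or whether the transition should come through the admin terminal interface the thread discusses.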
--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp