openshift label issue

2017-02-02 Thread Kashif ali
Hi,
I'm facing an issue while running OpenShift. OpenShift has
unconfined_service_t; my user has the context
"staff_u:staff_r:staff_t".

I have checked the domain accessibility of staff_r, and it gives me
"openshift_var_lib_t".

So it means there is no domain transition for staff_r to openshift_t, but
as I have checked, system_r has accessibility to openshift_t. So does this
mean I should run my user in the system_u context? If yes, then it would
have "system_u:unconfined_r:unconfined_t", so it also doesn't change into
openshift, because unconfined_u also doesn't have a domain transition to
openshift_t. If I use the newrole command to change my context it won't
allow me, so right now I'm stuck.
Kindly help with this.
Thanks,
Regards,
Kashif Ali
___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
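To make the checks the post above is reasoning about concrete, here is an added Python model of what must hold before a process in one domain can enter another on exec. It is not code from the thread, from OpenShift or from the reference policy. The policy fragment inside it is constructed for the illustration: staff_r, staff_t, system_r, unconfined_t, openshift_t and openshift_var_lib_t are names quoted in the post; openshift_exec_t and init_t are assumed names.

```python
"""Added illustration: the rules SELinux consults before a domain transition.

A process running as role:src that execs a file labelled exec_type may only
end up in domain dst when all four of these hold:

  1. allow src exec_type:file execute        (it may run the file at all)
  2. allow src dst:process transition        (it may leave its domain)
  3. allow dst exec_type:file entrypoint     (the file may start dst)
  4. role role types dst                     (the role is authorised for dst)

The policy fragment below is constructed for this example; openshift_exec_t
and init_t are assumed names, not taken from the thread.
"""
from dataclasses import dataclass


@dataclass
class Policy:
    role_types: dict       # role -> set of types it may run ("role r types t;")
    allow: dict            # (src, tgt, class) -> set of permissions ("allow ...;")
    type_transition: dict  # (src, exec_type) -> default new domain

    def allows(self, src, tgt, cls, perm):
        return perm in self.allow.get((src, tgt, cls), set())


def transition_problems(policy, role, src, exec_type, dst):
    """List the rules missing for role:src to enter dst by exec'ing exec_type.

    An empty list means the transition would be permitted.  Each entry is the
    policy statement that would have to exist, which is the form you want when
    comparing against sesearch output or an AVC denial."""
    problems = []
    if not policy.allows(src, exec_type, "file", "execute"):
        problems.append(f"allow {src} {exec_type}:file execute;")
    if not policy.allows(src, dst, "process", "transition"):
        problems.append(f"allow {src} {dst}:process transition;")
    if not policy.allows(dst, exec_type, "file", "entrypoint"):
        problems.append(f"allow {dst} {exec_type}:file entrypoint;")
    if dst not in policy.role_types.get(role, set()):
        problems.append(f"role {role} types {dst};")
    return problems


def exec_outcome(policy, role, src, exec_type):
    """Domain the process ends up in after exec, or None if the exec is denied.

    With a type_transition rule the kernel attempts the transition and denies
    the exec if any check fails; it does not fall back to staying in src.
    Without one the process stays in src and additionally needs
    execute_no_trans on the file."""
    dst = policy.type_transition.get((src, exec_type))
    if dst is not None:
        if transition_problems(policy, role, src, exec_type, dst):
            return None
        return dst
    if (policy.allows(src, exec_type, "file", "execute")
            and policy.allows(src, exec_type, "file", "execute_no_trans")):
        return src
    return None


# Constructed fragment modelling what the post describes: system_r may run
# openshift_t, staff_r may not, and unconfined_t has no transition rule at all.
SAMPLE = Policy(
    role_types={
        "staff_r": {"staff_t"},
        "system_r": {"init_t", "openshift_t"},
        "unconfined_r": {"unconfined_t"},
    },
    allow={
        ("init_t", "openshift_exec_t", "file"): {"execute"},
        ("init_t", "openshift_t", "process"): {"transition"},
        ("openshift_t", "openshift_exec_t", "file"): {"entrypoint"},
        ("staff_t", "openshift_exec_t", "file"): {"execute"},
        ("unconfined_t", "openshift_exec_t", "file"): {"execute", "execute_no_trans"},
    },
    type_transition={
        ("init_t", "openshift_exec_t"): "openshift_t",
        ("staff_t", "openshift_exec_t"): "openshift_t",
    },
)


if __name__ == "__main__":
    for role, src in (("system_r", "init_t"), ("staff_r", "staff_t"),
                      ("unconfined_r", "unconfined_t")):
        print(f"{role}:{src} exec openshift_exec_t ->",
              exec_outcome(SAMPLE, role, src, "openshift_exec_t"))
    for rule in transition_problems(SAMPLE, "staff_r", "staff_t",
                                    "openshift_exec_t", "openshift_t"):
        print("missing:", rule)
```

Against a real policy the same questions are answered with setools: `seinfo -r staff_r -x` lists the types staff_r is authorised for, `sesearch -T -s staff_t -c process` shows any type_transition out of staff_t, and `sesearch -A -s staff_t -t openshift_t -c process -p transition` shows whether the transition permission exists. When the fourth check (the role authorisation) is the one that fails, newrole cannot help either, because it only switches between roles the user is already allowed.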

Re: [PATCH 0/5] checkpolicy: Cleanup declare and require functions

2017-02-02 Thread Nicolas Iooss
On Tue, Jan 31, 2017 at 8:41 PM, James Carter  wrote:

> Cleanup declare and require functions in module_compiler.c to improve
> maintainability and clarity. Functionality is not changed.
>
> James Carter (5):
>   checkpolicy: Create common function for type declares and requires
>   checkpolicy: Create common function for role declares and requires
>   checkpolicy: Create common function for user declares and requires
>   checkpolicy: Cleanup error messages
>   checkpolicy: Move common require and declare code into new function
>
>  checkpolicy/module_compiler.c | 892 +++---
> 
>  1 file changed, 395 insertions(+), 497 deletions(-)
>

Thanks for your patches. I have tested the 8 patches you sent and
everything seems fine: the issue I reported is fixed, there is no new
memory leak, and the code looks right when I read it. I am only wondering
why the new functions create_type(), create_role(), create_user()
and print_error_msg() are not static.

By the way I have been working on integrating this project with Travis-CI
for a few months and now I have a stable working configuration file. I used
it to build-test this patchset with several compilers/linkers. The
(successful) results are available on
https://travis-ci.org/fishilico/selinux/builds/197478803 and the commit
which introduced .travis.yml file is the last one on
https://github.com/fishilico/selinux/commits/2017-01-31_James_Carter_patches
. Would there be interest in having the Travis-CI configuration file in
the project?

Cheers,
Nicolas

Re: [PATCH v2] security: selinux: allow changing labels for cgroupfs

2017-02-02 Thread Stephen Smalley
On Thu, 2017-02-02 at 16:22 +0100, Antonio Murdaca wrote:
> This patch allows changing labels for cgroup mounts. Previously, running
> chcon on cgroupfs would throw an "Operation not supported". This patch
> specifically whitelists cgroupfs.
> 
> The patch could also allow containers to write only to the systemd cgroup
> for instance, while the other cgroups are kept with cgroup_t label.
> 
> Signed-off-by: Antonio Murdaca 

Acked-by: Stephen Smalley 

> ---
> Changes in v2:
>   - whitelist cgroup2 fs type
> 
>  security/selinux/hooks.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 3b955c6..2789f0a 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -480,6 +480,8 @@ static int selinux_is_sblabel_mnt(struct
> super_block *sb)
>   sbsec->behavior == SECURITY_FS_USE_NATIVE ||
>   /* Special handling. Genfs but also in-core setxattr
> handler */
>   !strcmp(sb->s_type->name, "sysfs") ||
> + !strcmp(sb->s_type->name, "cgroup") ||
> + !strcmp(sb->s_type->name, "cgroup2") ||
>   !strcmp(sb->s_type->name, "pstore") ||
>   !strcmp(sb->s_type->name, "debugfs") ||
>   !strcmp(sb->s_type->name, "tracefs") ||
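Review bot: this hunk only lifts the "Operation not supported" from setxattr; whether a chcon then succeeds is still decided by policy, which has to grant the relabelling domain relabelfrom on cgroup_t and relabelto on the new type, and the default label of every cgroup directory stays whatever the genfscon entry for cgroup/cgroup2 assigns (cgroup_t, as the commit message says). A sentence in the log stating that the policy change is a separate, required step would save the next reader the trip to this thread.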

Re: possible regression in "semanage user"

2017-02-02 Thread Stephen Smalley
On Thu, 2017-02-02 at 13:34 -0500, Stephen Smalley wrote:
> On Thu, 2017-02-02 at 18:22 +0100, Vit Mojzis wrote:
> > 
> > Hi list,
> > we have a report about a possible regression in "semanage user" and
> > I'd 
> > like to hear your opinion on what the correct behaviour should be.
> > 
> > Given that local changes have been made to a SELinux user
> > definition 
> > (originally defined in policy)
> > e.g. # semanage user -m staff_u -r "s0"
> > and the SELinux user is mapped to some Linux user
> > # semanage login -a -s staff_u staff
> > both
> > # semanage user -d staff_u
> > and
> > # semanage user --deleteall
> > will fail to remove the local change with the following message:
> > "libsemanage.lookup_seuser: staff_u is being used by staff login
> > record 
> > (Invalid argument)."
> > 
> > Is this the intended behaviour?
> > 
> > I would assume that this error message was intended only for
> > locally 
> > defined SELinux users (in which case "semanage user -d
> > selinux_user" 
> > would remove the only definition of "selinux_user"). If so, is
> > there
> > any 
> > way to determine if a SELinux user has been defined only locally
> > (as 
> > opposed to being defined in policy) after some local changes have
> > been made?
> 
> This appears to work correctly for me with release 20161014 (2.6);
> the
> two delete commands you specified above succeeded and the entry was
> removed.  What version are you using?

Never mind, my mistake.  I can reproduce it.


Re: possible regression in "semanage user"

2017-02-02 Thread Stephen Smalley
On Thu, 2017-02-02 at 18:22 +0100, Vit Mojzis wrote:
> Hi list,
> we have a report about a possible regression in "semanage user" and
> I'd 
> like to hear your opinion on what the correct behaviour should be.
> 
> Given that local changes have been made to a SELinux user definition 
> (originally defined in policy)
> e.g. # semanage user -m staff_u -r "s0"
> and the SELinux user is mapped to some Linux user
> # semanage login -a -s staff_u staff
> both
> # semanage user -d staff_u
> and
> # semanage user --deleteall
> will fail to remove the local change with the following message:
> "libsemanage.lookup_seuser: staff_u is being used by staff login
> record 
> (Invalid argument)."
> 
> Is this the intended behaviour?
> 
> I would assume that this error message was intended only for locally 
> defined SELinux users (in which case "semanage user -d selinux_user" 
> would remove the only definition of "selinux_user"). If so, is there
> any 
> way to determine if a SELinux user has been defined only locally (as 
> opposed to being defined in policy) after some local changes have
> been made?

This appears to work correctly for me with release 20161014 (2.6); the
two delete commands you specified above succeeded and the entry was
removed.  What version are you using?

possible regression in "semanage user"

2017-02-02 Thread Vit Mojzis

Hi list,
we have a report about a possible regression in "semanage user" and I'd 
like to hear your opinion on what the correct behaviour should be.


Given that local changes have been made to a SELinux user definition 
(originally defined in policy)

e.g. # semanage user -m staff_u -r "s0"
and the SELinux user is mapped to some Linux user
# semanage login -a -s staff_u staff
both
# semanage user -d staff_u
and
# semanage user --deleteall
will fail to remove the local change with the following message:
"libsemanage.lookup_seuser: staff_u is being used by staff login record 
(Invalid argument)."


Is this the intended behaviour?

I would assume that this error message was intended only for locally 
defined SELinux users (in which case "semanage user -d selinux_user" 
would remove the only definition of "selinux_user"). If so, is there any 
way to determine if a SELinux user has been defined only locally (as 
opposed to being defined in policy) after some local changes have been made?



Best regards,

Vit Mojzis



Re: [PATCH v2] security: selinux: allow changing labels for cgroupfs

2017-02-02 Thread Daniel J Walsh
We need this patch set to tighten security inside of containers to only
allow certain directories in the cgroup file system to be used by the
containers.  In order to make this work, SELinux policy also needs to be
modified.


On 02/02/2017 10:22 AM, Antonio Murdaca wrote:
> This patch allows changing labels for cgroup mounts. Previously, running
> chcon on cgroupfs would throw an "Operation not supported". This patch
> specifically whitelists cgroupfs.
>
> The patch could also allow containers to write only to the systemd cgroup
> for instance, while the other cgroups are kept with cgroup_t label.
>
> Signed-off-by: Antonio Murdaca 
> ---
> Changes in v2:
>   - whitelist cgroup2 fs type
>
>  security/selinux/hooks.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 3b955c6..2789f0a 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -480,6 +480,8 @@ static int selinux_is_sblabel_mnt(struct super_block *sb)
>   sbsec->behavior == SECURITY_FS_USE_NATIVE ||
>   /* Special handling. Genfs but also in-core setxattr handler */
>   !strcmp(sb->s_type->name, "sysfs") ||
> + !strcmp(sb->s_type->name, "cgroup") ||
> + !strcmp(sb->s_type->name, "cgroup2") ||
>   !strcmp(sb->s_type->name, "pstore") ||
>   !strcmp(sb->s_type->name, "debugfs") ||
>   !strcmp(sb->s_type->name, "tracefs") ||



Re: [PATCH] security: selinux: allow changing labels for cgroupfs

2017-02-02 Thread Antonio Murdaca
On Thu, Feb 2, 2017 at 4:01 PM, Gary Tierney  wrote:
> On Thu, Feb 02, 2017 at 03:42:28PM +0100, Antonio Murdaca wrote:
>> This patch allows changing labels for cgroup mounts. Previously, running
>> chcon on cgroupfs would throw an "Operation not supported". This patch
>> specifically whitelists cgroupfs.
>>
>> The patch could also allow containers to write only to the systemd cgroup
>> for instance, while the other cgroups are kept with cgroup_t label.
>>
>> Signed-off-by: Antonio Murdaca 
>> ---
>>  security/selinux/hooks.c | 1 +
>>  1 file changed, 1 insertion(+)
>>
>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>> index 3b955c6..4e84211 100644
>> --- a/security/selinux/hooks.c
>> +++ b/security/selinux/hooks.c
>> @@ -480,6 +480,7 @@ static int selinux_is_sblabel_mnt(struct super_block *sb)
>>   sbsec->behavior == SECURITY_FS_USE_NATIVE ||
>>   /* Special handling. Genfs but also in-core setxattr handler */
>>   !strcmp(sb->s_type->name, "sysfs") ||
>> + !strcmp(sb->s_type->name, "cgroup") ||
>
> Should we also include "cgroup2" here, since they are defined as 2
> distinct filesystems? 
> https://github.com/SELinuxProject/selinux-kernel/blob/master/kernel/cgroup.c#L2314-L2326

likely yes

>
>>   !strcmp(sb->s_type->name, "pstore") ||
>>   !strcmp(sb->s_type->name, "debugfs") ||
>>   !strcmp(sb->s_type->name, "tracefs") ||
>> --
>> 2.9.3
>>



-- 
Antonio (runcom) Murdaca, RHCE
Senior Software Engineer - Containers
09B9 8F09 3E2D C310 E250 69B5 B2BE AD15 0DE9 36B9


[PATCH v2] security: selinux: allow changing labels for cgroupfs

2017-02-02 Thread Antonio Murdaca
This patch allows changing labels for cgroup mounts. Previously, running
chcon on cgroupfs would throw an "Operation not supported". This patch
specifically whitelists cgroupfs.

The patch could also allow containers to write only to the systemd cgroup
for instance, while the other cgroups are kept with cgroup_t label.

Signed-off-by: Antonio Murdaca 
---
Changes in v2:
  - whitelist cgroup2 fs type

 security/selinux/hooks.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 3b955c6..2789f0a 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -480,6 +480,8 @@ static int selinux_is_sblabel_mnt(struct super_block *sb)
sbsec->behavior == SECURITY_FS_USE_NATIVE ||
/* Special handling. Genfs but also in-core setxattr handler */
!strcmp(sb->s_type->name, "sysfs") ||
+   !strcmp(sb->s_type->name, "cgroup") ||
+   !strcmp(sb->s_type->name, "cgroup2") ||
!strcmp(sb->s_type->name, "pstore") ||
!strcmp(sb->s_type->name, "debugfs") ||
!strcmp(sb->s_type->name, "tracefs") ||
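Review bot: the commit message should say why these two entries belong under the "Genfs but also in-core setxattr handler" comment and what the resulting label lifetime is: cgroupfs is kernfs-backed like sysfs, so once the superblock is marked labelable a chcon is honoured by the in-core xattr handler, but the label is held in memory only and is gone after a reboot, so a container runtime that relies on a relabelled cgroup directory has to re-apply the label each boot. "Allows changing labels" on its own reads as a persistent change.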
-- 
2.9.3



Re: [PATCH] security: selinux: allow changing labels for cgroupfs

2017-02-02 Thread Gary Tierney
On Thu, Feb 02, 2017 at 03:42:28PM +0100, Antonio Murdaca wrote:
> This patch allows changing labels for cgroup mounts. Previously, running
> chcon on cgroupfs would throw an "Operation not supported". This patch
> specifically whitelists cgroupfs.
> 
> The patch could also allow containers to write only to the systemd cgroup
> for instance, while the other cgroups are kept with cgroup_t label.
> 
> Signed-off-by: Antonio Murdaca 
> ---
>  security/selinux/hooks.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 3b955c6..4e84211 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -480,6 +480,7 @@ static int selinux_is_sblabel_mnt(struct super_block *sb)
>   sbsec->behavior == SECURITY_FS_USE_NATIVE ||
>   /* Special handling. Genfs but also in-core setxattr handler */
>   !strcmp(sb->s_type->name, "sysfs") ||
> + !strcmp(sb->s_type->name, "cgroup") ||

Should we also include "cgroup2" here, since they are defined as 2
distinct filesystems? 
https://github.com/SELinuxProject/selinux-kernel/blob/master/kernel/cgroup.c#L2314-L2326

>   !strcmp(sb->s_type->name, "pstore") ||
>   !strcmp(sb->s_type->name, "debugfs") ||
>   !strcmp(sb->s_type->name, "tracefs") ||
> -- 
> 2.9.3
> 



[PATCH] security: selinux: allow changing labels for cgroupfs

2017-02-02 Thread Antonio Murdaca
This patch allows changing labels for cgroup mounts. Previously, running
chcon on cgroupfs would throw an "Operation not supported". This patch
specifically whitelists cgroupfs.

The patch could also allow containers to write only to the systemd cgroup
for instance, while the other cgroups are kept with cgroup_t label.

Signed-off-by: Antonio Murdaca 
---
 security/selinux/hooks.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 3b955c6..4e84211 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -480,6 +480,7 @@ static int selinux_is_sblabel_mnt(struct super_block *sb)
sbsec->behavior == SECURITY_FS_USE_NATIVE ||
/* Special handling. Genfs but also in-core setxattr handler */
!strcmp(sb->s_type->name, "sysfs") ||
+   !strcmp(sb->s_type->name, "cgroup") ||
!strcmp(sb->s_type->name, "pstore") ||
!strcmp(sb->s_type->name, "debugfs") ||
!strcmp(sb->s_type->name, "tracefs") ||
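Review bot: the unified hierarchy is registered as a separate filesystem type named "cgroup2", so the single `!strcmp(sb->s_type->name, "cgroup")` added here leaves cgroup v2 mounts returning "Operation not supported" on chcon exactly as before; add `!strcmp(sb->s_type->name, "cgroup2") ||` beside it (v2 of this patch does), and mention both mount types in the log.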
-- 
2.9.3
