Paul Moore wrote:
Jonathan Kim wrote:
Paul,
I recall that the problems you were having were resolved after you followed
the steps I sent.
Did you follow the exact procedure I sent you? If not, could you let
me know the exact procedure you followed?
Yes, the steps you sent me a few weeks ago did work but later versions
of the policy RPM caused it to fail. Fresh install or upgrades both
resulted in failure. The reason appears to be here in
security/selinux/ss/mls.c line 521:
    if (rangetr->dom == scontext->type &&
        rangetr->type == tcontext->type) {
            /* Set the range from the rule */
            return mls_range_set(newcontext,
                                 &rangetr->range);
    }
For some reason the 'dom'/'type' values for the only rule in 'rangetr'
do not match with the values of 'kernel_t' and 'init_exec_t' in
'scontext->type' and 'tcontext->type' respectively. Looking at the
range_transition types in the binary policy file, policy.19, the types
in the file appear to match the types stored in 'rangetr' which appear
to match the 'kernel_t' and 'init_exec_t' type values inside of
checkpolicy-1.25.3/policy_parse.y as returned by the following lines of
debug code I inserted:
    {
            type_datum_t *kt, *it;
            kt = hashtab_search(policydbp->p_types.table, "kernel_t");
            it = hashtab_search(policydbp->p_types.table, "init_exec_t");
            printf("PMD(#4): kernel_t=%u init_exec_t=%u\n",
                   kt->value,
                   it->value);
    }
This is where I am currently at, trying to figure out why
'scontext->type' and 'tcontext->type' appear to change values in the
kernel ... or why I am barking up the wrong tree :) If anyone has any
suggestions I am all ears ...
I found the problem, it was in libsepol. I just posted a patch over on
the SELinux Developers list.
--
. paul moore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. paul.moore@xxxxxx hewlett packard
. (603) 884-5056 linux security
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list