Re: Does mcs work on rawhide correctly?

KaiGai Kohei <kaigai@xxxxxxxxxxxx> · Tue, 27 Jan 2009 01:01:45 +0900

Stephen Smalley wrote:
> On Sun, 2009-01-25 at 13:09 +0900, KaiGai Kohei wrote:
>> I found a strange behavior with selinux-policy-3.6.3-8.fc11.noarch.
>>
>> [root@masu ~]# sestatus
>> SELinux status:                 enabled
>> SELinuxfs mount:                /selinux
>> Current mode:                   enforcing
>> Mode from config file:          enforcing
>> Policy version:                 24
>> Policy from config file:        targeted
>> [root@masu ~]# touch aaa
>> [root@masu ~]# ls -Z aaa
>> -rw-r--r--  root root unconfined_u:object_r:admin_home_t:s0 aaa
>> [root@masu ~]# id -Z
>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c31
>> [root@masu ~]# chcon -l s0:c0 aaa
>> chcon: failed to change context of `aaa' to `unconfined_u:object_r:admin_home_t:s0:c0': Operation not permitted
>>
>> Why "s0-s0:c0.c31" cannot change the context from "s0" to "s0:c0"?
>>
>> I could reproduce the matter after "semodule -B".
>>
>> Is there anyone who can reproduce the matter?
> 
> What avc denial did you get?
> 
> It is interesting that you got Operation not permitted (EPERM) rather
> than Permission denied (EACCES) - that usually reflects a capability
> denial.

The following operation:
  [root@masu ~]# ls -Z bbb
  -rw-r--r--  root root unconfined_u:object_r:admin_home_t:s0 bbb
  [root@masu ~]# id -Z
  unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c31
  [root@masu ~]# chcon -l s0:c0 bbb
  chcon: failed to change context of `bbb' to `unconfined_u:object_r:admin_home_t:s0:c0': Operation not permitted

got the following audit message:
 type=SELINUX_ERR msg=audit(1232984840.945:48):
   security_validate_transition:  denied for
   oldcontext=unconfined_u:object_r:admin_home_t:s0
   newcontext=unconfined_u:object_r:admin_home_t:s0:c0
   taskcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c31
   tclass=file
 type=SYSCALL msg=audit(1232984840.945:48): arch=40000003 syscall=226
   success=no exit=-1 a0=9597d48 a1=587cfd a2=9599058 a3=29 items=0
   ppid=3491 pid=3648 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0
   egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="chcon" exe="/usr/bin/chcon"
   subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c31 key=(null)

strace chcon -l s0:c0 bbb also says -EPERM.
     :
  setxattr("bbb", "security.selinux", "unconfined_u:object_r:admin_home_t:s0:c0", 41, 0) = -1 EPERM (Operation not permitted)
     :

Is the selinux-policy-3.6.3-8.fc11.noarch really built with mcs policy?

Thanks,
-- 
KaiGai Kohei <kaigai@xxxxxxxxxxxx>

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list