On Tue, 2009-01-27 at 01:01 +0900, KaiGai Kohei wrote:
> Stephen Smalley wrote:
> > On Sun, 2009-01-25 at 13:09 +0900, KaiGai Kohei wrote:
> >> I found a strange behavior with selinux-policy-3.6.3-8.fc11.noarch.
> >>
> >> [root@masu ~]# sestatus
> >> SELinux status: enabled
> >> SELinuxfs mount: /selinux
> >> Current mode: enforcing
> >> Mode from config file: enforcing
> >> Policy version: 24
> >> Policy from config file: targeted
> >> [root@masu ~]# touch aaa
> >> [root@masu ~]# ls -Z aaa
> >> -rw-r--r-- root root unconfined_u:object_r:admin_home_t:s0 aaa
> >> [root@masu ~]# id -Z
> >> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c31
> >> [root@masu ~]# chcon -l s0:c0 aaa
> >> chcon: failed to change context of `aaa' to `unconfined_u:object_r:admin_home_t:s0:c0': Operation not permitted
> >>
> >> Why can't "s0-s0:c0.c31" change the context from "s0" to "s0:c0"?
> >>
> >> I could reproduce the matter after "semodule -B".
> >>
> >> Is there anyone who can reproduce the matter?
> >
> > What avc denial did you get?
> >
> > It is interesting that you got Operation not permitted (EPERM) rather
> > than Permission denied (EACCES) - that usually reflects a capability
> > denial.
>
> The following operation:
> [root@masu ~]# ls -Z bbb
> -rw-r--r-- root root unconfined_u:object_r:admin_home_t:s0 bbb
> [root@masu ~]# id -Z
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c31
> [root@masu ~]# chcon -l s0:c0 bbb
> chcon: failed to change context of `bbb' to `unconfined_u:object_r:admin_home_t:s0:c0': Operation not permitted
>
> got the following audit message:
> type=SELINUX_ERR msg=audit(1232984840.945:48):
> security_validate_transition: denied for
> oldcontext=unconfined_u:object_r:admin_home_t:s0
> newcontext=unconfined_u:object_r:admin_home_t:s0:c0
> taskcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c31
> tclass=file
> type=SYSCALL msg=audit(1232984840.945:48): arch=40000003 syscall=226
> success=no exit=-1 a0=9597d48 a1=587cfd a2=9599058 a3=29 items=0
> ppid=3491 pid=3648 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="chcon" exe="/usr/bin/chcon"
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c31 key=(null)
>
> strace chcon -l s0:c0 bbb also says -EPERM.
> :
> setxattr("bbb", "security.selinux", "unconfined_u:object_r:admin_home_t:s0:c0", 41, 0) = -1 EPERM (Operation not permitted)
> :
>
> Is the selinux-policy-3.6.3-8.fc11.noarch really built with mcs policy?

Sounds like it is the MLS policy instead, as only the mls configuration
defines mlsvalidatetrans constraints.

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
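An added example, not part of the thread, that triages a security_validate_transition audit record like the one KaiGai posted: it parses the MLS level of the requested new context and checks whether it lies within the task's clearance range (generalised to any sensitivity and any category run, not just s0 and c0.c31). When the level is inside the range, plain range dominance cannot be the reason for the denial, which is what points at a validatetrans constraint. The record string is constructed from the thread's audit message, and the function names are my own.

```python
import re

# Constructed sample: the thread's SELINUX_ERR record, joined onto one line as auditd writes it.
SAMPLE_RECORD = (
    "type=SELINUX_ERR msg=audit(1232984840.945:48): security_validate_transition: denied for "
    "oldcontext=unconfined_u:object_r:admin_home_t:s0 "
    "newcontext=unconfined_u:object_r:admin_home_t:s0:c0 "
    "taskcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c31 tclass=file"
)

def parse_level(level):
    """'s0:c0.c31,c40' -> (0, {0, 1, ..., 31, 40}); 's0' -> (0, set())."""
    sens, _, cats = level.partition(":")
    catset = set()
    for part in cats.split(",") if cats else []:
        lo, _, hi = part.partition(".")          # 'c0.c31' is an inclusive run of categories
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        catset.update(range(lo_n, hi_n + 1))
    return int(sens[1:]), catset

def dominates(a, b):
    """MLS dominance: a >= b iff a's sensitivity >= b's and a's categories include b's."""
    return a[0] >= b[0] and a[1] >= b[1]

def mls_range(context):
    """Split 'user:role:type:low[-high]' into (low, high) parsed levels; a file has low == high."""
    low, _, high = context.split(":", 3)[3].partition("-")
    return parse_level(low), parse_level(high or low)

def parse_validate_transition(record):
    """Pull the contexts out of a security_validate_transition denial; None for any other record."""
    if "security_validate_transition: denied" not in record:
        return None
    fields = dict(re.findall(r"\b(oldcontext|newcontext|taskcontext|tclass)=(\S+)", record))
    return fields if len(fields) == 4 else None

def triage(record):
    """Report whether the requested new level sits inside the task's clearance range.
    If it does, the denial is not about range dominance, so look at the policy's
    validatetrans constraints (mlsvalidatetrans in the mls configuration) instead."""
    fields = parse_validate_transition(record)
    if fields is None:
        return None
    task_low, task_high = mls_range(fields["taskcontext"])
    new_level = mls_range(fields["newcontext"])[0]
    within = dominates(new_level, task_low) and dominates(task_high, new_level)
    return {"tclass": fields["tclass"], "new_level_in_task_range": within,
            "likely_cause": "validatetrans constraint" if within else "clearance range"}

if __name__ == "__main__":
    print(triage(SAMPLE_RECORD))
```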