On 08/29/2011 10:43 AM, Stephen Smalley wrote:
> On Mon, 2011-08-29 at 10:36 -0400, Christopher J. PeBenito wrote:
>> On 08/29/11 11:10, Miroslav Grepl wrote:
>>> On 08/29/2011 12:52 PM, Christopher J. PeBenito wrote:
>>>> On 08/29/11 08:33, Stephen Smalley wrote:
>>>>> On Fri, 2011-08-26 at 20:51 +0200, Miroslav Grepl wrote:
>>>>>> Together with Dan Walsh and Jan Chadima we made some changes
>>>>>> in the openssh package.
>>>>>>
>>>>>> But we have the following issue with the following code:
>>>>>>
>>>>>> ...
>>>>>>
>>>>>> if (internal-sftp)
>>>>>>     setuid()
>>>>>>     getexeccon(&scon)
>>>>>>     setcon(scon)
>>>>>>     freecon(scon)
>>>>>>
>>>>>> ...
>>>>>>
>>>>>> We have the
>>>>>>
>>>>>> allow sshd_t unpriv_userdomain:process dyntransition;
>>>>>>
>>>>>> rule, but we get a constraint violation with the following
>>>>>> AVC message:
>>>>>>
>>>>>> type=AVC msg=audit(1314348650.561:7910): avc: denied { dyntransition } for pid=555 comm="sshd" scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0
>>>>>>
>>>>>> because of
>>>>>>
>>>>>> constrain process dyntransition ( u1 == u2 and r1 == r2 );
>>>>>>
>>>>>> My question is why dyntransition is not allowed to change USER
>>>>>> or ROLE.
>>>>>>
>>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=729648
>>>>>
>>>>> I think just because we haven't previously had a system
>>>>> program using setcon(3) to switch its user/role.
>>>>
>>>> Also because the theory was that we would be reproducing
>>>> privilege-bracketed domains, so you'd be going to a different
>>>> privilege in e.g. httpd_t -> httpd_mycgi_t, and that would not
>>>> require user or role changes.
>>>
>>> OK, I understand. Thanks.
>>>
>>> Could we add an attribute to break this?
>>
>> Yes, we could add one. The question is if we want the same
>> attribute as the regular transition or a new one, i.e. I'm
>> thinking
>>
>> constrain process dyntransition ( u1 == u2 or ( t1 == can_change_process_identity and t2 == process_user_target ) );
>>
>> constrain process dyntransition ( r1 == r2 or ( t1 == can_change_process_identity and t2 == process_user_target ) );
>>
>> Do we want the can_change_process_identity attribute or a new one?
>
> If so, then we might as well just coalesce it into the existing
> constraint on the transition permission.

OK, I like Stephen's better.

-- 
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
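The thread turns on a point that trips up policy writers regularly: an `allow ... :process dyntransition` rule only satisfies type enforcement, and the kernel then applies every `constrain` statement for that class/permission and strips the permission again if one fails. A constraint failure is logged as an ordinary `avc: denied { dyntransition }`, exactly like the message above, so the rule audit2allow would suggest already exists. The following is an added example, not code from openssh, libselinux or the reference policy: a small evaluator that mirrors that two-stage decision (type enforcement first, then the constraint) for the original `( u1 == u2 and r1 == r2 )` constraint and for the attribute-relaxed form Chris proposed. The attribute memberships and the single allow rule are constructed for the example; the type and attribute names are taken from the thread, but which types carry which attributes in the real policy is not.

```python
"""Toy evaluator for the process:dyntransition decision discussed in the thread.

Added example, not code from openssh or the reference policy.  The allow
rule and the attribute memberships below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type_: str
    level: str

    @classmethod
    def parse(cls, s: str) -> "Context":
        # The MLS range may itself contain ':' (s0-s0:c0.c1023), so split at
        # most three times and keep the remainder as the level.
        user, role, type_, level = s.split(":", 3)
        return cls(user, role, type_, level)


# Constructed attribute memberships (assumption: not taken from the real policy).
ATTRIBUTES = {
    "can_change_process_identity": {"sshd_t"},
    "process_user_target": {"staff_t", "user_t"},
    "unpriv_userdomain": {"staff_t", "user_t"},
}


def has_attr(type_: str, attr: str) -> bool:
    return type_ in ATTRIBUTES.get(attr, set())


# Constructed type-enforcement rules as (source, target) pairs, each of which
# may be a type or an attribute; this is the rule quoted in the thread.
ALLOW_DYNTRANSITION = {("sshd_t", "unpriv_userdomain")}


def te_allows(src: str, tgt: str) -> bool:
    """Stage 1: does an allow rule grant process:dyntransition src -> tgt?"""
    for s, t in ALLOW_DYNTRANSITION:
        if (src == s or has_attr(src, s)) and (tgt == t or has_attr(tgt, t)):
            return True
    return False


def constraint_original(s: Context, t: Context) -> bool:
    """constrain process dyntransition ( u1 == u2 and r1 == r2 );"""
    return s.user == t.user and s.role == t.role


def constraint_proposed(s: Context, t: Context) -> bool:
    """The two relaxed constraints proposed in the thread, combined."""
    priv = has_attr(s.type_, "can_change_process_identity") and has_attr(
        t.type_, "process_user_target"
    )
    return (s.user == t.user or priv) and (s.role == t.role or priv)


def dyntransition_allowed(scontext: str, tcontext: str, constraint):
    """Stage 2: type enforcement, then the constraint.  Either failure is
    surfaced to the caller the same way, as the kernel does with one
    'avc: denied { dyntransition }' line."""
    s, t = Context.parse(scontext), Context.parse(tcontext)
    if not te_allows(s.type_, t.type_):
        return False, "denied by type enforcement (no allow rule)"
    if not constraint(s, t):
        return False, "denied by constraint"
    return True, "allowed"


if __name__ == "__main__":
    # The contexts from the AVC message in the thread.
    src = "unconfined_u:system_r:sshd_t:s0-s0:c0.c1023"
    dst = "staff_u:staff_r:staff_t:s0"
    for name, c in (("original", constraint_original), ("proposed", constraint_proposed)):
        ok, why = dyntransition_allowed(src, dst, c)
        print(f"{name:9s} {src} -> {dst}: {why}")
```

Run it and the original constraint reports `denied by constraint` for the sshd_t -> staff_t case even though `te_allows` succeeds, which is the situation Miroslav hit; the relaxed constraint lets it through only because both the source and target types carry the constructed attributes, so dropping the same change into the existing `transition` constraint (Stephen's suggestion) keeps the two permissions gated by one identity-change policy rather than two that can drift apart.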