Re: Transitioning out of a confined user domain

On 13/10/16 04:16, Mark Montague wrote:
> I'm using Fedora 23 with confined users:
>
> [root@earth ~]# semanage user -l | egrep '^(SELinux|staff_u)'
> SELinux User    Prefix     MCS Level  MCS Range SELinux Roles
> staff_u         user       s0         s0-s0:c0.c1023 staff_r system_r
> unconfined_r
>
> I'd like to allow this user to start a process running as themselves
> under a targeted policy, nodejswebserver_t, but when I try to run the
> executable, I get "Permission denied":
>
> [markmont@earth ~]$ id -Z
> staff_u:staff_r:staff_t:s0
> [markmont@earth ~]$ ls -lZ /sw/sbin/node
> -rwxr-xr-x. 1 markmont markmont
> system_u:object_r:nodejswebserver_exec_t:s0 29949360 Oct  4 16:39
> /sw/sbin/node
> [markmont@earth ~]$ /sw/sbin/node
> -bash: /sw/sbin/node: Permission denied
> [markmont@earth ~]$
>
> The following denials appear in the audit log:
>
> 2016-10-12 18:05:29 type=AVC msg=audit(1476295529.526:48313): avc:
> denied  { transition } for  pid=1034 comm="bash" path="/sw/sbin/node"
> dev="dm-0" ino=294783 scontext=staff_u:staff_r:staff_t:s0
> tcontext=staff_u:system_r:nodejswebserver_t:s0 tclass=process
> permissive=0
> 2016-10-12 18:05:29 type=PATH msg=audit(1476295529.526:48313): item=0
> name="/sw/sbin/node" inode=294783 dev=fc:00 mode=0100755 ouid=1000
> ogid=1000 rdev=00:00 obj=system_u:object_r:nodejswebserver_exec_t:s0
> nametype=NORMAL
>
> audit2allow suggests the following:
>
> allow staff_t nodejswebserver_t:process transition;
>
> ...but this is already in my local policy:
>
> domain_system_change_exemption(staff_t);
> domtrans_pattern(staff_t, nodejswebserver_exec_t, nodejswebserver_t);
> type_transition staff_t nodejswebserver_exec_t:process nodejswebserver_t;
> role_transition staff_r nodejswebserver_exec_t system_r;
> allow staff_t nodejswebserver_t:process transition;
> allow staff_t nodejswebserver_t:process { noatsecure rlimitinh siginh };
>
> I feel like I'm overlooking something fundamental regarding
> transitioning out of a confined user domain to another domain.  Any
> ideas?

I think your policy is missing this:

role staff_r types nodejswebserver_t;

Cheers,
Doug
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
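An added example, not part of the thread: a small Python script that takes raw audit records like the two quoted in the question, pulls the source and target contexts out of the `process transition` AVC and the executable's type out of the matching PATH record, and prints the checklist of policy statements an exec-time domain transition needs (execute on the entrypoint file, `entrypoint`, `process transition`, `type_transition`, and, because the role also changes here, `role_transition`, role authorization for the new domain, and the policy's `constrain process transition` rules). The checklist is the standard SELinux transition requirement set; the comment about constraints and exemption interfaces is my reading of the reference policy and should be verified against the loaded policy with `sesearch`/`seinfo`. The sample input is the thread's own two records, joined back onto one line each.

```python
"""Turn a process-transition AVC denial into a policy checklist (added example)."""
import re
from dataclasses import dataclass

# Test input: the two audit records quoted in the question above, one per line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1476295529.526:48313): avc:  denied  { transition } for  pid=1034 comm="bash" path="/sw/sbin/node" dev="dm-0" ino=294783 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:system_r:nodejswebserver_t:s0 tclass=process permissive=0
type=PATH msg=audit(1476295529.526:48313): item=0 name="/sw/sbin/node" inode=294783 dev=fc:00 mode=0100755 ouid=1000 ogid=1000 rdev=00:00 obj=system_u:object_r:nodejswebserver_exec_t:s0 nametype=NORMAL
"""


@dataclass(frozen=True)
class Context:
    """An SELinux security context user:role:type[:level]."""
    user: str
    role: str
    type: str
    level: str

    @classmethod
    def parse(cls, text):
        # The level may itself contain ':' (e.g. s0-s0:c0.c1023), so split at most 3 times.
        parts = text.split(":", 3)
        if len(parts) < 3:
            raise ValueError(f"not a security context: {text!r}")
        return cls(parts[0], parts[1], parts[2], parts[3] if len(parts) == 4 else "")


FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')        # key=value or key="quoted value"
SERIAL = re.compile(r"msg=audit\(([\d.]+:\d+)\)")  # timestamp:serial ties records together
PERMS = re.compile(r"\{ ([^}]*) \}")               # the "{ transition }" permission set


def parse_records(text):
    """Group audit records by event serial: {serial: {record_type: {field: value}}}."""
    events = {}
    for line in text.splitlines():
        m = SERIAL.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        p = PERMS.search(line)
        fields["_perms"] = p.group(1).split() if p else []
        events.setdefault(m.group(1), {})[fields["type"]] = fields
    return events


def transition_requirements(event):
    """Return the policy statements one process-transition denial implies, or None."""
    avc = event.get("AVC")
    if not avc or avc.get("tclass") != "process" or "transition" not in avc["_perms"]:
        return None
    src = Context.parse(avc["scontext"])
    tgt = Context.parse(avc["tcontext"])
    path = event.get("PATH", {})
    exec_t = Context.parse(path["obj"]).type if "obj" in path else "<exec type unknown>"
    reqs = [
        f"allow {src.type} {exec_t}:file {{ getattr open read execute }};",
        f"allow {tgt.type} {exec_t}:file entrypoint;",
        f"allow {src.type} {tgt.type}:process transition;",
        f"type_transition {src.type} {exec_t}:process {tgt.type};",
    ]
    if src.role != tgt.role:
        reqs += [
            f"role_transition {src.role} {exec_t} {tgt.role};",
            f"role {tgt.role} types {tgt.type};",
            f"# SELinux user {tgt.user} must be authorized for role {tgt.role} (semanage user -l)",
            f"# roles differ ({src.role} -> {tgt.role}): 'constrain process transition' also applies;"
            " an allow rule alone is not enough if the constraint rejects the role change."
            " Inspect with 'seinfo --constrain' (my reading of refpolicy: an exemption attribute"
            " on the source type, e.g. via domain_role_change_exemption(), satisfies it).",
        ]
    if src.user != tgt.user:
        reqs.append(f"# users differ ({src.user} -> {tgt.user}): the user-change constraint applies too.")
    return {"source": src, "target": tgt, "exec_type": exec_t, "requirements": reqs}


def analyze(audit_text):
    """Map each process-transition denial in audit_text to its checklist."""
    return {s: r for s, e in parse_records(audit_text).items()
            if (r := transition_requirements(e)) is not None}


if __name__ == "__main__":
    for serial, r in analyze(SAMPLE_AUDIT).items():
        print(f"event {serial}: {r['source'].type} -> {r['target'].type} via {r['exec_type']}")
        for line in r["requirements"]:
            print("   ", line)
```

Run it against `ausearch -m avc,path -ts recent` output instead of the sample to get the same checklist for a live denial; each printed `allow`/`role`/`role_transition` line can be confirmed or refuted with `sesearch -A -s <src> -t <tgt> -c process -p transition` and `seinfo -r<role> -x`.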