On Mon, Dec 8, 2008 at 8:22 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On Fri, 2008-12-05 at 19:46 -0500, Eamon Walsh wrote:
>> The attached C code uses the CONTEXT__CONTAINS permission check to check
>> dominance, and produces the following output on my mls box:
>>
>> staff_u:staff_r:staff_t:s15:c0.c255 dominates staff_u:staff_r:staff_t:s0
>>
>> system_u:object_r:etc_t:s15:c0.c255 does not dominate system_u:object_r:etc_t:s0
>>
>>
>> Why doesn't this check work in the second case?
>
> Likely due to a TE denial. The existing policy likely only has:
> allow domain self:context contains;
> as the original use case for this check was to apply a check between two
> subject contexts.
>
> If you want to use it for object contexts, you'll have to allow it for
> those types as well.
>
>> My color translation code has a config file that may contain lines such
>> as (paraphrasing):
>> range s0 = green
>> range s1 = yellow
>> range s1:c1 = blue
>> range s15:c0.c255 = red
>>
>> and so forth, which are matched with incoming contexts using a dominance
>> check. The observed behavior above is causing this not to work.
>
> --
> Stephen Smalley
> National Security Agency
>
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
> the words "unsubscribe selinux" without quotes as the message.
>
Can anyone help me understand the results I'm getting here? I wrote
this python script (compute_av.py) to test the dominance check:
import selinux
SECCLASS_CONTEXT = selinux.string_to_security_class("context")
CONTEXT__CONTAINS = 2
rc, con = selinux.getcon()
con_array = con.split(":")
avd = selinux.av_decision()
con_array[3] = "s0:c0.c255"
ctx = ':'.join(con_array)
con_array[3] = "s0"
raw = ':'.join(con_array)
rc = selinux.security_compute_av_raw(ctx, raw, SECCLASS_CONTEXT,
CONTEXT__CONTAINS, avd)
print ctx, raw, avd.allowed
[tedx@comms ~]$ runcon system_u:system_r:initrc_t:s0-s15:c0.c1023
python compute_av.py
system_u:system_r:initrc_t:s0:c0.c255 system_u:system_r:initrc_t:s0 0
[tedx@comms ~]$ python compute_av.py
user_u:user_r:user_t:s0:c0.c255 user_u:user_r:user_t:s0 2
I ran these test in permissive mode. Why doesn't
system_u:system_r:initrc_t:s0:c0.c255 dominate
system_u:system_r:initrc_t:s0?
Ted
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
