On Fri, 2009-02-06 at 10:21 -0600, Joe Nall wrote:
> I confused by the behavior of security_compute_av_raw in fedora rawhide
> ...
> rc = security_compute_av_raw(ctx, raw, SECCLASS_CONTEXT,
> CONTEXT__CONTAINS, &avd);
> log_debug("ctx=%s raw=%s avd.allowed=%d rc=%d\n", ctx, raw,
> avd.allowed, rc);
> ...
>
> with ctx and raw identical user contexts, it works as expected:
>
> ctx=user_u:user_r:user_t:s15:c0.c1023
> raw=user_u:user_r:user_t:s15:c0.c1023 avd.allowed=2 rc=0
>
> with ctx and raw identical system contexts, it behaves differently:
>
> ctx=system_u:system_r:setrans_t:s15:c0.c1023
> raw=system_u:system_r:setrans_t:s15:c0.c1023 avd.allowed=1 rc=0
>
> both in mls/permissive. No obvious avcs.
The refpolicy only allows context contains permission for the user
domains since that was the only usage of it originally, when checking
whether a user-supplied context was contained by the seusers-defined
range. It is allowed by the interfaces in userdomain.if. If you want
it applied to all domains, you'll need to make it part of domain_type().
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
