On Feb 6, 2009, at 12:15 PM, Christopher J. PeBenito wrote:
On Fri, 2009-02-06 at 12:42 -0500, Stephen Smalley wrote:
On Fri, 2009-02-06 at 10:21 -0600, Joe Nall wrote:
I confused by the behavior of security_compute_av_raw in fedora
rawhide
...
rc = security_compute_av_raw(ctx, raw, SECCLASS_CONTEXT,
CONTEXT__CONTAINS, &avd);
log_debug("ctx=%s raw=%s avd.allowed=%d rc=%d\n", ctx, raw,
avd.allowed, rc);
...
with ctx and raw identical user contexts, it works as expected:
ctx=user_u:user_r:user_t:s15:c0.c1023
raw=user_u:user_r:user_t:s15:c0.c1023 avd.allowed=2 rc=0
with ctx and raw identical system contexts, it behaves differently:
ctx=system_u:system_r:setrans_t:s15:c0.c1023
raw=system_u:system_r:setrans_t:s15:c0.c1023 avd.allowed=1 rc=0
both in mls/permissive. No obvious avcs.
The refpolicy only allows context contains permission for the user
domains since that was the only usage of it originally, when checking
whether a user-supplied context was contained by the seusers-defined
range. It is allowed by the interfaces in userdomain.if. If you
want
it applied to all domains, you'll need to make it part of
domain_type().
If it makes sense, I have no trouble doing that upstream. Joe, what
do
you think?
Works for me. At a minimum we need:
gen_require(`
type setrans_t;
class context contains;
')
allow setrans_t self:context contains;
for Eamon's color mcstrans patch to work. See Ted's earlier email:
http://engardelinux.org/modules/index/list_archives.cgi?list=selinux&page=0015.html&month=2009-01
I got to rediscover the issue and have Stephen explain it again :)
joe
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
