-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The problem we are seeing is that people running sshd as unconfined_t are failing to log users in as unconfined_t. The reason is that the get_context_list function is looking for all transitions from unconfined_t. Since unconfined_t can execute all domains, the kernel returns an ERANGE error. Then get_context_list fails over to DEFAULTUSER (user_u), which is some ancient code used in RHEL4. Since we introduced seusers, this code does not make much sense. unconfined_u is not allowed to transition to user_u, so the code fails. If we remove this code it will fail over to FAILSAFE_CONTEXT, which I set up as unconfined_r:unconfined_t, and everything works. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkxPLLIACgkQrlYvE4MpobPyEwCff4shFQiYpROAfwtlKbg3I0EP RH0An3QIg1lQUXcEhjcTjp1WvMRFmFUi =+s4z -----END PGP SIGNATURE-----
diff --git a/libselinux/src/get_context_list.c b/libselinux/src/get_context_list.c
index a50fca8..37d80f2 100644
--- a/libselinux/src/get_context_list.c
+++ b/libselinux/src/get_context_list.c
@@ -286,7 +286,6 @@ static int get_failsafe_context(const char *user, security_context_t * newcon)
 if (buf[plen - 1] == '\n')
 buf[plen - 1] = 0;
-retry:
 nlen = strlen(user) + 1 + plen + 1;
 *newcon = malloc(nlen);
 if (!(*newcon))
@@ -306,10 +305,6 @@ static int get_failsafe_context(const char *user, security_context_t * newcon)
 if (security_check_context(*newcon) && errno != ENOENT) {
 free(*newcon);
 *newcon = 0;
-if (strcmp(user, SELINUX_DEFAULTUSER)) {
-user = SELINUX_DEFAULTUSER;
-goto retry;
-}
 return -1;
 }
@@ -418,13 +413,8 @@ int get_ordered_context_list(const char *user,
 /* Determine the set of reachable contexts for the user. */
 rc = security_compute_user(fromcon, user, &reachable);
-if (rc < 0) {
-/* Retry with the default SELinux user identity. */
-user = SELINUX_DEFAULTUSER;
-rc = security_compute_user(fromcon, user, &reachable);
-if (rc < 0)
-goto failsafe;
-}
+if (rc < 0)
+goto failsafe;
 nreach = 0;
 for (ptr = reachable; *ptr; ptr++)
 nreach++;
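Review bot: With the DEFAULTUSER retry gone, the `security_check_context(*newcon) && errno != ENOENT` test in the second hunk is now the only validation the failsafe context ever gets, and the ENOENT exemption means an unvalidated `user:failsafe_context` string is handed back to the caller whenever the kernel check is simply unavailable; that was tolerable as a stepping stone to another retry but deserves an explicit comment now that it is the last resort. I would add above the `if`: `/* Last resort: an invalid failsafe context is a hard failure; ENOENT only means the kernel check itself was unavailable, so the unchecked string is returned. */`. It is also worth stating in the commit message or the file that a user whose seusers identity cannot hold the configured failsafe role/type (the message gives unconfined_r:unconfined_t) will now fail to log in rather than being silently switched to user_u — a safer outcome, but an operational change. get_failsafe_context begins before this hunk and the remainder of its error path is not visible here.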
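Review bot: The new `if (rc < 0) goto failsafe;` in the third hunk treats every security_compute_user() failure the same, so the ERANGE case the commit message describes (too many reachable contexts from unconfined_t) and a genuine error such as an unknown SELinux user or an invalid source context all land silently in the failsafe context with the default_contexts ordering lost. That is the intended behaviour per the message, but nothing in the code records why, and a caller debugging an unexpected failsafe login gets no signal; I would at least document it inline: `/* Any failure (notably ERANGE for domains with very many reachable contexts) falls back to the failsafe context; the seusers-mapped identity is never swapped for another user. */`. Whether `reachable` is safe to touch after the jump depends on the `failsafe:` label and the cleanup path, which are outside this hunk, as is the start of get_ordered_context_list.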