On Sun, Jan 26, 2014 at 06:01:51AM +0800, Frank C wrote:
> So does this mean that we have sockets that are left open for discussion
> that are not being used? They all have to come out if they are not being
> used. Unused sockets shouldn't pass a static analysis.

Thank you for your input. Unfortunately I cannot quite follow. Could you
please elaborate what your question is?

My problem is that a socket created by the accept system call (see my
follow-up posting) has not only a wrong context that prevents access to
it, but also a context that, following the policy, it should not be able
to acquire.

>
> On Sun, Jan 26, 2014 at 4:59 AM, Ole Kliemann <ole@xxxxxxxxxxxxxxx> wrote:
>
> > I'm having an odd problem:
> >
> > I am running my own MCS constrained policy on Ubuntu 12.04. At
> > some point I have a process with context
> >
> > sub_t:s0:c20-s0:c20.c29
> >
> > From this process I try to access a jack daemon with mplayer. For
> > this purpose unix stream sockets are being used. I then get an
> > avc denial saying that
> >
> > process sub_t:s0:c20-s0:c20.c29
> >
> > tried to access
> >
> > unix_stream_socket sub_t:s0
> >
> > which is prohibited by the MCS constraint. The socket is on sockfs and
> > has no file associated with it.
> >
> > The problem is that under no circumstances does the policy allow the
> > creation of anything with 'sub_t:s0'.
> >
> > Using an auditallow rule like
> >
> > auditallow any_type sub_t:unix_stream_socket { create relabelto relabelfrom };
> >
> > clearly shows that indeed no socket with a context like that is
> > created nor relabeled to. And yet it exists.
> >
> > I'd highly appreciate any hint on this matter, including how to
> > debug further. How can I display the security context of a socket
> > on sockfs?
> >
> > Best regards
> > Ole
> >
> > _______________________________________________
> > Selinux mailing list
> > Selinux@xxxxxxxxxxxxx
> > To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> > To get help, send an email containing "help" to
> > Selinux-request@xxxxxxxxxxxxx.
>
> --
> *Francis X. Cunnane III*
> frankc@xxxxxxxxxxxxxxxx
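The quoted question asks how to display the security context of a socket on sockfs and how to debug a denial whose contexts carry an MCS category range. The following Python is an added example and not code from this thread or from the SELinux project: it expands a context such as sub_t:s0:c20-s0:c20.c29 into its type, low level and high level with the category range spelled out, pulls scontext/tcontext/tclass out of an avc line, and reads the label of the peer of a connected unix stream socket with getsockopt(SO_PEERSEC), the option libselinux's getpeercon() wraps. The avc line is constructed from the two contexts quoted in the mail (user and role fields omitted as there); the permission, pid and comm in it are made up for illustration.

```python
import re
import socket
from dataclasses import dataclass

# SO_PEERSEC is Linux-specific (value 31). Older Python builds do not
# expose the constant, so fall back to the numeric value.
SO_PEERSEC = getattr(socket, "SO_PEERSEC", 31)


# One MCS/MLS level: a sensitivity such as 's0' plus a set of category numbers.
@dataclass(frozen=True)
class Level:
    sensitivity: str
    categories: frozenset


def parse_categories(spec):
    """Expand 'c20.c29,c40' into {20, ..., 29, 40}; '' means no categories."""
    cats = set()
    for part in filter(None, spec.split(",")):
        if "." in part:                      # 'c20.c29' is an inclusive range
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return frozenset(cats)


def parse_level(text):
    """'s0:c20.c29' -> Level('s0', {20..29}); a bare 's0' carries no categories."""
    sens, _, cats = text.partition(":")
    return Level(sens, parse_categories(cats))


_LEVEL = r"s\d+(?::c\d+(?:\.c\d+)?(?:,c\d+(?:\.c\d+)?)*)?"
_CONTEXT = re.compile(rf"^(?P<prefix>.+?):(?P<low>{_LEVEL})(?:-(?P<high>{_LEVEL}))?$")


def parse_context(ctx):
    """
    Split a context into type, low and high level. A full context is
    user:role:type:low[-high]; the mail quotes the short form type:low[-high],
    so the type is the last field before the range and user/role are None
    when absent. A context without '-' has high == low.
    """
    m = _CONTEXT.match(ctx)
    if not m:
        raise ValueError(f"not an SELinux context: {ctx!r}")
    fields = m.group("prefix").split(":")
    low = parse_level(m.group("low"))
    high = parse_level(m.group("high")) if m.group("high") else low
    full = len(fields) == 3
    return {"user": fields[0] if full else None,
            "role": fields[1] if full else None,
            "type": fields[-1], "low": low, "high": high}


_AVC = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Pull result, permissions, both contexts and the object class out of one avc line."""
    m = _AVC.search(line)
    if not m:
        return None
    return {"result": m.group("result"),
            "perms": m.group("perms").split(),
            "tclass": m.group("tclass"),
            "source": parse_context(m.group("scontext")),
            "target": parse_context(m.group("tcontext"))}


# Constructed sample, not a captured log: contexts and class are the ones
# quoted in the mail; permission, pid and comm are invented for illustration.
SAMPLE_AVC = ('type=AVC msg=audit(1390680000.123:456): avc:  denied  { connectto } '
              'for  pid=4242 comm="mplayer" scontext=sub_t:s0:c20-s0:c20.c29 '
              'tcontext=sub_t:s0 tclass=unix_stream_socket')


def peer_context(sock):
    """
    Label of the peer of a connected stream socket, read with SO_PEERSEC (the
    option libselinux's getpeercon() uses). Returns None when no LSM answers
    the option, e.g. a kernel without SELinux, where getsockopt fails with
    ENOPROTOOPT.
    """
    try:
        raw = sock.getsockopt(socket.SOL_SOCKET, SO_PEERSEC, 256)
    except OSError:
        return None
    return raw.rstrip(b"\0").decode()


def peer_context_of_pair():
    """Create a connected unix stream socketpair and query one end's peer label."""
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        return peer_context(a)
    finally:
        a.close()
        b.close()


if __name__ == "__main__":
    avc = parse_avc(SAMPLE_AVC)
    for side in ("source", "target"):
        c = avc[side]
        print(f"{side}: type={c['type']} low={c['low']} high={c['high']}")
    print("peer label of a fresh socketpair:", peer_context_of_pair())
```

SO_PEERSEC only answers for the peer of a connected socket, not for the socket's own label, so a listening socket whose accepted children come out with an unexpected context is best inspected from the connecting side: connect to it and read the peer label, then compare the expanded category sets against what the policy's constraint expects.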