Re: Listing restrictions on roles.

On 07/05/2014 12:41 PM, dE wrote:
> On 07/03/14 15:09, Daniel J Walsh wrote:
>> On 07/02/2014 01:07 AM, dE wrote:
>>> There seem to exist additional non-transition restrictions on roles
>>> which define when a process will be able to execute as a certain role.
>>>
>>> For example, a process which runs from a login shell cannot have the
>>> system_r role. How do I list such rules?
>>>
>>> Looking at role transition rules, a transition to system_r should be
>>> allowed --
>>>
>>> sesearch --role_allow | grep system_r\;
>>> ...
>>> allow unconfined_r system_r;
>>> ...
>>>
>>> And the sudo process runs as unconfined_r --
>>>
>>> ps auxZ | grep sudo
>>> system_u:unconfined_r:unconfined_t:s0 root 669  0.0  0.4 206860 3356
>>> pts/1    S+   10:28   0:00 sudo -r unconfined_r nano
>>>
>>> But sudo -r system_r nano fails.
>>> _______________________________________________
>>> Selinux mailing list
>>> Selinux@xxxxxxxxxxxxx
>>> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
>>> To get help, send an email containing "help" to
>>> Selinux-request@xxxxxxxxxxxxx.
>> The type has to be available to the role.  In the case of sudo -r
>> system_r nano, if the type to be run is unconfined_t, then SELinux would
>> end up with a label like
>>
>> system_u:system_r:unconfined_t:s0
>>
>> But I don't believe unconfined_t can run in the system_r role.
>>
>> seinfo -rsystem_r -x | grep unconfined_t
>>
>> To make your sudo command run, you would also need to select the type.
>>
>> sudo -r sysadm_r -t nano_t nano ...
>>
>> Or something like that where nano_t is available to the system_r role.
>
> Actually, it is allowed:
>
> seinfo -rsystem_r -x | grep unconfined_t
>          virt_qemu_ga_unconfined_t
>          certmonger_unconfined_t
>          pegasus_openlmi_unconfined_t
>          xdm_unconfined_t
>          unconfined_t
>
> I'm running Fedora 19.
Ok, I have the unconfined.pp module disabled.
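The two checks discussed in this thread (a role-allow rule from the current role to the target role, and the target type being authorized for the target role) as a small added diagnostic script; this is not code from the thread or from setools. It assumes the output formats of `sesearch --role_allow` and `seinfo -r<role> -x` shown above, and the embedded sample output is constructed to mirror the thread, not captured from a real system.

```shell
#!/bin/sh
# Diagnose why `sudo -r ROLE -t TYPE` might be refused: both functions read
# tool output on stdin so they can be fed sample text when the tools are absent.

# role_allow_ok FROM TO   (stdin: output of `sesearch --role_allow`)
# Matches a whole "allow FROM TO;" statement rather than a substring.
role_allow_ok() {
    grep -Eq "^[[:space:]]*allow[[:space:]]+$1[[:space:]]+$2[[:space:]]*;"
}

# type_in_role TYPE   (stdin: output of `seinfo -r<role> -x`)
# Only looks below the "Types:" header and requires an exact name, so
# unconfined_t is not reported present just because xdm_unconfined_t is listed
# (the bare `grep unconfined_t` in the thread would match either).
type_in_role() {
    awk -v t="$1" '
        /^[[:space:]]*Types:/ { in_types = 1; next }
        in_types && $1 == t  { found = 1 }
        END { exit !found }'
}

# Constructed sample output (assumption: same layout as the thread's Fedora 19 setools).
SAMPLE_ROLE_ALLOW='allow unconfined_r system_r;
allow unconfined_r sysadm_r;'
SAMPLE_SEINFO='   system_r
      Dominated Roles:
         system_r
      Types:
         virt_qemu_ga_unconfined_t
         xdm_unconfined_t
         unconfined_t'

# diagnose FROM_ROLE TO_ROLE TYPE: uses the real tools when installed, else the sample.
diagnose() {
    from=$1; to=$2; type=$3
    if command -v sesearch >/dev/null 2>&1 && command -v seinfo >/dev/null 2>&1; then
        ra=$(sesearch --role_allow 2>/dev/null); si=$(seinfo -r"$to" -x 2>/dev/null)
    else
        ra=$SAMPLE_ROLE_ALLOW; si=$SAMPLE_SEINFO
    fi
    printf '%s\n' "$ra" | role_allow_ok "$from" "$to" \
        && echo "role allow $from -> $to: yes" || echo "role allow $from -> $to: NO"
    printf '%s\n' "$si" | type_in_role "$type" \
        && echo "type $type in role $to: yes" \
        || echo "type $type in role $to: NO (is the module providing it, e.g. unconfined.pp, loaded?)"
}

diagnose unconfined_r system_r unconfined_t
```

If both checks pass and sudo still refuses the context, the remaining suspect is the domain transition from the caller's type to TYPE, which `sesearch -T` and the AVC log will show.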
