Re: What did I do wrong?

On 01/21/2015 09:18 AM, Minear, Spencer wrote:
> The write to /sys/fs/selinux/user was successful.  The read was successful too, but returned only "0\0".  The read return value was 2, which matches what I see coming back.  This makes me think that I am missing some information in the policy that leads to what appears to be an unexpected result rather than one or more new contexts that I believe that the interface is supposed to return.

The response buffer (i.e. what you read from /sys/fs/selinux/user)
begins with a count of the number of contexts, followed by a NUL,
followed by the list of contexts, NUL-separated.  So in this case, the
response is saying that it couldn't find any reachable contexts for that
user from the calling context (whatever sshd is running in) under the
loaded policy.  So, yes, check your user-role authorizations, your
role-type authorizations, and transition permission from sshd's context.

> 
> Spence
> 
> -----Original Message-----
> From: Stephen Smalley [mailto:sds@xxxxxxxxxxxxx] 
> Sent: Wednesday, January 21, 2015 7:42 AM
> To: Minear, Spencer; SELinux (selinux@xxxxxxxxxxxxx)
> Subject: Re: What did I do wrong?
> 
> On 01/20/2015 11:28 PM, Minear, Spencer wrote:
>> Wonder if someone could give me a pointer to what my policy file is missing that would result in the /sys/fs/selinux/user API not providing a context when the sshd process context is written to that API?  I can see the behavior in a strace capture.  I believe that the action is a call from sshd to the security_compute_user entry in libselinux.
>>
>> On a clean working system with the available default policy sshd writes in the sshd process's context and reads back the context that is ultimately applied to the shell process started by sshd.
>>
>> Obviously I'm missing something or not including some critical information into the policy but I haven't been able to find any documentation that describes what goes on behind the scenes of this API.
> 
> Did the write() to /sys/fs/selinux/user return an error code (if so, what errno), or a string specifying that there are 0 contexts?
> 
> The underlying function first computes the maximal set of possible contexts based on the user's role authorizations and the role's type authorizations in the policy.  Then it filters that set to only include contexts for which process transition permission is allowed in policy from the caller's context (i.e. sshd in this case).
> 
> There is some further complication for the MLS field; it prefers the user's default level from the policy if that falls within the range of the caller's MLS range.  But if the user's default level is not within that range, it tries to find a level that is both consistent with the caller's MLS range limitations and the user's authorized range.  If it cannot do so, it will ultimately fail with an error.
> 
> This has long been on our todo as something to take to userspace and simplify.
> 
> 
> 
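The reply layout Stephen describes above ("<count>" NUL, then NUL-separated contexts) parsed in C, so the "0\0" reply Spencer saw shows up as an explicit count of zero rather than a confusing two-byte read. This is an added example, not code from libselinux or from anyone in the thread; the function names parse_compute_user/free_contexts and the sample buffers are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L   /* for strndup */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Parse a buffer read back from /sys/fs/selinux/user, the file behind
 * security_compute_user().  Layout as described in the thread:
 *   "<count>" NUL <context1> NUL <context2> NUL ...
 * len is the byte count read() returned, NUL bytes included, so the
 * "0\0" reply discussed above arrives as len == 2.
 *
 * Returns the number of contexts (0 means nothing reachable) or -1 if the
 * buffer does not match the layout.  On success *out receives a malloc'd,
 * NULL-terminated array of malloc'd strings; release it with free_contexts().
 */
int parse_compute_user(const char *buf, size_t len, char ***out);
void free_contexts(char **ctxs);

void free_contexts(char **ctxs)
{
    if (ctxs == NULL)
        return;
    for (char **c = ctxs; *c != NULL; c++)
        free(*c);
    free(ctxs);
}

int parse_compute_user(const char *buf, size_t len, char ***out)
{
    *out = NULL;
    if (buf == NULL || len == 0)
        return -1;

    /* The count field must be terminated by a NUL that lies inside len. */
    const char *nul = memchr(buf, '\0', len);
    if (nul == NULL)
        return -1;

    char *end;
    long count = strtol(buf, &end, 10);
    if (end == buf || end != nul || count < 0)
        return -1;

    /* calloc gives a NULL-terminated array even if we bail out early. */
    char **ctxs = calloc((size_t)count + 1, sizeof *ctxs);
    if (ctxs == NULL)
        return -1;

    const char *p = nul + 1;
    const char *lim = buf + len;
    for (long i = 0; i < count; i++) {
        /* Each context must be non-empty and NUL-terminated within len;
         * a count that promises more contexts than follow is malformed. */
        const char *e = (p < lim) ? memchr(p, '\0', (size_t)(lim - p)) : NULL;
        if (e == NULL || e == p)
            goto bad;
        ctxs[i] = strndup(p, (size_t)(e - p));
        if (ctxs[i] == NULL)
            goto bad;
        p = e + 1;
    }
    /* Bytes left over after the last context also mean a malformed reply. */
    if (p != lim)
        goto bad;

    *out = ctxs;
    return (int)count;

bad:
    free_contexts(ctxs);
    return -1;
}

int main(void)
{
    /* Constructed sample replies; sizeof includes the final NUL, which
     * matches the byte count a read() of the real file returns. */
    static const char empty[] = "0";
    static const char two[] =
        "2\0system_u:system_r:sshd_t:s0\0user_u:user_r:user_t:s0";
    char **ctxs;

    int n = parse_compute_user(empty, sizeof empty, &ctxs);
    printf("reply \"0\\0\": %d reachable contexts\n", n);
    free_contexts(ctxs);

    n = parse_compute_user(two, sizeof two, &ctxs);
    for (int i = 0; i < n; i++)
        printf("context %d: %s\n", i, ctxs[i]);
    free_contexts(ctxs);
    return 0;
}
```

A count of 0 with a successful read is a policy answer, not an I/O failure, so code that only checks the read() return value will miss it; the parser returns it as a distinct value so the caller can report "no reachable contexts for this user from the current context" before going back to the user-role, role-type and transition rules.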

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.



