I vaguely recall touching on the following before. I forgot what, if any, outcome there was.

Consider the following:

I have a constraint like this:

    (constrain (process (sigchld sigkill sigstop signull signal ptrace
                         getsched setsched getsession getpgid setpgid getcap
                         setcap share getattr setrlimit))
        (or (or (or (or (or (eq u1 u2)
                            (eq u1 system_u))
                        (eq u1 staff_u))
                    (eq u1 sysadm_u))
                (eq u2 system_u))
            (neq t1 ubac_constrained_subject_type)))

The sysadm_u and staff_u identities are supposed to be optional, and so I change the above to this:

    (constrain (process (sigchld sigkill sigstop signull signal ptrace
                         getsched setsched getsession getpgid setpgid getcap
                         setcap share getattr setrlimit))
        (or (or (or (eq u1 u2)
                    (eq u1 system_u))
                (eq u2 system_u))
            (neq t1 ubac_constrained_subject_type)))

    (optional staff
        (constrain (process (sigchld sigkill sigstop signull signal ptrace
                             getsched setsched getsession getpgid setpgid getcap
                             setcap share getattr setrlimit))
            (eq u1 staff_u)))

    (optional sysadm
        (constrain (process (sigchld sigkill sigstop signull signal ptrace
                             getsched setsched getsession getpgid setpgid getcap
                             setcap share getattr setrlimit))
            (eq u1 sysadm_u)))

The above builds and seinfo shows the three blocks, but for some reason it is not honored. E.g. the first example works but the latter does not.

Is this a known issue, or a known limitation? Should this work?

We have roleattributes, typeattributes but not identityattributes. Identityattributes would help with this requirement.

-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
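
An added example, not part of the original message and not SELinux project code: a small Python model of how the single constraint and the split constraints from the message evaluate for a few source/target pairs. It assumes that every constraint applying to a class and permission must hold for the permission to be kept, leaves out the class and permission list, and uses constructed identities, types and attribute membership.

```python
import re

def parse(text):
    """Parse a CIL-style s-expression into nested lists."""
    tokens = re.findall(r"[()]|[^\s()]+", text)
    def read(i):
        if tokens[i] != "(":
            return tokens[i], i + 1
        items, i = [], i + 1
        while tokens[i] != ")":
            node, i = read(i)
            items.append(node)
        return items, i + 1
    return read(0)[0]

def holds(expr, ctx, attrs):
    """Evaluate one constraint expression for a source/target pair."""
    op, *args = expr
    if op == "or":
        return any(holds(a, ctx, attrs) for a in args)
    if op == "and":
        return all(holds(a, ctx, attrs) for a in args)
    if op == "not":
        return not holds(args[0], ctx, attrs)
    left = ctx[args[0]]
    # Right operand: another key (u2), an attribute (set of types), or a name.
    names = {ctx[args[1]]} if args[1] in ctx else attrs.get(args[1], {args[1]})
    return (left in names) if op == "eq" else (left not in names)

def permitted(exprs, ctx, attrs):
    """Assumption modelled here: every applicable constraint must hold."""
    return all(holds(parse(e), ctx, attrs) for e in exprs)

# Constructed sample data; attribute membership is hypothetical.
ATTRS = {"ubac_constrained_subject_type": {"user_t", "staff_t", "sysadm_t"}}
BASE = ("(or (or (or (eq u1 u2) (eq u1 system_u)) (eq u2 system_u))"
        " (neq t1 ubac_constrained_subject_type))")
COMBINED = ("(or (or (or (or (or (eq u1 u2) (eq u1 system_u)) (eq u1 staff_u))"
            " (eq u1 sysadm_u)) (eq u2 system_u))"
            " (neq t1 ubac_constrained_subject_type))")
SPLIT = [BASE, "(eq u1 staff_u)", "(eq u1 sysadm_u)"]  # both optionals enabled

if __name__ == "__main__":
    for u1, u2, t1 in [("staff_u", "user_u", "staff_t"),
                       ("user_u", "user_u", "user_t"),
                       ("system_u", "user_u", "init_t")]:
        ctx = {"u1": u1, "u2": u2, "t1": t1}
        print(ctx, "combined:", permitted([COMBINED], ctx, ATTRS),
              "split:", permitted(SPLIT, ctx, ATTRS))
```

In this model the split form can never pass once both optional blocks are enabled, because u1 cannot equal staff_u and sysadm_u at the same time.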