On Mon, Jun 22, 2015 at 02:17:32PM -0400, Stephen Smalley wrote:
> On 06/22/2015 02:08 PM, Dominick Grift wrote:
> > On Mon, Jun 22, 2015 at 06:07:20PM +0200, Miroslav Grepl wrote:
> >
> >> In Fedora, we have unconfined_service_t domain for unconfined services
> >> started by init. So there is init_t @bin_t -> unconfined_service_t and
> >> we get op=security_bounded_transition for init_t against
> >> unconfined_service_t. But of course it is not going to work with
> >>
> >> typebounds init_t unconfined_service_t;
> >>
> >> because there is
> >>
> >> # <audit-1401> op=security_compute_av reason=bounds
> >> scontext=system_u:system_r:unconfined_service_t:s0
> >> tcontext=system_u:object_r:bin_t:s0 tclass=file perms=entrypoint
> >>
> >> So this logic breaks our concept with unconfined_service_t.
> >>
> >
> > What is running in the unconfined_service_t domain in that event?
>
> Nothing at the point of that message. The message indicates a bounds
> failure, which will then cause the kernel to fall back to the old
> context if it was an automatic transition, or fail the exec with -EPERM
> if it was explicitly requested via setexeccon().
>

Sounds reasonable to me (it just seems I can't easily get used to that message, but that is probably just because it does not happen often).

But yes, at that point, suppose you know you have something to target. I still would like to know what triggered this. The only thing I can think of is systemd-importd.

-- 
02DFF788 4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
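The two checks the thread is about, replayed as an added example that is not part of the thread and not kernel or refpolicy code: a toy policy with the types named above (init_t, unconfined_service_t, bin_t) and a model of how security_bounded_transition() and the bounds masking inside security_compute_av() interact when init_t execs a bin_t file. The allow rules are constructed for illustration (init_t is given execute_no_trans on bin_t but, as in refpolicy, no entrypoint there), and the model assumes the exec runs under no_new_privs, which is the condition under which the kernel of that time requires the transition to be bounded; the audit line formats only approximate the kernel's.

```python
"""Toy model (not kernel code) of the bounded-transition and bounds-masking checks."""


def make_policy(with_typebounds):
    """Constructed rules: (source, target, class) -> permissions, plus child -> parent bounds."""
    allow = {
        ("init_t", "bin_t", "file"): {"getattr", "open", "read", "execute", "execute_no_trans"},
        ("init_t", "unconfined_service_t", "process"): {"transition"},
        ("unconfined_service_t", "bin_t", "file"): {"getattr", "open", "read", "execute", "entrypoint"},
    }
    # "typebounds init_t unconfined_service_t;" from the thread, if requested
    bounds = {"unconfined_service_t": "init_t"} if with_typebounds else {}
    return allow, bounds


def compute_av(policy, scontext, tcontext, tclass, audit):
    """security_compute_av with the source-side bounds check: a bounded type keeps only
    permissions its parent also holds; the excess is masked and logged as reason=bounds."""
    allow, bounds = policy
    perms = set(allow.get((scontext, tcontext, tclass), ()))
    parent = bounds.get(scontext)
    if parent is None:
        return perms
    parent_perms = compute_av(policy, parent, tcontext, tclass, audit)  # parent may itself be bounded
    masked = perms - parent_perms
    if masked:
        audit.append("op=security_compute_av reason=bounds "
                     f"scontext={scontext} tcontext={tcontext} tclass={tclass} "
                     f"perms={','.join(sorted(masked))}")
    return perms & parent_perms


def bounded_transition(policy, old, new):
    """security_bounded_transition: new must be old itself or (transitively) bounded by old."""
    _, bounds = policy
    t = new
    while t is not None:
        if t == old:
            return True
        t = bounds.get(t)
    return False


def exec_transition(policy, old, new, entry_type, explicit, audit):
    """Outcome of exec'ing a file of type entry_type from domain old, requesting domain new,
    under no_new_privs. A non-bounded transition fails with EPERM when it was requested via
    setexeccon() (explicit=True) and otherwise falls back to old, as Stephen describes;
    the ordinary transition/entrypoint (or execute_no_trans) checks then run."""
    if new != old and not bounded_transition(policy, old, new):
        audit.append("op=security_bounded_transition result=denied "
                     f"oldcontext={old} newcontext={new}")
        if explicit:
            raise PermissionError("EPERM")
        new = old
    if new == old:
        needed = [(old, entry_type, "file", "execute_no_trans")]
    else:
        needed = [(old, new, "process", "transition"),
                  (new, entry_type, "file", "entrypoint")]
    for s, t, c, p in needed:
        if p not in compute_av(policy, s, t, c, audit):
            raise PermissionError(f"EACCES: {s} lacks {c}:{p} on {t}")
    return new


def run_scenarios():
    """Replays init_t -> unconfined_service_t via a bin_t file; returns (outcome, audit) per case."""
    cases = [("no typebounds, automatic", False, False),
             ("no typebounds, setexeccon", False, True),
             ("typebounds, automatic", True, False)]
    results = {}
    for label, with_tb, explicit in cases:
        audit = []
        try:
            outcome = exec_transition(make_policy(with_tb), "init_t",
                                      "unconfined_service_t", "bin_t", explicit, audit)
        except PermissionError as err:
            outcome = str(err)
        results[label] = (outcome, audit)
    return results


if __name__ == "__main__":
    for label, (outcome, audit) in run_scenarios().items():
        print(f"{label}: {outcome}")
        for line in audit:
            print("   ", line)
```

Without the typebounds line the automatic transition is not bounded, so the kernel model logs op=security_bounded_transition and stays in init_t (or returns EPERM for the setexeccon() case). With the typebounds line the transition itself is now bounded, but unconfined_service_t's entrypoint on bin_t exceeds what init_t holds on bin_t, so compute_av masks it, logs the reason=bounds line Miroslav quoted, and the exec fails on the entrypoint check; that is why the typebounds statement cannot fix the fallback.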