On 10/14/2015 12:41 PM, Dominick Grift wrote:
On Wed, Oct 14, 2015 at 12:05:27PM -0400, Stephen Smalley wrote:
AFAIK, systemd just calls selinux_init_load_policy() in libselinux (aka
load_policy -i). And the approach to selecting a policy version has been
stable for quite a while, so I wouldn't expect the libselinux in the
initramfs to differ in this respect.
I just rebooted that machine, and it happened again! So the dangling 29
file was not at all related.
This issue is so weird, and so hard to narrow down.
I have about 7 systems, all with the same policy and same selinux userspace, but different form factors:
2 laptops (one rawhide, one Fedora 23), one workstation (rawhide) and
4 qemu/kvm guests (all rawhide).
They're pretty much all identical from a config point of view, except that
the workstation is a hypervisor and router.
The workstation is the issue. I am getting avc denials for the same
access vectors (but only on the workstation):
system { status start }
(obviously the rules to allow it are present in the policy)
You say "obviously"; how have you verified? You could run sesearch on
the kernel's view of the policy (/sys/fs/selinux/policy), or you could
run compute_av from libselinux.
If allowed by policy but denied by systemd (since those are systemd
permissions, not kernel ones, and unfortunately use a kernel class),
then I've only seen that on a policy reload that alters the class
definitions. That issue should be fixed by the patch I posted a while
back for libselinux, which I believe should now be in rawhide.
Is it Linux 4.3 related -> then why does it work fine on my rawhide laptop
and kvm guests?
Is it my policy -> then why does it work fine on all my other systems?
Is it hardware related -> seems to be the only explanation, but then why
does it not happen consistently? (it happens most of the time when booting,
but not always)
Maybe it is a combination of hardware + linux 4.3?
So many questions and so hard to debug...
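As an added example (not code from the thread or from the SELinux project): a small Python helper that takes an AVC denial line and builds the two checks suggested above, sesearch against the kernel's loaded policy at /sys/fs/selinux/policy and compute_av from libselinux, running them only when the tools are installed. The sample denial is constructed here, since the mail quotes only the class and permissions; the init_t contexts in it are assumptions.

```python
import re
import shutil
import subprocess

KERNEL_POLICY = "/sys/fs/selinux/policy"  # the kernel's view of the loaded policy

# Constructed sample: a systemd userspace AVC for the permissions quoted in the
# thread. The contexts are assumed placeholders, not taken from the mail.
SAMPLE_AVC = (
    "avc:  denied  { status start } for auid=n/a uid=0 gid=0 "
    'cmdline="/usr/bin/systemctl status foo" '
    "scontext=system_u:system_r:init_t:s0 "
    "tcontext=system_u:system_r:init_t:s0 tclass=system permissive=0"
)

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return (scontext, tcontext, tclass, [perms]) from an AVC denial line."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial: " + line)
    return (m["scontext"], m["tcontext"], m["tclass"], m["perms"].split())


def type_of(context):
    """Extract the type field (third colon-separated component) of a context."""
    return context.split(":")[2]


def verification_commands(line, policy=KERNEL_POLICY):
    """Build the sesearch (kernel policy file) and compute_av invocations for a denial."""
    scon, tcon, tclass, perms = parse_avc(line)
    sesearch = ["sesearch", "-A", "-s", type_of(scon), "-t", type_of(tcon),
                "-c", tclass, "-p", ",".join(perms), policy]
    compute_av = ["compute_av", scon, tcon, tclass]
    return sesearch, compute_av


def run_if_available(cmd):
    """Run cmd and return its stdout, or None when the tool is not installed."""
    if shutil.which(cmd[0]) is None:
        return None
    return subprocess.run(cmd, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for cmd in verification_commands(SAMPLE_AVC):
        print(" ".join(cmd))
        out = run_if_available(cmd)
        print(out if out is not None else "  (%s not installed)" % cmd[0])
```

Run it on the affected workstation with the real denial line pasted into SAMPLE_AVC: an empty sesearch result or a compute_av output without the permissions shows the loaded kernel policy lacks the rule, while a match points back at the systemd-side class definitions.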
_______________________________________________
Selinux mailing list