On Thu, 2016-02-25 at 14:47 -0500, Stephen Smalley wrote: > On 02/25/2016 02:37 PM, Eric Paris wrote: > > > > You added a type bounds right before this broke... Does the parent > > type have entrypoint? If not, maybe that's where it got stripped... > That would match the behavior he described (although he should get > an > audit message of the form op=security_compute_av reason=bounds.. in > audit.log or dmesg in that case). The kernel automatically reduces > permissions as required by typebounds. The corresponding logic > never > made its way into the libsepol compute_av code, so audit2why > wouldn't > know about it, and sesearch merely searches for TE rules; it doesn't > do > anything about typebounds. We should probably update libsepol > compute_av (for that, and eventually for xperms). > That would make sense, and then when I blew it away everything works again. So if I do a typebounds on docker_t svirt_lxc_net_t, I have to make sure docker_t can use svirt_sandbox_file_t as an entrypoint? BTW we have a problem with type bounds, which only allows one. We would like to be able to say typebounds unconfined_t svirt_lxc_net_t; typebounds docker_t svirt_lxc_net_t; This would allow runc and docker to transition to svirt_lxc_net_t, if the user specified prctl(NO_NEW_PRIVS) Currently typebounds only allows one instance. _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
