Re: Trying to setup a type bounds from unconfined_t and docker_t to svirt_lxc_net_t

On 04/28/2016 09:15 AM, Daniel J Walsh wrote:

typebounds unconfined_t docker_t;  # docker_t is an unconfined domain

typebounds docker_t spc_t;  # spc_t is an unconfined domain

typebounds docker_t docker_lxc_net_t;


docker, rkt, systemd-nspawn, runc are all executing setexeccon(svirt_lxc_net_t)
for container domains.

Everything works fine until I turn on expand_check in semanage.conf, which we
have been asked to do in Rawhide.


Attached is the current Rawhide docker policy.  And here is the output from
semodule -i before it crashes, with a segfault.


The segfault has been fixed in upstream if you are able to pull in fixes at this point.


Had to add this rule to make it a little quieter, which is caused by a rule in
policy that says we allow all daemons to connect to spc_t:

gen_require(`
type unconfined_t;
attribute daemon;
')

allow daemon unconfined_t:unix_stream_socket  connectto;


Why does typebounds care about when a domain is the target of an access? I think
it should only remove options when it is the source.


This has always been the behavior. Whether that is the desirable behavior is a different question. To fix this would require changes in both the kernel and userspace.

Otherwise we end up having to loosen the policy to make this work.


As long as docker_t does not have any more "allow docker_t" rules than "allow
unconfined_t", shouldn't this be ok?


For your case, this seems to make sense.

It seems that some of the optional code blocks are causing problems also.


What problem are you having with optional blocks? Maybe the bounds error reporting is just confusing.

The following is showing a trace from the root of the policy down to the actual rule. I find it helpful, but maybe it is confusing to others.

    <root>
    optional at line 4356 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
    optional at line 4651 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
    optional at line 5414 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
    optional at line 5494 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
    optional at line 6180 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
    optional at line 6192 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
    booleanif at line 6201 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
    true at line 6202 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
    allow at line 6205 of /var/lib/selinux/targeted/tmp/modules/100/init/cil

Jim

--
James Carter <jwcart2@xxxxxxxxxxxxx>
National Security Agency
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
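The point Jim confirms above, that a bounded type is checked against its parent both as the source and as the target of an allow rule, is easy to see in a small model. The script below is an added example written for this thread, not code from the SELinux project or from the policy attached to the original mail; it is a toy re-implementation of the bounds semantics described here, not of libsepol's or the kernel's actual code. The rule set is constructed for illustration: the typebounds chain from the thread (unconfined_t bounds docker_t, docker_t bounds spc_t), the "all daemons may connect to spc_t" rule, and a made-up file rule. The attribute `daemon` and the type `container_file_t` are treated as plain type names for simplicity.

```python
"""Toy model of SELinux typebounds checking (added example, not SELinux code).

A type bounded by a parent may not be granted permissions the parent lacks,
whether the bounded type appears as the source or as the target of an allow
rule. Bounds chain, so a grant on spc_t is checked against docker_t, and
docker_t in turn against unconfined_t.
"""
from collections import defaultdict

# Constructed bounds, matching the thread: child -> parent
TYPEBOUNDS = {"docker_t": "unconfined_t", "spc_t": "docker_t"}

# Constructed allow rules as (source, target, class, permissions).
# 'daemon' is really an attribute; it is treated as a plain type here.
POLICY_BEFORE = [
    ("daemon", "spc_t", "unix_stream_socket", ["connectto"]),
    ("unconfined_t", "container_file_t", "file", ["read"]),
    ("docker_t", "container_file_t", "file", ["read", "write"]),
]

# Same policy plus the connectto grants on the parents in the bounds chain
# (the unconfined_t rule is the one added in the thread; the docker_t rule
# is assumed here so the chain is complete).
POLICY_AFTER = POLICY_BEFORE + [
    ("daemon", "unconfined_t", "unix_stream_socket", ["connectto"]),
    ("daemon", "docker_t", "unix_stream_socket", ["connectto"]),
]


def build_av(rules):
    """Merge rules into an access-vector table: (src, tgt, cls) -> perms."""
    av = defaultdict(set)
    for src, tgt, cls, perms in rules:
        av[(src, tgt, cls)] |= set(perms)
    return av


def effective_perms(av, bounds, src, tgt, cls):
    """Permissions left after applying bounds on both source and target.

    The recursion is what makes bounds chain: the parent's own permissions
    are themselves limited by its parent.
    """
    perms = set(av.get((src, tgt, cls), set()))
    if src in bounds:
        perms &= effective_perms(av, bounds, bounds[src], tgt, cls)
    if tgt in bounds:
        perms &= effective_perms(av, bounds, src, bounds[tgt], cls)
    return perms


def check_bounds(rules, bounds):
    """Return (side, src, tgt, cls, extra_perms) for every rule that grants
    a bounded type more than its parent has, on either side of the rule."""
    av = build_av(rules)
    violations = []
    for (src, tgt, cls), perms in av.items():
        if src in bounds:
            extra = perms - effective_perms(av, bounds, bounds[src], tgt, cls)
            if extra:
                violations.append(("source", src, tgt, cls, sorted(extra)))
        if tgt in bounds:
            extra = perms - effective_perms(av, bounds, src, bounds[tgt], cls)
            if extra:
                violations.append(("target", src, tgt, cls, sorted(extra)))
    return violations


def report(name, rules):
    print(f"== {name} ==")
    found = check_bounds(rules, TYPEBOUNDS)
    if not found:
        print("no bounds violations")
    for side, src, tgt, cls, extra in found:
        print(f"{side}-side violation: allow {src} {tgt}:{cls} "
              f"{{ {' '.join(extra)} }} exceeds the bounding parent")


if __name__ == "__main__":
    report("before", POLICY_BEFORE)
    report("after", POLICY_AFTER)
```

Running it shows two violations in the "before" policy: the daemon-to-spc_t connectto rule fails on the target side because neither docker_t nor unconfined_t is a permitted target for daemon, and docker_t's write on container_file_t fails on the source side because unconfined_t only has read. Adding the connectto grants on the parents clears the first; the second stays, which is the "no more allow docker_t rules than allow unconfined_t" condition from the thread.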


