On 30/08/16 20:19, Stephen Smalley wrote:
> On 08/30/2016 01:03 PM, Paul Bolton wrote:
>>
>> Why is the target context for evaluation kernel_t and not devlog_t?
>> Surely it should be devlog_t and therefore pass the constraint rule as a
>> trusted object?
>
> sendto is a permission check between the two socket labels, not to be
> confused with the file label. When you send on a local/Unix socket, you
> need write permission to the socket file (if using the file namespace;
> if using the abstract namespace, there is no equivalent check) and you
> need sendto to the peer socket (which typically will be labeled the same
> as the receiving process). So the receiving process is running in
> kernel_t, or was at the time it created the socket.
>
> There are two separate kernel objects when dealing with Unix sockets -
> the file and the socket itself.
>

Thanks for the explanation.

So, I guess in my example AVC, after a bit of digging to get the CentOS src
patches, where we have the following added to sshd.te, it is the
mls_process_write_all_levels() that clears that AVC.

policy-rhel-7.2-base.patch:

-- snip --
+mls_trusted_object(sshd_t)
+mls_process_write_all_levels(sshd_t)
+mls_dbus_send_all_levels(sshd_t)
-- snip --

--
Paul
----
http://blog.m0noc.com/ | https://keybase.io/m0noc
4329 E4C5 71F3 58B2 2246 D04D 25DA 39C2 3876 FE3D

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
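Review bot: the snippet carries no @@ header or unchanged context lines and the three added interface calls have no comment, so a reader of sshd.te cannot tell where they land or why they were added. Since the thread attributes the cleared sendto denial to mls_process_write_all_levels(sshd_t), a one-line comment above that call naming the denial it addresses (sshd_t sendto to the kernel_t peer socket behind /dev/log) would stop the next person from removing it as unused; the same goes for mls_trusted_object(sshd_t) and mls_dbus_send_all_levels(sshd_t), which are otherwise indistinguishable from unrelated cleanup.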
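As an added illustration of Stephen's point (example code written for this page, not part of the thread or of any SELinux tooling), the parser below takes AVC records and reports which kernel object each check targets: a denial with tclass=sock_file is against the socket file's label (devlog_t), while a denial with tclass=unix_dgram_socket or unix_stream_socket is against the peer socket, which carries the label of the process that created it (kernel_t here). It also flags when the low MLS level of the source and target contexts differ, the situation in which an MLS constraint rather than a missing allow rule is the likely cause. The two AVC lines, their PIDs, inode numbers and MLS levels are constructed for the example and do not come from Paul's system.

```python
import re
from dataclasses import dataclass, field

# Constructed sample AVC records (not from the thread). They model a process in
# sshd_t sending on /dev/log: first the write check on the socket *file*
# (labelled devlog_t), then the sendto check against the *peer socket*, which is
# labelled like the process that created it (kernel_t). The MLS levels (s2 vs
# s0) are invented so that the level-mismatch flag has something to show.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1472581234.123:101): avc:  denied  { write } for  pid=1234 '
    'comm="sshd" name="log" dev="devtmpfs" ino=1090 '
    'scontext=system_u:system_r:sshd_t:s2 '
    'tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=0',
    'type=AVC msg=audit(1472581234.124:102): avc:  denied  { sendto } for  pid=1234 '
    'comm="sshd" path="/dev/log" '
    'scontext=system_u:system_r:sshd_t:s2 '
    'tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0',
]

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Unix-domain socket classes whose target label is the peer socket, not a file.
PEER_SOCKET_CLASSES = {'unix_stream_socket', 'unix_dgram_socket'}


@dataclass
class Avc:
    result: str
    perms: list = field(default_factory=list)
    scontext: str = ''
    tcontext: str = ''
    tclass: str = ''


def split_context(ctx):
    """Split user:role:type[:range]. The range may itself contain ':' (as in
    s0-s15:c0.c1023), so split at most three times and keep the rest whole."""
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        raise ValueError(f'not a security context: {ctx!r}')
    user, role, type_ = parts[:3]
    mls_range = parts[3] if len(parts) == 4 else ''
    return user, role, type_, mls_range


def low_level(mls_range):
    """Low end of an MLS range: 's2' from 's2-s15:c0.c1023', '' when no range."""
    return mls_range.split('-', 1)[0]


def parse_avc(line):
    """Return an Avc for an audit line, or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return Avc(m.group('result'), m.group('perms').split(),
               m.group('scontext'), m.group('tcontext'), m.group('tclass'))


def explain(avc):
    """Describe which object the check was made against and whether the
    source and target MLS levels disagree."""
    _, _, stype, srange = split_context(avc.scontext)
    _, _, ttype, trange = split_context(avc.tcontext)
    info = {'source_type': stype, 'target_type': ttype,
            'tclass': avc.tclass, 'perms': avc.perms}
    if avc.tclass == 'sock_file':
        info['object'] = 'socket file'
        info['note'] = (f'checked against the file label {ttype}; only applies '
                        'when the socket lives in the filesystem namespace')
    elif avc.tclass in PEER_SOCKET_CLASSES:
        info['object'] = 'peer socket'
        info['note'] = (f'checked against the receiving socket, labelled like '
                        f'the process that created it ({ttype}), not the file')
    else:
        info['object'] = 'other'
        info['note'] = ''
    # Differing low levels point at an MLS constraint rather than a missing allow.
    info['mls_mismatch'] = bool(srange and trange
                                and low_level(srange) != low_level(trange))
    return info


def analyse(lines):
    """Parse and explain every AVC record in an iterable of audit lines."""
    return [explain(avc) for avc in map(parse_avc, lines) if avc is not None]


if __name__ == '__main__':
    for entry in analyse(SAMPLE_AVCS):
        print(f"{entry['source_type']} -> {entry['target_type']} "
              f"({entry['tclass']}, {' '.join(entry['perms'])}): "
              f"{entry['object']}; mls mismatch={entry['mls_mismatch']}")
        print('   ', entry['note'])
```

Running it against real output from ausearch -m AVC shows at a glance whether a denial on /dev/log is the file-namespace write (fix with an allow on devlog_t) or the sendto to the peer socket (the receiver's domain, and possibly an MLS constraint, is what matters).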