Re: MLS dominance check behavior on el7

On 09/10/2018 01:13 PM, Ted Toth wrote:
We currently have code running on el6 that does an MLS dominance check by calling security_compute_av_raw with the security object class SECCLASS_CONTEXT with permission CONTEXT__CONTAINS, as you can see in the python code below. When I run this code on el6, s1 dominates s0; however, when I run the same code on el7, s1 does not dominate s0. On both systems the file read dominance check works as expected. Can anyone help me understand why the context contains check does not work the same on both systems?

That would depend entirely on how the constraint is written in the policy. I assume this is with the -mls policy on both? seinfo --constrain | grep -C1 context would show you the constraint in the kernel policy.

Looks like refpolicy defines it as:
mlsconstrain context contains
        (( h1 dom h2 ) and ( l1 domby l2));

The 2nd part of the constraint was introduced by:
commit 4c365f4a6a6f933dd13b0127e03f832c6a6cf8fc
Author: Harry Ciao <qingtao.cao@xxxxxxxxxxxxx>
Date:   Tue Feb 15 10:16:32 2011 +0800

    l1 domby l2 for contains MLS constraint

    As identified by Stephan Smalley, the current MLS constraint for the
    contains permission of the context class should consider the current
    level of a user along with the clearance level so that mls_systemlow
    is no longer considered contained in mls_systemhigh.

    Signed-off-by: Harry Ciao <qingtao.cao@xxxxxxxxxxxxx>

This was to prevent a user from logging in at a level below their authorized range, in the unusual scenario where the user's low level was not s0/systemlow.


Ted

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

import selinux

# Resolve the class and permission numbers from the running kernel policy.
SECCLASS_CONTEXT = selinux.string_to_security_class("context")
CONTEXT__CONTAINS = selinux.string_to_av_perm(SECCLASS_CONTEXT, "contains")
SECCLASS_FILE = selinux.string_to_security_class("file")
FILE__READ = selinux.string_to_av_perm(SECCLASS_FILE, "read")

# Source context (s1) and target context (s0) for both checks.
raw_con1 = "user_u:user_r:user_t:s1"
raw_con2 = "user_u:user_r:user_t:s0"

# MLS dominance check through the context class: is raw_con2 contained in raw_con1?
avd = selinux.av_decision()
selinux.avc_reset()
try:
    rc = selinux.security_compute_av_raw(raw_con1, raw_con2, SECCLASS_CONTEXT, CONTEXT__CONTAINS, avd)
    if rc < 0:
        print("selinux.security_compute_av_raw failed for %s %s" % (raw_con1, raw_con2))
    if (avd.allowed & CONTEXT__CONTAINS) == CONTEXT__CONTAINS:
        print("%s dominates %s" % (raw_con1, raw_con2))
    else:
        print("%s does not dominate %s" % (raw_con1, raw_con2))
except OSError as ex:
    print("exception calling selinux.security_compute_av_raw", ex)

# Same pair of contexts checked through file read, which behaves the same on both systems.
avd = selinux.av_decision()
selinux.avc_reset()
try:
    rc = selinux.security_compute_av_raw(raw_con1, raw_con2, SECCLASS_FILE, FILE__READ, avd)
    if rc < 0:
        print("selinux.security_compute_av_raw failed for %s %s" % (raw_con1, raw_con2))
    if (avd.allowed & FILE__READ) == FILE__READ:
        print("%s dominates %s" % (raw_con1, raw_con2))
    else:
        print("%s does not dominate %s" % (raw_con1, raw_con2))
except OSError as ex:
    print("exception calling selinux.security_compute_av_raw", ex)
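The refpolicy constraint quoted in the reply, modelled in plain Python as an added example (not code from this thread or from libselinux): it parses the MLS field of two raw contexts and evaluates "h1 dom h2 and l1 domby l2" with the first context as h1/l1 and the second as h2/l2, alongside the pre-commit form that checked only h1 dom h2. The function names parse_level, parse_range, dom and context_contains are chosen here, and only the MLS part of the constraint is evaluated, nothing else from the policy.

```python
# Added example: a model of
#   mlsconstrain context contains (( h1 dom h2 ) and ( l1 domby l2 ));
# Levels look like "sN" or "sN:cA,cB.cD"; an MLS range is "low-high" or a single level.

def parse_level(level):
    """Return (sensitivity, frozenset of category numbers) for e.g. 's2:c0.c3,c7'."""
    sens, _, cats = level.partition(":")
    categories = set()
    for item in filter(None, cats.split(",")):
        lo, _, hi = item.partition(".")           # 'c0.c3' is the closed range c0..c3
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        categories.update(range(lo_n, hi_n + 1))
    return int(sens[1:]), frozenset(categories)

def parse_range(context):
    """Split the MLS field of a raw context (user:role:type:mls) into (low, high)."""
    mls = context.split(":", 3)[3]
    low, _, high = mls.partition("-")
    return parse_level(low), parse_level(high or low)   # single level: low == high

def dom(a, b):
    """a dominates b: sensitivity at least b's and a superset of b's categories."""
    return a[0] >= b[0] and a[1] >= b[1]

def context_contains(scon, tcon, current_refpolicy=True):
    """Evaluate context:contains with scon supplying h1/l1 and tcon supplying h2/l2."""
    l1, h1 = parse_range(scon)
    l2, h2 = parse_range(tcon)
    if not current_refpolicy:                     # pre-commit form: only h1 dom h2
        return dom(h1, h2)
    return dom(h1, h2) and dom(l2, l1)            # l1 domby l2 is the same as l2 dom l1

if __name__ == "__main__":
    s1, s0 = "user_u:user_r:user_t:s1", "user_u:user_r:user_t:s0"
    # Single-level s1 vs s0: h1 dom h2 holds, but l1 (s1) is not dominated by l2 (s0).
    print(context_contains(s1, s0, current_refpolicy=False))   # True
    print(context_contains(s1, s0))                            # False
    # A range whose low end is s0 does contain s0.
    print(context_contains("user_u:user_r:user_t:s0-s1", s0))  # True
```

Running it with the thread's two contexts shows why the answer flips once the second clause is present: the target level must sit inside the source range, so a single level s1 cannot contain s0 even though s1 dominates s0.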



_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
