On Thu, Mar 05, 2020 at 06:33:55PM +0100, Petr Lautrbach wrote:
>
> Stephen Smalley <stephen.smalley.work@xxxxxxxxx> writes:
>
> > On Wed, Mar 4, 2020 at 9:36 AM Dominick Grift
> > <dominick.grift@xxxxxxxxxxx> wrote:
> >>
> >> On Wed, Mar 04, 2020 at 09:22:42AM -0500, Stephen Smalley wrote:
> >> > Are you using libselinux with or without the commit to stop using
> >> > security_compute_user()?
> >> > If still using security_compute_user(), what does compute_user
> >> > sys.id:sys.role:sys.isid:s0 wheel.id display?
> >> > If you don't have compute_user (it is in libselinux/utils but not sure
> >> > Fedora packages it), you can also just
> >> > strace -s 4096 -o trace.txt selinuxconlist wheel.id sys.id:sys.role:sys.isid:s0
> >> > and see what it read back from /sys/fs/selinux/user.
> >>
> >> Thanks, it does not even seem to read /etc/selinux/dssp3-mcs/contexts/users/wheel.id...
> >> I am not sure if my libselinux has or has not security_compute_user():
> >>
> >> # rpm -qa libselinux
> >> libselinux-3.0-3.fc32.x86_64
> >>
> >> openat(AT_FDCWD, "/sys/fs/selinux/user", O_RDWR|O_CLOEXEC) = 3
> >> write(3, "sys.id:sys.role:sys.isid:s0 wheel.id", 36) = -1 ERANGE (Numerical result out of range)
> >
> > This shows that your libselinux is still calling
> > security_compute_user() from get_ordered_context_list().
> > In this case, because the source context is allowed to transition to
> > many other contexts, the result returned via
> > /sys/fs/selinux/user would exceed the maximum size supported by the
> > kernel interface (one page of contexts),
> > and therefore it fails. Then get_ordered_context_list() falls back to
> > the failsafe_context.
> >
> > If you update to libselinux git, you will stop using
> > security_compute_user() and hence /sys/fs/selinux/user entirely.
>
> FYI I've just built libselinux-3.0-4.fc32 [1] and libselinux-3.0-4.fc33
> [2] with the security_compute_user() patch applied.
>
> [1] https://koji.fedoraproject.org/koji/buildinfo?buildID=1474378
> [2] https://koji.fedoraproject.org/koji/buildinfo?buildID=1474377

Thanks, trying it out

>
> --
> () ascii ribbon campaign - against html e-mail
> /\ www.asciiribbon.org - against proprietary attachments
> --

gpg --locate-keys dominick.grift@xxxxxxxxxxx
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
Dominick Grift
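Added example (editor's note; this is not code from the thread, from libselinux or from the kernel): a small C program that issues the same "<context> <user>" query that libselinux's security_compute_user() sends to /sys/fs/selinux/user, parses the reply the way that function does, and reports the ERANGE case from the strace above as a distinct result instead of letting it turn silently into the failsafe_context fallback. It assumes the reply layout of the selinuxfs user node as the editor reads it ("<count>\0" followed by count NUL-terminated contexts, the whole reply having to fit in one page, otherwise the write() itself fails with ERANGE) and a 4096-byte page. The helper names (query_user_contexts, parse_user_reply, free_context_list, demo_parse_sample) and the second context in the built-in sample reply are the example's own, constructed so the parser can be exercised on a machine without SELinux.

```c
/* Added example, not libselinux code: query /sys/fs/selinux/user the way
 * security_compute_user() does and parse the kernel's reply, treating the
 * ERANGE case from the thread (reply would exceed one page) as a distinct
 * result instead of a silent fallback. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumption: 4096-byte page. libselinux sizes its buffer from the page
 * size; the kernel refuses replies that would not fit in one page. */
#define USER_NODE "/sys/fs/selinux/user"
#define PAGE_BUF  4096
#define CU_ERANGE (-2)   /* kernel said the context list is too long */
#define CU_ERROR  (-1)   /* any other failure */

void free_context_list(char **list)
{
    if (!list) return;
    for (char **p = list; *p; p++) free(*p);
    free(list);
}

/* Parse a reply of len bytes laid out as "<count>\0ctx1\0ctx2\0..." into a
 * NULL-terminated array. Returns the count, or CU_ERROR if malformed. */
int parse_user_reply(const char *buf, size_t len, char ***out)
{
    char *endp;
    *out = NULL;
    if (len == 0 || memchr(buf, '\0', len) == NULL) return CU_ERROR;
    long n = strtol(buf, &endp, 10);
    if (n < 0 || *endp != '\0') return CU_ERROR;
    char **list = calloc((size_t)n + 1, sizeof *list);
    if (!list) return CU_ERROR;
    const char *p = buf + strlen(buf) + 1;   /* skip "<count>\0" */
    const char *end = buf + len;
    for (long i = 0; i < n; i++) {
        const char *nul = p < end ? memchr(p, '\0', (size_t)(end - p)) : NULL;
        if (!nul || !(list[i] = strndup(p, (size_t)(nul - p)))) {
            free_context_list(list);   /* fewer contexts than announced */
            return CU_ERROR;
        }
        p = nul + 1;
    }
    *out = list;
    return (int)n;
}

/* Write "<context> <user>" to node and read back the reachable contexts.
 * The kernel builds the list during write(), so a too-long list fails the
 * write itself with ERANGE, which is exactly what the strace shows. */
int query_user_contexts(const char *node, const char *scon, const char *user,
                        char ***out)
{
    char buf[PAGE_BUF];
    *out = NULL;
    int n = snprintf(buf, sizeof buf, "%s %s", scon, user);
    if (n < 0 || (size_t)n >= sizeof buf) return CU_ERROR;
    int fd = open(node, O_RDWR | O_CLOEXEC);
    if (fd < 0) return CU_ERROR;
    if (write(fd, buf, (size_t)n) < 0) {
        int e = errno;
        close(fd);
        return e == ERANGE ? CU_ERANGE : CU_ERROR;
    }
    memset(buf, 0, sizeof buf);
    ssize_t r = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (r < 0) return CU_ERROR;
    return parse_user_reply(buf, (size_t)r, out);
}

/* Constructed sample reply (the second context is made up for the demo). */
static const char SAMPLE_REPLY[] =
    "2\0sys.id:sys.role:sys.isid:s0\0wheel.id:wheel.role:wheel.subj:s0\0";

int demo_parse_sample(void)
{
    char **list = NULL;
    int n = parse_user_reply(SAMPLE_REPLY, sizeof SAMPLE_REPLY - 1, &list);
    free_context_list(list);
    return n;   /* 2 */
}

int main(int argc, char **argv)
{
    const char *scon = argc > 1 ? argv[1] : "sys.id:sys.role:sys.isid:s0";
    const char *user = argc > 2 ? argv[2] : "wheel.id";
    char **list = NULL;
    int n = query_user_contexts(USER_NODE, scon, user, &list);
    if (n == CU_ERANGE) {
        printf("%s %s: reply would exceed one page (ERANGE); libselinux "
               "would fall back to failsafe_context\n", scon, user);
        return 1;
    }
    if (n < 0) { perror(USER_NODE); return 1; }
    for (int i = 0; i < n; i++) printf("%s\n", list[i]);
    free_context_list(list);
    return 0;
}
```

Run it as ./compute_user 'sys.id:sys.role:sys.isid:s0' wheel.id on the affected box: a distinct ERANGE message confirms the diagnosis above (the list of reachable contexts no longer fits in one page), whereas a libselinux that has the patch never opens /sys/fs/selinux/user at all, so the strace in the thread is the quicker check for which build you are on.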