On Thu, Mar 05, 2020 at 06:39:41PM +0100, Dominick Grift wrote:
> On Thu, Mar 05, 2020 at 06:33:55PM +0100, Petr Lautrbach wrote:
> >
> > Stephen Smalley <stephen.smalley.work@xxxxxxxxx> writes:
> >
> > > On Wed, Mar 4, 2020 at 9:36 AM Dominick Grift
> > > <dominick.grift@xxxxxxxxxxx> wrote:
> > >>
> > >> On Wed, Mar 04, 2020 at 09:22:42AM -0500, Stephen Smalley wrote:
> > >> > Are you using libselinux with or without the commit to stop using
> > >> > security_compute_user()?
> > >> > If still using security_compute_user(), what does compute_user
> > >> > sys.id:sys.role:sys.isid:s0 wheel.id display?
> > >> > If you don't have compute_user (it is in libselinux/utils but not sure
> > >> > Fedora packages it), you can also just
> > >> > strace -s 4096 -o trace.txt selinuxconlist wheel.id sys.id:sys.role:sys.isid:s0
> > >> > and see what it read back from /sys/fs/selinux/user.
> > >>
> > >> Thanks, it does not even seem to read /etc/selinux/dssp3-mcs/contexts/users/wheel.id...
> > >> I am not sure if my libselinux has or has not security_compute_user():
> > >>
> > >> # rpm -qa libselinux
> > >> libselinux-3.0-3.fc32.x86_64
> > >>
> > >> openat(AT_FDCWD, "/sys/fs/selinux/user", O_RDWR|O_CLOEXEC) = 3
> > >> write(3, "sys.id:sys.role:sys.isid:s0 wheel.id", 36) = -1 ERANGE (Numerical result out of range)
> > >
> > > This shows that your libselinux is still calling
> > > security_compute_user() from get_ordered_context_list().
> > > In this case, because the source context is allowed to transition to
> > > many other contexts, the result returned via
> > > /sys/fs/selinux/user would exceed the maximum size supported by the
> > > kernel interface (one page of contexts),
> > > and therefore it fails. Then get_ordered_context_list() falls back to
> > > the failsafe_context.
> > >
> > > If you update to libselinux git, you will stop using
> > > security_compute_user() and hence /sys/fs/selinux/user entirely.
> >
> > FYI I've just built libselinux-3.0-4.fc32 [1] and libselinux-3.0-4.fc33
> > [2] with the security_compute_user() patch applied.
> >
> > [1] https://koji.fedoraproject.org/koji/buildinfo?buildID=1474378
> > [2] https://koji.fedoraproject.org/koji/buildinfo?buildID=1474377
>
> Thanks, trying it out

[root@myguest ~]# strace -s 4096 -o trace.txt selinuxconlist wheel.id sys.id:sys.role:sys.isid:s0
wheel.id:wheel.role:user.systemd.subj:s0
wheel.id:sys.role:sys.isid:s0

So that result looks promising, but when I login I still get
wheel.id:sys.role:sys.isid:s0

Is that some compatibility related thing, or does something else need to
be rebuilt against this libselinux for it to work?

> >
> > --
> > () ascii ribbon campaign - against html e-mail
> > /\ www.asciiribbon.org - against proprietary attachments
> >

--
gpg --locate-keys dominick.grift@xxxxxxxxxxx
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
Dominick Grift
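The diagnostic Stephen suggests above (strace the `selinuxconlist` call and look at what happens on `/sys/fs/selinux/user`) can be automated. The script below is an added example written for this thread; it is not part of libselinux, the Fedora packages, or anything posted by the participants. It walks an strace log, tracks which file descriptor is bound to the compute_user node (so a reused fd number is not misattributed), and reports whether the old `security_compute_user()` path is still in use and whether the kernel query failed with `ERANGE`, which is the symptom that makes `get_ordered_context_list()` fall back to the failsafe context. The two trace excerpts embedded in it are constructed for the example, modelled on the lines quoted in the thread, and the regular expressions assume strace's default output format (the `-s 4096` from the thread keeps the written string untruncated).

```python
import re

COMPUTE_USER_NODE = "/sys/fs/selinux/user"

# Constructed strace excerpt, modelled on the lines quoted in the thread:
# libselinux still on the security_compute_user() path. fd 3 is first used
# for another file and closed, then reused for the kernel interface.
OLD_PATH_TRACE = """\
openat(AT_FDCWD, "/etc/selinux/config", O_RDONLY|O_CLOEXEC) = 3
close(3)                                = 0
openat(AT_FDCWD, "/sys/fs/selinux/user", O_RDWR|O_CLOEXEC) = 3
write(3, "sys.id:sys.role:sys.isid:s0 wheel.id", 36) = -1 ERANGE (Numerical result out of range)
close(3)                                = 0
"""

# Constructed excerpt for a libselinux that no longer touches the node and
# reads the per-user contexts file instead (hypothetical path and policy name).
NEW_PATH_TRACE = """\
openat(AT_FDCWD, "/etc/selinux/config", O_RDONLY|O_CLOEXEC) = 3
close(3)                                = 0
openat(AT_FDCWD, "/etc/selinux/dssp3-mcs/contexts/users/wheel.id", O_RDONLY|O_CLOEXEC) = 3
close(3)                                = 0
"""

# strace line shapes: openat(dirfd, "path", flags[, mode]) = fd
#                     write(fd, "data", len) = ret [ERRNO (text)]
#                     close(fd) = ret
OPENAT_RE = re.compile(r'^openat\(\w+, "([^"]+)", [^)]*\)\s*=\s*(-?\d+)')
WRITE_RE = re.compile(r'^write\((\d+), "((?:[^"\\]|\\.)*)", \d+\)\s*=\s*(-?\d+)(?:\s+(E[A-Z]+))?')
CLOSE_RE = re.compile(r'^close\((\d+)\)\s*=\s*(-?\d+)')


def analyze_trace(trace: str) -> dict:
    """Return how (if at all) the compute_user node was used in an strace log."""
    open_fds = {}  # fd number -> path, so a write is attributed to the right file
    result = {"uses_compute_user": False, "query": None, "errno": None}
    for line in trace.splitlines():
        m = OPENAT_RE.match(line)
        if m:
            path, ret = m.group(1), int(m.group(2))
            if ret >= 0:           # only a successful open binds the fd
                open_fds[ret] = path
            continue
        m = CLOSE_RE.match(line)
        if m:
            open_fds.pop(int(m.group(1)), None)
            continue
        m = WRITE_RE.match(line)
        if m and open_fds.get(int(m.group(1))) == COMPUTE_USER_NODE:
            result["uses_compute_user"] = True
            result["query"] = m.group(2)          # "<source context> <seuser>"
            result["errno"] = m.group(4) if int(m.group(3)) < 0 else None
    return result


def diagnose(trace: str) -> str:
    """Map the trace to one of a few outcomes a packager or admin cares about."""
    r = analyze_trace(trace)
    if not r["uses_compute_user"]:
        return "no-compute-user"      # the libselinux in use has the patch
    if r["errno"] == "ERANGE":
        return "compute-user-erange"  # reply would exceed one page; expect failsafe_context
    if r["errno"]:
        return "compute-user-" + r["errno"].lower()
    return "compute-user-ok"


if __name__ == "__main__":
    for name, trace in (("old", OLD_PATH_TRACE), ("new", NEW_PATH_TRACE)):
        print(name, diagnose(trace), analyze_trace(trace))
```

Run it against a real `trace.txt` by reading the file into `diagnose()`; a `compute-user-erange` result means the login contexts you see come from the failsafe fallback rather than from the policy's transition set, which is the case Stephen describes above.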