Bug 490228

Summary: can relabelto types that aren't usable files types
Product: [Fedora] Fedora
Reporter: Sebastian Pfaff <Sebastian.Pfaff>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 10
CC: dwalsh, jkubin, mgrepl
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2009-03-13 22:58:49 UTC

Description Sebastian Pfaff 2009-03-13 22:23:47 UTC
Description of problem:

in this example it's possible to label a file via restorecon, which is usable. look, there is no files_type(test_prog_exec_t) call in *.te file!

Version-Release number of selected component (if applicable):

i don't know.

How reproducible && Steps to Reproduce:

te file: 

policy_module(test_prog, 0.0.1)

require {
        type devpts_t;
        type unconfined_devpts_t;
        type test_prog_exec_t;
        type usr_t;
        type proc_t;
        type admin_home_t;
        type test_prog_t;
        type unconfined_t;
}


type test_prog_t;
type test_prog_exec_t;

role unconfined_r types test_prog_t;

domain_type(test_prog_t)
domain_entry_file(unconfined_t, test_prog_exec_t)
domain_auto_trans(unconfined_t, test_prog_exec_t, test_prog_t)

# generated by audit2allow
# necessary to allow everything for test.sh
#============= test_prog_t ==============
allow test_prog_t admin_home_t:dir getattr;
allow test_prog_t devpts_t:dir search;
allow test_prog_t proc_t:file read;
allow test_prog_t test_prog_exec_t:file read;
allow test_prog_t unconfined_devpts_t:chr_file ioctl;
allow test_prog_t usr_t:dir search;


fc file:

/root/test_prog/test.sh -- gen_context(unconfined_u:object_r:test_prog_exec_t, s0)

here the script:

[root@SecLab test_prog]# cat test.sh
#!/bin/sh
echo "foo"
#EOF 


Actual results:

...
compiling && loading module
...

[root@SecLab test_prog]# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@SecLab test_prog]# ls -Z test.sh 
-rwx------  root root unconfined_u:object_r:admin_home_t:s0 test.sh
[root@SecLab test_prog]# semodule -l | grep test
test_prog	0.0.1
[root@SecLab test_prog]# restorecon /root/test_prog/test.sh 
[root@SecLab test_prog]# semodule -l | grep test
test_prog	0.0.1
[root@SecLab test_prog]# ls -Z test.sh 
-rwx------  root root unconfined_u:object_r:test_prog_exec_t:s0 test.sh
[root@SecLab test_prog]# 


Expected results: 

something like this (produced on the same machine, but other policy module):

audit.log:

type=AVC msg=audit(1236879143.296:193): avc:  denied  { relabelto } for  pid=26871 comm="restorecon" name="writable2" dev=sda1 ino=209596 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:my_type_t:s0 tclass=dir
type=SYSCALL msg=audit(1236879143.296:193): arch=40000003 syscall=227 success=no exit=-13 a0=bf9c8cc0 a1=14777d a2=b8b20aa0 a3=1f items=0 ppid=20022 pid=26871 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=10 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)

for completeness code of te file:

policy_module(fake_httpd, 0.1.1)

require{
        type httpd_t;
        type httpd_exec_t;
        type unconfined_t;
        type admin_home_t;

#       type sleep_exec_t;
}

type my_type_t;
role unconfined_r types httpd_t;

#domain_type(httpd_t)
#files_type(my_type_t);
domain_entry_file(httpd_t, httpd_exec_t)
domain_auto_trans(unconfined_t, httpd_exec_t, httpd_t)

allow httpd_t admin_home_t:dir { getattr search };
#allow httpd_t sleep_exec_t:file { read getattr };

fc file:

/root/fake_httpd.sh -- gen_context(system_u:object_r:httpd_exec_t, s0)
/var/www/writable2 -d gen_context(system_u:object_r:my_type_t, s0)

the above module is a testing example. the module has no further purpose. so don't wonder when it seems confusing.

good night

Sebastian

Comment 1 Sebastian Pfaff 2009-03-13 22:40:27 UTC
sorry, change this:

in this example it's possible to label a file via restorecon, which is usable.

to this:

in this example it's possible to label a file via restorecon, which is _still_not_ usable.

night

seba

Comment 2 Sebastian Pfaff 2009-03-13 22:58:49 UTC
sorry for wasting time.

this is NOT a bug. files_type is implicitly called in corecommands.if

interface(`corecmd_executable_file',`
        gen_require(`
                attribute exec_type;
        ')

        typeattribute $1 exec_type;

        files_type($1)
')

which in turn will be called through domain_entry_file(...).

sorry for this stupid entry. tnx to dgrift for pointing this out.

bye

seba
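
The macro chain from comment 2, traced mechanically (an added example, not part of the bug report or of the policy sources): it parses interface definitions and follows the $N argument substitution to list which types end up passed to files_type(). The domain_entry_file body, the sample strings and all function names are assumptions made for illustration.

```python
import re
# Constructed input: corecmd_executable_file is quoted from comment 2; the
# domain_entry_file body is a simplified stand-in (assumption), not refpolicy's.
SAMPLE_IF = """\
interface(`corecmd_executable_file',`
        gen_require(`
                attribute exec_type;
        ')
        typeattribute $1 exec_type;
        files_type($1)
')
interface(`domain_entry_file',`
        corecmd_executable_file($2)
')
"""
# Lines taken from the two .te files in the description.
SAMPLE_TE = """\
domain_entry_file(unconfined_t, test_prog_exec_t)
type my_type_t;
#files_type(my_type_t);
domain_entry_file(httpd_t, httpd_exec_t)
"""

IFACE_RE = re.compile(r"interface\(`(\w+)',`(.*?)\n'\)", re.S)
CALL_RE = re.compile(r"^[ \t]*(\w+)\(([^`()]*)\)[ \t]*;?[ \t]*$", re.M)

def calls(text):
    """Return [(macro, [args])] for every uncommented one-line macro call."""
    return [(m, [a.strip() for a in args.split(",")]) for m, args in CALL_RE.findall(text)]

def parse_interfaces(text):  # interface name -> macro calls made in its body
    return {name: calls(body) for name, body in IFACE_RE.findall(text)}

def expand(ifaces, macro, args, seen=()):
    """Yield (macro, args) for a call and for everything it expands to."""
    yield macro, args
    if macro in seen:  # guard against recursive definitions
        return
    arg = lambda m: args[int(m.group(1)) - 1] if 0 < int(m.group(1)) <= len(args) else ""
    for callee, templ in ifaces.get(macro, []):
        concrete = [re.sub(r"\$(\d+)", arg, t) for t in templ]
        yield from expand(ifaces, callee, concrete, seen + (macro,))

def implicit_file_types(ifaces, te_text):
    """Map each type that reaches files_type() to the .te macro responsible."""
    return {a[0]: macro for macro, args in calls(te_text)
            for name, a in expand(ifaces, macro, args) if name == "files_type"}

print(implicit_file_types(parse_interfaces(SAMPLE_IF), SAMPLE_TE))
```

In the output, my_type_t is absent because its only files_type() call is commented out, while both *_exec_t types are reached through domain_entry_file.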