Bug 490228 - can relabelto types that arent usable files types
can relabelto types that arent usable files types
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
All Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2009-03-13 18:23 EDT by Sebastian Pfaff
Modified: 2009-03-13 18:58 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-03-13 18:58:49 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Sebastian Pfaff 2009-03-13 18:23:47 EDT
Description of problem:

in this example it's possible to label a file via restorecon, which is usable. look, there is no files_type(test_prog_exec_t) call in *.te file!

Version-Release number of selected component (if applicable):

i don't know.

How reproducible && Steps to Reproduce:

te file: 

policy_module(test_prog, 0.0.1)

require {
        type devpts_t;
        type unconfined_devpts_t;
        type test_prog_exec_t;
        type usr_t;
        type proc_t;
        type admin_home_t;
        type test_prog_t;
        type unconfined_t;

type test_prog_t;
type test_prog_exec_t;

role unconfined_r types test_prog_t;

domain_entry_file(unconfined_t, test_prog_exec_t)
domain_auto_trans(unconfined_t, test_prog_exec_t, test_prog_t)

# generated by audit2allow
# neccessary to allow everything for test.sh
#============= test_prog_t ==============
allow test_prog_t admin_home_t:dir getattr;
allow test_prog_t devpts_t:dir search;
allow test_prog_t proc_t:file read;
allow test_prog_t test_prog_exec_t:file read;
allow test_prog_t unconfined_devpts_t:chr_file ioctl;
allow test_prog_t usr_t:dir search;

fc file:

/root/test_prog/test.sh -- gen_context(unconfined_u:object_r:test_prog_exec_t, s0)

here the script:

[root@SecLab test_prog]# cat test.sh
echo "foo"

Actual results:

compiling && loading module

[root@SecLab test_prog]# id -Z
[root@SecLab test_prog]# ls -Z test.sh 
-rwx------  root root unconfined_u:object_r:admin_home_t:s0 test.sh
[root@SecLab test_prog]# semodule -l | grep test
test_prog	0.0.1
[root@SecLab test_prog]# restorecon /root/test_prog/test.sh 
[root@SecLab test_prog]# semodule -l | grep test
test_prog	0.0.1
[root@SecLab test_prog]# ls -Z test.sh 
-rwx------  root root unconfined_u:object_r:test_prog_exec_t:s0 test.sh
[root@SecLab test_prog]# 

Expected results: 

something like this (produced on the same machine, but other policy module):


type=AVC msg=audit(1236879143.296:193): avc:  denied  { relabelto } for  pid=26871 comm="restorecon" name="writable2" dev=sda1 ino=209596 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:my_type_t:s0 tclass=dir
type=SYSCALL msg=audit(1236879143.296:193): arch=40000003 syscall=227 success=no exit=-13 a0=bf9c8cc0 a1=14777d a2=b8b20aa0 a3=1f items=0 ppid=20022 pid=26871 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=10 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)

for comleteness code of te file:

policy_module(fake_httpd, 0.1.1)

        type httpd_t;
        type httpd_exec_t;
        type unconfined_t;
        type admin_home_t;

#       type sleep_exec_t;

type my_type_t;
role unconfined_r types httpd_t;

domain_entry_file(httpd_t, httpd_exec_t)
domain_auto_trans(unconfined_t, httpd_exec_t, httpd_t)

allow httpd_t admin_home_t:dir { getattr search };
#allow httpd_t sleep_exec_t:file { read getattr };

fe file:

/root/fake_httpd.sh -- gen_context(system_u:object_r:httpd_exec_t, s0)
/var/www/writable2 -d gen_context(system_u:object_r:my_type_t, s0)

the above module is a testing example. the modul has no further purpose. so don't wonder, when it seems confusing. 

good night

Comment 1 Sebastian Pfaff 2009-03-13 18:40:27 EDT
sorry, change this:

in this example it's possible to label a file via restorecon, which is usable.

to this:

in this example it's possible to label a file via restorecon, which is _still_not_ usable.


Comment 2 Sebastian Pfaff 2009-03-13 18:58:49 EDT
sorry for wasting time.

this is NOT a bug. files_type is implicitly called in corecommands.if

                attribute exec_type;

        typeattribute $1 exec_type;


which in turn will be called through domain_entry_file(...).

sorry for this stupid entry. tnx to dgrift for pointing this out.



Note You need to log in before you can comment on or make changes to this bug.