I found a strange behavior with selinux-policy-3.6.3-8.fc11.noarch.
[root@masu ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
[root@masu ~]# touch aaa
[root@masu ~]# ls -Z aaa
-rw-r--r--  root root unconfined_u:object_r:admin_home_t:s0 aaa
[root@masu ~]# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c31
[root@masu ~]# chcon -l s0:c0 aaa
chcon: failed to change context of `aaa' to `unconfined_u:object_r:admin_home_t:s0:c0': Operation not permitted
Why can't "s0-s0:c0.c31" change the context from "s0" to "s0:c0"?
I could reproduce the matter after "semodule -B".
Is there anyone who can reproduce the matter?
On Sun, 2009-01-25 at 13:09 +0900, KaiGai Kohei wrote:
> I found a strange behavior with selinux-policy-3.6.3-8.fc11.noarch.
>
> [root@masu ~]# sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   enforcing
> Mode from config file:          enforcing
> Policy version:                 24
> Policy from config file:        targeted
> [root@masu ~]# touch aaa
> [root@masu ~]# ls -Z aaa
> -rw-r--r--  root root unconfined_u:object_r:admin_home_t:s0 aaa
> [root@masu ~]# id -Z
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c31
> [root@masu ~]# chcon -l s0:c0 aaa
> chcon: failed to change context of `aaa' to `unconfined_u:object_r:admin_home_t:s0:c0': Operation not permitted
>
> Why can't "s0-s0:c0.c31" change the context from "s0" to "s0:c0"?
>
> I could reproduce the matter after "semodule -B".
>
> Is there anyone who can reproduce the matter?
What avc denial did you get?
It is interesting that you got Operation not permitted (EPERM) rather than Permission denied (EACCES) - that usually reflects a capability denial.
Stephen Smalley wrote:
> On Sun, 2009-01-25 at 13:09 +0900, KaiGai Kohei wrote:
> > I found a strange behavior with selinux-policy-3.6.3-8.fc11.noarch.
> >
> > [root@masu ~]# sestatus
> > SELinux status:                 enabled
> > SELinuxfs mount:                /selinux
> > Current mode:                   enforcing
> > Mode from config file:          enforcing
> > Policy version:                 24
> > Policy from config file:        targeted
> > [root@masu ~]# touch aaa
> > [root@masu ~]# ls -Z aaa
> > -rw-r--r--  root root unconfined_u:object_r:admin_home_t:s0 aaa
> > [root@masu ~]# id -Z
> > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c31
> > [root@masu ~]# chcon -l s0:c0 aaa
> > chcon: failed to change context of `aaa' to `unconfined_u:object_r:admin_home_t:s0:c0': Operation not permitted
> >
> > Why can't "s0-s0:c0.c31" change the context from "s0" to "s0:c0"?
> >
> > I could reproduce the matter after "semodule -B".
> >
> > Is there anyone who can reproduce the matter?
>
> What avc denial did you get?
>
> It is interesting that you got Operation not permitted (EPERM) rather than Permission denied (EACCES) - that usually reflects a capability denial.
The following operation:

[root@masu ~]# ls -Z bbb
-rw-r--r--  root root unconfined_u:object_r:admin_home_t:s0 bbb
[root@masu ~]# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c31
[root@masu ~]# chcon -l s0:c0 bbb
chcon: failed to change context of `bbb' to `unconfined_u:object_r:admin_home_t:s0:c0': Operation not permitted

got the following audit message:

type=SELINUX_ERR msg=audit(1232984840.945:48): security_validate_transition: denied for oldcontext=unconfined_u:object_r:admin_home_t:s0 newcontext=unconfined_u:object_r:admin_home_t:s0:c0 taskcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c31 tclass=file
type=SYSCALL msg=audit(1232984840.945:48): arch=40000003 syscall=226 success=no exit=-1 a0=9597d48 a1=587cfd a2=9599058 a3=29 items=0 ppid=3491 pid=3648 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="chcon" exe="/usr/bin/chcon" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c31 key=(null)

strace chcon -l s0:c0 bbb also says -EPERM.

  :
setxattr("bbb", "security.selinux", "unconfined_u:object_r:admin_home_t:s0:c0", 41, 0) = -1 EPERM (Operation not permitted)
  :
Is the selinux-policy-3.6.3-8.fc11.noarch really built with mcs policy?
Thanks,
On Tue, 2009-01-27 at 01:01 +0900, KaiGai Kohei wrote:
> Stephen Smalley wrote:
> > On Sun, 2009-01-25 at 13:09 +0900, KaiGai Kohei wrote:
> > > I found a strange behavior with selinux-policy-3.6.3-8.fc11.noarch.
> > >
> > > [root@masu ~]# sestatus
> > > SELinux status:                 enabled
> > > SELinuxfs mount:                /selinux
> > > Current mode:                   enforcing
> > > Mode from config file:          enforcing
> > > Policy version:                 24
> > > Policy from config file:        targeted
> > > [root@masu ~]# touch aaa
> > > [root@masu ~]# ls -Z aaa
> > > -rw-r--r--  root root unconfined_u:object_r:admin_home_t:s0 aaa
> > > [root@masu ~]# id -Z
> > > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c31
> > > [root@masu ~]# chcon -l s0:c0 aaa
> > > chcon: failed to change context of `aaa' to `unconfined_u:object_r:admin_home_t:s0:c0': Operation not permitted
> > >
> > > Why can't "s0-s0:c0.c31" change the context from "s0" to "s0:c0"?
> > >
> > > I could reproduce the matter after "semodule -B".
> > >
> > > Is there anyone who can reproduce the matter?
> >
> > What avc denial did you get?
> >
> > It is interesting that you got Operation not permitted (EPERM) rather than Permission denied (EACCES) - that usually reflects a capability denial.
>
> The following operation:
>
> [root@masu ~]# ls -Z bbb
> -rw-r--r--  root root unconfined_u:object_r:admin_home_t:s0 bbb
> [root@masu ~]# id -Z
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c31
> [root@masu ~]# chcon -l s0:c0 bbb
> chcon: failed to change context of `bbb' to `unconfined_u:object_r:admin_home_t:s0:c0': Operation not permitted
>
> got the following audit message:
>
> type=SELINUX_ERR msg=audit(1232984840.945:48): security_validate_transition: denied for oldcontext=unconfined_u:object_r:admin_home_t:s0 newcontext=unconfined_u:object_r:admin_home_t:s0:c0 taskcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c31 tclass=file
> type=SYSCALL msg=audit(1232984840.945:48): arch=40000003 syscall=226 success=no exit=-1 a0=9597d48 a1=587cfd a2=9599058 a3=29 items=0 ppid=3491 pid=3648 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="chcon" exe="/usr/bin/chcon" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c31 key=(null)
>
> strace chcon -l s0:c0 bbb also says -EPERM.
>
>   :
> setxattr("bbb", "security.selinux", "unconfined_u:object_r:admin_home_t:s0:c0", 41, 0) = -1 EPERM (Operation not permitted)
>   :
>
> Is the selinux-policy-3.6.3-8.fc11.noarch really built with mcs policy?
Sounds like it is the MLS policy instead, as only the mls configuration defines mlsvalidatetrans constraints.
selinux@lists.fedoraproject.org
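Stephen's diagnosis can be checked mechanically from the SELINUX_ERR record in the thread. The script below is an added example, not code from the thread or from selinux-policy: it parses the security_validate_transition record, expands MCS category ranges such as c0.c31, and tests whether the task's clearance (its high level) dominates the requested new level. For this record it does, so plain range dominance cannot account for the denial, leaving a validatetrans constraint, which only the mls configuration defines, as the cause. The audit line is a constructed copy of the quoted one with the SYSCALL record dropped.

```python
import re

# Constructed copy of the SELINUX_ERR record quoted in the thread (SYSCALL record dropped).
AUDIT_LINE = (
    "type=SELINUX_ERR msg=audit(1232984840.945:48): security_validate_transition: "
    "denied for oldcontext=unconfined_u:object_r:admin_home_t:s0 "
    "newcontext=unconfined_u:object_r:admin_home_t:s0:c0 "
    "taskcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c31 tclass=file"
)


def parse_record(line):
    """Return the contexts and class of a security_validate_transition record, else None."""
    if "security_validate_transition" not in line:
        return None
    return dict(re.findall(r"(oldcontext|newcontext|taskcontext|tclass)=(\S+)", line))


def parse_level(level):
    """'s0:c0.c31,c40' -> (0, {0..31, 40}); a 'cX.cY' item is an inclusive category range."""
    sens, _, cats = level.partition(":")
    catset = set()
    for item in filter(None, cats.split(",")):
        lo, _, hi = item.partition(".")
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        catset.update(range(lo_n, hi_n + 1))
    return int(sens[1:]), catset


def parse_range(ctx):
    """Split the MLS part of user:role:type:low[-high] into (low, high) levels."""
    mls = ctx.split(":", 3)[3]
    low, _, high = mls.partition("-")
    return parse_level(low), parse_level(high or low)


def dominates(a, b):
    """Level a dominates b when its sensitivity is not lower and its categories are a superset."""
    return a[0] >= b[0] and a[1] >= b[1]


def explain(line):
    """Report whether the task's clearance covers the new level requested for the file."""
    rec = parse_record(line)
    if rec is None:
        return None
    _, task_high = parse_range(rec["taskcontext"])
    _, new_high = parse_range(rec["newcontext"])
    return {"tclass": rec["tclass"], "new_within_clearance": dominates(task_high, new_high)}


if __name__ == "__main__":
    # For the thread's record the clearance covers s0:c0, so dominance alone does not explain the denial.
    print(explain(AUDIT_LINE))
```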