MLS levels and the initial SID for kernel_t
Paul Moore
paul.moore at hp.com
Fri Aug 5 20:29:28 UTC 2005
Paul Moore wrote:
> Jonathan Kim wrote:
>
>> Paul,
>>
>> I recall that the problems you were having were resolved after you
>> followed the steps I sent.
>> Did you follow the exact procedure I sent you? If not, could you let
>> me know the exact procedure you followed?
>
>
> Yes, the steps you sent me a few weeks ago did work but later versions
> of the policy RPM caused it to fail. Fresh install or upgrades both
> resulted in failure. The reason appears to be here in
> security/selinux/ss/mls.c line 521:
>
>     if (rangetr->dom == scontext->type &&
>         rangetr->type == tcontext->type) {
>             /* Set the range from the rule */
>             return mls_range_set(newcontext,
>                                  &rangetr->range);
>     }
>
> For some reason the 'dom'/'type' values for the only rule in 'rangetr'
> do not match with the values of 'kernel_t' and 'init_exec_t' in
> 'scontext->type' and 'tcontext->type' respectively. Looking at the
> range_transition types in the binary policy file, policy.19, the types
> in the file appear to match the types stored in 'rangetr' which appear
> to match the 'kernel_t' and 'init_exec_t' type values inside of
> checkpolicy-1.25.3/policy_parse.y as returned by the following lines of
> debug code I inserted:
>
>     {
>         type_datum_t *kt, *it;
>
>         kt = hashtab_search(policydbp->p_types.table, "kernel_t");
>         it = hashtab_search(policydbp->p_types.table, "init_exec_t");
>
>         printf("PMD(#4): kernel_t=%u init_exec_t=%u\n",
>                kt->value,
>                it->value);
>     }
>
> This is where I am currently at, trying to figure out why
> 'scontext->type' and 'tcontext->type' appear to change values in the
> kernel ... or why I am barking up the wrong tree :) If anyone has any
> suggestions I am all ears ...
>
I found the problem; it was in libsepol. I just posted a patch over on
the SELinux Developers list.
--
. paul moore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. paul.moore at hp.com hewlett packard
. (603) 884-5056 linux security
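
Added example, not part of the original message and not kernel or libsepol code: a simplified C model of the range_transition comparison quoted above, showing that the rule is silently skipped when the type values carried by the contexts differ from the values stored in the rule. The structs, the type values 1/2/3, the s0-s15 range and the fallback of inheriting the source range are assumptions made for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified stand-ins for the kernel structures; not the real definitions. */
struct mls_range { unsigned low, high; };          /* sensitivity levels only */
struct context   { unsigned type; struct mls_range range; };
struct range_trans {
    unsigned dom, type;                            /* source domain, target type */
    struct mls_range range;
    struct range_trans *next;
};

/* Returns 1 if a range_transition rule set the range, 0 if the fallback was used. */
int compute_range(const struct range_trans *rules, const struct context *scon,
                  const struct context *tcon, struct context *newcon)
{
    const struct range_trans *r;
    for (r = rules; r != NULL; r = r->next) {
        if (r->dom == scon->type && r->type == tcon->type) {
            newcon->range = r->range;              /* set the range from the rule */
            return 1;
        }
    }
    newcon->range = scon->range;   /* assumed fallback: inherit the source range */
    return 0;
}

/* Constructed type values: 1 = kernel_t, 2 = init_exec_t as the rule was compiled. */
int demo(unsigned loaded_kernel_t, unsigned loaded_init_exec_t, struct context *out)
{
    struct range_trans rule = { 1, 2, { 0, 15 }, NULL };
    struct context scon = { loaded_kernel_t, { 0, 0 } };
    struct context tcon = { loaded_init_exec_t, { 0, 0 } };
    return compute_range(&rule, &scon, &tcon, out);
}

int main(void)
{
    struct context c;
    int hit = demo(1, 2, &c);      /* rule and contexts agree on numbering */
    printf("agree:    hit=%d range=s%u-s%u\n", hit, c.range.low, c.range.high);
    hit = demo(2, 3, &c);          /* contexts carry different type values */
    printf("disagree: hit=%d range=s%u-s%u\n", hit, c.range.low, c.range.high);
    return 0;
}
```

In the second call no error is raised; the new context simply keeps the source range, which is why a numbering disagreement of this kind shows up only as a wrong MLS level on the transitioned process.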