MLS levels and the initial SID for kernel_t

Paul Moore paul.moore at hp.com
Fri Aug 5 20:29:28 UTC 2005 

Paul Moore wrote:
> Jonathan Kim wrote:
> 
>> Paul,
>>
>> I recall that the problems you were having were resolved after you 
>> followed
>> the steps I sent.
>> Did you follow the exact procedure I sent you?  If not, could you let 
>> me know the exact procedure you followed?
> 
> 
> Yes, the steps you sent me a few weeks ago did work but later versions 
> of the policy RPM caused it to fail.  Fresh install or upgrades both 
> resulted in failure.  The reason appears to be here in 
> security/selinux/ss/mls.c line 521:
> 
>  if (rangetr->dom == scontext->type &&
>      rangetr->type == tcontext->type) {
>       /* Set the range from the rule */
>       return mls_range_set(newcontext,
>                        &rangetr->range);
>  }
> 
> For some reason the 'dom'/'type' values for the only rule in 'rangetr' 
> do not match with the values of 'kernel_t' and 'init_exec_t' in 
> 'scontext->type' and 'tcontext->type' respectively.  Looking at the 
> range_transition types in the binary policy file, policy.19, the types 
> in the file appear to match the types stored in 'rangetr' which appear 
> to match the 'kernel_t' and 'init_exec_t' type values inside of 
> checkpolicy-1.25.3/policy_parse.y as returned by the following lines of 
> debug code I inserted:
> 
>  {
>    type_datum_t *kt, *it;
> 
>    kt = hashtab_search(policydbp->p_types.table, "kernel_t");
>    it = hashtab_search(policydbp->p_types.table, "init_exec_t");
> 
>    printf("PMD(#4): kernel_t=%u init_exec_t=%u\n",
>           kt->value,
>       it->value);
>  }
> 
> This is where I am currently at, trying to figure out why 
> 'scontext->type' and 'tcontext->type' appear to change values in the 
> kernel ... or why I am barking up the wrong tree :)  If anyone has any 
> suggestions I am all ears ...
> 

I found the problem, it was in libsepol.  I just posted a patch over on 
the SELinux Developers list.

-- 
. paul moore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. paul.moore at hp.com                                      hewlett packard
. (603) 884-5056                                          linux security

More information about the fedora-selinux-list mailing list