Does mcs work on rawhide correctly?
KaiGai Kohei
kaigai at kaigai.gr.jp
Mon Jan 26 16:01:45 UTC 2009
Stephen Smalley wrote:
> On Sun, 2009-01-25 at 13:09 +0900, KaiGai Kohei wrote:
>> I found a strange behavior with selinux-policy-3.6.3-8.fc11.noarch.
>>
>> [root at masu ~]# sestatus
>> SELinux status: enabled
>> SELinuxfs mount: /selinux
>> Current mode: enforcing
>> Mode from config file: enforcing
>> Policy version: 24
>> Policy from config file: targeted
>> [root at masu ~]# touch aaa
>> [root at masu ~]# ls -Z aaa
>> -rw-r--r-- root root unconfined_u:object_r:admin_home_t:s0 aaa
>> [root at masu ~]# id -Z
>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c31
>> [root at masu ~]# chcon -l s0:c0 aaa
>> chcon: failed to change context of `aaa' to `unconfined_u:object_r:admin_home_t:s0:c0': Operation not permitted
>>
>> Why "s0-s0:c0.c31" cannot change the context from "s0" to "s0:c0"?
>>
>> I could reproduce the matter after "semodule -B".
>>
>> Is there anyone who can reproduce the matter?
>
> What avc denial did you get?
>
> It is interesting that you got Operation not permitted (EPERM) rather
> than Permission denied (EACCES) - that usually reflects a capability
> denial.
The following operation:
[root at masu ~]# ls -Z bbb
-rw-r--r-- root root unconfined_u:object_r:admin_home_t:s0 bbb
[root at masu ~]# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c31
[root at masu ~]# chcon -l s0:c0 bbb
chcon: failed to change context of `bbb' to `unconfined_u:object_r:admin_home_t:s0:c0': Operation not permitted
got the following audit message:
type=SELINUX_ERR msg=audit(1232984840.945:48):
security_validate_transition: denied for
oldcontext=unconfined_u:object_r:admin_home_t:s0
newcontext=unconfined_u:object_r:admin_home_t:s0:c0
taskcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c31
tclass=file
type=SYSCALL msg=audit(1232984840.945:48): arch=40000003 syscall=226
success=no exit=-1 a0=9597d48 a1=587cfd a2=9599058 a3=29 items=0
ppid=3491 pid=3648 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="chcon" exe="/usr/bin/chcon"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c31 key=(null)
strace chcon -l s0:c0 bbb also says -EPERM.
:
setxattr("bbb", "security.selinux", "unconfined_u:object_r:admin_home_t:s0:c0", 41, 0) = -1 EPERM (Operation not permitted)
:
Is the selinux-policy-3.6.3-8.fc11.noarch really built with mcs policy?
Thanks,
--
KaiGai Kohei <kaigai at kaigai.gr.jp>
More information about the fedora-selinux-list
mailing list