Does mcs work on rawhide correctly?

Stephen Smalley sds at tycho.nsa.gov
Mon Jan 26 17:28:43 UTC 2009


On Tue, 2009-01-27 at 01:01 +0900, KaiGai Kohei wrote:
> Stephen Smalley wrote:
> > On Sun, 2009-01-25 at 13:09 +0900, KaiGai Kohei wrote:
> >> I found a strange behavior with selinux-policy-3.6.3-8.fc11.noarch.
> >>
> >> [root at masu ~]# sestatus
> >> SELinux status:                 enabled
> >> SELinuxfs mount:                /selinux
> >> Current mode:                   enforcing
> >> Mode from config file:          enforcing
> >> Policy version:                 24
> >> Policy from config file:        targeted
> >> [root at masu ~]# touch aaa
> >> [root at masu ~]# ls -Z aaa
> >> -rw-r--r--  root root unconfined_u:object_r:admin_home_t:s0 aaa
> >> [root at masu ~]# id -Z
> >> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c31
> >> [root at masu ~]# chcon -l s0:c0 aaa
> >> chcon: failed to change context of `aaa' to `unconfined_u:object_r:admin_home_t:s0:c0': Operation not permitted
> >>
> >> Why can "s0-s0:c0.c31" not change the context from "s0" to "s0:c0"?
> >>
> >> I could reproduce the matter after "semodule -B".
> >>
> >> Is there anyone who can reproduce the matter?
> > 
> > What avc denial did you get?
> > 
> > It is interesting that you got Operation not permitted (EPERM) rather
> > than Permission denied (EACCES) - that usually reflects a capability
> > denial.
> 
> The following operation:
>   [root at masu ~]# ls -Z bbb
>   -rw-r--r--  root root unconfined_u:object_r:admin_home_t:s0 bbb
>   [root at masu ~]# id -Z
>   unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c31
>   [root at masu ~]# chcon -l s0:c0 bbb
>   chcon: failed to change context of `bbb' to `unconfined_u:object_r:admin_home_t:s0:c0': Operation not permitted
> 
> got the following audit message:
>  type=SELINUX_ERR msg=audit(1232984840.945:48):
>    security_validate_transition:  denied for
>    oldcontext=unconfined_u:object_r:admin_home_t:s0
>    newcontext=unconfined_u:object_r:admin_home_t:s0:c0
>    taskcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c31
>    tclass=file
>  type=SYSCALL msg=audit(1232984840.945:48): arch=40000003 syscall=226
>    success=no exit=-1 a0=9597d48 a1=587cfd a2=9599058 a3=29 items=0
>    ppid=3491 pid=3648 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0
>    egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="chcon" exe="/usr/bin/chcon"
>    subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c31 key=(null)
> 
> strace chcon -l s0:c0 bbb also says -EPERM.
>      :
>   setxattr("bbb", "security.selinux", "unconfined_u:object_r:admin_home_t:s0:c0", 41, 0) = -1 EPERM (Operation not permitted)
>      :
> 
> Is the selinux-policy-3.6.3-8.fc11.noarch really built with mcs policy?

Sounds like it is the MLS policy instead, as only the mls configuration
defines mlsvalidatetrans constraints.

-- 
Stephen Smalley
National Security Agency
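The diagnosis in this thread rests on reading two things out of the audit record: that the denial is reported by security_validate_transition (a validatetrans constraint, not an ordinary AVC or capability check), and that the requested label s0:c0 is in fact inside the task's range s0-s0:c0.c31, so the refusal cannot be a clearance problem. The following helper, an added example that is not part of the thread and not code from any SELinux tool, parses such records and performs that check. The two sample records are constructed in the shape of the lines quoted above; the AVC record is invented for contrast, and the errno mapping (EACCES for AVC denials, EPERM for capability and validatetrans denials) follows the explanation given in the thread rather than any policy lookup.

```python
import re

# Constructed sample records, shaped like the audit lines quoted in the thread.
# The AVC line is invented for contrast; nothing here is taken from a real system.
SAMPLE_RECORDS = [
    'type=SELINUX_ERR msg=audit(1232984840.945:48): security_validate_transition:  denied for '
    'oldcontext=unconfined_u:object_r:admin_home_t:s0 '
    'newcontext=unconfined_u:object_r:admin_home_t:s0:c0 '
    'taskcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c31 tclass=file',
    'type=AVC msg=audit(1232984900.001:49): avc:  denied  { relabelto } for  pid=3700 comm="chcon" '
    'name="ccc" dev=dm-0 ino=12345 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c31 '
    'tcontext=unconfined_u:object_r:admin_home_t:s0:c5 tclass=file',
]

CONTEXT_RE = re.compile(r'(oldcontext|newcontext|taskcontext|scontext|tcontext|tclass)=(\S+)')


def parse_level(level):
    """Parse an MCS/MLS level such as 's0:c0.c31,c40' into (sensitivity, frozenset of categories)."""
    if ':' not in level:
        return level, frozenset()
    sens, cats = level.split(':', 1)
    result = set()
    for part in cats.split(','):
        if '.' in part:                       # 'c0.c31' is an inclusive category range
            lo, hi = part.split('.')
            result.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            result.add(int(part[1:]))
    return sens, frozenset(result)


def parse_context(ctx):
    """Split user:role:type:range; the range is either 'low' or 'low-high'."""
    user, role, type_, mls = ctx.split(':', 3)
    low, high = mls.split('-', 1) if '-' in mls else (mls, mls)
    return {'user': user, 'role': role, 'type': type_,
            'low': parse_level(low), 'high': parse_level(high)}


def dominates(a, b):
    """Level a dominates level b: sensitivity not lower and categories a superset."""
    (a_sens, a_cats), (b_sens, b_cats) = a, b
    return int(a_sens[1:]) >= int(b_sens[1:]) and b_cats <= a_cats


def classify(record):
    """Classify one audit record and, for validatetrans denials, test the range argument."""
    fields = dict(CONTEXT_RE.findall(record))
    if 'security_validate_transition' in record:
        task = parse_context(fields['taskcontext'])
        new = parse_context(fields['newcontext'])
        # The target label lies within the task's clearance when the task's high level
        # dominates the new high level and the new low level dominates the task's low level.
        in_range = dominates(task['high'], new['high']) and dominates(new['low'], task['low'])
        return {'kind': 'validatetrans', 'errno': 'EPERM',
                'tclass': fields['tclass'], 'target_within_task_range': in_range}
    if 'type=AVC' in record:
        perms = re.search(r'denied\s+\{ ([^}]+) \}', record).group(1).split()
        # Capability denials surface as EPERM; other AVC denials as EACCES (per the thread).
        errno = 'EPERM' if fields.get('tclass') == 'capability' else 'EACCES'
        return {'kind': 'avc', 'errno': errno, 'tclass': fields.get('tclass'), 'perms': perms}
    return {'kind': 'other'}


if __name__ == '__main__':
    for rec in SAMPLE_RECORDS:
        print(classify(rec))
```

Run over the first record, the helper reports a validatetrans denial with target_within_task_range set to True: the relabel is inside the process range, so a constraint in the loaded policy, not the MCS range itself, refused it, which is exactly the observation that points at a policy built from the mls configuration rather than mcs. The helper only reads records; which constraints a policy actually defines must still be checked against the loaded policy itself.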



