* runcon cant really run(constraint issue?)
@ 2009-04-22 16:38 ` Justin Mattock
0 siblings, 0 replies; 8+ messages in thread
From: Justin Mattock @ 2009-04-22 16:38 UTC (permalink / raw)
To: tresys, SE-Linux
looking into using runcon
it seems I'm confronted with an
avc, that just keeps showing up:
allow staff_t user_t:process { siginh rlimitinh transition noatsecure };
(even after adding this to the policy).
What I'm doing is this:
runcon name:user_r:user_t:s0-s0:c0.c255 firefox
the initial role I'm in is staff_r(transitioning to user_r for
firefox to run in)
Does this seem like the right thing to do,
or do I need to use newrole -r *
for something like firefox?
--
Justin P. Mattock
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 8+ messages in thread
* [refpolicy] runcon cant really run(constraint issue?)
@ 2009-04-22 16:38 ` Justin Mattock
0 siblings, 0 replies; 8+ messages in thread
From: Justin Mattock @ 2009-04-22 16:38 UTC (permalink / raw)
To: refpolicy
looking into using runcon
it seems I'm confronted with an
avc, that just keeps showing up:
allow staff_t user_t:process { siginh rlimitinh transition noatsecure };
(even after adding this to the policy).
What I'm doing is this:
runcon name:user_r:user_t:s0-s0:c0.c255 firefox
the initial role I'm in is staff_r(transitioning to user_r for
firefox to run in)
Does this seem like the right thing to do,
or do I need to use newrole -r *
for something like firefox?
--
Justin P. Mattock
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: runcon cant really run(constraint issue?)
2009-04-22 16:38 ` [refpolicy] " Justin Mattock
@ 2009-04-23 12:39 ` Daniel J Walsh
-1 siblings, 0 replies; 8+ messages in thread
From: Daniel J Walsh @ 2009-04-23 12:39 UTC (permalink / raw)
To: Justin Mattock; +Cc: tresys, SE-Linux
On 04/22/2009 12:38 PM, Justin Mattock wrote:
> looking into using runcon
> it seems I'm confronted with an
> avc, that just keeps showing up:
> allow staff_t user_t:process { siginh rlimitinh transition noatsecure };
> (even after adding this to the policy).
>
> What I'm doing is this:
> runcon name:user_r:user_t:s0-s0:c0.c255 firefox
> the initial role I'm in is staff_r(transitioning to user_r for
> firefox to run in)
>
> Does this seem like the right thing to do,
> or do I need to use newrole -r *
> for something like firefox?
>
I guess the correct question is what is your security goal.
You are not currently allowed to transition from a staff_u user to a
user_r role. In order to make this happen you would need to use semange
to make sure your SELinux user "name" had both staff_r and user_r, and
then you would need to add a rule to policy that says staff_r can become
user_r. But transitioning to the new role is probably not what you want.
If your goal is to confine firefox. you would be better off using the
mozilla policy to say when a staff_t type executes mozilla_exec_t it
runs as staff_mozilla_t.
name:staff_r:staff_t -> system_u:object_r:mozilla_exec_t ->
name:staff_r:staff_mozilla_t
Confining mozilla/firefox has a whole bunch of other problems...
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 8+ messages in thread
* [refpolicy] runcon cant really run(constraint issue?)
@ 2009-04-23 12:39 ` Daniel J Walsh
0 siblings, 0 replies; 8+ messages in thread
From: Daniel J Walsh @ 2009-04-23 12:39 UTC (permalink / raw)
To: refpolicy
On 04/22/2009 12:38 PM, Justin Mattock wrote:
> looking into using runcon
> it seems I'm confronted with an
> avc, that just keeps showing up:
> allow staff_t user_t:process { siginh rlimitinh transition noatsecure };
> (even after adding this to the policy).
>
> What I'm doing is this:
> runcon name:user_r:user_t:s0-s0:c0.c255 firefox
> the initial role I'm in is staff_r(transitioning to user_r for
> firefox to run in)
>
> Does this seem like the right thing to do,
> or do I need to use newrole -r *
> for something like firefox?
>
I guess the correct question is what is your security goal.
You are not currently allowed to transition from a staff_u user to a
user_r role. In order to make this happen you would need to use semange
to make sure your SELinux user "name" had both staff_r and user_r, and
then you would need to add a rule to policy that says staff_r can become
user_r. But transitioning to the new role is probably not what you want.
If your goal is to confine firefox. you would be better off using the
mozilla policy to say when a staff_t type executes mozilla_exec_t it
runs as staff_mozilla_t.
name:staff_r:staff_t -> system_u:object_r:mozilla_exec_t ->
name:staff_r:staff_mozilla_t
Confining mozilla/firefox has a whole bunch of other problems...
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [refpolicy] runcon cant really run(constraint issue?)
2009-04-23 12:39 ` [refpolicy] " Daniel J Walsh
@ 2009-04-23 12:54 ` Christopher J. PeBenito
-1 siblings, 0 replies; 8+ messages in thread
From: Christopher J. PeBenito @ 2009-04-23 12:54 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Justin Mattock, tresys, SE-Linux
On Thu, 2009-04-23 at 08:39 -0400, Daniel J Walsh wrote:
> On 04/22/2009 12:38 PM, Justin Mattock wrote:
> > looking into using runcon
> > it seems I'm confronted with an
> > avc, that just keeps showing up:
> > allow staff_t user_t:process { siginh rlimitinh transition noatsecure };
> > (even after adding this to the policy).
> >
> > What I'm doing is this:
> > runcon name:user_r:user_t:s0-s0:c0.c255 firefox
> > the initial role I'm in is staff_r(transitioning to user_r for
> > firefox to run in)
> >
> > Does this seem like the right thing to do,
> > or do I need to use newrole -r *
> > for something like firefox?
> >
> I guess the correct question is what is your security goal.
>
> You are not currently allowed to transition from a staff_u user to a
> user_r role. In order to make this happen you would need to use semange
> to make sure your SELinux user "name" had both staff_r and user_r, and
> then you would need to add a rule to policy that says staff_r can become
> user_r.
There is also a transition constraint when the role is changing. You
have to be coming from a domain that is allowed to do role changing,
such as newrole_t. User domains (except unconfined_t) are not allowed.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 8+ messages in thread
* [refpolicy] runcon cant really run(constraint issue?)
@ 2009-04-23 12:54 ` Christopher J. PeBenito
0 siblings, 0 replies; 8+ messages in thread
From: Christopher J. PeBenito @ 2009-04-23 12:54 UTC (permalink / raw)
To: refpolicy
On Thu, 2009-04-23 at 08:39 -0400, Daniel J Walsh wrote:
> On 04/22/2009 12:38 PM, Justin Mattock wrote:
> > looking into using runcon
> > it seems I'm confronted with an
> > avc, that just keeps showing up:
> > allow staff_t user_t:process { siginh rlimitinh transition noatsecure };
> > (even after adding this to the policy).
> >
> > What I'm doing is this:
> > runcon name:user_r:user_t:s0-s0:c0.c255 firefox
> > the initial role I'm in is staff_r(transitioning to user_r for
> > firefox to run in)
> >
> > Does this seem like the right thing to do,
> > or do I need to use newrole -r *
> > for something like firefox?
> >
> I guess the correct question is what is your security goal.
>
> You are not currently allowed to transition from a staff_u user to a
> user_r role. In order to make this happen you would need to use semange
> to make sure your SELinux user "name" had both staff_r and user_r, and
> then you would need to add a rule to policy that says staff_r can become
> user_r.
There is also a transition constraint when the role is changing. You
have to be coming from a domain that is allowed to do role changing,
such as newrole_t. User domains (except unconfined_t) are not allowed.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [refpolicy] runcon cant really run(constraint issue?)
2009-04-23 12:54 ` Christopher J. PeBenito
@ 2009-04-23 14:57 ` Justin Mattock
-1 siblings, 0 replies; 8+ messages in thread
From: Justin Mattock @ 2009-04-23 14:57 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: Daniel J Walsh, tresys, SE-Linux
On Thu, Apr 23, 2009 at 5:54 AM, Christopher J. PeBenito
<cpebenito@tresys.com> wrote:
> On Thu, 2009-04-23 at 08:39 -0400, Daniel J Walsh wrote:
>> On 04/22/2009 12:38 PM, Justin Mattock wrote:
>> > looking into using runcon
>> > it seems I'm confronted with an
>> > avc, that just keeps showing up:
>> > allow staff_t user_t:process { siginh rlimitinh transition noatsecure };
>> > (even after adding this to the policy).
>> >
>> > What I'm doing is this:
>> > runcon name:user_r:user_t:s0-s0:c0.c255 firefox
>> > the initial role I'm in is staff_r(transitioning to user_r for
>> > firefox to run in)
>> >
>> > Does this seem like the right thing to do,
>> > or do I need to use newrole -r *
>> > for something like firefox?
>> >
>> I guess the correct question is what is your security goal.
>>
>> You are not currently allowed to transition from a staff_u user to a
>> user_r role. In order to make this happen you would need to use semange
>> to make sure your SELinux user "name" had both staff_r and user_r, and
>> then you would need to add a rule to policy that says staff_r can become
>> user_r.
>
> There is also a transition constraint when the role is changing. You
> have to be coming from a domain that is allowed to do role changing,
> such as newrole_t. User domains (except unconfined_t) are not allowed.
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> (410) 290-1411 x150
>
>
my goal was to simple run a program(while changing roles) without having
to open a terminal and type(yes I admit I am a lazy a**)
runcon does work(after changing its context to newrole_exec_t)
as for security, probably not as safe(but finally I can turn my
computer on and not have people laugh at me with all of these
squares on the desktop)
As for the policy itself It seems I can't run gnome-vfs
etc...the dbus avc's as root are allowed system_dbus_t, but
any other is rejected by checkpolicy, meaning ausers_dbus_t.
I do have another system without all of the gnome-vfs etc..
which runs fine.
--
Justin P. Mattock
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 8+ messages in thread
* [refpolicy] runcon cant really run(constraint issue?)
@ 2009-04-23 14:57 ` Justin Mattock
0 siblings, 0 replies; 8+ messages in thread
From: Justin Mattock @ 2009-04-23 14:57 UTC (permalink / raw)
To: refpolicy
On Thu, Apr 23, 2009 at 5:54 AM, Christopher J. PeBenito
<cpebenito@tresys.com> wrote:
> On Thu, 2009-04-23 at 08:39 -0400, Daniel J Walsh wrote:
>> On 04/22/2009 12:38 PM, Justin Mattock wrote:
>> > looking into using runcon
>> > it seems I'm confronted with an
>> > avc, that just keeps showing up:
>> > allow staff_t user_t:process { siginh rlimitinh transition noatsecure };
>> > (even after adding this to the policy).
>> >
>> > What I'm doing is this:
>> > runcon name:user_r:user_t:s0-s0:c0.c255 firefox
>> > the initial role I'm in is staff_r(transitioning to user_r for
>> > firefox to run in)
>> >
>> > Does this seem like the right thing to do,
>> > or do I need to use newrole -r *
>> > for something like firefox?
>> >
>> I guess the correct question is what is your security goal.
>>
>> You are not currently allowed to transition from a staff_u user to a
>> user_r role. ?In order to make this happen you would need to use semange
>> to make sure your SELinux user "name" had both staff_r and user_r, and
>> then you would need to add a rule to policy that says staff_r can become
>> user_r.
>
> There is also a transition constraint when the role is changing. ?You
> have to be coming from a domain that is allowed to do role changing,
> such as newrole_t. ?User domains (except unconfined_t) are not allowed.
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> (410) 290-1411 x150
>
>
my goal was to simple run a program(while changing roles) without having
to open a terminal and type(yes I admit I am a lazy a**)
runcon does work(after changing its context to newrole_exec_t)
as for security, probably not as safe(but finally I can turn my
computer on and not have people laugh at me with all of these
squares on the desktop)
As for the policy itself It seems I can't run gnome-vfs
etc...the dbus avc's as root are allowed system_dbus_t, but
any other is rejected by checkpolicy, meaning ausers_dbus_t.
I do have another system without all of the gnome-vfs etc..
which runs fine.
--
Justin P. Mattock
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2009-04-23 14:57 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2009-04-22 16:38 runcon cant really run(constraint issue?) Justin Mattock
2009-04-22 16:38 ` [refpolicy] " Justin Mattock
2009-04-23 12:39 ` Daniel J Walsh
2009-04-23 12:39 ` [refpolicy] " Daniel J Walsh
2009-04-23 12:54 ` Christopher J. PeBenito
2009-04-23 12:54 ` Christopher J. PeBenito
2009-04-23 14:57 ` Justin Mattock
2009-04-23 14:57 ` Justin Mattock
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.