* Listing restrictions on roles.
From: dE @ 2014-07-02 5:07 UTC
To: selinux
There seem to exist additional non-transition restrictions on roles
which define when a process will be able to execute as a certain role.
E.g., a process which runs from a login shell cannot have the system_r
role. How do I list such rules?
Looking at role transition rules, a transition to system_r should be
allowed --
sesearch --role_allow | grep system_r\;
...
allow unconfined_r system_r;
...
And the sudo process runs as unconfined_r --
ps auxZ | grep sudo
system_u:unconfined_r:unconfined_t:s0 root 669 0.0 0.4 206860 3356
pts/1 S+ 10:28 0:00 sudo -r unconfined_r nano
But sudo -r system_r nano fails.
* Re: Listing restrictions on roles.
From: Daniel J Walsh @ 2014-07-03 9:39 UTC
To: dE, selinux
On 07/02/2014 01:07 AM, dE wrote:
> There seem to exist additional non-transition restrictions on roles
> which define when a process will be able to execute as a certain role.
>
> E.g., a process which runs from a login shell cannot have the system_r
> role. How do I list such rules?
>
> Looking at role transition rules, a transition to system_r should be
> allowed --
>
> sesearch --role_allow | grep system_r\;
> ...
> allow unconfined_r system_r;
> ...
>
> And the sudo process runs as unconfined_r --
>
> ps auxZ | grep sudo
> system_u:unconfined_r:unconfined_t:s0 root 669 0.0 0.4 206860 3356
> pts/1 S+ 10:28 0:00 sudo -r unconfined_r nano
>
> But sudo -r system_r nano fails.
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to
> Selinux-request@tycho.nsa.gov.
The type has to be available to the role. In the case of sudo -r
system_r nano, if the type to be run is unconfined_t, then SELinux would
end up with a label like
system_u:system_r:unconfined_t:s0
But I don't believe unconfined_t can run in the system_r role.
seinfo -rsystem_r -x | grep unconfined_t
To make your sudo command run, you would also need to select the type.
sudo -r sysadm_r -t nano_t nano ...
Or something like that where nano_t is available to the system_r role.
* Re: Listing restrictions on roles.
From: dE @ 2014-07-05 16:41 UTC
To: selinux
On 07/03/14 15:09, Daniel J Walsh wrote:
> On 07/02/2014 01:07 AM, dE wrote:
>> There seem to exist additional non-transition restrictions on roles
>> which define when a process will be able to execute as a certain role.
>>
>> E.g., a process which runs from a login shell cannot have the system_r
>> role. How do I list such rules?
>>
>> Looking at role transition rules, a transition to system_r should be
>> allowed --
>>
>> sesearch --role_allow | grep system_r\;
>> ...
>> allow unconfined_r system_r;
>> ...
>>
>> And the sudo process runs as unconfined_r --
>>
>> ps auxZ | grep sudo
>> system_u:unconfined_r:unconfined_t:s0 root 669 0.0 0.4 206860 3356
>> pts/1 S+ 10:28 0:00 sudo -r unconfined_r nano
>>
>> But sudo -r system_r nano fails.
> The type has to be available to the role. In the case of sudo -r
> system_r nano, if the type to be run is unconfined_t, then SELinux would
> end up with a label like
>
> system_u:system_r:unconfined_t:s0
>
> But I don't believe unconfined_t can run in the system_r role.
>
> seinfo -rsystem_r -x | grep unconfined_t
>
> To make your sudo command run, you would also need to select the type.
>
> sudo -r sysadm_r -t nano_t nano ...
>
> Or something like that where nano_t is available to the system_r role.
Actually, it is allowed:
seinfo -rsystem_r -x | grep unconfined_t
virt_qemu_ga_unconfined_t
certmonger_unconfined_t
pegasus_openlmi_unconfined_t
xdm_unconfined_t
unconfined_t
I'm running Fedora 19.
* Re: Listing restrictions on roles.
From: Daniel J Walsh @ 2014-07-07 15:23 UTC
To: dE, selinux
On 07/05/2014 12:41 PM, dE wrote:
> On 07/03/14 15:09, Daniel J Walsh wrote:
>> On 07/02/2014 01:07 AM, dE wrote:
>>> There seem to exist additional non-transition restrictions on roles
>>> which define when a process will be able to execute as a certain role.
>>>
>>> E.g., a process which runs from a login shell cannot have the system_r
>>> role. How do I list such rules?
>>>
>>> Looking at role transition rules, a transition to system_r should be
>>> allowed --
>>>
>>> sesearch --role_allow | grep system_r\;
>>> ...
>>> allow unconfined_r system_r;
>>> ...
>>>
>>> And the sudo process runs as unconfined_r --
>>>
>>> ps auxZ | grep sudo
>>> system_u:unconfined_r:unconfined_t:s0 root 669 0.0 0.4 206860 3356
>>> pts/1 S+ 10:28 0:00 sudo -r unconfined_r nano
>>>
>>> But sudo -r system_r nano fails.
>> The type has to be available to the role. In the case of sudo -r
>> system_r nano, if the type to be run is unconfined_t, then SELinux would
>> end up with a label like
>>
>> system_u:system_r:unconfined_t:s0
>>
>> But I don't believe unconfined_t can run in the system_r role.
>>
>> seinfo -rsystem_r -x | grep unconfined_t
>>
>> To make your sudo command run, you would also need to select the type.
>>
>> sudo -r sysadm_r -t nano_t nano ...
>>
>> Or something like that where nano_t is available to the system_r role.
>
> Actually, it is allowed:
>
> seinfo -rsystem_r -x | grep unconfined_t
> virt_qemu_ga_unconfined_t
> certmonger_unconfined_t
> pegasus_openlmi_unconfined_t
> xdm_unconfined_t
> unconfined_t
>
> I'm running Fedora 19.
Ok, I have the unconfined.pp module disabled.
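The two checks the thread circles around (a role allow rule from the current role to the new one, which `sesearch --role_allow` lists, and the new type being authorized for the new role, which `seinfo -r<role> -x` lists) are modelled below. This is an added example, not code from the thread or from the SELinux tooling: the role allow output and the role/type sets are constructed to look like the thread's output, not captured from Fedora 19 or any other system, and the type names beyond those the thread mentions are illustrative. It assumes the target type is already known (the default-type lookup sudo does when `-t` is omitted is not modelled), and it replays both of the configurations the thread ends up contrasting: unconfined.pp loaded, where `unconfined_t` is authorized for `system_r`, and unconfined.pp disabled, where it is not.

```python
"""Added example (not from the thread, not SELinux tooling): a model of the
two checks that decide whether a `sudo -r ROLE -t TYPE` style role change
yields a context the policy accepts.

The policy data below is CONSTRUCTED to resemble `sesearch --role_allow`
output and the role/type membership `seinfo -r<role> -x` reports; it was
not captured from a real system.
"""
import re

# Constructed sesearch --role_allow style output (role allow rules only).
ROLE_ALLOW_OUTPUT = """\
allow unconfined_r system_r;
allow unconfined_r sysadm_r;
allow sysadm_r system_r;
"""

# Constructed role -> authorized types, as seinfo -r<role> -x would list them.
# First snapshot: unconfined.pp loaded (dE's Fedora 19 output shows
# unconfined_t under system_r). Second snapshot: unconfined.pp disabled, so
# unconfined_t does not exist and cannot be authorized for any role.
ROLE_TYPES_UNCONFINED_LOADED = {
    "unconfined_r": {"unconfined_t"},
    "system_r": {"init_t", "xdm_unconfined_t", "unconfined_t"},
    "sysadm_r": {"sysadm_t"},
}
ROLE_TYPES_UNCONFINED_DISABLED = {
    "unconfined_r": set(),
    "system_r": {"init_t"},
    "sysadm_r": {"sysadm_t"},
}

ROLE_ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+)\s*;\s*$")


def parse_role_allow(text):
    """Parse 'allow SRC_ROLE DST_ROLE;' lines into a set of (src, dst) pairs."""
    rules = set()
    for line in text.splitlines():
        m = ROLE_ALLOW_RE.match(line)
        if m:
            rules.add((m.group(1), m.group(2)))
    return rules


def check_role_change(cur_role, new_role, new_type, role_allow, role_types):
    """Return (ok, reason) for moving from cur_role to new_role:new_type.

    Two independent conditions, both required:
      1. a role allow rule permits cur_role -> new_role (this is all that
         `sesearch --role_allow` reports);
      2. new_type is authorized for new_role (what `seinfo -r<role> -x`
         lists). This is the "non-transition restriction" the thread asks
         about; the role allow rules say nothing about it.
    """
    if new_role != cur_role and (cur_role, new_role) not in role_allow:
        return False, "no role allow rule %s -> %s" % (cur_role, new_role)
    if new_type not in role_types.get(new_role, set()):
        return False, "type %s is not authorized for role %s" % (new_type, new_role)
    return True, "system_u:%s:%s:s0 is a valid context" % (new_role, new_type)


def thread_cases():
    """Replay the thread's situations against both constructed snapshots."""
    role_allow = parse_role_allow(ROLE_ALLOW_OUTPUT)
    return {
        # dE: unconfined_r -> system_r keeping unconfined_t, unconfined.pp loaded
        "loaded_system_r_unconfined_t": check_role_change(
            "unconfined_r", "system_r", "unconfined_t",
            role_allow, ROLE_TYPES_UNCONFINED_LOADED),
        # same request with unconfined.pp disabled (Dan's configuration)
        "disabled_system_r_unconfined_t": check_role_change(
            "unconfined_r", "system_r", "unconfined_t",
            role_allow, ROLE_TYPES_UNCONFINED_DISABLED),
        # Dan's suggestion: name a type the target role actually holds
        "disabled_sysadm_r_sysadm_t": check_role_change(
            "unconfined_r", "sysadm_r", "sysadm_t",
            role_allow, ROLE_TYPES_UNCONFINED_DISABLED),
        # no role allow rule in the constructed data for system_r -> unconfined_r
        "no_role_allow": check_role_change(
            "system_r", "unconfined_r", "unconfined_t",
            role_allow, ROLE_TYPES_UNCONFINED_LOADED),
    }


if __name__ == "__main__":
    for name, (ok, reason) in thread_cases().items():
        print("%-32s %s  %s" % (name, "ALLOW" if ok else "DENY ", reason))
```

The point the model makes explicit is that the failing case in the thread is never visible in `sesearch --role_allow` output: the role allow rule is present in both snapshots, and only the role/type membership differs. On a real system the equivalent of the second check is `seinfo -r<role> -x` for the target role, which is also how dE confirmed that `unconfined_t` was authorized for `system_r` on Fedora 19.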