* Listing restrictions on roles.
From: dE @ 2014-07-02  5:07 UTC (permalink / raw)
  To: selinux

There seem to exist additional non-transition restrictions on roles 
which define when a process will be able to execute as a certain role.

For example, a process which runs from a login shell cannot have the 
system_r role. How do I list such rules?

Looking at role transition rules, a transition to system_r should be 
allowed --

sesearch --role_allow | grep system_r\;
...
allow unconfined_r system_r;
...

And the sudo process runs as unconfined_r --

ps auxZ | grep sudo
system_u:unconfined_r:unconfined_t:s0 root 669  0.0  0.4 206860 3356 
pts/1    S+   10:28   0:00 sudo -r unconfined_r nano

But sudo -r system_r nano fails.


* Re: Listing restrictions on roles.
From: Daniel J Walsh @ 2014-07-03  9:39 UTC (permalink / raw)
  To: dE, selinux


On 07/02/2014 01:07 AM, dE wrote:
> There seem to exist additional non-transition restrictions on roles
> which define when a process will be able to execute as a certain role.
>
> For example, a process which runs from a login shell cannot have the
> system_r role. How do I list such rules?
>
> Looking at role transition rules, a transition to system_r should be
> allowed --
>
> sesearch --role_allow | grep system_r\;
> ...
> allow unconfined_r system_r;
> ...
>
> And the sudo process runs as unconfined_r --
>
> ps auxZ | grep sudo
> system_u:unconfined_r:unconfined_t:s0 root 669  0.0  0.4 206860 3356
> pts/1    S+   10:28   0:00 sudo -r unconfined_r nano
>
> But sudo -r system_r nano fails.
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to
> Selinux-request@tycho.nsa.gov.
The type has to be available to the role.  In the case of sudo -r
system_r nano, if the type to be run is unconfined_t, then SELinux would
end up with a label like

system_u:system_r:unconfined_t:s0

But I don't believe unconfined_t can run in the system_r role.

seinfo -rsystem_r -x | grep unconfined_t

To make your sudo command run, you would also need to select the type.

sudo -r sysadm_r -t nano_t nano ...

Or something like that where nano_t is available to the system_r role.


* Re: Listing restrictions on roles.
From: dE @ 2014-07-05 16:41 UTC (permalink / raw)
  To: selinux

On 07/03/14 15:09, Daniel J Walsh wrote:
> The type has to be available to the role.  In the case of sudo -r
> system_r nano, if the type to be run is unconfined_t, then SELinux would
> end up with a label like
>
> system_u:system_r:unconfined_t:s0
>
> But I don't believe unconfined_t can run in the system_r role.
>
> seinfo -rsystem_r -x | grep unconfined_t
>
> To make your sudo command run, you would also need to select the type.
>
> sudo -r sysadm_r -t nano_t nano ...
>
> Or something like that where nano_t is available to the system_r role.

Actually it is allowed

seinfo -rsystem_r -x | grep unconfined_t
          virt_qemu_ga_unconfined_t
          certmonger_unconfined_t
          pegasus_openlmi_unconfined_t
          xdm_unconfined_t
          unconfined_t

I'm running Fedora 19.


* Re: Listing restrictions on roles.
From: Daniel J Walsh @ 2014-07-07 15:23 UTC (permalink / raw)
  To: dE, selinux


On 07/05/2014 12:41 PM, dE wrote:
> Actually it is allowed
>
> seinfo -rsystem_r -x | grep unconfined_t
>          virt_qemu_ga_unconfined_t
>          certmonger_unconfined_t
>          pegasus_openlmi_unconfined_t
>          xdm_unconfined_t
>          unconfined_t
>
> I'm running Fedora 19.
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to
> Selinux-request@tycho.nsa.gov.
Ok, I have the unconfined.pp module disabled.

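The two checks Dan Walsh describes in this thread (a role-allow rule must permit the role change, and the target type must be authorized for the new role) can be applied to the command output dE pasted. The script below is an added illustration, not code from the thread or from setools; its `sesearch`/`seinfo` samples are constructed from the outputs quoted above (with the `seinfo -x` listing simplified to "role, then its types"), and the second `seinfo` sample is a constructed guess at what the query returns once unconfined.pp is disabled.

```python
import re

# Constructed sample of `sesearch --role_allow` output (rules from the thread).
ROLE_ALLOW_OUTPUT = """\
allow unconfined_r system_r;
allow unconfined_r sysadm_r;
"""

# Constructed samples of `seinfo -rsystem_r -x` output, simplified to the
# shape quoted in the thread: the role, then the types authorized for it.
# First: Fedora 19 with unconfined.pp loaded (types from dE's reply).
# Second: the same query with unconfined.pp disabled, so unconfined_t is
# no longer authorized for system_r (constructed to match Dan's setup).
SEINFO_WITH_UNCONFINED = """\
   system_r
      virt_qemu_ga_unconfined_t
      xdm_unconfined_t
      unconfined_t
"""
SEINFO_WITHOUT_UNCONFINED = """\
   system_r
      virt_qemu_ga_unconfined_t
      xdm_unconfined_t
"""

def parse_role_allow(text):
    """Set of (source_role, target_role) pairs from `sesearch --role_allow`."""
    return set(re.findall(r"^\s*allow\s+(\S+)\s+(\S+);", text, re.M))

def parse_role_types(text):
    """Map role -> set of authorized types from `seinfo -r<role> -x` output."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    role, types = lines[0], lines[1:]
    return {role: {t for t in types if not t.endswith(":")}}

def context_reachable(cur_role, new_role, new_type, role_allow, role_types):
    """Apply both checks from the thread: a role-allow rule must permit the
    role change, and the target type must be authorized for the new role."""
    if cur_role != new_role and (cur_role, new_role) not in role_allow:
        return False, f"no 'allow {cur_role} {new_role};' rule"
    if new_type not in role_types.get(new_role, set()):
        return False, f"{new_type} is not authorized for {new_role}"
    return True, f"{new_role}:{new_type} is reachable from {cur_role}"

if __name__ == "__main__":
    allow = parse_role_allow(ROLE_ALLOW_OUTPUT)
    for label, out in (("unconfined.pp loaded", SEINFO_WITH_UNCONFINED),
                       ("unconfined.pp disabled", SEINFO_WITHOUT_UNCONFINED)):
        ok, why = context_reachable("unconfined_r", "system_r", "unconfined_t",
                                    allow, parse_role_types(out))
        print(f"{label}: {'OK' if ok else 'DENIED'} ({why})")
```

These are only the two policy conditions the thread discusses; a real `sudo -r` also depends on sudoers and on the transition permissions the kernel checks at exec time, so treat a positive result as "not ruled out by role/type authorization", not as proof the command will succeed.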
