All of lore.kernel.org
 help / color / mirror / Atom feed
From: Stephen Smalley <sds@tycho.nsa.gov>
To: Dominick Grift <dominick.grift@gmail.com>,
	Steve Lawrence <slawrence@tresys.com>
Cc: SELinux List <selinux@tycho.nsa.gov>
Subject: Re: [RFC] Source Policy, CIL, and High Level Languages
Date: Wed, 16 Jul 2014 15:00:40 -0400	[thread overview]
Message-ID: <53C6CBD8.2050509@tycho.nsa.gov> (raw)
In-Reply-To: <1405526012.12577.9.camel@x220.localdomain>

On 07/16/2014 11:53 AM, Dominick Grift wrote:
> On Wed, 2014-07-16 at 11:11 -0400, Steve Lawrence wrote:
> <snip>
>> Hmm. I still can't get this error. The only thing I get with ausearch is
>>
>> type=USER_AVC msg=audit(1405522202.264:463): pid=1 uid=0 auid=4294967295
>> ses=4294967295  subj=system_u:system_r:init_t:s0 msg='Unknown permission
>> start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=?
>> addr=? terminal=?'
>>
>> Which looks correct. Fedora's latest policy does not include start in
>> the system class:
>>
>> $ seinfo -csystem -x
>>    system
>>       status
>>       module_request
>>       reboot
>>       disable
>>       enable
>>       undefined
>>       ipc_info
>>       syslog_read
>>       halt
>>       reload
>>       syslog_console
>>       syslog_mod
>>
>> Also, the policy built with CIL on my machine allows the USER_AVC you're
>> seeing:
>>
>> $ sesearch -A -s systemd_logind_t -t init_t -c service
>> Found 2 semantic av rules:
>>    allow systemd_domain init_t : service { stop status reload start } ;
>>    allow systemd_logind_t init_t : service status ;
>>
>>
>>
>> Not sure if this would help, but it looks like you can set the boot
>> parameter systemd.log_level=debug, and it should print all the selinux
>> access checks, including which ones cause the "SELinux policy denies
>> access" message. Unfortunately, I think the extra debug messages
>> prevents my VM from booting, but you might have better luck.
>>
> 
> The same symptoms as with the classorder issue except that this time it
> only happens once after the upgrade. Rebooting fixes the issue (?)
> 
> That was not the case with the classorder issue.

$ yum reinstall checkpolicy* libsepol* libsemanage* libselinux*
policycoreutils* selinux-policy-targeted
$ cp -a /sys/fs/selinux/class class.orig
$ make -C selinux LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install
install-pywrap relabel
$ ./selinux/libsemanage/utils/semanage_migrate_etc_to_var.py
$ cp -a /sys/fs/selinux/class class.new
$ diff -ru class.orig class.new

Lots of differences in permission values.

  parent reply	other threads:[~2014-07-16 19:00 UTC|newest]

Thread overview: 85+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-07-09 19:21 [RFC] Source Policy, CIL, and High Level Languages Steve Lawrence
2014-07-10  6:51 ` Dominick Grift
2014-07-10 12:19   ` Steve Lawrence
2014-07-10 12:35   ` Stephen Smalley
2014-07-10 12:52     ` Dominick Grift
2014-07-10 13:09       ` Dominick Grift
2014-07-10 13:12         ` Stephen Smalley
2014-07-10 13:26           ` Dominick Grift
2014-07-10 13:38             ` Stephen Smalley
2014-07-10 13:45               ` Dominick Grift
2014-07-11 15:02                 ` Steve Lawrence
2014-07-15 20:11                   ` Steve Lawrence
2014-07-10 15:02             ` Stephen Smalley
2014-07-11 17:20   ` Steve Lawrence
2014-07-14 16:48     ` Stephen Smalley
2014-07-14 16:53       ` Stephen Smalley
2014-07-14 17:08         ` Stephen Smalley
2014-07-14 17:12           ` Steve Lawrence
2014-07-14 17:49             ` Stephen Smalley
2014-07-15 19:56               ` Steve Lawrence
2014-07-16 14:16                 ` Stephen Smalley
2014-07-16 14:21                   ` Stephen Smalley
2014-07-16 14:26                     ` Stephen Smalley
2014-07-16 14:33                       ` Stephen Smalley
2014-07-16 15:11                         ` Steve Lawrence
2014-07-16 15:53                           ` Dominick Grift
2014-07-16 15:58                             ` Dominick Grift
2014-07-16 19:00                             ` Stephen Smalley [this message]
2014-07-17 13:49                               ` Steve Lawrence
2014-07-17 14:02                                 ` Stephen Smalley
2014-07-17 18:02                                 ` Stephen Smalley
2014-07-17 18:58                                   ` Steve Lawrence
2014-07-17 19:10                                     ` Stephen Smalley
2014-07-17 19:48                                       ` Stephen Smalley
2014-07-17 20:04                                         ` Steve Lawrence
2014-07-17 20:37                                           ` Stephen Smalley
2014-07-17 20:50                                             ` Daniel J Walsh
2014-07-17 20:52                                             ` Daniel J Walsh
2014-07-23 19:24                                               ` Stephen Smalley
2014-07-24 12:48                                                 ` Daniel J Walsh
2014-07-18 12:59                                             ` Steve Lawrence
2014-07-18 14:30                                               ` Stephen Smalley
2014-07-18 15:57                                                 ` Steve Lawrence
2014-07-22 15:05                                               ` James Carter
2014-07-18 14:13                                             ` Christopher J. PeBenito
2014-07-17 19:51                                       ` Steve Lawrence
2014-07-22 14:47                                     ` James Carter
2014-07-16 15:43                 ` Steve Lawrence
2014-07-14 17:33           ` Dominick Grift
2014-07-18 16:00   ` Steve Lawrence
2014-07-18 18:10     ` Stephen Smalley
2014-07-21 14:34       ` Steve Lawrence
2014-07-21 14:51         ` Stephen Smalley
2014-07-21 17:50           ` Steve Lawrence
2014-08-01 14:51             ` Steve Lawrence
2014-08-01 17:46               ` Stephen Smalley
2014-08-04 14:07                 ` Steve Lawrence
2014-08-18 22:37                 ` Steve Lawrence
2014-07-10 13:52 ` Stephen Smalley
2014-07-10 14:06   ` Dominick Grift
2014-07-10 14:09   ` Steve Lawrence
2014-07-10 14:58     ` James Carter
2014-07-10 13:59 ` Stephen Smalley
2014-07-10 14:53   ` Steve Lawrence
2014-07-10 14:11 ` Stephen Smalley
2014-07-10 14:13   ` Stephen Smalley
2014-07-10 14:17   ` Steve Lawrence
2014-07-10 14:20     ` Stephen Smalley
2014-07-10 14:23   ` Dominick Grift
2014-07-10 14:25     ` Stephen Smalley
2014-07-10 14:34       ` Stephen Smalley
2014-07-10 14:50         ` Dominick Grift
2014-07-10 14:43       ` Dominick Grift
2014-07-10 14:30 ` Stephen Smalley
2014-07-10 14:50   ` Stephen Smalley
2014-07-10 15:05     ` Steve Lawrence
2014-07-10 15:08       ` Stephen Smalley
2014-07-10 16:04   ` Steve Lawrence
  -- strict thread matches above, loose matches on Subject: below --
2014-04-29 14:59 Steve Lawrence
2014-05-01 12:38 ` Dominick Grift
2014-05-01 12:57   ` Steve Lawrence
2014-05-01 13:24     ` Dominick Grift
2014-05-01 13:27       ` Dominick Grift
2014-05-01 13:31         ` Dominick Grift
2014-05-01 14:01           ` Steve Lawrence

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=53C6CBD8.2050509@tycho.nsa.gov \
    --to=sds@tycho.nsa.gov \
    --cc=dominick.grift@gmail.com \
    --cc=selinux@tycho.nsa.gov \
    --cc=slawrence@tresys.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.