* nnp_transition
@ 2019-01-21 22:47 Russell Coker
2019-01-22 8:11 ` nnp_transition Dominick Grift
0 siblings, 1 reply; 4+ messages in thread
From: Russell Coker @ 2019-01-21 22:47 UTC (permalink / raw)
To: selinux-refpolicy
Getting close to a Debian release so I have to sort out the nnp_transition
rules. How do I work out what's going on here? Do I just assume that as
dpkg_t has generally less access than unconfined_t it's ok? Is it worth
investigating why something in apt is setting NNP?
type=PROCTITLE msg=audit(22/01/19 07:08:31.692:1104) : proctitle=/usr/bin/dpkg
--print-foreign-architectures
type=SYSCALL msg=audit(22/01/19 07:08:31.692:1104) : arch=x86_64
syscall=execve success=yes exit=0 a0=0x5611b27bd0e0 a1=0x5611b27c1590
a2=0x7fff0e8f51f0 a3=0x1 items=0 ppid=18604 pid=18605 auid=root uid=_apt
gid=nogroup euid=_apt suid=_apt fsuid=_apt egid=nogroup sgid=nogroup
fsgid=nogroup tty=pts2 ses=9 comm=dpkg exe=/usr/bin/dpkg
subj=unconfined_u:unconfined_r:dpkg_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(22/01/19 07:08:31.692:1104) : avc: granted {
nnp_transition } for pid=18605 comm=apt-config
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:dpkg_t:s0-s0:c0.c1023 tclass=process2
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: nnp_transition
2019-01-21 22:47 nnp_transition Russell Coker
@ 2019-01-22 8:11 ` Dominick Grift
2019-01-22 8:33 ` nnp_transition Russell Coker
0 siblings, 1 reply; 4+ messages in thread
From: Dominick Grift @ 2019-01-22 8:11 UTC (permalink / raw)
To: Russell Coker; +Cc: selinux-refpolicy
Russell Coker <russell@coker.com.au> writes:
> Getting close to a Debian release so I have to sort out the nnp_transition
> rules. How do I work out what's going on here? Do I just assume that as
> dpkg_t has generally less access than unconfined_t it's ok? Is it worth
> investigating why something in apt is setting NNP?
Not worth looking into if you ask me (this is just the tip of the mountain). You no longer have to worry about
type bounds if you enable the polcap (which i think is the default)
>
> type=PROCTITLE msg=audit(22/01/19 07:08:31.692:1104) : proctitle=/usr/bin/dpkg
> --print-foreign-architectures
> type=SYSCALL msg=audit(22/01/19 07:08:31.692:1104) : arch=x86_64
> syscall=execve success=yes exit=0 a0=0x5611b27bd0e0 a1=0x5611b27c1590
> a2=0x7fff0e8f51f0 a3=0x1 items=0 ppid=18604 pid=18605 auid=root uid=_apt
> gid=nogroup euid=_apt suid=_apt fsuid=_apt egid=nogroup sgid=nogroup
> fsgid=nogroup tty=pts2 ses=9 comm=dpkg exe=/usr/bin/dpkg
> subj=unconfined_u:unconfined_r:dpkg_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(22/01/19 07:08:31.692:1104) : avc: granted {
> nnp_transition } for pid=18605 comm=apt-config
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:dpkg_t:s0-s0:c0.c1023 tclass=process2
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: nnp_transition
2019-01-22 8:11 ` nnp_transition Dominick Grift
@ 2019-01-22 8:33 ` Russell Coker
2019-01-22 8:35 ` nnp_transition Dominick Grift
0 siblings, 1 reply; 4+ messages in thread
From: Russell Coker @ 2019-01-22 8:33 UTC (permalink / raw)
To: Dominick Grift; +Cc: selinux-refpolicy
On Tuesday, 22 January 2019 7:11:40 PM AEDT Dominick Grift wrote:
> > Getting close to a Debian release so I have to sort out the nnp_transition
> > rules. How do I work out what's going on here? Do I just assume that as
> > dpkg_t has generally less access than unconfined_t it's ok? Is it worth
> > investigating why something in apt is setting NNP?
>
> Not worth looking into if you ask me (this is just the tip of the mountain).
> You no longer have to worry about type bounds if you enable the polcap
> (which i think is the default)
What do you mean by "enable the polcap"?
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: nnp_transition
2019-01-22 8:33 ` nnp_transition Russell Coker
@ 2019-01-22 8:35 ` Dominick Grift
0 siblings, 0 replies; 4+ messages in thread
From: Dominick Grift @ 2019-01-22 8:35 UTC (permalink / raw)
To: Russell Coker; +Cc: selinux-refpolicy
Russell Coker <russell@coker.com.au> writes:
> On Tuesday, 22 January 2019 7:11:40 PM AEDT Dominick Grift wrote:
>> > Getting close to a Debian release so I have to sort out the nnp_transition
>> > rules. How do I work out what's going on here? Do I just assume that as
>> > dpkg_t has generally less access than unconfined_t it's ok? Is it worth
>> > investigating why something in apt is setting NNP?
>>
>> Not worth looking into if you ask me (this is just the tip of the mountain).
>> You no longer have to worry about type bounds if you enable the polcap
>> (which i think is the default)
>
> What do you mean by "enable the polcap"?
[root@brutus ~]# seinfo --polcap | grep nnp
nnp_nosuid_transition
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2019-01-22 8:35 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-01-21 22:47 nnp_transition Russell Coker
2019-01-22 8:11 ` nnp_transition Dominick Grift
2019-01-22 8:33 ` nnp_transition Russell Coker
2019-01-22 8:35 ` nnp_transition Dominick Grift
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.