SELinux-Refpolicy Archive on lore.kernel.org
 help / color / Atom feed
* what's up with mac_admin
@ 2019-03-10 22:31 Russell Coker
  2019-03-11  6:53 ` Dominick Grift
  0 siblings, 1 reply; 3+ messages in thread
From: Russell Coker @ 2019-03-10 22:31 UTC (permalink / raw)
  To: selinux-refpolicy

type=AVC msg=audit(1552226284.038:2422): avc:  denied  { mac_admin } for  
pid=8289 comm="rsync" capability=33  
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2 
permissive=0

The above is from running rsync with the -X option.

$ grep -R mac_admin .
./policy/flask/access_vectors:  mac_admin       # unused by SELinux
./policy/modules/apps/livecd.te:dontaudit livecd_t self:capability2 mac_admin;

Grepping the git policy shows that there's a comment saying it's unused as 
well as a dontaudit rule indicating that it has been used for some time.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/




^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: what's up with mac_admin
  2019-03-10 22:31 what's up with mac_admin Russell Coker
@ 2019-03-11  6:53 ` Dominick Grift
  2019-03-12  0:50   ` Chris PeBenito
  0 siblings, 1 reply; 3+ messages in thread
From: Dominick Grift @ 2019-03-11  6:53 UTC (permalink / raw)
  To: Russell Coker; +Cc: selinux-refpolicy\

Russell Coker <russell@coker.com.au> writes:

> type=AVC msg=audit(1552226284.038:2422): avc:  denied  { mac_admin } for  
> pid=8289 comm="rsync" capability=33  
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2 
> permissive=0

Its for setting invalid labels. Something you generally want to avoid.

>
> The above is from running rsync with the -X option.
>
> $ grep -R mac_admin .
> ./policy/flask/access_vectors:  mac_admin       # unused by SELinux
> ./policy/modules/apps/livecd.te:dontaudit livecd_t self:capability2 mac_admin;
>
> Grepping the git policy shows that there's a comment saying it's unused as 
> well as a dontaudit rule indicating that it has been used for some time.

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: what's up with mac_admin
  2019-03-11  6:53 ` Dominick Grift
@ 2019-03-12  0:50   ` Chris PeBenito
  0 siblings, 0 replies; 3+ messages in thread
From: Chris PeBenito @ 2019-03-12  0:50 UTC (permalink / raw)
  To: Dominick Grift, Russell Coker; +Cc: selinux-refpolicy

On 3/11/19 2:53 AM, Dominick Grift wrote:
> Russell Coker <russell@coker.com.au> writes:
> 
>> type=AVC msg=audit(1552226284.038:2422): avc:  denied  { mac_admin } for
>> pid=8289 comm="rsync" capability=33
>> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2
>> permissive=0
> 
> Its for setting invalid labels. Something you generally want to avoid.

Correct.  There used to be a neverallow, but when that was removed, we 
forgot to remove the comment in access_vectors.  It's gone now.


>>
>> The above is from running rsync with the -X option.
>>
>> $ grep -R mac_admin .
>> ./policy/flask/access_vectors:  mac_admin       # unused by SELinux
>> ./policy/modules/apps/livecd.te:dontaudit livecd_t self:capability2 mac_admin;
>>
>> Grepping the git policy shows that there's a comment saying it's unused as
>> well as a dontaudit rule indicating that it has been used for some time.
> 


-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, back to index

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-03-10 22:31 what's up with mac_admin Russell Coker
2019-03-11  6:53 ` Dominick Grift
2019-03-12  0:50   ` Chris PeBenito

SELinux-Refpolicy Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux-refpolicy/0 selinux-refpolicy/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux-refpolicy selinux-refpolicy/ https://lore.kernel.org/selinux-refpolicy \
		selinux-refpolicy@vger.kernel.org selinux-refpolicy@archiver.kernel.org
	public-inbox-index selinux-refpolicy


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux-refpolicy


AGPL code for this site: git clone https://public-inbox.org/ public-inbox