* what's up with mac_admin
@ 2019-03-10 22:31 Russell Coker
2019-03-11 6:53 ` Dominick Grift
0 siblings, 1 reply; 3+ messages in thread
From: Russell Coker @ 2019-03-10 22:31 UTC (permalink / raw)
To: selinux-refpolicy
type=AVC msg=audit(1552226284.038:2422): avc: denied { mac_admin } for
pid=8289 comm="rsync" capability=33
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2
permissive=0
The above is from running rsync with the -X option.
$ grep -R mac_admin .
./policy/flask/access_vectors: mac_admin # unused by SELinux
./policy/modules/apps/livecd.te:dontaudit livecd_t self:capability2 mac_admin;
Grepping the git policy shows that there's a comment saying it's unused as
well as a dontaudit rule indicating that it has been used for some time.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: what's up with mac_admin
2019-03-10 22:31 what's up with mac_admin Russell Coker
@ 2019-03-11 6:53 ` Dominick Grift
2019-03-12 0:50 ` Chris PeBenito
0 siblings, 1 reply; 3+ messages in thread
From: Dominick Grift @ 2019-03-11 6:53 UTC (permalink / raw)
To: Russell Coker; +Cc: selinux-refpolicy
Russell Coker <russell@coker.com.au> writes:
> type=AVC msg=audit(1552226284.038:2422): avc: denied { mac_admin } for
> pid=8289 comm="rsync" capability=33
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2
> permissive=0
Its for setting invalid labels. Something you generally want to avoid.
>
> The above is from running rsync with the -X option.
>
> $ grep -R mac_admin .
> ./policy/flask/access_vectors: mac_admin # unused by SELinux
> ./policy/modules/apps/livecd.te:dontaudit livecd_t self:capability2 mac_admin;
>
> Grepping the git policy shows that there's a comment saying it's unused as
> well as a dontaudit rule indicating that it has been used for some time.
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: what's up with mac_admin
2019-03-11 6:53 ` Dominick Grift
@ 2019-03-12 0:50 ` Chris PeBenito
0 siblings, 0 replies; 3+ messages in thread
From: Chris PeBenito @ 2019-03-12 0:50 UTC (permalink / raw)
To: Dominick Grift, Russell Coker; +Cc: selinux-refpolicy
On 3/11/19 2:53 AM, Dominick Grift wrote:
> Russell Coker <russell@coker.com.au> writes:
>
>> type=AVC msg=audit(1552226284.038:2422): avc: denied { mac_admin } for
>> pid=8289 comm="rsync" capability=33
>> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2
>> permissive=0
>
> Its for setting invalid labels. Something you generally want to avoid.
Correct. There used to be a neverallow, but when that was removed, we
forgot to remove the comment in access_vectors. It's gone now.
>>
>> The above is from running rsync with the -X option.
>>
>> $ grep -R mac_admin .
>> ./policy/flask/access_vectors: mac_admin # unused by SELinux
>> ./policy/modules/apps/livecd.te:dontaudit livecd_t self:capability2 mac_admin;
>>
>> Grepping the git policy shows that there's a comment saying it's unused as
>> well as a dontaudit rule indicating that it has been used for some time.
>
--
Chris PeBenito
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-03-12 0:50 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-03-10 22:31 what's up with mac_admin Russell Coker
2019-03-11 6:53 ` Dominick Grift
2019-03-12 0:50 ` Chris PeBenito
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).