[redhat-lspp] Re: mcstransd question

Daniel J Walsh dwalsh at redhat.com
Thu Sep 28 15:00:42 UTC 2006


Linda Knippers wrote:
> Are only users cleared to SystemHigh supposed to be able to see translated
> labels?
>
> That seems to be the way it works right now with mcstransd.  The unix
> domain socket between libselinux and mcstransd is SystemHigh so while
> commands (ls -Z) run on behalf of a regular user (default SystemLow)
> try to translate the labels and can write the request to the socket
> but the daemon can't send the response.
>
> For example, this works:
> [root at kipper ~]#  ls -lZd /bin
> drwxr-xr-x  root root system_u:object_r:bin_t:SystemLow /bin
>
> This doesn't:
> [ljk at kipper ~]$ ls -lZd /bin
> drwxr-xr-x  root root system_u:object_r:bin_t:s0       /bin
>
>   
This is broken.  I am not sure how to handle this.  I have changed it
back to SystemLow-SystemHigh, which allows it to work properly, but I
think we need some constraints to prevent someone from getting
translations at a higher level than they are authorized for.
> and generates these:
>
> type=AVC msg=audit(1159373436.221:602): avc:  denied  { write } for  pid=1862
> comm="mcstransd" name="[9948]" dev=sockfs ino=9948
> scontext=system_u:system_r:setrans_t:s15:c0.c1023
> tcontext=system_u:system_r:setrans_t:s0 tclass=unix_stream_socket
> type=SYSCALL msg=audit(1159373436.221:602): arch=40000003 syscall=146 success=no
> exit=-13 a0=5 a1=bfa03dc8 a2=3 a3=3 items=0 ppid=1 pid=1862 auid=4294967295
> uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
> comm="mcstransd" exe="/sbin/mcstransd"
> subj=system_u:system_r:setrans_t:s15:c0.c1023 key=(null)
> type=AVC_PATH msg=audit(1159373436.221:602):  path="socket:[9948]"
>
> The socket looks like this:
> bash-3.1# ls -alZ /var/run/setrans/.setrans-unix
> srwxrwxrwx  root root system_u:object_r:setrans_var_run_t:SystemHigh
> /var/run/setrans/.setrans-unix
>
>   
I
> -- ljk
>   
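The denial above is a textbook MLS "write down": mcstransd runs at s15:c0.c1023 (SystemHigh) and is answering on a socket labelled s0 (SystemLow), and the MLS star property never lets a subject write to a level it dominates. Relabelling the socket SystemLow-SystemHigh works because the daemon's level then falls inside the socket's range. The following script is an added illustration, not code from the thread, from mcstransd or from the reference policy: it parses the quoted AVC record, decodes the MLS portion of each context, and reports the direction of the attempted flow. The "inside the range" check is a simplification of what the real mlsconstrain rules do, chosen only to mirror the reasoning in the reply; the helper names and the embedded sample line are this example's own.

```python
import re

# Constructed input: the AVC record quoted in the thread, joined onto one line.
SAMPLE_AVC = (
    "type=AVC msg=audit(1159373436.221:602): avc:  denied  { write } for  pid=1862 "
    'comm="mcstransd" name="[9948]" dev=sockfs ino=9948 '
    "scontext=system_u:system_r:setrans_t:s15:c0.c1023 "
    "tcontext=system_u:system_r:setrans_t:s0 tclass=unix_stream_socket"
)

# Pull out the pieces of an AVC record that matter for an MLS analysis.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_level(level):
    """'s15:c0.c1023' -> (15, frozenset({0..1023})); 's0' -> (0, frozenset())."""
    sens, _, cats = level.partition(":")
    categories = set()
    for part in filter(None, cats.split(",")):
        if "." in part:                      # cN.cM is an inclusive category range
            lo, hi = part.split(".")
            categories.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            categories.add(int(part[1:]))
    return int(sens[1:]), frozenset(categories)


def parse_context(ctx):
    """user:role:type:low[-high] -> dict; a single level means low == high."""
    user, role, typ, mls = ctx.split(":", 3)
    low, _, high = mls.partition("-")
    return {"user": user, "role": role, "type": typ,
            "low": parse_level(low), "high": parse_level(high or low)}


def dominates(a, b):
    """MLS dominance: a >= b iff a's sensitivity is >= b's and a's categories are a superset."""
    return a[0] >= b[0] and b[1] <= a[1]


def parse_avc(line):
    """Parse one AVC line into a dict with decoded scontext/tcontext."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC record")
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    rec["scontext"] = parse_context(rec["scontext"])
    rec["tcontext"] = parse_context(rec["tcontext"])
    return rec


def classify_flow(rec):
    """Compare the subject's current level with the object's low level.

    Returns 'equal', 'write-up', 'write-down' or 'incomparable'.  A 'write-down'
    on a write permission is exactly the situation the quoted denial shows.
    """
    subj, obj = rec["scontext"]["low"], rec["tcontext"]["low"]
    if subj == obj:
        return "equal"
    if dominates(subj, obj):
        return "write-down"
    if dominates(obj, subj):
        return "write-up"
    return "incomparable"


def within_range(level, ctx):
    """True if level lies inside ctx's low..high range (simplified model of the
    SystemLow-SystemHigh relabel; the real mlsconstrain rules are more specific)."""
    return dominates(level, ctx["low"]) and dominates(ctx["high"], level)


def explain(line):
    """One-line human summary of an AVC record and its MLS flow direction."""
    rec = parse_avc(line)
    perms = " ".join(rec["perms"])
    return "%s { %s } on %s: %s" % (rec["result"], perms, rec["tclass"], classify_flow(rec))


if __name__ == "__main__":
    print(explain(SAMPLE_AVC))
    daemon = parse_avc(SAMPLE_AVC)["scontext"]["low"]
    ranged = parse_context("system_u:object_r:setrans_var_run_t:s0-s15:c0.c1023")
    print("daemon level inside SystemLow-SystemHigh socket range:", within_range(daemon, ranged))
```

Running it on the quoted record reports the write as a write-down, and the same daemon level tests as inside the range of a SystemLow-SystemHigh socket but outside that of the SystemLow one, which is the behaviour difference the reply describes. It does not decide who may read a translation back, which is the missing constraint the reply asks for.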
