Manoj Srivastava | 1 Jun 2008 11:34

Re: Recent problems recompiling libsemanage with new libustr (1.0.4)

Hi,

        I should know better than to send out such mails at 4am. Mea culpa. I
 had forgotten to remove the -z defs from the loader command line; since
 failing to do so on Debian results in the failure you saw before.

        Sorry for all the noise.

        manoj
-- 
You know you are getting old when you think you should drive the speed
limit. E.A. Gilliam
Manoj Srivastava <manoj.srivastava@...>
<srivasta@...>        
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C

KaiGai Kohei | 2 Jun 2008 12:27

Re: [PATCH] libselinux: add support for /contexts/postgresql_contexts

Christopher J. PeBenito wrote:
> On Thu, 2008-05-29 at 20:22 -0400, Eamon Walsh wrote:
>> Christopher J. PeBenito wrote:
>>> On Thu, 2008-05-29 at 14:05 -0400, Eamon Walsh wrote:
>>>> Christopher J. PeBenito wrote:
>>>>> On Tue, 2008-05-27 at 16:15 -0400, Eamon Walsh wrote:
>>>>>> Christopher J. PeBenito wrote:
>>>>>>> On Tue, 2008-05-27 at 14:34 -0400, Stephen Smalley wrote:
>>>>>>>> On Tue, 2008-05-27 at 13:55 -0400, Christopher J. PeBenito wrote:
>>>>>>>>> I mainly had an issue with statements like:
>>>>>>>>>
>>>>>>>>> type_transition postgresql_t postgresql_t:db_database sepgsql_db_t;
>>>>>>>>> type_transition postgresql_t sepgsql_database_type:db_table sepgsql_sysobj_t;
>>>>>>>>> type_transition postgresql_t sepgsql_database_type:db_procedure sepgsql_proc_t;
>>>>>>>>> type_transition postgresql_t sepgsql_database_type:db_blob sepgsql_blob_t;
>>>>>>>>> type_transition sepgsql_client_type postgresql_t:db_database sepgsql_db_t;

Christopher J. PeBenito | 2 Jun 2008 14:09

Re: changing role to user_r

On Sat, 2008-05-31 at 06:11 +0000, Justin Mattock wrote:
> Hello, I'm running an experiment with SELinux and seem to be at a crux
> with changing roles:
> newrole -r user_r
> I get a permission denied, the allow rule is this: allow newrole_t
> user_t:process transition;
> I don't have a problem changing to sysadm_r any thoughts on what I'm missing?

Sounds like your user is staff_u or root.  Neither users are allowed
user_r.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

Manoj Srivastava | 1 Jun 2008 10:53

Recent problems recompiling libsemanage with new libustr (1.0.4)

Hi folks,

        I tried recompiling libsemanage on a recent Debian unstable
 box, and the build failed (error below). The same build, with the same
 code, had worked on 18 Mar 2008.

        The difference seems to be libustr version 1.0.3 works, and
 1.0.4 fails. I do not see anything in the upstream ChangeLog to explain
 this, offhand, though there have been a whole slew of new files in
 /usr/include for version 1.0.4 -- though there was no soname bump.

        This is just a heads up, I'll follow up with the ustr folks.

        manoj

--8<---------------cut here---------------start------------->8---
__> rgrep -n ustr_dup_buf /usr/include/
/usr/include/ustr-main.h:502:#define USTR_DUP_OBJ(y)     ustr_dup_buf(y, sizeof(y))
/usr/include/ustr-main.h:503:#define USTR_DUP_OSTR(y)    ustr_dup_buf(y, sizeof(y) - 1)
/usr/include/ustr-main.h:730:USTR_CONF_E_PROTO struct Ustr *ustr_dup_buf(const void *, size_t)
/usr/include/ustr-main.h:959:{ return (ustr_dup_buf(cstr, strlen(cstr))); }
--8<---------------cut here---------------end--------------->8---

cc -O2 -g -I../include -I/usr/include -D_GNU_SOURCE  -fPIC -DSHARED -c -o utilities.lo utilities.c
cc -O2 -g -I../include -I/usr/include -D_GNU_SOURCE -fPIC -DSHARED -c -o conf-scan.lo conf-scan.c
cc -O2 -g -I../include -I/usr/include -D_GNU_SOURCE -fPIC -DSHARED -c -o conf-parse.lo conf-parse.c
cc -O2 -g -I../include -I/usr/include -D_GNU_SOURCE  -s -s -shared -o libsemanage.so.1
boolean_record.lo booleans_active.lo booleans_activedb.lo booleans_file.lo booleans_local.lo
booleans_policy.lo booleans_policydb.lo context_record.lo database.lo database_activedb.lo
database_file.lo database_join.lo database_llist.lo database_policydb.lo debug.lo

Justin Mattock | 2 Jun 2008 18:21

Re: changing role to user_r

On Mon, Jun 2, 2008 at 12:09 PM, Christopher J. PeBenito
<cpebenito@...> wrote:
> On Sat, 2008-05-31 at 06:11 +0000, Justin Mattock wrote:
>> Hello, I'm running an experiment with SELinux and seem to be at a crux
>> with changing roles:
>> newrole -r user_r
>> I get a permission denied, the allow rule is this: allow newrole_t
>> user_t:process transition;
>> I don't have a problem changing to sysadm_r any thoughts on what I'm missing?
>
> Sounds like your user is staff_u or root.  Neither users are allowed
> user_r.
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> (410) 290-1411 x150
>
>

Yeah, after reading some posts about xserver, I decided to see if I
could startx in staff_r, everything was fine except for changing to
user_r to use firefox, and so forth. Keep in mind this was just a test
to see. Overall I don't have a problem keeping what I have now.
And it also makes sense about what you had said "Neither users are allowed".
regards

-- 
Justin P. Mattock


Clarkson, Mike R (US SSA) | 2 Jun 2008 18:38

RE: changing role to user_r

Which SELinux user are you logging in as?

When you type "semanage user -l", does that user list user_r as one of
its available roles? If not, you won't be able to change to user_r

> -----Original Message-----
> From: owner-selinux@... [mailto:owner-selinux@...] On
> Behalf Of Justin Mattock
> Sent: Friday, May 30, 2008 11:11 PM
> To: selinux@...
> Subject: changing role to user_r
> 
> Hello, I'm running an experiment with SELinux and seem to be at a crux
> with changing roles:
> newrole -r user_r
> I get a permission denied, the allow rule is this: allow newrole_t
> user_t:process transition;
> I don't have a problem changing to sysadm_r any thoughts on what I'm
> missing?
> 
> --
> Justin P. Mattock
> 
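
The check suggested in the message above, as an added example that is not part of the original thread: a small shell function that reads `semanage user -l` output and reports whether an SELinux user is authorized for a role. The listing embedded here is constructed, and the function names `role_allowed` and `explain` are hypothetical.

```sh
#!/bin/sh
# Added example: does an SELinux user's role list include a given role?

# Constructed sample in the layout printed by `semanage user -l`; the role
# lists are assumptions chosen to match the situation in the thread.
SAMPLE_USERS='
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range          SELinux Roles

root            user       s0         s0-s0:c0.c1023     staff_r sysadm_r system_r
staff_u         user       s0         s0-s0:c0.c1023     staff_r sysadm_r
user_u          user       s0         s0                 user_r
'

# role_allowed SELINUX_USER ROLE [LISTING]
# Exit status: 0 = user is authorized for the role, 1 = user is listed but
# the role is not, 2 = user does not appear in the listing.
# LISTING defaults to the constructed sample; on a live system pass
# "$(semanage user -l)" instead.
role_allowed() {
    printf '%s\n' "${3:-$SAMPLE_USERS}" | awk -v u="$1" -v r="$2" '
        $1 == u {
            found = 1
            # Fields after the user name hold prefix, levels and roles.
            # An exact field match is required, so user_r does not match
            # the "user" value in the prefix column.
            for (i = 2; i <= NF; i++) if ($i == r) ok = 1
        }
        END { if (ok) exit 0; if (found) exit 1; exit 2 }'
}

# explain SELINUX_USER ROLE [LISTING]: print a one-line verdict.
explain() {
    rc=0
    role_allowed "$1" "$2" "${3:-}" || rc=$?
    case $rc in
        0) echo "$1 may enter $2" ;;
        1) echo "$1 is not authorized for $2: newrole -r $2 will fail" ;;
        *) echo "$1 not found in listing" ;;
    esac
}

explain staff_u sysadm_r
explain staff_u user_r
explain user_u user_r
```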

Justin Mattock | 2 Jun 2008 19:14

Re: changing role to user_r

On Mon, Jun 2, 2008 at 4:38 PM, Clarkson, Mike R (US SSA)
<mike.clarkson@...> wrote:
> Which SELinux user are you logging in as?
>
> When you type "semanage user -l", does that user list user_r as one of
> its available roles? If not, you won't be able to change to user_r
>
>> -----Original Message-----
>> From: owner-selinux@... [mailto:owner-selinux@...] On
>> Behalf Of Justin Mattock
>> Sent: Friday, May 30, 2008 11:11 PM
>> To: selinux@...
>> Subject: changing role to user_r
>>
>> Hello, I'm running an experiment with SELinux and seem to be at a crux
>> with changing roles:
>> newrole -r user_r
>> I get a permission denied, the allow rule is this: allow newrole_t
>> user_t:process transition;
>> I don't have a problem changing to sysadm_r any thoughts on what I'm
>> missing?
>>
>> --
>> Justin P. Mattock
>>

Eamon Walsh | 2 Jun 2008 19:31

Re: [PATCH] libselinux: add support for /contexts/postgresql_contexts

KaiGai Kohei wrote:
> Christopher J. PeBenito wrote:
>> On Thu, 2008-05-29 at 20:22 -0400, Eamon Walsh wrote:
>>> Christopher J. PeBenito wrote:
>>>> On Thu, 2008-05-29 at 14:05 -0400, Eamon Walsh wrote:
>>>>> Christopher J. PeBenito wrote:
>>>>>> On Tue, 2008-05-27 at 16:15 -0400, Eamon Walsh wrote:
>>>>>>> Christopher J. PeBenito wrote:
>>>>>>>> On Tue, 2008-05-27 at 14:34 -0400, Stephen Smalley wrote:
>>>>>>>>> On Tue, 2008-05-27 at 13:55 -0400, Christopher J. PeBenito wrote:

Christopher J. PeBenito | 2 Jun 2008 20:38

Re: rbacsep: collapsing xserver

On Fri, 2008-05-30 at 19:10 -0400, Eamon Walsh wrote:
> Joe Nall wrote:
> > On Fri, May 30, 2008 at 8:47 AM, Christopher J. PeBenito
> > <cpebenito@...> wrote:
> >> On Fri, 2008-05-30 at 08:19 -0500, Xavier Toth wrote:
> >>> On Wed, May 28, 2008 at 1:38 PM, Daniel J Walsh <dwalsh@...> wrote:
> >>>> The current XAce software is far too complex to do anything useful in my
> >>>> opinion.  We have way too many types and transitions.  We need to
> >>>> simplify down to a lot less types.
> >>> Going back to Dan's concern about the complexity of the X SELinux
> >>> extension and the number of types and transitions I'd like to see some
> >>> discussion/resolution. Eamon what's your position on this topic?
> >> I don't want to speak for Eamon, but I suspect that he would defend the
> >> current setup since he's the one that wrote the policy.  I just
> >> restructured it to fit nicer in refpolicy and actually removed a few
> >> types :)
> >>
> >> My position is that it's fine as is.  Simplifying it unconditionally
> >> starts to make it less usable for people that actually want fine grained
> >> controls on the desktop.  Making things simpler tends to be easy, since
> >> it tends to be merging types or using attributes for blanket access,
> >> like unconfined does.  The black magic voodoo that happens in the
> >> xserver, that only a select few have previously known about, has only
> >> recently been exposed via the SELinux controls.  I feel that it may be
> >> premature to simplify the policy, since side effects probably aren't