List:       fedora-selinux-list
Subject:    Fwd: selinux process transition not taking place
From:       SZIGETVÁRI János <jszigetvari () gmail ! com>
Date:       2015-05-26 12:15:25
Message-ID: CAJK_Yh84LUh3UtZm+DVLENPfmQMC_DZpmmkVRky3q_Vrd-+yCQ () mail ! gmail ! com
2015-05-21 15:52 GMT+02:00 Stephen Smalley <sds@tycho.nsa.gov>:

> Wait, that denial shows that it was already running in syslogd_t and
> then tried to execute the script.  execute_no_trans is when you try to
> execute something without changing contexts.
>
>
Yes, it surprises me too, and I don't seem to understand it either...

[root@centos-test aaa]# run_init /bin/bash
Authenticating root.
Password:
[root@centos-test /]# id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0
[root@centos-test /]# ps auxfZ | grep $$
system_u:system_r:initrc_t:s0   root      6357  0.0  0.1 108300  1888 pts/0    S    16:04   0:00  |       \_ /bin/bash
system_u:system_r:initrc_t:s0   root      6369  0.0  0.0 103240   860 pts/0    S+   16:04   0:00  |           \_ grep 6357
[root@centos-test /]# ls -lZ /root/aaa/syslogd_exec_t_test.sh /bin/bash
-rwxr-xr-x. root root system_u:object_r:shell_exec_t:s0 /bin/bash
-rwxr-xr-x. root root system_u:object_r:syslogd_exec_t:s0 /root/aaa/syslogd_exec_t_test.sh
[root@centos-test /]# cat /root/aaa/syslogd_exec_t_test.sh
#!/bin/sh
export PATH="/bin:/usr/bin"
echo ${$}
ps auxfZ | fgrep -v grep | fgrep ${$}
[root@centos-test /]# /root/aaa/syslogd_exec_t_test.sh
/bin/sh: /root/aaa/syslogd_exec_t_test.sh: Permission denied
[root@centos-test /]# setenforce 0
[root@centos-test /]# /root/aaa/syslogd_exec_t_test.sh
6374
system_u:system_r:syslogd_t:s0  root      6374  0.0  0.0 106060  1340 pts/0    S+   16:05   0:00  |           \_ /bin/sh /root/aaa/syslogd_exec_t_test.sh
[root@centos-test /]# setenforce 1
[root@centos-test /]# exit

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
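Added example, not part of the thread and not code from any of its participants. The exchange above hinges on the four policy rules a domain transition needs when a process in domain src executes a file of type exec_type: execute on the file for src, a type_transition rule naming the new domain dst, process:transition from src to dst, and file:entrypoint on exec_type for dst. When no transition applies the kernel asks for execute_no_trans instead, which is the permission in the denial Stephen refers to. The script below parses rules in sesearch(1) output format and an audit.log AVC record, checks which of the four requirements hold, and maps a denied execve permission to the rule it corresponds to. The rule lines and the AVC record are constructed for the example (the AVC line is modelled on the description of the denial, not copied from the post), so they are assumptions, not output from the poster's CentOS box.

```python
"""Triage an SELinux AVC denial against the rules a domain transition needs.

Added example for the thread above. SAMPLE_RULES and SAMPLE_AVC are constructed:
the rules mimic sesearch output for the initrc_t -> syslogd_t transition, and
the AVC line mimics the execute_no_trans denial described in the thread.
"""
import re

# Constructed rules in sesearch output format (setools 3 spacing; setools 4
# spacing, e.g. "allow a b:file { execute };", also parses).
SAMPLE_RULES = """
allow initrc_t syslogd_exec_t : file { read getattr execute open } ;
type_transition initrc_t syslogd_exec_t : process syslogd_t ;
allow initrc_t syslogd_t : process transition ;
allow syslogd_t syslogd_exec_t : file { read getattr execute entrypoint open } ;
allow initrc_t shell_exec_t:file { read execute execute_no_trans open };
"""

# Constructed audit.log record with the kernel's AVC field layout.
SAMPLE_AVC = ('type=AVC msg=audit(1432210000.123:456): avc:  denied  '
              '{ execute_no_trans } for  pid=6374 comm="bash" '
              'path="/root/aaa/syslogd_exec_t_test.sh" dev=dm-0 ino=12345 '
              'scontext=system_u:system_r:syslogd_t:s0 '
              'tcontext=system_u:object_r:syslogd_exec_t:s0 tclass=file')

ALLOW_RE = re.compile(r'^allow\s+(\S+)\s+(\S+?)\s*:\s*(\S+)\s+\{?\s*([^};]+?)\s*\}?\s*;')
TT_RE = re.compile(r'^type_transition\s+(\S+)\s+(\S+?)\s*:\s*(\S+)\s+(\S+?)\s*;')
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_rules(text):
    """Return (allows, transitions). allows: (src, tgt, class) -> set of perms;
    transitions: (src, tgt, class) -> default type."""
    allows, transitions = {}, {}
    for line in text.strip().splitlines():
        m = ALLOW_RE.match(line.strip())
        if m:
            src, tgt, cls, perms = m.groups()
            allows.setdefault((src, tgt, cls), set()).update(perms.split())
            continue
        m = TT_RE.match(line.strip())
        if m:
            src, tgt, cls, dst = m.groups()
            transitions[(src, tgt, cls)] = dst
    return allows, transitions


def type_of(context):
    """Type field of a user:role:type[:range] security context."""
    return context.split(':')[2]


def parse_avc(line):
    """Extract permissions, source/target types and class from an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC denial')
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    return {'perms': set(m.group(1).split()),
            'stype': type_of(fields['scontext']),
            'ttype': type_of(fields['tcontext']),
            'tclass': fields['tclass'],
            'path': fields.get('path')}


def check_transition(rules, src, exec_type):
    """Evaluate the four requirements for src -> dst via exec_type.
    Returns (dst or None, {requirement: bool})."""
    allows, transitions = rules
    dst = transitions.get((src, exec_type, 'process'))
    req = {
        'execute': 'execute' in allows.get((src, exec_type, 'file'), set()),
        'type_transition': dst is not None,
        'transition': dst is not None and
                      'transition' in allows.get((src, dst, 'process'), set()),
        'entrypoint': dst is not None and
                      'entrypoint' in allows.get((dst, exec_type, 'file'), set()),
    }
    return dst, req


def diagnose(avc, rules):
    """Map a denied execve-path permission to the transition rule it implies."""
    src, tgt = avc['stype'], avc['ttype']
    # process:transition is checked old-domain -> new-domain.
    if avc['tclass'] == 'process' and 'transition' in avc['perms']:
        return 'transition', f'missing: allow {src} {tgt}:process transition;'
    if avc['tclass'] != 'file':
        return None, 'not an execve-related denial'
    # file:entrypoint is checked with the *new* domain as scontext.
    if 'entrypoint' in avc['perms']:
        return 'entrypoint', f'missing: allow {src} {tgt}:file entrypoint;'
    if 'execute_no_trans' in avc['perms']:
        # The kernel only asks for execute_no_trans when src would stay src,
        # i.e. no type_transition applied to this execve.
        dst, req = check_transition(rules, src, tgt)
        missing = [k for k, ok in req.items() if not ok]
        return 'execute_no_trans', (f'{src} ran {tgt} without a transition; '
                                    f'unmet requirements: {missing or "none"}')
    if 'execute' in avc['perms']:
        return 'execute', f'missing: allow {src} {tgt}:file execute;'
    return None, 'denial is not on the transition path'


if __name__ == '__main__':
    rules = parse_rules(SAMPLE_RULES)
    print(check_transition(rules, 'initrc_t', 'syslogd_exec_t'))
    print(diagnose(parse_avc(SAMPLE_AVC), rules))
```

On a real box the rule text comes from `sesearch -A -s initrc_t -t syslogd_exec_t` together with `sesearch -T -s initrc_t -t syslogd_exec_t` (setools 3 flags, as shipped on CentOS 6; setools 4 uses the same letters), and the AVC line from `ausearch -m avc`. Note that the checker reports the rules as they stand in policy; whether the kernel applied the transition on a given execve also depends on things the rules do not show, such as a nosuid mount or no_new_privs on the caller.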
