List: fedora-selinux-list
Subject: Fwd: selinux process transition not taking place
From: SZIGETVÁRI János <jszigetvari () gmail ! com>
Date: 2015-05-26 12:15:25
Message-ID: CAJK_Yh84LUh3UtZm+DVLENPfmQMC_DZpmmkVRky3q_Vrd-+yCQ () mail ! gmail ! com
2015-05-21 15:52 GMT+02:00 Stephen Smalley <sds@tycho.nsa.gov>:
> Wait, that denial shows that it was already running in syslogd_t and
> then tried to execute the script. execute_no_trans is when you try to
> execute something without changing contexts.
>
>
Yes, it surprises me too, and I don't seem to understand it either...
[root@centos-test aaa]# run_init /bin/bash
Authenticating root.
Password:
[root@centos-test /]# id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0
[root@centos-test /]# ps auxfZ | grep $$
system_u:system_r:initrc_t:s0 root 6357 0.0 0.1 108300 1888 pts/0 S 16:04 0:00 | \_ /bin/bash
system_u:system_r:initrc_t:s0 root 6369 0.0 0.0 103240 860 pts/0 S+ 16:04 0:00 | \_ grep 6357
[root@centos-test /]# ls -lZ /root/aaa/syslogd_exec_t_test.sh /bin/bash
-rwxr-xr-x. root root system_u:object_r:shell_exec_t:s0 /bin/bash
-rwxr-xr-x. root root system_u:object_r:syslogd_exec_t:s0 /root/aaa/syslogd_exec_t_test.sh
[root@centos-test /]# cat /root/aaa/syslogd_exec_t_test.sh
#!/bin/sh
export PATH="/bin:/usr/bin"
echo ${$}
ps auxfZ | fgrep -v grep | fgrep ${$}
[root@centos-test /]# /root/aaa/syslogd_exec_t_test.sh
/bin/sh: /root/aaa/syslogd_exec_t_test.sh: Permission denied
[root@centos-test /]# setenforce 0
[root@centos-test /]# /root/aaa/syslogd_exec_t_test.sh
6374
system_u:system_r:syslogd_t:s0 root 6374 0.0 0.0 106060 1340 pts/0 S+ 16:05 0:00 | \_ /bin/sh /root/aaa/syslogd_exec_t_test.sh
[root@centos-test /]# setenforce 1
[root@centos-test /]# exit
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
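The exchange above turns on the difference between three outcomes of an exec under SELinux: the file's type_transition fires and the process changes domain (needing file execute, process transition and file entrypoint), no type_transition fires and the process keeps its domain (needing file execute_no_trans), or the exec is denied. The block below is an added example, not code from the post or from the CentOS policy: it models that decision over a small constructed rule set (the ALLOW and TYPE_TRANSITION tables are assumptions that only mirror the shape of the real syslogd rules), shows what changes between enforcing and permissive mode, and classifies a constructed AVC denial line of the shape Stephen describes.

```python
"""Added example, not from the post: a model of the SELinux exec-time
domain-transition check that the thread is debugging (execute vs.
execute_no_trans vs. transition + entrypoint), plus a parser that classifies
AVC denial lines by that logic. Policy rules and the sample denial below are
constructed for the example and are assumptions, not the CentOS policy."""
import re

# Constructed allow rules: (source, target, class, permission).
ALLOW = {
    ("initrc_t", "syslogd_exec_t", "file", "execute"),
    ("initrc_t", "syslogd_t", "process", "transition"),
    ("syslogd_t", "syslogd_exec_t", "file", "entrypoint"),
    ("initrc_t", "shell_exec_t", "file", "execute"),
    ("initrc_t", "shell_exec_t", "file", "execute_no_trans"),
    ("syslogd_t", "shell_exec_t", "file", "execute"),
    ("syslogd_t", "shell_exec_t", "file", "execute_no_trans"),
    # Deliberately: execute on its own entry file, but no execute_no_trans.
    ("syslogd_t", "syslogd_exec_t", "file", "execute"),
}
# Constructed type_transition rules: (source domain, exec file type) -> new domain.
TYPE_TRANSITION = {("initrc_t", "syslogd_exec_t"): "syslogd_t"}


def allowed(src, tgt, cls, perm):
    return (src, tgt, cls, perm) in ALLOW


def exec_decision(src, exec_type):
    """Decide what happens when domain `src` execs a file of type `exec_type`.

    Returns (resulting_domain, denied_permission_or_None), following the
    kernel's order: file execute first; then, if no type_transition fires,
    file execute_no_trans; otherwise process transition and file entrypoint.
    """
    if not allowed(src, exec_type, "file", "execute"):
        return src, "execute"
    new = TYPE_TRANSITION.get((src, exec_type), src)
    if new == src:
        if not allowed(src, exec_type, "file", "execute_no_trans"):
            return src, "execute_no_trans"
        return src, None
    if not allowed(src, new, "process", "transition"):
        return new, "transition"
    if not allowed(new, exec_type, "file", "entrypoint"):
        return new, "entrypoint"
    return new, None


def run(src, exec_type, enforcing=True):
    """Outcome string for the exec in enforcing or permissive mode."""
    new, denied = exec_decision(src, exec_type)
    if denied is None:
        return f"runs as {new}"
    if enforcing:
        return f"exec fails: {src} lacks {denied} (would run as {new})"
    return f"runs as {new} (permissive: {denied} logged, not enforced)"


AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)


def explain_avc(line):
    """Classify one AVC denial line by which step of the exec check it failed."""
    m = AVC_RE.search(line)
    if not m:
        return None
    sdom = m.group("s").split(":")[2]
    ttype = m.group("t").split(":")[2]
    perms = set(m.group("perms").split())
    cls = m.group("cls")
    if cls == "file" and "execute_no_trans" in perms:
        return (f"{sdom} ran a {ttype} file without changing domain: "
                "no type_transition fired from that source domain")
    if cls == "file" and "entrypoint" in perms:
        return f"{ttype} is not an allowed entry point into {sdom}"
    if cls == "process" and "transition" in perms:
        return f"{sdom} may not transition to {ttype}"
    if cls == "file" and "execute" in perms:
        return f"{sdom} may not execute {ttype} files at all"
    return f"{sdom} denied {' '.join(sorted(perms))} on {ttype} ({cls})"


# Constructed sample denial (pid, timestamp and comm are placeholders),
# shaped like the one described in the thread.
SAMPLE_AVC = ('type=AVC msg=audit(0.0:0): avc:  denied  { execute_no_trans } '
              'for  pid=1 comm="bash" path="/root/aaa/syslogd_exec_t_test.sh" '
              'scontext=system_u:system_r:syslogd_t:s0 '
              'tcontext=system_u:object_r:syslogd_exec_t:s0 tclass=file')

if __name__ == "__main__":
    print(run("initrc_t", "syslogd_exec_t"))
    print(run("syslogd_t", "syslogd_exec_t"))
    print(run("syslogd_t", "syslogd_exec_t", enforcing=False))
    print(explain_avc(SAMPLE_AVC))
```

Under this model initrc_t executing a syslogd_exec_t file lands in syslogd_t, which is the setenforce 0 result in the session above; a process already in syslogd_t executing the same file gets no type_transition, so the kernel falls back to requiring execute_no_trans, and that is the permission the AVC line names. On a real system the same three questions are answered with sesearch against the loaded policy rather than a constructed table.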