SELinux Mailing List - NSA/CSS

Skip All Menus Skip Top Menu

Top Navigation Menus

Skip Research Menus

Research Menu

Research Security Enhanced Linux What's New Frequently Asked Questions Background Documents License Download Participating Mail List Archives Remaining Work Contributors Related Work Press Releases Information Assurance Research NIARL In-house Research Areas Mathematical Sciences Program Sabbaticals Computer & Information Sciences Research Technology Transfer Advanced Computing Advanced Mathematics Communications & Networking Information Processing Microelectronics Other Technologies Technology Fact Sheets Publications Related Links	Skip Search Box Searchbox SELinux Mailing List Re: system_u:system_r:system_chkpwd_t:UNCLASSIFIED, how did I get here? This message: [ Message body ] [ More options ] Related messages: [ Next message ] [ Previous message ] [ In reply to ] [ Next in thread ] [ Replies ] From: Stephen Smalley <sds_at_tycho.nsa.gov> Date: Mon, 10 Dec 2007 09:55:56 -0500 On Sat, 2007-12-08 at 11:04 -0600, Ted X Toth wrote: > I'm running F8 with MLS reference policy (in permissive right now) and > I'm trying to understand how I get into this context. I can understand > how at some point while authenticating a transition to > system_u:system_r:system_chkpwd_t would occur by virtue of running > unix_chkpwd but then why wouldn't a transition to user_u:user_r:<>_t* > happen? Also I'd like to understand how policy for pam, since it's a > bunch of shared libraries, works. Are there any good sources of > information on writing policy for shared libraries? getdefaultcon in libselinux/utils can help you with investigating what context will be returned for a given user and from-context (i.e. context of the login process). First question is why is the user being mapped to system_u? Bad seusers configuration? semanage login -l As for chkpwd, get_ordered_context_list() first asks the kernel for the full set of reachable contexts for the user via security_compute_user(), which merely checks process transition permission. Thus, the chkpwd context is included in that set since it is reachable (since the login process does in fact transition to it when executing unix_chkpwd). But it normally gets pruned from the final list based on /etc/selinux/$SELINUXTYPE/contexts/default_contexts. However, if no matches are found there, it will return the original list from the kernel, and thus you could end up there (in permissive mode). There has been some talk of overhauling get_ordered_context_list. With regard to pam, there are no domain transitions on function calls, only on execve, so there are no domain transitions when invoking pam modules, only when those modules invoke helper programs like unix_chkpwd. The pam modules themselves run within the domain of the caller. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. Received on Mon 10 Dec 2007 - 09:55:59 EST This message: [ Message body ] Next message: Xavier Toth: "Re: system_u:system_r:system_chkpwd_t:UNCLASSIFIED, how did I get here?" Previous message: Stephen Smalley: "Re: Se-Linux Updates for LTP" In reply to: Ted X Toth: "system_u:system_r:system_chkpwd_t:UNCLASSIFIED, how did I get here?" Next in thread: Xavier Toth: "Re: system_u:system_r:system_chkpwd_t:UNCLASSIFIED, how did I get here?" Reply: Xavier Toth: "Re: system_u:system_r:system_chkpwd_t:UNCLASSIFIED, how did I get here?" Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]
	Date Posted: Jan 15, 2009 \| Last Modified: Jan 15, 2009 \| Last Reviewed: Jan 15, 2009

bottom