[refpolicy] Possible regression and bug in userdom_base_user_template
Martin Orr
martin at martinorr.name
Mon Mar 1 11:48:28 CST 2010
On Mon 1 Mar 17:03:24 2010, Michal Svoboda wrote:
> Christopher J. PeBenito wrote:
>> I don't know what you are referring to; I don't see such access in
>> refpolicy. I can see that the base user template can read usr_t files,
>> but not execute them. I even added a test user that only called the
>> template and opened up the compiled policy with apol; it still did not
>> have an execute permission on usr_t.
>
> This is weird.
>
> # cat foo.te
> policy_module(foo,1.0.0)
>
> userdom_base_user_template(foo)
>
> # sesearch --allow -s foo_t -p execute_no_trans
> Found 2 semantic av rules:
> allow foo_t usr_t : file { ioctl read getattr lock execute
> execute_no_trans open } ;
> allow foo_t ld_so_t : file { read getattr execute execute_no_trans
> open } ;
>
> # aptitude show selinux-policy-default |grep -i vers
> Version: 2:0.2.20091117-1
>
> Either the policy changed since then or this is a Debian-only patch...
Yes, this is a Debian-only patch. According to my history, it was
added somewhere between 0.0.20080702-1 and 0.0.20080702-4.
--
Martin Orr
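The check Michal ran above (compile a module that only calls userdom_base_user_template, then query the loaded policy with sesearch) is the right way to settle what a template actually grants, since the reference source and a distribution-patched build can differ. The script below is an added example, not part of the thread or of refpolicy: it parses sesearch --allow output into a rule table and reports which (source, target, class) entries carry execute or execute_no_trans, so the question "does foo_t get execute on usr_t?" can be answered mechanically. The sample output embedded in it is constructed to match the rules quoted in the mail, including a rule wrapped across two lines as it appeared there; the function names are this example's own.

```python
import re

# Constructed sample of `sesearch --allow -s foo_t` output, laid out the way it
# was quoted in the thread: two of the rules are wrapped across a line break.
SAMPLE_OUTPUT = """Found 3 semantic av rules:
allow foo_t usr_t : file { ioctl read getattr lock execute
execute_no_trans open } ;
allow foo_t ld_so_t : file { read getattr execute execute_no_trans
open } ;
allow foo_t etc_t : file { ioctl read getattr lock open } ;
"""

# Matches both the setools 3 layout ("src tgt : class { perms } ;") and the
# setools 4 layout ("src tgt:class { perms };"), since whitespace is optional.
RULE_RE = re.compile(r"^allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*\{([^}]*)\}\s*;")

EXEC_PERMS = {"execute", "execute_no_trans"}


def parse_allow_rules(text):
    """Return {(source, target, class): set(permissions)} from sesearch --allow
    output. A rule wrapped over several lines is buffered until the closing ';'
    so that permissions after the line break are not lost."""
    rules = {}
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and not line.startswith("allow"):
            continue  # header lines such as "Found N semantic av rules:"
        buf = (buf + " " + line) if buf else line
        if not buf.endswith(";"):
            continue  # rule continues on the next line
        m = RULE_RE.match(buf)
        buf = ""
        if not m:
            continue  # not an allow rule we understand; skip it
        src, tgt, cls, perms = m.groups()
        rules.setdefault((src, tgt, cls), set()).update(perms.split())
    return rules


def find_execute_grants(rules, source, target="usr_t"):
    """List (class, sorted execute-family perms) that `source` holds on `target`.
    An empty list means the domain cannot execute files of that type."""
    hits = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        if src == source and tgt == target:
            found = perms & EXEC_PERMS
            if found:
                hits.append((cls, sorted(found)))
    return hits


if __name__ == "__main__":
    table = parse_allow_rules(SAMPLE_OUTPUT)
    for cls, perms in find_execute_grants(table, "foo_t"):
        print(f"foo_t may {' and '.join(perms)} usr_t:{cls}")
```

In practice you would feed it real output, e.g. `sesearch --allow -s foo_t -p execute_no_trans | python3 check.py` with `sys.stdin.read()` in place of the sample, after building and loading the test module with the usual checkmodule / semodule_package / semodule steps. Buffering until the trailing ';' is what makes the wrapped rules parse correctly; a naive line-per-rule parser would report usr_t with no execute_no_trans at all, which is exactly the kind of false negative that makes a template look safer than it is.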