Discussion:
Object range_transition issue when type_transition is involved
Arnold, Paul C CTR USARMY PEO STRI (US)
2017-12-18 17:36:22 UTC
All,

I am experiencing some issues using range_transition on objects when type_transition is also involved on the object. Specifically, a range_transition rule on a target object with a "final" type (e.g. a type which went through a type_transition) does not seem to perform the range transition.

For example, using a private var log type (uses a type_transition from var_log_t) does not perform the range transition:

range_transition mydomain_t mypriv_var_log_t:file mySystemHigh;

I am confident my source domain is correct, I believe the issue is with the target object. Policy version is 24.

Regards,

--
Paul Arnold, CISSP
Cole Engineering Services, Inc.
Stephen Smalley
2017-12-18 19:52:52 UTC
On Mon, 2017-12-18 at 17:36 +0000, Arnold, Paul C CTR USARMY PEO STRI
All,

I am experiencing some issues using range_transition on objects when
type_transition is also involved on the object.  Specifically, a
range_transition rule on a target object with a "final" type (e.g. a
type which went through a type_transition) does not seem to perform
the range transition.

For example, using a private var log type (uses a type_transition

range_transition mydomain_t mypriv_var_log_t:file mySystemHigh;

I am confident my source domain is correct, I believe the issue is
with the target object.  Policy version is 24.

Sorry, are you saying that mydomain_t is creating a file in /var/log,
and that you both want the file type to be set to mypriv_var_log_t and
the level set to mySystemHigh?

If so, then I believe the correct incantation would be:
type_transition mydomain_t var_log_t:file mypriv_var_log_t;
range_transition mydomain_t var_log_t:file mySystemHigh;
(obviously you might instead be using refpolicy macros/interfaces to
achieve the same end)

In both cases, the source type corresponds to the creating process, the
target type corresponds to the parent directory type, and the new type
or level is applied to new files.
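As an added illustration of the lookup Stephen describes (this is example code written for this discussion, not code from the thread or from SELinux itself): a small Python model of how the kernel keys both type_transition and range_transition on (creating domain, parent directory type, object class). The thread's level alias mySystemHigh is stood in by the constructed level s15:c0.c1023, and both rule tables and contexts are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """A security context user:role:type:range (constructed model, not the kernel's struct)."""
    user: str
    role: str
    type: str
    mls_range: str  # e.g. "s0" or "s0-s15:c0.c1023"

    def __str__(self) -> str:
        return f"{self.user}:{self.role}:{self.type}:{self.mls_range}"


# Stand-in for the thread's level alias mySystemHigh (constructed value).
MY_SYSTEM_HIGH = "s15:c0.c1023"

# Rules keyed the way the kernel keys them: (creating domain, parent directory type, class).
TYPE_TRANSITIONS = {("mydomain_t", "var_log_t", "file"): "mypriv_var_log_t"}
# Rule as Stephen suggests: the target is the parent directory type.
RANGE_TRANSITIONS_CORRECT = {("mydomain_t", "var_log_t", "file"): MY_SYSTEM_HIGH}
# Rule from the original post: the target is the *final* file type, which the lookup key never contains.
RANGE_TRANSITIONS_ORIGINAL = {("mydomain_t", "mypriv_var_log_t", "file"): MY_SYSTEM_HIGH}


def low_level(mls_range: str) -> str:
    """Low end of an MLS range: "s0-s15:c0.c1023" -> "s0"."""
    return mls_range.split("-", 1)[0]


def new_file_context(creator, parent_dir, type_transitions, range_transitions, tclass="file"):
    """Label a new file the way the kernel's transition lookup does (simplified):
    both rule tables are consulted with one key built from the creator's type
    and the parent directory's type, never from the type the file ends up with."""
    key = (creator.type, parent_dir.type, tclass)
    new_type = type_transitions.get(key, parent_dir.type)                  # default: parent dir type
    new_range = range_transitions.get(key, low_level(creator.mls_range))   # default: creator's low level
    return Context(creator.user, "object_r", new_type, new_range)


# Constructed contexts: the creating process and the /var/log directory.
CREATOR = Context("system_u", "system_r", "mydomain_t", "s0-s15:c0.c1023")
VAR_LOG_DIR = Context("system_u", "object_r", "var_log_t", "s0")


def label_with_original_rules():
    return new_file_context(CREATOR, VAR_LOG_DIR, TYPE_TRANSITIONS, RANGE_TRANSITIONS_ORIGINAL)


def label_with_correct_rules():
    return new_file_context(CREATOR, VAR_LOG_DIR, TYPE_TRANSITIONS, RANGE_TRANSITIONS_CORRECT)


if __name__ == "__main__":
    print("original rules: ", label_with_original_rules())  # type changes, level stays at s0
    print("corrected rules:", label_with_correct_rules())   # type changes and level is s15:c0.c1023
```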
Arnold, Paul C CTR USARMY PEO STRI (US)
2017-12-19 14:36:38 UTC
Post by Stephen Smalley
Sorry, are you saying that mydomain_t is creating a file in /var/log,
and that you both want the file type to be set to mypriv_var_log_t and
the level set to mySystemHigh?
That is correct.
Post by Stephen Smalley
type_transition mydomain_t var_log_t:file mypriv_var_log_t;
range_transition mydomain_t var_log_t:file mySystemHigh;
(obviously you might instead be using refpolicy macros/interfaces to
achieve the same end)
In both cases, the source type corresponds to the creating process, the
target type corresponds to the parent directory type, and the new type
or level is applied to new files.
Ah, using the parent type for the range_transition was not obvious to
me.  It is working properly for me now, thanks for your assistance.
Regards,
--
Paul Arnold, CISSP
Cole Engineering Services, Inc.