http://bugzilla.novell.com/show_bug.cgi?id=582399
http://bugzilla.novell.com/show_bug.cgi?id=582399#c0

Summary: init is not transitioning out of system_u/sysadm_t when init_upstart=0 boolean is set
Classification: openSUSE
Product: openSUSE 11.2
Version: Final
Platform: All
OS/Version: openSUSE 11.2
Status: NEW
Severity: Major
Priority: P5 - None
Component: Security
AssignedTo: security-team@suse.de
ReportedBy: justinmattock@gmail.com
QAContact: qa@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2b1) Gecko/20091114 Firefox/3.6b1

In order to boot up SELinux in permissive mode one needs to enable the init_upstart boolean. Seems OK if SUSE was using upstart, but it's not.

Example: with init_upstart=0

ps -AZ
LABEL PID TTY TIME CMD
system_u:system_r:init_t 1 ? 00:00:03 init
system_u:system_r:kernel_t 2 ? 00:00:00 kthreadd
system_u:system_r:kernel_t 3 ? 00:00:00 migration/0
system_u:system_r:kernel_t 4 ? 00:00:00 ksoftirqd/0
system_u:system_r:kernel_t 5 ? 00:00:00 watchdog/0
system_u:system_r:kernel_t 6 ? 00:00:00 migration/1
system_u:system_r:kernel_t 7 ? 00:00:00 ksoftirqd/1
system_u:system_r:kernel_t 8 ? 00:00:00 watchdog/1
system_u:system_r:kernel_t 9 ? 00:00:00 events/0
system_u:system_r:kernel_t 10 ? 00:00:00 events/1
system_u:system_r:kernel_t 11 ? 00:00:00 khelper
system_u:system_r:kernel_t 12 ? 00:00:00 netns
system_u:system_r:kernel_t 13 ? 00:00:00 async/mgr
system_u:system_r:kernel_t 14 ? 00:00:00 kintegrityd/0
system_u:system_r:kernel_t 15 ? 00:00:00 kintegrityd/1
system_u:system_r:kernel_t 16 ? 00:00:00 kblockd/0
system_u:system_r:kernel_t 17 ? 00:00:00 kblockd/1
system_u:system_r:kernel_t 18 ? 00:00:00 kacpid
system_u:system_r:kernel_t 19 ? 00:00:00 kacpi_notify
system_u:system_r:kernel_t 20 ? 00:00:00 kacpi_hotplug
system_u:system_r:kernel_t 21 ? 00:00:00 ata/0
system_u:system_r:kernel_t 22 ? 00:00:00 ata/1
system_u:system_r:kernel_t 23 ? 00:00:00 ata_aux
system_u:system_r:kernel_t 24 ? 00:00:00 ksuspend_usbd
system_u:system_r:kernel_t 25 ? 00:00:00 khubd
system_u:system_r:kernel_t 26 ? 00:00:00 kseriod
system_u:system_r:kernel_t 27 ? 00:00:00 kondemand/0
system_u:system_r:kernel_t 28 ? 00:00:00 kondemand/1
system_u:system_r:kernel_t 29 ? 00:00:00 khungtaskd
system_u:system_r:kernel_t 30 ? 00:00:00 pdflush
system_u:system_r:kernel_t 31 ? 00:00:00 pdflush
system_u:system_r:kernel_t 32 ? 00:00:00 kswapd0
system_u:system_r:kernel_t 33 ? 00:00:00 aio/0
system_u:system_r:kernel_t 34 ? 00:00:00 aio/1
system_u:system_r:kernel_t 40 ? 00:00:00 scsi_eh_0
system_u:system_r:kernel_t 41 ? 00:00:00 scsi_eh_1
system_u:system_r:kernel_t 45 ? 00:00:00 scsi_eh_2
system_u:system_r:kernel_t 46 ? 00:00:00 scsi_eh_3
system_u:system_r:kernel_t 54 ? 00:00:00 kpsmoused
system_u:system_r:kernel_t 55 ? 00:00:00 usbhid_resumer
system_u:system_r:kernel_t 250 ? 00:00:00 kjournald2
system_u:system_r:sysadm_t 316 ? 00:00:00 stapio
system_u:system_r:kernel_t 321 ? 00:00:00 systemtap/0
system_u:system_r:kernel_t 322 ? 00:00:00 systemtap/1
system_u:system_r:sysadm_t 332 ? 00:00:00 startpar
system_u:system_r:sysadm_t 345 ? 00:00:00 udevd
system_u:system_r:kernel_t 456 ? 00:00:00 khpsbpkt
system_u:system_r:kernel_t 483 ? 00:00:00 applesmc-led
system_u:system_r:kernel_t 512 ? 00:00:00 knodemgrd_0
system_u:system_r:kernel_t 575 ? 00:00:00 hd-audio0
system_u:system_r:kernel_t 584 ? 00:00:00 phy0
system_u:system_r:kernel_t 625 ? 00:00:00 bluetooth
system_u:system_r:kernel_t 689 ? 00:00:00 kauditd
system_u:system_r:kernel_t 701 ? 00:00:00 kstriped
system_u:system_r:sysadm_t 1040 ? 00:00:00 acpid
system_u:system_r:sysadm_dbusd_t 1059 ? 00:00:00 dbus-daemon
system_u:system_r:sysadm_t 1178 ? 00:00:00 rsyslogd
system_u:system_r:kernel_t 1179 ? 00:00:00 kconservative/0
system_u:system_r:kernel_t 1180 ? 00:00:00 kconservative/1
system_u:system_r:sysadm_t 1230 ? 00:00:00 auditd
system_u:system_r:sysadm_t 1232 ? 00:00:00 audispd
system_u:system_r:sysadm_t 1234 ? 00:00:00 rpcbind
system_u:system_r:sysadm_t 1261 ? 00:00:00 udevd
system_u:system_r:sysadm_t 1262 ? 00:00:00 udevd
system_u:system_r:sysadm_t 1380 ? 00:00:00 cupsd
system_u:system_r:sysadm_t 1388 ? 00:00:00 irqbalance
system_u:system_r:sysadm_t 1399 ? 00:00:00 nscd
system_u:system_r:sysadm_t 1469 ? 00:00:00 sshd
system_u:system_r:sysadm_t 1478 ? 00:00:00 smartd
system_u:system_r:sysadm_t 1480 ? 00:00:00 postfix
system_u:system_r:sysadm_t 1504 ? 00:00:00 cron
system_u:system_r:sysadm_t 1524 ? 00:00:00 stop_preload
system_u:system_r:sysadm_t 1525 ? 00:00:00 waitforidle
system_u:system_r:sysadm_t 1526 ? 00:00:00 startpar
system_u:system_r:sysadm_t 1614 ? 00:00:00 login
system_u:system_r:sysadm_t 1615 tty2 00:00:00 agetty
system_u:system_r:sysadm_t 1616 tty3 00:00:00 agetty
system_u:system_r:sysadm_t 1619 tty4 00:00:00 agetty
system_u:system_r:sysadm_t 1622 tty5 00:00:00 agetty
system_u:system_r:sysadm_t 1624 tty6 00:00:00 agetty
name:sysadm_r:sysadm_t 1645 tty1 00:00:00 bash
system_u:system_r:sysadm_t 1710 ? 00:00:00 sleep
name:sysadm_r:sysadm_t 1711 tty1 00:00:00 ps

The system drops you into init 3 (no gdm/xserver etc.), and with init_upstart=1 the system boots up fine:

LABEL PID TTY TIME CMD
system_u:system_r:init_t 1 ? 00:00:02 init
system_u:system_r:kernel_t 2 ? 00:00:00 kthreadd
system_u:system_r:kernel_t 3 ? 00:00:00 migration/0
system_u:system_r:kernel_t 4 ? 00:00:00 ksoftirqd/0
system_u:system_r:kernel_t 5 ? 00:00:00 watchdog/0
system_u:system_r:kernel_t 6 ? 00:00:00 migration/1
system_u:system_r:kernel_t 7 ? 00:00:00 ksoftirqd/1
system_u:system_r:kernel_t 8 ? 00:00:00 watchdog/1
system_u:system_r:kernel_t 9 ? 00:00:00 events/0
system_u:system_r:kernel_t 10 ? 00:00:00 events/1
system_u:system_r:kernel_t 11 ? 00:00:00 khelper
system_u:system_r:kernel_t 12 ? 00:00:00 netns
system_u:system_r:kernel_t 13 ? 00:00:00 async/mgr
system_u:system_r:kernel_t 14 ? 00:00:00 kintegrityd/0
system_u:system_r:kernel_t 15 ? 00:00:00 kintegrityd/1
system_u:system_r:kernel_t 16 ? 00:00:00 kblockd/0
system_u:system_r:kernel_t 17 ? 00:00:00 kblockd/1
system_u:system_r:kernel_t 18 ? 00:00:00 kacpid
system_u:system_r:kernel_t 19 ? 00:00:00 kacpi_notify
system_u:system_r:kernel_t 20 ? 00:00:00 kacpi_hotplug
system_u:system_r:kernel_t 21 ? 00:00:01 ata/0
system_u:system_r:kernel_t 22 ? 00:00:00 ata/1
system_u:system_r:kernel_t 23 ? 00:00:00 ata_aux
system_u:system_r:kernel_t 24 ? 00:00:00 ksuspend_usbd
system_u:system_r:kernel_t 25 ? 00:00:00 khubd
system_u:system_r:kernel_t 26 ? 00:00:00 kseriod
system_u:system_r:kernel_t 27 ? 00:00:00 kondemand/0
system_u:system_r:kernel_t 28 ? 00:00:00 kondemand/1
system_u:system_r:kernel_t 29 ? 00:00:00 khungtaskd
system_u:system_r:kernel_t 30 ? 00:00:00 pdflush
system_u:system_r:kernel_t 31 ? 00:00:00 pdflush
system_u:system_r:kernel_t 32 ? 00:00:00 kswapd0
system_u:system_r:kernel_t 33 ? 00:00:00 aio/0
system_u:system_r:kernel_t 34 ? 00:00:00 aio/1
system_u:system_r:kernel_t 40 ? 00:00:03 scsi_eh_0
system_u:system_r:kernel_t 41 ? 00:00:00 scsi_eh_1
system_u:system_r:kernel_t 45 ? 00:00:00 scsi_eh_2
system_u:system_r:kernel_t 46 ? 00:00:00 scsi_eh_3
system_u:system_r:kernel_t 54 ? 00:00:00 kpsmoused
system_u:system_r:kernel_t 55 ? 00:00:00 usbhid_resumer
system_u:system_r:kernel_t 236 ? 00:00:00 kjournald2
system_u:system_r:udev_t 333 ? 00:00:00 udevd
system_u:system_r:kernel_t 474 ? 00:00:00 khpsbpkt
system_u:system_r:kernel_t 486 ? 00:00:00 applesmc-led
system_u:system_r:kernel_t 552 ? 00:00:00 knodemgrd_0
system_u:system_r:kernel_t 563 ? 00:00:00 hd-audio0
system_u:system_r:kernel_t 588 ? 00:00:03 phy0
system_u:system_r:kernel_t 612 ? 00:00:00 bluetooth
system_u:system_r:kernel_t 682 ? 00:00:00 kauditd
system_u:system_r:kernel_t 696 ? 00:00:00 kstriped
system_u:system_r:initrc_t 1125 ? 00:00:00 acpid
system_u:system_r:system_dbusd_t 1149 ? 00:00:04 dbus-daemon
system_u:system_r:syslogd_t 1199 ? 00:00:00 rsyslogd
system_u:system_r:xdm_t 1229 ? 00:00:00 gdm
system_u:system_r:kernel_t 1238 ? 00:00:00 kconservative/0
system_u:system_r:kernel_t 1239 ? 00:00:00 kconservative/1
system_u:system_r:hald_t 1241 ? 00:00:01 hald
system_u:system_r:system_dbusd_t 1252 ? 00:00:00 console-kit-dae
system_u:system_r:hald_t 1253 ? 00:00:00 hald-runner
system_u:system_r:xdm_t 1258 ? 00:00:00 gdm-simple-slav
system_u:system_r:xdm_xserver_t 1339 tty7 00:00:09 Xorg
system_u:system_r:initrc_t 1348 ? 00:00:00 startpar
system_u:system_r:auditd_t 1367 ? 00:00:00 auditd
system_u:system_r:audisp_t 1370 ? 00:00:00 audispd
system_u:system_r:rpcbind_t 1375 ? 00:00:00 rpcbind
system_u:system_r:hald_t 1398 ? 00:00:00 hald-addon-inpu
system_u:system_r:hald_t 1407 ? 00:00:00 hald-addon-rfki
system_u:system_r:hald_t 1408 ? 00:00:00 hald-addon-leds
system_u:system_r:hald_t 1420 ? 00:00:00 hald-addon-macb
system_u:system_r:hald_t 1423 ? 00:00:01 hald-addon-stor
system_u:system_r:hald_t 1428 ? 00:00:00 hald-addon-cpuf
system_u:system_r:hald_t 1429 ? 00:00:00 hald-addon-acpi
system_u:system_r:udev_t 1449 ? 00:00:00 udevd
system_u:system_r:xdm_t 1500 ? 00:00:00 dbus-launch
system_u:system_r:system_dbusd_t 1524 ? 00:00:00 devkit-power-da
system_u:system_r:udev_t 1595 ? 00:00:00 bluetoothd
system_u:system_r:irqbalance_t 1630 ? 00:00:01 irqbalance
system_u:system_r:cupsd_t 1636 ? 00:00:00 cupsd
system_u:system_r:avahi_t 1638 ? 00:00:00 avahi-daemon
system_u:system_r:nscd_t 1652 ? 00:00:00 nscd
system_u:system_r:NetworkManager_t 1686 ? 00:00:02 NetworkManager
system_u:system_r:system_dbusd_t 1697 ? 00:00:00 modem-manager
system_u:system_r:system_dbusd_t 1701 ? 00:00:00 wpa_supplicant
system_u:system_r:system_dbusd_t 1703 ? 00:00:00 nm-system-setti
system_u:system_r:kernel_t 1753 ? 00:00:00 krfcommd
system_u:system_r:sshd_t 1790 ? 00:00:00 sshd
system_u:system_r:fsdaemon_t 1833 ? 00:00:00 smartd
system_u:system_r:postfix_master_t 1870 ? 00:00:00 master
system_u:system_r:postfix_qmgr_t 1892 ? 00:00:00 qmgr
system_u:system_r:crond_t 1904 ? 00:00:00 cron
system_u:system_r:xdm_t 1938 ? 00:00:00 gdm-session-wor
system_u:system_r:system_dbusd_t 1940 ? 00:00:10 polkitd
system_u:system_r:system_dbusd_t 1972 ? 00:00:00 rtkit-daemon
system_u:system_r:getty_t 2071 tty1 00:00:00 agetty
system_u:system_r:getty_t 2072 tty2 00:00:00 agetty
system_u:system_r:getty_t 2074 tty3 00:00:00 agetty
system_u:system_r:getty_t 2076 tty4 00:00:00 agetty
system_u:system_r:getty_t 2077 tty5 00:00:00 agetty
system_u:system_r:getty_t 2079 tty6 00:00:00 agetty
system_u:system_r:xdm_t 2105 ? 00:00:00 gnome-keyring-d
name:user_r:user_t 2118 ? 00:00:00 gnome-session
name:user_r:user_t 2193 ? 00:00:00 seahorse-agent
name:user_r:user_t 2201 ? 00:00:00 dbus-launch
name:user_r:user_dbusd_t 2203 ? 00:00:00 dbus-daemon
name:user_r:user_dbusd_t 2206 ? 00:00:00 gconfd-2
name:user_r:user_t 2213 ? 00:00:00 dbus-launch
name:user_r:user_dbusd_t 2214 ? 00:00:00 dbus-daemon
name:user_r:user_dbusd_t 2218 ? 00:00:00 gconfd-2
name:user_r:user_t 2226 ? 00:00:00 seahorse-daemon
name:user_r:user_t 2227 ? 00:00:01 gnome-settings-
name:user_r:user_dbusd_t 2229 ? 00:00:00 gvfsd
name:user_r:user_dbusd_t 2234 ? 00:00:00 gvfs-fuse-daemo
name:user_r:user_t 2256 ? 00:00:00 metacity
name:user_r:user_t 2260 ? 00:00:00 pulseaudio
name:user_r:user_t 2263 ? 00:00:01 gnome-panel
name:user_r:user_t 2264 ? 00:00:01 nautilus
name:user_r:user_t 2266 ? 00:00:00 bonobo-activati
name:user_r:user_t 2270 ? 00:00:00 gpk-update-icon
name:user_r:user_t 2284 ? 00:00:00 python
name:user_r:user_t 2289 ? 00:00:00 polkit-gnome-au
name:user_r:user_t 2290 ? 00:00:00 gnome-power-man
name:user_r:user_t 2296 ? 00:00:00 bash
name:user_r:user_t 2299 ? 00:00:02 main-menu
name:user_r:user_t 2300 ? 00:00:00 bluetooth-apple
name:user_r:user_t 2302 ? 00:00:00 nm-applet
name:user_r:user_t 2305 ? 00:00:00 gnome-volume-co
name:user_r:user_t 2306 ? 00:00:01 tomboy
name:user_r:user_t 2307 ? 00:00:00 gnome-do
name:user_r:user_t 2309 ? 00:00:00 gnome-screensav
name:user_r:user_dbusd_t 2317 ? 00:00:00 gvfsd-trash
name:user_r:user_t 2319 ? 00:00:12 gnome-do
name:user_r:user_dbusd_t 2321 ? 00:00:00 notification-da
name:user_r:user_dbusd_t 2345 ? 00:00:00 gvfs-gdu-volume
system_u:system_r:system_dbusd_t 2354 ? 00:00:01 devkit-disks-da
system_u:system_r:system_dbusd_t 2356 ? 00:00:03 devkit-disks-da
name:user_r:user_dbusd_t 2362 ? 00:00:00 gvfs-gphoto2-vo
name:user_r:user_dbusd_t 2375 ? 00:00:00 gvfsd-burn
system_u:system_r:dhcpc_t 2377 ? 00:00:00 dhclient
name:user_r:user_t 2383 ? 00:00:00 gconf-helper
name:user_r:user_t 2386 ? 00:00:03 gnome-terminal
name:user_r:user_t 2387 ? 00:00:00 gnome-pty-helpe
name:user_r:user_t 2388 pts/2 00:00:00 bash
system_u:system_r:kernel_t 2649 ? 00:00:00 rpciod/0
system_u:system_r:kernel_t 2650 ? 00:00:00 rpciod/1
system_u:system_r:kernel_t 2651 ? 00:00:00 kslowd
system_u:system_r:kernel_t 2652 ? 00:00:00 kslowd
system_u:system_r:kernel_t 2653 ? 00:00:00 nfsiod
system_u:system_r:system_dbusd_t 2664 ? 00:00:00 rpc.idmapd
name:user_r:user_su_t 4374 pts/2 00:00:00 su
name:user_r:user_t 4379 pts/2 00:00:00 bash
system_u:system_r:postfix_pickup_t 5012 ? 00:00:00 pickup
system_u:system_r:udev_t 5459 ? 00:00:00 udevd
name:user_r:user_t 5492 pts/2 00:00:00 ps

Here I am able to transition into the role that I had chosen, name:user_r:user_t. There is discussion on the refpolicy lists about this.

Reproducible: Always

Steps to Reproduce:
1. vim /etc/selinux/refpolicy*/booleans
2. init_upstart=0/1
3. reboot

Actual Results:
As I write this bugzilla there is discussion on this on the refpolicy list:

    As I said, I think the solution here is just to disable the transition to sysadm_t, at least if DISTRO=suse.
    -Stephen Smalley

Expected Results:
Boot up SUSE without having to switch on the init_upstart boolean (or switch it on if you use upstart).
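As an added illustration, not code from the report or from openSUSE, here is a small Python parser for the `ps -AZ` format quoted above: it lists which system-started (system_u) processes are sitting in sysadm_t and diffs the per-daemon domains between the two boots. The sample rows are constructed by copying a handful of lines from the two listings in the report.

```python
import re

# Constructed samples: rows copied from the report's two ps -AZ listings
# (init_upstart=0 first, init_upstart=1 second).
PS_UPSTART_OFF = """\
LABEL PID TTY TIME CMD
system_u:system_r:init_t 1 ? 00:00:03 init
system_u:system_r:kernel_t 2 ? 00:00:00 kthreadd
system_u:system_r:sysadm_t 345 ? 00:00:00 udevd
system_u:system_r:sysadm_dbusd_t 1059 ? 00:00:00 dbus-daemon
system_u:system_r:sysadm_t 1178 ? 00:00:00 rsyslogd
system_u:system_r:sysadm_t 1469 ? 00:00:00 sshd
name:sysadm_r:sysadm_t 1645 tty1 00:00:00 bash
"""
PS_UPSTART_ON = """\
LABEL PID TTY TIME CMD
system_u:system_r:init_t 1 ? 00:00:02 init
system_u:system_r:kernel_t 2 ? 00:00:00 kthreadd
system_u:system_r:udev_t 333 ? 00:00:00 udevd
system_u:system_r:system_dbusd_t 1149 ? 00:00:04 dbus-daemon
system_u:system_r:syslogd_t 1199 ? 00:00:00 rsyslogd
system_u:system_r:sshd_t 1790 ? 00:00:00 sshd
name:user_r:user_t 2296 ? 00:00:00 bash
"""

# LABEL PID TTY TIME CMD; the header line has no numeric PID and is skipped.
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d\d:\d\d:\d\d)\s+(.+)$")

def parse_ps_az(text):
    """Split each ps -AZ row into its SELinux user, role, type and command."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        label, pid, tty, _time, cmd = m.groups()
        user, role, domain = label.split(":")[:3]  # an MLS level, if any, is dropped
        rows.append({"user": user, "role": role, "domain": domain,
                     "pid": int(pid), "tty": tty, "cmd": cmd.strip()})
    return rows

def system_processes_in(rows, domain):
    """Commands started by the system (system_u) that run in `domain`.
    With init_upstart=0 every init-spawned daemon is stuck in sysadm_t
    instead of reaching its own confined domain (udev_t, sshd_t, ...)."""
    return sorted({r["cmd"] for r in rows
                   if r["user"] == "system_u" and r["domain"] == domain})

def domain_changes(before, after):
    """Per-command domain differences between two listings: cmd -> (old, new)."""
    old = {r["cmd"]: r["domain"] for r in before if r["user"] == "system_u"}
    new = {r["cmd"]: r["domain"] for r in after if r["user"] == "system_u"}
    return {c: (old[c], new[c]) for c in old if c in new and old[c] != new[c]}
```

Run against a full `ps -AZ` capture, a non-empty result from `system_processes_in(rows, "sysadm_t")` is the quickest sign that init did not transition its children as the policy intended.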