> What OS?
> $ rpm -q selinux-policy

selinux-policy-3.9.16-48.fc15.noarch, but as I already mentioned, this is a (heavily) modified policy. See Dominick's suggestions at the top of this thread on what has been modified.
If I implement Dominick's suggestions as a separate module, which is *not* part of the policy, I don't get these syntax errors and I get my mypol.pp file. If I try to do that as part of the policy-building process, then it fails with the syntax error I already mentioned. I can't include this separate module (mypol.pp), because I am building a LiveCD image and the root filesystem (/) is read-only, so as soon as I insert/install mypol.pp with semodule -i, it will be gone the next time I reboot. So I have to incorporate these changes (provided that is what I have to do!) as part of the policy (selinux-targeted), not as a separate module.
All this is beside the point though. SSHD (5.8 is the version I tried before I backtracked to the previous one I used, 5.5p1) now has some new privilege-separation code and it seems to be causing me all these errors. I did a little investigation yesterday before I gave up, and if I include "UsePrivilegeSeparation no" in sshd_config, then I do not get the dyntransition avc, but I do get all the other ones (like { read }, { unlink } on file/directory etc.) which are associated with a domain (sshd_t) which has no permission to access those files/directories. That, to me, indicates that this "privilege separation" issue is not completely gone even if I set "UsePrivilegeSeparation no".
When I revert to 5.5p1 everything is hunky-dory and I have no such issues, provided I switch sftpd_full_access to "on"; otherwise I get the same avc as above.
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
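The post lists several AVC denials against sshd_t (dyntransition on a process, read and unlink on files/directories) and reasons from them about whether a boolean or a policy change is the right fix. Grouping denials by source domain, target class and permission before deciding is the usual first step. The script below is an added example, not code from this thread or from the selinux-policy package: it parses a few constructed audit lines (the privsep target type `example_privsep_t` is a placeholder, not a real policy type) with POSIX awk and summarises them. Point it at the real `audit.log` (or `ausearch -m avc` output) to get the same summary for a live system.

```shell
#!/bin/sh
# Added example: summarise AVC denial lines by source domain, target class and
# permission. The sample lines below are constructed; the target type
# example_privsep_t is a placeholder, not a type from the Fedora policy.

AVC_SAMPLE='type=AVC msg=audit(1300000000.001:10): avc:  denied  { dyntransition } for  pid=1234 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:example_privsep_t:s0 tclass=process
type=AVC msg=audit(1300000000.002:11): avc:  denied  { read } for  pid=1235 comm="sshd" name="authorized_keys" dev=dm-0 ino=42 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1300000000.003:12): avc:  denied  { unlink } for  pid=1235 comm="sshd" name="upload" dev=dm-0 ino=43 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir'

# summarise_avc: read audit lines on stdin, print "count domain tclass perm".
summarise_avc() {
    awk '
    /avc:  denied/ {
        perm = ""; dom = ""; cls = ""
        # the permission set sits between "{ " and " }"
        if (match($0, /\{ [^}]* \}/)) {
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        }
        for (i = 1; i <= NF; i++) {
            # source domain is the third field of scontext=user:role:type:...
            if ($i ~ /^scontext=/) {
                split(substr($i, 10), p, ":"); dom = p[3]
            }
            if ($i ~ /^tclass=/) cls = substr($i, 8)
        }
        count[dom " " cls " " perm]++
    }
    END { for (k in count) print count[k], k }' | sort -k2
}

# count_denials: number of distinct (domain, class, permission) triples
# in the constructed sample.
count_denials() {
    printf '%s\n' "$AVC_SAMPLE" | summarise_avc | wc -l | tr -d ' '
}

# has_denial DOMAIN PERM: succeed if the sample contains a denial of PERM
# for source domain DOMAIN.
has_denial() {
    printf '%s\n' "$AVC_SAMPLE" | summarise_avc | grep -q " $1 .* $2\$"
}

# Summary for the constructed sample; replace the printf with
# "cat /var/log/audit/audit.log | summarise_avc" on a real system.
printf '%s\n' "$AVC_SAMPLE" | summarise_avc
```

A dyntransition denial with tclass=process points at the privilege-separation domain switch the post describes, while file/dir denials under user_home_t are the kind a boolean such as sftpd_full_access is meant to cover; separating the two in the summary makes it clear which of them a given config change actually removed.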