Step-by-Step Guide To Creating SELinux Policy for Google Earth

Daniel J Walsh dwalsh at redhat.com
Mon Jun 26 12:08:04 UTC 2006


Benjy Grogan wrote:
> On 6/20/06, Stephen Smalley <sds at tycho.nsa.gov> wrote:
>> On Tue, 2006-06-20 at 15:46 -0400, Benjy Grogan wrote:
>> > How do you verify that you're using enableaudit.pp and not base.pp?  I
>> > get these avcs after building and loading enableaudit but my Google
>> > Earth policy still gives off zero avcs after 20 minutes of use.  Which
>> > would be great if it actually ran in enforcing mode.
>> >
>> > Jun 20 15:18:03 localhost kernel: audit(1150831083.862:3836): avc:
>> > denied  { siginh } for
>> > pid=7029 comm="setfiles" scontext=user_u:system_r:semanage_t:s0
>> > tcontext=user_u:system_r:setfiles_t:s0 tclass=process
>> > Jun 20 15:18:03 localhost kernel: audit(1150831083.862:3837): avc:
>> > denied  { rlimitinh } for  pid=7029 comm="setfiles"
>> > scontext=user_u:system_r:semanage_t:s0
>> > tcontext=user_u:system_r:setfiles_t:s0 tclass=process
>> > Jun 20 15:18:03 localhost kernel: audit(1150831083.862:3838): avc:
>> > denied  { noatsecure } for  pid=7029 comm="setfiles"
>> > scontext=user_u:system_r:semanage_t:s0
>> > tcontext=user_u:system_r:setfiles_t:s0 tclass=process
>>
>> Those avcs suggest that you are using enableaudit.pp, as they would
>> normally be silenced by dontaudit rules.  Try running the program under
>> strace and checking the output to see precisely where it is failing.
>> One case where we get no auditing at all is the net_admin capability
>> check upon netlink recv; that will be fixed by a pending patch in the
>> audit tree.  Hopefully googleearth doesn't need that though ;)
>
> Thanks.  strace showed me that the problem was my own fault.  I was
> incorrectly using auditdeny.
>
> I'm currently trying to get my Google Earth selinux policy to allow
> CUPS.  It's allowed but I find the cupsd_t domain's need to access the
> SElinux config and security file contexts strange.  You can see below.
> Is this normal?
>
> # Google Earth printing to CUPS
> gen_require(`
>     type cupsd_etc_t;
>     type cupsd_rw_etc_t;
>     type cupsd_var_run_t;
>     type ipp_port_t;
> ')
> # how come cupsd_t has been denied these privileges and why would it 
> need them?
> allow cupsd_t security_t:dir search;
> allow cupsd_t security_t:file read;
> allow cupsd_t selinux_config_t:dir search;
> allow cupsd_t selinux_config_t:file { getattr read };
>
It does not need it.  This is only because you are running in permissive 
mode.  The first access would have been dontaudited and all of the other 
avc's would not have been created.
> # use CUPS service...
> cups_read_config(googleearth_t)
> allow googleearth_t cupsd_var_run_t:dir search;
> allow googleearth_t self:netlink_route_socket { r_netlink_socket_perms };
> corenet_tcp_sendrecv_ipp_port(googleearth_t)
> corenet_tcp_connect_ipp_port(googleearth_t)
>
> Benjy
>
>
>
>>
>> -- 
>> Stephen Smalley
>> National Security Agency
>>
>>
>
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
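The thread turns on reading kernel AVC lines like the ones Benjy quoted and turning them into candidate allow rules, and on Dan's point that permissive mode lets a chain of accesses continue past the first (normally dontaudited) denial. As an added example, not code from the thread or from the SELinux reference policy, here is a small Python script that does what audit2allow does for such lines: it parses the scontext/tcontext/tclass fields, merges the permissions for each (source type, target type, class) triple, and renders one allow rule per triple. The first three sample lines are the ones quoted above; the fourth (the cupsd_t search on security_t, with its dev= and ino= fields) is constructed to illustrate a second triple.

```python
"""Aggregate SELinux AVC denials into candidate allow rules.

Added example (not from the mailing-list thread); it mirrors what
audit2allow does for kernel audit lines of the form quoted above.
The generated rules are a starting point for review: a denial that only
shows up with enableaudit.pp loaded is normally silenced by a dontaudit
rule and should not simply be allowed.
"""
import re
from collections import defaultdict

# Constructed sample log: the first three lines are the denials quoted in
# the thread; the fourth is constructed to show a second type/class triple.
SAMPLE_LOG = """\
Jun 20 15:18:03 localhost kernel: audit(1150831083.862:3836): avc: denied  { siginh } for  pid=7029 comm="setfiles" scontext=user_u:system_r:semanage_t:s0 tcontext=user_u:system_r:setfiles_t:s0 tclass=process
Jun 20 15:18:03 localhost kernel: audit(1150831083.862:3837): avc: denied  { rlimitinh } for  pid=7029 comm="setfiles" scontext=user_u:system_r:semanage_t:s0 tcontext=user_u:system_r:setfiles_t:s0 tclass=process
Jun 20 15:18:03 localhost kernel: audit(1150831083.862:3838): avc: denied  { noatsecure } for  pid=7029 comm="setfiles" scontext=user_u:system_r:semanage_t:s0 tcontext=user_u:system_r:setfiles_t:s0 tclass=process
Jun 20 15:20:11 localhost kernel: audit(1150831211.104:3840): avc: denied  { search } for  pid=7102 comm="cupsd" name="selinux" dev=dm-0 ino=12345 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
"""

# Matches the permission set and the three context fields of an AVC denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_avcs(text):
    """Yield (source type, target type, class, permission set) per AVC line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial; ignore the line
        yield (context_type(m["scontext"]), context_type(m["tcontext"]),
               m["tclass"], set(m["perms"].split()))


def aggregate(text):
    """Merge the permissions seen for each (source, target, class) triple."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_avcs(text):
        merged[(src, tgt, cls)] |= perms
    return dict(merged)


def allow_rules(text):
    """Render one policy-language allow rule per triple, in sorted order."""
    rules = []
    for (src, tgt, cls), perms in sorted(aggregate(text).items()):
        rendered = " ".join(sorted(perms))
        if len(perms) > 1:
            rendered = "{ " + rendered + " }"
        rules.append(f"allow {src} {tgt}:{cls} {rendered};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)
```

Run against the sample, the three semanage_t lines collapse into a single `allow semanage_t setfiles_t:process { noatsecure rlimitinh siginh };` rule, which is exactly the kind of rule the reference policy already covers with dontaudit. The constructed cupsd_t line yields a lone `dir search` rule; in enforcing mode that first denial would have stopped cupsd before any follow-on `file read` on the same directory was attempted, which is why the later denials in Benjy's module only appear in permissive mode.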