Debian testing +selinux
Stephen Smalley
sds at tycho.nsa.gov
Mon Jul 23 14:14:22 UTC 2007
On Mon, 2007-07-23 at 09:09 -0500, Justin Conover wrote:
> I'm not sure if there is a regular selinux mailing list or not, I
> mainly use Fedora but thought someone here might be able to help.
http://www.nsa.gov/selinux/info/list.cfm
> I'm playing with selinux on Debian Testing and decided to try and
> write a policy from following the fc5 faq
>
> http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385
>
>
> Here is what I have done:
>
> comatose:~# sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: permissive
> Mode from config file: permissive
> Policy version: 21
> Policy from config file: refpolicy-targeted
>
> comatose:~# audit2allow -m local -l -i /var/log/audit/audit.log > local.te
> comatose:~# checkmodule -M -m -o local.mod local.te
> checkmodule: loading policy configuration from local.te
> checkmodule: policy configuration loaded
> checkmodule: writing binary representation (version 6) to local.mod
> comatose:~# semodule_package -o local.pp -m local.mod
> comatose:~# semodule -i local.pp
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> hald_t memory_device_t:chr_file { read };
> libsepol.check_assertions: 1 assertion violations occured
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule: Failed!
>
>
>
> comatose:~# cat local.te
>
> module local 1.0;
>
> require {
> type unconfined_t;
> type lib_t;
> type xserver_log_t;
> type mount_t;
> type var_run_t;
> type syslogd_t;
> type etc_runtime_t;
> type initrc_t;
> type xdm_t;
> type udev_t;
> type device_t;
> type hald_t;
> type xdm_xserver_t;
> type memory_device_t;
> type insmod_t;
> type dhcpc_t;
> type var_t;
> type etc_t;
> type security_t;
> class fifo_file write;
> class process { execstack execmem signal };
> class unix_stream_socket { read write };
> class chr_file read;
> class fd use;
> class file { write rename getattr append read create unlink execute_no_trans };
> class filesystem getattr;
> class dir { write remove_name create add_name rmdir };
> }
>
> #============= dhcpc_t ==============
> allow dhcpc_t etc_runtime_t:file unlink;
>
> #============= hald_t ==============
> allow hald_t memory_device_t:chr_file read;
The above rule violates a neverallow statement in your base policy to
catch dangerous rules (like access to /dev/mem or /dev/kmem, as in this
case). Options:
- remove the rule entirely,
- replace "allow" with "dontaudit" to silence the audit message without
allowing it,
- use the appropriate refpolicy interface to allow it in a way that
marks hald_t with a typeattribute authorized for such access.
> allow hald_t var_t:file { read getattr };
>
> #============= insmod_t ==============
> allow insmod_t xdm_t:fd use;
> allow insmod_t xdm_xserver_t:unix_stream_socket { read write };
> allow insmod_t xserver_log_t:file write;
>
> #============= mount_t ==============
> allow mount_t security_t:filesystem getattr;
>
> #============= syslogd_t ==============
> allow syslogd_t device_t:fifo_file write;
>
> #============= udev_t ==============
> allow udev_t etc_t:dir { write remove_name add_name };
> allow udev_t etc_t:file { write rename create unlink append };
> allow udev_t initrc_t:process signal;
> allow udev_t lib_t:file execute_no_trans;
> allow udev_t var_run_t:dir { create rmdir };
>
> #============= unconfined_t ==============
> allow unconfined_t self:process { execstack execmem };
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
Stephen Smalley
National Security Agency
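As an added illustration (not part of the thread, and not refpolicy's own code), here is the second option from the reply applied to the offending rule: the hald_t part of the posted local.te with the allow replaced by a dontaudit, so the module no longer trips the neverallow but the /dev/mem denial stops flooding the audit log. Only the hald_t section is shown; the remaining rules from the posted module are unchanged and would follow it.

```selinux
# Added example, not the poster's module and not refpolicy code.
# Same module name/version as the posted local.te so semodule -i
# replaces the failed attempt rather than adding a second module.
module local 1.0;

require {
	type hald_t;
	type memory_device_t;
	class chr_file read;
}

#============= hald_t ==============
# Was:  allow hald_t memory_device_t:chr_file read;
# That rule grants raw access to /dev/mem and /dev/kmem, which the base
# policy forbids with a neverallow, so semodule rejected the module.
# dontaudit changes no access decision (the read is still denied in
# enforcing mode) but suppresses the AVC message that audit2allow
# turned into the allow rule above.
dontaudit hald_t memory_device_t:chr_file read;
```

Build and load it with the same checkmodule / semodule_package / semodule sequence from the post; because neverallow assertions are only checked against allow rules, the dontaudit loads cleanly. If the access is really needed, the third option from the reply is the one to use: write the module in refpolicy style (policy_module(local, 1.0) built with the refpolicy Makefile instead of a hand-written require block) and call the devices interface that grants the read and at the same time adds hald_t to the attribute the neverallow exempts, which in refpolicy's devices.if is dev_read_raw_memory(hald_t) (assuming the Debian refpolicy version installed ships that interface; check with sepolicy or by grepping /usr/share/selinux/devel/include before relying on the name).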