Stuck in init_t
Stephen Smalley
sds at tycho.nsa.gov
Wed May 14 17:22:58 UTC 2008
On Wed, 2008-05-14 at 11:12 -0400, Sciola, Dario wrote:
> Classification: UNCLASSIFIED
>
> Hi,
>
> I've got a small application that I'm trying to get running as a
> service on an FC8 SELinux box. I've got an entry in my inittab file
> to kick start the app, but all my attempts at writing an appropriate
> policy leave that app running in the init_t domain.
This kind of question likely belongs on selinux at tycho.nsa.gov, not here
- it isn't really Fedora-specific.
> The inittab file entry is:
>
> cds:2345:respawn:/usr/bin/CDSserver -l -p 2732
>
> ps -efZ (observing this as a 'root' user) gives:
>
> system_u:system_r:init_t:s0 root 2663 1 0 10:01 ?
> 00:00:00 /usr/bin/CDSserver -l -p 2732
>
> My .te file contains:
>
> policy_module(cdsserver,1.0.3)
>
> ########################################
> #
> # Declarations
> #
> ########################################
>
> # Type declarations
> ###################
>
> # the target domain:
> type cds_t;
>
> # Entrypoint for exec
> type cds_exec_t;
>
>
> # domain type
> #domain_type(cds_t)
>
> # Mark cds_t as a domain and cds_exec_t as an entrypoint
> init_daemon_domain(cds_t, cds_exec_t)
init_daemon_domain is for a normal daemon started by an /etc/rc.d
script, not for something directly started by /sbin/init.
You want init_domain() instead I think.
> domain_entry_file(cds_t, cds_exec_t)
This should be covered by the above.
> allow cds_t self:process execmem;
Better if you can avoid that.
> ...
>
> My .fc file contains:
>
> /usr/bin/CDSserver -- gen_context(system_u:object_r:cds_exec_t,s0)
>
>
> My .if file contains:
>
> interface(`cds_domtrans',`
> gen_require(`
> type cds_t, cds_exec_t;
> ')
>
> domain_auto_trans($1,cds_exec_t,cds_t)
>
> allow $1 cds_t:fd use;
> allow cds_t $1:fd use;
> allow cds_t $1:fifo_file rw_file_perms;
> allow cds_t $1:process sigchld;
> ')
>
> I've also tried putting init_t as $1 in the domain_auto_trans()
An .if file serves no purpose unless you have something that calls the
interfaces it defines. It just defines a set of interfaces for
other .te files to use.
> Why isn't the process transitioning to cds_t? I've looked at a lot of
> sites and examples and can't seem to figure out my problem. The policy
> is the targeted FC8 policy. Module compiles and loads (semodule) fine.
>
> # sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: permissive
> Mode from config file: permissive
> Policy version: 21
> Policy from config file: targeted
>
> Any ideas?
>
>
> Dario Sciola
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
Stephen Smalley
National Security Agency
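As an added example (not part of the thread, and not the poster's or Stephen Smalley's code): the corrected module put together the way the reply suggests, with init_domain() in place of init_daemon_domain(), the .fc entry on one line, and no .if file since nothing calls it, plus the build, load, relabel and restart steps that have to happen before a transition out of init_t can be observed. The types cds_t / cds_exec_t and the path /usr/bin/CDSserver come from the thread; the module name "cdsserver", the version bump, and the use of the refpolicy devel Makefile in /usr/share/selinux/devel are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Writes a minimal SELinux policy
# module for a service that /sbin/init spawns directly from /etc/inittab,
# then (separately) builds, loads and activates it. Assumes an FC8-era
# selinux-policy-devel install providing /usr/share/selinux/devel/Makefile.
set -eu

# Write cdsserver.te and cdsserver.fc into the directory given as $1.
write_policy_files() {
    dir="$1"
    mkdir -p "$dir"

    cat > "$dir/cdsserver.te" <<'EOF'
policy_module(cdsserver, 1.0.4)

########################################
#
# Declarations
#
########################################

# the target domain:
type cds_t;

# Entrypoint for exec
type cds_exec_t;

# The process is started directly by /sbin/init from inittab, so use
# init_domain(): it marks cds_t as a domain, cds_exec_t as its entry
# point, adds cds_t to system_r, and sets up the init_t -> cds_t
# transition. init_daemon_domain() instead sets up a transition from
# initrc_t (the /etc/rc.d script domain), which an inittab entry never
# passes through, so the process stays in init_t.
init_domain(cds_t, cds_exec_t)

########################################
#
# Local policy
#
########################################

# Add the service's actual needs here (its listening port, its files).
# Stay in permissive mode and derive them from the AVC denials with
# audit2allow rather than granting broad permissions such as execmem.
EOF

    # One rule per line: path, file type (-- = regular file), context.
    cat > "$dir/cdsserver.fc" <<'EOF'
/usr/bin/CDSserver    --    gen_context(system_u:object_r:cds_exec_t,s0)
EOF
}

# Build, install, relabel and restart. Needs root and the devel Makefile;
# not run automatically. The relabel step is the one most often missed:
# a new .fc entry changes nothing on an already-installed binary until
# restorecon is run, and init has to exec the respawn entry again before
# the transition can take effect.
build_and_load() {
    dir="$1"
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile cdsserver.pp )
    semodule -i "$dir/cdsserver.pp"
    restorecon -v /usr/bin/CDSserver
    ls -Z /usr/bin/CDSserver        # expect cds_exec_t on the binary
    telinit q                       # make init re-read /etc/inittab
    pkill -x CDSserver || true      # respawn re-execs it under the new label
    ps -eZ | grep CDSserver         # expect cds_t, not init_t
}
```

Usage: `write_policy_files ./cdsserver && build_and_load ./cdsserver` as root. If `ps -eZ` still shows init_t after the restart, check `ls -Z` on the binary first; a label other than cds_exec_t means the relabel did not happen and no policy change will help until it does.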