Selfmade policy not getting enforced on Fedora9
Stefan Schleifer
stefan.schleifer at gmail.com
Wed May 28 19:23:53 UTC 2008
On May 28, 2008, at 8:44 PM, Daniel J Walsh wrote:
> You need to define a transition rule from the domain that is executing
> the demo application.
>
> So if you are running as unconfined_t you will need a rule like
>
> domtrans_pattern(unconfined_t, demo_exec_t, demo_t)
> role unconfined_r types demo_t;
Hey,
You folks rock, thx a bunch. I forget the transition rule. As
suggested, I added:
domain_auto_trans(unconfined_t, demo_exec_t, demo_t);
and now the app runs as demo_t:
[stefan at localhost policy]$ ps -efZ | grep demo
unconfined_u:unconfined_r:demo_t:s0-s0:c0.c1023 root 2856 2510 0 20:56
pts/2 00:00:00 /usr/local/bin/demo
However, when I set SELinux to enforcing mode again, the app produces
a seg fault, doesn't even coming to the point, where it writes to the
file. Furthermore, the SELinux Troubleshooter doesn't alert me about
having blocked something..
May I dare to ask, what's still missing?
The policy as a whole:
policy_module(demo,1.0.0)
########################################
#
# Declarations
#
type demo_t;
type demo_exec_t;
application_domain(demo_t, demo_exec_t);
domain_auto_trans(unconfined_t, demo_exec_t, demo_t);
role unconfined_r types demo_t;
role system_r types demo_t;
require {
type unconfined_t;
role unconfined_r;
}
type demo_tmp_t;
files_tmp_file(demo_tmp_t)
type demo_etc_rw_t;
files_type(demo_etc_rw_t)
########################################
#
# demo local policy
#
## internal communication is often done using fifo and unix sockets.
allow demo_t self:fifo_file rw_file_perms;
allow demo_t self:unix_stream_socket create_stream_socket_perms;
files_read_etc_files(demo_t)
libs_use_ld_so(demo_t)
libs_use_shared_libs(demo_t)
miscfiles_read_localization(demo_t)
allow demo_t demo_tmp_t:file manage_file_perms;
allow demo_t demo_tmp_t:dir create_dir_perms;
files_tmp_filetrans(demo_t,demo_tmp_t, { file dir })
allow demo_t demo_etc_rw_t:file manage_file_perms;
allow demo_t demo_etc_rw_t:dir manage_dir_perms;
files_etc_filetrans(demo_t,demo_etc_rw_t, { file dir })
optional_policy(`
gen_require(`
type user_t;
type user_devpts_t;
type user_tty_device_t;
role user_r;
')
demo_run(user_t, user_r, { user_tty_device_t user_devpts_t })
')
Many thanks,
Stefan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 186 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20080528/97f93c1b/attachment.sig>
More information about the fedora-selinux-list
mailing list