Help with SELinux Policy for Usability Study

Dominick Grift domg472 at gmail.com
Thu Jul 30 08:44:04 UTC 2009


On Thu, 2009-07-30 at 12:04 +0800, Cliffe wrote:
> Dear SELinux Gurus,
> 
> I am a PhD candidate conducting research into the usability of
> security mechanisms. I would really appreciate some help regarding the
> use of SELinux. Let me know if this is not the right place to be
> asking these types of questions.
> 
> I generated a policy for opera using polgengui. I then ran the
> generated ./opera.sh.
> 
> Although SELinux was still set to enforcing mode, opera seemed to run
> unconfined. The executable and process were labelled as expected
> (unconfined_u:unconfined_r:opera_t). AVCs were generated, but not
> enforced.
> 
> I added to opera.te using
> grep opera /var/log/audit/audit.log | audit2allow >> opera.te
> and reran ./opera.sh
> until no AVCs were generated.
> 
> Looking at opera.te I noticed the line “permissive opera_t”, and not
> knowing exactly what this line does, I thought it may be placing this
> domain into permissive mode (although the gui tools suggest
> otherwise). Removing the line causes “/bin/sh: /usr/bin/opera:
> Permission denied”. No AVCs are generated.

Yes, permissive opera_t makes opera_t a permissive domain indeed.
To expose any possible hidden denials run: semodule -DB
To hide them again: semodule -B

> So I am not sure why opera seems to be unconfined, or if removing the
> permissive line was on the right track. Any advice?
> 
> Also I tried creating a policy for kwrite. This time the created
> policy seemed to be in effect as soon as I ran the kwrite.sh script. I
> set setenforce 0 and added to kwrite.te (as above for opera) until no
> error msgs were generated. Then I reran ./kwrite.sh. Now kwrite exits
> with "kwrite(2533): Couldn't register name
> 'org.kate-editor.kwrite-2533' with DBUS - another process owns it
> already!". When setenforce 0 it runs without AVCs.

This is probably a DBUS issue. DBUS is an SELinux object manager. This
means that DBUS itself provides classes and permissions for some of its
objects. DBUS also enforces policy for these objects.

DBUS logs some user avc denials in audit.log (ausearch -m user_avc -ts
today | grep dbus).

DBUS also logs some denials in /var/log/messages.

> Again I am sure I am missing something simple and your advice will
> help a lot.
> 
> I need to resolve this asap and will really appreciate any advice.
> 
> Soon I will be running a comparative study comparing a number of
> security mechanisms and I need to sort this out.

Good luck.

On an unrelated note:
I recently created an extensive series of screencasts showing how to
confine a GUI app with SELinux (google-gadgets)

http://www.youtube.com/results?search_query=SELinux+confine+a+GUI+app

> Thank you,
> 
> Cliffe.
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
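An added triage script for the two symptoms in this thread (not from either poster): it separates kernel AVC records carrying permissive=1 (logged but not enforced, which is what a "permissive opera_t" line in the .te file produces) from enforced ones, pulls the refused service names out of the USER_AVC records that dbus-daemon emits as object manager, and checks a generated .te file for a permissive declaration. The audit records and .te fragment are constructed for the example; on a real system feed it "ausearch -m avc,user_avc -ts today" output instead.

```shell
#!/bin/sh
# Constructed audit records standing in for /var/log/audit/audit.log.
# Record 101/102: opera_t denials with permissive=1 (not enforced).
# Record 103: a USER_AVC from dbus-daemon refusing a bus name (tclass=dbus).
# Record 104: an enforced denial (permissive=0) in another domain.
sample_audit() {
cat <<'EOF'
type=AVC msg=audit(1248943444.100:101): avc:  denied  { read } for  pid=2510 comm="opera" name="prefs.ini" scontext=unconfined_u:unconfined_r:opera_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1248943444.200:102): avc:  denied  { write } for  pid=2511 comm="opera" name="cache" scontext=unconfined_u:unconfined_r:opera_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1
type=USER_AVC msg=audit(1248943444.300:103): pid=1234 uid=81 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { acquire_svc } for service=org.kate-editor.kwrite-2533 spid=2533 scontext=unconfined_u:unconfined_r:kwrite_t:s0 tcontext=unconfined_u:unconfined_r:kwrite_t:s0 tclass=dbus'
type=AVC msg=audit(1248943444.400:104): avc:  denied  { execute } for  pid=2533 comm="sh" name="opera" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:opera_exec_t:s0 tclass=file permissive=0
EOF
}

# Count kernel AVC denials for a source domain ($1, e.g. opera_t) that carry
# permissive=1: they were logged but NOT enforced. A non-zero count while
# getenforce says Enforcing is the signature of a permissive domain.
unenforced_avcs() {
    grep '^type=AVC ' | grep "scontext=[^ ]*:$1:" |
        awk '/permissive=1/ { n++ } END { print n + 0 }'
}

# Count kernel AVC denials for domain $1 that really were enforced.
enforced_avcs() {
    grep '^type=AVC ' | grep "scontext=[^ ]*:$1:" |
        awk '/permissive=0/ { n++ } END { print n + 0 }'
}

# List the bus names dbus-daemon refused. These live in USER_AVC records
# written by the daemon itself, not in kernel AVC records, so they are easy
# to overlook when only kernel denials are reviewed.
dbus_denied_services() {
    grep '^type=USER_AVC ' | grep 'tclass=dbus' |
        sed -n 's/.*service=\([^ ]*\).*/\1/p'
}

# Succeed if the .te text on stdin still declares domain $1 permissive,
# with or without the trailing semicolon that polgen emits.
te_declares_permissive() {
    grep -q "^[[:space:]]*permissive[[:space:]][[:space:]]*$1\([[:space:]]*;\)\{0,1\}[[:space:]]*$"
}
```

Run "sample_audit | unenforced_avcs opera_t" to see the two unenforced opera_t denials, and "te_declares_permissive opera_t < opera.te" to check a generated module before building it.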