SE Linux policy

Russell Coker russell at coker.com.au
Mon Apr 26 22:26:08 UTC 2004


On Mon, 26 Apr 2004 20:05, Krzysztof Mazurczyk <kmazurczyk at wskiz.poznan.pl> 
wrote:
> > > I have started playing with new SE Linux. I have it already running.
> > > BTW minor question: There are messages in log that /sbin/unix_verify
> > > is denied to do something. The system seems to work well. Because
> > > /sbin/unix_verify is from libpam-modules I'm not sure what to do -
> > > ignore or add some rules to policy for /sbin/unix_verify.
> >
> > What access is denied?
>
> avc:  denied  { getattr } for  pid=1768 exe=/sbin/unix_verify
> path=/proc/1768/mounts dev= ino=115867664 scontext=system_u:system_r:
> system_chkpwd_t tcontext=system_u:system_r:system_chkpwd_t tclass=file

Allow this.  The main policy will be changed to allow this.

> avc:  denied  { use } for  pid=3608 exe=/sbin/unix_verify path=/dev/null
> dev=sda2 ino=2021 scontext=system_u:system_r:system_chkpwd_t tcontext=
> system_u:system_r:system_crond_t tclass=fd

This looks like a bug in the policy; it should have been allowed.  Please file 
a bug on bugzilla.

> avc:  denied  { read write } for  pid=1795 exe=/sbin/unix_verify
> path=/dev/tty1 dev=sda2 ino=2845 scontext=system_u:system_r:
> system_chkpwd_t tcontext=root:object_r:sysadm_tty_device_t tclass=
> chr_file

This looks like a bug in pam, that file handle should have been closed before 
the execution of unix_verify.

> avc:  denied  { search } for  pid=1795 exe=/sbin/unix_verify name=run
> dev=sda5 ino=31172 scontext=system_u:system_r:system_chkpwd_t
> tcontext=system_u:object_r:var_run_t tclass=dir

We should have a dontaudit for that.

> > The following is the start of what is needed for a first cut at it.  Try
> > it and let me know how it goes.
> > domain_auto_trans(initrc_t, uml_exec_t, sysadm_uml_t)
>
> Yes, I have found it. But then I've got 'security-compute-sid: invalid
> context system_u:system_r:sysadm_uml_t for scontext=system_u:system_r:
> initrc_t tcontext=system_u:object_r:uml_exec_t tclass=process'. Googling
> hasn't told me what to do.

In this case:
role system_r types sysadm_uml_t;

But long-term I think that the right thing to do is to make some changes to 
the UML policy to cover this and related issues.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
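
As an added example (not part of the thread or of any SE Linux tool), the triage Russell applies above, in Python: parse the quoted AVC denials into source type, target type, object class and permissions, then emit an allow or dontaudit rule for each, skipping the tty denial that the reply attributes to pam rather than to the policy. The line list is the thread's denials rejoined onto single lines, and the dontaudit/skip type lists are constructed for this example.

```python
import re

# Constructed sample: the four AVC denials quoted in the thread, each
# rejoined onto one line (the mail client had wrapped them).
AVC_LINES = [
    "avc:  denied  { getattr } for  pid=1768 exe=/sbin/unix_verify path=/proc/1768/mounts dev= ino=115867664 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:system_r:system_chkpwd_t tclass=file",
    "avc:  denied  { use } for  pid=3608 exe=/sbin/unix_verify path=/dev/null dev=sda2 ino=2021 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:system_r:system_crond_t tclass=fd",
    "avc:  denied  { read write } for  pid=1795 exe=/sbin/unix_verify path=/dev/tty1 dev=sda2 ino=2845 scontext=system_u:system_r:system_chkpwd_t tcontext=root:object_r:sysadm_tty_device_t tclass=chr_file",
    "avc:  denied  { search } for  pid=1795 exe=/sbin/unix_verify name=run dev=sda5 ino=31172 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:object_r:var_run_t tclass=dir",
]

# Permissions sit in braces; scontext/tcontext/tclass are the last three fields.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    # user:role:type -> type (the field policy rules are written against)
    return ctx.split(":")[2]

def parse_avc(line):
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": m.group("perms").split(),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }

def to_rule(denial, kind="allow"):
    perms = " ".join(denial["perms"])
    return f"{kind} {denial['stype']} {denial['ttype']}:{denial['tclass']} {{ {perms} }};"

def triage(lines, dontaudit_types=("var_run_t",), skip_types=("sysadm_tty_device_t",)):
    # Constructed triage: silence noise with dontaudit, leave application
    # bugs (a leaked tty fd) out of the policy, allow the rest.
    rules = []
    for line in lines:
        d = parse_avc(line)
        if d is None or d["ttype"] in skip_types:
            continue
        kind = "dontaudit" if d["ttype"] in dontaudit_types else "allow"
        rules.append(to_rule(d, kind))
    return rules
```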
