HELP: transition denied regardless of policy?

Aleksander Adamowski aleksander.adamowski.fedora at altkom.pl
Thu May 26 01:39:52 UTC 2005


Hi!

I'm having a problem with FC3 strict policy. Basically, I've customised 
the policy to cover all that I need on that system, but there's one last 
denial that I'm unable to remedy:

May 26 03:26:01 machinename kernel: audit(1117070761.996:0): avc:  denied  { transition } for  pid=11773 exe=/bin/bash path=/home/twiki/bin/mailnotify dev=hda1 ino=51463 scontext=root:sysadm_r:sysadm_crond_t tcontext=root:system_r:twiki_t tclass=process

(where /home/twiki/bin/mailnotify has a context of 
system_u:object_r:twiki_exec_t.)

This is directly related to my twiki.te policy:

#BEGIN
daemon_domain(twiki)
var_lib_domain(twiki)
domain_auto_trans(httpd_t, twiki_exec_t, twiki_t)

# daemon_domain(twiki) gets this done anyway:
#role_transition sysadm_r twiki_exec_t system_r;

domain_auto_trans(sysadm_crond_t, twiki_exec_t, twiki_t)
# domain_auto_trans should do it, but duplicating it doesn't hurt:
role sysadm_r types twiki_t;
allow sysadm_crond_t twiki_t:process transition;

# exe=/usr/bin/perl path=/etc/ld.so.cache :
allow twiki_t etc_t:file { getattr read };


allow httpd_t twiki_exec_t:dir { getattr search };
allow httpd_t twiki_exec_t:file ioctl;
allow httpd_t twiki_var_lib_t:dir { getattr read search };
allow httpd_t twiki_var_lib_t:file { append getattr ioctl read };
allow twiki_t bin_t:dir { search };
allow twiki_t bin_t:file { getattr };
allow twiki_t crond_t:fifo_file { ioctl read write };
allow twiki_t home_root_t:dir { search };
allow twiki_t twiki_exec_t:dir { search };
allow twiki_t urandom_device_t:chr_file { read };

allow twiki_t unlabeled_t:dir { getattr read search };

allow httpd_sys_script_t httpd_runtime_t:file write;
allow httpd_sys_script_t httpd_t:tcp_socket ioctl;
allow httpd_sys_script_t twiki_var_lib_t:dir { add_name remove_name search write };
allow httpd_sys_script_t twiki_var_lib_t:file { create getattr read unlink };
allow httpd_t twiki_var_lib_t:dir { add_name remove_name write };
allow httpd_t twiki_var_lib_t:file { create rename setattr unlink write };
#END

The problem is that although
domain_auto_trans(sysadm_crond_t, twiki_exec_t, twiki_t)
...allows for:
allow sysadm_crond_t twiki_t:process transition;

and I've even allowed that process transition (allow sysadm_crond_t 
twiki_t:process transition;) explicitly a few rows later (actually 
audit2allow has given me this), the transition to root:system_r:twiki_t 
is still denied.

Am I missing something?

-- 
Best Regards,
    Aleksander Adamowski
        GG#: 274614
        ICQ UIN: 19780575 
	http://olo.ab.altkom.pl
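The denial above is on class process, permission transition, and its source and target contexts carry different roles (sysadm_r and system_r). The kernel masks process transition permission whenever the two roles differ and no role-allow rule (`allow sysadm_r system_r;`) pairs them, so a correct `allow src tgt:process transition;` still produces exactly this AVC when the role pair is missing; the new role must also be authorised for the target type (`role system_r types twiki_t;`), or the target context is not valid at all. The script below is an added example, not code from the post or from the SELinux tools: it parses AVC lines of the format shown in the post, merges the denials per (source type, target type, class) the way audit2allow does, and, for any transition denial that changes role, appends the role-related lines to confirm in the loaded policy. The two etc_t denials and the unrelated line are constructed input used to exercise merging; the policy syntax assumed is the 2005-era .te language used in the post.

```python
"""Added example: turn SELinux AVC denial lines into the policy lines to check.

Assumptions (not from the original post): the log lines have the kernel's
"avc: denied { perms } for key=value ..." shape, and the policy being written
is the .te language used in the post (allow, role ... types, role allow rules).
"""
import re
from dataclasses import dataclass, field

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Avc:
    result: str
    perms: list
    fields: dict = field(default_factory=dict)

    def context(self, key):
        """Split user:role:type[:mls] into (user, role, type); an MLS field is dropped."""
        user, role, typ = self.fields[key].split(":")[:3]
        return user, role, typ


def parse_avc(line):
    """Return an Avc for an AVC audit line, or None for any other log line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return Avc(m.group("result"), m.group("perms").split(),
               dict(KV_RE.findall(m.group("rest"))))


def fmt_perms(perms):
    """Single permission bare, several in braces, as the policy compiler expects."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def allow_rule(avc):
    """The type-enforcement rule audit2allow would print for one denial."""
    s_type = avc.context("scontext")[2]
    t_type = avc.context("tcontext")[2]
    return f"allow {s_type} {t_type}:{avc.fields['tclass']} {fmt_perms(avc.perms)};"


def role_checks(avc):
    """Lines that must also exist when a denied process transition changes role.

    The kernel masks process 'transition' whenever source and target roles
    differ and no role-allow rule pairs them, and the target context is only
    valid if the new role is authorised for the target type.
    """
    if avc.fields.get("tclass") != "process" or "transition" not in avc.perms:
        return []
    _, s_role, _ = avc.context("scontext")
    _, t_role, t_type = avc.context("tcontext")
    checks = [f"role {t_role} types {t_type};"]
    if s_role != t_role:
        checks.append(f"allow {s_role} {t_role};  # role allow rule: {s_role} may change to {t_role}")
    return checks


def rules_from_log(lines):
    """Merge denials per (source type, target type, class) like audit2allow,
    then append the role checks for any transition denial that changes role."""
    merged, extra = {}, []
    for line in lines:
        avc = parse_avc(line)
        if avc is None or avc.result != "denied":
            continue
        key = (avc.context("scontext")[2], avc.context("tcontext")[2], avc.fields["tclass"])
        merged.setdefault(key, set()).update(avc.perms)
        for check in role_checks(avc):
            if check not in extra:
                extra.append(check)
    rules = [f"allow {s} {t}:{c} {fmt_perms(p)};" for (s, t, c), p in sorted(merged.items())]
    return rules + extra


# The denial from the post, re-joined onto one line.
POSTED = ("May 26 03:26:01 machinename kernel: audit(1117070761.996:0): avc:  denied  "
          "{ transition } for  pid=11773 exe=/bin/bash path=/home/twiki/bin/mailnotify "
          "dev=hda1 ino=51463 scontext=root:sysadm_r:sysadm_crond_t "
          "tcontext=root:system_r:twiki_t tclass=process")

# Constructed lines (not from the post) to exercise merging and non-AVC input.
CONSTRUCTED = [
    "kernel: audit(1117070762.001:0): avc:  denied  { getattr } for  pid=11774 exe=/usr/bin/perl "
    "path=/etc/ld.so.cache dev=hda1 ino=100 scontext=root:system_r:twiki_t "
    "tcontext=system_u:object_r:etc_t tclass=file",
    "kernel: audit(1117070762.002:0): avc:  denied  { read } for  pid=11774 exe=/usr/bin/perl "
    "path=/etc/ld.so.cache dev=hda1 ino=100 scontext=root:system_r:twiki_t "
    "tcontext=system_u:object_r:etc_t tclass=file",
    "kernel: some unrelated line",
]

if __name__ == "__main__":
    for rule in rules_from_log([POSTED] + CONSTRUCTED):
        print(rule)
```

Run on the posted line, the output is the `allow sysadm_crond_t twiki_t:process transition;` already in twiki.te followed by `role system_r types twiki_t;` and `allow sysadm_r system_r;`; the last of these is what audit2allow does not print and what a denial of this shape most often points at, so checking it in the loaded policy (for example with sesearch) is the next step before adding more type rules.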
