Step-by-Step Guide To Creating SELinux Policy for Google Earth

Benjy Grogan benjy.grogan at gmail.com
Sat Jun 24 02:54:19 UTC 2006


On 6/20/06, Stephen Smalley <sds at tycho.nsa.gov> wrote:
> On Tue, 2006-06-20 at 15:46 -0400, Benjy Grogan wrote:
> > How do you verify that you're using enableaudit.pp and not base.pp?  I
> > get these avcs after building and loading enableaudit but my Google
> > Earth policy still gives off zero avcs after 20 minutes of use.  Which
> > would be great if it actually ran in enforcing mode.
> >
> > Jun 20 15:18:03 localhost kernel: audit(1150831083.862:3836): avc:
> > denied  { siginh } for
> > pid=7029 comm="setfiles" scontext=user_u:system_r:semanage_t:s0
> > tcontext=user_u:system_r:setfiles_t:s0 tclass=process
> > Jun 20 15:18:03 localhost kernel: audit(1150831083.862:3837): avc:
> > denied  { rlimitinh } for  pid=7029 comm="setfiles"
> > scontext=user_u:system_r:semanage_t:s0
> > tcontext=user_u:system_r:setfiles_t:s0 tclass=process
> > Jun 20 15:18:03 localhost kernel: audit(1150831083.862:3838): avc:
> > denied  { noatsecure } for  pid=7029 comm="setfiles"
> > scontext=user_u:system_r:semanage_t:s0
> > tcontext=user_u:system_r:setfiles_t:s0 tclass=process
>
> Those avcs suggest that you are using enableaudit.pp, as they would
> normally be silenced by dontaudit rules.  Try running the program under
> strace and checking the output to see precisely where it is failing.
> One case where we get no auditing at all is the net_admin capability
> check upon netlink recv; that will be fixed by a pending patch in the
> audit tree.  Hopefully googleearth doesn't need that though ;)

Thanks.  strace showed me that the problem was my own fault.  I was
incorrectly using auditdeny.

I'm currently trying to get my Google Earth SELinux policy to allow
CUPS.  It's allowed but I find the cupsd_t domain's need to access the
SELinux config and security file contexts strange.  You can see below.
Is this normal?

# Google Earth printing to CUPS

# every type referenced by the rules below that is declared elsewhere
# must be listed here, or the module will fail to build
gen_require(`
	type cupsd_t;
	type cupsd_etc_t;
	type cupsd_rw_etc_t;
	type cupsd_var_run_t;
	type ipp_port_t;
	type security_t;
	type selinux_config_t;
')
# how come cupsd_t has been denied these privileges and why would it need them?
allow cupsd_t security_t:dir search;
allow cupsd_t security_t:file read;
allow cupsd_t selinux_config_t:dir search;
allow cupsd_t selinux_config_t:file { getattr read };

# use CUPS service...
cups_read_config(googleearth_t)
allow googleearth_t cupsd_var_run_t:dir search;
allow googleearth_t self:netlink_route_socket { r_netlink_socket_perms };
corenet_tcp_sendrecv_ipp_port(googleearth_t)
corenet_tcp_connect_ipp_port(googleearth_t)

Benjy



>
> --
> Stephen Smalley
> National Security Agency
>
>
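As an added example (not code from this thread, and not the refpolicy or audit2allow tooling), a small Python script that turns AVC lines like the ones quoted above into candidate allow rules and flags two things the thread touches on: denials whose source domain is not the module's own domain (the situation with the cupsd_t rules in the policy fragment in this message), and permissions that the base policy normally dontaudits, which appear only because enableaudit.pp is loaded. The sample log lines are the three denials quoted above, re-joined onto single lines; the module domain name googleearth_t is taken from the posted policy.

```python
import re
from collections import defaultdict

# Constructed sample: the three AVC lines quoted in this thread, each re-joined onto one line.
SAMPLE_AVCS = """\
Jun 20 15:18:03 localhost kernel: audit(1150831083.862:3836): avc:  denied  { siginh } for  pid=7029 comm="setfiles" scontext=user_u:system_r:semanage_t:s0 tcontext=user_u:system_r:setfiles_t:s0 tclass=process
Jun 20 15:18:03 localhost kernel: audit(1150831083.862:3837): avc:  denied  { rlimitinh } for  pid=7029 comm="setfiles" scontext=user_u:system_r:semanage_t:s0 tcontext=user_u:system_r:setfiles_t:s0 tclass=process
Jun 20 15:18:03 localhost kernel: audit(1150831083.862:3838): avc:  denied  { noatsecure } for  pid=7029 comm="setfiles" scontext=user_u:system_r:semanage_t:s0 tcontext=user_u:system_r:setfiles_t:s0 tclass=process
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Permissions the base policy normally hides with dontaudit rules.  Seeing them in
# the log is a sign that enableaudit.pp is loaded, not that the program needs them.
DONTAUDIT_NOISE = {"siginh", "rlimitinh", "noatsecure"}

def type_of(context):
    # user:role:type[:mls] -> type
    return context.split(":")[2]

def parse_avcs(text):
    """Return one (source_type, target_type, tclass, perm) tuple per denied permission."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        for perm in m.group("perms").split():
            denials.append((type_of(m.group("sctx")), type_of(m.group("tctx")),
                            m.group("tclass"), perm))
    return denials

def suggest_rules(denials, module_domain):
    """Collapse denials into allow rules and flag the ones that need a second look."""
    grouped = defaultdict(set)
    for stype, ttype, tclass, perm in denials:
        grouped[(stype, ttype, tclass)].add(perm)
    rules, warnings = [], []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        rule = f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        rules.append(rule)
        if stype != module_domain:
            # a rule for another domain (like the cupsd_t rules above) usually belongs in that domain's module
            warnings.append(f"foreign source domain {stype}: {rule}")
        if perms & DONTAUDIT_NOISE:
            warnings.append(f"normally dontaudited, probably enableaudit.pp noise: {rule}")
    return rules, warnings
```

Run `suggest_rules(parse_avcs(SAMPLE_AVCS), "googleearth_t")` to see the single collapsed rule for the three quoted denials together with both warnings.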




More information about the fedora-selinux-list mailing list