xen, selinux, FC5

Stephen Smalley sds at tycho.nsa.gov
Fri Oct 13 19:15:30 UTC 2006


On Fri, 2006-10-13 at 19:51 +0100, Robin Bowes wrote:
> Stephen Smalley wrote:
> > You need to do something different if you want to use refpolicy
> > interfaces (which are presently m4 macros, but will eventually be first
> > class constructs in the language that will be handled at link time);
> > storage_raw_read_fixed_disk() is such an interface.  The easiest thing
> > to do is to use the devel Makefile.  Instead of manually running
> > checkmodule and semodule_package, you just do:
> > 	mkdir xen
> > 	cp xen.te xen/
> > 	cd xen
> > 	make -f /usr/share/selinux/devel/Makefile
> > 
> > The Makefile will then handle pulling in the refpolicy interface
> > headers, applying m4, running checkmodule on the result, and running
> > semodule_package, leaving you with a xen.pp file that you can install.
> > 
> 
> Ok, I followed those instructions using the following .te file:
> 
> module local 1.0;
> 
> require {
>         class blk_file read;
>         class chr_file { read write };
>         class dir { add_name create search setattr write };
>         class fd use;
>         class file { append create read write };
>         class unix_stream_socket { read write };
>         type fixed_disk_device_t;
>         type home_root_t;
>         type ifconfig_t;
>         type local_login_t;
>         type netutils_t;
>         type proc_xen_t;
>         type tmp_t;
>         type tty_device_t;
>         type user_home_dir_t;
>         type user_home_t;
>         type var_log_t;
>         type var_run_t;
>         type xend_t;
>         type xend_var_log_t;
>         type xm_t;
>         role system_r;
> };
> 
> allow ifconfig_t var_log_t:file append;
> allow netutils_t proc_xen_t:file { read write };
> allow netutils_t xend_t:unix_stream_socket { read write };
> allow netutils_t xend_var_log_t:file { append write };
> allow xend_t home_root_t:dir { search write };
> allow xend_t local_login_t:fd use;
> allow xend_t tmp_t:dir search;
> allow xend_t tty_device_t:chr_file { read write };
> allow xend_t user_home_dir_t:dir { search write };
> allow xend_t user_home_t:dir { add_name search write };
> allow xend_t user_home_t:file { create write };
> allow xend_t var_run_t:dir { create setattr };
> allow xm_t fixed_disk_device_t:blk_file read;
> 
> 
> When I tried to install the module, I got this error:
> 
> # semodule -i xen.pp
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> xm_t fixed_disk_device_t:blk_file { read };
> libsepol.check_assertions: 1 assertion violations occured
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule:  Failed!
> 
> What am I doing wrong?

From the above, you are still directly allowing read access to a fixed
disk device rather than using the storage_raw_read_fixed_disk()
interface.  IOW, replace your 'allow xm_t fixed_disk_device_t:blk_file
read;' statement with:
	storage_raw_read_fixed_disk(xm_t)

That was the point of switching to using the devel Makefile, so that you
could use the above interface.  Which already expands to the necessary
declarations and rules to allow the access without violating the
assertion/neverallow rule.

There isn't anything magic here; it is just that
storage_raw_read_fixed_disk() as defined
in /usr/share/selinux/devel/include/kernel/storage.if already expands to
the right set of rules, and by using it, you insulate yourself from the
policy details that might change over time or between systems.  Same
thing applies to all of your rules; if there is already an interface for
that purpose, you are better off using it.  

-- 
Stephen Smalley
National Security Agency
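As an added example, not code from the thread or from refpolicy: a small Python helper that scans a .te module for direct allow rules against fixed_disk_device_t and rewrites them to the storage_raw_read_fixed_disk() interface call the reply recommends, so the neverallow assertion is not tripped at install time. The interface mapping table (only the one entry from the thread), the rule regex and the sample module text are constructed assumptions.

```python
import re

# Constructed map from a direct (target type, class, permission) triple to the
# refpolicy interface that grants it; the only entry is the one named in the thread.
INTERFACE_FOR = {
    ("fixed_disk_device_t", "blk_file", "read"): "storage_raw_read_fixed_disk",
}

# Matches one-line rules such as:  allow xm_t fixed_disk_device_t:blk_file read;
ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;\s*$")


def rewrite_rule(line):
    """Return the replacement line(s) for one allow rule, or [line] if unchanged."""
    m = ALLOW_RE.match(line)
    if not m:
        return [line]
    src, tgt, cls, perm_field = m.groups()
    perms = perm_field.strip("{} ").split()
    kept, calls = [], []
    for perm in perms:
        iface = INTERFACE_FOR.get((tgt, cls, perm))
        if iface:
            calls.append(f"{iface}({src})")   # interface call replaces the raw rule
        else:
            kept.append(perm)                 # no interface known: keep as direct rule
    if not calls:
        return [line]
    if kept:
        rest = kept[0] if len(kept) == 1 else "{ " + " ".join(kept) + " }"
        calls.append(f"allow {src} {tgt}:{cls} {rest};")
    return calls


def rewrite_te(text):
    """Rewrite a whole .te module; returns (new_text, list of (old, new) pairs)."""
    out, changes = [], []
    for line in text.splitlines():
        new = rewrite_rule(line)
        if new != [line]:
            changes.append((line.strip(), " / ".join(new)))
        out.extend(new)
    return "\n".join(out) + "\n", changes


# Constructed sample: a subset of the module posted in the thread.
SAMPLE_TE = """module local 1.0;
allow xend_t tmp_t:dir search;
allow xm_t fixed_disk_device_t:blk_file read;
"""

if __name__ == "__main__":
    new_text, changes = rewrite_te(SAMPLE_TE)
    for old, new in changes:
        print(f"{old}  ->  {new}")
    print(new_text)
```

The rewritten module still has to be built with the devel Makefile, since the interface is an m4 macro that only expands there.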
