Selfmade policy not getting enforced on Fedora9
eparis at redhat.com
Wed May 28 18:28:32 UTC 2008
On Wed, 2008-05-28 at 20:18 +0200, Stefan Schleifer wrote:
> Hey guys,
> As you might guess, I've a problem with my SELinux-policy under Fedora
> I created a little test application 'demo' which reads some text from
> stdin and writes it in a config file /etc/hackbar/config.txt.
> Afterwarts, I developed a policy with types demo_t, demo_exec_t und
> demo_etc_t and allowed demo_exec_to to read/write demo_etc_t.
> Everything's fine.
> For testing purposes I changed /etc/hackbar/config.txt to type etc_t
> which demo_exec_t shouldn't be able to access as there doesn't exist
> an allow demo_exec_t r/w etc_t.
> [stefan at localhost policy]$ ls -Z /usr/local/bin/demo
> -rwsr-sr-x root root system_u:object_r:demo_exec_t:s0 /usr/local/
> [stefan at localhost policy]$ ls -Z /etc/hackbar/config.txt
> -rwxr-xr-x root root system_u:object_r:etc_t:s0 /etc/hackbar/
> Again I ran the application but it is still allowed to change that
> [stefan at localhost policy]$ /usr/local/bin/demo
> Enter text: foobar
> Read from file: foobar
> Regarding to standard UNIX permissions access should be granted as the
> demo-app has suid set, but shouldn't SELinux permitt access anyway in
> this case?
> SELinux is in enforcing mode.
> [stefan at localhost policy]$ /usr/sbin/sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: enforcing
> Mode from config file: enforcing
> Policy version: 22
> Policy from config file: targeted
> I'm rather confused...
Are you sure you have the right transition rule from whatever you shell
runs as ?unconfined_t? to demo_t if you run a demo_exec_t binary? What
to you see from ps -efZ | grep demo while your program is running??
More information about the fedora-selinux-list