[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Selfmade policy not getting enforced on Fedora9

Hey guys,

As you might guess, I've a problem with my SELinux-policy under Fedora 9.

I created a little test application 'demo' which reads some text from stdin and writes it in a config file /etc/hackbar/config.txt.

Afterwarts, I developed a policy with types demo_t, demo_exec_t und demo_etc_t and allowed demo_exec_to to read/write demo_etc_t. Everything's fine.

For testing purposes I changed /etc/hackbar/config.txt to type etc_t which demo_exec_t shouldn't be able to access as there doesn't exist an allow demo_exec_t r/w etc_t.

[stefan localhost policy]$ ls -Z /usr/local/bin/demo
-rwsr-sr-x root root system_u:object_r:demo_exec_t:s0 /usr/local/ bin/demo
[stefan localhost policy]$ ls -Z /etc/hackbar/config.txt
-rwxr-xr-x root root system_u:object_r:etc_t:s0 /etc/hackbar/ config.txt

Again I ran the application but it is still allowed to change that file?!

[stefan localhost policy]$ /usr/local/bin/demo
Enter text: foobar
Read from file: foobar

Regarding to standard UNIX permissions access should be granted as the demo-app has suid set, but shouldn't SELinux permitt access anyway in this case?

SELinux is in enforcing mode.

[stefan localhost policy]$ /usr/sbin/sestatus
SELinux status:			enabled
SELinuxfs mount:			/selinux
Current mode:			enforcing
Mode from config file:		enforcing
Policy version:			22
Policy from config file:		targeted

I'm rather confused...

best regards,

Attachment: PGP.sig
Description: This is a digitally signed message part

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]