Selfmade policy not getting enforced on Fedora9

Stefan Schleifer stefan.schleifer at
Wed May 28 18:18:47 UTC 2008

Hey guys,

As you might guess, I've a problem with my SELinux-policy under Fedora  

I created a little test application 'demo' which reads some text from  
stdin and writes it in a config file /etc/hackbar/config.txt.

Afterwarts, I developed a policy with types demo_t, demo_exec_t und  
demo_etc_t and allowed demo_exec_to to read/write demo_etc_t.  
Everything's fine.

For testing purposes I changed /etc/hackbar/config.txt to type etc_t  
which demo_exec_t shouldn't be able to access as there doesn't exist  
an allow demo_exec_t r/w etc_t.

[stefan at localhost policy]$ ls -Z /usr/local/bin/demo
-rwsr-sr-x   root   root   system_u:object_r:demo_exec_t:s0 /usr/local/ 
[stefan at localhost policy]$ ls -Z /etc/hackbar/config.txt
-rwxr-xr-x   root   root   system_u:object_r:etc_t:s0 /etc/hackbar/ 

Again I ran the application but it is still allowed to change that  

[stefan at localhost policy]$ /usr/local/bin/demo
Enter text: foobar
Read from file: foobar

Regarding to standard UNIX permissions access should be granted as the  
demo-app has suid set, but shouldn't SELinux permitt access anyway in  
this case?

SELinux is in enforcing mode.

[stefan at localhost policy]$ /usr/sbin/sestatus
SELinux status:			enabled
SELinuxfs mount:			/selinux
Current mode:			enforcing
Mode from config file:		enforcing
Policy version:			22
Policy from config file:		targeted

I'm rather confused...

best regards,
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 186 bytes
Desc: This is a digitally signed message part
URL: <>

More information about the fedora-selinux-list mailing list