Selinux > Hipl

Dominick Grift domg472 at gmail.com
Sat Dec 5 10:54:29 UTC 2009


On Sat, Dec 05, 2009 at 02:09:02AM -0800, Justin P. Mattock wrote:
> On 12/05/09 02:06, Frank Murphy (Frankly3D) wrote:
> >On 05/12/09 09:42, Manuel Wolfshant wrote:
> >--snip--
> >
> >>And once we (that is you :) ) have a correct policy,
> >
> >Does this look ok?
> >
> >audit2allow -M myhipd01 < /var/log/audit/audit.log
> >
> >module myhipd01 1.0;
> >
> >require {
> >type unconfined_t;
> >type ifconfig_t;
> >type unconfined_java_t;
> >type chrome_sandbox_t;
> >type root_t;
> >type admin_home_t;
> >type null_device_t;
> >type iptables_t;
> >type abrt_t;
> >type initrc_t;
> >type ftp_port_t;
> >type var_lock_t;
> >type xauth_t;
> >type device_t;
> >type setroubleshootd_t;
> >type wine_t;
> >type rpm_var_cache_t;
> >type rpcd_t;
> >type system_mail_t;
> >type plymouthd_t;
> >class capability sys_ptrace;
> >class netlink_ip6fw_socket { read write };
> >class process execmem;
> >class memprotect mmap_zero;
> >class netlink_firewall_socket { read write };
> >class chr_file unlink;
> >class netlink_xfrm_socket { read write };
> >class tcp_socket name_connect;
> >class file { read write };
> >class rawip_socket { read write };
> >class netlink_route_socket { read write };
> >class udp_socket { read write };
> >class dir { write remove_name create };
> >role system_r;
> >role unconfined_r;
> >}
> >
> >#============= abrt_t ==============
> >allow abrt_t ftp_port_t:tcp_socket name_connect;
> >allow abrt_t rpm_var_cache_t:dir create;

probably bugs in abrt policy

> >
> >#============= chrome_sandbox_t ==============
> >allow chrome_sandbox_t self:capability sys_ptrace;
> >

probably bug in chrome policy

> >#============= ifconfig_t ==============
> >allow ifconfig_t initrc_t:netlink_route_socket { read write };
> >allow ifconfig_t initrc_t:netlink_xfrm_socket { read write };
> >allow ifconfig_t initrc_t:udp_socket { read write };
> >allow ifconfig_t var_lock_t:file { read write };
> >
> >#============= iptables_t ==============
> >allow iptables_t initrc_t:netlink_firewall_socket { read write };
> >allow iptables_t initrc_t:netlink_ip6fw_socket { read write };
> >allow iptables_t initrc_t:rawip_socket { read write };
> >allow iptables_t initrc_t:udp_socket { read write };
> >allow iptables_t var_lock_t:file { read write };

whatever runs initrc_t needs policy imho: ps auxZ | grep initrc

> >
> >#============= plymouthd_t ==============
> >allow plymouthd_t device_t:dir { write remove_name };
> >allow plymouthd_t null_device_t:chr_file unlink;
> >
> >#============= setroubleshootd_t ==============
> >allow setroubleshootd_t device_t:file write;

Looks like this file is mislabeled. ausearch -m avc -ts today | grep device_t | grep file | grep avc | head -n 1
> >
> >#============= system_mail_t ==============
> >allow system_mail_t root_t:dir write;

why is it writing to /

> >
> >#============= unconfined_t ==============
> >allow unconfined_t self:process execmem;

allow_execmem boolean or label the executable of the execmem program execmem_exec_t;
> >
> >#============= wine_t ==============
> >allow wine_t self:memprotect mmap_zero;

There is a boolean you can set for this. getsebool -a | grep mmap
> >
> >#============= xauth_t ==============
> >allow xauth_t admin_home_t:file { write read };
> >#============= ROLES ==============
> >role system_r types unconfined_java_t;

Looks like this is what you get when you run user applications with system role

> >role unconfined_r types rpcd_t;

If this is a daemon as the type suggests then it should not be run with unconfined role.

> >
> 
> sure.. now install your binary!!
> 
> Justin P. Mattock
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
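The advice in the reply amounts to triaging each generated rule rather than installing the module as-is. The following is an added example, not code from the thread or from audit2allow: it parses the allow and role statements of such a module and maps each to the follow-up the reply suggests (booleans, mislabeling, initrc_t leaks, role mixing). The heuristic table and the trimmed sample module are assumptions for illustration.

```python
import re
# Added example, not from the thread: parse the allow/role statements of an
# audit2allow module and map each to a reviewer's follow-up instead of an
# "allow". The heuristic table is an illustrative assumption, not exhaustive.
ALLOW_RE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+);")
ROLE_RE = re.compile(r"^role\s+(\w+)\s+types\s+(\w+);")

# Constructed sample: a subset of the rules quoted in the thread.
SAMPLE_MODULE = """\
allow chrome_sandbox_t self:capability sys_ptrace;
allow iptables_t initrc_t:rawip_socket { read write };
allow setroubleshootd_t device_t:file write;
allow unconfined_t self:process execmem;
allow wine_t self:memprotect mmap_zero;
role system_r types unconfined_java_t;
role unconfined_r types rpcd_t;
"""

def parse_module(text):
    """Return ([(src, tgt, class, perms)], [(role, type)]) from module text."""
    allows, roles = [], []
    for line in text.splitlines():
        m = ALLOW_RE.match(line.strip())
        if m:
            perms = set(m.group(4).strip("{} ").split())
            allows.append((m.group(1), m.group(2), m.group(3), perms))
        elif (m := ROLE_RE.match(line.strip())):
            roles.append((m.group(1), m.group(2)))
    return allows, roles

def triage(text):
    """Map each rule to the action a reviewer would take instead of 'allow'."""
    findings = {}
    allows, roles = parse_module(text)
    for src, tgt, cls, perms in allows:
        key = f"allow {src} {tgt}:{cls}"
        if (cls == "process" and "execmem" in perms) or cls == "memprotect":
            findings[key] = "boolean exists: check getsebool -a, or label the binary execmem_exec_t"
        elif tgt == "initrc_t" and cls.endswith("_socket"):
            findings[key] = "initrc_t leak: the program running as initrc_t needs its own policy"
        elif tgt == "device_t" and cls == "file":
            findings[key] = "likely mislabeled file: check ausearch -m avc, then fix the label"
        else:
            findings[key] = "probable bug in the domain's policy: report rather than allow"
    for role, dom in roles:
        key = f"role {role} types {dom}"
        if role == "unconfined_r" and dom.endswith("d_t"):
            findings[key] = "daemon type under unconfined_r: it should not run in the user role"
        elif role == "system_r":
            findings[key] = "user application under system_r: check how it is started"
    return findings
```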