Help with SELinux Policy for Usability Study

Cliffe cliffe at ii.net
Thu Jul 30 04:04:40 UTC 2009


Dear SELinux Gurus,

I am a PhD candidate conducting research into the usability of security 
mechanisms. I would really appreciate some help regarding the use of 
SELinux. Let me know if this is not the right place to be asking these 
types of questions.

I generated a policy for opera using polgengui. I then ran the generated 
./opera.sh.

Although SELinux was still set to enforcing mode, opera seemed to run 
unconfined. The executable and process were labelled as expected 
(unconfined_u:unconfined_r:opera_t). AVCs were generated, but not enforced.

I added to opera.te using
grep opera /var/log/audit/audit.log | audit2allow >> opera.te
and reran ./opera.sh
until no AVCs were generated.

Looking at opera.te I noticed the line "permissive opera_t", and not 
knowing exactly what this line does, I thought it may be placing this 
domain into permissive mode (although the gui tools suggest otherwise). 
Removing the line causes "/bin/sh: /usr/bin/opera: Permission denied". 
No AVCs are generated.

So I am not sure why opera seems to be unconfined, or if removing the 
permissive line was on the right track. Any advice?

Also I tried creating a policy for kwrite. This time the created policy 
seemed to be in effect as soon as I ran the kwrite.sh script. I set 
setenforce 0 and added to kwrite.te (as above for opera) until no error 
msgs were generated. Then I reran ./kwrite.sh. Now kwrite exits with 
"kwrite(2533): Couldn't register name '"org.kate-editor.kwrite-2533'" 
with DBUS -- another process owns it already!". When setenforce 0 it 
runs without AVCs.

Again I am sure I am missing something simple and your advice will help 
a lot.

I need to resolve this asap and will really appreciate any advice.

Soon I will be running a comparative study comparing a number of 
security mechanisms and I need to sort this out.

Thank you,

Cliffe.
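
An added example, not part of the original post: a minimal Python sketch of what the `grep opera /var/log/audit/audit.log | audit2allow` step in the message collects, selecting denials by the source domain in `scontext` rather than by the string "opera" anywhere on the line. The log lines are constructed, and `allow_rules` and `context_type` are hypothetical helpers, not audit2allow itself.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not taken from the original post).
SAMPLE_LOG = """\
type=AVC msg=audit(1248926680.101:41): avc:  denied  { read } for  pid=2533 comm="opera" name="fonts.conf" dev=sda1 ino=1201 scontext=unconfined_u:unconfined_r:opera_t:s0 tcontext=system_u:object_r:fonts_t:s0 tclass=file
type=AVC msg=audit(1248926680.105:42): avc:  denied  { open getattr } for  pid=2533 comm="opera" name="fonts.conf" dev=sda1 ino=1201 scontext=unconfined_u:unconfined_r:opera_t:s0 tcontext=system_u:object_r:fonts_t:s0 tclass=file
type=AVC msg=audit(1248926681.310:43): avc:  denied  { name_connect } for  pid=2533 comm="opera" dest=80 scontext=unconfined_u:unconfined_r:opera_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1248926682.007:44): avc:  denied  { read } for  pid=2601 comm="kwrite" name="opera.ini" dev=sda1 ino=1377 scontext=unconfined_u:unconfined_r:kwrite_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

# Permissions, source context, target context and object class of one denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def allow_rules(log_text, domain):
    """Build de-duplicated allow rules for denials whose source type is `domain`."""
    wanted = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or context_type(m["scon"]) != domain:
            continue  # not an AVC denial, or raised by a different domain
        wanted[(context_type(m["tcon"]), m["tclass"])].update(m["perms"].split())
    rules = []
    for (ttype, tclass), perms in sorted(wanted.items()):
        plist = sorted(perms)
        body = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {domain} {ttype}:{tclass} {body};")
    return rules


if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_LOG, "opera_t")))
```

In the constructed log, the fourth line mentions "opera" only in a file name and belongs to `kwrite_t`, so a plain text match would pick it up while the `scontext` filter does not.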
