Several policy questions

Brian Ginn BGinn at symark.com
Wed Mar 11 01:26:51 UTC 2009


I have an application that consists of four different programs that all talk to each other via TCP sockets, similar to this diagram:

                +---------+
        +-------| ServerA |------+
        |       +---------+      |
        |            |           |
+----------------+    |    +---------+
| UserApp Client |----|----| ServerB |
+----------------+    |    +---------+
        |            |           |
        |            |           |
        |       +--------+       |
        +-------| Logger |-------+
                +--------+

ServerA, ServerB, and Logger all run from xinetd.
The "UserApp Client" is the only program directly executed by the user.
All programs read from a common settings file in /etc.

With Fedora Core 9, I've used the polgengui to create initial policies for the four programs.
Then, since they share the settings file, I edited the definitions so that the configuration file is not specific to any one of the programs.
They all need to share port information, so I added require { myservera_port_t; myserverb_port_t; mylogger_port_t } statements to each .te file.
That seems to work on FC9, but on RedHat EL 5.2, when attempting to load myservera, it complains:

/usr/sbin/semodule -i myservera.pp
libsepol.print_missing_requirements: myservera's global requirements were not met: type/attribute myserverb_port_t
libsemanage.semanage_link_sandbox: Link packages failed
/usr/sbin/semodule:  Failed!

Attempting to load myserverB first ends up with the same complaint about the serverA's port_t being undefined.

I had kept the .te files for the four programs separate... but this message makes me think that maybe I need to combine them. Is that necessary? Or is there a way to pre-define the ports before the "require from somewhere else" statement?

For my four programs, should I have four distinct policy_module statements?
Is it possible to have multiple policy_module statements in the same .te file?

Also, I seem to be having domain transfer problems.
I added this following code to each .te file:

# transition unconfined_t -> myapp_t when a myapp_exec_t file is executed
domain_auto_trans(unconfined_t, myapp_exec_t, myapp_t)
# the new domain must be able to use the descriptors and pipes inherited
# from the unconfined caller, and signal it on exit
allow myapp_t unconfined_t:fd use;
allow myapp_t unconfined_t:fifo_file rw_file_perms;
allow myapp_t unconfined_t:process sigchld;

However, each process still runs as follows:

unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 32504 pts/4 00:00:00 myapp
unconfined_u:system_r:inetd_child_t:s0-s0:c0.c1023 32508 ? 00:00:00 myserverb
unconfined_u:system_r:inetd_child_t:s0-s0:c0.c1023 32512 ? 00:00:00 mylogger

For the inetd daemons, is this something I should try to fix, or is unconfined_u:system_r:inetd_child_t "secure enough"?
Any suggestions for getting the myapp domain transferred?



Thanks,
Brian
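Editor's note: the following is an added example, not code from the poster's modules or from polgengui output. It shows one way to lay out the policy so that the cross-module `require` statements described above resolve, and so that the client gets its own domain. The module and type names `myapp_common` and `myapp_etc_t` are assumptions chosen for illustration; the interfaces used (`corenet_port`, `inetd_service_domain`, `domtrans_pattern`, `files_config_file`, `read_files_pattern`) are standard reference-policy interfaces and are assumed to be present in the refpolicy shipped with the target release.

```selinux
# ---- myapp_common.te --------------------------------------------------------
# Declares the shared types exactly once.  The server modules then require
# these types instead of each other's, so no module depends on another server
# module and the only ordering constraint is "common module first".
policy_module(myapp_common, 1.0.0)

type myservera_port_t;
corenet_port(myservera_port_t)   # gives the type the port_type attribute

type myserverb_port_t;
corenet_port(myserverb_port_t)

type mylogger_port_t;
corenet_port(mylogger_port_t)

# Settings file under /etc shared by all four programs (name is assumed).
type myapp_etc_t;
files_config_file(myapp_etc_t)

# ---- myservera.te -----------------------------------------------------------
# Exactly one policy_module() per .te file.  myserverb.te and mylogger.te
# have the same shape with the names swapped.
policy_module(myservera, 1.0.0)

gen_require(`
	type myservera_port_t, myserverb_port_t, mylogger_port_t;
	type myapp_etc_t;
')

type myservera_t;
type myservera_exec_t;
# Started by xinetd: sets up the inetd_t -> myservera_t transition on exec,
# so the child runs in its own domain rather than inetd_child_t.
inetd_service_domain(myservera_t, myservera_exec_t)

files_read_etc_files(myservera_t)
read_files_pattern(myservera_t, myapp_etc_t, myapp_etc_t)

# Bind only to its own port; connect only to the two peers' ports.
allow myservera_t myservera_port_t:tcp_socket name_bind;
allow myservera_t { myserverb_port_t mylogger_port_t }:tcp_socket name_connect;
# (generic interface/node network rules omitted for brevity)

# ---- myapp.te (the client started by the user) ------------------------------
policy_module(myapp, 1.0.0)

gen_require(`
	type unconfined_t;
	role unconfined_r;
	type myservera_port_t, myserverb_port_t, mylogger_port_t;
	type myapp_etc_t;
')

type myapp_t;
type myapp_exec_t;
domain_type(myapp_t)
domain_entry_file(myapp_t, myapp_exec_t)

# Domain transition unconfined_t -> myapp_t on exec of a myapp_exec_t file.
# domtrans_pattern() expands to domain_auto_trans() plus the fd use,
# fifo_file and sigchld rules that the post added by hand.  The role
# statement is required as well: a transition is refused when the caller's
# role (unconfined_r) is not authorised for the new type.
domtrans_pattern(unconfined_t, myapp_exec_t, myapp_t)
role unconfined_r types myapp_t;

files_read_etc_files(myapp_t)
read_files_pattern(myapp_t, myapp_etc_t, myapp_etc_t)
allow myapp_t { myservera_port_t myserverb_port_t mylogger_port_t }:tcp_socket name_connect;
```

With this layout the modules are installed common module first, or all together in one transaction (`semodule -i myapp_common.pp -i myservera.pp -i myserverb.pp -i mylogger.pp -i myapp.pp`); `semodule` links every module given to one invocation together, which is also why installing the original mutually-dependent packages one at a time fails while installing them in one command does not. Two checks worth making before concluding that a transition rule is wrong: the port numbers must actually be mapped to the new port types (`semanage port -a -t myservera_port_t -p tcp <port>`, with a placeholder for the real port), and the binaries must carry the `*_exec_t` labels from the modules' file contexts (`restorecon -v` on them, then `ls -Z`), since a transition rule on a file that is still labelled `bin_t` never fires and the process simply stays in the caller's domain.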

