On Sun, 22 Aug 2004 02:53, Tom London <selinux@xxxxxxxxxxx> wrote:
> Aug 21 09:43:36 fedora kernel: audit(1093106616.786:0): avc: denied {
> dac_read_search } for pid=4292 exe=/bin/bash capability=2
> scontext=root:sysadm_r:bootloader_t tcontext=root:sysadm_r:bootloader_t
> tclass=capability

No harm in adding this as capability chown is already granted.

> Aug 21 09:43:37 fedora kernel: audit(1093106617.979:0): avc: denied {
> transition } for pid=4331 exe=/bin/bash path=/sbin/dmsetup dev=hda2
> ino=2310451 scontext=root:sysadm_r:bootloader_t
> tcontext=root:system_r:lvm_t tclass=process

The constraints file has the following (I've cut bits about crond and userhelper for clarity):

constrain process transition
  ( r1 == r2 or
    ( t1 == privrole and t2 == userdomain ) or
    (t1 == priv_system_role and r2 == system_r ) );

We have the following policy from global_macros.te:

role_transition sysadm_r lvm_exec_t system_r;

This causes the tcontext to have role system_r, and by the constraint we have to have the attribute priv_system_role on the source domain (bootloader_t).

I've attached a patch to bootloader.te that fixes these things and a couple of other minor issues.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
--- /usr/src/se/policy/domains/program/unused/bootloader.te 2004-08-21 13:19:07.000000000 +1000 +++ domains/program/unused/bootloader.te 2004-08-22 19:40:48.000000000 +1000 @@ -10,7 +10,7 @@ # # bootloader_exec_t is the type of the bootloader executable. # -type bootloader_t, domain, privlog, privmem, fs_domain; +type bootloader_t, domain, privlog, privmem, fs_domain ifdef(`direct_sysadm_daemon', `, priv_system_role'); type bootloader_exec_t, file_type, sysadmfile, exec_type; etc_domain(bootloader) typealias bootloader_etc_t alias etc_bootloader_t; @@ -45,6 +45,7 @@ uses_shlib(bootloader_t) allow bootloader_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms; +allow bootloader_t device_t:lnk_file { getattr read }; # LVM2 / Device Mapper's /dev/mapper/control # maybe we should change the labeling for this @@ -101,7 +101,7 @@ allow bootloader_t self:capability ipc_lock; ') -allow bootloader_t self:capability { fsetid sys_rawio sys_admin mknod chown }; +allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown }; # allow bootloader to get attributes of any device node allow bootloader_t { device_type ttyfile }:chr_file getattr; allow bootloader_t device_type:blk_file getattr; @@ -133,7 +133,7 @@ ifdef(`chroot.te', ` can_exec(bootloader_t, chroot_exec_t) ')dnl end chroot.te -')dnl end debian +')dnl end distro_debian # for reading BIOS data allow bootloader_t memory_device_t:chr_file r_file_perms;
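Review bot: in the `@@ -10,7 +10,7 @@` hunk, priv_system_role is added to bootloader_t only inside ifdef(`direct_sysadm_daemon', ...), while the cover message says the constraint requires that attribute on the source domain for the dmsetup transition to lvm_t; please state in the cover note that the transition fix only takes effect when direct_sysadm_daemon is defined, or note that the role_transition to system_r is itself conditional on that option, so that builds without it are not left with the same denial.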
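Review bot: the new `allow bootloader_t device_t:lnk_file { getattr read };` in the `@@ -45,6 +45,7 @@` hunk is not backed by either AVC message in the cover note and lands directly above the `# LVM2 / Device Mapper's /dev/mapper/control` comment that documents the next rule; add a one-line comment above it naming the symlink under /dev it is for, so it is not read as part of the dmsetup note below.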
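Review bot: the dac_read_search grant in the `@@ -101,7 +101,7 @@` hunk has no comment explaining its origin; the matching AVC shows exe=/bin/bash with capability=2, so the need comes from a shell script running in bootloader_t rather than from the bootloader binary itself. A comment recording that, together with the "chown is already granted" rationale from the cover note, would keep the grant from being dropped as unexplained in a later cleanup.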
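Review bot: the opening ifdef that the renamed `dnl end distro_debian` trailer closes is outside the `@@ -133,7 +133,7 @@` hunk's context, so confirm that block really is ifdef(`distro_debian', ...) before merging, and mention this comment-only change in the cover note since it is unrelated to the two denials.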
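The reasoning above (role_transition puts lvm_t under system_r, so the constrain rule needs priv_system_role on bootloader_t) can be checked mechanically. The following is an added example, not code from the thread or from the SELinux policy tree: it parses the two AVC lines quoted above and evaluates the quoted constraint against assumed attribute sets (real membership comes from the compiled policy), before and after the attribute is added.

```python
import re

# Constructed sample input: the two AVC lines quoted above, rejoined.
AVC_CAPABILITY = ("avc: denied { dac_read_search } for pid=4292 exe=/bin/bash capability=2 "
                  "scontext=root:sysadm_r:bootloader_t tcontext=root:sysadm_r:bootloader_t "
                  "tclass=capability")
AVC_TRANSITION = ("avc: denied { transition } for pid=4331 exe=/bin/bash path=/sbin/dmsetup "
                  "dev=hda2 ino=2310451 scontext=root:sysadm_r:bootloader_t "
                  "tcontext=root:system_r:lvm_t tclass=process")

# Assumed attribute membership (the real sets live in the compiled policy);
# per the thread, bootloader_t lacks priv_system_role before the patch.
ATTRS_BEFORE = {"bootloader_t": {"domain", "privlog", "privmem", "fs_domain"},
                "lvm_t": {"domain"}}
ATTRS_AFTER = {"bootloader_t": ATTRS_BEFORE["bootloader_t"] | {"priv_system_role"},
               "lvm_t": {"domain"}}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perm>\w+)\s*\}.*?"
                    r"scontext=(?P<sc>\S+)\s+tcontext=(?P<tc>\S+)\s+tclass=(?P<cls>\w+)")

def parse_avc(line):
    """Return permission, class and (user, role, type) tuples, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {"perm": m["perm"], "tclass": m["cls"],
            "scontext": tuple(m["sc"].split(":")),
            "tcontext": tuple(m["tc"].split(":"))}

def transition_allowed(scontext, tcontext, attrs):
    """Evaluate the quoted 'constrain process transition' expression."""
    _, r1, t1 = scontext
    _, r2, t2 = tcontext
    has = lambda t, a: a in attrs.get(t, set())
    return (r1 == r2
            or (has(t1, "privrole") and has(t2, "userdomain"))
            or (has(t1, "priv_system_role") and r2 == "system_r"))

def check(line, attrs):
    """True/False for a process transition AVC; None if the constraint does not apply."""
    avc = parse_avc(line)
    if avc is None or avc["tclass"] != "process" or avc["perm"] != "transition":
        return None
    return transition_allowed(avc["scontext"], avc["tcontext"], attrs)

if __name__ == "__main__":
    print("before patch:", check(AVC_TRANSITION, ATTRS_BEFORE))  # False
    print("after patch: ", check(AVC_TRANSITION, ATTRS_AFTER))   # True
```

The capability denial returns None because the constraint only governs process transition; the dmsetup transition fails while bootloader_t lacks priv_system_role and passes once it carries it.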