HELP: transition denied regardless of policy?

Hi!

I'm having a problem with FC3 strict policy. Basically, I've customised the policy to cover all that I need on that system, but there's one last denial that I'm unable to remedy:

May 26 03:26:01 machinename kernel: audit(1117070761.996:0): avc: denied { transition } for pid=11773 exe=/bin/bash path=/home/twiki/bin/mailnotify dev=hda1 ino=51463 scontext=root:sysadm_r:sysadm_crond_t tcontext=root:system_r:twiki_t tclass=process

(where /home/twiki/bin/mailnotify has a context of system_u:object_r:twiki_exec_t.)

This is directly related to my twiki.te policy:

#BEGIN
daemon_domain(twiki)
var_lib_domain(twiki)
domain_auto_trans(httpd_t, twiki_exec_t, twiki_t)

# daemon_domain(twiki) gets this done anyway:
#role_transition sysadm_r twiki_exec_t system_r;

domain_auto_trans(sysadm_crond_t, twiki_exec_t, twiki_t)
# domain_auto_trans should do it, but duplicating it doesn't hurt:
role sysadm_r types twiki_t;
allow sysadm_crond_t twiki_t:process transition;

# exe=/usr/bin/perl path=/etc/ld.so.cache :
allow twiki_t etc_t:file { getattr read };


allow httpd_t twiki_exec_t:dir { getattr search };
allow httpd_t twiki_exec_t:file ioctl;
allow httpd_t twiki_var_lib_t:dir { getattr read search };
allow httpd_t twiki_var_lib_t:file { append getattr ioctl read };
allow twiki_t bin_t:dir { search };
allow twiki_t bin_t:file { getattr };
allow twiki_t crond_t:fifo_file { ioctl read write };
allow twiki_t home_root_t:dir { search };
allow twiki_t twiki_exec_t:dir { search };
allow twiki_t urandom_device_t:chr_file { read };

allow twiki_t unlabeled_t:dir { getattr read search };

allow httpd_sys_script_t httpd_runtime_t:file write;
allow httpd_sys_script_t httpd_t:tcp_socket ioctl;
allow httpd_sys_script_t twiki_var_lib_t:dir { add_name remove_name search write };
allow httpd_sys_script_t twiki_var_lib_t:file { create getattr read unlink };
allow httpd_t twiki_var_lib_t:dir { add_name remove_name write };
allow httpd_t twiki_var_lib_t:file { create rename setattr unlink write };
#END


The problem is, although the
domain_auto_trans(sysadm_crond_t, twiki_exec_t, twiki_t)
...allows for:
allow sysadm_crond_t twiki_t:process transition;

And I've even allowed that process transition (allow sysadm_crond_t twiki_t:process transition;) explicitly a few rows later (actually audit2allow has given me this).

But the transition to root:system_r:twiki_t is still denied.

Am I missing something?

--
Best Regards,
Aleksander Adamowski
GG#: 274614
ICQ UIN: 19780575 http://olo.ab.altkom.pl
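As an added example (not part of the post and not Fedora policy code), the script below parses the AVC record quoted in the message and lists the policy statements a cross-role process transition needs: the type-enforcement allow, and, because scontext and tcontext carry different roles, the role allow and role-types declarations that the kernel requires before it will grant `process transition` at all. Function names and the embedded sample line are my own construction; the rule semantics are standard SELinux behaviour.

```python
import re

# Sample input: the AVC record from the message above, embedded here so the script runs offline.
AVC_LINE = ("May 26 03:26:01 machinename kernel: audit(1117070761.996:0): avc: denied "
            "{ transition } for pid=11773 exe=/bin/bash path=/home/twiki/bin/mailnotify "
            "dev=hda1 ino=51463 scontext=root:sysadm_r:sysadm_crond_t "
            "tcontext=root:system_r:twiki_t tclass=process")

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")


def parse_avc(line):
    """Return the denied permissions plus the key=value fields of one AVC record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in re.findall(r"(\w+)=(\S+)", m.group("fields")):
        rec[key] = val
    return rec


def split_context(ctx):
    """Split user:role:type[:mls] into (user, role, type); a trailing MLS field is ignored."""
    user, role, typ = ctx.split(":", 3)[:3]
    return user, role, typ


def rules_needed(rec):
    """Policy statements a denied process transition needs, derived from its contexts.

    The TE allow rule is always required.  When the role also changes, the kernel
    strips the transition permission unless a role allow rule (allow old_r new_r;)
    permits that role pair, and the new type must be authorized for the new role.
    """
    if rec is None or rec.get("tclass") != "process" or "transition" not in rec["perms"]:
        return []
    _, srole, stype = split_context(rec["scontext"])
    _, trole, ttype = split_context(rec["tcontext"])
    rules = [f"allow {stype} {ttype}:process transition;"]
    if srole != trole:
        rules.append(f"allow {srole} {trole};")
        rules.append(f"role {trole} types {ttype};")
    return rules


if __name__ == "__main__":
    for rule in rules_needed(parse_avc(AVC_LINE)):
        print(rule)
```

The TE rule is the one audit2allow emits; the role allow line is the one a plain `process transition` denial never points at directly, so it is worth checking in the policy whenever the two contexts in the denial differ in their role field.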


--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
