RE: Problem with upgrading a file sensitivity level with mls policy

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Found my problem. I was concentrating on the domain - type access controls for relabelfrom/ relabelto and I forgot about the basic TE constrain that states
 
constrain dir_file_class_set { create relabelto relabelfrom }
      ( u1 == u2 or t1 == can_change_object_identity );
 
audit2allow doesn't help very much with that.
 
 

________________________________

From: fedora-selinux-list-bounces@xxxxxxxxxx on behalf of Suchoski, Andrew
Sent: Wed 10/4/2006 7:36 PM
To: fedora-selinux-list@xxxxxxxxxx
Subject: Problem with upgrading a file sensitivity level with mls policy



Hello,

I've been trying to get a simple piece of code to work to upgrade a
file's sensitivity level. I wrote a simple policy to have the process
run in a new domain and assigned mlsfileupgrade to the domain. I thought
I did everything needed to make it work but apparently not. The program
does work in permissive mode so this isn't a DAC problem. (The target
file is owned by andy, modebits 644 and the process runs as EUID=andy.)
The kernel is 2.6.17.2178_FC5 and I'm using the
selinux-policy-mls-2.3.7-2.fc5 policy.
Thanks.

Following is the AVC, code, policy, and example output.
------------------------------------------------------------------------------------------------------
type=AVC msg=audit(1160002208.475:477): avc:  denied  { relabelfrom }
for  pid=5282 comm="setfsc1" name="foobar" dev=hda3 ino=817610
scontext=andy_u:user_r:andy_t:s0-s15:c0.c255
tcontext=user_u:object_r:user_t:s0 tclass=file
-----------------------------------------------------------------------------------------------------------------------
#include <stdio.h>
#include <selinux/selinux.h>
#include <selinux/context.h>
main()
{
  int retval;
  security_context_t secconstr,con;
  context_t seconstrct;
  char * newlabel;

/* Get file context */
  retval=getfilecon("/app/foobar", &secconstr);
/* Print the context */
  printf("Security context is %s\n", secconstr);
/* Convert the security_context_t to a context_t */
  seconstrct=context_new(secconstr);
/* Assign new Sensitivity label  */
  retval=context_range_set(seconstrct,"s0:c5");
  if (retval < 0) perror ("context_range_set");
  secconstr=context_str(seconstrct);
  printf("NEW Security context is %s\n",secconstr);
  retval=setfilecon("/app/foobar",secconstr);
  if (retval < 0) perror ("setfilecon");
  retval=getfilecon("/app/foobar", &con);
  if (retval < 0) perror ("getfilecon");
  printf("Read NEW security context %s\n", con);
}
-------------------------------------------------------------------------------------------------------------------------
The policy:
policy_module(localmisc, 0.1.12)
require {
        type user_t;
        type user_tty_device_t;
};
type andy_t;
type andy_exec_t;
domain_type(andy_t)
mls_file_upgrade(andy_t)
domain_entry_file(andy_t, andy_exec_t)
domain_use_interactive_fds(andy_t)
allow andy_t user_tty_device_t:chr_file { read write };
domain_auto_trans(user_t, andy_exec_t, andy_t)
libs_use_ld_so(andy_t)
libs_use_shared_libs(andy_t)
role user_r types andy_t;
allow andy_t user_t: file { read getattr relabelfrom relabelto };
allow andy_t user_t:process sigchld;
---------------------------------------------------------------------------------------------------------------------
Output of the program:
[andy@localhost examples]$ ./setfsc1
Security context is user_u:object_r:user_t:s0
NEW Security context is user_u:object_r:user_t:s0:c5
setfilecon: Permission denied
Read NEW security context user_u:object_r:user_t:s0
[andy@localhost examples]$
----------------------------------------------------------------------------------------------------------------------



--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list



--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux