Stephen Smalley wrote:
> On Fri, 2006-10-13 at 19:51 +0100, Robin Bowes wrote:
>> allow xm_t fixed_disk_device_t:blk_file read;
>
> From the above, you are still directly allowing read access to a fixed
> disk device rather than using the storage_raw_read_fixed_disk()
> interface. IOW, replace your 'allow xm_t fixed_disk_device_t:blk_file
> read;' statement with:
> storage_raw_read_fixed_disk(xm_t)

Ah, right. That was what I was missing.

I removed that line and ran the make and got these errors:

# make -f /usr/share/selinux/devel/Makefile
Compiling targeted xen module
/usr/bin/checkmodule: loading policy configuration from tmp/xen.tmp
xen.te:40:ERROR 'permission read is not defined for class dir' at token ';' on line 59080:
allow xm_t device_t:dir { read getattr lock search ioctl };
#line 40
xen.te:40:ERROR 'permission getattr is not defined for class dir' at token ';' on line 59080:
allow xm_t device_t:dir { read getattr lock search ioctl };
#line 40
xen.te:40:ERROR 'permission lock is not defined for class dir' at token ';' on line 59080:
allow xm_t device_t:dir { read getattr lock search ioctl };
#line 40
xen.te:40:ERROR 'permission ioctl is not defined for class dir' at token ';' on line 59080:
allow xm_t device_t:dir { read getattr lock search ioctl };
#line 40
xen.te:40:ERROR 'unknown class lnk_file used in rule' at token ';' on line 59082:
allow xm_t device_t:lnk_file { getattr read };
#line 40
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/xen.mod] Error 1

So, I removed all the lines I put in relating to the raw read.

My xen.te now looks like this:

module local 1.0;

require {
    class chr_file { read write };
    class dir { add_name create search setattr write };
    class fd use;
    class file { append create read write };
    class unix_stream_socket { read write };
    type home_root_t;
    type ifconfig_t;
    type local_login_t;
    type netutils_t;
    type proc_xen_t;
    type tmp_t;
    type tty_device_t;
    type user_home_dir_t;
    type user_home_t;
    type var_log_t;
    type var_run_t;
    type xend_t;
    type xend_var_log_t;
    role system_r;
};

allow ifconfig_t var_log_t:file append;
allow netutils_t proc_xen_t:file { read write };
allow netutils_t xend_t:unix_stream_socket { read write };
allow netutils_t xend_var_log_t:file { append write };
allow xend_t home_root_t:dir { search write };
allow xend_t local_login_t:fd use;
allow xend_t tmp_t:dir search;
allow xend_t tty_device_t:chr_file { read write };
allow xend_t user_home_dir_t:dir { search write };
allow xend_t user_home_t:dir { add_name search write };
allow xend_t user_home_t:file { create write };
allow xend_t var_run_t:dir { create setattr };
storage_raw_read_fixed_disk(xm_t)

Running the make produces this error:

# make -f /usr/share/selinux/devel/Makefile
Compiling targeted xen module
/usr/bin/checkmodule: loading policy configuration from tmp/xen.tmp
xen.te:37:ERROR 'unknown type xm_t' at token ';' on line 59091:
#line 37
typeattribute xm_t fixed_disk_raw_read;
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/xen.mod] Error 1

I tried putting back "type xm_t" but get these errors:

# make -f /usr/share/selinux/devel/Makefile
Compiling targeted xen module
/usr/bin/checkmodule: loading policy configuration from tmp/xen.tmp
xen.te:38:ERROR 'permission read is not defined for class dir' at token ';' on line 59078:
allow xm_t device_t:dir { read getattr lock search ioctl };
#line 38
xen.te:38:ERROR 'permission getattr is not defined for class dir' at token ';' on line 59078:
allow xm_t device_t:dir { read getattr lock search ioctl };
#line 38
xen.te:38:ERROR 'permission lock is not defined for class dir' at token ';' on line 59078:
allow xm_t device_t:dir { read getattr lock search ioctl };
#line 38
xen.te:38:ERROR 'permission ioctl is not defined for class dir' at token ';' on line 59078:
allow xm_t device_t:dir { read getattr lock search ioctl };
#line 38
xen.te:38:ERROR 'unknown class lnk_file used in rule' at token ';' on line 59080:
allow xm_t device_t:lnk_file { getattr read };
#line 38
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/xen.mod] Error 1

I found I had to add all the missing classes and permissions. This version of xen.te builds and installs cleanly:

module local 1.0;

require {
    class blk_file { read getattr lock ioctl };
    class chr_file { read write };
    class dir { add_name create search setattr write read getattr lock ioctl };
    class fd use;
    class file { append create read write };
    class lnk_file { getattr read };
    class unix_stream_socket { read write };
    type home_root_t;
    type ifconfig_t;
    type local_login_t;
    type netutils_t;
    type proc_xen_t;
    type tmp_t;
    type tty_device_t;
    type user_home_dir_t;
    type user_home_t;
    type var_log_t;
    type var_run_t;
    type xend_t;
    type xend_var_log_t;
    type xm_t;
    role system_r;
};

allow ifconfig_t var_log_t:file append;
allow netutils_t proc_xen_t:file { read write };
allow netutils_t xend_t:unix_stream_socket { read write };
allow netutils_t xend_var_log_t:file { append write };
allow xend_t home_root_t:dir { search write };
allow xend_t local_login_t:fd use;
allow xend_t tmp_t:dir search;
allow xend_t tty_device_t:chr_file { read write };
allow xend_t user_home_dir_t:dir { search write };
allow xend_t user_home_t:dir { add_name search write };
allow xend_t user_home_t:file { create write };
allow xend_t var_run_t:dir { create setattr };
storage_raw_read_fixed_disk(xm_t)

> That was the point of switching to using the devel Makefile, so that you
> could use the above interface, which already expands to the necessary
> declarations and rules to allow the access without violating the
> assertion/neverallow rule.
>
> There isn't anything magic here; it is just that
> storage_raw_read_fixed_disk() as defined
> in /usr/share/selinux/devel/include/kernel/storage.if already expands to
> the right set of rules, and by using it, you insulate yourself from the
> policy details that might change over time or between systems. Same
> thing applies to all of your rules; if there is already an interface for
> that purpose, you are better off using it.

So, how do I find out more about this? How would I know that interfaces like storage_raw_read_fixed_disk(xm_t) exist, and what they mean?

Thanks for all your help,

R.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
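An added example, not from this thread or from refpolicy, of how to answer the closing question from the policy sources themselves: the interfaces under /usr/share/selinux/devel/include/ are documented with a "## <summary>" comment above each interface() definition, and the body of that definition is what m4 expands into your module (which is why a single interface call can pull in dir and lnk_file rules the require block did not mention). The script runs against a constructed storage.if excerpt embedded inline; its layout, the nested dev_list_all_dev_nodes() call and the helper names are assumptions.

```shell
#!/bin/sh
# Constructed excerpt in the layout of refpolicy's storage.if (assumption:
# /usr/share/selinux/devel/include/kernel/storage.if documents each
# interface with a "## <summary>" comment above its interface(...) block).
SAMPLE_IF="${TMPDIR:-/tmp}/storage_sample_$$.if"
trap 'rm -f "$SAMPLE_IF"' EXIT
cat > "$SAMPLE_IF" <<'EOF'
########################################
## <summary>
##      Allow the caller to directly read from a fixed disk.
##      This is extremely dangerous as it can bypass the
##      SELinux protections for filesystem objects.
## </summary>
#
interface(`storage_raw_read_fixed_disk',`
        gen_require(`
                attribute fixed_disk_raw_read;
                type fixed_disk_device_t;
        ')
        typeattribute $1 fixed_disk_raw_read;
        dev_list_all_dev_nodes($1)
        allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
')
EOF

# Name every interface defined in a .if file, one per line.
list_interfaces() {
    sed -n 's/^interface(.\([a-z_0-9]*\).,.*/\1/p' "$1"
}

# Print the <summary> comment that documents the named interface.
interface_summary() {
    awk -v name="$2" '
        /^## <summary>/   { buf = ""; insum = 1; next }
        /^## <\/summary>/ { insum = 0; next }
        insum             { sub(/^##[ \t]*/, ""); buf = buf $0 " " }
        $0 ~ "^interface\\(." name "." { print buf; exit }
    ' "$1"
}

# Print what the named interface expands to for a caller domain: its
# gen_require needs, then the rules and nested interface calls it adds.
interface_body() {
    awk -v name="$2" -v dom="$3" '
        inbody && /^.\)/ { exit }
        inbody           { gsub(/\$1/, dom); print }
        $0 ~ "^interface\\(." name "." { inbody = 1 }
    ' "$1"
}

interface_body "$SAMPLE_IF" storage_raw_read_fixed_disk xm_t
```

Point the functions at the real .if files under /usr/share/selinux/devel/include/ to see the full expansion; the classes and permissions it uses are the ones a module's require block has to declare, which is what the last xen.te above adds.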