fedora-selinux-list-request@xxxxxxxxxx wrote:
Send fedora-selinux-list mailing list submissions to
fedora-selinux-list@xxxxxxxxxx
To subscribe or unsubscribe via the World Wide Web, visit
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
or, via email, send a message with subject or body 'help' to
fedora-selinux-list-request@xxxxxxxxxx
You can reach the person managing the list at
fedora-selinux-list-owner@xxxxxxxxxx
When replying, please edit your Subject line so it is more specific
than "Re: Contents of fedora-selinux-list digest..."
Today's Topics:
1. using runcon -l s1 (Clarkson, Mike R (US SSA))
2. Re: using runcon -l s1 (Daniel J Walsh)
3. Re: Helper program for a daemon (Al Pacifico)
----------------------------------------------------------------------
Message: 1
Date: Mon, 23 Apr 2007 10:22:11 -0700
From: "Clarkson, Mike R (US SSA)"
Subject: using runcon -l s1
Content-Type: text/plain; charset="us-ascii"
I am trying to figure out how to get "runcon -l s1" to work while having
selinux in enforcing mode. So far, I can only use the runcon command
successfully with selinux in permissive mode. Here is the error I get
when in enforcing mode:
>runcon -l s1 ./SimulatedImport /home/m252/SimulatedImport/output/junk
execvp: Permission denied
--> You should know that enforcing mode means SELinux is fully activated, that is, the policies are respected, and as a user you have a role, and this role assigns you specific permissions! That's why you get this message: your role doesn't give you access to this permission. This is the principal way SELinux provides protection.
My shell is running as root in the unconfined_t domain. Here is the
output of id -Z:
root:system_r:unconfined_t:s0-s15:c0.c255
--> This context is assigned to root as the default context. You can modify it with newrole.
The executable that I'm trying to run with runcon is "SimulatedImport".
This is a very simple program which simply creates a small text file. I
have created a domain named "import_t" for this program.
I have an selinux policy that I built as an mls policy off the targeted
policy.
When I run audit2allow I get the following:
audit2allow -i /var/log/audit/audit.log -l -v -r
require {
class dir search;
class file { getattr read };
class process transition;
type auditd_log_t;
type unconfined_t;
role system_r;
};
allow unconfined_t auditd_log_t:dir search;
#TYPE=AVC MSG=audit(1177347232.381:45684): COMM="audit2allow"
NAME="audit" : search
#TYPE=AVC MSG=audit(1177347344.098:45698): COMM="audit2allow"
NAME="audit" : search
allow unconfined_t auditd_log_t:file { getattr read };
#TYPE=AVC MSG=audit(1177347344.098:45699): COMM="audit2allow"
NAME="audit.log" : getattr
#TYPE=AVC MSG=audit(1177347344.098:45698): COMM="audit2allow"
NAME="audit.log" : read
allow unconfined_t self:process transition;
#TYPE=AVC MSG=audit(1177347223.780:45683): COMM="runcon"
NAME="SimulatedImport" : transition
Adding "allow unconfined_t self:process transition;" to my "import"
module seems to have no effect.
--> I think you should use allow for a transition from one domain to another, so I don't think the rule you added is right.
Any help would be appreciated.
Thanks,
Mike
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://www.redhat.com/archives/fedora-selinux-list/attachments/20070423/f6255682/attachment.html
------------------------------
Message: 2
Date: Tue, 24 Apr 2007 08:31:49 -0400
From: Daniel J Walsh
Subject: Re: using runcon -l s1
To: "Clarkson, Mike R (US SSA)"
Cc: fedora-selinux-list@xxxxxxxxxx
Message-ID: <462DF8B5.5060301@xxxxxxxxxx>
Content-Type: text/plain; charset=windows-1252; format=flowed
Clarkson, Mike R (US SSA) wrote:
>
> I am trying to figure out how to get "runcon -l s1" to work while
> having selinux in enforcing mode. So far, I can only use the runcon
> command successfully with selinux in permissive mode. Here is the
> error I get when in enforcing mode:
>
> >runcon -l s1 ./SimulatedImport /home/m252/SimulatedImport/output/junk
>
> execvp: Permission denied
>
> My shell is running as root in the unconfined_t domain. Here is the
> output of id -Z:
>
> root:system_r:unconfined_t:s0-s15:c0.c255
>
> The executable that I'm trying to run with runcon is
> "SimulatedImport". This is a very simple program which simply creates
> a small text file. I have created a domain named "import_t" for this
> program.
>
> I have an selinux policy that I built as an mls policy off the
> targeted policy.
>
> When I run audit2allow I get the following:
>
> audit2allow -i /var/log/audit/audit.log -l -v -r
>
> require {
>
> class dir search;
>
> class file { getattr read };
>
> class process transition;
>
> type auditd_log_t;
>
> type unconfined_t;
>
> role system_r;
>
> };
>
> allow unconfined_t auditd_log_t:dir search;
>
> #TYPE=AVC MSG=audit(1177347232.381:45684): COMM="audit2allow"
> NAME="audit" : search
>
> #TYPE=AVC MSG=audit(1177347344.098:45698): COMM="audit2allow"
> NAME="audit" : search
>
> allow unconfined_t auditd_log_t:file { getattr read };
>
> #TYPE=AVC MSG=audit(1177347344.098:45699): COMM="audit2allow"
> NAME="audit.log" : getattr
>
> #TYPE=AVC MSG=audit(1177347344.098:45698): COMM="audit2allow"
> NAME="audit.log" : read
>
> allow unconfined_t self:process transition;
>
> #TYPE=AVC MSG=audit(1177347223.780:45683): COMM="runcon"
> NAME="SimulatedImport" : transition
>
> Adding "allow unconfined_t self:process transition;" to my "import"
> module seems to have no effect.
>
I think you are being prevented by a constraint of MLS
As a guess I would suggest trying:
mls_process_set_level(unconfined_t)
>
>
> Any help would be appreciated.
>
> Thanks,
>
> Mike
>
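Putting messages 1 and 2 together, here is an added example (my own sketch, not Mike's "import" module and not code from Dan) of what the module could look like so that runcon works in enforcing mode on an MLS policy. Two things the denial in message 1 tell us. First, the AVC is on unconfined_t self:process transition with COMM="runcon": the target type is still unconfined_t, because runcon -l only changes the level; the type changes only with -t, or through a type_transition rule when the program is executed without runcon. Second, unconfined_t normally already has self:process transition, so an allow rule that audit2allow keeps regenerating is the signature of an MLS constraint, not of a missing TE rule, which is what Dan's mls_process_set_level(unconfined_t) addresses. The paths in the .fc part, the type name import_output_t and the mls_file_write_down call are assumptions on my part, marked as such in the comments.

```selinux
# --- import.fc ---  (paths assumed from the command line in message 1)
/home/m252/SimulatedImport/SimulatedImport	--	gen_context(system_u:object_r:import_exec_t,s0)
/home/m252/SimulatedImport/output(/.*)?		gen_context(system_u:object_r:import_output_t,s0)

# --- import.te ---
policy_module(import, 1.0)

########################################
# Declarations

type import_t;
type import_exec_t;
domain_type(import_t)
domain_entry_file(import_t, import_exec_t)
role system_r types import_t;

# Type for the files the importer creates (assumed name, not from the thread).
type import_output_t;
files_type(import_output_t)

########################################
# Local policy

gen_require(`
	type unconfined_t;
')

# Type transition for a plain "./SimulatedImport" from the root shell.
# With runcon the new type is whatever runcon asks for, so pass -t import_t
# explicitly when you also want the domain change.
domain_auto_trans(unconfined_t, import_exec_t, import_t)
allow unconfined_t import_t:fd use;
allow import_t unconfined_t:fd use;
allow import_t unconfined_t:fifo_file rw_file_perms;
allow import_t unconfined_t:process sigchld;

# The MLS constraint on process transition only lets the level change when
# the calling domain is allowed to set the level of the new process.
# This is what "runcon -l s1" from an s0 shell is missing (Dan's suggestion).
mls_process_set_level(unconfined_t)

# Create and write the output file.
allow import_t import_output_t:dir rw_dir_perms;
allow import_t import_output_t:file create_file_perms;

# Assumption: the output directory stays labeled s0 while the importer runs
# at s1. MLS treats that write as "writing down" and denies it unless the
# domain is explicitly allowed to; relabel the directory to s1 instead if
# you prefer not to grant this.
mls_file_write_down(import_t)

# Runtime basics for a dynamically linked program.
libs_use_ld_so(import_t)
libs_use_shared_libs(import_t)
miscfiles_read_localization(import_t)
files_read_etc_files(import_t)
```

Before adding rules it is worth confirming the diagnosis: `sesearch --allow -s unconfined_t -t unconfined_t -c process -p transition` shows whether the TE rule already exists; if it does and the denial persists, the cause is a constraint (look at the mlsconstrain lines for process transition in the policy's mls file), and no amount of audit2allow output will fix it. Build and load with `make -f /usr/share/selinux/devel/Makefile import.pp` and `semodule -i import.pp`, run `restorecon -Rv /home/m252/SimulatedImport` so the .fc labels apply, and then run `runcon -t import_t -l s1 ./SimulatedImport /home/m252/SimulatedImport/output/junk` to get both the domain and the level in one step.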
------------------------------
Message: 3
Date: Tue, 24 Apr 2007 08:36:01 -0700
From: "Al Pacifico"
Subject: Re: Helper program for a daemon
To: fedora-selinux-list@xxxxxxxxxx
Cc: Daniel J Walsh
Message-ID:
<5d3cd4150704240836q7d6627a0qc931aa67461f9082@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"
On 4/19/07, Daniel J Walsh wrote:
>
> Al Pacifico wrote:
> > I (a greenhorn with selinux) am writing a policy for a daemon that
> > streams music files over my home network to a music player client (a
> > Slimdevices Squeezebox). My OS is FC5.
> >
> > The main daemon (/usr/sbin/slimserver) is a perl script that serves
> > the music files and is started with an init script. My questions have
> > to do with a secondary program (/usr/sbin/slimserver-scanner, also a
> > perl script) that scans the music on the server, reading mp3 tags and
> > such, and generates a database of stored music that is stored in a
> > MySQL database. /usr/sbin/slimserver-scanner is invoked by the
> > /usr/sbin/slimserver daemon and might be invoked by the user (although
> > I can't recall ever doing so in several years of owning a Squeezebox).
> >
> > I've been following the example posted by Dan Walsh in a blog at
> > http://danwalsh.livejournal.com/8707.html?thread=39171 which has been
> > extremely helpful.
> >
> > My (2) questions:
> > 1. What is the appropriate file context for the scanner program?
> > system_u:object_r:sbin_t?
> > system_u:object_r:slimserver_t?
> > system_u:object_r:slimserver_exec_t?
> >
> That depends on your security goals. If you want the slimserver-scanner
> to have the same privs as slimserver you would label it sbin_t and allow
> slimserver to corecmd_exec_sbin(). If you want to go with least privs,
> you would create a new policy for slimserver-scanner
> (slimserver_scanner_t with file context of slimserver_scanner_exec_t)
> and then add a rule to slimserver_t to domtrans
> slimserver_scanner_domtrans(slimserver_t)
I'm a little confused about this. I want to limit privileges of slimserver
and slimserver-scanner to accessing only certain files. If I label
slimserver-scanner as 'sbin_t', when a user executes slimserver-scanner,
won't he/she have more privileges than slimserver then?
> The generated slimserver.fc file contains:
> > # slimserver executable will have:
> > # label: system_u:object_r:slimserver_exec_t
> > # MLS sensitivity: s0
> > # MCS categories:
> >
> > /usr/sbin/slimserver --
> > gen_context(system_u:object_r:slimserver_exec_t,s0)
> > /var/run/slimserver.pid
> > gen_context(system_u:object_r:slimserver_var_run_t,s0)
> > /var/log/slimserver
> > gen_context(system_u:object_r:slimserver_var_log_t,s0)
> >
> > and the slimserver.if file contains:
> > interface(`slimserver_domtrans',`
> > gen_require(`
> > type slimserver_t, slimserver_exec_t;
> > ')
> >
> > domain_auto_trans($1,slimserver_exec_t,slimserver_t)
> >
> > allow $1 slimserver_t:fd use;
> > allow slimserver_t $1:fd use;
> > allow slimserver_t $1:fifo_file rw_file_perms;
> > allow slimserver_t $1:process sigchld;
> > ')
> >
> > 2. There is no reason to add the scanner program be added to
> > slimserver.fc that was generated by policygentool, is there?
> Only if you are creating a context for slimserver_scanner_exec_t,
> otherwise just let it be labeled sbin_t.
> > The file itself just needs to be labeled appropriately, right? Or does
> > that file play some role in policy compilation in a step that I did
> > not explicitly executed when I invoked 'make -f
> > /usr/share/selinux/devel/Makefile'?
> >
> > Thanks in advance.
> > -al
> > --
> > Al Pacifico
> > Seattle, WA
>
>
--
Al Pacifico
Seattle, WA
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://www.redhat.com/archives/fedora-selinux-list/attachments/20070424/4e25931f/attachment.html
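For the scanner question, here is an added example (mine, not Al's policygentool output and not Dan's code) of the least-privilege route Dan describes: a separate slimserver_scanner module plus the one domtrans call added to slimserver.te. It also shows why the two labeling choices differ for a user who runs the scanner by hand. With sbin_t there is no domain transition at all, so the script runs in whatever domain the caller already has: slimserver_t when the daemon runs it through corecmd_exec_sbin(), and the user's own domain (unconfined_t on a targeted policy) when a user runs it. With slimserver_scanner_exec_t the transition happens only for domains that call slimserver_scanner_domtrans(), so the daemon lands in slimserver_scanner_t and a user stays in their own domain unless you add that call for their domain too. Assumptions, marked in the comments: the slimserver module defines a slimserver_music_t type for the collection, and the scanner reaches MySQL over the local socket.

```selinux
# --- slimserver_scanner.fc ---
/usr/sbin/slimserver-scanner	--	gen_context(system_u:object_r:slimserver_scanner_exec_t,s0)

# --- slimserver_scanner.if ---
## <summary>Music library scanner started by the slimserver daemon.</summary>

########################################
## <summary>
##	Execute slimserver-scanner in the slimserver_scanner domain.
## </summary>
## <param name="domain">Domain allowed to transition.</param>
#
interface(`slimserver_scanner_domtrans',`
	gen_require(`
		type slimserver_scanner_t, slimserver_scanner_exec_t;
	')

	domain_auto_trans($1, slimserver_scanner_exec_t, slimserver_scanner_t)

	allow $1 slimserver_scanner_t:fd use;
	allow slimserver_scanner_t $1:fd use;
	allow slimserver_scanner_t $1:fifo_file rw_file_perms;
	allow slimserver_scanner_t $1:process sigchld;
')

# --- slimserver_scanner.te ---
policy_module(slimserver_scanner, 1.0)

########################################
# Declarations

type slimserver_scanner_t;
type slimserver_scanner_exec_t;
domain_type(slimserver_scanner_t)
domain_entry_file(slimserver_scanner_t, slimserver_scanner_exec_t)
role system_r types slimserver_scanner_t;

########################################
# Local policy

# Assumption: the slimserver module labels the music collection
# slimserver_music_t. The scanner only needs to read it.
gen_require(`
	type slimserver_music_t;
')
allow slimserver_scanner_t slimserver_music_t:dir r_dir_perms;
allow slimserver_scanner_t slimserver_music_t:file r_file_perms;

# Store the scanned tags in MySQL over its local socket (assumed transport).
mysql_stream_connect(slimserver_scanner_t)

# The scanner is a perl script: it needs the interpreter under /usr/bin,
# the dynamic loader and the usual libraries and locale data.
corecmd_exec_bin(slimserver_scanner_t)
libs_use_ld_so(slimserver_scanner_t)
libs_use_shared_libs(slimserver_scanner_t)
miscfiles_read_localization(slimserver_scanner_t)
files_read_etc_files(slimserver_scanner_t)

# --- add to slimserver.te ---
# Only the daemon transitions into the scanner domain. A user who runs
# /usr/sbin/slimserver-scanner by hand stays in their own domain; if you
# want them confined too, call slimserver_scanner_domtrans() for their
# domain as well.
slimserver_scanner_domtrans(slimserver_t)
```

On question 2: the .fc file matters at build time only in the sense that it is packaged into the .pp module, and semodule loads it into the file_contexts database; the label is applied to the file itself only when restorecon (or a relabel) runs. So if the scanner gets its own exec type, it needs an .fc entry, a rebuild and a `restorecon -v /usr/sbin/slimserver-scanner`; if it stays sbin_t, nothing in the .fc changes.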
------------------------------
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
End of fedora-selinux-list Digest, Vol 38, Issue 17
***************************************************