Re: Debian testing +selinux

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 2007-07-23 at 09:09 -0500, Justin Conover wrote:
> I'm not sure if there is a regular selinux mailing list or not, I
> mainly use Fedora but thought someone here might be able to help.

http://www.nsa.gov/selinux/info/list.cfm

> I'm playing with selinux on Debian Testing and decided to try and
> write a policy from following the fc5 faq 
> 
> http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385
> 
> 
> Here is what I have done:
> 
> comatose:~# sestatus
> SELinux status:                 enabled 
> SELinuxfs mount:                /selinux
> Current mode:                   permissive
> Mode from config file:          permissive
> Policy version:                 21
> Policy from config file:        refpolicy-targeted 
> 
> comatose:~# audit2allow -m local -l -i /var/log/audit/audit.log >
> local.te
> comatose:~# checkmodule -M -m -o local.mod local.te
> checkmodule:  loading policy configuration from local.te
> checkmodule:  policy configuration loaded 
> checkmodule:  writing binary representation (version 6) to local.mod
> comatose:~# semodule_package -o local.pp -m local.mod
> comatose:~# semodule -i local.pp
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> hald_t memory_device_t:chr_file { read }; 
> libsepol.check_assertions: 1 assertion violations occured
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule:  Failed!
> 
> 
> 
> comatose:~# cat local.te
> 
> module local 1.0;
> 
> require { 
>         type unconfined_t;
>         type lib_t;
>         type xserver_log_t;
>         type mount_t;
>         type var_run_t;
>         type syslogd_t;
>         type etc_runtime_t;
>         type initrc_t;
>         type xdm_t;
>         type udev_t;
>         type device_t;
>         type hald_t;
>         type xdm_xserver_t;
>         type memory_device_t;
>         type insmod_t;
>         type dhcpc_t;
>         type var_t; 
>         type etc_t;
>         type security_t;
>         class fifo_file write;
>         class process { execstack execmem signal };
>         class unix_stream_socket { read write };
>         class chr_file read; 
>         class fd use;
>         class file { write rename getattr append read create unlink
> execute_no_trans };
>         class filesystem getattr;
>         class dir { write remove_name create add_name rmdir };
> }
> 
> #============= dhcpc_t ==============
> allow dhcpc_t etc_runtime_t:file unlink;
> 
> #============= hald_t ==============
> allow hald_t memory_device_t:chr_file read;

The above rule violates a neverallow statement in your base policy to
catch dangerous rules (like access to /dev/mem or /dev/kmem, as in this
case).  Options:
- remove the rule entirely,
- replace "allow" with "dontaudit" to silence the audit message without
allowing it,
- use the appropriate refpolicy interface to allow it in a way that
marks hald_t with a typeattribute authorized for such access.

> allow hald_t var_t:file { read getattr }; 
> 
> #============= insmod_t ==============
> allow insmod_t xdm_t:fd use;
> allow insmod_t xdm_xserver_t:unix_stream_socket { read write };
> allow insmod_t xserver_log_t:file write;
> 
> #============= mount_t ============== 
> allow mount_t security_t:filesystem getattr;
> 
> #============= syslogd_t ==============
> allow syslogd_t device_t:fifo_file write;
> 
> #============= udev_t ==============
> allow udev_t etc_t:dir { write remove_name add_name }; 
> allow udev_t etc_t:file { write rename create unlink append };
> allow udev_t initrc_t:process signal;
> allow udev_t lib_t:file execute_no_trans;
> allow udev_t var_run_t:dir { create rmdir };
> 
> #============= unconfined_t ============== 
> allow unconfined_t self:process { execstack execmem };
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
-- 
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux