On Mon, 2007-07-23 at 09:09 -0500, Justin Conover wrote:
> I'm not sure if there is a regular selinux mailing list or not, I
> mainly use Fedora but thought someone here might be able to help.

http://www.nsa.gov/selinux/info/list.cfm

> I'm playing with selinux on Debian Testing and decided to try and
> write a policy from following the fc5 faq
>
> http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385
>
> Here is what I have done:
>
> comatose:~# sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   permissive
> Mode from config file:          permissive
> Policy version:                 21
> Policy from config file:        refpolicy-targeted
>
> comatose:~# audit2allow -m local -l -i /var/log/audit/audit.log > local.te
> comatose:~# checkmodule -M -m -o local.mod local.te
> checkmodule:  loading policy configuration from local.te
> checkmodule:  policy configuration loaded
> checkmodule:  writing binary representation (version 6) to local.mod
> comatose:~# semodule_package -o local.pp -m local.mod
> comatose:~# semodule -i local.pp
> libsepol.check_assertion_helper: assertion on line 0 violated by allow hald_t memory_device_t:chr_file { read };
> libsepol.check_assertions: 1 assertion violations occured
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule:  Failed!
>
> comatose:~# cat local.te
>
> module local 1.0;
>
> require {
>         type unconfined_t;
>         type lib_t;
>         type xserver_log_t;
>         type mount_t;
>         type var_run_t;
>         type syslogd_t;
>         type etc_runtime_t;
>         type initrc_t;
>         type xdm_t;
>         type udev_t;
>         type device_t;
>         type hald_t;
>         type xdm_xserver_t;
>         type memory_device_t;
>         type insmod_t;
>         type dhcpc_t;
>         type var_t;
>         type etc_t;
>         type security_t;
>         class fifo_file write;
>         class process { execstack execmem signal };
>         class unix_stream_socket { read write };
>         class chr_file read;
>         class fd use;
>         class file { write rename getattr append read create unlink execute_no_trans };
>         class filesystem getattr;
>         class dir { write remove_name create add_name rmdir };
> }
>
> #============= dhcpc_t ==============
> allow dhcpc_t etc_runtime_t:file unlink;
>
> #============= hald_t ==============
> allow hald_t memory_device_t:chr_file read;

The above rule violates a neverallow statement in your base policy to
catch dangerous rules (like access to /dev/mem or /dev/kmem, as in this
case). Options:
- remove the rule entirely,
- replace "allow" with "dontaudit" to silence the audit message without
  allowing it,
- use the appropriate refpolicy interface to allow it in a way that marks
  hald_t with a typeattribute authorized for such access.

> allow hald_t var_t:file { read getattr };
>
> #============= insmod_t ==============
> allow insmod_t xdm_t:fd use;
> allow insmod_t xdm_xserver_t:unix_stream_socket { read write };
> allow insmod_t xserver_log_t:file write;
>
> #============= mount_t ==============
> allow mount_t security_t:filesystem getattr;
>
> #============= syslogd_t ==============
> allow syslogd_t device_t:fifo_file write;
>
> #============= udev_t ==============
> allow udev_t etc_t:dir { write remove_name add_name };
> allow udev_t etc_t:file { write rename create unlink append };
> allow udev_t initrc_t:process signal;
> allow udev_t lib_t:file execute_no_trans;
> allow udev_t var_run_t:dir { create rmdir };
>
> #============= unconfined_t ==============
> allow unconfined_t self:process { execstack execmem };
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

--
Stephen Smalley
National Security Agency
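As an added example (not code from this thread, from refpolicy or from the SELinux userspace), the following POSIX shell script applies the second option above to an audit2allow-generated module: it lists the allow rules that grant chr_file access to memory_device_t (the ones a base-policy neverallow will reject), rewrites only those as dontaudit, and then rebuilds the module with the same checkmodule / semodule_package steps shown earlier, if those tools are installed. The file name local.te, the sample module contents and the list of "dangerous" target types are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original thread: turn neverallow-tripping
# "allow" rules in an audit2allow module into "dontaudit" rules, then rebuild.
# Assumptions: module file is local.te; DANGEROUS_TYPES is illustrative.

# Object types whose chr_file access ordinary domains must not be granted
# (memory_device_t covers /dev/mem and /dev/kmem).
DANGEROUS_TYPES="memory_device_t"

# list_dangerous_rules FILE: print each allow rule granting chr_file access
# to a type in DANGEROUS_TYPES; exit 0 only if at least one such rule exists.
list_dangerous_rules() {
    for t in $DANGEROUS_TYPES; do
        grep -E "^[[:space:]]*allow[[:space:]]+[A-Za-z0-9_]+[[:space:]]+$t:chr_file[[:space:]]" "$1"
    done | grep .
}

# demote_to_dontaudit FILE TYPE CLASS: emit FILE with every
# "allow <domain> TYPE:CLASS ..." rule rewritten as dontaudit.
# The audit noise stops, but the access stays denied.
demote_to_dontaudit() {
    sed -E "s/^([[:space:]]*)allow([[:space:]]+[A-Za-z0-9_]+[[:space:]]+$2:$3[[:space:]])/\1dontaudit\2/" "$1"
}

# build_module FILE.te: compile and package the module with the same
# commands used in the thread. Returns 2 when the tools are not installed.
build_module() {
    base=${1%.te}
    if ! command -v checkmodule >/dev/null 2>&1 || ! command -v semodule_package >/dev/null 2>&1; then
        echo "checkmodule/semodule_package not found; skipping build of $1" >&2
        return 2
    fi
    checkmodule -M -m -o "$base.mod" "$1" && semodule_package -o "$base.pp" -m "$base.mod"
}

# Constructed sample: a trimmed version of the module posted in the thread.
WORK=$(mktemp -d)
SAMPLE_TE="$WORK/local.te"
cat > "$SAMPLE_TE" <<'EOF'
module local 1.0;

require {
        type hald_t;
        type memory_device_t;
        type var_t;
        class chr_file read;
        class file { read getattr };
}

#============= hald_t ==============
allow hald_t memory_device_t:chr_file read;
allow hald_t var_t:file { read getattr };
EOF

if list_dangerous_rules "$SAMPLE_TE" >/dev/null; then
    echo "rules that will trip a neverallow in the base policy:" >&2
    list_dangerous_rules "$SAMPLE_TE" >&2
    demote_to_dontaudit "$SAMPLE_TE" memory_device_t chr_file > "$WORK/local.fixed.te"
    mv "$WORK/local.fixed.te" "$SAMPLE_TE"
fi
build_module "$SAMPLE_TE" || echo "module not built (exit $?)" >&2
```

Note what dontaudit does and does not do: hald is still refused /dev/mem, only the AVC message disappears. Of the three options Stephen lists, only the third (a refpolicy interface that puts hald_t in the authorized attribute) actually grants the access, so use it only if you have established that the daemon genuinely needs it.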