On Fedora 7, latest SELinux strict policy.
I have written an SELinux module which goes through a domain transition
when executing a file on an NFS mount (labeled nfs_t).
However, the transition never occurs, and I get a denied
execute_no_trans on nfs_t files.
In order to find the source of the problem I have taken a file with the
exact same context outside of the NFS mount and the transition works fine.
Here is the related part of my module:
# domain_auto_trans(source_domain, entrypoint_file_type, new_domain)
domain_auto_trans(custom_trans_t, nfs_t, i_custom_t);
# let the source domain read and execute nfs_t files and list nfs_t directories
allow custom_trans_t nfs_t:file rx_file_perms;
allow custom_trans_t nfs_t:dir r_dir_perms;
Here are the details on the nfs share:
file executed:
-rwxrwxr-x vu20003 vg20003 system_u:object_r:nfs_t
/home/usera/var/bin/testphp.app
result:
type=AVC msg=audit(1186108700.494:230294): avc: denied {
execute_no_trans } for pid=5969 comm="custom-app" name="testphp.app"
dev=0:18 ino=269058250 scontext=system_u:system_r:custom_trans_t:s0
tcontext=system_u:object_r:nfs_t:s0 tclass=file
Running the same program and executing an identical file outside the nfs
share: (I labelled manually to match)
file executed:
-rwxrwxr-x vu20003 vg20003 system_u:object_r:nfs_t
/testphp.app
result:
transition is made to context i_custom_t, nothing is audited
Any idea what can cause this difference? I don't believe this behavior
is normal. By the way, if I allow execute_no_trans on nfs_t, the
file gets executed just fine but without the expected transition...
Any help would be much appreciated!
--------------------------------------
David-Alexandre Davidson
IHQ Inc.
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
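Added example, not part of the original post and not code from the Fedora policy or refpolicy: a small Python script that parses the AVC record quoted above and models, in simplified form, the order of checks the kernel applies on exec. It shows why the denial names execute_no_trans rather than transition or entrypoint: that permission is only consulted when no type_transition rule selected a new domain for that (source domain, file type) pair. The expansion of domain_auto_trans() inside Policy is an assumption reduced to the rules the model consults; the AVC regex, the Policy class and exec_decision() are all hypothetical helpers written for this example.

```python
import re

# Constructed sample: the AVC record quoted in the post, joined onto one line.
AVC_SAMPLE = (
    "type=AVC msg=audit(1186108700.494:230294): avc: denied { execute_no_trans } "
    'for pid=5969 comm="custom-app" name="testphp.app" dev=0:18 ino=269058250 '
    "scontext=system_u:system_r:custom_trans_t:s0 "
    "tcontext=system_u:object_r:nfs_t:s0 tclass=file"
)

# Fields of an AVC record this example cares about: result, permission set, contexts, class.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return a dict with result, perms (list), source/target types and class, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    rec["stype"] = rec["scontext"].split(":")[2]   # user:role:type[:range]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


class Policy:
    """Tiny in-memory model of the TE rules relevant to exec; not a real policy compiler."""

    def __init__(self):
        self.allow = set()       # (src_type, tgt_type, class, perm)
        self.transitions = {}    # (src_type, tgt_type, class) -> new type

    def allow_rule(self, src, tgt, cls, perms):
        for p in perms:
            self.allow.add((src, tgt, cls, p))

    def type_transition(self, src, tgt, cls, new):
        self.transitions[(src, tgt, cls)] = new

    def allows(self, src, tgt, cls, perm):
        return (src, tgt, cls, perm) in self.allow

    def domain_auto_trans(self, src, entry, new):
        # Assumed expansion of the refpolicy domain_auto_trans() macro, reduced to
        # the rules exec_decision() consults below.
        self.allow_rule(src, entry, "file", {"getattr", "open", "read", "execute"})
        self.allow_rule(src, new, "process", {"transition"})
        self.allow_rule(new, entry, "file", {"entrypoint"})
        self.type_transition(src, entry, "process", new)


def exec_decision(policy, domain, file_type):
    """Simplified order of checks applied when `domain` execs a `file_type` file.

    Returns ("transition", new_domain), ("executed", domain) or ("denied", perm).
    """
    if not policy.allows(domain, file_type, "file", "execute"):
        return ("denied", "execute")
    new = policy.transitions.get((domain, file_type, "process"))
    if new is None:
        # No type_transition chose a new domain: staying in `domain` needs execute_no_trans.
        if policy.allows(domain, file_type, "file", "execute_no_trans"):
            return ("executed", domain)
        return ("denied", "execute_no_trans")
    if not policy.allows(domain, new, "process", "transition"):
        return ("denied", "transition")
    if not policy.allows(new, file_type, "file", "entrypoint"):
        return ("denied", "entrypoint")
    return ("transition", new)


def explain_denial(line):
    """Turn an execute_no_trans AVC into the question a policy author should ask next."""
    rec = parse_avc(line)
    if rec is None:
        return "not an AVC record"
    if rec["tclass"] == "file" and "execute_no_trans" in rec["perms"]:
        return (f"{rec['stype']} executed a {rec['ttype']} file and no type_transition fired; "
                f"confirm the loaded policy has a type_transition {rec['stype']} "
                f"{rec['ttype']}:process rule and that the kernel saw the file as {rec['ttype']}")
    return f"{rec['result']} {{ {' '.join(rec['perms'])} }} {rec['stype']} -> {rec['ttype']}:{rec['tclass']}"


if __name__ == "__main__":
    print(parse_avc(AVC_SAMPLE))
    print(explain_denial(AVC_SAMPLE))
    pol = Policy()
    pol.domain_auto_trans("custom_trans_t", "nfs_t", "i_custom_t")
    print(exec_decision(pol, "custom_trans_t", "nfs_t"))
```

With the domain_auto_trans rules loaded the model transitions to i_custom_t; with only the allow rules and no type_transition it reports the same execute_no_trans denial as the post. On a live system the equivalent check is a type-transition query against the loaded policy with sesearch from setools (for example `sesearch -T -s custom_trans_t -t nfs_t -c process`) alongside the context the kernel reports for the file.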