Stefan Schleifer wrote:
> Hey guys,
>
> As you might guess, I've a problem with my SELinux-policy under Fedora 9.
>
> I created a little test application 'demo' which reads some text from
> stdin and writes it in a config file /etc/hackbar/config.txt.
>
> Afterwards, I developed a policy with types demo_t, demo_exec_t and
> demo_etc_t and allowed demo_exec_t to read/write demo_etc_t.
> Everything's fine.
>
> For testing purposes I changed /etc/hackbar/config.txt to type etc_t
> which demo_exec_t shouldn't be able to access as there doesn't exist an
> allow demo_exec_t r/w etc_t.
>
> [stefan@localhost policy]$ ls -Z /usr/local/bin/demo
> -rwsr-sr-x root root system_u:object_r:demo_exec_t:s0 /usr/local/bin/demo
> [stefan@localhost policy]$ ls -Z /etc/hackbar/config.txt
> -rwxr-xr-x root root system_u:object_r:etc_t:s0 /etc/hackbar/config.txt
>
> Again I ran the application but it is still allowed to change that file?!
>
> [stefan@localhost policy]$ /usr/local/bin/demo
> Enter text: foobar
> Read from file: foobar
>
> According to standard UNIX permissions access should be granted as the
> demo-app has suid set, but shouldn't SELinux permit access anyway in
> this case?
>
> SELinux is in enforcing mode.
>
> [stefan@localhost policy]$ /usr/sbin/sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   enforcing
> Mode from config file:          enforcing
> Policy version:                 22
> Policy from config file:        targeted
>
> I'm rather confused...
>
> best regards,
> Stefan
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

You need to define a transition rule from the domain that is executing
the demo application.

So if you are running as unconfined_t you will need a rule like

    domtrans_pattern(unconfined_t, demo_exec_t, demo_t)
    role unconfined_r types demo_t;
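The reply above names the missing piece but not the surrounding module. What follows is an added example, written for this page and not taken from the thread or from Fedora's policy sources: a complete reference-policy style demo.te that declares the three types from the original question, grants demo_t access only to demo_etc_t, and adds the domain transition from unconfined_t. The security point it illustrates is that the setuid bit on /usr/local/bin/demo only changes the UID; the SELinux domain of the new process is chosen by a type_transition rule, and without one the process simply stays in the caller's domain (unconfined_t), which is permitted to write etc_t. The interface names (domain_type, domain_entry_file, files_config_file, rw_files_pattern, files_search_etc, userdom_use_user_terminals, domain_use_interactive_fds) are assumed to exist in the installed policy's development headers; their exact names vary between policy releases.

```selinux
policy_module(demo, 1.0.0)

########################################
#
# Declarations
#

# Process domain for the running application and the type of its binary.
type demo_t;
type demo_exec_t;
domain_type(demo_t)
domain_entry_file(demo_t, demo_exec_t)

# Type for /etc/hackbar and its contents (labelled via demo.fc, quoted
# in the comment at the end of this file).
type demo_etc_t;
files_config_file(demo_etc_t)

########################################
#
# demo local policy
#

# demo_t may read and write its own configuration and search /etc on the
# way there. Nothing here allows etc_t, so once the process really runs
# as demo_t a write to an etc_t-labelled config.txt is denied and shows
# up as an AVC message in the audit log.
rw_files_pattern(demo_t, demo_etc_t, demo_etc_t)
files_search_etc(demo_t)

# stdin/stdout are the caller's terminal and inherited file descriptors
# (interface names assumed; they differ between policy versions).
userdom_use_user_terminals(demo_t)
domain_use_interactive_fds(demo_t)

########################################
#
# Transition from the calling domain
#
# The setuid bit changes only the UID. Without the type_transition that
# domtrans_pattern generates, a shell in unconfined_t that executes
# demo_exec_t stays in unconfined_t, and unconfined_t may write etc_t.
gen_require(`
	type unconfined_t;
	role unconfined_r;
')
domtrans_pattern(unconfined_t, demo_exec_t, demo_t)
role unconfined_r types demo_t;

# demo.fc (a separate file in the same module), constructed for this
# example so that restorecon applies the types used above:
#   /usr/local/bin/demo   --   gen_context(system_u:object_r:demo_exec_t,s0)
#   /etc/hackbar(/.*)?         gen_context(system_u:object_r:demo_etc_t,s0)
```

Build and load it with the policy development Makefile (`make -f /usr/share/selinux/devel/Makefile` followed by `semodule -i demo.pp`), then run `restorecon -R /usr/local/bin/demo /etc/hackbar`. The check that the transition actually happened is the process label, not the file label: while demo is waiting at its "Enter text:" prompt, `ps -eZ | grep demo` should show demo_t rather than unconfined_t. With config.txt relabelled to etc_t as in the original test, the write is then refused in enforcing mode and `ausearch -m avc -c demo` shows the denial from demo_t to etc_t, which is the behaviour the poster expected.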