Re: Selfmade policy not getting enforced on Fedora9

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Stefan Schleifer wrote:
> Hey guys,
> 
> As you might guess, I've a problem with my SELinux-policy under Fedora 9.
> 
> I created a little test application 'demo' which reads some text from
> stdin and writes it in a config file /etc/hackbar/config.txt.
> 
> Afterwarts, I developed a policy with types demo_t, demo_exec_t und
> demo_etc_t and allowed demo_exec_to to read/write demo_etc_t.
> Everything's fine.
> 
> For testing purposes I changed /etc/hackbar/config.txt to type etc_t
> which demo_exec_t shouldn't be able to access as there doesn't exist an
> allow demo_exec_t r/w etc_t.
> 
> 
> [stefan@localhost policy]$ ls -Z /usr/local/bin/demo
> -rwsr-sr-x   root   root   system_u:object_r:demo_exec_t:s0
> /usr/local/bin/demo
> [stefan@localhost policy]$ ls -Z /etc/hackbar/config.txt
> -rwxr-xr-x   root   root   system_u:object_r:etc_t:s0
> /etc/hackbar/config.txt
> 
> 
> Again I ran the application but it is still allowed to change that file?!
> 
> 
> [stefan@localhost policy]$ /usr/local/bin/demo
> Enter text: foobar
> Read from file: foobar
> 
> 
> Regarding to standard UNIX permissions access should be granted as the
> demo-app has suid set, but shouldn't SELinux permitt access anyway in
> this case?
> 
> SELinux is in enforcing mode.
> 
> 
> [stefan@localhost policy]$ /usr/sbin/sestatus
> SELinux status:            enabled
> SELinuxfs mount:            /selinux
> Current mode:            enforcing
> Mode from config file:        enforcing
> Policy version:            22
> Policy from config file:        targeted
> 
> 
> I'm rather confused...
> 
> best regards,
> Stefan
> 
> 
> ------------------------------------------------------------------------
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
You need to define a transition rule from the domain that is executing
the demo application.

So if you are running as unconfined_t you will need a rule like

domtrans_pattern(unconfined_t, demo_exec_t, demo_t)
role unconfined_r types demo_t;


--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux