On May 28, 2008, at 8:44 PM, Daniel J Walsh wrote:
You need to define a transition rule from the domain that is executing the demo application. So if you are running as unconfined_t you will need a rule like

    domtrans_pattern(unconfined_t, demo_exec_t, demo_t)
    role unconfined_r types demo_t;
Hey, you folks rock, thx a bunch. I forgot the transition rule. As suggested, I added:
    domain_auto_trans(unconfined_t, demo_exec_t, demo_t);

and now the app runs as demo_t:

    [stefan@localhost policy]$ ps -efZ | grep demo
    unconfined_u:unconfined_r:demo_t:s0-s0:c0.c1023 root 2856 2510 0 20:56 pts/2 00:00:00 /usr/local/bin/demo
However, when I set SELinux to enforcing mode again, the app produces a seg fault; it doesn't even come to the point where it writes to the file. Furthermore, the SELinux Troubleshooter doesn't alert me about having blocked something.
May I dare to ask, what's still missing? The policy as a whole:

    policy_module(demo,1.0.0)

    ########################################
    #
    # Declarations
    #

    type demo_t;
    type demo_exec_t;
    application_domain(demo_t, demo_exec_t);
    domain_auto_trans(unconfined_t, demo_exec_t, demo_t);
    role unconfined_r types demo_t;
    role system_r types demo_t;

    require {
        type unconfined_t;
        role unconfined_r;
    }

    type demo_tmp_t;
    files_tmp_file(demo_tmp_t)

    type demo_etc_rw_t;
    files_type(demo_etc_rw_t)

    ########################################
    #
    # demo local policy
    #

    ## internal communication is often done using fifo and unix sockets.
    allow demo_t self:fifo_file rw_file_perms;
    allow demo_t self:unix_stream_socket create_stream_socket_perms;

    files_read_etc_files(demo_t)
    libs_use_ld_so(demo_t)
    libs_use_shared_libs(demo_t)
    miscfiles_read_localization(demo_t)

    allow demo_t demo_tmp_t:file manage_file_perms;
    allow demo_t demo_tmp_t:dir create_dir_perms;
    files_tmp_filetrans(demo_t,demo_tmp_t, { file dir })

    allow demo_t demo_etc_rw_t:file manage_file_perms;
    allow demo_t demo_etc_rw_t:dir manage_dir_perms;
    files_etc_filetrans(demo_t,demo_etc_rw_t, { file dir })

    optional_policy(`
        gen_require(`
            type user_t;
            type user_devpts_t;
            type user_tty_device_t;
            role user_r;
        ')
        demo_run(user_t, user_r, { user_tty_device_t user_devpts_t })
    ')

Many thanks,
Stefan
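A crash in enforcing mode with nothing in the troubleshooter is the classic sign of a dontaudit rule in the base policy suppressing the denial, so the first diagnostic step is to rebuild the policy with dontaudit rules disabled and look at the raw AVC records for the new domain. The script below is an added example, not code from this thread; it assumes policycoreutils (`semodule -DB` / `semodule -B`) and `ausearch` are installed, that the domain is demo_t, and the audit lines it parses offline are constructed samples.

```shell
#!/bin/sh
# Added example (not Stefan's or Dan's code): find denials that a dontaudit
# rule hides from setroubleshoot. Lift the dontaudit rules, run the program,
# summarize AVC records for the demo_t domain, then restore the policy.
# The sample audit lines below are constructed, not taken from the thread.

# summarize_avc DOMAIN: read audit records on stdin and print one line per
# distinct denial whose source context is DOMAIN, as "tclass perms -> tcontext".
summarize_avc() {
    domain="$1"
    grep 'avc:  denied' | grep "scontext=[^ ]*:${domain}:" |
        sed -n 's/.*denied  { \([^}]*\) } .*scontext=\([^ ]*\) tcontext=\([^ ]*\) tclass=\([^ ]*\).*/\4 \1 -> \3/p' |
        sort -u
}

# Constructed sample in the format ausearch prints: two denials for demo_t.
SAMPLE_AVC='type=AVC msg=audit(1212000000.001:123): avc:  denied  { execmem } for  pid=2856 comm="demo" scontext=unconfined_u:unconfined_r:demo_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:demo_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1212000000.002:124): avc:  denied  { read } for  pid=2856 comm="demo" name="ld.so.cache" dev=sda1 ino=1234 scontext=unconfined_u:unconfined_r:demo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ld_so_cache_t:s0 tclass=file'

# check_live DOMAIN: the real procedure; needs root and policycoreutils.
check_live() {
    command -v semodule >/dev/null 2>&1 || { echo "semodule not found" >&2; return 1; }
    semodule -DB                      # rebuild policy with dontaudit rules disabled
    echo "dontaudit rules disabled; run the program now, then press Enter" >&2
    read -r dummy
    ausearch -m AVC -ts recent | summarize_avc "$1"
    semodule -B                       # rebuild with dontaudit rules back in place
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | summarize_avc demo_t
```

Each summarized line names the object class, the denied permissions and the target context, which is exactly what audit2allow needs to suggest the missing allow rule for demo.te.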
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list