Re: Help with SELinux Policy for Usability Study

On Thu, 2009-07-30 at 12:04 +0800, Cliffe wrote:
> Dear SELinux Gurus,
> 
> I am a PhD candidate conducting research into the usability of
> security mechanisms. I would really appreciate some help regarding the
> use of SELinux. Let me know if this is not the right place to be
> asking these types of questions.
> 
> I generated a policy for opera using polgengui. I then ran the
> generated ./opera.sh.
> 
> Although SELinux was still set to enforcing mode opera seemed to run
> unconfined. The executable and process were labelled as expected
> (unconfined_u:unconfined_r:opera_t). AVCs were generated, but not
> enforced.
> 
> I added to opera.te using
> grep opera /var/log/audit/audit.log | audit2allow >> opera.te
> and reran ./opera.sh
> until no AVCs were generated.
> 
> Looking at opera.te I noticed the line “permissive opera_t”, and not
> knowing exactly what this line does, I thought it may be placing this
> domain into permissive mode (although the gui tools suggest
> otherwise). Removing the line causes “/bin/sh: /usr/bin/opera:
> Permission denied”. No AVCs are generated.

Yes, permissive opera_t makes opera_t a permissive domain indeed.
To expose any possible hidden denials run: semodule -DB
To hide them again: semodule -B

> So I am not sure why opera seems to be unconfined, or if removing the
> permissive line was on the right track. Any advice?
> 
> Also I tried creating a policy for kwrite. This time the created
> policy seemed to be in effect as soon as I ran the kwrite.sh script. I
> set setenforce 0 and added to kwrite.te (as above for opera) until no
> error msgs were generated. Then I reran ./kwrite.sh. Now kwrite exits
> with “kwrite(2533): Couldn’t register name
> ‘org.kate-editor.kwrite-2533’ with DBUS – another process owns it
> already!”. When setenforce 0 it runs without AVCs.

This is probably a DBUS issue. DBUS is a SELinux object manager. This
means that DBUS itself provides classes and permissions for some of its
objects. DBUS also enforces policy for these objects.

DBUS logs some user avc denials in audit.log (ausearch -m user_avc -ts
today | grep dbus)

DBUS also logs some denials in /var/log/messages.

> Again I am sure I am missing something simple and your advice will
> help a lot.
> 
> I need to resolve this asap and will really appreciate any advice.
> 
> Soon I will be running a comparative study comparing a number of
> security mechanisms and I need to sort this out.

Good luck.

On an unrelated note:
I recently created an extensive series of screencasts showing how to
confine a GUI app with SELinux (google-gadgets)

http://www.youtube.com/results?search_query=SELinux+confine+a+GUI+app

> Thank you,
> 
> Cliffe.
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list


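The two points made in the reply, as an added example that is not part of the thread: a "permissive <domain>;" declaration in the generated .te means the domain's denials are logged but not enforced, and dbus-enforced denials show up as USER_AVC records from system_dbusd_t (tclass=dbus) rather than kernel AVC records. The .te fragment and the audit records below are constructed; on a real system the same questions are answered by semanage permissive -l, semodule -DB and ausearch -m avc,user_avc.

```shell
#!/bin/sh
# Constructed .te fragment in the shape polgengui emits (assumption).
SAMPLE_TE=$(cat <<'EOF'
policy_module(opera, 1.0.0)
type opera_t;
type opera_exec_t;
application_domain(opera_t, opera_exec_t)
permissive opera_t;
EOF
)

# Constructed audit records: a kernel AVC for opera_t and a dbus USER_AVC
# for kwrite_t. Field layout follows audit.log; every value is made up.
SAMPLE_AUDIT=$(cat <<'EOF'
type=AVC msg=audit(1248931200.123:45): avc:  denied  { read } for  pid=2533 comm="opera" name="fonts.conf" scontext=unconfined_u:unconfined_r:opera_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=USER_AVC msg=audit(1248931200.456:46): user pid=1001 uid=81 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { acquire_svc } for service=org.kate-editor.kwrite-2533 spid=2533 scontext=unconfined_u:unconfined_r:kwrite_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=dbus'
EOF
)

# Domains the .te source declares permissive, one per line.
permissive_domains() {   # $1 = .te text
    printf '%s\n' "$1" | awk '$1 == "permissive" { sub(/;.*/, "", $2); print $2 }'
}

# "permissive" if the domain carries such a declaration, else "enforcing".
domain_mode() {          # $1 = .te text, $2 = domain
    if permissive_domains "$1" | grep -qx "$2"; then echo permissive; else echo enforcing; fi
}

# Count denials of one record type (AVC or USER_AVC) whose source domain is $3.
count_denials() {        # $1 = audit text, $2 = record type, $3 = source domain
    printf '%s\n' "$1" | awk -v t="type=$2" -v d="scontext=[^ ]*:$3:" \
        'index($0, t) == 1 && /avc:  denied/ && $0 ~ d { n++ } END { print n + 0 }'
}

# The bus name a dbus USER_AVC denial was about (empty when there is none).
dbus_service() {         # $1 = audit text
    printf '%s\n' "$1" | awk '/^type=USER_AVC/ && /tclass=dbus/ {
        for (i = 1; i <= NF; i++) if (sub(/^service=/, "", $i)) print $i }'
}

# Stand-alone run: opera_t is permissive (denied but not enforced), kwrite_t is
# enforcing and its only denial came from dbus, so audit2allow on plain AVCs misses it.
for d in opera_t kwrite_t; do
    printf '%s: %s, kernel AVCs=%s, dbus USER_AVCs=%s\n' "$d" \
        "$(domain_mode "$SAMPLE_TE" "$d")" \
        "$(count_denials "$SAMPLE_AUDIT" AVC "$d")" \
        "$(count_denials "$SAMPLE_AUDIT" USER_AVC "$d")"
done
```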
