Re: What is missing with this policy

On Fri, Nov 12, 2010 at 09:16:40AM -0800, David Highley wrote:
> "Daniel J Walsh wrote:"
> > 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > On 11/12/2010 06:45 AM, Dominick Grift wrote:
> > > On Thu, Nov 11, 2010 at 06:55:44PM -0800, David Highley wrote:
> > >> When I install the following policy I see these warnings, what is
> > >> missing?
> > >>
> > >> libsemanage.semanage_fc_sort: WARNING: semanage_fc_sort: Incomplete context.
> > >> libsemanage.semanage_fc_sort: WARNING: semanage_fc_sort: Incomplete context.
> > >>
> > >> sshdfilter.fc:
> > >> /etc/rc\.d/init\.d/sshdfilter --
> > >> gen_context(system_u:object_r:sshdfilter_initrc_exec_t, s0)
> > >> /etc/sshdfilterrc.* -- gen_context(system_u:object_r:sshdfilter_etc_t, s0)
> > >> /usr/sbin/sshdfilter -- gen_context(system_u:object_r:sshdfilter_exec_t, s0)
> > >> #/var/run/sshdfilter.fifo -- gen_context(system_u:object_r:sshdfilter_syslog_t, s0)
> > > 
> > > Try removing the commented line from the .fc file. Also, what text editor are you using? I've seen issues with some editors appending hidden symbols at the end of a line, which caused problems (emacs).
> 
> Removing the comment did not fix the warning. I use vim and I checked
> for unwanted characters as well. At the bottom it was recommended to use
> audit2allow -R to find the interfaces instead of using require in the te
> file. Can it be run against the policy files or do you have to remove
> the policy changes and create new avc's?
> 
> > > 
> > >>
> > >> sshdfilter.if:
> > >> ## <summary></summary>
> > >>
> > >> sshdfilter.te:
> > >> policy_module(sshdfilter, 1.0.7)
> > >>
> > >> type sshdfilter_t;
> > >> type sshdfilter_exec_t;
> > >> init_daemon_domain(sshdfilter_t, sshdfilter_exec_t)
> > >>
> > >> type sshdfilter_initrc_exec_t;
> > >> init_script_file(sshdfilter_initrc_exec_t)
> > >>
> > >> type sshdfilter_etc_t;
> > >> files_config_file(sshdfilter_etc_t)

I think this may also have some content in /var/run/'somewhere':

type sshdfilter_var_run_t;
files_pid_file(sshdfilter_var_run_t)

See rpm -ql sshdfilter and add a file context spec for the stuff in /var/run, for example:

/var/run/sshdfilter(/.*)? gen_context(system_u:object_r:sshdfilter_var_run_t, s0)

> > >>
> > >> dev_read_urand(sshdfilter_t)


> > >> corecmd_search_bin(sshdfilter_t)

Remove this; it is facilitated below.

> > >> miscfiles_read_localization(sshdfilter_t)
> > >>
> > >> require {
> > >>         type var_run_t;
> > >>         type usr_t;
> > >>         type syslogd_t;
> > >>         type etc_t;
> > >>         type shell_exec_t;
> > >>         type sshdfilter_t;
> > >>         type bin_t;
> > >>         type devlog_t;
> > >>         type sshdfilter_etc_t;
> > >>         type proc_t;
> > >>         type net_conf_t;
> > >>         class sock_file { write getattr };
> > >>         class lnk_file read;
> > >>         class unix_dgram_socket { write create connect ioctl sendto };
> > >>         class file { execute read ioctl execute_no_trans getattr open create };
> > >>         class fifo_file { write ioctl read open getattr };
> > >>         class dir { write add_name remove_name };
> > >> }
> > >>
> > >> #============= sshdfilter_t ==============
> > >> allow sshdfilter_t bin_t:file { read getattr open execute execute_no_trans };
> > >> allow sshdfilter_t bin_t:lnk_file read;

corecmd_exec_bin(sshdfilter_t)


> > >> allow sshdfilter_t devlog_t:sock_file { write getattr };

logging_send_syslog_msg(sshdfilter_t)

> > >> allow sshdfilter_t etc_t:file { read getattr open };

files_read_etc_files(sshdfilter_t)

> > >> allow sshdfilter_t proc_t:file { read getattr open };

kernel_read_system_state(sshdfilter_t)

> > >> allow sshdfilter_t self:fifo_file { read write ioctl getattr };
> > >> allow sshdfilter_t self:unix_dgram_socket { write create ioctl connect };

> > >> allow sshdfilter_t shell_exec_t:file { read execute open getattr execute_no_trans };

corecmd_exec_shell(sshdfilter_t)

> > >> allow sshdfilter_t sshdfilter_etc_t:file { read ioctl open getattr };

> > >> allow sshdfilter_t syslogd_t:unix_dgram_socket sendto;

No longer needed; it is allowed by logging_send_syslog_msg() above.

> > >> allow sshdfilter_t usr_t:file { read getattr open ioctl };

files_read_usr_files(sshdfilter_t)

> > >> allow sshdfilter_t var_run_t:dir { write add_name remove_name };
> > >> allow sshdfilter_t var_run_t:file { write getattr unlink open create ioctl };
> > >> allow sshdfilter_t var_run_t:fifo_file { read open ioctl getattr };

Looks like it owns a file and a pipe somewhere in /var/run/(sshdfilter?):

manage_files_pattern(sshdfilter_t, sshdfilter_var_run_t, sshdfilter_var_run_t)
manage_fifo_files_pattern(sshdfilter_t, sshdfilter_var_run_t, sshdfilter_var_run_t)
files_pid_filetrans(sshdfilter_t, sshdfilter_var_run_t, { file fifo_file })

Note: the above may be wrong or may not suffice, depending on what sshdfilter creates/owns in /var/run.

> > >> allow sshdfilter_t net_conf_t:file { read getattr open };

sysnet_read_config(sshdfilter_t)

> > >>
> > >> optional_policy(`
> > >>         iptables_domtrans(sshdfilter_t)
> > >> ')
> > >> --
> > >> selinux mailing list
> > >> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > >> https://admin.fedoraproject.org/mailman/listinfo/selinux
> > 
> > 
> > Also, if your te file includes gen_require, you probably are not doing
> > something correctly.
> > 
> > You should use interfaces.
> > 
> > audit2allow -R
> > 
> > Will search for matching interfaces.
> > 
> > corecmd_exec_bin(sshdfilter_t)
> > corecmd_exec_shell(sshdfilter_t)
> > 
> > files_read_etc_files(sshdfilter_t)
> > files_read_usr_files(sshdfilter_t)
> > ...
> > 
> > 
> > If you are writing a file or directory into a type that you do not own,
> > that is a time for you to define a type and then do a transition.
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.11 (GNU/Linux)
> > Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
> > 
> > iEYEARECAAYFAkzdSJcACgkQrlYvE4MpobPS4gCguFctLjApzOPZeOM9D55NhaY1
> > +noAoK/V1GajelqZiEX/ityu07iyGylP
> > =bhNk
> > -----END PGP SIGNATURE-----
> > 
> 
> 
> -- 
> 
> Regards,
> 
> David Highley
> Highley Recommended, Inc.       Phone: (206) 669-0081
> 2927 SW 339th Street            WEB: http://www.highley-recommended.com
> Federal Way, WA 98023-7732
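Added example (mine, not code from this thread, from sshdfilter or from libsemanage): a small Python checker for .fc lines that reports entries whose security context is missing or is not a full user:role:type. The sample .fc text below is constructed; its first entry is wrapped across two lines the way a mail client wraps long lines, which is one way an entry can lose its context field. Whether that is what produced the "Incomplete context" warning above is an assumption on my part, not a diagnosis, and the checker's notion of "incomplete" is mine rather than libsemanage's.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample .fc content (not the poster's real file). The first entry
# is deliberately split over two lines; the last one lacks the role component.
SAMPLE_FC = r"""
# sshdfilter file contexts (constructed sample)
/etc/rc\.d/init\.d/sshdfilter --
gen_context(system_u:object_r:sshdfilter_initrc_exec_t, s0)
/etc/sshdfilterrc.* -- gen_context(system_u:object_r:sshdfilter_etc_t, s0)
/usr/sbin/sshdfilter -- gen_context(system_u:object_r:sshdfilter_exec_t, s0)
/var/run/sshdfilter(/.*)? gen_context(system_u:object_r:sshdfilter_var_run_t, s0)
/var/run/sshdfilter\.fifo -p <<none>>
/etc/broken -- gen_context(system_u:sshdfilter_etc_t, s0)
"""

# path regex, optional file-type flag (--, -b, -c, -d, -p, -l, -s), then the
# context field; the context may contain spaces (e.g. after the comma).
LINE_RE = re.compile(r"^(\S+)(?:\s+(-[-bcdpls]))?(?:\s+(.*))?$")


@dataclass
class FcEntry:
    lineno: int
    regex: str
    ftype: Optional[str]
    context: Optional[str]   # normalised "user:role:type[:mls]" or "<<none>>"
    problem: Optional[str]   # None when the entry is complete


def parse_context(field: str):
    """Return (normalised context, problem). Accepts gen_context(...),
    a raw user:role:type[:mls] string, or <<none>>."""
    field = field.strip()
    if field == "<<none>>":
        return field, None
    if field.startswith("gen_context(") and field.endswith(")"):
        parts = [p.strip() for p in field[len("gen_context("):-1].split(",")]
        sec, mls = parts[0], parts[1:]          # mls: s0 and optional category range
    else:
        bits = field.split(":")
        sec, mls = ":".join(bits[:3]), bits[3:]
    comps = sec.split(":")
    if len(comps) != 3 or not all(comps):
        return None, f"context {field!r} is not user:role:type"
    return ":".join(comps + mls), None


def parse_fc(text: str) -> List[FcEntry]:
    """Parse .fc text into entries, recording a problem for each incomplete one."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                             # blank line or comment
        m = LINE_RE.match(line)                  # always matches a non-empty line
        regex, ftype, ctx = m.group(1), m.group(2), m.group(3)
        if regex.startswith("gen_context("):
            entries.append(FcEntry(lineno, regex, ftype, None,
                "context found where a path regex was expected "
                "(continuation of the previous line?)"))
        elif ctx is None:
            entries.append(FcEntry(lineno, regex, ftype, None,
                "no security context on this line"))
        else:
            norm, problem = parse_context(ctx)
            entries.append(FcEntry(lineno, regex, ftype, norm, problem))
    return entries


def incomplete_entries(text: str) -> List[FcEntry]:
    """Only the entries a semanage-style sort pass would have to reject."""
    return [e for e in parse_fc(text) if e.problem]


if __name__ == "__main__":
    for e in incomplete_entries(SAMPLE_FC):
        print(f"line {e.lineno}: {e.regex}: {e.problem}")
```

Run it against a real module's .fc file by passing the file's text to incomplete_entries(); an entry reported as "no security context" paired with a following line reported as "continuation of the previous line?" is the wrapped-line case, and rejoining the two lines fixes it. An entry whose context is "not user:role:type" has a typo in the gen_context() argument.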
