Hi Dominick,
thanks for the quick reply. Here is what I'm getting when I run the
command you suggested:
[proxyuser@lime ~]$ sesearch -SCT --allow -s unconfined_t -t CZtp_exec_t
Found 10 semantic av rules:
allow files_unconfined_type file_type : filesystem { mount remount
unmount getattr relabelfrom relabelto transition associate quotamod
quotaget } ;
allow files_unconfined_type file_type : file { ioctl read write
create getattr setattr lock relabelfrom relabelto append unlink link
rename execute swapon quotaon mounton execute_no_trans entrypoint open
audit_access } ;
allow files_unconfined_type file_type : dir { ioctl read write
create getattr setattr lock relabelfrom relabelto append unlink link
rename execute swapon quotaon mounton add_name remove_name reparent
search rmdir open audit_access execmod } ;
allow files_unconfined_type file_type : lnk_file { ioctl read write
create getattr setattr lock relabelfrom relabelto append unlink link
rename execute swapon quotaon mounton open audit_access execmod } ;
allow files_unconfined_type file_type : chr_file { ioctl read write
create getattr setattr lock relabelfrom relabelto append unlink link
rename execute swapon quotaon mounton execute_no_trans entrypoint open
audit_access } ;
allow files_unconfined_type file_type : blk_file { ioctl read write
create getattr setattr lock relabelfrom relabelto append unlink link
rename execute swapon quotaon mounton open audit_access execmod } ;
allow files_unconfined_type file_type : sock_file { ioctl read write
create getattr setattr lock relabelfrom relabelto append unlink link
rename execute swapon quotaon mounton open audit_access execmod } ;
allow files_unconfined_type file_type : fifo_file { ioctl read write
create getattr setattr lock relabelfrom relabelto append unlink link
rename execute swapon quotaon mounton open audit_access execmod } ;
allow unconfined_usertype application_exec_type : file { ioctl read
getattr lock execute execute_no_trans open } ;
ET allow files_unconfined_type file_type : file execmod ; [ allow_execmod ]
I have a hard time telling whether the output qualifies as speciying a
domain type transition or not - do you know whether it does? If not,
what should I do with the policy you suggested (in terms of commands to
get it installed) ?
Thanks for the help
Michael
On 7/23/2011 8:43 PM, Dominick Grift wrote:
> You are probably missing a domain type transition.
>
> running the following command you can see if unconfined_t has a domain
> type transition defined when it runs executable files with type
> CZtp_exec_t:
>
> sesearch -SCT --allow -s unconfined_t -t CZtp_exec_t
>
> if none is specified then you must specify that your calling domain
> unconfined_t, domain type transitions to CZtp_t when a file with type
> CZtp_exec_t is executed.
>
> You will also need to allow the unconfined_r role the CZtp_t domain.
>
> After that you may want to allow unconfined_t to interact with CZtp_t in
> other ways as well but at least by then the type transition should
> happen.
>
> The policy:
>
> gen_require(` type unconfined_t, CZtp_exec_t, CZtp_t; role unconfined_r;
> ')
> domtrans_pattern(unconfined_t, CZtp_exec_t, CZtp_t)
> role unconfined_r types CZtp_t;
>
>
> On Sat, 2011-07-23 at 20:32 +0200, Michael Atighetchi wrote:
>> Hi,
>>
>> I'm trying to create a new policy for a constrained process (started by
>> an unconstrainted user) and am stuck trying to get the process started
>> in the right context.
>>
>> Here are the steps I followed:
>>
>> 0. confirm SELinux status
>> [proxyuser@lime ~]$ sestatus
>> SELinux status: enabled
>> SELinuxfs mount: /selinux
>> Current mode: permissive
>> Mode from config file: permissive
>> Policy version: 24
>> Policy from config file: targeted
>>
>> [proxyuser@lime ~]$ cat /etc/redhat-release
>> Fedora release 14 (Laughlin)
>>
>> [proxyuser@lime cz]$ id -Z
>> unconfined_u:unconfined_r:unconfined_t:s0
>>
>> 1. create policy via
>>
>> sepolgen -t 3 /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
>>
>> Note that CZtp is a shell script which in turn calls the JVM.
>>
>> [proxyuser@lime cz]$ sudo ./CZtp.sh
>> Building and Loading Policy
>> + make -f /usr/share/selinux/devel/Makefile
>> make: Nothing to be done for `all'.
>> + /usr/sbin/semodule -i CZtp.pp
>> + /sbin/restorecon -F -R -v
>> /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
>> /sbin/restorecon reset
>> /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp context
>> system_u:system_r:CZtp_exec_t:s0->system_u:object_r:CZtp_exec_t:s0
>>
>> 2. Verify that the the CZtp file is labeled properly:
>> [proxyuser@lime cz]$ ls -lZ
>> /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
>> -rwxr-xr-x. proxyuser proxyuser system_u:object_r:CZtp_exec_t:s0
>> /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
>>
>> 3. start process
>> [proxyuser@lime cz]$ cd /home/proxyuser/trunk/aps-base/crumple-zone/target/
>> [proxyuser@lime target]$ ./CZtp
>>
>> 4. Verify process context
>> [proxyuser@lime ~]$ ps -efZ | grep -v grep | grep CZtp
>> unconfined_u:unconfined_r:unconfined_t:s0 501 5789 5734 0 14:22 pts/0
>> 00:00:00 /bin/sh ./CZtp
>>
>>
>> Note that the process shows up as unconfined_t, although it was labeled
>> with CZtp_exec_t.
>>
>> What am I missing?
>>
>>
>>
>> 4. check process context
>>
--
Michael Atighetchi
Senior Scientist
Raytheon BBN Technologies
617-873-1679
matighet@xxxxxxx
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
