Hi Dominick,
responses inline below.
On 7/26/2011 11:25 AM, Dominick Grift wrote:
On Tue, 2011-07-26 at 09:33 +0200, Michael Atighetchi wrote:
system_u:object_r:CZtp_exec_t:s0
/home/proxyuser/trunk/aps-base/crumple-zone/target/runSeed.sh    regular file    system_u:object_r:CZwd_exec_t:s0
Maybe you have not declared the CZwd_exec_t type properly. Would need to
see your policy to be able to determine that.
Here is the policy:
policy_module(CZwd,1.0.0)
########################################
#
# Declarations
#
type CZwd_t;
type CZwd_exec_t;
application_domain(CZwd_t, CZwd_exec_t)
role system_r types CZwd_t;
permissive CZwd_t;
########################################
#
# CZwd local policy
#
allow CZwd_t self:fifo_file manage_fifo_file_perms;
allow CZwd_t self:unix_stream_socket create_stream_socket_perms;
domain_use_interactive_fds(CZwd_t)
files_read_etc_files(CZwd_t)
miscfiles_read_localization(CZwd_t)
gen_require(` type unconfined_t; role unconfined_r; ')
CZwd_role(unconfined_r, unconfined_t)
Types have properties. For example, some types are domain types, others
are file types, executable file types, port types, etc.
Type attributes are used to tell SELinux what kind of type it is dealing with.
It is kind of like grouping/classifying/tagging types. Rules are in
place that are specific to various groups of types.
For you to be able to, for example, relabel a file object with a type, the
type will need to be classified as a file type, because there is a rule
that states that files can only be labelled with file types.
I see - the policy above doesn't seem to specify a property on the type.
So if you have not classified your CZwd_exec_t to be a file type, then it
may or may not be the cause of this issue.
How do I add the type to the policy? Any idea what other mistakes can
cause this behavior?
For what it is worth, I generated the CZwd.* files by copying the files
from a previous invocation of sepolgen and replacing all references from
the previous file to the new file. It is only for this process that I
have the labeling problems. For other processes, I explicitly called
sepolgen from scratch.
I've attached the current set of files for CZwd.
Michael
--
Michael Atighetchi
Senior Scientist
Raytheon BBN Technologies
617-873-1679
matighet@xxxxxxx
# CZwd.fc: the entry point must carry CZwd_exec_t for the transition in CZwd.if to fire
/home/proxyuser/trunk/aps-base/crumple-zone/target/runSeed.sh -- gen_context(system_u:object_r:CZwd_exec_t,s0)
## <summary>policy for CZwd</summary>
########################################
## <summary>
## Execute a domain transition to run CZwd.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`CZwd_domtrans',`
	gen_require(`
		type CZwd_t, CZwd_exec_t;
	')

	domtrans_pattern($1, CZwd_exec_t, CZwd_t)
')
########################################
## <summary>
## Execute CZwd in the CZwd domain, and
## allow the specified role the CZwd domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed the CZwd domain.
## </summary>
## </param>
#
interface(`CZwd_run',`
	gen_require(`
		type CZwd_t;
	')

	CZwd_domtrans($1)
	role $2 types CZwd_t;
')
########################################
## <summary>
## Role access for CZwd
## </summary>
## <param name="role">
## <summary>
## Role allowed access
## </summary>
## </param>
## <param name="domain">
## <summary>
## User domain for the role
## </summary>
## </param>
#
interface(`CZwd_role',`
	gen_require(`
		type CZwd_t;
	')

	role $1 types CZwd_t;

	CZwd_domtrans($2)

	ps_process_pattern($2, CZwd_t)
	allow $2 CZwd_t:process signal;
')
#!/bin/sh -e
# CZwd.sh: sepolgen-style helper that builds and loads the CZwd module and
# relabels its entry point; --update folds new AVC denials into CZwd.te first.
moduleName=CZwd
tgtFile=/home/proxyuser/trunk/aps-base/crumple-zone/target/runSeed.sh
DIRNAME=`dirname $0`
cd $DIRNAME
USAGE="$0 [ --update ]"
if [ `id -u` != 0 ]; then
	echo 'You must be root to run this script'
	exit 1
fi
if [ $# -eq 1 ]; then
	if [ "$1" = "--update" ] ; then
		# Only consider denials logged since CZwd.te was last edited.
		# $time expands to two words (date, time), which is what ausearch --start takes.
		time=`ls -l --time-style="+%x %X" ${moduleName}.te | awk '{ printf "%s %s", $6, $7 }'`
		rules=`ausearch --start $time -m avc --raw -se ${moduleName}`
		if [ x"$rules" != "x" ] ; then
			echo "Found avc's to update policy with"
			echo -e "$rules" | audit2allow -R
			echo "Do you want these changes added to policy [y/n]?"
			read ANS
			if [ "$ANS" = "y" -o "$ANS" = "Y" ] ; then
				echo "Updating policy"
				echo -e "$rules" | audit2allow -R >> ${moduleName}.te
				# Fall through and rebuild policy
			else
				exit 0
			fi
		else
			echo "No new avcs found"
			exit 0
		fi
	else
		echo -e $USAGE
		exit 1
	fi
elif [ $# -ge 2 ] ; then
	echo -e $USAGE
	exit 1
fi
echo "Building and Loading Policy"
set -x
make -f /usr/share/selinux/devel/Makefile || exit
/usr/sbin/semodule -i ${moduleName}.pp
# Fixing the file context: -F resets the whole context (user, role, range
# as well as type) from the file context spec, not only the type portion
/sbin/restorecon -F -R -v ${tgtFile}
# CZwd.te
policy_module(CZwd,1.0.0)
########################################
#
# Declarations
#
type CZwd_t;
type CZwd_exec_t;
# CZwd_t becomes a domain, CZwd_exec_t its entry-point executable type
application_domain(CZwd_t, CZwd_exec_t)
role system_r types CZwd_t;
permissive CZwd_t;
########################################
#
# CZwd local policy
#
allow CZwd_t self:fifo_file manage_fifo_file_perms;
allow CZwd_t self:unix_stream_socket create_stream_socket_perms;
domain_use_interactive_fds(CZwd_t)
files_read_etc_files(CZwd_t)
miscfiles_read_localization(CZwd_t)
gen_require(` type unconfined_t; role unconfined_r; ')
CZwd_role(unconfined_r, unconfined_t)
gen_require(` type CZtp_exec_t; role unconfined_r; ')
# NB: the second parameter of CZwd_role is the user domain for the role
# (see CZwd.if); CZtp_exec_t is an executable file type, not a domain
CZwd_role(unconfined_r, CZtp_exec_t)
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
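The thread turns on two things: whether the type named in the .fc has been classified as a file type through some interface (Dominick's point about type attributes), and what goes wrong when a module is produced by copying another module's files and search-and-replacing names. The following is an added example, not part of the thread, of the attached CZwd module, or of sepolgen: a small offline lint that parses a module's .fc and .te text and reports the copy-and-rename mistakes those two passages describe. The sample .fc/.te strings are constructed from the attachments (trimmed to the relevant lines), and FILE_TYPE_IFACES is an assumed, non-exhaustive list of refpolicy interfaces whose named argument ends up with file-type attributes.

```python
"""Lint a hand-edited SELinux policy module for copy-and-rename mistakes.

Added example for this thread; not part of the attached CZwd module or of
sepolgen.  CZWD_FC / CZWD_TE are constructed from what the thread posts, and
FILE_TYPE_IFACES is a short, non-exhaustive list (an assumption) of refpolicy
interfaces that attach file-type attributes to one of their arguments.
"""
import re

# Constructed from the attached CZwd.fc / CZwd.te (trimmed, same content).
CZWD_FC = (
    "/home/proxyuser/trunk/aps-base/crumple-zone/target/runSeed.sh -- "
    "gen_context(system_u:object_r:CZwd_exec_t,s0)\n"
)
CZWD_TE = """\
policy_module(CZwd,1.0.0)
type CZwd_t;
type CZwd_exec_t;
application_domain(CZwd_t, CZwd_exec_t)
role system_r types CZwd_t;
permissive CZwd_t;
allow CZwd_t self:fifo_file manage_fifo_file_perms;
gen_require(` type unconfined_t; role unconfined_r; ')
CZwd_role(unconfined_r, unconfined_t)
gen_require(` type CZtp_exec_t; role unconfined_r; ')
CZwd_role(unconfined_r, CZtp_exec_t)
"""

# Interface name -> 0-based position of the argument that becomes a file type.
# Assumption: these are the entry points a small application module uses.
FILE_TYPE_IFACES = {
    "application_domain": 1,
    "init_daemon_domain": 1,
    "files_type": 0,
    "corecmd_executable_file": 0,
    "application_executable_file": 0,
}

RE_MODULE = re.compile(r"policy_module\(\s*(\w+)")
RE_TYPE = re.compile(r"^\s*type\s+(\w+)\s*[;,]", re.M)     # first name of a type decl
RE_CALL = re.compile(r"^\s*(\w+)\(([^()]*)\)\s*$", re.M)    # single-line interface call
RE_FC = re.compile(r"^(\S+)\s+(?:\S+\s+)?gen_context\(\w+:\w+:(\w+)", re.M)


def interface_calls(te_text):
    """Return [(name, [args...])] for interface calls, skipping m4 plumbing."""
    calls = []
    for name, raw in RE_CALL.findall(te_text):
        if name in ("policy_module", "gen_require"):
            continue
        calls.append((name, [a.strip() for a in raw.split(",") if a.strip()]))
    return calls


def lint(fc_text, te_text):
    """Return human-readable findings; an empty list means the module looks sane."""
    findings = []
    m = RE_MODULE.search(te_text)
    module = m.group(1) if m else None
    declared = set(RE_TYPE.findall(te_text))
    calls = interface_calls(te_text)

    # Types that some interface call has classified as a file type.
    file_typed = set()
    for name, args in calls:
        pos = FILE_TYPE_IFACES.get(name)
        if pos is not None and len(args) > pos:
            file_typed.add(args[pos])

    # 1. Every type the .fc assigns must be declared here and be a file type,
    #    otherwise restorecon has nothing valid to apply.
    for path, ctx_type in RE_FC.findall(fc_text):
        if ctx_type not in declared:
            findings.append(f"{path}: labels with {ctx_type}, which this module does not declare")
        elif ctx_type not in file_typed:
            findings.append(f"{path}: {ctx_type} is declared but never passed to an interface "
                            f"that makes it a file type (application_domain, files_type, ...)")
        if re.search(r"(?<!\\)\.", path):
            findings.append(f"{path}: unescaped '.' in .fc regex (matches any character)")

    # 2. The module's own interfaces take a *domain* in the domain slot:
    #    <mod>_role(role, domain), <mod>_run(domain, role), <mod>_domtrans(domain).
    domain_slot = {f"{module}_role": 1, f"{module}_run": 0, f"{module}_domtrans": 0} if module else {}
    for name, args in calls:
        pos = domain_slot.get(name)
        if pos is not None and len(args) > pos and args[pos].endswith("_exec_t"):
            findings.append(f"{name}({', '.join(args)}): {args[pos]} is an executable file type, "
                            f"but argument {pos + 1} is the domain that transitions")

    # 3. A declared type carrying another module's prefix is a rename miss.
    if module:
        for t in sorted(declared):
            if not t.startswith(module + "_"):
                findings.append(f"type {t}: prefix does not match module {module} (copied from another module?)")
    return findings


if __name__ == "__main__":
    for line in lint(CZWD_FC, CZWD_TE):
        print(line)
```

Run against the constructed CZwd text it reports two things: the unescaped `.` in the .fc path and `CZtp_exec_t` sitting in the domain slot of `CZwd_role`. Removing the `type CZwd_exec_t;` declaration, or replacing `application_domain` with something that does not classify the exec type, produces the "does not declare" / "never passed to an interface that makes it a file type" findings instead. On the box itself the equivalent runtime checks are `seinfo -t CZwd_exec_t -x` (attributes the loaded policy gives the type), `matchpathcon` on the script path (which .fc spec wins) and `ls -Z` (what is actually on disk).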