Hi,
I am stuck trying to create a selinux policy for the Software Test
Automation Framework (STAF) daemon on Fedora 14.
From the violations, it seems that STAF wants to send out emails and
restart iptables, which is behavior that should be allowed.
I've created the inital policy with sepolgen and did run the resulting
.sh script with "--update" a number of times, but so far no success in
getting a policy that works without generating violations.
I have included the resulting te file as an attachment.
Any ideas about what could be wrong would be greatly appreciated.
The current set of violations are:
[root@lime audit]# grep AVC audit.log | grep STAF
type=AVC msg=audit(1316772648.834:16749): avc: denied { create } for
pid=13504 comm="STAFProc" name="STAF.tmp"
scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=unconfined_u:object_r:krb5_host_rcache_t:s0 tclass=file
type=AVC msg=audit(1316772676.905:16750): avc: denied { read } for
pid=13541 comm="killall" name="stat" dev=proc ino=5874476
scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=system_u:system_r:sendmail_t:s0 tclass=file
type=AVC msg=audit(1316772676.905:16750): avc: denied { open } for
pid=13541 comm="killall" name="stat" dev=proc ino=5874476
scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=system_u:system_r:sendmail_t:s0 tclass=file
type=AVC msg=audit(1316772676.906:16751): avc: denied { getattr } for
pid=13541 comm="killall" path="/proc/1433/stat" dev=proc ino=5874476
scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=system_u:system_r:sendmail_t:s0 tclass=file
type=AVC msg=audit(1316772677.136:16755): avc: denied { transition }
for pid=13558 comm="env" path="/etc/rc.d/init.d/iptables" dev=dm-0
ino=652904 scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
type=AVC msg=audit(1316772677.136:16755): avc: denied { rlimitinh }
for pid=13558 comm="iptables"
scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
type=AVC msg=audit(1316772677.136:16755): avc: denied { siginh } for
pid=13558 comm="iptables"
scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
type=AVC msg=audit(1316772677.136:16755): avc: denied { noatsecure }
for pid=13558 comm="iptables"
scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
--
Michael Atighetchi
Senior Scientist
Raytheon BBN Technologies
617-873-1679
matighet@xxxxxxx
policy_module(STAFProc,1.0.0)
########################################
#
# Declarations
#
type STAFProc_t;
type STAFProc_exec_t;
application_domain(STAFProc_t, STAFProc_exec_t)
role system_r types STAFProc_t;
permissive STAFProc_t;
########################################
#
# STAFProc local policy
#
allow STAFProc_t self:fifo_file manage_fifo_file_perms;
allow STAFProc_t self:unix_stream_socket create_stream_socket_perms;
domain_use_interactive_fds(STAFProc_t)
files_read_etc_files(STAFProc_t)
miscfiles_read_localization(STAFProc_t)
gen_require(` type unconfined_t; role unconfined_r; ')
STAFProc_role(unconfined_r, unconfined_t)
require {
type krb5_host_rcache_t;
type tmp_t;
type STAFProc_t;
class sock_file unlink;
class process { siginh transition noatsecure rlimitinh };
class file lock;
}
#============= STAFProc_t ==============
allow STAFProc_t krb5_host_rcache_t:file lock;
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow STAFProc_t self:process { siginh rlimitinh transition noatsecure };
allow STAFProc_t tmp_t:sock_file unlink;
sendmail_domtrans(STAFProc_t)
require {
type unconfined_t;
type CZnhc_exec_t;
type usr_t;
type STAFProc_t;
type monopd_port_t;
type user_home_t;
type CZfwa_exec_t;
type setroubleshootd_t;
type system_dbusd_t;
type tmp_t;
type avahi_t;
type CZla_exec_t;
type sudo_exec_t;
type vnc_port_t;
type slapd_t;
type kernel_t;
type krb5_host_rcache_t;
type consolekit_t;
type auditd_t;
type syslogd_t;
type sendmail_t;
type audisp_t;
type policykit_t;
type postgresql_t;
type CZwd_exec_t;
type iptables_initrc_exec_t;
type sshd_t;
type crond_t;
type getty_t;
type system_cronjob_t;
type CZtp_exec_t;
type startSplitter_exec_t;
class process { sigkill setpgid execstack setsched signal transition siginh execmem noatsecure signull rlimitinh };
class unix_stream_socket connectto;
class rawip_socket { getopt create setopt };
class netlink_socket { write getattr setopt bind read getopt create };
class capability { setuid sys_ptrace audit_write dac_override net_raw chown kill setgid net_admin };
class tcp_socket { name_bind name_connect setopt read bind create ioctl accept write getattr connect shutdown getopt listen };
class file { execute read create ioctl execute_no_trans write getattr entrypoint unlink open };
class netlink_audit_socket { write nlmsg_relay create read };
class sock_file { write create };
class netlink_route_socket { write getattr read bind create nlmsg_read };
class unix_dgram_socket { write create connect };
class udp_socket { write getattr connect read create ioctl };
class dir { search getattr };
}
#============= STAFProc_t ==============
allow STAFProc_t CZfwa_exec_t:file { ioctl execute read open getattr execute_no_trans };
allow STAFProc_t CZla_exec_t:file { ioctl execute read open getattr execute_no_trans };
allow STAFProc_t CZnhc_exec_t:file { ioctl execute read open getattr execute_no_trans };
allow STAFProc_t CZtp_exec_t:file { ioctl execute read open getattr execute_no_trans };
allow STAFProc_t CZwd_exec_t:file { ioctl execute read open getattr execute_no_trans };
allow STAFProc_t audisp_t:dir { search getattr };
allow STAFProc_t audisp_t:file { read getattr open };
allow STAFProc_t auditd_t:dir { search getattr };
allow STAFProc_t auditd_t:file { read getattr open };
allow STAFProc_t avahi_t:dir { search getattr };
allow STAFProc_t avahi_t:file { read getattr open };
allow STAFProc_t consolekit_t:dir { search getattr };
allow STAFProc_t consolekit_t:file { read getattr open };
allow STAFProc_t crond_t:dir { search getattr };
allow STAFProc_t crond_t:file { read getattr open };
allow STAFProc_t getty_t:dir { search getattr };
allow STAFProc_t getty_t:file { read getattr open };
allow STAFProc_t iptables_initrc_exec_t:file { execute entrypoint getattr read open ioctl };
allow STAFProc_t kernel_t:dir { search getattr };
allow STAFProc_t kernel_t:file { read getattr open };
allow STAFProc_t krb5_host_rcache_t:file { read write unlink open };
allow STAFProc_t monopd_port_t:tcp_socket { name_bind name_connect };
allow STAFProc_t policykit_t:dir { search getattr };
allow STAFProc_t policykit_t:file { read getattr open };
allow STAFProc_t postgresql_t:dir { search getattr };
allow STAFProc_t postgresql_t:file { read getattr open };
allow STAFProc_t self:capability { setuid sys_ptrace audit_write dac_override net_raw chown kill setgid net_admin };
allow STAFProc_t self:netlink_audit_socket { write nlmsg_relay create read };
allow STAFProc_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
allow STAFProc_t self:netlink_socket { write getattr setopt getopt read bind create };
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow STAFProc_t self:process { siginh rlimitinh transition noatsecure };
allow STAFProc_t self:process { execmem sigkill setpgid execstack setsched signal signull };
allow STAFProc_t self:rawip_socket { getopt create setopt };
allow STAFProc_t self:tcp_socket { setopt read bind create getattr accept write ioctl connect shutdown getopt listen };
allow STAFProc_t self:udp_socket { write getattr connect read create ioctl };
allow STAFProc_t self:unix_dgram_socket { write create connect };
allow STAFProc_t self:unix_stream_socket connectto;
allow STAFProc_t sendmail_t:dir { search getattr };
allow STAFProc_t setroubleshootd_t:dir { search getattr };
allow STAFProc_t setroubleshootd_t:file { read getattr open };
allow STAFProc_t slapd_t:dir { search getattr };
allow STAFProc_t slapd_t:file { read getattr open };
allow STAFProc_t sshd_t:dir { search getattr };
allow STAFProc_t sshd_t:file { read getattr open };
allow STAFProc_t startSplitter_exec_t:file { ioctl execute read open getattr execute_no_trans };
allow STAFProc_t sudo_exec_t:file { read getattr open execute execute_no_trans };
allow STAFProc_t syslogd_t:dir { search getattr };
allow STAFProc_t syslogd_t:file { read getattr open };
allow STAFProc_t system_cronjob_t:dir { search getattr };
allow STAFProc_t system_cronjob_t:file { read getattr open };
allow STAFProc_t system_dbusd_t:dir { search getattr };
allow STAFProc_t system_dbusd_t:file { read getattr open };
allow STAFProc_t tmp_t:sock_file { write create };
allow STAFProc_t unconfined_t:dir { search getattr };
allow STAFProc_t unconfined_t:file { read getattr open };
allow STAFProc_t user_home_t:file { execute read create execute_no_trans write ioctl unlink open };
allow STAFProc_t usr_t:file { execute read create getattr write ioctl unlink open };
allow STAFProc_t vnc_port_t:tcp_socket { name_bind name_connect };
consoletype_exec(STAFProc_t)
corecmd_exec_ls(STAFProc_t)
corecmd_exec_shell(STAFProc_t)
corenet_tcp_bind_generic_node(STAFProc_t)
corenet_tcp_bind_ircd_port(STAFProc_t)
corenet_tcp_connect_ldap_port(STAFProc_t)
corenet_tcp_connect_postgresql_port(STAFProc_t)
dev_list_sysfs(STAFProc_t)
dev_read_rand(STAFProc_t)
dev_read_urand(STAFProc_t)
files_manage_generic_tmp_files(STAFProc_t)
files_read_system_conf_files(STAFProc_t)
files_read_usr_symlinks(STAFProc_t)
files_rw_etc_files(STAFProc_t)
files_rw_usr_dirs(STAFProc_t)
hal_read_state(STAFProc_t)
hostname_exec(STAFProc_t)
init_read_state(STAFProc_t)
iptables_exec(STAFProc_t)
java_exec(STAFProc_t)
kernel_list_proc(STAFProc_t)
kernel_read_kernel_sysctls(STAFProc_t)
kernel_read_modprobe_sysctls(STAFProc_t)
kernel_read_network_state(STAFProc_t)
kernel_read_system_state(STAFProc_t)
logging_read_generic_logs(STAFProc_t)
logging_send_syslog_msg(STAFProc_t)
miscfiles_read_generic_certs(STAFProc_t)
modutils_exec_insmod(STAFProc_t)
modutils_list_module_config(STAFProc_t)
modutils_read_module_config(STAFProc_t)
modutils_read_module_deps(STAFProc_t)
mta_tmp_filetrans_host_rcache(STAFProc_t)
nis_use_ypbind_uncond(STAFProc_t)
sendmail_domtrans(STAFProc_t)
sysnet_read_config(STAFProc_t)
udev_read_state(STAFProc_t)
userdom_manage_user_home_content_dirs(STAFProc_t)
userdom_manage_user_tmp_files(STAFProc_t)
userdom_read_user_home_content_symlinks(STAFProc_t)
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux