On Fri, 2011-09-23 at 12:55 +0200, Michael Atighetchi wrote:
> Hi,
>
> I am stuck trying to create a selinux policy for the Software Test
> Automation Framework (STAF) daemon on Fedora 14.
> From the violations, it seems that STAF wants to send out emails and
> restart iptables, which is behavior that should be allowed.
>
> I've created the initial policy with sepolgen and did run the resulting
> .sh script with "--update" a number of times, but so far no success in
> getting a policy that works without generating violations.

Something like this:

optional_policy(`
	gen_require(`
		type STAFProc_t, iptables_initrc_exec_t;
		role unconfined_r, system_r;
	')

	init_labeled_script_domtrans(STAFProc_t, iptables_initrc_exec_t)
	domain_system_change_exemption(STAFProc_t)

	# this may be duplicates
	# role_transition unconfined_r iptables_initrc_exec_t system_r;
	# allow unconfined_r system_r;
')

Might deal with allowing unconfined_r:STAFProc_t to restart the iptables
init daemon via /etc/rc.d/init.d/iptables. That might have dealt with
the constraint issues.

> I have included the resulting te file as an attachment.
>
> Any ideas about what could be wrong would be greatly appreciated.
>
> The current set of violations are:
> [root@lime audit]# grep AVC audit.log | grep STAF
> type=AVC msg=audit(1316772648.834:16749): avc: denied { create } for
> pid=13504 comm="STAFProc" name="STAF.tmp"
> scontext=unconfined_u:unconfined_r:STAFProc_t:s0
> tcontext=unconfined_u:object_r:krb5_host_rcache_t:s0 tclass=file
> type=AVC msg=audit(1316772676.905:16750): avc: denied { read } for
> pid=13541 comm="killall" name="stat" dev=proc ino=5874476
> scontext=unconfined_u:unconfined_r:STAFProc_t:s0
> tcontext=system_u:system_r:sendmail_t:s0 tclass=file
> type=AVC msg=audit(1316772676.905:16750): avc: denied { open } for
> pid=13541 comm="killall" name="stat" dev=proc ino=5874476
> scontext=unconfined_u:unconfined_r:STAFProc_t:s0
> tcontext=system_u:system_r:sendmail_t:s0 tclass=file
> type=AVC msg=audit(1316772676.906:16751): avc: denied { getattr } for
> pid=13541 comm="killall" path="/proc/1433/stat" dev=proc ino=5874476
> scontext=unconfined_u:unconfined_r:STAFProc_t:s0
> tcontext=system_u:system_r:sendmail_t:s0 tclass=file
> type=AVC msg=audit(1316772677.136:16755): avc: denied { transition }
> for pid=13558 comm="env" path="/etc/rc.d/init.d/iptables" dev=dm-0
> ino=652904 scontext=unconfined_u:unconfined_r:STAFProc_t:s0
> tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
> type=AVC msg=audit(1316772677.136:16755): avc: denied { rlimitinh }
> for pid=13558 comm="iptables"
> scontext=unconfined_u:unconfined_r:STAFProc_t:s0
> tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
> type=AVC msg=audit(1316772677.136:16755): avc: denied { siginh } for
> pid=13558 comm="iptables"
> scontext=unconfined_u:unconfined_r:STAFProc_t:s0
> tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
> type=AVC msg=audit(1316772677.136:16755): avc: denied { noatsecure }
> for pid=13558 comm="iptables"
> scontext=unconfined_u:unconfined_r:STAFProc_t:s0
> tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
>
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
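The reply above points at a detail that running sepolgen or audit2allow in a loop hides: the `transition` denial in the quoted log has a target context whose role (system_r) differs from the source role (unconfined_r), and that kind of denial is governed by role allow rules and policy constraints, not only by TE `allow` rules, so regenerating allow rules from the log will never clear it. The script below is an added example written for this page; it is not code from the thread, from STAF, or from audit2allow. It parses the AVC records quoted in the thread (copied here as sample input, joined back onto one line each), merges denials with the same source, target and class into one permission set, prints the allow rule that set corresponds to, and flags the groups where the source and target roles or users differ on a process transition. That flagging rule is an assumption made for the example; the exact constraint text depends on the policy installed on the host.

```python
"""Group SELinux AVC denials from an audit.log excerpt and flag the ones that a
plain TE allow rule cannot fix on its own.

Added example for this thread; not code from the thread, from STAF or from
audit2allow. The "role-change" classification below is an assumption made for
the example, not something read from the host's policy constraints."""
import re
from collections import defaultdict

# Sample AVC records: the denials quoted in the thread, one record per line.
SAMPLE_AVC = """\
type=AVC msg=audit(1316772648.834:16749): avc: denied { create } for pid=13504 comm="STAFProc" name="STAF.tmp" scontext=unconfined_u:unconfined_r:STAFProc_t:s0 tcontext=unconfined_u:object_r:krb5_host_rcache_t:s0 tclass=file
type=AVC msg=audit(1316772676.905:16750): avc: denied { read } for pid=13541 comm="killall" name="stat" dev=proc ino=5874476 scontext=unconfined_u:unconfined_r:STAFProc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=file
type=AVC msg=audit(1316772676.905:16750): avc: denied { open } for pid=13541 comm="killall" name="stat" dev=proc ino=5874476 scontext=unconfined_u:unconfined_r:STAFProc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=file
type=AVC msg=audit(1316772676.906:16751): avc: denied { getattr } for pid=13541 comm="killall" path="/proc/1433/stat" dev=proc ino=5874476 scontext=unconfined_u:unconfined_r:STAFProc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=file
type=AVC msg=audit(1316772677.136:16755): avc: denied { transition } for pid=13558 comm="env" path="/etc/rc.d/init.d/iptables" dev=dm-0 ino=652904 scontext=unconfined_u:unconfined_r:STAFProc_t:s0 tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
type=AVC msg=audit(1316772677.136:16755): avc: denied { rlimitinh } for pid=13558 comm="iptables" scontext=unconfined_u:unconfined_r:STAFProc_t:s0 tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
type=AVC msg=audit(1316772677.136:16755): avc: denied { siginh } for pid=13558 comm="iptables" scontext=unconfined_u:unconfined_r:STAFProc_t:s0 tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
type=AVC msg=audit(1316772677.136:16755): avc: denied { noatsecure } for pid=13558 comm="iptables" scontext=unconfined_u:unconfined_r:STAFProc_t:s0 tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the key=value fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = frozenset(m.group('perms').split())
    return rec


def split_context(ctx):
    """Split user:role:type[:range] into its user, role and type parts."""
    user, role, stype = ctx.split(':', 3)[:3]
    return {'user': user, 'role': role, 'type': stype}


def group_denials(text):
    """Merge denials with the same (scontext, tcontext, tclass) into one permission set."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and all(k in rec for k in ('scontext', 'tcontext', 'tclass')):
            groups[(rec['scontext'], rec['tcontext'], rec['tclass'])] |= rec['perms']
    return dict(groups)


def classify(scontext, tcontext, tclass):
    """'role-change' for process transitions that cross roles or users, else 'type-enforcement'.

    Assumption for this example: such transitions are subject to role allow rules and
    policy constraints, so an allow rule derived from the denial is not sufficient."""
    s, t = split_context(scontext), split_context(tcontext)
    if tclass == 'process' and (s['role'] != t['role'] or s['user'] != t['user']):
        return 'role-change'
    return 'type-enforcement'


def report(text):
    """One entry per grouped denial, sorted so the output is stable."""
    entries = []
    for (sctx, tctx, tclass), perms in sorted(group_denials(text).items()):
        entries.append({
            'source': split_context(sctx)['type'],
            'target': split_context(tctx)['type'],
            'tclass': tclass,
            'perms': sorted(perms),
            'kind': classify(sctx, tctx, tclass),
        })
    return entries


def suggest(entry):
    """The allow rule the grouped denial maps to, prefixed with a warning where it is not enough."""
    rule = 'allow %s %s:%s { %s };' % (
        entry['source'], entry['target'], entry['tclass'], ' '.join(entry['perms']))
    if entry['kind'] == 'role-change':
        return ('# source and target roles/users differ: a role allow or role_transition (or an\n'
                '# interface such as init_labeled_script_domtrans) is needed in addition to:\n' + rule)
    return rule


if __name__ == '__main__':
    for entry in report(SAMPLE_AVC):
        print(suggest(entry))
```

Run it on the excerpt and the three `killall` denials collapse into one `allow STAFProc_t sendmail_t:file { getattr open read };`, while the four process denials are printed with the warning. Treat each printed rule as a starting point, not a fix: before adding one, check that the target label is what you expect (a denial on an unexpected type, such as the `create` on krb5_host_rcache_t above, can mean a labeling problem rather than a missing permission), and read the denial on a domain such as sendmail_t as a sign that an existing interface may already cover the access.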