Re: This avc is a constraint violation! Stuck resolving this via --update on sepolgen generated file

On Fri, 2011-09-23 at 12:55 +0200, Michael Atighetchi wrote:
> Hi,
> 
> I am stuck trying to create a selinux policy for the Software Test 
> Automation Framework (STAF) daemon on Fedora 14.
>  From the violations, it seems that STAF wants to send out emails and 
> restart iptables, which is behavior that should be allowed.
> 
> I've created the initial policy with sepolgen and did run the resulting 
> .sh script with "--update" a number of times, but so far no success in 
> getting a policy that works without generating violations.
> 
> I have included the resulting te file as an attachment.

You have made a mistake. When writing policy one should always try to
take care of any transitions first.

Your policy allows your stafproc_t process to execute iptables, but this
is wrong, I suspect. I suspect you added that because stafproc_t needs to
restart the iptables service. (This requires a domain transition to the
init script domain. The iptables init script file, running in the init
script domain, will execute iptables with a domain transition.)

You added a lot of policy in your type enforcement file that likely
should not be there, just because you did not take care of the
transition described above before allowing anything else.

If you want some interactive guidance with your policy, please stop by
#fedora-selinux on irc.freenode.net

> Any ideas about what could be wrong would be greatly appreciated.
> 
> The current set of violations are:
> [root@lime audit]# grep AVC audit.log  | grep STAF
> type=AVC msg=audit(1316772648.834:16749): avc:  denied  { create } for  
> pid=13504 comm="STAFProc" name="STAF.tmp" 
> scontext=unconfined_u:unconfined_r:STAFProc_t:s0 
> tcontext=unconfined_u:object_r:krb5_host_rcache_t:s0 tclass=file
> type=AVC msg=audit(1316772676.905:16750): avc:  denied  { read } for  
> pid=13541 comm="killall" name="stat" dev=proc ino=5874476 
> scontext=unconfined_u:unconfined_r:STAFProc_t:s0 
> tcontext=system_u:system_r:sendmail_t:s0 tclass=file
> type=AVC msg=audit(1316772676.905:16750): avc:  denied  { open } for  
> pid=13541 comm="killall" name="stat" dev=proc ino=5874476 
> scontext=unconfined_u:unconfined_r:STAFProc_t:s0 
> tcontext=system_u:system_r:sendmail_t:s0 tclass=file
> type=AVC msg=audit(1316772676.906:16751): avc:  denied  { getattr } for  
> pid=13541 comm="killall" path="/proc/1433/stat" dev=proc ino=5874476 
> scontext=unconfined_u:unconfined_r:STAFProc_t:s0 
> tcontext=system_u:system_r:sendmail_t:s0 tclass=file
> type=AVC msg=audit(1316772677.136:16755): avc:  denied  { transition } 
> for  pid=13558 comm="env" path="/etc/rc.d/init.d/iptables" dev=dm-0 
> ino=652904 scontext=unconfined_u:unconfined_r:STAFProc_t:s0 
> tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
> type=AVC msg=audit(1316772677.136:16755): avc:  denied  { rlimitinh } 
> for  pid=13558 comm="iptables" 
> scontext=unconfined_u:unconfined_r:STAFProc_t:s0 
> tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
> type=AVC msg=audit(1316772677.136:16755): avc:  denied  { siginh } for  
> pid=13558 comm="iptables" 
> scontext=unconfined_u:unconfined_r:STAFProc_t:s0 
> tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
> type=AVC msg=audit(1316772677.136:16755): avc:  denied  { noatsecure } 
> for  pid=13558 comm="iptables" 
> scontext=unconfined_u:unconfined_r:STAFProc_t:s0 
> tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
> 
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

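The transition denial quoted above is the one the subject line calls a constraint violation: scontext and tcontext carry the same type, STAFProc_t, and only the role differs (unconfined_r to system_r). That is not a missing allow rule, so the `allow ... process transition` line audit2allow would propose cannot fix it. The script below is an added example for this thread, not code from STAF, Fedora or any SELinux tool; it parses AVC records and reports which context fields a denied process transition tried to change. The two sample records are the quoted ones rejoined onto single lines, and the verdict labels are this example's own naming.

```python
"""Tell a missing-domain-transition AVC apart from a constraint violation.

Added example for the thread above, not code from STAF, Fedora or any
SELinux tool.  SAMPLE_AVCS holds two records quoted in the post, rejoined
onto single lines; the verdict labels are this example's own naming.
"""
import re
from dataclasses import dataclass

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_AVCS = """\
type=AVC msg=audit(1316772677.136:16755): avc:  denied  { transition } for  pid=13558 comm="env" path="/etc/rc.d/init.d/iptables" dev=dm-0 ino=652904 scontext=unconfined_u:unconfined_r:STAFProc_t:s0 tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
type=AVC msg=audit(1316772676.905:16750): avc:  denied  { read } for  pid=13541 comm="killall" name="stat" dev=proc ino=5874476 scontext=unconfined_u:unconfined_r:STAFProc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=file
"""


@dataclass
class Avc:
    perms: list    # permissions listed inside the braces
    fields: dict   # key=value pairs after "for", quotes stripped


def parse_avc(line):
    """Return an Avc for an audit line carrying an AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return Avc(m.group("perms").split(), fields)


def split_context(ctx):
    """user:role:type[:range] -> dict; the MLS range may itself contain ':'."""
    user, role, type_, *mls = ctx.split(":")
    return {"user": user, "role": role, "type": type_, "range": ":".join(mls)}


def classify_transition(avc):
    """Verdict for a denied process transition, or None for anything else.

    SELinux evaluates allow rules and constrain statements separately and
    denies if either refuses.  When the type is unchanged and only the
    role or user differs, an allow rule was never the problem: the base
    policy's 'constrain process transition' rejected the role/user change.
    """
    if avc.fields.get("tclass") != "process" or "transition" not in avc.perms:
        return None
    src = split_context(avc.fields["scontext"])
    tgt = split_context(avc.fields["tcontext"])
    changed = [f for f in ("user", "role", "type") if src[f] != tgt[f]]
    if not changed:
        return ("no_change", changed)
    if changed == ["type"]:
        return ("missing_domtrans", changed)      # fix with a domtrans rule
    if "type" not in changed:
        return ("constraint", changed)            # role/user change only
    return ("domtrans_and_constraint", changed)   # both problems at once


def analyze(log_text):
    """(comm, verdict, changed-fields) for every denied process transition."""
    out = []
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        verdict = classify_transition(avc)
        if verdict is not None:
            out.append((avc.fields.get("comm"), verdict[0], verdict[1]))
    return out


if __name__ == "__main__":
    for comm, verdict, changed in analyze(SAMPLE_AVCS):
        print(f"{comm}: {verdict} (changed: {', '.join(changed)})")
```

Run against the quoted log the `env` record comes back as `constraint` with only `role` changed, which is the cue to stop adding allow rules and look at how the process ends up in system_r instead; a real audit.log would be fed in unwrapped, one record per line.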

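A type enforcement fragment that follows the transition-first advice in the reply, as an added example: it is not the poster's sepolgen output and not Fedora's shipped policy. It assumes the domain is named STAFProc_t as in the AVCs, that /etc/rc.d/init.d/iptables carries the generic initrc_exec_t label (confirm with `ls -Z`; if the script has a service-specific label, the matching `*_initrc_domtrans` interface from that module is the one to call instead), and a refpolicy-derived Fedora policy in which `init_domtrans_script`, `domain_system_change_exemption` and `mta_send_mail` are available. The killall and krb5_host_rcache_t denials are left aside here on purpose; revisit them once the transitions are in place, as the reply advises.

```text
# STAFProc.te, transition-first fragment (added example, not the poster's
# sepolgen output and not Fedora's shipped policy)
policy_module(STAFProc, 1.0.1)

type STAFProc_t;
type STAFProc_exec_t;
init_daemon_domain(STAFProc_t, STAFProc_exec_t)

# Restarting iptables: execute /etc/rc.d/init.d/iptables in the init
# script domain (initrc_t). initrc_t's own policy then transitions into
# iptables_t; STAFProc_t never executes the iptables binary itself, so no
# execute rule on the iptables executable belongs in this module.
init_domtrans_script(STAFProc_t)

# The quoted AVC shows STAFProc_t running in unconfined_r, so entering
# system_r:initrc_t is a role change as well as a type change, and the
# base policy's 'constrain process transition' only permits that for
# exempted domains. Starting STAF from its own init script, so that it is
# in system_r from the outset, removes the need for this exemption.
domain_system_change_exemption(STAFProc_t)

# Sending mail: use the MTA's own transition rather than granting
# STAFProc_t rules against sendmail_t.
mta_send_mail(STAFProc_t)
```

Build and load it the usual way (`make -f /usr/share/selinux/devel/Makefile STAFProc.pp && semodule -i STAFProc.pp`), then check the loaded policy rather than trusting the source: `sesearch -T -s STAFProc_t -t initrc_exec_t -c process` should list a type_transition to initrc_t, and `seinfo --constrain` prints the actual constraint text on the system, which is what to read before accepting any `process transition` allow line audit2allow suggests for a same-type AVC.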