On Thu, 2012-02-02 at 17:58 -0500, Maria Iano wrote: Alright, let's walk through this (a few rules may be duplicates, and there might also be some typos): mkdir ~/mylikewise; cd ~/mylikewise; echo "policy_module(mylikewise, 1.0.0)" > mylikewise.te; > Here is the list: > > type=AVC msg=audit(1328198424.686:20): avc: denied { write } for > pid=1165 comm="lwiod" name=".netlogond" dev=dm-0 ino=393091 > scontext=system_u:system_r:lwiod_t:s0 > tcontext=system_u:object_r:netlogond_var_socket_t:s0 tclass=sock_file > type=AVC msg=audit(1328198424.686:20): avc: denied { connectto } > for pid=1165 comm="lwiod" path="/var/lib/likewise/.netlogond" > scontext=system_u:system_r:lwiod_t:s0 > tcontext=system_u:system_r:netlogond_t:s0 tclass=unix_stream_socket echo "optional_policy(\` gen_require(\` type lwiod_t, netlogond_t, netlogond_var_socket_t, likewise_var_lib_t; ') stream_connect_pattern(lwiod_t, likewise_var_lib_t, netlogond_var_socket_t, netlogond_t)')" >> mylikewise.te; > type=AVC msg=audit(1328203534.556:16): avc: denied { getattr } for > pid=1141 comm="lwsmd" path="/etc/likewise/likewise-krb5-ad.conf" > dev=dm-0 ino=786321 scontext=system_u:system_r:lwsmd_t:s0 > tcontext=system_u:object_r:likewise_krb5_ad_t:s0 tclass=file > type=AVC msg=audit(1328203534.536:14): avc: denied { getattr } for > pid=1141 comm="lwsmd" path="/var/lib/likewise/krb5-affinity.conf" > dev=dm-0 ino=395410 scontext=system_u:system_r:lwsmd_t:s0 > tcontext=system_u:object_r:netlogond_var_lib_t:s0 tclass=file echo "optional_policy(\` gen_require(\` type lwsmd_t, netlogond_var_lib_t, likewise_krb5_ad_t; ') allow lwsmd_t { netlogond_var_lib_t likewise_krb5_ad_t }:file getattr_file_perms; ')" >> mylikewise.te; > type=AVC msg=audit(1328203534.221:9): avc: denied { getattr } for > pid=1143 comm="eventlogd" path="/var/lib/likewise/db/lwi_events.db" > dev=dm-0 ino=395386 scontext=system_u:system_r:eventlogd_t:s0 > tcontext=unconfined_u:object_r:likewise_var_lib_t:s0 tclass=file !!!! 
Something is wrong here: this file should have been created with type eventlogd_var_lib_t. echo "optional_policy(\` gen_require(\` type eventlogd_t, likewise_var_lib_t; ') allow eventlogd_t likewise_var_lib_t:file getattr_file_perms; ')" >> mylikewise.te; > type=AVC msg=audit(1328200531.030:128): avc: denied { getattr } for > pid=1486 comm="lsassd" path="/proc/1043" dev=proc ino=10798 > scontext=system_u:system_r:lsassd_t:s0 > tcontext=system_u:system_r:auditd_t:s0 tclass=dir echo "optional_policy(\` gen_require(\` type lsassd_t; ') domain_dontaudit_search_all_domains_state(lsassd_t)')" >> mylikewise.te; > type=AVC msg=audit(1328198423.037:5): avc: denied { lock } for > pid=1108 comm="lwsmd" path="/var/lib/likewise/.lwsmd-lock" dev=dm-0 > ino=395380 scontext=system_u:system_r:lwsmd_t:s0 > tcontext=unconfined_u:object_r:likewise_var_lib_t:s0 tclass=file ??? I was expecting a private type for .lwsmd-lock. echo "optional_policy(\` gen_require(\` type lwsmd_t, likewise_var_lib_t; ') allow lwsmd_t likewise_var_lib_t:file lock;')" >> mylikewise.te; > > type=AVC msg=audit(1328198424.260:19): avc: denied { lock } for > pid=1151 comm="eventlogd" path="/var/lib/likewise/db/lwi_events.db" > dev=dm-0 ino=395386 scontext=system_u:system_r:eventlogd_t:s0 > tcontext=unconfined_u:object_r:likewise_var_lib_t:s0 tclass=file !!! 
Something is wrong here: this file should have been created with type eventlogd_var_lib_t. echo "optional_policy(\` gen_require(\` type eventlogd_t, likewise_var_lib_t; ') allow eventlogd_t likewise_var_lib_t:file lock; ')" >> mylikewise.te; > type=AVC msg=audit(1328198423.032:4): avc: denied { write } for > pid=1108 comm="lwsmd" name=".lwsmd-lock" dev=dm-0 ino=395380 > scontext=system_u:system_r:lwsmd_t:s0 > tcontext=unconfined_u:object_r:likewise_var_lib_t:s0 tclass=file > type=AVC msg=audit(1328198423.032:4): avc: denied { open } for > pid=1108 comm="lwsmd" name=".lwsmd-lock" dev=dm-0 ino=395380 > scontext=system_u:system_r:lwsmd_t:s0 > tcontext=unconfined_u:object_r:likewise_var_lib_t:s0 tclass=file ??? I was expecting a private type for this file. echo "optional_policy(\` gen_require(\` type lwsmd_t, likewise_var_lib_t; ') allow lwsmd_t likewise_var_lib_t:file write_file_perms; ')" >> mylikewise.te > type=AVC msg=audit(1328198423.043:6): avc: denied { read } for > pid=1108 comm="lwsmd" name="stat" dev=proc ino=4026532032 > scontext=system_u:system_r:lwsmd_t:s0 > tcontext=system_u:object_r:proc_t:s0 tclass=file > type=AVC msg=audit(1328198423.043:6): avc: denied { open } for > pid=1108 comm="lwsmd" name="stat" dev=proc ino=4026532032 > scontext=system_u:system_r:lwsmd_t:s0 > tcontext=system_u:object_r:proc_t:s0 tclass=file echo "optional_policy(\` gen_require(\` type lwsmd_t; ') kernel_read_system_state(lwsmd_t)')" >> mylikewise.te; > type=AVC msg=audit(1328198423.343:8): avc: denied { read } for > pid=1112 comm="lwregd" name="stat" dev=proc ino=4026532032 > scontext=system_u:system_r:lwregd_t:s0 > tcontext=system_u:object_r:proc_t:s0 tclass=file > type=AVC msg=audit(1328198423.343:8): avc: denied { open } for > pid=1112 comm="lwregd" name="stat" dev=proc ino=4026532032 > scontext=system_u:system_r:lwregd_t:s0 > tcontext=system_u:object_r:proc_t:s0 tclass=file echo "optional_policy(\` gen_require(\` type lwregd_t; ') kernel_read_system_state(lwregd_t)')" >> 
mylikewise.te; > type=AVC msg=audit(1328203534.538:15): avc: denied { read } for > pid=1141 comm="lwsmd" name="krb5-affinity.conf" dev=dm-0 ino=395410 > scontext=system_u:system_r:lwsmd_t:s0 > tcontext=system_u:object_r:netlogond_var_lib_t:s0 tclass=file > type=AVC msg=audit(1328203534.538:15): avc: denied { open } for > pid=1141 comm="lwsmd" name="krb5-affinity.conf" dev=dm-0 ino=395410 > scontext=system_u:system_r:lwsmd_t:s0 > tcontext=system_u:object_r:netlogond_var_lib_t:s0 tclass=file > type=AVC msg=audit(1328203534.557:17): avc: denied { read } for > pid=1141 comm="lwsmd" name="likewise-krb5-ad.conf" dev=dm-0 ino=786321 > scontext=system_u:system_r:lwsmd_t:s0 > tcontext=system_u:object_r:likewise_krb5_ad_t:s0 tclass=file > type=AVC msg=audit(1328203534.557:17): avc: denied { open } for > pid=1141 comm="lwsmd" name="likewise-krb5-ad.conf" dev=dm-0 ino=786321 > scontext=system_u:system_r:lwsmd_t:s0 > tcontext=system_u:object_r:likewise_krb5_ad_t:s0 tclass=file echo "optional_policy(\` gen_require(\` type lwsmd_t, netlogond_var_lib_t, likewise_krb5_ad_t; ') allow lwsmd_t { netlogond_var_lib_t likewise_krb5_ad_t }:file read_file_perms; ')" >> mylikewise.te; > > type=AVC msg=audit(1328203534.223:10): avc: denied { read } for > pid=1143 comm="eventlogd" name="stat" dev=proc ino=4026532032 > scontext=system_u:system_r:eventlogd_t:s0 > tcontext=system_u:object_r:proc_t:s0 tclass=file > type=AVC msg=audit(1328203534.223:10): avc: denied { open } for > pid=1143 comm="eventlogd" name="stat" dev=proc ino=4026532032 > scontext=system_u:system_r:eventlogd_t:s0 > tcontext=system_u:object_r:proc_t:s0 tclass=file echo "optional_policy(\` gen_require(\` type eventlogd_t; ') kernel_read_system_state(eventlogd_t)')" >> mylikewise.te; > > type=AVC msg=audit(1328203534.286:11): avc: denied { read } for > pid=1150 comm="netlogond" name="stat" dev=proc ino=4026532032 > scontext=system_u:system_r:netlogond_t:s0 > tcontext=system_u:object_r:proc_t:s0 tclass=file > type=AVC 
msg=audit(1328203534.286:11): avc: denied { open } for > pid=1150 comm="netlogond" name="stat" dev=proc ino=4026532032 > scontext=system_u:system_r:netlogond_t:s0 > tcontext=system_u:object_r:proc_t:s0 tclass=file echo "optional_policy(\` gen_require(\` type netlogond_t; ') kernel_read_system_state(netlogond_t)')" >> mylikewise.te; > > type=AVC msg=audit(1328198424.259:18): avc: denied { read write } > for pid=1151 comm="eventlogd" name="lwi_events.db" dev=dm-0 > ino=395386 scontext=system_u:system_r:eventlogd_t:s0 > tcontext=unconfined_u:object_r:likewise_var_lib_t:s0 tclass=file > type=AVC msg=audit(1328198424.259:18): avc: denied { open } for > pid=1151 comm="eventlogd" name="lwi_events.db" dev=dm-0 ino=395386 > scontext=system_u:system_r:eventlogd_t:s0 > tcontext=unconfined_u:object_r:likewise_var_lib_t:s0 tclass=file Mislabeled: this should be eventlogd_var_lib_t. echo "optional_policy(\` gen_require(\` type eventlogd_t, likewise_var_lib_t; ') allow eventlogd_t likewise_var_lib_t:file rw_file_perms; ')" >> mylikewise.te; > > type=AVC msg=audit(1328198423.936:12): avc: denied { read } for > pid=1164 comm="lwiod" name="stat" dev=proc ino=4026532032 > scontext=system_u:system_r:lwiod_t:s0 > tcontext=system_u:object_r:proc_t:s0 tclass=file > type=AVC msg=audit(1328198423.936:12): avc: denied { open } for > pid=1164 comm="lwiod" name="stat" dev=proc ino=4026532032 > scontext=system_u:system_r:lwiod_t:s0 echo "optional_policy(\` gen_require(\` type lwiod_t; ') kernel_read_system_state(lwiod_t)')" >> mylikewise.te; > > type=AVC msg=audit(1328198350.869:21213): avc: denied { read } for > pid=1912 comm="lwsmd" name="krb5-affinity.conf" dev=dm-0 ino=395406 > scontext=system_u:system_r:lwsmd_t:s0 > tcontext=system_u:object_r:netlogond_var_lib_t:s0 tclass=file > type=AVC msg=audit(1328198350.869:21213): avc: denied { open } for > pid=1912 comm="lwsmd" name="krb5-affinity.conf" dev=dm-0 ino=395406 > scontext=system_u:system_r:lwsmd_t:s0 > 
tcontext=system_u:object_r:netlogond_var_lib_t:s0 tclass=file > > type=AVC msg=audit(1328198350.873:21215): avc: denied { read } for > pid=1912 comm="lwsmd" name="likewise-krb5-ad.conf" dev=dm-0 ino=786321 > scontext=system_u:system_r:lwsmd_t:s0 > tcontext=system_u:object_r:likewise_krb5_ad_t:s0 tclass=file > type=AVC msg=audit(1328198350.873:21215): avc: denied { open } for > pid=1912 comm="lwsmd" name="likewise-krb5-ad.conf" dev=dm-0 ino=786321 > scontext=system_u:system_r:lwsmd_t:s0 > tcontext=system_u:object_r:likewise_krb5_ad_t:s0 tclass=file echo "optional_policy(\` gen_require(\` type lwsmd_t, likewise_krb5_ad_t, netlogond_var_lib_t; ') allow lwsmd_t { likewise_krb5_ad_t netlogond_var_lib_t }:file read_file_perms; ')" >> mylikewise.te; > type=AVC msg=audit(1328198423.053:7): avc: denied { setpgid } for > pid=1112 comm="lwsmd" scontext=system_u:system_r:lwsmd_t:s0 > tcontext=system_u:system_r:lwsmd_t:s0 tclass=process echo "optional_policy(\` gen_require(\` type lwsmd_t; ') allow lwsmd_t self:process setpgid; ')" >> mylikewise.te; > > type=AVC msg=audit(1328198423.945:13): avc: denied { setrlimit } > for pid=1164 comm="lwiod" scontext=system_u:system_r:lwiod_t:s0 > tcontext=system_u:system_r:lwiod_t:s0 tclass=process > type=AVC msg=audit(1328198423.945:13): avc: denied { sys_resource } > for pid=1164 comm="lwiod" capability=24 > scontext=system_u:system_r:lwiod_t:s0 > tcontext=system_u:system_r:lwiod_t:s0 tclass=capability (Note the two denials are in different object classes: setrlimit is a process permission and sys_resource is a capability permission, so they need two separate rules.) echo "optional_policy(\` gen_require(\` type lwiod_t; ') allow lwiod_t self:process setrlimit; allow lwiod_t self:capability sys_resource; ')" >> mylikewise.te; > > > There is one file that somehow was created with the wrong type or was otherwise mislabeled: /var/lib/likewise/db/lwi_events.db (it should have type eventlogd_var_lib_t, not likewise_var_lib_t). This file should have been created by eventlogd, and if it was, it would have been created with the right type. Strange... 
make -f /usr/share/selinux/devel/Makefile mylikewise.pp sudo semodule -i mylikewise.pp Please test again (make sure you restore the file contexts of all locations, including /var/lib/likewise, e.g. with restorecon -R, so that the mislabeled files above get their proper types before the module is exercised). If you have any questions or comments, please do not hesitate to ask. I am looking forward to your reply. -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux