On Fri, 2012-02-03 at 10:02 +0100, Dominick Grift wrote:
>
> policy_module(mylikewise, 1.0.0)
>
> optional_policy(`
> 	gen_require(`
> 		attribute likewise_domains;
> 		type lwiod_t, netlogond_t, netlogond_var_socket_t, likewise_var_lib_t;
> 		type lsassd_t, lwsmd_t, netlogond_var_lib_t, likewise_krb5_ad_t, eventlogd_t;
> 	')
>
> 	stream_connect_pattern(lwiod_t, likewise_var_lib_t, netlogond_var_socket_t, netlogond_t)
>
> 	kernel_read_system_state(likewise_domains)
> 	domain_dontaudit_search_all_domains_state(lsassd_t)
>
> 	allow lwsmd_t likewise_var_lib_t:file write_file_perms;
> 	allow lwsmd_t { netlogond_var_lib_t likewise_krb5_ad_t }:file read_file_perms;
>
> 	allow eventlogd_t likewise_var_lib_t:file rw_file_perms;
>
> 	allow lwsmd_t self:process setpgid;
> 	allow lwiod_t self:process setrlimit;
> 	allow lwiod_t self:capability sys_resource;
> ')
>
> ..
>
> To build it:
>
> make -f /usr/share/selinux/devel/Makefile mylikewise.pp
>
> to install it:
>
> sudo semodule -i mylikewise.pp
>

Actually, I think I figured out why /var/lib/likewise/db/lwi_events.db and
/var/lib/likewise/.lwsmd-lock might have been mislabeled.

The "lwi_events.db" has chars that need to be escaped (either the dot or
underscore or both). The .lwsmd-lock has no file context specification at
all currently.

Please try the following (watch the line breaks though, this e-mail client
messes up the layout):

mylikewise.te:

policy_module(mylikewise, 1.0.0)

optional_policy(`
	gen_require(`
		attribute likewise_domains;
		type lwiod_t, netlogond_t, netlogond_var_socket_t, likewise_var_lib_t;
		type lsassd_t, lwsmd_t, netlogond_var_lib_t, likewise_krb5_ad_t;
	')

	stream_connect_pattern(lwiod_t, likewise_var_lib_t, netlogond_var_socket_t, netlogond_t)

	kernel_read_system_state(likewise_domains)
	domain_dontaudit_search_all_domains_state(lsassd_t)

	allow lwsmd_t { netlogond_var_lib_t likewise_krb5_ad_t }:file read_file_perms;

	allow lwsmd_t self:process setpgid;
	allow lwiod_t self:process setrlimit;
	allow lwiod_t self:capability sys_resource;
')

mylikewise.fc:

/var/lib/likewise/db/lwi\_events\.db	--	gen_context(system_u:object_r:eventlogd_var_lib_t,s0)
/var/lib/likewise/\.lwsmd-lock	--	gen_context(system_u:object_r:lwsmd_var_lib_t,s0)

To build:

make -f /usr/share/selinux/devel/Makefile mylikewise.pp

To install:

sudo semodule -i mylikewise.pp

Restore contexts:

restorecon -R -v /var/lib/likewise

See if the two paths above have the right type:

ls -alZ /var/lib/likewise/.lwsmd-lock
ls -alZ /var/lib/likewise/db/lwi_events.db

(Also see if, when you remove them, they get created with the right type.)

If this is fixed then please test the app again. This change may introduce
some new AVC denials.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
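As an added example (not part of the mail, the Likewise packages or the reference policy), a small Python model of how file-context entries like the two above are matched, following the libselinux rules: path regexes are anchored at both ends, a `--` flag restricts the entry to regular files, and the last matching entry wins. It assumes a generic `/var/lib/likewise(/.*)?` entry for the tree, placed first because the policy build sorts entries by specificity.

```python
import re
import stat

# Constructed file_contexts source: the two entries from the mail plus an
# assumed generic entry for the tree. The generic entry comes first because
# the policy build sorts entries by specificity (most specific last).
FC_TEXT = r"""
/var/lib/likewise(/.*)?    gen_context(system_u:object_r:likewise_var_lib_t,s0)
/var/lib/likewise/db/lwi\_events\.db    --    gen_context(system_u:object_r:eventlogd_var_lib_t,s0)
/var/lib/likewise/\.lwsmd-lock    --    gen_context(system_u:object_r:lwsmd_var_lib_t,s0)
"""

# File-type flags and the st_mode type each one restricts an entry to.
FLAGS = {"--": stat.S_IFREG, "-d": stat.S_IFDIR, "-l": stat.S_IFLNK, "-s": stat.S_IFSOCK,
         "-p": stat.S_IFIFO, "-c": stat.S_IFCHR, "-b": stat.S_IFBLK}

FC_LINE = re.compile(r"^(\S+)\s+(?:(-[-bcdlps])\s+)?gen_context\(([^)]*)\)\s*$")

def parse_fc(text):
    """Return [(anchored_regex, required_mode_or_None, context)] in file order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if not m:
            raise ValueError("unparsable file_contexts line: %r" % line)
        path_re, flag, ctx = m.groups()
        # setfiles/matchpathcon anchor every path regex at both ends.
        entries.append((re.compile("^" + path_re + "$"), FLAGS.get(flag), ctx))
    return entries

def match_context(entries, path, mode=stat.S_IFREG):
    """Look up the way libselinux does: scan from the last entry backwards,
    skip entries whose file-type flag does not fit `mode`, first hit wins."""
    for regex, required_mode, ctx in reversed(entries):
        if required_mode is not None and required_mode != mode:
            continue
        if regex.match(path):
            return ctx
    return None  # no entry applies; restorecon reports <<none>> and leaves it

def expected_type(path, is_dir=False):
    """Type field of the context that restorecon would apply to `path`."""
    mode = stat.S_IFDIR if is_dir else stat.S_IFREG
    ctx = match_context(parse_fc(FC_TEXT), path, mode)
    return ctx.split(":")[2].split(",")[0] if ctx else None
```

Because the dot is escaped, a regular file named `lwi_eventsXdb` falls through to the generic entry, and a directory at either path is also not caught by the `--` entries.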