how to transition a daemon to its own domain

I have been attempting to get my app to transition to a different domain unsuccessfully.
What is wrong with the following:

###############################TE file #############
########################################
#
# Declarations
#

require {
        type initrc_t;
}

type myapp_t;
type myapp_unit_file_t;
init_daemon_domain(myapp_t, myapp_unit_file_t);
allow initrc_t myapp_unit_file_t : file { read getattr execute open } ;
allow initrc_t   myapp_unit_file_t : file { ioctl read getattr lock execute entrypoint open } ;
allow initrc_t myapp_t : process { transition siginh } ;

type myapp_exec_t;
files_type(myapp_exec_t);

allow initrc_t myapp_exec_t : file { read getattr execute open } ;
allow initrc_t   myapp_exec_t : file { ioctl read getattr lock execute entrypoint open } ;
allow initrc_t myapp_t : process { transition siginh } ;


allow myapp_t self:fifo_file rw_fifo_file_perms;
allow myapp_t self:unix_stream_socket create_stream_socket_perms;

domain_use_interactive_fds(myapp_t)

#files_read_etc_files(myapp_t)

#miscfiles_read_localization(myapp_t)
#####################################################
########################END OF TE

#######################~INTERFACE#######
## <summary>policy for myapp</summary>

########################################
## <summary>
##      Execute TEMPLATE in the myapp domain.
## </summary>
## <param name="domain">
## <summary>
##      Domain allowed to transition.
## </summary>
## </param>
#
interface(`myapp_domtrans',`
        gen_require(`
                type myapp_t, myapp_exec_t;
        ')

        corecmd_search_bin($1)
        domtrans_pattern($1, myapp_exec_t, myapp_t)
')
##############################################
########################END OF INTERFACE#######################

and the other:

/appcl/myapp/apiservice.py                           --      gen_context(system_u:object_r:myapp_exec_t,s0)
/usr/lib/systemd/system/myapp.service                --      gen_context(system_u:object_r:myapp_unit_file_t,s0)


Unfortunately it remains in init_t rather than transitioning to myapp_t, which is my intention, but I'm wrong somewhere. Any help will be appreciated.
Here is some debug info:

# sesearch --allow -t myapp_t | grep transition
   allow initrc_t myapp_t : process { transition siginh } ;
   allow myapp_domain daemon : process transition ;

And there are no AVC denials in the logs. What do I do to correct this?

----------------another question -------only for the patient---------------
For those who like reading a lot, here is where I'm going with this:
My aim is to have the service interact over the network at a certain unprivileged port, and I can interact with it over some REST interface, and it can call some other programs with untrusted data and give back results.
So far I was able to isolate different processes that are launched by the app from each other by using MCS and using runcon to set the level. Unfortunately everything is still running as system_u:system_r:init_t:s0:cX,cY. How can I have the child process run with lower SELinux privileges? Like maybe: system_u:system_r:sandbox_t:s0:cX,cY,
or another equivalent of sandbox? If I try system_u:system_r:sandbox_t:s0:cX,cY I get an
invalid context error.

Jiun
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
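
Added example, not part of the original post and not code from the list or the policy project: an automatic domain transition needs three allow rules (the source domain may execute the entry file type, the target domain has entrypoint on that type, the source may transition to the target) plus a type_transition rule. The Python sketch below checks sesearch-style rule text for those four; the helper names and SAMPLE_RULES (constructed from the explicit allow lines for myapp_exec_t in the post, without macro expansions) are assumptions.

```python
import re

# Constructed sample: the explicit allow lines from the post for myapp_exec_t.
# Rules generated by init_daemon_domain() are not expanded here.
SAMPLE_RULES = """
allow initrc_t myapp_exec_t : file { read getattr execute open } ;
allow initrc_t myapp_exec_t : file { ioctl read getattr lock execute entrypoint open } ;
allow initrc_t myapp_t : process { transition siginh } ;
"""

ALLOW = re.compile(r"allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(?:\{([^}]*)\}|(\w+))\s*;")
TRANS = re.compile(r"type_transition\s+(\S+)\s+(\S+)\s*:\s*process\s+(\S+?)\s*;")


def parse_rules(text):
    """Parse sesearch-style text into allow tuples and type_transition tuples."""
    allows, transitions = set(), set()
    for line in text.splitlines():
        line = line.strip()
        m = ALLOW.match(line)
        if m:
            src, tgt, cls, braced, single = m.groups()
            for perm in (braced or single).split():
                allows.add((src, tgt, cls, perm))
        m = TRANS.match(line)
        if m:
            transitions.add(m.groups())
    return allows, transitions


def missing_for_domtrans(text, source, entry_type, target):
    """List the rules an automatic source -> target transition still lacks.

    Type names are matched literally; attributes are not expanded.
    """
    allows, transitions = parse_rules(text)
    checks = [
        (f"allow {source} {entry_type}:file execute", (source, entry_type, "file", "execute") in allows),
        (f"allow {target} {entry_type}:file entrypoint", (target, entry_type, "file", "entrypoint") in allows),
        (f"allow {source} {target}:process transition", (source, target, "process", "transition") in allows),
        (f"type_transition {source} {entry_type}:process {target}", (source, entry_type, target) in transitions),
    ]
    return [rule for rule, present in checks if not present]


if __name__ == "__main__":
    for src in ("init_t", "initrc_t"):
        print(src, "->", missing_for_domtrans(SAMPLE_RULES, src, "myapp_exec_t", "myapp_t"))
```

On a live system the input would be the combined output of `sesearch --allow` and `sesearch -T` for the domains in question, with the source set to the domain the parent process actually runs in.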
