On Sun, 2014-01-19 at 19:34 +0300, jiun bookworm wrote:

When you write a new policy, always deal with potential transition cases first. Domain transitions happen on execute and file transitions happen on create.

> allow myapp_t self:fifo_file rw_fifo_file_perms;
> allow myapp_t self:unix_stream_socket create_stream_socket_perms;
> allow myapp_t self:process signal;
> allow myapp_t etc_runtime_t:file { read getattr open ioctl execute};

Above it's mmapping a file with type etc_runtime_t. You should look at the raw avc denials to see which file that is and where it is, then see if it's labeled appropriately. It should probably be labeled lib_t or something.

> allow myapp_t proc_t:file { read open};
> allow myapp_t bin_t:dir write;

The above might be an access check. You should try to confirm that by using audit to record this event and then look at the syscall.

> allow myapp_t proc_t:file getattr;
> allow myapp_t tmp_t:dir {write add_name};
> allow myapp_t tmp_t:file {write open create};

The above file should be created with a type transition to a private myapp_tmp_t (files_tmp_file).

> allow myapp_t user_home_dir_t:dir { search getattr read open write add_name};
> allow myapp_t user_home_t:file { read open getattr ioctl create};
> allow myapp_t user_home_t:dir { read open search getattr };

The above don't quite add up. myapp is adding a directory entry and writing to some directory in /home, but without a type transition rule I do not see how it can create the file with user_home_t. You should analyze the raw avc denials related to the rules above to see what exactly is happening and why.

> allow myapp_t ldconfig_exec_t:file {execute read open execute_no_trans};

Figure out what command exactly is executing it by looking at the raw avc denials' comm="" field. ldconfig should usually be run as is (i.e. without a domain transition).

> allow myapp_t net_conf_t:file { read open getattr ioctl};
> allow myapp_t mongod_port_t:tcp_socket name_connect;
>
> allow myapp_t self:tcp_socket { create setopt connect getattr getopt write read bind append};
> allow myapp_t self:udp_socket { create connect getattr getopt setopt write read bind append};
> allow myapp_t self:netlink_route_socket { create bind getattr write nlmsg_read nlmsg_write read setattr lock getopt setopt append };
>

The policy is pretty simple if you take care of the tmp file that is created and the mislabeled etc_runtime_t library.

These are some of the things that I think should be in there and that might solve some issues:

    # module header needed for a stand-alone .te file
    policy_module(myapp, 1.0.0)

    type myapp_t;
    type myapp_exec_t;
    init_daemon_domain(myapp_t, myapp_exec_t)

    type myapp_unit_file_t;
    systemd_unit_file(myapp_unit_file_t)

    # private tmp type; files created in tmp_t dirs transition to it
    type myapp_tmp_t;
    files_tmp_file(myapp_tmp_t)
    manage_files_pattern(myapp_t, myapp_tmp_t, myapp_tmp_t)
    files_tmp_filetrans(myapp_t, myapp_tmp_t, file)

    # interface name follows the mongod_port_t type in the denials
    corenet_tcp_connect_mongod_port(myapp_t)
    # run ldconfig in the myapp_t domain (no transition)
    libs_exec_ldconfig(myapp_t)
    # covers net_conf_t reads and the name-resolution sockets
    auth_use_nsswitch(myapp_t)

The remainder should probably be retested and re-analyzed.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
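The reply above keeps pointing back to the raw avc denials (which path is the etc_runtime_t object, which comm executes ldconfig, which creates happen on shared types without a filetrans). The script below is an added example, not part of the thread, that does that triage over raw audit.log AVC records: it parses each record, groups denials into the allow rule they would become, and annotates the group with the comm and object fields plus heuristic hints matching the advice in the reply. The sample denial lines are constructed for this example (paths, pids and inode numbers are made up), and the hint rules are an assumption about what is worth flagging, not an official tool's logic.

```python
import re
from collections import defaultdict

# Constructed sample AVC records (not from the thread); the field layout
# matches what raw audit.log AVC lines look like.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1390147200.123:456): avc:  denied  { execute } for  pid=1234 comm="myapp" '
    'path="/etc/myapp/libhelper.so" dev="sda1" ino=789 scontext=system_u:system_r:myapp_t:s0 '
    'tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file',
    'type=AVC msg=audit(1390147201.001:457): avc:  denied  { create } for  pid=1234 comm="myapp" '
    'name="myapp.sock" scontext=system_u:system_r:myapp_t:s0 '
    'tcontext=system_u:object_r:tmp_t:s0 tclass=file',
    'type=AVC msg=audit(1390147202.500:458): avc:  denied  { execute_no_trans } for  pid=1240 comm="sh" '
    'path="/sbin/ldconfig" dev="sda1" ino=1001 scontext=system_u:system_r:myapp_t:s0 '
    'tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1390147203.000:459): avc:  denied  { write } for  pid=1234 comm="myapp" '
    'name="bin" dev="sda1" ino=2 scontext=system_u:system_r:myapp_t:s0 '
    'tcontext=system_u:object_r:bin_t:s0 tclass=dir',
    'type=AVC msg=audit(1390147204.000:460): avc:  denied  { name_connect } for  pid=1234 comm="myapp" '
    'scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:mongod_port_t:s0 tclass=tcp_socket',
]

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

EXEC_PERMS = {'execute', 'execute_no_trans', 'entrypoint'}
# Generic, shared types: creating objects here means a private type plus
# a type_transition is wanted rather than a plain allow (assumed list).
SHARED_TYPES = {'tmp_t', 'var_run_t', 'var_lib_t', 'var_log_t', 'user_home_t', 'user_home_dir_t'}


def parse_avc(line):
    """Return a dict of the AVC record's fields, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['result'] = m.group('result')
    rec['perms'] = frozenset(m.group('perms').split())
    rec['stype'] = rec['scontext'].split(':')[2]   # user:role:TYPE:level
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def hints_for(rec):
    """Heuristic review hints for one denial, following the reply's advice."""
    out = []
    p, cls, t = rec['perms'], rec['tclass'], rec['ttype']
    obj = rec.get('path') or rec.get('name') or '?'
    comm = rec.get('comm', '?')
    if cls == 'file' and p & EXEC_PERMS:
        if not (t.endswith('_exec_t') or t in ('lib_t', 'bin_t', 'textrel_shlib_t')):
            out.append(f'execute on {t} object {obj}: probably mislabeled, check its path and relabel it')
        elif 'execute_no_trans' in p:
            out.append(f'comm={comm} runs {t} in-domain (no transition): use the matching *_exec interface')
    if cls == 'file' and 'create' in p and t in SHARED_TYPES:
        out.append(f'creating files of shared type {t}: add a private type and a filetrans rule')
    if cls == 'dir' and p & {'write', 'add_name'} and t not in SHARED_TYPES:
        out.append(f'write to {t} directory by comm={comm}: may be an access(2) check, confirm the syscall with audit before allowing')
    return out


def summarize(lines):
    """Group denials by (source type, target type, class); collect perms, comm, objects, hints."""
    groups = defaultdict(lambda: {'perms': set(), 'comm': set(), 'objects': set(), 'hints': set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        g = groups[(rec['stype'], rec['ttype'], rec['tclass'])]
        g['perms'] |= rec['perms']
        g['comm'].add(rec.get('comm', '?'))
        obj = rec.get('path') or rec.get('name')
        if obj:
            g['objects'].add(obj)
        g['hints'].update(hints_for(rec))
    return dict(groups)


def render(groups):
    """Print each group as the allow rule it would become, annotated with the evidence."""
    out = []
    for (s, t, cls), g in sorted(groups.items()):
        perms = ' '.join(sorted(g['perms']))
        out.append(f"allow {s} {t}:{cls} {{ {perms} }};  # comm={','.join(sorted(g['comm']))}"
                   f" objects={','.join(sorted(g['objects'])) or '-'}")
        out.extend(f'#   -> {h}' for h in sorted(g['hints']))
    return '\n'.join(out)


if __name__ == '__main__':
    print(render(summarize(SAMPLE_AVCS)))
```

On a real system the input would be `ausearch -m avc --raw` output rather than the embedded list; the point is that the grouped rule, its comm and its object path are read together, so a rule like the etc_runtime_t execute or the tmp_t create is recognised as a labeling or transition problem instead of being pasted into the policy as-is.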