ok, thanks for the help,
i have one more question: before i was able to achieve transition, i could call a terminal application with runcon
'/bin/runcon -t sandbox_t -l s0:cX,cY /usr/bin/appl /path/to/inputfile'
On Sun, Jan 19, 2014 at 9:45 PM, Dominick Grift <dominick.grift@xxxxxxxxx> wrote:
On Sun, 2014-01-19 at 19:34 +0300, jiun bookworm wrote:

When you write a new policy always deal with potential transition cases
first. Domain transitions happen on execute and file transitions happen on
create.

> allow myapp_t self:fifo_file rw_fifo_file_perms;
> allow myapp_t self:unix_stream_socket create_stream_socket_perms;
> allow myapp_t self:process signal;
> allow myapp_t etc_runtime_t:file { read getattr open ioctl execute};

Above it's mmapping a file with type etc_runtime_t. You should look at
the raw avc denials to see which file that is and where it is, then see
if it's labeled appropriately. It should probably be labeled lib_t or
something.

> allow myapp_t proc_t:file { read open};
> allow myapp_t bin_t:dir write;

The above might be an access check. You should try to confirm that by
using audit to record this event and then look at the syscall.

> allow myapp_t proc_t:file getattr;
> allow myapp_t tmp_t:dir {write add_name};
> allow myapp_t tmp_t:file {write open create};

The above file should be created with a type transition to a private
myapp_tmp_t (files_tmp_file).

> allow myapp_t user_home_dir_t:dir { search getattr read open write
> add_name};
> allow myapp_t user_home_t:file { read open getattr ioctl create};
> allow myapp_t user_home_t:dir { read open search getattr };

The above don't quite add up. myapp is adding a directory entry and
writing to some directory in /home but without a type transition rule I
do not see how it can create the file with user_home_t.
You should analyze the raw avc denials related to the rules above to see
what exactly is happening and why.

> allow myapp_t ldconfig_exec_t:file {execute read open
> execute_no_trans};

Figure out what command exactly is executing it by looking at the raw
avc denials comm="" field. ldconfig should usually be run as is (e.g.
without a domain transition).

> allow myapp_t net_conf_t:file { read open getattr ioctl};
> allow myapp_t mongod_port_t:tcp_socket name_connect;
>
> allow myapp_t self:tcp_socket { create setopt connect getattr getopt
> write read bind append};
> allow myapp_t self:udp_socket { create connect getattr getopt setopt
> write read bind append};
> allow myapp_t self:netlink_route_socket { create bind getattr write
> nlmsg_read nlmsg_write read setattr lock getopt setopt append };
>

The policy is pretty simple if you take care of the tmp file that is
created and the mislabeled etc_runtime_t library.

These are some of the things that I think should be in there and that
might solve some issues:

type myapp_t;
type myapp_exec_t;
init_daemon_domain(myapp_t, myapp_exec_t)

type myapp_unit_file_t;
systemd_unit_file(myapp_unit_file_t)

type myapp_tmp_t;
files_tmp_file(myapp_tmp_t)
manage_files_pattern(myapp_t, myapp_tmp_t, myapp_tmp_t)
files_tmp_filetrans(myapp_t, myapp_tmp_t, file)

corenet_tcp_connect_mongod_port(myapp_t)
lib_exec_ldconfig(myapp_t)
auth_use_nsswitch(myapp_t)

The remainder should probably be retested, re-analyzed.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
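The workflow the reply recommends, as an added example that is not part of the thread and not code from either poster: pull the comm=, path= and source/target types out of raw AVC records before deciding on a rule (the thread says to do this for the etc_runtime_t file and for the ldconfig execution), then write the module so that the transition cases are handled first, with myapp's scratch files landing in a private myapp_tmp_t via files_tmp_filetrans instead of an allow rule on tmp_t. The three denial records are constructed samples in ausearch -m avc format; the paths /usr/sbin/myapp, /etc/myapp/libhelper.so and the myapp.service unit, the module name and the interface spelling corenet_tcp_connect_mongod_port (derived from the mongod_port_t type quoted above) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: module name "myapp", the
# paths in SAMPLE_AVC and myapp.fc, and the policy-devel Makefile location.

# Constructed sample records, in the format `ausearch -m avc` prints.
SAMPLE_AVC=$(cat <<'EOF'
type=AVC msg=audit(1390152000.123:456): avc:  denied  { execute } for  pid=1234 comm="myapp" path="/etc/myapp/libhelper.so" dev="sda1" ino=98765 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1390152001.456:457): avc:  denied  { execute_no_trans } for  pid=1235 comm="sh" path="/sbin/ldconfig" dev="sda1" ino=4321 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1390152002.789:458): avc:  denied  { write add_name } for  pid=1234 comm="myapp" name="myapp.sock" dev="sda1" ino=1111 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
EOF
)

# avc_summary: one line per AVC record read from stdin:
#   <comm> <source type> <target type> <tclass> <path or name> [<perms>]
# comm shows which program inside the domain hit the denial (here "sh" ran
# ldconfig, not myapp itself); path/name is what to check with `ls -Z` for
# mislabeling before adding any allow rule.
avc_summary() {
    awk '
    /^type=AVC/ {
        comm = ""; path = ""; name = ""; stype = ""; ttype = ""; tclass = ""; perms = ""
        if (match($0, /[{] [^}]* [}]/))
            perms = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue
            v = kv[2]; gsub(/"/, "", v)
            if (kv[1] == "comm") comm = v
            else if (kv[1] == "path") path = v
            else if (kv[1] == "name") name = v
            else if (kv[1] == "tclass") tclass = v
            else if (kv[1] == "scontext") { split(v, c, ":"); stype = c[3] }
            else if (kv[1] == "tcontext") { split(v, c, ":"); ttype = c[3] }
        }
        if (path == "") path = name
        printf "%s %s %s %s %s [%s]\n", comm, stype, ttype, tclass, path, perms
    }'
}

# write_myapp_policy DIR: writes myapp.te and myapp.fc into DIR. Transition
# cases come first: domain on execute of myapp_exec_t, file type on create
# in /tmp. No rule on tmp_t:file is needed once the transition is in place.
write_myapp_policy() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/myapp.te" <<'EOF'
policy_module(myapp, 1.0.0)

type myapp_t;
type myapp_exec_t;
init_daemon_domain(myapp_t, myapp_exec_t)

type myapp_unit_file_t;
systemd_unit_file(myapp_unit_file_t)

# Files myapp creates in /tmp get myapp_tmp_t through this transition.
type myapp_tmp_t;
files_tmp_file(myapp_tmp_t)
manage_files_pattern(myapp_t, myapp_tmp_t, myapp_tmp_t)
files_tmp_filetrans(myapp_t, myapp_tmp_t, file)

# Interface name assumed from the mongod_port_t type seen in the denials.
corenet_tcp_connect_mongod_port(myapp_t)
# ldconfig runs inside myapp_t (execute_no_trans), no domain transition.
lib_exec_ldconfig(myapp_t)
auth_use_nsswitch(myapp_t)
EOF
    cat > "$dir/myapp.fc" <<'EOF'
/usr/sbin/myapp                        --  gen_context(system_u:object_r:myapp_exec_t,s0)
/usr/lib/systemd/system/myapp\.service --  gen_context(system_u:object_r:myapp_unit_file_t,s0)
EOF
}

# build_and_load DIR: run as root on the target host (needs the
# selinux-policy-devel Makefile). Not run here. The mislabeled library from
# the first denial is fixed by relabeling, not by an allow rule, e.g.:
#   semanage fcontext -a -t lib_t '/etc/myapp/libhelper\.so'
#   restorecon -v /etc/myapp/libhelper.so
build_and_load() {
    dir=$1
    make -C "$dir" -f /usr/share/selinux/devel/Makefile myapp.pp
    semodule -i "$dir/myapp.pp"
    restorecon -Rv /usr/sbin/myapp /usr/lib/systemd/system/myapp.service
}

printf '%s\n' "$SAMPLE_AVC" | avc_summary
POLDIR=$(mktemp -d)
write_myapp_policy "$POLDIR"
echo "policy written to $POLDIR; on the target host run: build_and_load $POLDIR"
```

On a live system, replace the constructed records with `ausearch -m avc -ts recent | avc_summary`; with dontaudit rules loaded some denials stay silent, so `semodule -DB` first (and `semodule -B` afterwards) gives the complete picture the reply asks for.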