On 09/02/2014 10:54 AM, Göran Uddeborg wrote:
Look for SELINUX_ERR, I believe you have an RBAC problem.

> I'm trying to create a module for the Net ID electronic identification system used in Sweden. With the standard policy, this does not work with SELinux enabled, but works fine in permissive mode.
>
> Net ID works as a plugin to Firefox. The plugin starts a separate program "iid". This program needs access to some files in the user's home directory, and also to open a graphical window for reading a passphrase and the like. My idea was to create a specific domain for this program, and try to allow this domain as little as necessary. I'm working with this in permissive mode, trying to check what it tries to do, and trying to find the correct M4 macros to enable it.
>
> One thing confuses me. If I try to run the same thing in enforcing mode, the application doesn't come up at all. That's not surprising, the new policy isn't finished yet. But what IS surprising is I don't get any AVC telling me why. Even if I rebuild with "semodule -DB" I only get a couple of comments about the plugin-container not being allowed to read/write a unix_stream_socket with the type xdm_t. As I understand it, that is unrelated and normally dontaudited. But then, why don't I get any AVCs? What is blocking without telling?
>
> For reference, I attach the policy so far as I've come. But note that it is not under development. (But comments on mistakes I've made and other suggestions are welcome in any case! :-)

You need to add something like

role unconfined_r types netid_t;
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
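As an added illustration of the reply's point, here is a minimal netid.te skeleton in reference-policy style that includes the role authorisation. This is example code written for this page, not Göran's attached module (which is not on the page) and not Fedora's own policy. The domain name mozilla_plugin_t for plugin-container, the type names netid_t, netid_exec_t and netid_home_t, and the set of interfaces used are assumptions for the example.

```selinux
policy_module(netid, 0.1)

########################################
# Declarations
#
# netid_t is the domain for the "iid" helper that the Firefox plugin
# starts; netid_exec_t labels the iid binary itself (a matching .fc
# entry is needed, not shown here). Both names are assumptions.

type netid_t;
type netid_exec_t;
application_domain(netid_t, netid_exec_t)

# Label for the helper's files under the user's home directory.
type netid_home_t;
userdom_user_home_content(netid_home_t)

########################################
# Role authorisation (the point of the reply)
#
# A process context is <user>:<role>:<type>. If netid_t is not
# authorised for the role the user is running in, the kernel cannot
# build a valid context for the transition, so the exec fails with a
# SELINUX_ERR ("invalid context") rather than an AVC denial. Without
# this statement the helper never starts in enforcing mode and no
# AVC is logged, which is exactly the symptom in the question.

gen_require(`
	role unconfined_r;
')
role unconfined_r types netid_t;

########################################
# Transition from the plugin container
#
# mozilla_plugin_t is assumed to be the domain of plugin-container.
# Wrapped in optional_policy so the module still loads if the
# mozilla module is absent.

optional_policy(`
	gen_require(`
		type mozilla_plugin_t;
	')
	domtrans_pattern(mozilla_plugin_t, netid_exec_t, netid_t)
')

########################################
# Local policy for the helper itself

# Files and directories it keeps in the user's home directory.
userdom_search_user_home_dirs(netid_t)
manage_dirs_pattern(netid_t, netid_home_t, netid_home_t)
manage_files_pattern(netid_t, netid_home_t, netid_home_t)

# Passphrase dialog: connect to the X server and read fonts/locale data.
xserver_stream_connect(netid_t)
miscfiles_read_fonts(netid_t)
miscfiles_read_localization(netid_t)
```

To confirm the diagnosis before touching the policy, search the audit log for the error record rather than for AVCs, for example `grep SELINUX_ERR /var/log/audit/audit.log`; an "invalid context" entry naming unconfined_r with netid_t is the RBAC failure the reply describes. After loading the module, `seinfo -runconfined_r -x` should list netid_t among the role's types. If users run the browser under another role (staff_r, user_r), each of those roles needs its own `role ... types netid_t;` statement.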