Dear all,

This is a two-part question.

Part 1:

I have created multiple policies for various applications; all type names begin with ‘thales’. All the types specified are automatically assigned to the sysadm_t domain. I can verify this by running the following command:

    sesearch --allow -R -s sysadm_t -t thales

A couple of questions:

- Why is this necessary?
- Is this done during compilation?
- What policy creates these rules?
- Why are these types not automatically assigned to staff_t, or any other type for that matter?

Part 2:

    runcon -u system_u -r system_r -t initrc_t sh /path/to/executable

I need to simulate executing a script by the init system, because that script usually gets started during startup by a command defined in rc.local. Otherwise I need to keep rebooting to test my policies.

When I run the ‘runcon’ command while logged in as root and while running with the sysadm_r role and sysadm_t type, I get the following AVC error:

----
time->Thu Jan 14 14:23:31 2016
type=PATH msg=audit(1452781411.076:7079): item=0 name="/bin/sh" inode=390152 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shell_exec_t
type=CWD msg=audit(1452781411.076:7079): cwd="/target/software"
type=SYSCALL msg=audit(1452781411.076:7079): arch=c000003e syscall=59 success=no exit=-13 a0=7fffbb439504 a1=7fffbb439740 a2=7fffbb439760 a3=352687dea0 items=1 ppid=21810 pid=22765 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=66 comm="runcon" exe="/usr/bin/runcon" subj=root:sysadm_r:sysadm_t key=(null)
type=AVC msg=audit(1452781411.076:7079): avc: denied { transition } for pid=22765 comm="runcon" path="/bin/bash" dev=sda2 ino=390152 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:initrc_t tclass=process

When running in permissive mode the transition happens with no problems; when running in enforcing mode I get an ‘execvp: Permission denied’ error message.

Is sysadm_t not allowed to transition to initrc_t? How can I solve this issue? I need this script to run under the initrc_t domain, and the script is in a folder only sysadm_t is allowed to access, because of the problem described in part 1.

Thanks in advance,
Jeroen
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx http://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx
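As an added example that is not part of the original post: when working through denials like the one quoted above, it helps to reduce each AVC record to one line showing the denied permission, source context, target context and object class. The POSIX shell and awk script below does that over constructed sample input; the first record is the denial from the post, the second (type thales_app_t, comm "sh", file read/open) is invented here for illustration and is not from the mailing list thread.

```shell
#!/bin/sh
# Added example, not from the original post: summarise SELinux AVC denial
# records into one line per denial so a policy developer can see at a glance
# which source domain was denied which permission on which target type.
# Uses only POSIX sh and awk, so it runs offline on a saved audit log.

# Constructed sample input. Record 1 is the denial quoted in the post;
# record 2 (thales_app_t, comm "sh") is invented for illustration only.
SAMPLE_AVC='type=AVC msg=audit(1452781411.076:7079): avc:  denied  { transition } for  pid=22765 comm="runcon" path="/bin/bash" dev=sda2 ino=390152 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:initrc_t tclass=process
type=SYSCALL msg=audit(1452781411.076:7079): arch=c000003e syscall=59 success=no exit=-13
type=AVC msg=audit(1452781500.000:7080): avc:  denied  { read open } for  pid=22800 comm="sh" name="start.sh" dev=sda2 ino=12345 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:thales_app_t tclass=file'

# summarise_avc: read audit records on stdin and print, for every AVC denial,
#   "<perm1,perm2,...> <scontext> -> <tcontext> (<tclass>) comm=<comm>"
# Non-AVC records (PATH, CWD, SYSCALL, ...) are skipped.
summarise_avc() {
    awk '
    /^type=AVC / && /avc: *denied/ {
        # The denied permissions sit between "{" and "}"; join them with commas.
        perms = $0
        sub(/.*\{ */, "", perms)
        sub(/ *\}.*/, "", perms)
        gsub(/ +/, ",", perms)

        scon = ""; tcon = ""; tclass = ""; comm = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") scon = kv[2]
            else if (kv[1] == "tcontext") tcon = kv[2]
            else if (kv[1] == "tclass") tclass = kv[2]
            else if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
        }
        printf "%s %s -> %s (%s) comm=%s\n", perms, scon, tcon, tclass, comm
    }'
}

# summarise_sample: run the summariser over the constructed sample so the
# script demonstrates itself when executed stand-alone. For a real system,
# pipe "ausearch -m avc" or /var/log/audit/audit.log into summarise_avc.
summarise_sample() {
    printf '%s\n' "$SAMPLE_AVC" | summarise_avc
}

summarise_sample
```

The summary for the post's own record reads "transition root:sysadm_r:sysadm_t -> system_u:system_r:initrc_t (process) comm=runcon", which states directly what the question asks: the sysadm_t domain has no process transition permission to initrc_t in the loaded policy, and the decision was taken on the /bin/bash execve performed by runcon.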