On 01/14/2016 03:55 PM, RIJKEN Jeroen wrote:
> Dear all,
>
> This is a two-part question.
>
> Part 1:
> I have created multiple policies for various applications; all type names
> begin with ‘thales’. All the types specified are automatically assigned
> to the sysadm_t domain. I can verify this by running the following command:

I am not sure what you mean by "are automatically assigned to the sysadm_t domain".
What does `sesearch -T -R -s sysadm_t -c process -t thales` show?
Also it would be better to see your policy.

> sesearch --allow -R -s sysadm_t -t thales
>
> A couple of questions:
> Why is this necessary?
> Is this done during compilation? What policy creates these rules?
> Why are these types not automatically assigned to the staff_t, or any
> other type for that matter?
>
> Part 2:
> runcon -u system_u -r system_r -t initrc_t sh /path/to/executable
>
> I need to simulate executing a script by the init system because that
> script usually gets started during startup by a command defined in
> rc.local. Otherwise I need to keep rebooting to test my policies. When I
> run the ‘runcon’ command while logged in as root and while running with
> the sysadm_r role and sysadm_t type I get the following AVC error:
>
> ----
> time->Thu Jan 14 14:23:31 2016
> type=PATH msg=audit(1452781411.076:7079): item=0 name="/bin/sh" inode=390152 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shell_exec_t
> type=CWD msg=audit(1452781411.076:7079): cwd="/target/software"
> type=SYSCALL msg=audit(1452781411.076:7079): arch=c000003e syscall=59 success=no exit=-13 a0=7fffbb439504 a1=7fffbb439740 a2=7fffbb439760 a3=352687dea0 items=1 ppid=21810 pid=22765 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=66 comm="runcon" exe="/usr/bin/runcon" subj=root:sysadm_r:sysadm_t key=(null)
> type=AVC msg=audit(1452781411.076:7079): avc: denied { transition } for pid=22765 comm="runcon" path="/bin/bash" dev=sda2 ino=390152 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:initrc_t tclass=process
>
> When running in permissive mode the transition happens with no problems;
> when running in enforcing mode I get an ‘execvp: Permission denied’ error
> message.
>
> Is the sysadm_t not allowed to transition to initrc_t? How can I solve
> this issue? I need this script to run under the initrc_t domain. And the
> script is in a folder only the sysadm_t is allowed, because of the
> problem described in part 1.
>
> Thanks in advance,
> Jeroen
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> http://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx

--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
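The AVC record quoted in the thread, parsed into the allow rule it implies and into the three sesearch queries that tell you which leg of the domain transition (execute, entrypoint, process transition) is missing. This is an added example, not code from the thread or from setools; the file type `shell_exec_t` is taken from the PATH record of the same audit event.

```python
import re

# The AVC record quoted in the mail, embedded verbatim as sample input.
AVC_LINE = ('type=AVC msg=audit(1452781411.076:7079): avc: denied { transition } '
            'for pid=22765 comm="runcon" path="/bin/bash" dev=sda2 ino=390152 '
            'scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:initrc_t '
            'tclass=process')
# Type of the executed file, from the PATH record (obj=...:shell_exec_t) of the same event.
EXEC_FILE_TYPE = 'shell_exec_t'

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denied permissions plus the key=value fields of one AVC record, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    return rec


def ctx_type(context):
    """Pick the type out of a user:role:type[:range] security context."""
    return context.split(':')[2]


def allow_rule(rec):
    """Render the TE allow rule that would satisfy the denial (what audit2allow would print)."""
    perms = ' '.join(rec['perms'])
    if len(rec['perms']) > 1:
        perms = '{ ' + perms + ' }'
    return f"allow {ctx_type(rec['scontext'])} {ctx_type(rec['tcontext'])}:{rec['tclass']} {perms};"


def transition_checks(rec, exec_type):
    """For a process:transition denial, the three rules a domain transition needs, as sesearch queries.

    A transition succeeds only if the source domain may execute the file type, the file
    type is an entrypoint of the target domain, and source->target process transition is allowed.
    """
    if rec['tclass'] != 'process' or 'transition' not in rec['perms']:
        return []
    src, tgt = ctx_type(rec['scontext']), ctx_type(rec['tcontext'])
    return [
        f"sesearch --allow -s {src} -t {exec_type} -c file -p execute",
        f"sesearch --allow -s {tgt} -t {exec_type} -c file -p entrypoint",
        f"sesearch --allow -s {src} -t {tgt} -c process -p transition",
    ]
```

Whichever query returns nothing names the rule the policy lacks; the rendered allow rule is only the last of the three, so do not load it blindly.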