Re: Transitioning out of a confined user domain

On 2016-10-13 01:15, Doug Brown wrote:
I think your policy is missing this:

role staff_t types nodejswebserver_t

Thanks for the suggestion! I added this (changing "staff_t" to "staff_r" above) but the problem still occurs.


On 2016-10-13 08:03, Miroslav Grepl wrote:
Could you paste your outputs of audit2allow and we can continue with that?

I tried this as shown below, but the rule output by audit2allow is already in the loaded policy:

[root@earth nodejs_webserver]# ausearch -m avc -su staff_t -ts recent |grep transition |audit2allow


#============= staff_t ==============

allow staff_t nodejswebserver_t:process transition;
[root@earth nodejs_webserver]# sesearch -A -s staff_t -t nodejswebserver_t -c process
Found 2 semantic av rules:
allow staff_t nodejswebserver_t : process { transition noatsecure siginh rlimitinh } ;
   allow staff_t domain : process { getsched getcap getattr } ;

[root@earth nodejs_webserver]#


Here is what I currently have:

# authorize staff_r for the target domain
role staff_r types nodejswebserver_t;
# gives staff_t the can_system_change attribute used by the process transition constraints
domain_system_change_exemption(staff_t);
# domtrans_pattern already emits the type_transition and the process transition rule below
domtrans_pattern(staff_t, nodejswebserver_exec_t, nodejswebserver_t);
type_transition staff_t nodejswebserver_exec_t:process nodejswebserver_t;
# change role from staff_r to system_r when nodejswebserver_exec_t is executed
role_transition staff_r nodejswebserver_exec_t system_r;
allow staff_t nodejswebserver_t:process transition;
allow staff_t nodejswebserver_t:process { noatsecure rlimitinh siginh };

And the audit log entries:

2016-10-13 13:11:45 type=AVC msg=audit(1476364305.299:49175): avc: denied { transition } for pid=3566 comm="bash" path="/sw/sbin/node" dev="dm-0" ino=294783 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:system_r:nodejswebserver_t:s0 tclass=process permissive=0
2016-10-13 13:11:45 type=PATH msg=audit(1476364305.299:49175): item=0 name="/sw/sbin/node" inode=294783 dev=fc:00 mode=0100755 ouid=1000 ogid=1000 rdev=00:00 obj=system_u:object_r:nodejswebserver_exec_t:s0 nametype=NORMAL


--
  Mark Montague
  mark@xxxxxxxxxxx
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
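Added example, not part of the thread or of any SELinux tool: the AVC above is a process transition in which the role changes (staff_r to system_r) while the user stays staff_u. The kernel grants `process transition` only after the AV rule, the role allow rule for the (old role, new role) pair and the process transition constraints all pass, and a failure in any of them is logged as the same `avc: denied { transition }` that audit2allow turns into an allow rule that is already present. `sesearch -A` shows AV rules only, so the script below parses the posted AVC record and lists every statement the transition depends on. The rule names and the refpolicy attribute names in the output (can_change_process_role, can_system_change, can_change_process_identity) are taken from the reference policy constraints file; the sample record is the one quoted in the post, joined on one line.

```python
"""Decompose an SELinux AVC 'transition' denial into the checks it depends on.

Added illustration, not code from the thread. The only input is the AVC
record quoted in the post (constructed here as a single line).
"""
import re
from dataclasses import dataclass

# Constructed sample: the AVC record from the post above, on one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1476364305.299:49175): avc:  denied  { transition } '
    'for  pid=3566 comm="bash" path="/sw/sbin/node" dev="dm-0" ino=294783 '
    'scontext=staff_u:staff_r:staff_t:s0 '
    'tcontext=staff_u:system_r:nodejswebserver_t:s0 tclass=process permissive=0'
)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"denied\s*\{([^}]*)\}")


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    level: str

    @classmethod
    def parse(cls, text):
        # user:role:type[:level]; an MLS/MCS level may itself contain ':'
        # (e.g. s0-s0:c0.c1023), so split at most three times.
        parts = text.split(":", 3)
        if len(parts) < 3:
            raise ValueError(f"not a security context: {text!r}")
        user, role, typ = parts[:3]
        level = parts[3] if len(parts) == 4 else ""
        return cls(user, role, typ, level)


def parse_avc(line):
    """Return (denied permissions, key=value fields) for one type=AVC record."""
    m = PERMS_RE.search(line)
    if m is None:
        raise ValueError("no 'denied { ... }' clause in record")
    perms = m.group(1).split()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return perms, fields


def transition_checks(scon, tcon, perm="transition"):
    """List the policy statements a process transition from scon to tcon needs.

    Every item is a separate way to get 'avc: denied { transition }':
    the AV rule, validity of the new context, and (when the role or user
    changes) the role allow rule and the process transition constraints.
    """
    checks = [
        # the AV rule, the only thing audit2allow and sesearch -A report
        f"allow {scon.type} {tcon.type}:process {perm};",
        # the computed context must be valid: user authorized for the role,
        # role authorized for the type
        f"user {tcon.user} roles {{ ... {tcon.role} ... }};",
        f"role {tcon.role} types {tcon.type};",
    ]
    if scon.role != tcon.role:
        checks.append(f"allow {scon.role} {tcon.role};  # role allow rule")
        checks.append(
            "constrain process transition: r1 == r2 unless "
            f"{scon.type} carries an exempting attribute "
            "(refpolicy: can_change_process_role or can_system_change)"
        )
    if scon.user != tcon.user:
        checks.append(
            "constrain process transition: u1 == u2 unless "
            f"{scon.type} carries an exempting attribute "
            "(refpolicy: can_change_process_identity or can_system_change)"
        )
    if scon.level != tcon.level:
        checks.append("mlsconstrain process transition: source and target levels differ")
    return checks


def explain(line):
    """Parse one AVC record and return (scon, tcon, checks)."""
    perms, fields = parse_avc(line)
    if fields.get("tclass") != "process":
        raise ValueError("not a process-class denial")
    scon = Context.parse(fields["scontext"])
    tcon = Context.parse(fields["tcontext"])
    return scon, tcon, transition_checks(scon, tcon, perms[0])


if __name__ == "__main__":
    scon, tcon, checks = explain(SAMPLE_AVC)
    print(f"{scon.role}:{scon.type} -> {tcon.role}:{tcon.type} must satisfy:")
    for c in checks:
        print("  ", c)
```

In the posted case the role changes, so the last two items are where to look once `sesearch -A` has confirmed the AV rule: the `allow staff_r system_r;` role allow rule and the process transition constraint, which `sesearch` does not search (`seinfo --constrain` in setools 4 lists constraints).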
