> -----Original Message-----
> From: Christopher J. PeBenito [mailto:cpebenito@xxxxxxxxxx]
> Sent: Friday, November 30, 2007 6:11 AM
> To: Clarkson, Mike R (US SSA)
> Cc: selinux@xxxxxxxxxxxxx
> Subject: Re: missing rules in newrole domain (RHEL5.1)
>
> On Thu, 2007-11-29 at 17:49 -0800, Clarkson, Mike R (US SSA) wrote:
> > I recently switched from a targeted-mls policy to the RHEL5.1 mls
> > policy. I found that "newrole -r sysadm" failed in enforcing mode, even
> > though my selinux user was "root".
> >
> > I had to add "files_search_default(newrole_t)" and
> > "files_getattr_default_dirs(newrole_t)" to the selinuxutil.te file to
> > allow newrole to getattr and search the /tmp-inst directory (type
> > default_t).
> >
> > This was happening even with the read_default_t boolean set to true.
> >
> > Here are the avc denial messages that I was getting:
> >
> > type=AVC msg=audit(1196385320.559:722): avc: denied { getattr } for
> > pid=5092 comm="newrole" path="/tmp-inst" dev=sda1 ino=5341337
> > scontext=root:staff_r:newrole_t:s0-s4:c0.c255
> > tcontext=system_u:object_r:default_t:s0 tclass=dir
> >
> > type=AVC msg=audit(1196385320.559:723): avc: denied { search } for
> > pid=5092 comm="newrole" name="tmp-inst" dev=sda1 ino=5341337
> > scontext=root:staff_r:newrole_t:s0-s4:c0.c255
> > tcontext=system_u:object_r:default_t:s0 tclass=dir
> >
> > I'm assuming this should have worked out of the box without having to
> > add these rules. Is there some configuration step that I missed?
>
> It just means that you newroled while you were in this directory.
> Newrole doesn't utilize read_default_t because we don't want privileged
> programs like newrole accessing random default_t objects.

This happens regardless of the directory in which I am located when I use newrole. Newrole needs these because we have set up polyinstantiation of the /tmp directory. The instance directories which newrole binds to the /tmp directory are located in the /tmp-inst directory.
If it is desirable to not allow search and getattr on default_t directories by newrole, then a different file context could be applied to the /tmp-inst directory. So the question then would be in which module the file context rule should be applied. Since this directory is used by newrole for polyinstantiation, it seems to me the best place would be the selinuxutil.fc file. Also, since this will be an issue for anyone polyinstantiating the /tmp directory, it seems like it should come in the policy out of the box.

>
> --
> Chris PeBenito
> Tresys Technology, LLC
> (410) 290-1411 x150
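As an added example (not code from this thread or from the reference policy project), the following Python script parses the two AVC records quoted above, collapses them into the single allow rule they imply, maps them onto the two interface calls named in the thread, and flags that the target type is the catch-all default_t, which is the concern raised against simply granting the access. The INTERFACES table and the broad_targets helper are this example's own constructs, not a refpolicy or audit2allow API.

```python
import re
from collections import defaultdict

# The two AVC records copied from the thread, unwrapped onto one line each.
AVC_LOG = """\
type=AVC msg=audit(1196385320.559:722): avc: denied { getattr } for pid=5092 comm="newrole" path="/tmp-inst" dev=sda1 ino=5341337 scontext=root:staff_r:newrole_t:s0-s4:c0.c255 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1196385320.559:723): avc: denied { search } for pid=5092 comm="newrole" name="tmp-inst" dev=sda1 ino=5341337 scontext=root:staff_r:newrole_t:s0-s4:c0.c255 tcontext=system_u:object_r:default_t:s0 tclass=dir
"""

# "avc: denied { perm perm } for key=value key="value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the record's key=value fields plus a 'perms' set, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if not {'scontext', 'tcontext', 'tclass'}.issubset(fields):
        return None
    fields['perms'] = set(m.group('perms').split())
    return fields


def context_type(ctx):
    """Extract the type from a user:role:type[:range] security context."""
    return ctx.split(':')[2]


def denials_to_rules(log):
    """Aggregate denials into TE allow rules keyed on (source type, target type, class)."""
    needed = defaultdict(set)
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (context_type(rec['scontext']), context_type(rec['tcontext']), rec['tclass'])
        needed[key] |= rec['perms']
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(needed.items())]


# Refpolicy interfaces that grant the same access on default_t directories,
# exactly the two named in the thread. This lookup is the example's own table;
# any other (type, class, permission) triple is reported as unmapped.
INTERFACES = {
    ('default_t', 'dir', 'search'): 'files_search_default',
    ('default_t', 'dir', 'getattr'): 'files_getattr_default_dirs',
}


def suggest_interfaces(log):
    """Return (sorted interface calls, sorted unmapped (src, tgt, class, perm) tuples)."""
    calls, unmapped = set(), set()
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        src, tgt = context_type(rec['scontext']), context_type(rec['tcontext'])
        for perm in rec['perms']:
            iface = INTERFACES.get((tgt, rec['tclass'], perm))
            if iface:
                calls.add(f"{iface}({src})")
            else:
                unmapped.add((src, tgt, rec['tclass'], perm))
    return sorted(calls), sorted(unmapped)


def broad_targets(log, broad=('default_t',)):
    """Flag denials whose target is a catch-all type such as default_t.

    Allowing a privileged domain to touch such a type is wider than the one
    path that actually needs it; relabelling that path (an .fc rule) is the
    narrower fix, which is the alternative discussed in the thread.
    """
    hits = []
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec and context_type(rec['tcontext']) in broad:
            hits.append((rec.get('path') or rec.get('name'), context_type(rec['tcontext'])))
    return hits


if __name__ == '__main__':
    for rule in denials_to_rules(AVC_LOG):
        print(rule)
    calls, unmapped = suggest_interfaces(AVC_LOG)
    print('interface calls:', calls, 'unmapped:', unmapped)
    print('catch-all targets:', broad_targets(AVC_LOG))
```

The first two functions do what audit2allow would do for these records; the third is the check worth running before pasting the result into a .te file, since a hit on default_t is the signal that a file context entry for the specific path is the better-scoped change.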