On Wed, 2008-02-06 at 15:21 -0500, Stephen Smalley wrote:
> On Wed, 2008-02-06 at 14:16 -0600, Jeremiah Jahn wrote:
> > I get this error in the audit log:
> >
> > type=SELINUX_ERR msg=audit(1202327606.098:732): security_compute_sid: invalid context system_u:system_r:monetra_t:s0 for scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:monetra_server_exec_t:s0 tclass=process
> > type=SYSCALL msg=audit(1202327606.098:732): arch=40000003 syscall=11 success=no exit=-13 a0=9d9f650 a1=9d9f5d8 a2=9d8c728 a3=9d9ff20 items=0 ppid=2575 pid=2593 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="S99monetra" exe="/bin/bash" subj=system_u:system_r:initrc_t:s0 key=(null)
>
> Missing role system_r types monetra_t; statement.
>
> > I was under the assumption that the following would work:
> >
> > allow initrc_t monetra_server_exec_t:file { read execute getattr };
> > allow monetra_t monetra_server_exec_t:file { entrypoint };
> > type_transition initrc_t monetra_server_exec_t:process monetra_t;
>
> Also need:
> allow initrc_t monetra_t:process transition;

This results in the following error:

libsepol.check_assertion_helper: assertion on line 0 violated by allow initrc_t monetra_t:process { transition };

> But why not just use policy interfaces to do that?

Here lies my major problem. My level of understanding is based generally on what I can track down in books: O'Reilly's SELinux and Tresys's SELinux by Example. The ORA book is incomplete at best, with little or no actual reference value. The Tresys book is far better, and takes a good deal of time explaining PRE-refpolicy. Although it goes into the general ideas behind the refpolicy and some of the macros, that's about it. Nowhere can I find information about the actual format of the .te files, for example; perhaps I missed it, but hey. When I look online for something more up to date from Tresys or the NSA, the documentation seems to focus on very specific things.

For example, the interface docs have no real overview of the .te format ("roles seem to need to be at the bottom, right before users"). Also there seem to really be no docs other than the books that describe what "non-interface" macros are out there. There's no really good starting point for someone trying to do something outside all of the examples. In my case, "don't let the sysadm read or touch credit card data." </rant>

I truly am grateful for the amount of hard work everyone has put into SELinux; it's a huge undertaking, and makes my job possible. But oy vey is it confusing.

> > I can't do init_daemon_domain(monetra_t,monetra_server_exec_t) because I
> > can't let sysadm_t read anything involving monetra_t. And I'd thought
> > I'd read in "selinux by example" that
> > domain_auto_trans(initrc_t,monetra_server_exec_t,monetra_t) is generally
> > a bad idea.
>
> Why?

Don't have my book in front of me.. :) Couldn't tell you.

-- 
If you think the United States has stood still, who built the largest shopping center in the world? -- Richard M. Nixon
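For readers following the thread: below is a complete refpolicy-style module that wires up the initrc_t -> monetra_t transition the way the two messages above sketch it. It is an added example, not code from the thread or from Monetra; the type and role names are the ones in the audit record. It assumes a refpolicy-based policy with the usual interfaces (domain_type, domain_entry_file) and the devel Makefile installed. Two things it fills in that the hand-written rules above lack: the "role system_r types monetra_t;" statement the SELINUX_ERR record is complaining about (without it system_u:system_r:monetra_t:s0 is simply not a valid context, so security_compute_sid fails), and the "domain" attribute on monetra_t. The reading offered here (an assumption, not something the thread confirms) is that the "assertion on line 0" failure is the base policy's neverallow against process transitions into types that are not domains; "line 0" is how libsepol reports a neverallow that lives in the already-compiled base rather than in the module being loaded.

```selinux
policy_module(monetra, 1.0.0)

########################################
#
# Declarations
#

# The daemon domain. domain_type() attaches the "domain" attribute; a bare
# "type monetra_t;" is not a domain, and the base policy forbids process
# transitions into non-domains, which is the assumed source of the
# "assertion on line 0 violated" error above.
type monetra_t;
domain_type(monetra_t)

# The entry point. domain_entry_file() marks the type as an executable file
# type and grants "allow monetra_t monetra_server_exec_t:file entrypoint"
# (plus the read/execute/mmap permissions the domain needs on its own binary).
type monetra_server_exec_t;
domain_entry_file(monetra_t, monetra_server_exec_t)

# The statement the audit record is missing. Role/type pairing is checked
# when the new SID is computed, not by the allow rules, so without this line
# the transition is rejected even though every allow rule is present.
role system_r types monetra_t;

########################################
#
# Local policy
#

# initrc_t is declared in the base policy; a module has to request it.
gen_require(`
	type initrc_t;
')

# The explicit transition. This is essentially what
# init_daemon_domain(monetra_t, monetra_server_exec_t) expands to, minus the
# extra dontaudit/fd rules that interface adds for init-started daemons.
allow initrc_t monetra_server_exec_t:file { getattr read execute };
allow initrc_t monetra_t:process transition;
type_transition initrc_t monetra_server_exec_t:process monetra_t;

# Inheritance checks that are normally silenced for daemon transitions so
# the audit log does not fill up with harmless denials.
dontaudit initrc_t monetra_t:process { noatsecure siginh rlimitinh };
```

Build and load it with the devel Makefile, e.g. `make -f /usr/share/selinux/devel/Makefile monetra.pp && semodule -i monetra.pp`, then confirm the kernel actually sees what you intended: `seinfo -rsystem_r -x | grep monetra_t` should list the type under the role, and `sesearch -T -s initrc_t -t monetra_server_exec_t` should show the type_transition. For the sysadm_t worry raised in the thread, the useful check is not what this module says but what the base policy already grants: `sesearch --allow -s sysadm_t -t monetra_t` (and the same against whatever type the card data ends up labelled with) shows any access sysadm_t picks up through attributes such as domain or file_type, which is where broad administrative access usually comes from.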