Re: Why am I not transitioning correctly?

On Wed, 2008-02-06 at 16:01 -0500, Stephen Smalley wrote:
> On Wed, 2008-02-06 at 14:53 -0600, Jeremiah Jahn wrote:
> > 
> > On Wed, 2008-02-06 at 15:21 -0500, Stephen Smalley wrote:
> > > On Wed, 2008-02-06 at 14:16 -0600, Jeremiah Jahn wrote:
> > > > I get this error in the audit log:
> > > > type=SELINUX_ERR msg=audit(1202327606.098:732): security_compute_sid:  invalid context system_u:system_r:monetra_t:s0 for scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:monetra_server_exec_t:s0 tclass=process
> > > > type=SYSCALL msg=audit(1202327606.098:732): arch=40000003 syscall=11 success=no exit=-13 a0=9d9f650 a1=9d9f5d8 a2=9d8c728 a3=9d9ff20 items=0 ppid=2575 pid=2593 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="S99monetra" exe="/bin/bash" subj=system_u:system_r:initrc_t:s0 key=(null)
> > > 
> > > Missing role system_r types monetra_t; statement.
> > > 
> > > > I was under the assumption that the following would work:
> > > > allow initrc_t monetra_server_exec_t:file { read execute getattr};
> > > > allow monetra_t monetra_server_exec_t:file { entrypoint };
> > > > type_transition initrc_t monetra_server_exec_t:process monetra_t;
> > > 
> > > Also need:
> > > allow initrc_t monetra_t:process transition;
> > this results in the following error:
> > libsepol.check_assertion_helper: assertion on line 0 violated by allow initrc_t monetra_t:process { transition };
> 
> That means you didn't declare monetra_t as a domain, i.e.
> domain_type(monetra_t)
Thanks. I did initially use the refpolicy interfaces, but they were a
little broad, and allowed sysadm_t to read some files just because
initrc_t could. So I'm trying to simplify / do explicitly what I
understand.

> 
> The best way to start is to look an existing .te file and follow its
> example.  refpolicy has pretty extensive documentation of all of its
> interfaces, although it can be hard to find the one you want.  SLIDE
> seems promising; possibly you should try using it and its domain
> builder.
None of the .te files I could find really did what I wanted, or they
used interfaces that were a little vague in what they did. I'm learning to
build the policy, and to see how the macro expands to see what it does.

> 
> SELinux by Example does walk you through writing a simple domain from
> scratch, I think.
It does, but leaves a few things out, and nobody has an example of
creating a whole separate domain that root/sysadm_t can't use, but can
start up at boot. 

> 
> Nothing wrong with domain_auto_trans() AFAIK, and I see it used
> throughout refpolicy.
> 
this was my bad, domain_dyntrans_type( domain ) was what I was thinking
of. 


There can be no twisted thought without a twisted molecule. -- R. W.
Gerard
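Putting the pieces of the thread together, here is a complete minimal module for the monetra domain, added as a worked example; it is not code from the thread or from the Monetra project. It assumes a refpolicy development environment (the policy_module()/gen_require() m4 macros and the helper interfaces named below), and it assumes the expansions of domain_type(), domain_entry_file() and domain_auto_trans() as they were in refpolicy around the time of the thread; the exact permission sets those interfaces generate vary by refpolicy version, so check your tree's domain.if and init.if. The pid-file rules at the end are illustrative only.

```selinux
policy_module(monetra, 1.0.0)

########################################
#
# Declarations
#

# The process domain named in the audit record.  domain_type() attaches
# the "domain" attribute and the base rules every domain needs; the
# libsepol assertion that rejected "allow initrc_t monetra_t:process
# transition" fires precisely because the transition target lacked it.
type monetra_t;
domain_type(monetra_t)

# The entrypoint file type.  domain_entry_file() marks it as an entry
# point and generates "allow monetra_t monetra_server_exec_t:file entrypoint".
type monetra_server_exec_t;
domain_entry_file(monetra_t, monetra_server_exec_t)

# An exec from initrc_t keeps the role system_r, so system_r must be
# allowed to carry monetra_t.  This is the statement that was missing when
# security_compute_sid logged "invalid context system_u:system_r:monetra_t:s0".
role system_r types monetra_t;

# Types owned by other modules must be pulled in before rules here can
# name them.
gen_require(`
	type initrc_t;
')

########################################
#
# Transition from the init scripts, written out explicitly
#

# 1. initrc_t may execute the binary ...
allow initrc_t monetra_server_exec_t:file { getattr read execute };
# 2. ... may switch into the new domain ...
allow initrc_t monetra_t:process transition;
# 3. ... and does so automatically when it execs that file type.
type_transition initrc_t monetra_server_exec_t:process monetra_t;
# Conventional: keep the harmless inheritance checks out of the audit log.
dontaudit initrc_t monetra_t:process { noatsecure siginh rlimitinh };

# Steps 1-3 are, in substance, what init_daemon_domain(monetra_t,
# monetra_server_exec_t) generates through domain_auto_trans(initrc_t,
# monetra_server_exec_t, monetra_t), minus the extra attributes and run
# rules that interface also adds.  No equivalent rule exists for sysadm_t,
# so an administrator who execs the binary directly either stays in
# sysadm_t or is denied execute; start the service through run_init so the
# init script itself runs as initrc_t.

########################################
#
# monetra local policy (the daemon's own permissions go here)
#

# Illustrative: a pid file under /var/run via the refpolicy helpers.
type monetra_var_run_t;
files_pid_file(monetra_var_run_t)
allow monetra_t monetra_var_run_t:file manage_file_perms;
files_pid_filetrans(monetra_t, monetra_var_run_t, file)
```

Pair it with a monetra.fc file labelling the daemon binary, for example `/usr/local/monetra/bin/monetra -- gen_context(system_u:object_r:monetra_server_exec_t,s0)` (the path is a placeholder for wherever the binary actually lives). Build and load with the refpolicy development Makefile, `make -f /usr/share/selinux/devel/Makefile monetra.pp && semodule -i monetra.pp`, run restorecon on the binary, and re-run the init script; if the role line is present the SELINUX_ERR record from security_compute_sid should no longer appear, and any remaining AVC denials will be the daemon's own permissions rather than the transition itself.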
