Hi SELinux experts,

Thank you for reading my email. I am trying to write an SELinux policy module (.pp) for the vlock program (Virtual Console Locking program). So far I get no more AVC denied messages in permissive mode and only one USER_AUTH failure message in enforcing mode. What interface should I have added for the vlock_t domain?

[root/sysadm_r/s0@cp3020 ~]# date +%T
23:24:07
[root/sysadm_r/s0@cp3020 ~]# vlock
[root/sysadm_r/s0@cp3020 ~]# newrole -r auditadm_r -l s15:c0.c255 -p -- -c "ausearch -sv no -ts 23:24:07 -se vlock_t"
Password:
----
time->Wed Mar 10 23:24:54 2010
type=USER_AUTH msg=audit(1268263494.640:13155): user pid=3758 uid=0 auid=501 ses=3 subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255 msg='op=PAM:authentication acct="root" exe="/usr/bin/vlock" (hostname=?, addr=?, terminal=? res=failed)'
----
time->Wed Mar 10 23:24:54 2010
type=USER_AUTH msg=audit(1268263494.644:13159): user pid=3758 uid=0 auid=501 ses=3 subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255 msg='op=PAM:authentication acct="root" exe="/usr/bin/vlock" (hostname=?, addr=?, terminal=? res=failed)'
[root/sysadm_r/s0@cp3020 ~]#

As you can see, in enforcing mode vlock just exits silently. In permissive mode, the vlock program runs successfully, like below:

[root/sysadm_r/s0@cp3020 ~]# vlock
*** This tty is not a VC (virtual console). ***
*** It may not be securely locked. ***
This TTY is now locked.
Please enter the password to unlock.
root's Password:
[root/sysadm_r/s0@cp3020 ~]#

So the problem must be rooted in my vlock.pp; the .te file is attached at the bottom. How should I address the above USER_AUTH failure?

Thanks again!

Best regards,
Harry

----------

policy_module(vlock, 1.0.0)

########################################
#
# Declarations
#

# vlock_t: domain the locker runs in; vlock_exec_t: label of the vlock binary
type vlock_t;
type vlock_exec_t;
application_domain(vlock_t, vlock_exec_t)

########################################
#
# Vlock local policy
#

# Inherited descriptors and internal pipes
allow vlock_t self:fd use;
allow vlock_t self:fifo_file rw_fifo_file_perms;
# Datagram socket used for the syslog connection
allow vlock_t self:unix_dgram_socket { create connect };
# PAM sends USER_AUTH records over the audit netlink socket
allow vlock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };

kernel_read_system_state(vlock_t)

corecmd_list_bin(vlock_t)
corecmd_read_bin_symlinks(vlock_t)

files_read_etc_files(vlock_t)
files_read_var_files(vlock_t)
files_read_var_symlinks(vlock_t)

# The lock has to work on both real consoles and pseudo-terminals
term_use_all_user_ttys(vlock_t)
term_use_all_user_ptys(vlock_t)

# Password verification is delegated to the chkpwd helper via domain transition
auth_domtrans_chk_passwd(vlock_t)

miscfiles_read_localization(vlock_t)

logging_send_syslog_msg(vlock_t)

selinux_getattr_fs(vlock_t)
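A diagnostic helper added here as an example; it is not part of Harry's mail or of the vlock policy. It assumes a refpolicy-based system where semodule, ausearch and audit2allow are installed, and the audit record embedded in it is constructed from the one quoted above. It shows the check a policy writer usually wants at this point: a PAM failure with no AVC denial in permissive mode is often a denial that a dontaudit rule is hiding, and `semodule -DB` makes those denials visible so they can be fed to audit2allow. The function and variable names (audit_field, context_type, pam_failure_for_domain, uncover_hidden_denials, RUN_LIVE) are this example's own.

```shell
#!/bin/sh
# Added example, not Harry's code. Assumes a refpolicy-style system with
# semodule, ausearch and audit2allow. The record below is constructed from
# the USER_AUTH event quoted in the mail.

SAMPLE_RECORD='type=USER_AUTH msg=audit(1268263494.640:13155): user pid=3758 uid=0 auid=501 ses=3 subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255 msg='"'"'op=PAM:authentication acct="root" exe="/usr/bin/vlock" (hostname=?, addr=?, terminal=? res=failed)'"'"''

# audit_field NAME RECORD: print the value of NAME=value inside RECORD.
# A leading space is prepended so the first field (type=...) matches too;
# values end at the next space or closing parenthesis.
audit_field() {
    printf ' %s\n' "$2" | sed -n "s/.*[ (]$1=\([^ )]*\).*/\1/p"
}

# context_type CONTEXT: the type component of user:role:type[:range]
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# pam_failure_for_domain DOMAIN RECORD: exit 0 when RECORD is a USER_AUTH
# event raised from DOMAIN whose PAM result is "failed"
pam_failure_for_domain() {
    domain=$1
    record=$2
    [ "$(audit_field type "$record")" = "USER_AUTH" ] || return 1
    [ "$(context_type "$(audit_field subj "$record")")" = "$domain" ] || return 1
    [ "$(audit_field res "$record")" = "failed" ] || return 1
    return 0
}

# uncover_hidden_denials DOMAIN SINCE: disable dontaudit rules, let the
# operator reproduce the failure, list the denials for DOMAIN since SINCE
# (HH:MM:SS) as refpolicy interfaces, then restore the dontaudit rules.
# Needs root in sysadm_r; without RUN_LIVE=1 it only prints the commands.
uncover_hidden_denials() {
    domain=$1
    since=$2
    if [ "${RUN_LIVE:-0}" != 1 ]; then
        echo "semodule -DB    # disable dontaudit rules and rebuild the policy"
        echo "# ... reproduce the failure (run the program, try to unlock) ..."
        echo "ausearch -m AVC,USER_AVC -ts $since -se $domain | audit2allow -R"
        echo "semodule -B     # rebuild with dontaudit rules restored"
        return 0
    fi
    semodule -DB || return 1
    printf 'dontaudit rules disabled; reproduce the failure, then press Enter\n'
    read -r dummy
    ausearch -m AVC,USER_AVC -ts "$since" -se "$domain" | audit2allow -R
    semodule -B
}

# Demonstration on the constructed record: the PAM failure came from vlock_t,
# so print the commands that expose any denial hidden by dontaudit rules.
if pam_failure_for_domain vlock_t "$SAMPLE_RECORD"; then
    echo "PAM authentication failed inside vlock_t; checking for hidden denials:"
    uncover_hidden_denials vlock_t 23:24:07
fi
```

The dry run prints the four commands in the order they are meant to be typed; with RUN_LIVE=1 it executes them itself and pauses between disabling dontaudit and searching the log so the failing program can be re-run. Restoring the dontaudit rules afterwards matters, since leaving them disabled floods the audit log with noise that the stock policy suppresses on purpose.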