Re: Update to CIL

On Fri, 2013-10-18 at 14:20 -0400, James Carter wrote:
> I pushed an update of CIL to bitbucket.

Some other things I noticed:

dontaudit seems to not work (at least not in the scenario below):

> (macro domtrans_pattern ((type ARG1) (type ARG2) (type ARG3))
>   (call domain_auto_transition_pattern (ARG1 ARG2 ARG3))
>   (allow ARG3 ARG1 (fd (use)))
>   (allow ARG3 ARG1 (rw_fifo_file_perms))
>   (allow ARG3 ARG1 (process (sigchld))))

> (macro domain_auto_transition_pattern ((type ARG1) (type ARG2) (type ARG3))
>   (call domain_transition_pattern (ARG1 ARG2 ARG3))
>   (typetransition ARG1 ARG2 process "*" ARG3))

> (macro domain_transition_pattern ((type ARG1) (type ARG2) (type ARG3))
>   (allow ARG1 ARG2 (mmap_file_perms))
>   (allow ARG1 ARG3 (process (transition)))
>   (dontaudit ARG1 ARG3 (process (noatsecure siginh rlimitinh))))

> (macro systemd_domtrans_cgroups_agent ((type ARG1))
>   (call domtrans_pattern (ARG1 systemd_cgroups_agent_exec_t
>             systemd_cgroups_agent_t)))

> (optional dependsonsystemd_kernel
> (call systemd_signal (kernel_t))
> (call systemd_sigchld (kernel_t))
> (call systemd_domtrans (kernel_t))
> (call domain_dyntrans_type (kernel_t))
> (call systemd_domtrans_cgroups_agent (kernel_t))
> (call systemd_dyntrans (kernel_t)))

> # sesearch --dontaudit -s kernel_t
> allow kernel_t systemd_cgroups_agent_t:process { siginh rlimitinh noatsecure };

I am also seeing a weird issue where some things are created with a wrong context.

for example:

> # ls -alZ /dev/pts/ptmx
> c---------. root root system_u:system_r:kernel_t:s0    /dev/pts/ptmx

there is a type transition rule:

> (macro filesystem_devpts_filetrans ((type ARG1) (class ARG2) (name ARG3)
>             (type ARG4))
>   (call devices_list (ARG1))
>   (call filetrans_pattern (ARG1 devpts_t ARG2 ARG3 ARG4)))

> (macro filetrans_pattern ((type ARG1) (type ARG2) (class ARG3)
>             (name ARG4) (type ARG5))
>   (allow ARG1 ARG2 (rw_dir_perms))
>   (typetransition ARG1 ARG2 ARG3 ARG4 ARG5))

> (macro term_filetrans_ptmx ((type ARG1) (name ARG2))
> (call filesystem_devpts_filetrans (ARG1 chr_file ARG2 ptmx_t))
> (call devices_filetrans (ARG1 chr_file ARG2 ptmx_t)))

> (macro devices_filetrans ((type ARG1) (class ARG2) (name ARG3) (type ARG4))
>   (call filetrans_pattern (ARG1 device_t ARG2 ARG3 ARG4)))

> (call term_filetrans_ptmx (kernel_t "ptmx"))


> # sesearch -ASCT -s kernel_t | grep ptmx
>    allow kernel_t ptmx_t : chr_file { create getattr setattr open } ; 
> type_transition kernel_t device_t : chr_file ptmx_t "ptmx"; 
> type_transition kernel_t devpts_t : chr_file ptmx_t "ptmx";


By the way on a slight unrelated note:

In filecon() we use symlink, char, block (etc.), but elsewhere it's lnk_file, chr_file, blk_file (etc.).

I prefer consistency.
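A small expander for the macro chain quoted above, added here as an example and not taken from the post or from CIL itself: it substitutes the ARGn parameters through nested (call ...)s and lists the rules a call should compile to, so the expected dontaudit and typetransition rules can be compared with what sesearch reports on the built policy. The macro text is the one quoted in the post (whitespace compacted); the parser and driver are mine.

```python
# Added example (not from the post or the CIL project): expand the nested CIL macro
# calls quoted in the post into the rules they should compile to, for checking
# against sesearch. MACRO_TEXT is copied from the post with whitespace compacted.
import re

MACRO_TEXT = """
(macro domtrans_pattern ((type ARG1) (type ARG2) (type ARG3))
  (call domain_auto_transition_pattern (ARG1 ARG2 ARG3)) (allow ARG3 ARG1 (fd (use)))
  (allow ARG3 ARG1 (rw_fifo_file_perms)) (allow ARG3 ARG1 (process (sigchld))))
(macro domain_auto_transition_pattern ((type ARG1) (type ARG2) (type ARG3))
  (call domain_transition_pattern (ARG1 ARG2 ARG3)) (typetransition ARG1 ARG2 process "*" ARG3))
(macro domain_transition_pattern ((type ARG1) (type ARG2) (type ARG3))
  (allow ARG1 ARG2 (mmap_file_perms)) (allow ARG1 ARG3 (process (transition)))
  (dontaudit ARG1 ARG3 (process (noatsecure siginh rlimitinh))))
(macro systemd_domtrans_cgroups_agent ((type ARG1))
  (call domtrans_pattern (ARG1 systemd_cgroups_agent_exec_t systemd_cgroups_agent_t)))"""

def parse(text):
    """Turn CIL s-expressions into nested lists of string atoms."""
    stack, top = [], []
    for tok in re.findall(r'\(|\)|"[^"]*"|[^\s()]+', text):
        if tok == "(":
            stack.append(top)
            top = []
        elif tok == ")":
            top = stack.pop() + [top]        # close the current form into its parent
        else:
            top.append(tok)
    return top

def load_macros(text):
    """Map macro name -> (parameter names, body statements)."""
    return {f[1]: ([p[1] for p in f[2]], f[3:]) for f in parse(text) if f[0] == "macro"}

def subst(node, env):
    return env.get(node, node) if isinstance(node, str) else [subst(x, env) for x in node]
def to_text(node):
    return node if isinstance(node, str) else "(" + " ".join(map(to_text, node)) + ")"

def expand(stmt, macros):
    """Flatten one statement into the concrete rules it compiles to."""
    if stmt[0] != "call":
        return [stmt]
    params, body = macros[stmt[1]]
    env = dict(zip(params, stmt[2]))          # bind ARGn to the caller's arguments
    return [r for inner in body for r in expand(subst(inner, env), macros)]

def rules_for(call_text, kind, macros=None):
    """Rules of one kind (e.g. 'dontaudit') that a call should compile to."""
    macros = macros or load_macros(MACRO_TEXT)
    return [to_text(r) for s in parse(call_text) for r in expand(s, macros) if r[0] == kind]
```

Running rules_for("(call systemd_domtrans_cgroups_agent (kernel_t))", "dontaudit") gives the single dontaudit rule that the sesearch output above should have reported as dontaudit rather than allow.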



--
This message was distributed to subscribers of the selinux mailing list.