Step-by-Step Guide To Creating SELinux Policy for Google Earth
Benjy Grogan
benjy.grogan at gmail.com
Sat Jun 24 02:54:19 UTC 2006
On 6/20/06, Stephen Smalley <sds at tycho.nsa.gov> wrote:
> On Tue, 2006-06-20 at 15:46 -0400, Benjy Grogan wrote:
> > How do you verify that you're using enableaudit.pp and not base.pp? I
> > get these avcs after building and loading enableaudit but my Google
> > Earth policy still gives off zero avcs after 20 minutes of use. Which
> > would be great if it actually ran in enforcing mode.
> >
> > Jun 20 15:18:03 localhost kernel: audit(1150831083.862:3836): avc: denied { siginh } for pid=7029 comm="setfiles" scontext=user_u:system_r:semanage_t:s0 tcontext=user_u:system_r:setfiles_t:s0 tclass=process
> > Jun 20 15:18:03 localhost kernel: audit(1150831083.862:3837): avc: denied { rlimitinh } for pid=7029 comm="setfiles" scontext=user_u:system_r:semanage_t:s0 tcontext=user_u:system_r:setfiles_t:s0 tclass=process
> > Jun 20 15:18:03 localhost kernel: audit(1150831083.862:3838): avc: denied { noatsecure } for pid=7029 comm="setfiles" scontext=user_u:system_r:semanage_t:s0 tcontext=user_u:system_r:setfiles_t:s0 tclass=process
>
> Those avcs suggest that you are using enableaudit.pp, as they would
> normally be silenced by dontaudit rules. Try running the program under
> strace and checking the output to see precisely where it is failing.
> One case where we get no auditing at all is the net_admin capability
> check upon netlink recv; that will be fixed by a pending patch in the
> audit tree. Hopefully googleearth doesn't need that though ;)
Thanks. strace showed me that the problem was my own fault. I was
incorrectly using auditdeny.
I'm currently trying to get my Google Earth selinux policy to allow
CUPS. It's allowed but I find the cupsd_t domain's need to access the
SELinux config and security file contexts strange. You can see below.
Is this normal?
# Google Earth printing to CUPS
gen_require(`
type cupsd_etc_t;
type cupsd_rw_etc_t;
type cupsd_var_run_t;
type ipp_port_t;
# types used in the rules below but missing from the original require block
type cupsd_t;
type security_t;
type selinux_config_t;
')
# how come cupsd_t has been denied these privileges and why would it need them?
allow cupsd_t security_t:dir search;
allow cupsd_t security_t:file read;
allow cupsd_t selinux_config_t:dir search;
allow cupsd_t selinux_config_t:file { getattr read };
# use CUPS service...
cups_read_config(googleearth_t)
allow googleearth_t cupsd_var_run_t:dir search;
allow googleearth_t self:netlink_route_socket { r_netlink_socket_perms };
corenet_tcp_sendrecv_ipp_port(googleearth_t)
corenet_tcp_connect_ipp_port(googleearth_t)
Benjy
>
> --
> Stephen Smalley
> National Security Agency
>
>