Selfmade policy not getting enforced on Fedora9
Stefan Schleifer
stefan.schleifer at gmail.com
Wed May 28 18:18:47 UTC 2008
Hey guys,
As you might guess, I've a problem with my SELinux-policy under Fedora
9.
I created a little test application 'demo' which reads some text from
stdin and writes it in a config file /etc/hackbar/config.txt.
Afterwarts, I developed a policy with types demo_t, demo_exec_t und
demo_etc_t and allowed demo_exec_to to read/write demo_etc_t.
Everything's fine.
For testing purposes I changed /etc/hackbar/config.txt to type etc_t
which demo_exec_t shouldn't be able to access as there doesn't exist
an allow demo_exec_t r/w etc_t.
[stefan at localhost policy]$ ls -Z /usr/local/bin/demo
-rwsr-sr-x root root system_u:object_r:demo_exec_t:s0 /usr/local/
bin/demo
[stefan at localhost policy]$ ls -Z /etc/hackbar/config.txt
-rwxr-xr-x root root system_u:object_r:etc_t:s0 /etc/hackbar/
config.txt
Again I ran the application but it is still allowed to change that
file?!
[stefan at localhost policy]$ /usr/local/bin/demo
Enter text: foobar
Read from file: foobar
Regarding to standard UNIX permissions access should be granted as the
demo-app has suid set, but shouldn't SELinux permitt access anyway in
this case?
SELinux is in enforcing mode.
[stefan at localhost policy]$ /usr/sbin/sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 22
Policy from config file: targeted
I'm rather confused...
best regards,
Stefan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 186 bytes
Desc: This is a digitally signed message part
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20080528/b861536e/attachment.bin
More information about the selinux
mailing list