problems confining a process

Dominick Grift domg472 at gmail.com
Sat Jul 23 18:43:24 UTC 2011


You are probably missing a domain type transition.

Running the following command, you can see whether unconfined_t has a domain
type transition defined when it runs executable files with type
CZtp_exec_t:

sesearch -SCT --allow -s unconfined_t -t CZtp_exec_t

If none is specified, then you must specify that your calling domain,
unconfined_t, domain type transitions to CZtp_t when a file with type
CZtp_exec_t is executed.

You will also need to allow the unconfined_r role the CZtp_t domain.

After that you may want to allow unconfined_t to interact with CZtp_t in
other ways as well but at least by then the type transition should
happen.

The policy:

gen_require(`
	type unconfined_t, CZtp_exec_t, CZtp_t;
	role unconfined_r;
')

domtrans_pattern(unconfined_t, CZtp_exec_t, CZtp_t)
role unconfined_r types CZtp_t;


On Sat, 2011-07-23 at 20:32 +0200, Michael Atighetchi wrote:
> Hi,
> 
> I'm trying to create a new policy for a constrained process (started by 
> an unconstrained user) and am stuck trying to get the process started 
> in the right context.
> 
> Here are the steps I followed:
> 
> 0. confirm SELinux status
> [proxyuser@lime ~]$ sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   permissive
> Mode from config file:          permissive
> Policy version:                 24
> Policy from config file:        targeted
> 
> [proxyuser@lime ~]$ cat /etc/redhat-release
> Fedora release 14 (Laughlin)
> 
> [proxyuser@lime cz]$ id -Z
> unconfined_u:unconfined_r:unconfined_t:s0
> 
> 1. create policy via
> 
> sepolgen -t 3 /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
> 
> Note that CZtp is a shell script which in turn calls the JVM.
> 
> [proxyuser@lime cz]$ sudo ./CZtp.sh
> Building and Loading Policy
> + make -f /usr/share/selinux/devel/Makefile
> make: Nothing to be done for `all'.
> + /usr/sbin/semodule -i CZtp.pp
> + /sbin/restorecon -F -R -v /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
> /sbin/restorecon reset /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp context system_u:system_r:CZtp_exec_t:s0->system_u:object_r:CZtp_exec_t:s0
> 
> 2. Verify that the CZtp file is labeled properly:
> [proxyuser@lime cz]$ ls -lZ /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
> -rwxr-xr-x. proxyuser proxyuser system_u:object_r:CZtp_exec_t:s0 /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
> 
> 3. start process
> [proxyuser@lime cz]$ cd /home/proxyuser/trunk/aps-base/crumple-zone/target/
> [proxyuser@lime target]$ ./CZtp
> 
> 4. Verify process context
> [proxyuser@lime ~]$ ps -efZ | grep -v grep | grep CZtp
> unconfined_u:unconfined_r:unconfined_t:s0 501 5789 5734  0 14:22 pts/0 00:00:00 /bin/sh ./CZtp
> 
> 
> Note that the process shows up as unconfined_t, although it was labeled 
> with CZtp_exec_t.
> 
> What am I missing?
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20110723/17146344/attachment.bin 
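As an added example that is not part of either message in this thread, the script below automates the check and the fix described in the reply: it queries the loaded policy for the four rules a domain transition needs (execute on the file, entrypoint for the new domain, process transition, and the type_transition rule itself), checks the role allow separately, writes the policy snippet from the reply into its own module with a policy_module() header, and builds and loads it with the devel Makefile the original post uses. It assumes setools' sesearch and seinfo are installed (the rule matching accepts both the setools 3 "cls : perm" and the setools 4 "cls:perm" spacing, and the seinfo role listing is assumed to contain the type name), that the refpolicy devel Makefile is at /usr/share/selinux/devel/Makefile, and that the module is named CZtp_domtrans; the module name and the function names are my own choices, not anything from the thread.

```sh
#!/bin/sh
# Added example, not code from the thread. Checks for the rules behind the
# unconfined_t -> CZtp_t transition, writes a module adding them, loads it.
# Assumed: setools sesearch/seinfo, /usr/share/selinux/devel/Makefile,
# module name CZtp_domtrans (my choice).
set -eu

SRC_DOMAIN=unconfined_t     # calling domain
EXEC_TYPE=CZtp_exec_t       # label on the CZtp script
TARGET_DOMAIN=CZtp_t        # domain the process should end up in
ROLE=unconfined_r           # role of the calling user
MODULE=CZtp_domtrans        # assumed module name

# Read sesearch output on stdin and report which of the four rules that make
# up a domain transition are missing; returns 0 only when all are present.
# In permissive mode a missing type_transition logs no AVC message at all,
# since nothing is denied: the process just stays in the caller's domain.
check_transition_rules() {
  rules=$(cat)
  missing=""
  printf '%s\n' "$rules" | grep -Eq \
    "^allow[[:space:]]+$SRC_DOMAIN[[:space:]]+$EXEC_TYPE[[:space:]]*:[[:space:]]*file[^;]*[{[:space:]]execute[[:space:]};]" \
    || missing="$missing file:execute"
  printf '%s\n' "$rules" | grep -Eq \
    "^allow[[:space:]]+$SRC_DOMAIN[[:space:]]+$TARGET_DOMAIN[[:space:]]*:[[:space:]]*process[^;]*[{[:space:]]transition[[:space:]};]" \
    || missing="$missing process:transition"
  printf '%s\n' "$rules" | grep -Eq \
    "^allow[[:space:]]+$TARGET_DOMAIN[[:space:]]+$EXEC_TYPE[[:space:]]*:[[:space:]]*file[^;]*[{[:space:]]entrypoint[[:space:]};]" \
    || missing="$missing file:entrypoint"
  printf '%s\n' "$rules" | grep -Eq \
    "^type_transition[[:space:]]+$SRC_DOMAIN[[:space:]]+$EXEC_TYPE[[:space:]]*:[[:space:]]*process[[:space:]]+$TARGET_DOMAIN[[:space:]]*;" \
    || missing="$missing type_transition"
  if [ -n "$missing" ]; then
    echo "missing rules:$missing"
    return 1
  fi
  echo "all transition rules present"
}

# Three queries, because each rule has a different source/target pair.
query_loaded_rules() {
  sesearch -A -T -s "$SRC_DOMAIN" -t "$EXEC_TYPE"
  sesearch -A -s "$SRC_DOMAIN" -t "$TARGET_DOMAIN" -c process
  sesearch -A -s "$TARGET_DOMAIN" -t "$EXEC_TYPE" -c file
}

# sesearch does not show role allows; seinfo lists a role's types
# (assumed: the listing contains the bare type name).
role_allows_domain() {
  seinfo --role="$ROLE" -x | grep -qw "$TARGET_DOMAIN"
}

# Write the module source into directory $1 and print its path.
# domtrans_pattern() expands to the four rules checked above.
write_module() {
  te="$1/$MODULE.te"
  cat > "$te" <<EOF
policy_module($MODULE, 1.0.0)

gen_require(\`
    type $SRC_DOMAIN, $EXEC_TYPE, $TARGET_DOMAIN;
    role $ROLE;
')

# $SRC_DOMAIN -> $TARGET_DOMAIN when it executes a $EXEC_TYPE file
domtrans_pattern($SRC_DOMAIN, $EXEC_TYPE, $TARGET_DOMAIN)

# the role must be allowed the new type or the transition is refused
role $ROLE types $TARGET_DOMAIN;
EOF
  echo "$te"
}

# Build the .pp with the refpolicy devel Makefile and load it (needs root).
build_and_load() {
  write_module "$1" >/dev/null
  make -C "$1" -f /usr/share/selinux/devel/Makefile "$MODULE.pp"
  semodule -i "$1/$MODULE.pp"
}

case "${1-}" in
  check)
    rc=0
    query_loaded_rules | check_transition_rules || rc=1
    if role_allows_domain; then echo "role $ROLE allows $TARGET_DOMAIN"
    else echo "missing: role $ROLE types $TARGET_DOMAIN;"; rc=1; fi
    exit $rc ;;
  apply)
    build_and_load "$(mktemp -d)"
    query_loaded_rules | check_transition_rules
    echo "now run ./CZtp and confirm the domain with: ps -eZ | grep CZtp" ;;
  *)
    echo "usage: $0 check|apply" ;;
esac
```

Run `sh CZtp_domtrans.sh check` first to see which of the pieces is absent; `sudo sh CZtp_domtrans.sh apply` writes, builds and loads the module and repeats the check. Any further permissions the new domain needs once the script is actually running in CZtp_t (the shell interpreter, the JVM) will show up as AVC denials in permissive mode and are not covered by this module.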

