making a file context change work for initrc_t and unconfined_t

Maria Iano maria at iano.org
Fri Feb 3 20:41:06 UTC 2012


On Feb 3, 2012, at 4:43 AM, Dominick Grift wrote:

> On Fri, 2012-02-03 at 10:02 +0100, Dominick Grift wrote:
>
>>
>> policy_module(mylikewise, 1.0.0)
>>
>> optional_policy(`
>> gen_require(`
>> attribute likewise_domains;
>> type lwiod_t, netlogond_t, netlogond_var_socket_t,  
>> likewise_var_lib_t;
>> type lsassd_t, lwsmd_t, netlogond_var_lib_t, likewise_krb5_ad_t,
>> eventlogd_t;
>> ')
>>
>> stream_connect_pattern(lwiod_t, likewise_var_lib_t,
>> netlogond_var_socket_t, netlogond_t)
>>
>> kernel_read_system_state(likewise_domains)
>> domain_dontaudit_search_all_domains_state(lsassd_t)
>>
>> allow lwsmd_t likewise_var_lib_t:file write_file_perms;
>> allow lwsmd_t { netlogond_var_lib_t likewise_krb5_ad_t }:file
>> read_file_perms;
>>
>> allow eventlogd_t likewise_var_lib_t:file rw_file_perms;
>>
>> allow lwsmd_t self:process setpgid;
>> allow lwiod_t self:process setrlimit;
>> allow lwiod_t self:capability sys_resource;
>> ')
>>
>> ..
>>
>> To build it:
>>
>> make -f /usr/share/selinux/devel/Makefile mylikewise.pp
>>
>> to install it:
>>
>> sudo semodule -i mylikewise.pp
>>
>>
>
> Actually, i think i figured out why /var/lib/likewise/db/lwi_events.db
> and /var/lib/likewise/.lwsmd-lock might have been mislabeled.
>
> The "lwi_events.db" has chars that need to be escaped. (either the dot
> or underscore or both)
>
> The .lwsmd-lock has no file context specification at all currently
>
> Please try the following (watch the line breaks though, this e-mail
> client messes up the layout):
>
> mylikewise.te:
>
> policy_module(mylikewise, 1.0.0)
>
> optional_policy(`
> gen_require(`
> attribute likewise_domains;
> type lwiod_t, netlogond_t, netlogond_var_socket_t, likewise_var_lib_t;
> type lsassd_t, lwsmd_t, netlogond_var_lib_t, likewise_krb5_ad_t;
> ')
>
> stream_connect_pattern(lwiod_t, likewise_var_lib_t,
> netlogond_var_socket_t, netlogond_t)
>
> kernel_read_system_state(likewise_domains)
> domain_dontaudit_search_all_domains_state(lsassd_t)
> allow lwsmd_t { netlogond_var_lib_t likewise_krb5_ad_t }:file
> read_file_perms;
>
> allow lwsmd_t self:process setpgid;
> allow lwiod_t self:process setrlimit;
> allow lwiod_t self:capability sys_resource;
> ')
>
> mylikewise.fc:
>
> /var/lib/likewise/db/lwi\_events\.db --
> gen_context(system_u:object_r:eventlogd_var_lib_t,s0)
>
> /var/lib/likewise/\.lwsmd-lock --
> gen_context(system_u:object_r:lwsmd_var_lib_t,s0)
>
> to build:
>
> make -f /usr/share/selinux/devel/Makefile mylikewise.pp
>
> to install
>
> sudo semodule -i mylikewise.pp
>
> restore contexts
>
> restorecon -R -v /var/lib/likewise
>
> See if the two paths above have the right type:
>
> ls -alZ /var/lib/likewise/.lwsmd-lock
> ls -alZ /var/lib/likewise/db/lwi_events.db
>
> (also see if , when you remove them, they get created with the right
> type)
>
> If this is fixed then please test the app again. This change may
> introduce some new AVC denials.

I installed the mylikewise policy. Those two files do have the right
type now. After I remove them they do get created with the right type.

After installing the new policy there were some additional AVCs. Here  
they are:

type=AVC msg=audit(1328288896.867:124): avc:  denied  { name_connect }  
for  pid=1803 comm="eventlogd" dest=135  
scontext=system_u:system_r:eventlogd_t:s0  
tcontext=system_u:object_r:epmap_port_t:s0 tclass=tcp_socket

type=AVC msg=audit(1328288705.888:70): avc:  denied  { unlink } for   
pid=1803 comm="eventlogd" name=".eventlog" dev=dm-0 ino=392489  
scontext=system_u:system_r:eventlogd_t:s0  
tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=sock_file

type=AVC msg=audit(1328288542.603:69): avc:  denied  { write } for   
pid=1162 comm="lsassd" name=".eventlog" dev=dm-0 ino=392489  
scontext=system_u:system_r:lsassd_t:s0  
tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=sock_file

type=AVC msg=audit(1328288896.867:124): avc:  denied  { name_connect }  
for  pid=1803 comm="eventlogd" dest=135  
scontext=system_u:system_r:eventlogd_t:s0  
tcontext=system_u:object_r:epmap_port_t:s0 tclass=tcp_socket

type=AVC msg=audit(1328288542.586:68): avc:  denied  { getattr } for   
pid=1161 comm="lsassd" path=2F7661722F6C69622F6C696B65776973652F6B72623563635F6C736173732E55532E41442E47414E4E4554542E434F4D202864656C6574656429  
dev=dm-0 ino=394337 scontext=system_u:system_r:lsassd_t:s0  
tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file

type=AVC msg=audit(1328288542.585:66): avc:  denied  { read write  
open } for  pid=1161 comm="lsassd" name="krb5cc_lsass.AD.DOMAIN"  
dev=dm-0 ino=394337 scontext=system_u:system_r:lsassd_t:s0  
tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file

type=AVC msg=audit(1328288542.586:67): avc:  denied  { unlink } for   
pid=1161 comm="lsassd" name="krb5cc_lsass.AD.DOMAIN" dev=dm-0  
ino=394337 scontext=system_u:system_r:lsassd_t:s0  
tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file

type=AVC msg=audit(1328287031.471:5): avc:  denied  { read } for   
pid=1165 comm="lsassd" name="lsass-adcache.filedb.AD.DOMAIN" dev=dm-0  
ino=395406 scontext=system_u:system_r:lsassd_t:s0  
tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file

type=AVC msg=audit(1328287031.471:5): avc:  denied  { open } for   
pid=1165 comm="lsassd" name="lsass-adcache.filedbAD.DOMAIN" dev=dm-0  
ino=395406 scontext=system_u:system_r:lsassd_t:s0  
tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file

type=AVC msg=audit(1328288893.067:123): avc:  denied  { unlink } for   
pid=1849 comm="lsassd" name="lsass-adcache.filedb.AD.DOMAIN" dev=dm-0  
ino=395406 scontext=system_u:system_r:lsassd_t:s0  
tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file

Thank you,
Maria
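
Added example (not code from the thread or from the Likewise policy): a small Python helper that escapes a literal path for an .fc entry the way the mylikewise.fc above does, shows why an unescaped dot over-matches, and parses AVC records like the ones Maria posted, decoding the hex-encoded path= field that audit emits when a name contains a space. The sample record, the krb5cc_example path and the function names are constructed for this example.

```python
import re

# Metacharacters that must be backslash-escaped when a literal path is put in
# an SELinux file_contexts (.fc) entry: the path column is a regex anchored at
# both ends, so an unescaped "." in lwi_events.db matches any character.
# Underscore is not a metacharacter; "\_" is harmless but unnecessary.
FC_META = set(".^$*+?()[]{}|\\")

def fc_escape(path):
    """Return path with regex metacharacters escaped for an .fc entry."""
    return "".join("\\" + c if c in FC_META else c for c in path)

def fc_line(path, ftype, setype):
    """Render one refpolicy-style .fc line for the given file type flag
    (e.g. "--" for regular files) and SELinux type."""
    return "%s %s gen_context(system_u:object_r:%s,s0)" % (
        fc_escape(path), ftype, setype)

def fc_matches(fc_regex, path):
    """True if an .fc path regex matches path, anchored like the matcher."""
    return re.fullmatch(fc_regex, path) is not None

# audit(8) prints a string field quoted when it is printable and as unquoted
# hex otherwise, which is why the thread shows path=2F7661722F... for a
# deleted file: "/... (deleted)" contains a space.
STRING_FIELDS = ("path", "name", "comm")

def parse_avc(line):
    """Split one 'type=AVC ... avc: denied { perms } for key=val ...' record
    into a dict; perms become a list and hex-encoded strings are decoded."""
    m = re.search(r"denied\s+\{([^}]*)\}", line)
    rec = {"perms": m.group(1).split() if m else []}
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', line):
        if val.startswith('"'):
            val = val[1:-1]
        elif key in STRING_FIELDS and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", val):
            val = bytes.fromhex(val).decode("utf-8", "replace")
        rec[key] = val
    return rec

# Constructed sample record in the shape of the ones in the mail; the path is
# the hex encoding of "/var/lib/likewise/krb5cc_example (deleted)".
SAMPLE = ("type=AVC msg=audit(1328288542.586:68): avc:  denied  { getattr } for  "
          "pid=1161 comm=\"lsassd\" path="
          + "/var/lib/likewise/krb5cc_example (deleted)".encode().hex().upper()
          + " dev=dm-0 ino=394337 scontext=system_u:system_r:lsassd_t:s0 "
          "tcontext=system_u:object_r:likewise_var_lib_t:s0 tclass=file")
```

Grouping parse_avc output by (scontext, tcontext, tclass) gives the same shape audit2allow works from, which makes it easy to spot which of the new denials belong to the same rule.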
