I only want to give permissions for the files that are used. The Java application is a server that might be compromised, so if an attacker gains permission to run arbitrary code or to read arbitrary files, the usr_t type files can provide information about the system, so I think it is not recommendable to grant access to all usr_t type files.<br>
<br><div class="gmail_quote">2010/7/15 Dominick Grift <span dir="ltr"><<a href="mailto:domg472@gmail.com">domg472@gmail.com</a>></span><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="im">On Thu, Jul 15, 2010 at 12:10:18PM +0200, giovanni testing wrote:<br>
> Hi,<br>
><br>
> I've fixed it (thanks to "/sbin/ausearch -i | grep nano | grep avc"), and<br>
> the allow lines needed are:<br>
><br>
> allow MyPolicy_t bin_t:file entrypoint;<br>
> allow MyPolicy_t usr_t:file { read open };<br>
<br>
</div>corecmd_bin_entry_type(MyPolicy_t)<br>
files_read_usr_files(MyPolicy_t)<br>
<div class="im"><br>
><br>
> I think that the second one is not appropriate, because MyPolicy can now<br>
> access every "usr_t" file (but it only needs to access<br>
> "/usr/share/terminfo/x/xterm").<br>
<br>
</div>What is the problem with it? Do you have any special reason for not wanting to allow it to read usr_t files?<br>
<div class="im"><br>
> To fix that, I'm thinking of a solution that I don't know is possible:<br>
> label the file "/usr/share/terminfo/x/xterm" with "xterm_t" instead of<br>
> "usr_t", but maybe it can block other applications from using<br>
> "/usr/share/terminfo/x/xterm", so the "xterm_t" needs to be equivalent to<br>
> "usr_t". To do it I'm thinking of using an alias, but if it is bidirectional it<br>
> will be insecure again. As these lines can seem a bit confusing, here is a<br>
> little scheme:<br>
><br>
> I need:<br>
> - "MyPolicy_t" can use "xterm_t"<br>
> - "MyPolicy_t" cannot "usr_t"<br>
> - Other policies continue being able to use "/usr/share/terminfo/x/xterm"<br>
> while they allow use "usr_t" and they have not specified to allow "xterm_t".<br>
><br>
> So access to "usr_t" needs to give access to "xterm_t", but<br>
> access to "xterm_t" does not need to give access to "usr_t" (this is<br>
> what I mean when I say it does not need to be bidirectional). Maybe it can be done this<br>
> way (putting the following lines instead of the two before):<br>
><br>
> allow MyPolicy_t bin_t:file entrypoint;<br>
> allow usr_t xterm_t:file manage_file_perms;<br>
> allow MyPolicy_t xterm_t:file { read open };<br>
<br>
</div>usr_t is a file type. File types cannot be the source of an interaction.<br>
<br>
Again, what security benefit does labeling /usr/share/terminfo/x/xterm type xterm_t provide? What is so important that you do not want MyPolicy_t to be able to read files with type etc_t?<br>
<br>
If you really want to do it then just label it that type and give everything that needs to be able to interact with it the permissions they need.<br>
<div class="im"><br>
> 2010/7/14 Stephen Smalley <<a href="mailto:sds@tycho.nsa.gov">sds@tycho.nsa.gov</a>><br>
><br>
> > On Wed, 2010-07-14 at 17:47 +0200, giovanni testing wrote:<br>
> > > Thank you for replying so fast.<br>
> > ><br>
> > > I'm trying runcon but it throws "Permission denied" and no AVC appears (I<br>
> > > don't know how to fix it).<br>
> > ><br>
> > > This happens when applying the command "runcon -t MyPolicy_t<br>
> > > nano" (nano is executed to make it easier to probe the file<br>
> > > permissions of the policy (try to open files of MyPolicy and verify<br>
> > > that they are read only, read and write or not accessible)).<br>
> > ><br>
> > > What should I do to fix it?<br>
> ><br>
> > Post your .te file.<br>
> > Also, run:<br>
> > /sbin/ausearch -i | grep nano<br>
> ><br>
> > --<br>
> > Stephen Smalley<br>
> > National Security Agency<br>
> ><br>
> ><br>
<br>
</div><div><div></div><div class="h5">> --<br>
> selinux mailing list<br>
> <a href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a><br>
> <a href="https://admin.fedoraproject.org/mailman/listinfo/selinux" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/selinux</a><br>
<br>
</div></div></blockquote></div><br>