getting myapp to exec /sbin/swapon
by Brian Ginn
I am attempting to get myapp to exec /sbin/swapon.
audit2allow says I need:
allow myapp_t fixed_disk_device_t:blk_file { read write };
This compiles, but semodule won't install it:
[root@domingo ~]# semodule -i /nethome/user/bginn/src/pb6/pb/selinux/myapp.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow myapp_t fixed_disk_device_t:blk_file { write };
libsepol.check_assertion_helper: assertion on line 0 violated by allow myapp_t fixed_disk_device_t:blk_file { read };
libsepol.check_assertions: 2 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
[root@domingo ~]#
I don't see any constraint, or class permission that would affect this.
I do see that modules/kernel/storage.te contains:
neverallow ~{ fixed_disk_raw_read storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } read;
neverallow ~{ fixed_disk_raw_write storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } { append write };
Could these be causing my problem?
Is there a domain transition or other policy that would allow myapp to exec /sbin/swapon?
Thanks,
Brian
14 years, 10 months
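The assertion failure in the message above, modeled as an added example (not part of the original post and not libsepol's own code): it evaluates the two neverallow rules quoted from storage.te against the audit2allow rule and shows how the `~{ ... }` complement set decides whether myapp_t is caught. The function names, the `attrs` mapping and the simplified rule grammar are assumptions made for this sketch.

```python
import re

# Rules copied from the post: the two storage.te assertions and the audit2allow output.
NEVERALLOWS = [
    "neverallow ~{ fixed_disk_raw_read storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } read;",
    "neverallow ~{ fixed_disk_raw_write storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } { append write };",
]
ALLOW = "allow myapp_t fixed_disk_device_t:blk_file { read write };"

RULE = re.compile(r"(\w+)\s+(~?)(\{[^}]*\}|\w+)\s+(\w+):(\{[^}]*\}|\w+)\s+(\{[^}]*\}|\w+);")

def names(text):
    """Return the identifiers in 'a' or '{ a b }' as a set."""
    return set(re.findall(r"\w+", text))

def parse(rule):
    """Split 'kind [~]src tgt:classes perms;' into parts (simplified grammar)."""
    kind, neg, src, tgt, classes, perms = RULE.match(rule).groups()
    return {"kind": kind, "negated": bool(neg), "src": names(src),
            "tgt": tgt, "classes": names(classes), "perms": names(perms)}

def violations(allow_rule, neverallows, attrs):
    """List the (class, perm) pairs of allow_rule that a neverallow forbids.

    attrs maps a type name to the set of attributes it carries (hypothetical
    stand-in for the typeattribute statements in a compiled policy).
    """
    a = parse(allow_rule)
    (src_type,) = a["src"]
    identity = {src_type} | attrs.get(src_type, set())
    hits = set()
    for text in neverallows:
        n = parse(text)
        listed = bool(identity & n["src"])
        # '~{ X Y }' means every type that is NOT in X or Y.
        src_matches = (not listed) if n["negated"] else listed
        if src_matches and n["tgt"] == a["tgt"]:
            hits |= {(c, p) for c in a["classes"] & n["classes"]
                     for p in a["perms"] & n["perms"]}
    return sorted(hits)

if __name__ == "__main__":
    # myapp_t with no storage attributes: both permissions are rejected.
    print(violations(ALLOW, NEVERALLOWS, {}))
    # myapp_t carrying only the read attribute: write is still rejected.
    print(violations(ALLOW, NEVERALLOWS, {"myapp_t": {"fixed_disk_raw_read"}}))
```

With no attributes on myapp_t the sketch reports the same two violations (read and write on blk_file) that libsepol prints. In the reference policy the exempting attributes are assigned by the storage_raw_read_fixed_disk() and storage_raw_write_fixed_disk() interfaces rather than by a bare allow rule.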
policy to allow myapp to exec chfn
by Brian Ginn
I have an app which runs from xinetd in the myapp_t domain:
system_u:system_r:myapp_t
I am attempting to get myapp to exec the chfn program;
however, it reports:
chfn: system_u:system_r:myapp_t:SystemLow-SystemHigh is not authorized to change the finger info of test5
I have tried these macros from the reference policy:
usermanage_run_chfn(myapp_t,system_r,devpts_t )
type myapp_devpts_t;
type myapp_tty_device_t;
userdom_change_password_template(myapp)
usermanage_run_chfn(myapp_t,system_r,{ myapp_devpts_t myapp_tty_device_t })
but things still don't work.
SELinux is not reporting denials in audit.log, presumably because
chfn calls security_compute_av() and reports the "denial" itself.
Is there policy I can write that will allow myapp to exec chfn?
Thanks,
Brian
14 years, 10 months