error :: chrome's global requirements were not met
by Adrian Sevcenco
Hi! I am trying to add a policy for chrome to allow read access for stuff
from LD_LIBRARY_PATH,
and I did this:
[root@sev selinux]# cat chrome.audit | audit2allow -M chrome
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i chrome.pp
[root@sev selinux]# semodule -i chrome.pp
libsepol.print_missing_requirements: chrome's global requirements were
not met: type/attribute chrome_sandbox_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or
directory).
semodule: Failed!
with this:
[root@sev selinux]# cat chrome.audit
type=AVC msg=audit(1297435306.238:20321): avc: denied { read } for
pid=22631 comm="chrome" name="clhep" dev=sda5 ino=8195388
scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1297435306.238:20321): arch=c000003e syscall=2
success=no exit=-2 a0=7fffb3534570 a1=0 a2=0 a3=2f7065686c632f70 items=0
ppid=0 pid=22631 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 tty=(none) ses=7 comm="chrome"
exe="/opt/google/chrome/chrome"
subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
The symlink in question has these properties:
adrian@sev: ~ $ ls -lZ /home/physics-tools/clhep/clhep
lrwxrwxrwx. adrian adrian unconfined_u:object_r:user_home_t:SystemLow
/home/physics-tools/clhep/clhep -> /home/physics-tools/clhep/2.1.0.0/
Does anybody have any idea about the problem?
Thanks!
Adrian
13 years, 2 months
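An added example, not part of the original post and not audit2allow's own code: Python that parses the AVC record quoted in the post above and renders module source in the general shape `audit2allow -M` writes, showing that the generated module carries a `require` block naming `chrome_sandbox_t`, the type the semodule error reports as an unmet requirement. The function names `parse_avc` and `module_source` are hypothetical.

```python
import re

# AVC record from the post above, rejoined onto one line (mail wrapping removed).
AVC = (
    'type=AVC msg=audit(1297435306.238:20321): avc: denied { read } for '
    'pid=22631 comm="chrome" name="clhep" dev=sda5 ino=8195388 '
    'scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')


def parse_avc(line):
    """Return source type, target type, class and permissions of a denial."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError('not an AVC denial record')
    # key=value tokens after "for"; values in this record contain no spaces.
    fields = dict(kv.split('=', 1) for kv in m.group('rest').split() if '=' in kv)
    # A context is user:role:type:level; the level may itself contain ':'.
    stype = fields['scontext'].split(':')[2]
    ttype = fields['tcontext'].split(':')[2]
    return {'source': stype, 'target': ttype,
            'tclass': fields['tclass'], 'perms': m.group('perms').split()}


def module_source(name, avc):
    """Render module source in the general shape audit2allow -M writes to <name>.te."""
    perms = ' '.join(avc['perms'])
    types = sorted({avc['source'], avc['target']})
    # Everything the allow rule refers to must be declared in the require block.
    lines = [f'module {name} 1.0;', '', 'require {']
    lines += [f'\ttype {t};' for t in types]
    lines += [f'\tclass {avc["tclass"]} {{ {perms} }};', '}', '']
    lines.append(
        f'allow {avc["source"]} {avc["target"]}:{avc["tclass"]} {{ {perms} }};')
    return '\n'.join(lines)


if __name__ == '__main__':
    print(module_source('chrome', parse_avc(AVC)))
```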
chrome access of high energy physics library
by Adrian Sevcenco
Anyone have any idea why this is happening?
"SELinux is preventing /opt/google/chrome/chrome from read access on the
lnk_file /home/physics-tools/clhep/clhep"
Additional Information:
Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:SystemLow-SystemHigh
Target Context                unconfined_u:object_r:user_home_t:SystemLow
Target Objects                /home/physics-tools/clhep/clhep [ lnk_file ]
Source                        chrome
Source Path                   /opt/google/chrome/chrome
Source RPM Packages           google-chrome-stable-9.0.597.94-73967
Target RPM Packages
Policy RPM                    selinux-policy-3.9.7-29.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
[root@sev ~]# uname -a
Linux myhost.ro 2.6.35.10-74.fc14.x86_64 #1 SMP Thu Dec 23 16:04:50 UTC
2010 x86_64 x86_64 x86_64 GNU/Linux
13 years, 2 months
Need help restricting root access to a file or directory.
by DJ Goldfingerz
Hello all,
Let me start by saying I'm new to SELinux and writing policies. Let me
explain what I'm trying to do.
I've set up 2 copies of /bin/bash for user1 and user2:
-rwxr-xr-x 1 root root 801512 Oct 21 2008 /bin/bash
-r-sr-s---+ 1 root root 801512 Oct 21 2008 /bin/bash1
-r-sr-s---+ 1 root root 801512 Oct 21 2008 /bin/bash2
Both bash1 and bash2 have ACLs to restrict their access:
# file: bin/bash1
# owner: root
# group: root
user::r-x
group::r-x
group:user1:r-x
mask::r-x
other::---
# file: bin/bash2
# owner: root
# group: root
user::r-x
group::r-x
group:user2:r-x
mask::r-x
other::---
Now what I was hoping to do was to use SELinux to limit which files and
folders user1 and user2 could read, write, execute and delete. In this
example I'd like to write a simple policy that would limit read access to
user1 on folder /mydir/test but user2 could read and write to any files in
the folder.
My ultimate goal is to use SELinux for doing RBAC (role-based access
control). I'm using this example as an easy starting point for me to learn
how to use SELinux to control user access when those users have root access.
Thank you.
13 years, 2 months
AVC report from command line
by vishesh kumar
I am new to SELinux. Can anyone guide me on how to view the AVC report from
the command line in Fedora? I am accessing my server through SSH and I
have no graphical interface to work with.
--
http://linuxmantra.com
13 years, 2 months