Hi everyone,
it's been a while since I wrote my last policy, but today I gave it a try
and immediately ran into a problem. The target is a user X11
application, so I started with the following TE file, which was basically
generated via selinux-polgengui:
======================================================================
policy_module(foobar, 1.0.0)

attribute_role foobar_roles;
roleattribute system_r foobar_roles;

type foobar_t;
type foobar_exec_t;
application_domain(foobar_t, foobar_exec_t)
role foobar_roles types foobar_t;

# only foobar_t itself is permissive, not the domains that act on it
permissive foobar_t;

optional_policy(`
	gen_require(`
		type unconfined_t;
		role unconfined_r;
	')

	foobar_run(unconfined_t, unconfined_r)
')
======================================================================
The interesting part of the IF file is
======================================================================
interface(`foobar_domtrans',`
	gen_require(`
		type foobar_t, foobar_exec_t;
	')

	corecmd_search_bin($1)
	# $1 executes foobar_exec_t and transitions into foobar_t
	domtrans_pattern($1, foobar_exec_t, foobar_t)
')

interface(`foobar_run',`
	gen_require(`
		type foobar_t;
		attribute_role foobar_roles;
	')

	foobar_domtrans($1)
	roleattribute $2 foobar_roles;
')
======================================================================
Now comes the funny part. If I label the target binary as foobar_exec_t
and execute it (from unconfined_t), then I receive an error message from
the application itself, telling me that the application does not have the
rights to access a resource. However, if I label the target binary as
e.g. usr_t and execute it (again from unconfined_t), then the
application starts as expected and does its job.
This confuses me, since I put foobar_t into permissive mode.
I tried to narrow it down by disabling all dontaudit rules via "semodule
-DB" and allowing everything that was then logged. However, even that
did not help.
As a last try, I labeled the binary as foobar_exec_t again and
enabled the permissive mode *globally*. Then the application starts as
expected.
This is kind of strange to me, since I said that the type foobar_t should
be permissive. I actually expected no change whether I start it as
unconfined_t and transition to foobar_t, or execute it as
unconfined_t directly.
Does someone have a pointer for me?
Cheers,
Stefan
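Added example, not from the original post or from any reply to it: a small POSIX shell helper that reads AVC lines and lists the denials whose *source* domain is not the permissive domain. A `permissive foobar_t;` statement only disables enforcement for accesses that foobar_t itself initiates; another domain acting on a foobar_t process or its objects is still enforced, which is one way a per-domain permissive setup and a globally permissive system can behave differently. The AVC lines, pids, comm values and contexts below are constructed for the demonstration (`avc_field`, `denials_outside_domain` and `count_outside` are names chosen here, not tools on the page).

```shell
#!/bin/sh
# Constructed sample AVC lines in the audit.log layout (values made up for
# illustration). Two denials originate from foobar_t (and show permissive=1),
# two originate from other domains that touch the foobar_t process.
SAMPLE_AVC='type=AVC msg=audit(1.001:1): avc:  denied  { read } for  pid=100 comm="foobar" scontext=unconfined_u:unconfined_r:foobar_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=AVC msg=audit(1.002:2): avc:  denied  { getattr } for  pid=42 comm="Xorg" scontext=system_u:system_r:xserver_t:s0 tcontext=unconfined_u:unconfined_r:foobar_t:s0 tclass=process permissive=0
type=AVC msg=audit(1.003:3): avc:  denied  { write } for  pid=100 comm="foobar" scontext=unconfined_u:unconfined_r:foobar_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1.004:4): avc:  denied  { signal } for  pid=7 comm="dbus-daemon" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=unconfined_u:unconfined_r:foobar_t:s0 tclass=process permissive=0'

# Extract "<name>=<value>" from one AVC line given on stdin ($1 = field name).
avc_field() {
    sed -n "s/.*$1=\([^ ]*\).*/\1/p"
}

# Read AVC lines on stdin and print "source_type target_context perms" for
# every denial whose source type is not $1. These are exactly the accesses a
# "permissive $1;" statement leaves enforced.
denials_outside_domain() {
    dom="$1"
    while IFS= read -r line; do
        case "$line" in
            *"avc:  denied"*) ;;
            *) continue ;;
        esac
        src=$(printf '%s\n' "$line" | avc_field scontext)
        src_type=$(printf '%s\n' "$src" | cut -d: -f3)
        if [ "$src_type" = "$dom" ]; then
            continue
        fi
        tgt=$(printf '%s\n' "$line" | avc_field tcontext)
        perm=$(printf '%s\n' "$line" | sed -n 's/.*{ \([^}]*\) }.*/\1/p')
        printf '%s %s %s\n' "$src_type" "$tgt" "$perm"
    done
}

# Number of denials in the constructed sample that the permissive domain $1
# does not cover.
count_outside() {
    printf '%s\n' "$SAMPLE_AVC" | denials_outside_domain "$1" | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | denials_outside_domain foobar_t
```

On a real machine the same function can be fed from the audit log, e.g. `ausearch -m AVC -ts recent | denials_outside_domain foobar_t`; with `semodule -DB` active, the list also includes denials that are normally dontaudited. An empty list means every logged denial came from foobar_t itself, and the difference to global permissive mode has to be looked for elsewhere.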