Re: using an interface defined in another loaded module
by SZIGETVÁRI János
Dear Gary,
Thanks a zillion times for your help; the policy build works fine now that I
have copied the .if file of the submodule to the directory you mentioned!
I did not know I was required to copy the module's interface file to
SELinux's include dirs to make it available for other modules to use.
BTW, I was building my module from within my "policy builder and installer"
script using the "traditional" way of:
# make -f /usr/share/selinux/devel/Makefile A.pp
Now the build process works, thanks to your suggestion!
Best Regards,
János
--
Janos SZIGETVARI
RHCE, License no. 150-053-692
<https://www.redhat.com/rhtapps/verify/?certId=150-053-692>
LinkedIn: linkedin.com/in/janosszigetvari
E-mail: janos(a)szigetvari.com, jszigetvari(a)gmail.com
Phone: +36209440412 (Hungary)
__@__˚V˚
Make the switch to open (source) applications, protocols, formats now:
- windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice
- msn -> jabber protocol (Pidgin, Google Talk)
- mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp
Gary Tierney <gary.tierney(a)gmx.com> wrote (on Wed, 3 Apr 2019, 17:14):
> On Wed, Apr 03, 2019 at 10:34:08AM +0200, SZIGETVÁRI János wrote:
> >Could anyone please give me some insight on this?
> >
> >Thanks a lot!
> >
>
> Hi,
>
> How are you building and installing your policy modules? The interface
> definitions (.if files) aren't preserved in the compiled policy package,
> so are typically kept elsewhere. On Fedora this is under
> /usr/share/selinux/devel/include and its associated subdirectories
> (which are recursively walked to find .if files when building policy
> using the refpolicy framework, i.e., the selinux-policy-devel package).
>
> So it should be as simple as copying your .if files to:
> /usr/share/selinux/devel/include (though the "services" subdir is likely
> more appropriate).
>
> Thanks,
> Gary.
>
> >Best Regards,
> >János Szigetvári
> >
> >SZIGETVÁRI János <jszigetvari(a)gmail.com> wrote (on Sun, 31 Mar 2019, 13:47):
> >
> >> ... snip ...
> >_______________________________________________
> >selinux mailing list -- selinux(a)lists.fedoraproject.org
> >To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
> >Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> >List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> >List Archives:
> https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
>
>
Converting the filetrans_pattern interface into a CIL macro
by Daniel Skip
Hello all. I have been playing with CIL on SELinux and have run into a problem trying to convert the filetrans_pattern interface into a CIL macro.
The filetrans_pattern is as follows:
define(`filetrans_pattern',`
allow $1 $2:dir rw_dir_perms;
type_transition $1 $2:$4 $3 $5;
')
I converted that into a CIL macro like so:
(macro filetrans_pattern ((type ARG1)(type ARG2)(type ARG3)(class ARG4)(name ARG5))
    (allow ARG1 ARG2 (dirs (rw)))
    (typetransition ARG1 ARG2 ARG4 ARG3 ARG5))
So far so good. The issue is when I try to call the macro: it says I am missing an argument and the .cil policy won't build. Here is my call statement:
(call filetrans_pattern (example_t example_tmp_t dir))
I want it so that whenever I run my process type of example_t it will transition into the example_tmp_t and store any tmp files inside of my newly created example_tmp_t directory. I know I'm missing something but can't figure out what. Let me know what you think. Thanks!
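An added example, not from the post: it parses the macro and its calls as CIL s-expressions and reports the arity mismatch behind the "missing argument" error. The constructed sample carries the 3-argument call from the post next to a 5-argument one, and writes the typetransition operands in CIL's (source target class name default) order, which differs from refpolicy's `$1 $2:$4 $3 $5` form; tmp_t, the object name "example" and the dir permission set are assumptions.

```python
"""Check CIL macro calls for arity mismatches (added example, not from the post)."""
import re

# Constructed CIL text: the macro with the typetransition operands in CIL's
# (source target class name default) order, the 3-argument call from the post,
# and a 5-argument call that matches the parameter list. tmp_t and the object
# name "example" are assumed for illustration.
SAMPLE_CIL = """
(macro filetrans_pattern ((type ARG1)(type ARG2)(type ARG3)(class ARG4)(name ARG5))
    (allow ARG1 ARG2 (dir (read write search add_name remove_name)))
    (typetransition ARG1 ARG2 ARG4 ARG5 ARG3))
(call filetrans_pattern (example_t example_tmp_t dir))                 ; 3 args
(call filetrans_pattern (example_t tmp_t example_tmp_t dir "example")) ; 5 args
"""

def parse(text):
    """Parse CIL s-expressions into nested lists; ';' comments are dropped."""
    text = re.sub(r";[^\n]*", "", text)
    tokens = re.findall(r'\(|\)|"[^"]*"|[^\s()]+', text)
    stack, cur = [], []
    for tok in tokens:
        if tok == "(":
            stack.append(cur)
            cur = []
        elif tok == ")":
            done, cur = cur, stack.pop()
            cur.append(done)
        else:
            cur.append(tok)
    return cur

def check_calls(text):
    """Return (macro, given, declared) for every call whose argument count is wrong."""
    declared, problems = {}, []
    for node in parse(text):
        if not isinstance(node, list) or not node:
            continue
        if node[0] == "macro":
            declared[node[1]] = [kind for kind, _ in node[2]]
        elif node[0] == "call":
            want = declared.get(node[1])
            if want is not None and len(node[2]) != len(want):
                problems.append((node[1], len(node[2]), len(want)))
    return problems

if __name__ == "__main__":
    for name, got, want in check_calls(SAMPLE_CIL):
        print(f"(call {name} ...) passes {got} argument(s); the macro declares {want}")
```

The five parameters are the creating domain, the directory type it creates in, the type the new object gets, the object class and the object name, so a call needs all five.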
init_t translation
by Louis Garcia
I am new to compiling SELinux policy modules. When I sesearch for source
domain init_t for httpd_sys_content_t I get 5 replies:
$ sesearch -T -s init_t -t httpd_sys_content_t
type_transition init_t httpd_sys_content_t:dir httpd_sys_rw_content_t "smarty";
type_transition init_t httpd_sys_content_t:dir httpd_sys_rw_content_t "upgrade";
type_transition init_t httpd_sys_content_t:dir httpd_sys_rw_content_t "uploads";
type_transition init_t httpd_sys_content_t:dir httpd_sys_rw_content_t "wp-content";
type_transition init_t httpd_sys_content_t:file httpd_sys_rw_content_t "settings.php";
If I read this correctly, init_t has access to 4 directories: smarty,
upgrade, uploads and wp-content, and one file, settings.php.
I created a systemd service file running as a timer. The service just
executes a script. SELinux denies with these errors:
type=AVC msg=audit(1570329687.437:218): avc: denied { execute } for
pid=1079 comm="(index.sh)" name="make_index.sh" dev="md127"
ino=4295130138 scontext=system_u:system_r:init_t:s0
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
permissive=1
type=AVC msg=audit(1570329687.437:219): avc: denied { read open }
for pid=1079 comm="(index.sh)"
path="/srv/www/sites/linux.montclaire.lan/make_index.sh" dev="md127"
ino=4295130138 scontext=system_u:system_r:init_t:s0
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
permissive=1
type=AVC msg=audit(1570329687.437:220): avc: denied {
execute_no_trans } for pid=1079 comm="(index.sh)"
path="/srv/www/sites/linux.montclaire.lan/make_index.sh" dev="md127"
ino=4295130138 scontext=system_u:system_r:init_t:s0
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
permissive=1
type=AVC msg=audit(1570329687.450:221): avc: denied { ioctl } for
pid=1079 comm="make_index.sh"
path="/srv/www/sites/linux.montclaire.lan/make_index.sh" dev="md127"
ino=4295130138 ioctlcmd=0x5401 scontext=system_u:system_r:init_t:s0
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
permissive=1
type=AVC msg=audit(1570329691.303:222): avc: denied { create } for
pid=1081 comm="make_index.sh" name="index.html"
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
permissive=1
type=AVC msg=audit(1570329691.322:223): avc: denied { write } for
pid=1081 comm="make_index.sh" name="index.html" dev="md127"
ino=4295112722 scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
permissive=1
type=AVC msg=audit(1570329691.322:224): avc: denied { open } for
pid=1081 comm="make_index.sh"
path="/srv/www/sites/linux.montclaire.lan/index.html" dev="md127"
ino=4295112722 scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
permissive=1
type=AVC msg=audit(1570329691.322:225): avc: denied { append } for
pid=1081 comm="make_index.sh" name="index.html" dev="md127"
ino=4295112722 scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
permissive=1
How can I create a type transition that says the following; is this correct?
type_transition init_t httpd_sys_content_t:file httpd_sys_rw_content_t "make_index.sh";
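An added example, not from the post: it parses AVC denial records like the ones above and groups them into the access vector they request, the way a reviewer would before deciding what to allow. The sample lines are four of the post's records rejoined onto single lines; nothing else is assumed.

```python
"""Aggregate AVC denials into the access vectors they request (added example)."""
import re
from collections import defaultdict

# Constructed sample: four of the denial records from the post, each rejoined
# onto a single line the way ausearch prints them.
SAMPLE_AVC = """
type=AVC msg=audit(1570329687.437:218): avc: denied { execute } for pid=1079 comm="(index.sh)" name="make_index.sh" dev="md127" ino=4295130138 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570329687.437:219): avc: denied { read open } for pid=1079 comm="(index.sh)" path="/srv/www/sites/linux.montclaire.lan/make_index.sh" dev="md127" ino=4295130138 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570329687.437:220): avc: denied { execute_no_trans } for pid=1079 comm="(index.sh)" path="/srv/www/sites/linux.montclaire.lan/make_index.sh" dev="md127" ino=4295130138 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570329691.303:222): avc: denied { create } for pid=1081 comm="make_index.sh" name="index.html" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
"""

def parse_avc(line):
    """Return (source type, target type, class, perms) for one denial, else None."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    if not m or not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    # A context is user:role:type:level; only the type matters for the rule.
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    return stype, ttype, fields["tclass"], frozenset(m.group(1).split())

def requested_access(text):
    """Map (source type, target type, class) -> union of the denied permissions."""
    vectors = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            vectors[rec[:3]] |= rec[3]
    return dict(vectors)

def as_te_rules(vectors):
    """Render each vector as the refpolicy allow rule the denials are asking for."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(vectors.items())]

if __name__ == "__main__":
    for rule in as_te_rules(requested_access(SAMPLE_AVC)):
        print(rule)
```

Every record is init_t acting on an httpd_sys_content_t file, so what the denials ask for is an allow rule; a type_transition like the one proposed above only decides the label of a file init_t creates under that name and grants no permission by itself.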