Re: problems confining a process

No, but you could add the following to the .te file: gen_require(` type unconfined_t; role unconfined_r; ') CZtp_role(unconfined_r, unconfined_t) .. Instead of what i suggested in my previous reply. Both methods should make the domain transition happen. On Sat, 2011-07-23 at 21:03 +0200, Michael Atighetchi wrote: > One more point. Here is the .if file that sepolgen generated (see below > between {{{ and }}}). > Should I manually add the gen_requie and domatrans_pattern lines you > suggested to that policy ? > > Michael > > {{{ > > ##<summary>policy for CZtp</summary> > > > ######################################## > ##<summary> > ## Execute a domain transition to run CZtp. > ##</summary> > ##<param name="domain"> > ##<summary> > ## Domain allowed access. > ##</summary> > ##</param> > # > interface(`CZtp_domtrans',` > gen_require(` > type CZtp_t, CZtp_exec_t; > ') > > domtrans_pattern($1, CZtp_exec_t, CZtp_t) > ') > > > ######################################## > ##<summary> > ## Execute CZtp in the CZtp domain, and > ## allow the specified role the CZtp domain. > ##</summary> > ##<param name="domain"> > ##<summary> > ## Domain allowed access > ##</summary> > ##</param> > ##<param name="role"> > ##<summary> > ## The role to be allowed the CZtp domain. > ##</summary> > ##</param> > # > interface(`CZtp_run',` > gen_require(` > type CZtp_t; > ') > > CZtp_domtrans($1) > role $2 types CZtp_t; > ') > > ######################################## > ##<summary> > ## Role access for CZtp > ##</summary> > ##<param name="role"> > ##<summary> > ## Role allowed access > ##</summary> > ##</param> > ##<param name="domain"> > ##<summary> > ## User domain for the role > ##</summary> > ##</param> > # > interface(`CZtp_role',` > gen_require(` > type CZtp_t; > ') > > role $1 types CZtp_t; > > CZtp_domtrans($2) > > ps_process_pattern($2, CZtp_t) > allow $2 CZtp_t:process signal; > ') > > }}} > > > > On 7/23/2011 8:43 PM, Dominick Grift wrote: >> You are probably missing a domain type transition. >> >> running the following command you can see if unconfined_t has a domain >> type transition defined when it runs executable files with type >> CZtp_exec_t: >> >> sesearch -SCT --allow -s unconfined_t -t CZtp_exec_t >> >> if none is specified then you must specify that your calling domain >> unconfined_t, domain type transitions to CZtp_t when a file with type >> CZtp_exec_t is executed. >> >> You will also need to allow the unconfined_r role the CZtp_t domain. >> >> After that you may want to allow unconfined_t to interact with CZtp_t in >> other ways as well but at least by then the type transition should >> happen. >> >> The policy: >> >> gen_require(` type unconfined_t, CZtp_exec_t, CZtp_t; role unconfined_r; >> ') >> domtrans_pattern(unconfined_t, CZtp_exec_t, CZtp_t) >> role unconfined_r types CZtp_t; >> >> >> On Sat, 2011-07-23 at 20:32 +0200, Michael Atighetchi wrote: >>> Hi, >>> >>> I'm trying to create a new policy for a constrained process (started by >>> an unconstrainted user) and am stuck trying to get the process started >>> in the right context. >>> >>> Here are the steps I followed: >>> >>> 0. confirm SELinux status >>> [proxyuser@lime ~]$ sestatus >>> SELinux status: enabled >>> SELinuxfs mount: /selinux >>> Current mode: permissive >>> Mode from config file: permissive >>> Policy version: 24 >>> Policy from config file: targeted >>> >>> [proxyuser@lime ~]$ cat /etc/redhat-release >>> Fedora release 14 (Laughlin) >>> >>> [proxyuser@lime cz]$ id -Z >>> unconfined_u:unconfined_r:unconfined_t:s0 >>> >>> 1. create policy via >>> >>> sepolgen -t 3 /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp >>> >>> Note that CZtp is a shell script which in turn calls the JVM. >>> >>> [proxyuser@lime cz]$ sudo ./CZtp.sh >>> Building and Loading Policy >>> + make -f /usr/share/selinux/devel/Makefile >>> make: Nothing to be done for `all'. >>> + /usr/sbin/semodule -i CZtp.pp >>> + /sbin/restorecon -F -R -v >>> /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp >>> /sbin/restorecon reset >>> /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp context >>> system_u:system_r:CZtp_exec_t:s0->system_u:object_r:CZtp_exec_t:s0 >>> >>> 2. Verify that the the CZtp file is labeled properly: >>> [proxyuser@lime cz]$ ls -lZ >>> /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp >>> -rwxr-xr-x. proxyuser proxyuser system_u:object_r:CZtp_exec_t:s0 >>> /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp >>> >>> 3. start process >>> [proxyuser@lime cz]$ cd /home/proxyuser/trunk/aps-base/crumple-zone/target/ >>> [proxyuser@lime target]$ ./CZtp >>> >>> 4. Verify process context >>> [proxyuser@lime ~]$ ps -efZ | grep -v grep | grep CZtp >>> unconfined_u:unconfined_r:unconfined_t:s0 501 5789 5734 0 14:22 pts/0 >>> 00:00:00 /bin/sh ./CZtp >>> >>> >>> Note that the process shows up as unconfined_t, although it was labeled >>> with CZtp_exec_t. >>> >>> What am I missing? >>> >>> >>> >>> 4. check process context >>> >