Re: Selfmade policy not getting enforced on Fedora9

Hey guys, As you might guess, I've a problem with my SELinux-policy under Fedora 9. I created a little test application 'demo' which reads some text from stdin and writes it in a config file /etc/hackbar/config.txt. Afterwarts, I developed a policy with types demo_t, demo_exec_t und demo_etc_t and allowed demo_exec_to to read/write demo_etc_t. Everything's fine. For testing purposes I changed /etc/hackbar/config.txt to type etc_t which demo_exec_t shouldn't be able to access as there doesn't exist an allow demo_exec_t r/w etc_t. [stefan@localhost policy]$ ls -Z /usr/local/bin/demo -rwsr-sr-x root root system_u:object_r:demo_exec_t:s0 /usr/local/bin/demo [stefan@localhost policy]$ ls -Z /etc/hackbar/config.txt -rwxr-xr-x root root system_u:object_r:etc_t:s0 /etc/hackbar/config.txt Again I ran the application but it is still allowed to change that file?! [stefan@localhost policy]$ /usr/local/bin/demo Enter text: foobar Read from file: foobar Regarding to standard UNIX permissions access should be granted as the demo-app has suid set, but shouldn't SELinux permitt access anyway in this case? SELinux is in enforcing mode. [stefan@localhost policy]$ /usr/sbin/sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: enforcing Mode from config file: enforcing Policy version: 22 Policy from config file: targeted I'm rather confused... best regards, Stefan ------------------------------------------------------------------------ -- fedora-selinux-list mailing list fedora-selinux-list(a)redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list