On Thu, 2009-07-30 at 12:04 +0800, Cliffe wrote:
> Dear SELinux Gurus,
> I am a PhD candidate conducting research into the usability of
> security mechanisms. I would really appreciate some help regarding the
> use of SELinux. Let me know if this is not the right place to be
> asking these types of questions.
> I generated a policy for opera using polgengui. I then ran the
> Although SELinux was still set to enforcing mode, opera seemed to run
> unconfined. The executable and process were labelled as expected
> (unconfined_u:unconfined_r:opera_t). AVCs were generated, but not
> I added to opera.te using
> grep opera /var/log/audit/audit.log | audit2allow >> opera.te
> and reran ./opera.sh
> until no AVCs were generated.
> Looking at opera.te I noticed the line "permissive opera_t", and not
> knowing exactly what this line does, I thought it may be placing this
> domain into permissive mode (although the gui tools suggest
> otherwise). Removing the line causes "/bin/sh: /usr/bin/opera:
> Permission denied". No AVCs are generated.
Yes, permissive opera_t makes opera_t a permissive domain indeed.
To expose any possible hidden denials run: semodule -DB
To hide them again: semodule -B
> So I am not sure why opera seems to be unconfined, or if removing the
> permissive line was on the right track. Any advice?
> Also I tried creating a policy for kwrite. This time the created
> policy seemed to be in effect as soon as I ran the kwrite.sh script. I
> set setenforce 0 and added to kwrite.te (as above for opera) until no
> error msgs were generated. Then I reran ./kwrite.sh. Now kwrite exits
> with "kwrite(2533): Couldn't register name
> 'org.kate-editor.kwrite-2533' with DBUS - another process owns it
> already!". With setenforce 0 it runs without AVCs.
This is probably a DBUS issue. DBUS is a SELinux object manager. This
means that DBUS itself provides classes and permissions for some of its
objects. DBUS also enforces policy for these objects.
DBUS logs some user avc denials in audit.log (ausearch -m user_avc -ts
today | grep dbus)
DBUS also logs some denials in /var/log/messages.
> Again I am sure I am missing something simple and your advice will
> help a lot.
> I need to resolve this asap and will really appreciate any advice.
> Soon I will be running a comparative study comparing a number of
> security mechanisms and I need to sort this out.
On an unrelated note:
I recently created an extensive series of screencasts showing how to
confine a GUI app with SELinux (google-gadgets)
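As an added illustration (not part of this thread, and not a tool from the SELinux project), the script below triages constructed audit.log records of the two kinds discussed above: kernel AVCs, which carry permissive=1 when the source domain is a permissive domain such as opera_t with the "permissive opera_t" line, so the denial was logged but never enforced; and USER_AVC records written by dbus-daemon as a userspace object manager in its own dbus class, which `grep opera audit.log` style triage misses and `ausearch -m user_avc` finds. The log lines, PIDs and contexts are made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not taken from the thread): two kernel AVCs
# for opera_t logged while that domain is permissive, and one USER_AVC that
# dbus-daemon (the D-Bus object manager) logged for kwrite_t in the dbus class.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1248926641.123:201): avc:  denied  { read } for  pid=2411 comm="opera" name="resolv.conf" dev=dm-0 ino=1234 scontext=unconfined_u:unconfined_r:opera_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1248926641.130:202): avc:  denied  { name_connect } for  pid=2411 comm="opera" dest=80 scontext=unconfined_u:unconfined_r:opera_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1
type=USER_AVC msg=audit(1248926700.500:240): pid=1611 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { acquire_svc } for service=org.kate-editor.kwrite-2533 spid=2533 scontext=unconfined_u:unconfined_r:kwrite_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=dbus  exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
"""

AVC_RE = re.compile(
    r"type=(?P<type>AVC|USER_AVC)\b.*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<sctx>\S+).*?tcontext=\S+.*?tclass=(?P<tclass>\S+)")
PERMISSIVE_RE = re.compile(r"\bpermissive=(?P<flag>[01])")

def parse_denials(log_text):
    """One dict per denial; 'enforced' is None when permissive= is absent (older kernels, USER_AVC)."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        p = PERMISSIVE_RE.search(line)
        denials.append({
            "manager": "kernel" if m.group("type") == "AVC" else "userspace (dbus)",
            "sdomain": m.group("sctx").split(":")[2],       # source type, e.g. opera_t
            "tclass": m.group("tclass"),
            "perms": sorted(m.group("perms").split()),
            "enforced": None if p is None else p.group("flag") == "0",
        })
    return denials

def summarize(denials):
    """Per source domain: denials enforced vs. merely logged, plus refused dbus-class permissions."""
    report = defaultdict(lambda: {"enforced": 0, "logged_only": 0, "unknown": 0, "dbus": []})
    for d in denials:
        e = report[d["sdomain"]]
        e["unknown" if d["enforced"] is None else "enforced" if d["enforced"] else "logged_only"] += 1
        if d["tclass"] == "dbus":            # decided by dbus-daemon, not the kernel
            e["dbus"].extend(d["perms"])
    return dict(report)

def likely_permissive_domains(report):
    """Domains whose denials were only logged, never enforced: the footprint of a 'permissive X' line."""
    return sorted(dom for dom, e in report.items() if e["logged_only"] and not e["enforced"])
```

Denials hidden by dontaudit rules never reach the log at all, so a domain with no records but a "Permission denied" still needs `semodule -DB` before this kind of triage says anything.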
fedora-selinux-list mailing list