On Fri, 2011-09-23 at 12:55 +0200, Michael Atighetchi wrote:
Hi,
I am stuck trying to create a selinux policy for the Software Test
Automation Framework (STAF) daemon on Fedora 14.
From the violations, it seems that STAF wants to send out emails and
restart iptables, which is behavior that should be allowed.
I've created the initial policy with sepolgen and ran the resulting
.sh script with "--update" a number of times, but so far no success in
getting a policy that works without generating violations.
Something like this:
optional_policy(`
	gen_require(`
		type STAFProc_t, iptables_initrc_exec_t;
		role unconfined_r, system_r;
	')

	init_labeled_script_domtrans(STAFProc_t, iptables_initrc_exec_t)
	domain_system_change_exemption(STAFProc_t)

	# these may be duplicates
	# role_transition unconfined_r iptables_initrc_exec_t system_r;
	# allow unconfined_r system_r;
')
Might deal with allowing unconfined_r:STAFProc_t to restart the iptables
init daemon via /etc/rc.d/init.d/iptables.
That might have dealt with the constraint issues.
I have included the resulting te file as an attachment.
Any ideas about what could be wrong would be greatly appreciated.
The current set of violations is:
[root@lime audit]# grep AVC audit.log | grep STAF
type=AVC msg=audit(1316772648.834:16749): avc: denied { create } for
pid=13504 comm="STAFProc" name="STAF.tmp"
scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=unconfined_u:object_r:krb5_host_rcache_t:s0 tclass=file
type=AVC msg=audit(1316772676.905:16750): avc: denied { read } for
pid=13541 comm="killall" name="stat" dev=proc ino=5874476
scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=system_u:system_r:sendmail_t:s0 tclass=file
type=AVC msg=audit(1316772676.905:16750): avc: denied { open } for
pid=13541 comm="killall" name="stat" dev=proc ino=5874476
scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=system_u:system_r:sendmail_t:s0 tclass=file
type=AVC msg=audit(1316772676.906:16751): avc: denied { getattr } for
pid=13541 comm="killall" path="/proc/1433/stat" dev=proc ino=5874476
scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=system_u:system_r:sendmail_t:s0 tclass=file
type=AVC msg=audit(1316772677.136:16755): avc: denied { transition }
for pid=13558 comm="env" path="/etc/rc.d/init.d/iptables" dev=dm-0
ino=652904 scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
type=AVC msg=audit(1316772677.136:16755): avc: denied { rlimitinh }
for pid=13558 comm="iptables"
scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
type=AVC msg=audit(1316772677.136:16755): avc: denied { siginh } for
pid=13558 comm="iptables"
scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
type=AVC msg=audit(1316772677.136:16755): avc: denied { noatsecure }
for pid=13558 comm="iptables"
scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
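As an added example (not code from the thread or from STAF), a small Python script that re-joins the line-wrapped AVC records quoted above and summarizes them by source type, target type and object class. It separates the process denials where only the role changes (unconfined_r to system_r while the type stays STAFProc_t, the constraint issue mentioned in the reply) from the ones a plain type allow rule would address. The sample log and the helper names are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample: two of the wrapped AVC records from the thread above.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1316772648.834:16749): avc: denied { create } for
pid=13504 comm="STAFProc" name="STAF.tmp"
scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=unconfined_u:object_r:krb5_host_rcache_t:s0 tclass=file
type=AVC msg=audit(1316772677.136:16755): avc: denied { transition }
for pid=13558 comm="env" path="/etc/rc.d/init.d/iptables" dev=dm-0
ino=652904 scontext=unconfined_u:unconfined_r:STAFProc_t:s0
tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
"""

AVC_RE = re.compile(r"denied \{\s*(?P<perms>[^}]+)\}.*?scontext=(?P<scon>\S+)"
                    r".*?tcontext=(?P<tcon>\S+).*?tclass=(?P<tclass>\S+)")

def unwrap_records(text):
    """Re-join records a mail client wrapped; each one starts with 'type=AVC'."""
    records, current = [], []
    for line in text.splitlines():
        if line.startswith("type=AVC") and current:
            records.append(" ".join(current))
            current = []
        current.append(line.strip())
    if current:
        records.append(" ".join(current))
    return records

def parse_avc(record):
    """Return permissions, source/target role and type, and class (or None)."""
    m = AVC_RE.search(record)
    if not m:
        return None
    _, srole, stype, _ = m.group("scon").split(":", 3)  # user:role:type:level
    _, trole, ttype, _ = m.group("tcon").split(":", 3)
    return {"perms": m.group("perms").split(), "srole": srole, "stype": stype,
            "trole": trole, "ttype": ttype, "tclass": m.group("tclass")}

def classify(p):
    """Process denial with the same type but a different role: a role allow /
    transition-constraint question, not a missing type allow rule."""
    if p["tclass"] == "process" and p["stype"] == p["ttype"] and p["srole"] != p["trole"]:
        return "role_change"
    return "allow_rule"

def summarize(text):
    """(stype, ttype, tclass, kind) -> sorted permissions, for review first."""
    summary = defaultdict(set)
    for p in filter(None, map(parse_avc, unwrap_records(text))):
        summary[(p["stype"], p["ttype"], p["tclass"], classify(p))].update(p["perms"])
    return {k: sorted(v) for k, v in summary.items()}
```

Run it over the full audit.log excerpt and the grouped output shows which denials are candidates for allow rules and which need the role side (role_transition / allow role, plus the exemption the reply suggests) before anything is fed to audit2allow.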