Hello,
It seems I have to use Teamviewer. I downloaded and installed it. Now I'm trying to put together a policy module to make it run without putting SELinux in permissive mode.
This program uses a daemon, and for this I've created a new domain:
type teamviewerd_t;
type teamviewerd_exec_t;
init_daemon_domain(teamviewerd_t, teamviewerd_exec_t)
/opt/teamviewer/tv_bin/teamviewerd -- gen_context(system_u:object_r:teamviewerd_exec_t,s0)
Then I started to add "allow" rules. ausearch tells me I get an AVC when "init_t" tries to use "execmem". I'm guessing this is because the execmem test is done before the type transition happens.
Obviously, I don't want to allow init_t the execmem permission in general. Is there some good way around this? My best idea so far is to create a wrapper binary, give this wrapper the teamviewerd_exec_t type, and let it do exec() on the real teamviewerd program. But it feels a bit clumsy. Are there more direct ways to do it?
On 07/07/2016 07:46 PM, Göran Uddeborg wrote:
Hi,
Could you attach raw AVCs and source policy files?
Thank you.
Lukas Vrabec:
Of course.
The policy is "under development". It is mostly coming from running in permissive mode with dontaudit rules disabled, and putting the output through "audit2allow". I've started to clean it up a little; much of it should be dontaudit'ed instead. But as I said, I've only started.
To avoid spamming the list I placed the complete files at
ftp://ftp.uddeborg.se/pub/teamviewer-selinux
The pieces that I believe are interesting for the purpose of this discussion are:
From teamviewer.te:
type teamviewerd_t;
type teamviewerd_exec_t;
init_daemon_domain(teamviewerd_t, teamviewerd_exec_t)

allow init_t self:process execmem;
allow teamviewerd_t self:process { execmem setsched };
From teamviewer.fc:
/opt/teamviewer/tv_bin/teamviewerd -- gen_context(system_u:object_r:teamviewerd_exec_t,s0)
Relevant AVCs before I added the allow rules:
type=AVC msg=audit(1467890892.113:74507): avc: denied { execmem } for pid=26267 comm="teamviewerd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process permissive=1
type=AVC msg=audit(1467890892.114:74508): avc: denied { execmem } for pid=26267 comm="teamviewerd" scontext=system_u:system_r:teamviewerd_t:s0 tcontext=system_u:system_r:teamviewerd_t:s0 tclass=process permissive=1
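The two AVCs above illustrate the problem raised in the first message: both records carry comm="teamviewerd", but the first has init_t as its source type and the second teamviewerd_t. Run through audit2allow unchanged, the first one becomes "allow init_t self:process execmem;", which is exactly the rule nobody wants. The following script is an added example (not code from the thread, TeamViewer, or the audit tooling): it parses raw AVC records the way audit2allow would, but first flags any denial whose comm is the daemon's name while its source type is still the launcher's domain, and keeps such records out of the generated rules so they can be examined by hand instead. The sample input is constructed: the two records from the thread plus one made-up setsched denial (setsched appears in the posted policy) so that the rule generator has something to merge. The daemon name, domain and launcher domain are parameters; "init_t" as the default launcher is an assumption matching this thread.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample audit log: the two execmem AVCs posted in the thread
# plus one invented setsched denial in the daemon's own domain.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1467890892.113:74507): avc: denied { execmem } for pid=26267 comm="teamviewerd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process permissive=1
type=AVC msg=audit(1467890892.114:74508): avc: denied { execmem } for pid=26267 comm="teamviewerd" scontext=system_u:system_r:teamviewerd_t:s0 tcontext=system_u:system_r:teamviewerd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1467890900.000:74600): avc: denied { setsched } for pid=26267 comm="teamviewerd" scontext=system_u:system_r:teamviewerd_t:s0 tcontext=system_u:system_r:teamviewerd_t:s0 tclass=process permissive=1
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\(\d+\.\d+:(\d+)\): avc:\s+denied\s+\{ ([^}]*) \}\s+for\s+(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Avc:
    serial: int
    perms: frozenset
    comm: str
    scontext: str
    tcontext: str
    tclass: str
    permissive: bool

    @property
    def stype(self):
        # user:role:type[:level]; the type is always the third field
        return self.scontext.split(":")[2]

    @property
    def ttype(self):
        return self.tcontext.split(":")[2]


def parse_avc(line):
    """Parse one raw AVC record; return None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    serial, perms, rest = m.groups()
    kv = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return Avc(int(serial), frozenset(perms.split()), kv.get("comm", ""),
               kv["scontext"], kv["tcontext"], kv["tclass"],
               kv.get("permissive") == "1")


def is_pre_transition(avc, daemon_comm, daemon_domain, launcher_domain="init_t"):
    """True when the task already carries the daemon's comm but the
    denial was checked against the launcher's domain rather than the
    daemon's own: the pattern of the first AVC in the thread."""
    return (avc.comm == daemon_comm
            and avc.stype == launcher_domain
            and avc.stype != daemon_domain)


def allow_rules(avcs, daemon_comm, daemon_domain, launcher_domain="init_t"):
    """Merge denials into audit2allow-style rules, setting aside the
    pre-transition ones instead of turning them into launcher-domain
    allows. Returns (rules, flagged)."""
    kept, flagged = defaultdict(set), []
    for a in avcs:
        if is_pre_transition(a, daemon_comm, daemon_domain, launcher_domain):
            flagged.append(a)
            continue
        target = "self" if a.stype == a.ttype else a.ttype
        kept[(a.stype, target, a.tclass)].update(a.perms)
    rules = []
    for (s, t, c), perms in sorted(kept.items()):
        p = " ".join(sorted(perms))
        rules.append(f"allow {s} {t}:{c} {p};" if len(perms) == 1
                     else f"allow {s} {t}:{c} {{ {p} }};")
    return rules, flagged


if __name__ == "__main__":
    avcs = [a for a in map(parse_avc, SAMPLE_AUDIT.splitlines()) if a]
    rules, flagged = allow_rules(avcs, "teamviewerd", "teamviewerd_t")
    for r in rules:
        print(r)
    for a in flagged:
        print(f"# serial {a.serial}: {a.stype} denied {' '.join(sorted(a.perms))} "
              f"with comm={a.comm}; check the transition, do not allow this in {a.stype}")
```

On the sample this prints the single rule "allow teamviewerd_t self:process { execmem setsched };" and a comment line for serial 74507, i.e. the same result as hand-editing the audit2allow output to drop the init_t line. Running it on real data is a matter of replacing SAMPLE_AUDIT with the output of ausearch -m AVC -r.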
selinux@lists.fedoraproject.org