Booting in strict/enforcing, 'Fedora' in the 'Welcome to Fedora Core' message is no longer red, the subsequent 6 or so messages are formatted differently (i.e., the '[OK]' is not nicely indented, and it is not in green). Also, rhgb doesn't start. (Yeah, I know, this is not a bug, it's a feature ;) )
Anyway, the following patch puts the red and green back in the boot. The change mimics the privileges given for console_device_t:chr_file
--- /etc/selinux/strict/src-1.17.16-3/policy/domains/program/consoletype.te 2004-09-16 07:14:24.000000000 -0700 +++ ./consoletype.te 2004-09-16 11:37:14.000000000 -0700 @@ -52,5 +52,5 @@ allow consoletype_t pam_var_run_t:file { getattr read }; ') ifdef(`distro_redhat', ` -dontaudit consoletype_t tmpfs_t:chr_file { read write }; +allow consoletype_t tmpfs_t:chr_file { getattr ioctl read write }; ')
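Review bot: the `+allow consoletype_t tmpfs_t:chr_file { getattr ioctl read write };` line turns a silenced denial into a real grant, and it does so for every character device of type tmpfs_t, not only the console the message is concerned with. Since the justification (mirroring what console_device_t:chr_file already gets) lives only in the mail, put a one-line comment above the rule in consoletype.te saying why `write` is needed, so a later cleanup does not revert it to `dontaudit`; and confirm that `getattr ioctl` were actually denied rather than added pre-emptively, since the old dontaudit line only mentioned `read write`.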
The following makes rhgb work in strict/enforcing. The problem is that it wants to mount /etc/rhgb, but it is currently labeled 'etc_t'. Labeling /etc/rhgb as 'root_t' makes it work. Not sure if this is really 'proper'. I'd be more comfortable with it being labeled something like 'etc_rhgb_t' or some such, or moving the mount point....
--- /etc/selinux/strict/src-1.17.16-3/policy/file_contexts/program/rhgb.fc 2004-09-16 07:14:24.000000000 -0700 +++ ./rhgb.fc 2004-09-16 12:21:12.424588200 -0700 @@ -1,2 +1,3 @@ /usr/bin/rhgb -- system_u:object_r:rhgb_exec_t #/etc/dbus-1(/.*)? system_u:object_r:etc_dbusd_t +/etc/rhgb -d system_u:object_r:root_t
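Review bot: `+/etc/rhgb -d system_u:object_r:root_t` gives a directory under /etc the type of the filesystem root, so every domain already allowed to mount on root_t gains a second mount point inside /etc, and nothing ties the directory to rhgb. The message above already names the better option: declare a dedicated type (etc_rhgb_t) in rhgb.te, label /etc/rhgb with it here, and grant `mounton` on that type to rhgb_t only. Note also that `-d` matches just the directory node, so whatever rhgb mounts there is labeled by the mounted filesystem, not by this line.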
Tom London wrote:
Booting in strict/enforcing, 'Fedora' in the 'Welcome to Fedora Core' message is no longer red, the subsequent 6 or so messages are formatted differently (i.e., the '[OK]' is not nicely indented, and it is not in green). Also, rhgb doesn't start. (Yeah, I know, this is not a bug, it's a feature ;) )
Anyway, the following patch puts the red and green back in the boot. The change mimics the privileges given for console_device_t:chr_file
/etc/selinux/strict/src-1.17.16-3/policy/domains/program/consoletype.te 2004-09-16 07:14:24.000000000 -0700 +++ ./consoletype.te 2004-09-16 11:37:14.000000000 -0700 @@ -52,5 +52,5 @@ allow consoletype_t pam_var_run_t:file { getattr read }; ') ifdef(`distro_redhat', ` -dontaudit consoletype_t tmpfs_t:chr_file { read write }; +allow consoletype_t tmpfs_t:chr_file { getattr ioctl read write }; ')
Modified
The following makes rhgb work in strict/enforcing. The problem is that it wants to mount /etc/rhgb, but it is currently labeled 'etc_t'. Labeling /etc/rhgb as 'root_t' makes it work. Not sure if this is really 'proper'. I'd be more comfortable with it being labeled something like 'etc_rhgb_t' or some such, or moving the mount point....
/etc/selinux/strict/src-1.17.16-3/policy/file_contexts/program/rhgb.fc 2004-09-16 07:14:24.000000000 -0700 +++ ./rhgb.fc 2004-09-16 12:21:12.424588200 -0700 @@ -1,2 +1,3 @@ /usr/bin/rhgb -- system_u:object_r:rhgb_exec_t #/etc/dbus-1(/.*)? system_u:object_r:etc_dbusd_t +/etc/rhgb -d system_u:object_r:root_t
Changed to mnt_t
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
On Thu, 16 Sep 2004 17:08:55 -0400, Daniel J Walsh dwalsh@redhat.com wrote:
<<<SNIP>>>
/etc/selinux/strict/src-1.17.16-3/policy/file_contexts/program/rhgb.fc 2004-09-16 07:14:24.000000000 -0700 +++ ./rhgb.fc 2004-09-16 12:21:12.424588200 -0700 @@ -1,2 +1,3 @@ /usr/bin/rhgb -- system_u:object_r:rhgb_exec_t #/etc/dbus-1(/.*)? system_u:object_r:etc_dbusd_t +/etc/rhgb -d system_u:object_r:root_t
Changed to mnt_t
Better!
thanks, tom
uhhh... Sorry, but I didn't check before.
Need this in rhgb.te:
--- /etc/selinux/strict/src-1.17.18-1/policy/domains/program/rhgb.te 2004-09-17 11:32:00.886510890 -0700 +++ ./rhgb.te 2004-09-17 11:33:42.601099238 -0700 @@ -34,7 +34,7 @@ allow insmod_t rhgb_t:fd use;
allow rhgb_t ramfs_t:filesystem { mount unmount }; -allow rhgb_t root_t:dir { mounton }; +allow rhgb_t { root_t mnt_t }:dir { mounton }; allow rhgb_t rhgb_t:capability { sys_admin }; dontaudit rhgb_t var_run_t:dir { search };
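Review bot: in `+allow rhgb_t { root_t mnt_t }:dir { mounton };` the root_t member is only needed while rhgb still mounts on a root_t directory; the preceding reply relabeled /etc/rhgb to mnt_t, so root_t looks like a leftover and should be dropped rather than leaving rhgb_t able to mount over the filesystem root. `mounton` also does not cover the path lookup: rhgb_t still needs `search` on the mnt_t directory to reach the mount point, and the AVC posted later in this thread (`denied { search } ... tcontext=system_u:object_r:mnt_t tclass=dir`) shows exactly that denial, so the hunk should add `allow rhgb_t mnt_t:dir { search };` alongside the mounton rule.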
Otherwise can't mount....
tom
On Thu, 16 Sep 2004 14:39:37 -0700, Tom London selinux@gmail.com wrote:
On Thu, 16 Sep 2004 17:08:55 -0400, Daniel J Walsh dwalsh@redhat.com wrote:
<<<SNIP>>>
/etc/selinux/strict/src-1.17.16-3/policy/file_contexts/program/rhgb.fc 2004-09-16 07:14:24.000000000 -0700 +++ ./rhgb.fc 2004-09-16 12:21:12.424588200 -0700 @@ -1,2 +1,3 @@ /usr/bin/rhgb -- system_u:object_r:rhgb_exec_t #/etc/dbus-1(/.*)? system_u:object_r:etc_dbusd_t +/etc/rhgb -d system_u:object_r:root_t
Changed to mnt_t
Better!
thanks, tom -- Tom London
On Sat, 18 Sep 2004 04:35, Tom London selinux@gmail.com wrote:
Need this in rhgb.te:
--- /etc/selinux/strict/src-1.17.18-1/policy/domains/program/rhgb.te 2004-09-17 11:32:00.886510890 -0700 +++ ./rhgb.te 2004-09-17 11:33:42.601099238 -0700 @@ -34,7 +34,7 @@ allow insmod_t rhgb_t:fd use;
allow rhgb_t ramfs_t:filesystem { mount unmount }; -allow rhgb_t root_t:dir { mounton }; +allow rhgb_t { root_t mnt_t }:dir { mounton }; allow rhgb_t rhgb_t:capability { sys_admin }; dontaudit rhgb_t var_run_t:dir { search };
Otherwise can't mount....
Does it still need access to mount on type root_t?
RHGB doesn't work for me at the moment due to other errors so I can't test.
Russell Coker wrote:
On Sat, 18 Sep 2004 04:35, Tom London selinux@gmail.com wrote:
Need this in rhgb.te:
--- /etc/selinux/strict/src-1.17.18-1/policy/domains/program/rhgb.te 2004-09-17 11:32:00.886510890 -0700 +++ ./rhgb.te 2004-09-17 11:33:42.601099238 -0700 @@ -34,7 +34,7 @@ allow insmod_t rhgb_t:fd use;
allow rhgb_t ramfs_t:filesystem { mount unmount }; -allow rhgb_t root_t:dir { mounton }; +allow rhgb_t { root_t mnt_t }:dir { mounton }; allow rhgb_t rhgb_t:capability { sys_admin }; dontaudit rhgb_t var_run_t:dir { search };
Otherwise can't mount....
Does it still need access to mount on type root_t?
RHGB doesn't work for me at the moment due to other errors so I can't test.
No, I removed root_t.
Running latest Rawhide w/Dan's latest stuff:
rhgb fails with:
Sep 23 19:41:43 fedora kernel: audit(1095968474.168:0): avc: denied { search } for pid=1593 exe=/usr/bin/rhgb name=rhgb dev=hda2 ino=280446 scontext=system_u:system_r:rhgb_t tcontext=system_u:object_r:mnt_t tclass=dir
Sep 23 19:41:43 fedora kernel: audit(1095968474.168:0): avc: denied { search } for pid=1593 exe=/usr/bin/rhgb name=rhgb dev=hda2 ino=280446 scontext=system_u:system_r:rhgb_t tcontext=system_u:object_r:mnt_t tclass=dir
tom
On Wed, 22 Sep 2004 14:46:42 -0400, Daniel J Walsh dwalsh@redhat.com wrote:
Russell Coker wrote:
On Sat, 18 Sep 2004 04:35, Tom London selinux@gmail.com wrote:
Need this in rhgb.te:
--- /etc/selinux/strict/src-1.17.18-1/policy/domains/program/rhgb.te 2004-09-17 11:32:00.886510890 -0700 +++ ./rhgb.te 2004-09-17 11:33:42.601099238 -0700 @@ -34,7 +34,7 @@ allow insmod_t rhgb_t:fd use;
allow rhgb_t ramfs_t:filesystem { mount unmount }; -allow rhgb_t root_t:dir { mounton }; +allow rhgb_t { root_t mnt_t }:dir { mounton }; allow rhgb_t rhgb_t:capability { sys_admin }; dontaudit rhgb_t var_run_t:dir { search };
Otherwise can't mount....
Does it still need access to mount on type root_t?
RHGB doesn't work for me at the moment due to other errors so I can't test.
No, I removed root_t.
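The back-and-forth above (does rhgb_t still need root_t, why does it still fail after the relabel to mnt_t) is the usual loop of reading an AVC denial and checking it against the rules already in the .te file. The following is an added example written for this thread, not code from the list or from the Fedora policy: a small audit2allow-style helper that parses the subset of type-enforcement syntax used in the thread (allow/dontaudit with single types or { } sets) and the kernel's 'avc: denied' log format, then reports which denied permissions no allow rule grants. RHGB_TE and AVC_LINE are constructed from the text of the thread; the function and class names are this example's own.

```python
"""Check SELinux AVC denials against type-enforcement (TE) allow rules.

Added example, not code from the fedora-selinux-list thread or from the
Fedora policy. Handles only the TE subset used in the thread (allow and
dontaudit rules, single types or { set } lists, one object class) and
the 'avc: denied { perms } ... scontext= tcontext= tclass=' log format.
"""
import re
from dataclasses import dataclass

# Post-patch rhgb.te excerpt as posted in the thread (constructed sample input).
RHGB_TE = """
allow insmod_t rhgb_t:fd use;
allow rhgb_t ramfs_t:filesystem { mount unmount };
allow rhgb_t { root_t mnt_t }:dir { mounton };
allow rhgb_t rhgb_t:capability { sys_admin };
dontaudit rhgb_t var_run_t:dir { search };
"""

# The denial posted after /etc/rhgb was relabeled mnt_t (constructed copy).
AVC_LINE = ("Sep 23 19:41:43 fedora kernel: audit(1095968474.168:0): avc: denied "
            "{ search } for pid=1593 exe=/usr/bin/rhgb name=rhgb dev=hda2 ino=280446 "
            "scontext=system_u:system_r:rhgb_t tcontext=system_u:object_r:mnt_t tclass=dir")

RULE_RE = re.compile(
    r"^(?P<kind>allow|dontaudit)\s+(?P<src>\{[^}]*\}|\S+)\s+"
    r"(?P<tgt>\{[^}]*\}|\S+):(?P<cls>\S+)\s+(?P<perms>\{[^}]*\}|\S+)\s*;"
)
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def _types(token):
    """'{ a b }' -> {'a', 'b'}; 'a' -> {'a'}."""
    return frozenset(token.strip("{} ").split())


@dataclass(frozen=True)
class Rule:
    kind: str            # "allow" or "dontaudit"
    sources: frozenset
    targets: frozenset
    tclass: str
    perms: frozenset


@dataclass(frozen=True)
class Denial:
    stype: str           # source (process) type
    ttype: str           # target (object) type
    tclass: str
    perms: frozenset


def parse_rules(text):
    """Extract allow/dontaudit rules; macro calls, ifdef() and comments are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(Rule(m["kind"], _types(m["src"]), _types(m["tgt"]),
                              m["cls"], _types(m["perms"])))
    return rules


def type_field(context):
    """'system_u:system_r:rhgb_t' -> 'rhgb_t' (user:role:type)."""
    return context.split(":")[2]


def parse_avc(line):
    """Return a Denial for an 'avc: denied' log line, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return Denial(type_field(m["scontext"]), type_field(m["tcontext"]),
                  m["tclass"], frozenset(m["perms"].split()))


def uncovered(denial, rules):
    """Permissions in the denial that no allow rule grants (dontaudit grants nothing)."""
    granted = set()
    for r in rules:
        if (r.kind == "allow" and denial.stype in r.sources
                and denial.ttype in r.targets and r.tclass == denial.tclass):
            granted |= r.perms
    return denial.perms - granted


def suggest_rule(denial, rules):
    """Smallest allow rule covering the missing permissions, or None if already covered."""
    missing = uncovered(denial, rules)
    if not missing:
        return None
    return f"allow {denial.stype} {denial.ttype}:{denial.tclass} {{ {' '.join(sorted(missing))} }};"


def suggest_from_log(lines, rules):
    """Deduplicated suggestions for every AVC denial in a log."""
    seen, out = set(), []
    for line in lines:
        d = parse_avc(line)
        s = suggest_rule(d, rules) if d else None
        if s and s not in seen:
            seen.add(s)
            out.append(s)
    return out


RULES = parse_rules(RHGB_TE)

if __name__ == "__main__":
    # The thread's log carried the same denial twice; one suggestion results.
    for s in suggest_from_log([AVC_LINE, AVC_LINE], RULES):
        print(s)
```

Run against the thread's own data this prints `allow rhgb_t mnt_t:dir { search };`, the rule the mounton patch was missing, while a constructed `mounton` denial on mnt_t or root_t is reported as already covered. The output is a starting point for review, not something to paste in as-is: the suggested target type is whatever the AVC reported, and, as the /etc/rhgb discussion shows, the right fix is sometimes a narrower type (a dedicated etc_rhgb_t) rather than a broader grant. Denials matched by a dontaudit rule never reach the log, so they cannot show up here at all.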