It's been a while since I wrote my last policy, but today I gave it a try
and ran immediately into a problem. The target is a user X11
application, so I started with the following TE file, which was basically
generated via selinux-polgengui:
roleattribute system_r foobar_roles;
role foobar_roles types foobar_t;
The interesting part of the IF file is
type foobar_t, foobar_exec_t;
domtrans_pattern($1, foobar_exec_t, foobar_t)
roleattribute $2 foobar_roles;
Now comes the funny part. If I label the target binary as foobar_exec_t
and execute it (from unconfined_t), then I receive an error message from
the application itself, telling me that the application does not have the
rights to access a resource. However, if I label the target binary as
e.g. usr_t and execute it (again from unconfined_t), then the
application starts as expected and does its job.
This confuses me, since I put foobar_t into permissive mode.
I tried to narrow it down by disabling all dontaudit rules via "semodule
-DB" and allowed everything which was then logged. However, even that
did not help.
I did a last try by labeling the binary again as foobar_exec_t and
enabled *globally* the permissive mode. Then the application starts as
This is kind of strange to me since I said that the type foobar_t should
be permissive. I actually expected no change if I start it as
unconfined_t and transit to foobar_t, or, if I execute it as
Does someone have a pointer for me?
With the help of Dominick Grift I solved the problem.
Just for the record: the logfile /var/log/audit/audit.log is not the
only place you might want to look for failed resource accesses. In my case
journalctl logged several (denied) attempts to DBUS which were not
logged in /var/log/audit/audit.log. Once I allowed them, the application
runs fine even in enforcing mode.
All in all, I learned to have a look at
- ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today
- dmesg/messages or whatever logfile else
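To make the two-log triage above concrete, here is an added example (not part of the thread, nor of any SELinux tool) that summarises both kernel AVC records and the USER_AVC records that dbus-daemon emits, so that denials from either source end up in one list. The log lines in sample_log are constructed to mimic the audit.log / journal format; the domain foobar_t, the service name org.example.Foobar and all pids are made up. In real use you would feed it the output of `ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today` or `journalctl` instead of the sample.

```shell
#!/bin/sh
# Added example: one summary line per SELinux denial, whether it came from the
# kernel (type=AVC) or from a userspace object manager such as dbus-daemon
# (type=USER_AVC). Not from the original post or from any SELinux project code.

# Constructed sample records (not captured from a real system). Domain foobar_t,
# the service name and pids are placeholders.
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1700000000.001:101): avc:  denied  { read } for  pid=1234 comm="foobar" name="foorc" dev="dm-0" ino=42 scontext=unconfined_u:unconfined_r:foobar_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000000.001:101): arch=c000003e syscall=257 success=yes exit=3
type=USER_AVC msg=audit(1700000000.002:102): pid=800 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=unconfined_u:unconfined_r:foobar_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1700000000.003:103): pid=800 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { acquire_svc } for  service=org.example.Foobar spid=1234 scontext=unconfined_u:unconfined_r:foobar_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
EOF
}

# Reads audit/journal lines on stdin and prints, for every "avc: denied" record:
#   <record type> <source type> <target type> <tclass> { <perms> } permissive=<0|1>
# The permissive= field is the one to watch: it says whether *that* check was
# actually enforced by whoever performed it (kernel or dbus-daemon).
summarize_denials() {
    awk '
    /avc: +denied/ {
        rtype = ""; perms = ""; stype = ""; ttype = ""; tclass = ""; pmode = "?"
        if (match($0, /type=[A-Z_]+/))    rtype = substr($0, RSTART + 5, RLENGTH - 5)
        if (match($0, /[{] [^}]* [}]/))   perms = substr($0, RSTART + 2, RLENGTH - 4)
        if (match($0, /scontext=[^ ]+/)) {
            ctx = substr($0, RSTART + 9, RLENGTH - 9); split(ctx, a, ":"); stype = a[3]
        }
        if (match($0, /tcontext=[^ ]+/)) {
            ctx = substr($0, RSTART + 9, RLENGTH - 9); split(ctx, a, ":"); ttype = a[3]
        }
        if (match($0, /tclass=[^ ]+/))    tclass = substr($0, RSTART + 7, RLENGTH - 7)
        if (match($0, /permissive=[01]/)) pmode = substr($0, RSTART + 11, RLENGTH - 11)
        printf "%s %s %s %s { %s } permissive=%s\n", rtype, stype, ttype, tclass, perms, pmode
    }'
}

# Counts only the denials mediated by the message bus (tclass=dbus); these are
# the ones that may be missing from audit.log and only visible via journalctl.
count_dbus_denials() {
    summarize_denials | awk '$4 == "dbus" { n++ } END { print n + 0 }'
}

# Stand-alone run over the constructed sample; in real use pipe ausearch or
# journalctl output into summarize_denials instead.
sample_log | summarize_denials
printf 'dbus denials: %s\n' "$(sample_log | count_dbus_denials)"
```

Running it over the sample prints one line for the file read (permissive=1, so it was only logged) and two for the bus (send_msg and acquire_svc, permissive=0), which is exactly the split the post describes: the file access is in audit.log, the bus denials are what you have to go and find elsewhere.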