Hi everyone,
It's been a while since I wrote my last policy, but today I gave it a try and ran immediately into a problem. The target is a user X11 application, so I started with the following TE file, which was basically generated via selinux-polgengui:
======================================================================
policy_module(foobar, 1.0.0)

attribute_role foobar_roles;
roleattribute system_r foobar_roles;

type foobar_t;
type foobar_exec_t;
application_domain(foobar_t, foobar_exec_t)
role foobar_roles types foobar_t;

permissive foobar_t;

optional_policy(`
	gen_require(`
		type unconfined_t;
		role unconfined_r;
	')

	foobar_run(unconfined_t, unconfined_r)
')
======================================================================
The interesting part of the IF file is
======================================================================
interface(`foobar_domtrans',`
	gen_require(`
		type foobar_t, foobar_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, foobar_exec_t, foobar_t)
')

interface(`foobar_run',`
	gen_require(`
		type foobar_t;
		attribute_role foobar_roles;
	')

	foobar_domtrans($1)
	roleattribute $2 foobar_roles;
')
======================================================================
Now comes the funny part. If I label the target binary as foobar_exec_t and execute it (from unconfined_t), then I receive an error message from the application itself, telling me that the application does not have the rights to access a resource. However, if I label the target binary as e.g. usr_t and execute it (again from unconfined_t), then the application starts as expected and does its job.
This confuses me, since I put foobar_t into permissive mode.
I tried to narrow it down by disabling all dontaudit rules via "semodule -DB" and allowed everything which was then logged. However, even that did not help.
I did a last try by labeling the binary as foobar_exec_t again and enabling permissive mode *globally*. Then the application starts as expected.
This is kind of strange to me, since I said that the type foobar_t should be permissive. I actually expected no change whether I start it as unconfined_t and transition to foobar_t, or execute it as unconfined_t directly.
Does someone have a pointer for me?
Cheers, Stefan
With the help of Dominick Grift I solved the problem.
Just for the record: the logfile /var/log/audit/audit.log is not the only place you might want to look for failed resource accesses. In my case journalctl logged several (denied) attempts to DBUS which were not logged in /var/log/audit/audit.log. Once I allowed them, the application runs fine even in enforcing mode.
All in all, I learned to have a look at
- ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today
- journalctl
- dmesg/messages or whatever other logfile
Cheers, Stefan
selinux@lists.fedoraproject.org
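As an added example (not part of Stefan's mails or of the foobar module above): the lesson of the thread is that denials can show up in more than one log and that a userspace object manager such as dbus-daemon writes its own avc messages, which land in syslog/the journal when it cannot write to the audit subsystem. The script below pulls the "avc: denied { ... } for ... scontext= tcontext= tclass=" core out of kernel AVC records, USER_AVC records and plain journal lines alike, merges them into allow rules the way audit2allow does, and separates denials that actually blocked an access (permissive=0 or no flag) from ones merely logged for a permissive domain (permissive=1). The sample log lines are constructed; foobar_t is the domain from the thread, xauth_home_t and system_dbusd_t are standard refpolicy types used only as illustrative targets, and the DBus interface and service names are made up.

```python
#!/usr/bin/env python3
"""Collect SELinux denials from audit.log records and journalctl lines and
turn them into candidate allow rules (a small audit2allow work-alike).

Added example; the sample log lines are constructed, not from the thread.
"""
import re
import sys
from collections import defaultdict

# One regex covers kernel AVCs (type=AVC), USER_AVCs (object manager via
# auditd) and the syslog/journal form written by dbus-daemon, because the
# "avc: denied { perms } for ... scontext= tcontext= tclass=" core is shared.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)


def context_type(ctx):
    """user:role:type[:range] -> type"""
    return ctx.split(":")[2]


def parse_denials(lines):
    """Return one dict per denial found in the given log lines."""
    denials = []
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "perms": set(m.group("perms").split()),
            "source": context_type(m.group("scontext")),
            "target": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            # permissive=1: access was logged but allowed (permissive domain)
            "permissive": m.group("permissive") == "1",
        })
    return denials


def enforced_denials(denials):
    """Denials that really blocked the access: permissive=0 or flag absent.
    With a permissive domain these are the ones worth chasing first."""
    return [d for d in denials if not d["permissive"]]


def allow_rules(denials, domain=None):
    """Merge denials into 'allow src tgt:class { perms };' lines, optionally
    restricted to one source domain. src == tgt is written as 'self'."""
    merged = defaultdict(set)
    for d in denials:
        if domain and d["source"] != domain:
            continue
        merged[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        tgt = "self" if tgt == src else tgt
        rules.append("allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms))))
    return rules


def module_te(name, denials, domain=None):
    """Emit a minimal loadable-module .te (audit2allow -M style) for the rules."""
    types, classes = set(), defaultdict(set)
    for d in denials:
        if domain and d["source"] != domain:
            continue
        types.update((d["source"], d["target"]))
        classes[d["tclass"]] |= d["perms"]
    out = ["module %s 1.0;" % name, "", "require {"]
    out += ["\ttype %s;" % t for t in sorted(types)]
    out += ["\tclass %s { %s };" % (c, " ".join(sorted(p))) for c, p in sorted(classes.items())]
    out += ["}", ""] + allow_rules(denials, domain)
    return "\n".join(out)


# Constructed sample input: a kernel AVC as in /var/log/audit/audit.log (the
# domain is permissive, so permissive=1), a USER_AVC written by dbus-daemon via
# auditd, and a dbus-daemon line as it appears in journalctl only.
SAMPLE_LINES = [
    'type=AVC msg=audit(1466000000.123:456): avc:  denied  { read open } for  pid=1234 comm="foobar" '
    'path="/home/stefan/.Xauthority" dev="dm-0" ino=1234 '
    'scontext=unconfined_u:unconfined_r:foobar_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:xauth_home_t:s0 tclass=file permissive=1',
    "type=USER_AVC msg=audit(1466000000.500:457): pid=800 uid=81 auid=4294967295 ses=4294967295 "
    "subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { acquire_svc } for "
    "service=org.example.Foobar spid=1234 scontext=unconfined_u:unconfined_r:foobar_t:s0-s0:c0.c1023 "
    "tcontext=unconfined_u:unconfined_r:foobar_t:s0-s0:c0.c1023 tclass=dbus permissive=0  "
    "exe=\"/usr/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'",
    "Jun 15 10:00:00 host dbus-daemon[800]: avc:  denied  { send_msg } for msgtype=method_call "
    "interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=1234 tpid=800 "
    "scontext=unconfined_u:unconfined_r:foobar_t:s0-s0:c0.c1023 "
    "tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus",
]

if __name__ == "__main__":
    # e.g.:  { ausearch -m AVC,USER_AVC -ts today; journalctl -b; } | python3 avc2allow.py -
    lines = sys.stdin.read().splitlines() if "-" in sys.argv[1:] else SAMPLE_LINES
    found = parse_denials(lines)
    print("%d denials, %d of them enforced" % (len(found), len(enforced_denials(found))))
    print(module_te("foobar_local", found, domain="foobar_t"))
```

Feeding it both ausearch and journalctl output (the `-` argument reads stdin) is the point: the USER_AVC and the journal-only dbus-daemon line end up in the same require block and rule list, and the enforced count tells you whether any of them could have caused the application-level error while the domain itself was permissive.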