Greetings everyone!
I'm trying to set up a demonstration of SELinux functionality for a few people, and have been hitting my head against a brick wall on it for 2 days, so I was hoping that maybe you guys could give me some advice...
Background:
System: Fedora Core 3, updated to latest packages via "yum update". Strict policy, version 1.19.10-2, and the strict policy sources installed.
The Goal: To demonstrate locking down access to a file to only a certain role, privileged_r. User account should have to access that role via the newrole command.
The current problem: According to the policy writing docs, a role should be created via the full_user_role() macro. So, in domains/misc/custom_policy.te, I placed the following line (along with other custom rules that have already been compiled successfully and work):
full_user_role(privileged)
The docs also say that new user roles should be added to the in_user_role macro within macros/user_macros.te, so I did that as well, making that macro look like this:
undefine(`in_user_role')
define(`in_user_role', `
role user_r types $1;
role staff_r types $1;
role privileged_r types $1;
')
Now, when trying to compile the policy after that, I get the following error:
/usr/bin/checkpolicy: loading policy configuration from policy.conf
domains/misc/custom_policy.te:13:ERROR 'unknown type privileged_userhelper_t' at token ';' on line 115000:
#line 13
allow privileged_mozilla_t privileged_userhelper_t:process transition;
/usr/bin/checkpolicy: error(s) encountered while parsing configuration
make: *** [/etc/selinux/strict/policy/policy.18] Error 1
I've been banging my head against the wall on this one for a day and a half - have searched the web, read numerous docs on creating policy, looked at how the full_user_role macro is used elsewhere in the policy, and I simply can't figure out what I'm doing wrong.
Anyone have any ideas?
Jeremy
On Thu, 2005-06-09 at 13:28 -0700, Jeremy Utley wrote:
> The current problem: According to the policy writing docs, a role should be created via the full_user_role() macro. So, in domains/misc/custom_policy.te, I placed the following line (along with other custom rules that have already been compiled successfully and work):
> full_user_role(privileged)
In order to support role changes via newrole, you need some further rules. These are defined in the role_tty_type_change() macro defined in domains/user.te, which means that you presently have to add rules to domains/user.te; that macro definition should likely be moved to base_user_macros.te or user_macros.te so that it can be used elsewhere.
If you want the role to be able to use userhelper, sudo, or su, you also need to include reach_sysadm(privileged); that macro is also presently defined in domains/user.te and should likely be moved to user_macros.te or base_user_macros.te.
> Now, when trying to compile the policy after that, I get the following error:
> /usr/bin/checkpolicy: loading policy configuration from policy.conf
> domains/misc/custom_policy.te:13:ERROR 'unknown type privileged_userhelper_t' at token ';' on line 115000:
> #line 13
> allow privileged_mozilla_t privileged_userhelper_t:process transition;
> /usr/bin/checkpolicy: error(s) encountered while parsing configuration
> make: *** [/etc/selinux/strict/policy/policy.18] Error 1
That's a bug in mozilla_macros.te, already removed in the FC4/development strict policy. Remove the userhelper transition from it:
--- macros/program/mozilla_macros.te.orig 2005-06-10 08:37:54.636627280 -0400 +++ macros/program/mozilla_macros.te 2005-06-10 08:38:11.886004976 -0400 @@ -116,9 +116,6 @@ dontaudit $1_mozilla_t file_type:dir getattr; allow $1_mozilla_t self:sem create_sem_perms;
-ifdef(`userhelper.te', ` -domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t) -') dontaudit $1_mozilla_t selinux_config_t:dir search;
#
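Review bot: the ifdef being removed only tests whether userhelper.te is part of the build, not whether a $1_userhelper_t domain exists for the user prefix the macro is instantiated with, so a role created with full_user_role() that does not also get the userhelper domain (the reply above says reach_sysadm() is what gives a role userhelper/sudo/su access) trips exactly the 'unknown type privileged_userhelper_t' error quoted earlier. Dropping the transition outright, as this hunk does, is simpler than a per-role guard and matches what the reply says the FC4/development policy already did. One caveat for anyone applying it to FC3: the hunk header claims 9 original lines but only 6 are visible here, so edit mozilla_macros.te by hand rather than feeding this text to patch(1).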
selinux@lists.fedoraproject.org
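As an added illustration (not code from either message in the thread), here is what a domains/misc/custom_policy.te for the demo could look like once the pieces the reply names are in place. The macros full_user_role, reach_sysadm, in_user_role and role_tty_type_change are the ones named in the thread; the type name privileged_secret_t, the allow/dontaudit rules, the file_contexts path and the users entry are my own assumptions about how to restrict one file to the privileged role under the FC3 strict policy, using the standard attributes (file_type, sysadmfile) and permission macros (r_file_perms, r_dir_perms) from that policy's attrib.te and core_macros.te.

```m4
# domains/misc/custom_policy.te  (added example; names marked "assumed" are not from the thread)

# Create the privileged_r role and its privileged_t user domain, as the
# original poster did.  The in_user_role addition shown earlier in the
# thread must be in place in macros/user_macros.te as well.
full_user_role(privileged)

# Only needed if privileged_r users should be able to use userhelper, sudo
# or su; the reply notes this macro currently lives in domains/user.te.
reach_sysadm(privileged)

# newrole also needs the tty relabelling rules from role_tty_type_change()
# in domains/user.te (see the reply); its arguments are not shown here.

# A file type that only the privileged_t domain may read (assumed name).
type privileged_secret_t, file_type, sysadmfile;

# privileged_t is the user domain full_user_role(privileged) created.
allow privileged_t privileged_secret_t:file r_file_perms;
allow privileged_t privileged_secret_t:dir r_dir_perms;

# SELinux denies everything not explicitly allowed, so user_t and staff_t
# are already locked out; these dontaudit rules only keep avc denials out
# of the logs while the demo runs.
dontaudit user_t privileged_secret_t:file { read getattr };
dontaudit staff_t privileged_secret_t:file { read getattr };

# Companion entries kept in other files (assumed paths, shown as comments):
#
#   file_contexts/misc/custom.fc:
#     /srv/demo/secret(/.*)?   system_u:object_r:privileged_secret_t
#
#   users (so newrole may switch the demo account into privileged_r):
#     user demo roles { user_r privileged_r };
```

After `make load` and `restorecon -R /srv/demo/secret`, the demo is simply `cat /srv/demo/secret` failing with a permission error as user_r, then `newrole -r privileged_r` followed by the same `cat` succeeding; `ausearch -m avc` (or the audit log) shows the denial for the first attempt and nothing for the second.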