Hi!
I'm trying to learn SELinux from the bottom up, but I'm having some fundamental issues regarding the basics. I'm trying to load the mozilla.pp module in targeted, which works fine. I set the correct contexts with restorecon on firefox-bin. But when I run the binary it still runs in unconfined_t when looking at running processes (ps auxZ). I've tried to compile it myself from different sources, and load it, but get the same results all the time. Then I tried with netutils.pp and discovered the same problem with ping.
Why doesn't firefox get transferred to the $1_mozilla_t domain??? I know I'm making some really fundamental mistake somewhere, but I can't find out what it is!
With best regards / Tomten
On Tue, 2006-11-28 at 19:36 +0100, Jimmy wrote:
Hi!
I'm trying to learn SELinux from the bottom up, but I'm having some fundamental issues regarding the basics. I'm trying to load the mozilla.pp module in targeted, which works fine. I set the correct contexts with restorecon on firefox-bin. But when I run the binary it still runs in unconfined_t when looking at running processes (ps auxZ). I've tried to compile it myself from different sources, and load it, but get the same results all the time. Then I tried with netutils.pp and discovered the same problem with ping.
Why doesn't firefox get transferred to the $1_mozilla_t domain??? I know I'm making some really fundamental mistake somewhere, but I can't find out what it is!
If mozilla's domain were a "simple" domain, then mozilla.pp would just contain its definition, and you would still need to set up a transition from unconfined_t to mozilla's domain, likely by calling an interface defined by mozilla.if from unconfined.te. But mozilla's domain is templated for instantiation once per user role, and targeted policy has no notion of user roles or domains, so mozilla.pp doesn't even contain the actual domain definition, just a few type declarations for file types used for mozilla; the real domain definition happens as a result of template expansion for each user role.
In short, mozilla's policy was written for the strict policy. You'd have to do some work to instantiate it for unconfined in targeted and ensure that none of its assumptions are broken there, and your ability to limit what it can do will be severely constrained with targeted policy.
Jimmy wrote:
Hi!
I'm trying to learn SELinux from the bottom up, but I'm having some fundamental issues regarding the basics. I'm trying to load the mozilla.pp module in targeted, which works fine. I set the correct contexts with restorecon on firefox-bin. But when I run the binary it still runs in unconfined_t when looking at running processes (ps auxZ). I've tried to compile it myself from different sources, and load it, but get the same results all the time. Then I tried with netutils.pp and discovered the same problem with ping.
Why doesn't firefox get transferred to the $1_mozilla_t domain??? I know I'm making some really fundamental mistake somewhere, but I can't find out what it is!
With best regards / Tomten
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
You need to write a transition rule from unconfined_t to mozilla_t
Something like
mozilla_per_role_template(user, unconfined_t, system_r)
But there is a bug in the policy right now:
gen_require(`
	type mozilla_exec_t;
	type mozilla_conf_t;
')
needs to be added to the mozilla_per_role_template interface definition.
Daniel J Walsh wrote:
Jimmy wrote:
Hi!
I'm trying to learn SELinux from the bottom up, but I'm having some fundamental issues regarding the basics. I'm trying to load the mozilla.pp module in targeted, which works fine. I set the correct contexts with restorecon on firefox-bin. But when I run the binary it still runs in unconfined_t when looking at running processes (ps auxZ). I've tried to compile it myself from different sources, and load it, but get the same results all the time. Then I tried with netutils.pp and discovered the same problem with ping.
Why doesn't firefox get transferred to the $1_mozilla_t domain??? I know I'm making some really fundamental mistake somewhere, but I can't find out what it is!
With best regards / Tomten
You need to write a transition rule from unconfined_t to mozilla_t
Something like
mozilla_per_role_template(user, unconfined_t, system_r)
But there is a bug in the policy right now:
gen_require(`
	type mozilla_exec_t;
	type mozilla_conf_t;
')
needs to be added to the mozilla_per_role_template interface definition.
Looking further into this, I realize there is a lot of work to be done to make this happen. I think it is better to work on a simpler domain. I plan on adding a confinement of mozilla in FC7, but right now I am concentrating on RHEL 5/FC6.
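The route Daniel Walsh sketches above, written out as an added example (this is not code from the thread or from the Fedora policy): a local module that does nothing except call mozilla_per_role_template for unconfined_t, carrying the missing gen_require itself instead of patching mozilla.if, followed by the build, load and verification steps. The development Makefile path, the firefox-bin location, the MODNAME and the "user" prefix are assumptions; as the thread says, the template may still need more work before it builds cleanly on a given policy version.

```shell
#!/bin/sh
# Added example, not code from the thread: a local policy module that asks
# mozilla.if to instantiate its per-role domain for unconfined_t, as suggested
# in the replies above. Assumes a Fedora/RHEL box with selinux-policy-devel
# (for /usr/share/selinux/devel/Makefile), policycoreutils (semodule,
# restorecon) and setools (sesearch) installed, and mozilla.pp already loaded.
set -eu

MODNAME=mozilla_local
# The browser binary's path is an assumption; adjust for your install.
FIREFOX_BIN="${FIREFOX_BIN:-/usr/lib/firefox/firefox-bin}"

# Emit the .te source. Loading mozilla.pp only defines file types such as
# mozilla_exec_t; nothing moves a process out of unconfined_t until some
# module carries a type_transition from unconfined_t on that entrypoint.
# The template provides that rule (and the $1_mozilla_t domain itself).
gen_mozilla_local_te() {
	cat <<'EOF'
policy_module(mozilla_local, 1.0)

# Workaround for the interface bug mentioned in the thread: the template
# uses these types without requiring them, so require them here in the
# calling module instead of patching mozilla.if.
gen_require(`
	type unconfined_t;
	type mozilla_exec_t;
	type mozilla_conf_t;
	role system_r;
')

# Instantiate user_mozilla_t, the exec transition from unconfined_t on
# mozilla_exec_t, and the role authorisation (targeted runs everything in
# system_r, hence that role rather than a user role).
mozilla_per_role_template(user, unconfined_t, system_r)
EOF
}

# Build with the reference-policy development Makefile (it runs m4 over the
# interfaces, then checkmodule and semodule_package) and load the result.
build_and_load() {
	workdir=$(mktemp -d)
	gen_mozilla_local_te > "$workdir/$MODNAME.te"
	( cd "$workdir" && make -f /usr/share/selinux/devel/Makefile "$MODNAME.pp" )
	semodule -i "$workdir/$MODNAME.pp"
	# The transition only fires if the binary really carries mozilla_exec_t.
	restorecon -v "$FIREFOX_BIN"
	ls -Z "$FIREFOX_BIN"
}

# Query the loaded policy rather than trusting the load: is there now a
# type_transition from unconfined_t on mozilla_exec_t? Returns 0 if so.
has_transition() {
	sesearch -T -s unconfined_t -t mozilla_exec_t 2>/dev/null \
		| grep -q 'type_transition unconfined_t mozilla_exec_t'
}

case "${1:-print}" in
	install)
		build_and_load
		if has_transition; then
			echo "transition rule loaded; start firefox and check with: ps -eZ | grep firefox"
		else
			echo "no type_transition from unconfined_t found; check semodule -l and the build output" >&2
			exit 1
		fi
		;;
	check)
		has_transition && echo "transition present" || { echo "transition absent"; exit 1; }
		;;
	*)
		# Default: print the .te so it can be inspected or redirected to a file.
		gen_mozilla_local_te
		;;
esac
```

Run with no argument to print the .te, with `install` (as root) to build, load, relabel and verify, or with `check` to query only. The sesearch query is the check that matters: until a type_transition from unconfined_t on mozilla_exec_t shows up in the loaded policy, ps -Z will keep reporting unconfined_t no matter how the file is labelled.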