--> answer in your mail body!
fedora-selinux-list-request@redhat.com wrote:
Send fedora-selinux-list mailing list submissions to fedora-selinux-list@redhat.com
To subscribe or unsubscribe via the World Wide Web, visit https://www.redhat.com/mailman/listinfo/fedora-selinux-list or, via email, send a message with subject or body 'help' to fedora-selinux-list-request@redhat.com
You can reach the person managing the list at fedora-selinux-list-owner@redhat.com
When replying, please edit your Subject line so it is more specific than "Re: Contents of fedora-selinux-list digest..."
Today's Topics:
   1. using runcon -l s1 (Clarkson, Mike R (US SSA))
   2. Re: using runcon -l s1 (Daniel J Walsh)
   3. Re: Helper program for a daemon (Al Pacifico)
----------------------------------------------------------------------
Message: 1
Date: Mon, 23 Apr 2007 10:22:11 -0700
From: "Clarkson, Mike R (US SSA)"
Subject: using runcon -l s1
Content-Type: text/plain; charset="us-ascii"
I am trying to figure out how to get "runcon -l s1" to work while having selinux in enforcing mode. So far, I can only use the runcon command successfully with selinux in permissive mode. Here is the error I get when in enforcing mode:
runcon -l s1 ./SimulatedImport /home/m252/SimulatedImport/output/junk
execvp: Permission denied
--> You should know that enforcing mode means SELinux is fully activated, i.e. the policies are enforced, and as a user you have a role, and that role assigns you specific permissions. That's why you get this message: your role doesn't give you this permission. This is the principal way SELinux provides protection.
My shell is running as root in the unconfined_t domain. Here is the output of id -Z:
root:system_r:unconfined_t:s0-s15:c0.c255
--> This context is assigned to root as the default context. You can modify it with newrole.
The executable that I'm trying to run with runcon is "SimulatedImport". This is a very simple program which simply creates a small text file. I have created a domain named "import_t" for this program.
I have an selinux policy that I built as an mls policy off the targeted policy.
When I run audit2allow I get the following:
audit2allow -i /var/log/audit/audit.log -l -v -r
require {
class dir search;
class file { getattr read };
class process transition;
type auditd_log_t;
type unconfined_t;
role system_r;
};
allow unconfined_t auditd_log_t:dir search;
#TYPE=AVC MSG=audit(1177347232.381:45684): COMM="audit2allow" NAME="audit" : search
#TYPE=AVC MSG=audit(1177347344.098:45698): COMM="audit2allow" NAME="audit" : search
allow unconfined_t auditd_log_t:file { getattr read };
#TYPE=AVC MSG=audit(1177347344.098:45699): COMM="audit2allow" NAME="audit.log" : getattr
#TYPE=AVC MSG=audit(1177347344.098:45698): COMM="audit2allow" NAME="audit.log" : read
allow unconfined_t self:process transition;
#TYPE=AVC MSG=audit(1177347223.780:45683): COMM="runcon" NAME="SimulatedImport" : transition
Adding "allow unconfined_t self:process transition;" to my "import" module seems to have no effect.
--> I think you should use allow for a transition from one domain to another, so I don't think that the rule you added is right.
Any help would be appreciated.
Thanks,
Mike
------------------------------
Message: 2
Date: Tue, 24 Apr 2007 08:31:49 -0400
From: Daniel J Walsh
Subject: Re: using runcon -l s1
To: "Clarkson, Mike R (US SSA)"
Cc: fedora-selinux-list@redhat.com
Message-ID: 462DF8B5.5060301@redhat.com
Content-Type: text/plain; charset=windows-1252; format=flowed
Clarkson, Mike R (US SSA) wrote:
> I am trying to figure out how to get "runcon -l s1" to work while having selinux in enforcing mode. So far, I can only use the runcon command successfully with selinux in permissive mode. Here is the error I get when in enforcing mode:
>
> runcon -l s1 ./SimulatedImport /home/m252/SimulatedImport/output/junk
> execvp: Permission denied
>
> My shell is running as root in the unconfined_t domain. Here is the output of id -Z:
> root:system_r:unconfined_t:s0-s15:c0.c255
>
> The executable that I'm trying to run with runcon is "SimulatedImport". This is a very simple program which simply creates a small text file. I have created a domain named "import_t" for this program.
> I have an selinux policy that I built as an mls policy off the targeted policy.
> When I run audit2allow I get the following:
>
> audit2allow -i /var/log/audit/audit.log -l -v -r
> require {
> class dir search;
> class file { getattr read };
> class process transition;
> type auditd_log_t;
> type unconfined_t;
> role system_r;
> };
> allow unconfined_t auditd_log_t:dir search;
> #TYPE=AVC MSG=audit(1177347232.381:45684): COMM="audit2allow" NAME="audit" : search
> #TYPE=AVC MSG=audit(1177347344.098:45698): COMM="audit2allow" NAME="audit" : search
> allow unconfined_t auditd_log_t:file { getattr read };
> #TYPE=AVC MSG=audit(1177347344.098:45699): COMM="audit2allow" NAME="audit.log" : getattr
> #TYPE=AVC MSG=audit(1177347344.098:45698): COMM="audit2allow" NAME="audit.log" : read
> allow unconfined_t self:process transition;
> #TYPE=AVC MSG=audit(1177347223.780:45683): COMM="runcon" NAME="SimulatedImport" : transition
>
> Adding "allow unconfined_t self:process transition;" to my "import" module seems to have no effect.
I think you are being prevented by a constraint of MLS
As a guess I would suggest trying:
mls_process_set_level(unconfined_t)
> Any help would be appreciated.
> Thanks,
> Mike
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
------------------------------
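The two messages above turn on one question: when audit2allow hands back an allow rule and adding it changes nothing, is the denial really a missing type-enforcement rule, or is it an MLS constraint the way Dan Walsh suggests? The script below is an added example written for this page; it is not code from the thread, from audit2allow, or from any SELinux tool. It parses raw audit.log AVC lines, groups the plain denials into audit2allow-style allow rules, and sets aside denials whose source and target already share a type but differ only in MLS range. The audit lines it works on are constructed to resemble the runcon and audit2allow denials quoted above (pid, inode and path values are invented), and the "same type, different range means MLS constraint" rule is an assumption used here as a triage heuristic, not something the SELinux tooling implements.

```python
"""Triage raw SELinux AVC denials: TE rule candidates vs. likely MLS-constraint denials.

Added example for this page, not code from the thread or from audit2allow.
The audit lines in SAMPLE_LOG are constructed; pid/ino/path values are invented.
The MLS heuristic in likely_mls_constraint() is an assumption, not policy logic.
"""
import re
from collections import defaultdict

# Raw audit.log form: type=AVC msg=audit(<ts>:<serial>): avc:  denied  { perms } for  k=v k="v" ...
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample resembling the denials quoted in the thread above.
SAMPLE_LOG = """\
type=AVC msg=audit(1177347223.780:45683): avc:  denied  { transition } for  pid=4132 comm="runcon" path="/home/m252/SimulatedImport/SimulatedImport" dev=dm-0 ino=98765 scontext=root:system_r:unconfined_t:s0-s15:c0.c255 tcontext=root:system_r:unconfined_t:s1 tclass=process
type=AVC msg=audit(1177347232.381:45684): avc:  denied  { search } for  pid=4140 comm="audit2allow" name="audit" dev=dm-0 ino=2341 scontext=root:system_r:unconfined_t:s0-s15:c0.c255 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
type=AVC msg=audit(1177347344.098:45698): avc:  denied  { read } for  pid=4140 comm="audit2allow" name="audit.log" dev=dm-0 ino=2350 scontext=root:system_r:unconfined_t:s0-s15:c0.c255 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file
type=AVC msg=audit(1177347344.098:45699): avc:  denied  { getattr } for  pid=4140 comm="audit2allow" name="audit.log" dev=dm-0 ino=2350 scontext=root:system_r:unconfined_t:s0-s15:c0.c255 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file
"""


def split_context(ctx):
    """Split user:role:type:range. The range itself may contain ':' (s0-s15:c0.c255), so split at most 3 times."""
    user, role, typ, mls = ctx.split(':', 3)
    return user, role, typ, mls


def parse_avc(line):
    """Return a dict for one denied AVC line, or None for anything else."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec = {
        'serial': int(m.group('serial')),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'name': fields.get('name') or fields.get('path'),
        'tclass': fields['tclass'],
    }
    rec['suser'], rec['srole'], rec['stype'], rec['smls'] = split_context(fields['scontext'])
    rec['tuser'], rec['trole'], rec['ttype'], rec['tmls'] = split_context(fields['tcontext'])
    return rec


def parse_log(text):
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def likely_mls_constraint(rec):
    """Assumption: same type on both sides but a different MLS range means no TE rule will help."""
    return rec['stype'] == rec['ttype'] and rec['smls'] != rec['tmls']


def allow_rules(records):
    """Group denials into audit2allow-style allow rules, using 'self' when source and target types match."""
    grouped = defaultdict(set)
    for r in records:
        target = 'self' if r['stype'] == r['ttype'] else r['ttype']
        grouped[(r['stype'], target, r['tclass'])].update(r['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = ' '.join(sorted(perms))
        if len(perms) > 1:
            p = '{ ' + p + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {p};')
    return rules


def triage(text):
    """Split denials into TE rule candidates and MLS-constraint suspects."""
    records = parse_log(text)
    te = [r for r in records if not likely_mls_constraint(r)]
    mls = [r for r in records if likely_mls_constraint(r)]
    return {
        'te_rules': allow_rules(te),
        'mls_suspects': [(r['serial'], r['comm'], r['tclass'], r['perms'], r['smls'], r['tmls']) for r in mls],
    }


if __name__ == '__main__':
    result = triage(SAMPLE_LOG)
    for rule in result['te_rules']:
        print(rule)
    for serial, comm, tclass, perms, smls, tmls in result['mls_suspects']:
        print(f'# serial {serial}: {comm} {tclass} {perms} {smls} -> {tmls}: same type, different MLS range; look at an MLS interface, not an allow rule')
```

Run stand-alone it prints the two auditd_log_t allow rules, which are ordinary TE gaps, and lists the runcon transition denial separately: unconfined_t to unconfined_t with only the range changing from s0-s15:c0.c255 to s1. That is exactly the case the thread describes, where adding "allow unconfined_t self:process transition;" has no effect and the reply points at an MLS interface such as mls_process_set_level() instead.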
Message: 3
Date: Tue, 24 Apr 2007 08:36:01 -0700
From: "Al Pacifico"
Subject: Re: Helper program for a daemon
To: fedora-selinux-list@redhat.com
Cc: Daniel J Walsh
Message-ID: 5d3cd4150704240836q7d6627a0qc931aa67461f9082@mail.gmail.com
Content-Type: text/plain; charset="iso-8859-1"
On 4/19/07, Daniel J Walsh wrote:
> Al Pacifico wrote:
>> I (a greenhorn with selinux) am writing a policy for a daemon that streams music files over my home network to a music player client (a Slimdevices Squeezebox). My OS is FC5.
>> The main daemon (/usr/sbin/slimserver) is a perl script that serves the music files and is started with an init script. My questions have to do with a secondary program (/usr/sbin/slimserver-scanner, also a perl script) that scans the music on the server, reading mp3 tags and such, and generates a database of stored music that is stored in a MySQL database. /usr/sbin/slimserver-scanner is invoked by the /usr/sbin/slimserver daemon and might be invoked by the user (although I can't recall ever doing so in several years of owning a Squeezebox).
>> I've been following the example posted by Dan Walsh in a blog at http://danwalsh.livejournal.com/8707.html?thread=39171 which has been extremely helpful.
>> My (2) questions:
>> - What is the appropriate file context for the scanner program?
>> system_u:object_r:sbin_t? system_u:object_r:slimserver_t? system_u:object_r:slimserver_exec_t?
> That depends on your security goals. If you want the slimserver-scanner to have the same privs as slimserver you would label it sbin_t and allow slimserver to corecmd_exec_sbin(). If you want to go with least privs, you would create a new policy for slimserver-scanner (slimserver_scanner_t with file context of slimserver_scanner_exec_t) and then add a rule to slimserver_t to domtrans slimserver_scanner_domtrans(slimserver_t)
I'm a little confused about this. I want to limit the privileges of slimserver and slimserver-scanner to accessing only certain files. If I label slimserver-scanner as 'sbin_t', when a user executes slimserver-scanner, won't he/she have more privileges than slimserver then?
The generated slimserver.fc file contains:

    # slimserver executable will have:
    # label: system_u:object_r:slimserver_exec_t
    # MLS sensitivity: s0
    # MCS categories:
    /usr/sbin/slimserver      --  gen_context(system_u:object_r:slimserver_exec_t,s0)
    /var/run/slimserver.pid       gen_context(system_u:object_r:slimserver_var_run_t,s0)
    /var/log/slimserver           gen_context(system_u:object_r:slimserver_var_log_t,s0)

and the slimserver.if file contains:

    interface(`slimserver_domtrans',`
        gen_require(`
            type slimserver_t, slimserver_exec_t;
        ')

        domain_auto_trans($1,slimserver_exec_t,slimserver_t)

        allow $1 slimserver_t:fd use;
        allow slimserver_t $1:fd use;
        allow slimserver_t $1:fifo_file rw_file_perms;
        allow slimserver_t $1:process sigchld;
    ')
>> - There is no reason the scanner program should be added to the
>> slimserver.fc that was generated by policygentool, is there?
> Only if you are creating a context for slimserver_scanner_exec_t, otherwise just let it be labeled sbin_t.
The file itself just needs to be labeled appropriately, right? Or does that file play some role in policy compilation in a step that I did not explicitly execute when I invoked 'make -f /usr/share/selinux/devel/Makefile'?
Thanks in advance.
-al
Al Pacifico Seattle, WA