On Wed, 2008-05-14 at 11:12 -0400, Sciola, Dario wrote:
Classification: UNCLASSIFIED
Hi,
I've got a small application that I'm trying to get running as a
service on an FC8 SELinux box. I've got an entry in my inittab file
to kick start the app, but all my attempts at writing an appropriate
policy leave that app running in the init_t domain.
This kind of question likely belongs on selinux(a)tycho.nsa.gov, not here
- it isn't really Fedora-specific.
The inittab file entry is:
cds:2345:respawn:/usr/bin/CDSserver -l -p 2732
ps -efZ (observing this as a 'root' user) gives:
system_u:system_r:init_t:s0 root 2663 1 0 10:01 ? 00:00:00 /usr/bin/CDSserver -l -p 2732
My .te file contains:
policy_module(cdsserver,1.0.3)
########################################
#
# Declarations
#
########################################
# Type declarations
###################
# the target domain:
type cds_t;
# Entrypoint for exec
type cds_exec_t;
# domain type
#domain_type(cds_t)
# Mark cds_t as a domain and cds_exec_t as an entrypoint
init_daemon_domain(cds_t, cds_exec_t)
init_daemon_domain is for a normal daemon started by an /etc/rc.d
script, not for something directly started by /sbin/init.
You want init_domain() instead I think.
domain_entry_file(cds_t, cds_exec_t)
This should be covered by the above.
allow cds_t self:process execmem;
Better if you can avoid that.
...
My .fc file contains:
/usr/bin/CDSserver -- gen_context(system_u:object_r:cds_exec_t,s0)
My .if file contains:
interface(`cds_domtrans',`
gen_require(`
type cds_t, cds_exec_t;
')
domain_auto_trans($1,cds_exec_t,cds_t)
allow $1 cds_t:fd use;
allow cds_t $1:fd use;
allow cds_t $1:fifo_file rw_file_perms;
allow cds_t $1:process sigchld;
')
I've also tried putting init_t as $1 in the domain_auto_trans()
An .if file serves no purpose unless you have something that calls the
interfaces it defines. It just defines a set of interfaces for
other .te files to use.
Why isn't the process transitioning to cds_t? I've looked at a lot of
sites and examples and can't seem to figure out my problem. The policy
is the targeted FC8 policy. Module compiles and loads (semodule) fine.
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 21
Policy from config file: targeted
Any ideas?
Dario Sciola
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
Stephen Smalley
National Security Agency
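The init_domain() versus init_daemon_domain() point in the reply above, as an added example that is not the module from the thread: a minimal policy module for a process that /sbin/init launches directly from inittab. The names cds_t, cds_exec_t and the path /usr/bin/CDSserver are taken from the question; the interface behaviour described in the comments is what the reference policy's init_domain() provides, and the version number and section layout are assumptions.

```m4
## cdsserver.te  (added example, not the module posted in the thread)
policy_module(cdsserver, 1.0.4)

########################################
#
# Declarations
#
########################################

# The confined domain the server should run in.
type cds_t;

# Entrypoint type for /usr/bin/CDSserver.  init_t can only transition
# to cds_t when it executes a file carrying this label, so the binary
# must actually be labelled cds_exec_t on disk (see restorecon below);
# loading the module does not relabel existing files.
type cds_exec_t;

# init_domain() is the interface for a process that /sbin/init runs
# directly (inittab).  init_daemon_domain() is for daemons started
# through an /etc/rc.d init script, which is why it never produced an
# init_t -> cds_t transition here.  init_domain() marks cds_t as a
# domain, cds_exec_t as its entrypoint, adds cds_t to the system_r
# role and installs the transition from init_t, so no separate
# domain_entry_file() or hand-written domain_auto_trans() is needed,
# and no custom .if interface has to be written for init_t.
init_domain(cds_t, cds_exec_t)

########################################
#
# Local policy
#
########################################

# Nothing else is granted on purpose.  With the box in permissive mode
# the AVC denials logged against cds_t show exactly what the server
# needs, and audit2allow turns them into rules.  The original module's
# `allow cds_t self:process execmem;` is left out, as the reply advises.


## cdsserver.fc  (added example; the file-context entry from the question)
/usr/bin/CDSserver	--	gen_context(system_u:object_r:cds_exec_t,s0)
```

Build and load it the usual way (`make -f /usr/share/selinux/devel/Makefile cdsserver.pp` with selinux-policy-devel installed, then `semodule -i cdsserver.pp`), then relabel the binary with `restorecon -v /usr/bin/CDSserver` and confirm with `ls -Z /usr/bin/CDSserver` that it now shows cds_exec_t. `sesearch -T -s init_t -t cds_exec_t` should list the type_transition rule to cds_t. The already-running process keeps its init_t label; the transition only happens on the next exec, so after `telinit q` the respawn entry has to restart the server before `ps -efZ` shows system_u:system_r:cds_t. A binary still labelled bin_t is the most common reason a correct-looking module produces no transition.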