Selfmade policy not getting enforced on Fedora9

Stefan Schleifer stefan.schleifer at gmail.com
Wed May 28 19:23:53 UTC 2008


On May 28, 2008, at 8:44 PM, Daniel J Walsh wrote:
> You need to define a transition rule from the domain that is executing
> the demo application.
>
> So if you are running as unconfined_t you will need a rule like
>
> domtrans_pattern(unconfined_t, demo_exec_t, demo_t)
> role unconfined_r types demo_t;

Hey,

You folks rock, thx a bunch. I forgot the transition rule. As suggested, I added:


domain_auto_trans(unconfined_t, demo_exec_t, demo_t);


and now the app runs as demo_t:


[stefan at localhost policy]$ ps -efZ | grep demo
unconfined_u:unconfined_r:demo_t:s0-s0:c0.c1023 root 2856 2510 0 20:56 pts/2 00:00:00 /usr/local/bin/demo


However, when I set SELinux to enforcing mode again, the app produces a
seg fault and doesn't even get to the point where it writes to the file.
Furthermore, the SELinux Troubleshooter doesn't alert me about having
blocked something.

May I dare to ask what's still missing?


The policy as a whole:


policy_module(demo,1.0.0)

########################################
#
# Declarations
#

type demo_t;
type demo_exec_t;
application_domain(demo_t, demo_exec_t);
domain_auto_trans(unconfined_t, demo_exec_t, demo_t);
role unconfined_r types demo_t;
role system_r types demo_t;

require {
	type unconfined_t;
	role unconfined_r;
}

type demo_tmp_t;
files_tmp_file(demo_tmp_t)

type demo_etc_rw_t;
files_type(demo_etc_rw_t)

########################################
#
# demo local policy
#

## internal communication is often done using fifo and unix sockets.
allow demo_t self:fifo_file rw_file_perms;
allow demo_t self:unix_stream_socket create_stream_socket_perms;

files_read_etc_files(demo_t)

libs_use_ld_so(demo_t)
libs_use_shared_libs(demo_t)

miscfiles_read_localization(demo_t)


allow demo_t demo_tmp_t:file manage_file_perms;
allow demo_t demo_tmp_t:dir create_dir_perms;
files_tmp_filetrans(demo_t,demo_tmp_t, { file dir })

allow demo_t demo_etc_rw_t:file manage_file_perms;
allow demo_t demo_etc_rw_t:dir manage_dir_perms;
files_etc_filetrans(demo_t,demo_etc_rw_t, { file dir })

optional_policy(`
	gen_require(`
		type user_t;
		type user_devpts_t;
		type user_tty_device_t;
		role user_r;
	')

	demo_run(user_t, user_r, { user_tty_device_t user_devpts_t })
')


Many thanks,
Stefan
