What is missing with this policy

Daniel J Walsh dwalsh at redhat.com
Fri Nov 12 14:00:55 UTC 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/12/2010 06:45 AM, Dominick Grift wrote:
> On Thu, Nov 11, 2010 at 06:55:44PM -0800, David Highley wrote:
>> When I install the following policy I see these warnings, what is
>> missing?
>>
>> libsemanage.semanage_fc_sort: WARNING: semanage_fc_sort: Incomplete context.
>> libsemanage.semanage_fc_sort: WARNING: semanage_fc_sort: Incomplete context.
>>
>> sshdfilter.fc:
>> /etc/rc\.d/init\.d/sshdfilter -- gen_context(system_u:object_r:sshdfilter_initrc_exec_t, s0)
>> /etc/sshdfilterrc.* -- gen_context(system_u:object_r:sshdfilter_etc_t, s0)
>> /usr/sbin/sshdfilter -- gen_context(system_u:object_r:sshdfilter_exec_t, s0)
>> #/var/run/sshdfilter.fifo -- gen_context(system_u:object_r:sshdfilter_syslog_t, s0)
> 
> try removing the commented line from the .fc file. Also, what text editor are you using? I've seen issues with some editors appending hidden symbols at the end of a line, which caused problems (emacs).
> 
>>
>> sshdfilter.if:
>> ## <summary></summary>
>>
>> sshdfilter.te:
>> policy_module(sshdfilter, 1.0.7)
>>
>> type sshdfilter_t;
>> type sshdfilter_exec_t;
>> init_daemon_domain(sshdfilter_t, sshdfilter_exec_t)
>>
>> type sshdfilter_initrc_exec_t;
>> init_script_file(sshdfilter_initrc_exec_t)
>>
>> type sshdfilter_etc_t;
>> files_config_file(sshdfilter_etc_t)
>>
>> dev_read_urand(sshdfilter_t)
>> corecmd_search_bin(sshdfilter_t)
>> miscfiles_read_localization(sshdfilter_t)
>>
>> require {
>>         type var_run_t;
>>         type usr_t;
>>         type syslogd_t;
>>         type etc_t;
>>         type shell_exec_t;
>>         type sshdfilter_t;
>>         type bin_t;
>>         type devlog_t;
>>         type sshdfilter_etc_t;
>>         type proc_t;
>>         type net_conf_t;
>>         class sock_file { write getattr };
>>         class lnk_file read;
>>         class unix_dgram_socket { write create connect ioctl sendto };
>>         class file { execute read ioctl execute_no_trans getattr open create };
>>         class fifo_file { write ioctl read open getattr };
>>         class dir { write add_name remove_name };
>> }
>>
>> #============= sshdfilter_t ==============
>> allow sshdfilter_t bin_t:file { read getattr open execute execute_no_trans };
>> allow sshdfilter_t bin_t:lnk_file read;
>> allow sshdfilter_t devlog_t:sock_file { write getattr };
>> allow sshdfilter_t etc_t:file { read getattr open };
>> allow sshdfilter_t proc_t:file { read getattr open };
>> allow sshdfilter_t self:fifo_file { read write ioctl getattr };
>> allow sshdfilter_t self:unix_dgram_socket { write create ioctl connect };
>> allow sshdfilter_t shell_exec_t:file { read execute open getattr execute_no_trans };
>> allow sshdfilter_t sshdfilter_etc_t:file { read ioctl open getattr };
>> allow sshdfilter_t syslogd_t:unix_dgram_socket sendto;
>> allow sshdfilter_t usr_t:file { read getattr open ioctl };
>> allow sshdfilter_t var_run_t:dir { write add_name remove_name };
>> allow sshdfilter_t var_run_t:file { write getattr unlink open create ioctl };
>> allow sshdfilter_t var_run_t:fifo_file { read open ioctl getattr };
>> allow sshdfilter_t net_conf_t:file { read getattr open };
>>
>> optional_policy(`
>>         iptables_domtrans(sshdfilter_t)
>> ')
>> --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>


Also, if your .te file includes gen_require, you probably are not doing
something correctly.

You should use interfaces.

audit2allow -R

Will search for matching interfaces.

corecmd_exec_bin(sshdfilter_t)
corecmd_exec_shell(sshdfilter_t)

files_read_etc_files(sshdfilter_t)
files_read_usr_files(sshdfilter_t)
...


If you are writing a file or directory into a type that you do not own,
that is a time for you to define a type and then do a transition.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkzdSJcACgkQrlYvE4MpobPS4gCguFctLjApzOPZeOM9D55NhaY1
+noAoK/V1GajelqZiEX/ityu07iyGylP
=bhNk
-----END PGP SIGNATURE-----
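As an added example (not from the original post, and not the sshdfilter project's own policy), here is how the .te above might look once the raw allow rules from the require block are replaced by the interfaces that audit2allow -R suggests, and the writes into /var/run are moved onto a private type with a file transition, as the reply recommends. The type name sshdfilter_var_run_t, the version bump, and the choice of which object classes get the transition are assumptions; the interface and permission-set names are the standard Reference Policy ones.

```m4
policy_module(sshdfilter, 1.0.8)

########################################
#
# Declarations
#

type sshdfilter_t;
type sshdfilter_exec_t;
init_daemon_domain(sshdfilter_t, sshdfilter_exec_t)

type sshdfilter_initrc_exec_t;
init_script_file(sshdfilter_initrc_exec_t)

type sshdfilter_etc_t;
files_config_file(sshdfilter_etc_t)

# Assumed: a private type for the pid file and fifo under /var/run,
# so the daemon no longer needs write access to var_run_t itself.
type sshdfilter_var_run_t;
files_pid_file(sshdfilter_var_run_t)

########################################
#
# Local policy
#

# Replaces the self:fifo_file and self:unix_dgram_socket allow rules.
allow sshdfilter_t self:fifo_file rw_fifo_file_perms;
allow sshdfilter_t self:unix_dgram_socket create_socket_perms;

# Config file in /etc: read only (was a raw allow on sshdfilter_etc_t:file).
read_files_pattern(sshdfilter_t, sshdfilter_etc_t, sshdfilter_etc_t)

# Objects under /var/run live in our own type; anything the daemon
# creates directly in var_run_t is relabelled to sshdfilter_var_run_t.
# Replaces the var_run_t:dir, var_run_t:file and var_run_t:fifo_file rules.
manage_dirs_pattern(sshdfilter_t, sshdfilter_var_run_t, sshdfilter_var_run_t)
manage_files_pattern(sshdfilter_t, sshdfilter_var_run_t, sshdfilter_var_run_t)
manage_fifo_files_pattern(sshdfilter_t, sshdfilter_var_run_t, sshdfilter_var_run_t)
files_pid_filetrans(sshdfilter_t, sshdfilter_var_run_t, { dir file fifo_file })

# Interfaces standing in for the raw rules on proc_t, bin_t, shell_exec_t,
# etc_t, usr_t, net_conf_t, devlog_t and syslogd_t.
kernel_read_system_state(sshdfilter_t)

corecmd_exec_bin(sshdfilter_t)
corecmd_exec_shell(sshdfilter_t)

dev_read_urand(sshdfilter_t)

files_read_etc_files(sshdfilter_t)
files_read_usr_files(sshdfilter_t)

logging_send_syslog_msg(sshdfilter_t)

miscfiles_read_localization(sshdfilter_t)

sysnet_read_config(sshdfilter_t)

optional_policy(`
	iptables_domtrans(sshdfilter_t)
')
```

The matching .fc would then label the pid file and fifo with the new type, for instance /var/run/sshdfilter\.pid -- gen_context(system_u:object_r:sshdfilter_var_run_t,s0) and /var/run/sshdfilter\.fifo -p gen_context(system_u:object_r:sshdfilter_var_run_t,s0) (paths assumed; note the -p for a fifo rather than -- for a regular file). The result is that sshdfilter_t can only create, write and unlink objects it owns, instead of having write and add_name on every var_run_t directory, and the require block disappears entirely because each interface pulls in the types it needs.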

