problems confining a process

Dominick Grift domg472 at gmail.com
Sat Jul 23 19:07:11 UTC 2011


It doesn't; you should be seeing a rule like this:

type_transition unconfined_t CZtp_exec_t : process CZtp_t;

You could try the following:

mkdir ~/mymod; cd ~/mymod;

echo "policy_module(mymod, 1.0.0) gen_require(\` type unconfined_t,
CZtp_exec_t, CZtp_t; role unconfined_r; ') domtrans_pattern(unconfined_t,
CZtp_exec_t, CZtp_t) role unconfined_r types CZtp_t;" > mymod.te;

make -f /usr/share/selinux/devel/Makefile mymod.pp

sudo semodule -i mymod.pp

On Sat, 2011-07-23 at 20:55 +0200, Michael Atighetchi wrote:
> Hi Dominick,
> 
> thanks for the quick reply. Here is what I'm getting when I run the 
> command you suggested:
> 
> [proxyuser at lime ~]$ sesearch -SCT --allow -s unconfined_t -t CZtp_exec_t
> Found 10 semantic av rules:
>     allow files_unconfined_type file_type : filesystem { mount remount 
> unmount getattr relabelfrom relabelto transition associate quotamod 
> quotaget } ;
>     allow files_unconfined_type file_type : file { ioctl read write 
> create getattr setattr lock relabelfrom relabelto append unlink link 
> rename execute swapon quotaon mounton execute_no_trans entrypoint open 
> audit_access } ;
>     allow files_unconfined_type file_type : dir { ioctl read write 
> create getattr setattr lock relabelfrom relabelto append unlink link 
> rename execute swapon quotaon mounton add_name remove_name reparent 
> search rmdir open audit_access execmod } ;
>     allow files_unconfined_type file_type : lnk_file { ioctl read write 
> create getattr setattr lock relabelfrom relabelto append unlink link 
> rename execute swapon quotaon mounton open audit_access execmod } ;
>     allow files_unconfined_type file_type : chr_file { ioctl read write 
> create getattr setattr lock relabelfrom relabelto append unlink link 
> rename execute swapon quotaon mounton execute_no_trans entrypoint open 
> audit_access } ;
>     allow files_unconfined_type file_type : blk_file { ioctl read write 
> create getattr setattr lock relabelfrom relabelto append unlink link 
> rename execute swapon quotaon mounton open audit_access execmod } ;
>     allow files_unconfined_type file_type : sock_file { ioctl read write 
> create getattr setattr lock relabelfrom relabelto append unlink link 
> rename execute swapon quotaon mounton open audit_access execmod } ;
>     allow files_unconfined_type file_type : fifo_file { ioctl read write 
> create getattr setattr lock relabelfrom relabelto append unlink link 
> rename execute swapon quotaon mounton open audit_access execmod } ;
>     allow unconfined_usertype application_exec_type : file { ioctl read 
> getattr lock execute execute_no_trans open } ;
> ET allow files_unconfined_type file_type : file execmod ; [ allow_execmod ]
> 
> I have a hard time telling whether the output qualifies as specifying a 
> domain type transition or not - do you know whether it does? If not, 
> what should I do with the policy you suggested (in terms of commands to 
> get it installed) ?
> 
> Thanks for the help
> Michael
> 
> 
> 
> On 7/23/2011 8:43 PM, Dominick Grift wrote:
> > You are probably missing a domain type transition.
> >
> > running the following command you can see if unconfined_t has a domain
> > type transition defined when it runs executable files with type
> > CZtp_exec_t:
> >
> > sesearch -SCT --allow -s unconfined_t -t CZtp_exec_t
> >
> > if none is specified then you must specify that your calling domain
> > unconfined_t, domain type transitions to CZtp_t when a file with type
> > CZtp_exec_t is executed.
> >
> > You will also need to allow the unconfined_r role the CZtp_t domain.
> >
> > After that you may want to allow unconfined_t to interact with CZtp_t in
> > other ways as well but at least by then the type transition should
> > happen.
> >
> > The policy:
> >
> > gen_require(` type unconfined_t, CZtp_exec_t, CZtp_t; role unconfined_r;
> > ')
> > domtrans_pattern(unconfined_t, CZtp_exec_t, CZtp_t)
> > role unconfined_r types CZtp_t;
> >
> >
> > On Sat, 2011-07-23 at 20:32 +0200, Michael Atighetchi wrote:
> >> Hi,
> >>
> >> I'm trying to create a new policy for a constrained process (started by
> >> an unconstrained user) and am stuck trying to get the process started
> >> in the right context.
> >>
> >> Here are the steps I followed:
> >>
> >> 0. confirm SELinux status
> >> [proxyuser at lime ~]$ sestatus
> >> SELinux status:                 enabled
> >> SELinuxfs mount:                /selinux
> >> Current mode:                   permissive
> >> Mode from config file:          permissive
> >> Policy version:                 24
> >> Policy from config file:        targeted
> >>
> >> [proxyuser at lime ~]$ cat /etc/redhat-release
> >> Fedora release 14 (Laughlin)
> >>
> >> [proxyuser at lime cz]$ id -Z
> >> unconfined_u:unconfined_r:unconfined_t:s0
> >>
> >> 1. create policy via
> >>
> >> sepolgen -t 3 /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
> >>
> >> Note that CZtp is a shell script which in turn calls the JVM.
> >>
> >> [proxyuser at lime cz]$ sudo ./CZtp.sh
> >> Building and Loading Policy
> >> + make -f /usr/share/selinux/devel/Makefile
> >> make: Nothing to be done for `all'.
> >> + /usr/sbin/semodule -i CZtp.pp
> >> + /sbin/restorecon -F -R -v
> >> /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
> >> /sbin/restorecon reset
> >> /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp context
> >> system_u:system_r:CZtp_exec_t:s0->system_u:object_r:CZtp_exec_t:s0
> >>
> >> 2. Verify that the CZtp file is labeled properly:
> >> [proxyuser at lime cz]$ ls -lZ
> >> /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
> >> -rwxr-xr-x. proxyuser proxyuser system_u:object_r:CZtp_exec_t:s0
> >> /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
> >>
> >> 3. start process
> >> [proxyuser at lime cz]$ cd /home/proxyuser/trunk/aps-base/crumple-zone/target/
> >> [proxyuser at lime target]$ ./CZtp
> >>
> >> 4. Verify process context
> >> [proxyuser at lime ~]$ ps -efZ | grep -v grep | grep CZtp
> >> unconfined_u:unconfined_r:unconfined_t:s0 501 5789 5734  0 14:22 pts/0
> >> 00:00:00 /bin/sh ./CZtp
> >>
> >>
> >> Note that the process shows up as unconfined_t, although it was labeled
> >> with CZtp_exec_t.
> >>
> >> What am I missing?
> >>
> >>
> >>
> >> 4. check process context
> >>
> 
> 
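Added example, not part of the thread: a small Python checker that answers Michael's question mechanically. It parses the text that `sesearch -SCT --allow -s unconfined_t -t CZtp_exec_t` prints, looks for a `type_transition ... : process ...` rule (the thing that is absent from the quoted output), and reports which file permissions on the executable are granted. It also renders the `.te` module Dominick describes with the `gen_require` block closed before `domtrans_pattern`. The sample outputs are constructed for the example (the first is abridged from the quoted listing, the second adds the rules `domtrans_pattern` would install); the function names are my own.

```python
import re

# First sample: abridged from the sesearch output quoted in the thread.
# No type_transition rule appears, so the process stays unconfined_t.
SAMPLE_NO_TRANS = """Found 10 semantic av rules:
   allow files_unconfined_type file_type : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton execute_no_trans entrypoint open audit_access } ;
   allow unconfined_usertype application_exec_type : file { ioctl read getattr lock execute execute_no_trans open } ;
ET allow files_unconfined_type file_type : file execmod ; [ allow_execmod ]
"""

# Second sample (constructed): the same query after a domtrans_pattern()
# module for (unconfined_t, CZtp_exec_t, CZtp_t) has been loaded.
SAMPLE_WITH_TRANS = SAMPLE_NO_TRANS + """   allow unconfined_t CZtp_exec_t : file { getattr open read execute } ;
   type_transition unconfined_t CZtp_exec_t : process CZtp_t;
"""

# One sesearch rule line. Conditional rules carry a two-letter prefix
# (E/D = enabled/disabled, T/F = true/false branch) and a trailing "[ bool ]".
RULE_RE = re.compile(
    r'^\s*(?P<cond>[A-Z]{1,2}\s+)?(?P<kind>allow|type_transition)\s+'
    r'(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s+'
    r'(?:\{\s*(?P<many>[^}]*)\}|(?P<one>[^;\s]+))\s*;'
    r'(?:\s*\[\s*(?P<bool>[^\]]+)\])?'
)

# Permissions the source domain needs on the executable for the exec() to be
# allowed at all (what domtrans_pattern grants the source on the entry file).
EXEC_PERMS = {"getattr", "open", "read", "execute"}


def parse_rules(text):
    """Turn sesearch output into a list of rule dicts; non-rule lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        many = m.group("many")
        rules.append({
            "kind": m.group("kind"),
            "src": m.group("src"),
            "tgt": m.group("tgt"),
            "cls": m.group("cls"),
            # for type_transition the single trailing token is the default type
            "perms": many.split() if many is not None else [m.group("one")],
            "conditional": (m.group("bool") or "").strip() or None,
            "enabled": m.group("cond") is None or m.group("cond").strip().startswith("E"),
        })
    return rules


def domain_transition_target(rules, exec_type):
    """Domain entered when exec_type is executed, or None if no rule says so."""
    for r in rules:
        if r["kind"] == "type_transition" and r["cls"] == "process" and r["tgt"] == exec_type:
            return r["perms"][0]
    return None


def file_perms_granted(rules):
    """Union of file-class permissions from enabled allow rules in the output.
    sesearch has already matched attributes against the queried types, so every
    returned allow rule applies to the (source, target) pair that was asked for."""
    granted = set()
    for r in rules:
        if r["kind"] == "allow" and r["cls"] == "file" and r["enabled"]:
            granted.update(r["perms"])
    return granted


def diagnose(sesearch_output, src, exec_type):
    """Does this output show a domain type transition for src running exec_type?"""
    rules = parse_rules(sesearch_output)
    target = domain_transition_target(rules, exec_type)
    missing = sorted(EXEC_PERMS - file_perms_granted(rules))
    if target is None:
        verdict = f"no type_transition rule: {src} stays {src} when it runs {exec_type}"
    elif missing:
        verdict = f"transition to {target} defined, but {src} lacks {missing} on {exec_type}"
    else:
        verdict = f"{src} executing {exec_type} transitions to {target}"
    return {"transition": target, "missing_exec_perms": missing, "verdict": verdict}


def domtrans_module(name, src, exec_type, target, role):
    """Render the .te module from the thread; gen_require is closed before the
    macro call, which the one-line echo in the reply gets wrong if mis-bracketed."""
    return (
        f"policy_module({name}, 1.0.0)\n\n"
        "gen_require(`\n"
        f"\ttype {src}, {exec_type}, {target};\n"
        f"\trole {role};\n"
        "')\n\n"
        f"# {src} executing {exec_type} enters {target}\n"
        f"domtrans_pattern({src}, {exec_type}, {target})\n"
        f"role {role} types {target};\n"
    )


if __name__ == "__main__":
    for sample in (SAMPLE_NO_TRANS, SAMPLE_WITH_TRANS):
        print(diagnose(sample, "unconfined_t", "CZtp_exec_t")["verdict"])
    print(domtrans_module("mymod", "unconfined_t", "CZtp_exec_t", "CZtp_t", "unconfined_r"))
```

Feed it real output by piping `sesearch -SCT --allow -s unconfined_t -t CZtp_exec_t` into `diagnose()`; the role half of the fix (`role unconfined_r types CZtp_t;`) is not visible in sesearch output and has to be checked separately, for example with `seinfo -r unconfined_r -x`.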