problems confining a process

Michael Atighetchi matighet at bbn.com
Sat Jul 23 19:37:27 UTC 2011


Hi Dominick,

thanks for the quick reply again, and for getting me over the hump.

I went with the changes to the .te file, and am now getting the process 
started
in the right domain.

For completeness' sake, here is the relevant info:

[proxyuser at lime cz]$ sudo sesearch -SCT --allow -s unconfined_t -t CZtp_exec_t
<snip>
Found 1 semantic te rules:
    type_transition unconfined_t CZtp_exec_t : process CZtp_t;

The process now shows up with:
[proxyuser at lime target]$ ps -efZ | grep CZtp
unconfined_u:unconfined_r:CZtp_t:s0 501   6355  5903  0 15:26 pts/1    00:00:00 /bin/sh ./CZtp



On 7/23/2011 9:10 PM, Dominick Grift wrote:
> No, but you could add the following to the .te file:
>
> gen_require(` type unconfined_t; role unconfined_r; ')
> CZtp_role(unconfined_r, unconfined_t)
>
> .. Instead of what I suggested in my previous reply. Both methods should
> make the domain transition happen.
>
> On Sat, 2011-07-23 at 21:03 +0200, Michael Atighetchi wrote:
>> One more point. Here is the .if file that sepolgen generated (see below
>> between {{{ and }}}).
>> Should I manually add the gen_require and domtrans_pattern lines you
>> suggested to that policy ?
>>
>> Michael
>>
>> {{{
>>
>> ##<summary>policy for CZtp</summary>
>>
>>
>> ########################################
>> ##<summary>
>> ##      Execute a domain transition to run CZtp.
>> ##</summary>
>> ##<param name="domain">
>> ##<summary>
>> ##      Domain allowed access.
>> ##</summary>
>> ##</param>
>> #
>> interface(`CZtp_domtrans',`
>>           gen_require(`
>>                   type CZtp_t, CZtp_exec_t;
>>           ')
>>
>>           domtrans_pattern($1, CZtp_exec_t, CZtp_t)
>> ')
>>
>>
>> ########################################
>> ##<summary>
>> ##      Execute CZtp in the CZtp domain, and
>> ##      allow the specified role the CZtp domain.
>> ##</summary>
>> ##<param name="domain">
>> ##<summary>
>> ##      Domain allowed access
>> ##</summary>
>> ##</param>
>> ##<param name="role">
>> ##<summary>
>> ##      The role to be allowed the CZtp domain.
>> ##</summary>
>> ##</param>
>> #
>> interface(`CZtp_run',`
>>           gen_require(`
>>                   type CZtp_t;
>>           ')
>>
>>           CZtp_domtrans($1)
>>           role $2 types CZtp_t;
>> ')
>>
>> ########################################
>> ##<summary>
>> ##      Role access for CZtp
>> ##</summary>
>> ##<param name="role">
>> ##<summary>
>> ##      Role allowed access
>> ##</summary>
>> ##</param>
>> ##<param name="domain">
>> ##<summary>
>> ##      User domain for the role
>> ##</summary>
>> ##</param>
>> #
>> interface(`CZtp_role',`
>>           gen_require(`
>>                 type CZtp_t;
>>           ')
>>
>>           role $1 types CZtp_t;
>>
>>           CZtp_domtrans($2)
>>
>>           ps_process_pattern($2, CZtp_t)
>>           allow $2 CZtp_t:process signal;
>> ')
>>
>> }}}
>>
>>
>>
>> On 7/23/2011 8:43 PM, Dominick Grift wrote:
>>> You are probably missing a domain type transition.
>>>
>>> Running the following command you can see if unconfined_t has a domain
>>> type transition defined when it runs executable files with type
>>> CZtp_exec_t:
>>>
>>> sesearch -SCT --allow -s unconfined_t -t CZtp_exec_t
>>>
>>> If none is specified then you must specify that your calling domain
>>> unconfined_t, domain type transitions to CZtp_t when a file with type
>>> CZtp_exec_t is executed.
>>>
>>> You will also need to allow the unconfined_r role the CZtp_t domain.
>>>
>>> After that you may want to allow unconfined_t to interact with CZtp_t in
>>> other ways as well but at least by then the type transition should
>>> happen.
>>>
>>> The policy:
>>>
>>> gen_require(` type unconfined_t, CZtp_exec_t, CZtp_t; role unconfined_r;
>>> ')
>>> domtrans_pattern(unconfined_t, CZtp_exec_t, CZtp_t)
>>> role unconfined_r types CZtp_t;
>>>
>>>
>>> On Sat, 2011-07-23 at 20:32 +0200, Michael Atighetchi wrote:
>>>> Hi,
>>>>
>>>> I'm trying to create a new policy for a constrained process (started by
>>>> an unconstrained user) and am stuck trying to get the process started
>>>> in the right context.
>>>>
>>>> Here are the steps I followed:
>>>>
>>>> 0. confirm SELinux status
>>>> [proxyuser at lime ~]$ sestatus
>>>> SELinux status:                 enabled
>>>> SELinuxfs mount:                /selinux
>>>> Current mode:                   permissive
>>>> Mode from config file:          permissive
>>>> Policy version:                 24
>>>> Policy from config file:        targeted
>>>>
>>>> [proxyuser at lime ~]$ cat /etc/redhat-release
>>>> Fedora release 14 (Laughlin)
>>>>
>>>> [proxyuser at lime cz]$ id -Z
>>>> unconfined_u:unconfined_r:unconfined_t:s0
>>>>
>>>> 1. create policy via
>>>>
>>>> sepolgen -t 3 /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
>>>>
>>>> Note that CZtp is a shell script which in turn calls the JVM.
>>>>
>>>> [proxyuser at lime cz]$ sudo ./CZtp.sh
>>>> Building and Loading Policy
>>>> + make -f /usr/share/selinux/devel/Makefile
>>>> make: Nothing to be done for `all'.
>>>> + /usr/sbin/semodule -i CZtp.pp
>>>> + /sbin/restorecon -F -R -v
>>>> /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
>>>> /sbin/restorecon reset
>>>> /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp context
>>>> system_u:system_r:CZtp_exec_t:s0->system_u:object_r:CZtp_exec_t:s0
>>>>
>>>> 2. Verify that the CZtp file is labeled properly:
>>>> [proxyuser at lime cz]$ ls -lZ
>>>> /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
>>>> -rwxr-xr-x. proxyuser proxyuser system_u:object_r:CZtp_exec_t:s0
>>>> /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
>>>>
>>>> 3. start process
>>>> [proxyuser at lime cz]$ cd /home/proxyuser/trunk/aps-base/crumple-zone/target/
>>>> [proxyuser at lime target]$ ./CZtp
>>>>
>>>> 4. Verify process context
>>>> [proxyuser at lime ~]$ ps -efZ | grep -v grep | grep CZtp
>>>> unconfined_u:unconfined_r:unconfined_t:s0 501 5789 5734  0 14:22 pts/0
>>>> 00:00:00 /bin/sh ./CZtp
>>>>
>>>>
>>>> Note that the process shows up as unconfined_t, although it was labeled
>>>> with CZtp_exec_t.
>>>>
>>>> What am I missing?
>>>>
>>>>
>>>>
>>>> 4. check process context
>>>>
>>


-- 
Michael Atighetchi
Senior Scientist
Raytheon BBN Technologies
617-873-1679
matighet at bbn.com
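An added example, not part of this thread and not sepolgen's own output: a small POSIX shell helper that emits the two .te variants Dominick suggested (the spelled-out domtrans_pattern form and the CZtp_role() interface call), and checks the two things the thread verifies, namely that sesearch reports the process type_transition and that the ps -Z line shows the process in the target domain. The function names are my own, and the sample sesearch and ps lines are constructed to mirror the outputs quoted above.

```shell
#!/bin/sh
# Added example (not from the thread). Helpers for the CZtp domain-transition
# fix: generate the .te additions and check the verification outputs offline.
# Sample outputs are constructed to mirror the ones quoted in the thread.

# Emit the transition policy spelled out with domtrans_pattern().
# Usage: domtrans_policy SRC_DOMAIN ROLE EXEC_TYPE TARGET_DOMAIN
domtrans_policy() {
    cat <<EOF
gen_require(\`
    type $1, $3, $4;
    role $2;
')
domtrans_pattern($1, $3, $4)
role $2 types $4;
EOF
}

# Same effect via the sepolgen-generated <module>_role() interface.
# Usage: role_policy SRC_DOMAIN ROLE MODULE_PREFIX
role_policy() {
    cat <<EOF
gen_require(\`
    type $1;
    role $2;
')
${3}_role($2, $1)
EOF
}

# Read sesearch output on stdin; succeed only if it contains the process
# type_transition SRC_DOMAIN -> TARGET_DOMAIN when EXEC_TYPE is executed.
# Usage: sesearch ... | has_domtrans SRC_DOMAIN EXEC_TYPE TARGET_DOMAIN
has_domtrans() {
    grep -q "type_transition $1 $2 : process $3;"
}

# Print the SELinux type (third field of the context) from one `ps -Z` line.
ps_type() {
    printf '%s\n' "$1" | awk '{ split($1, c, ":"); print c[3] }'
}

# Constructed samples modelled on the outputs quoted in the thread.
SESEARCH_BEFORE='Found 0 semantic te rules:'
SESEARCH_AFTER='Found 1 semantic te rules:
    type_transition unconfined_t CZtp_exec_t : process CZtp_t;'
PS_BEFORE='unconfined_u:unconfined_r:unconfined_t:s0 501 5789 5734  0 14:22 pts/0 00:00:00 /bin/sh ./CZtp'
PS_AFTER='unconfined_u:unconfined_r:CZtp_t:s0 501 6355 5903  0 15:26 pts/1 00:00:00 /bin/sh ./CZtp'

# Succeed only if the rule is defined AND the process actually landed in CZtp_t.
# Usage: transition_ok SESEARCH_OUTPUT PS_LINE
transition_ok() {
    printf '%s\n' "$1" | has_domtrans unconfined_t CZtp_exec_t CZtp_t &&
    [ "$(ps_type "$2")" = "CZtp_t" ]
}

# Stand-alone demo: print the policy lines, then evaluate both sample states.
domtrans_policy unconfined_t unconfined_r CZtp_exec_t CZtp_t
if transition_ok "$SESEARCH_BEFORE" "$PS_BEFORE"; then
    echo "before: confined (unexpected)"
else
    echo "before: no transition rule, process stays unconfined_t"
fi
if transition_ok "$SESEARCH_AFTER" "$PS_AFTER"; then
    echo "after: transition rule present, process runs as CZtp_t"
fi

# Live equivalent on a host with setools installed (not run here):
#   sesearch -SCT --allow -s unconfined_t -t CZtp_exec_t \
#       | has_domtrans unconfined_t CZtp_exec_t CZtp_t
```

Note that has_domtrans only proves the rule is in the loaded policy; the ps_type check is what shows the transition happened, which also depends on the file carrying CZtp_exec_t and on the role being allowed CZtp_t, as the thread works through.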


