This avc is a constraint violation! Stuck resolving this via --update on sepolgen generated file

Michael Atighetchi matighet at bbn.com
Fri Sep 23 10:55:54 UTC 2011


Hi,

I am stuck trying to create an SELinux policy for the Software Test 
Automation Framework (STAF) daemon on Fedora 14.
From the violations, it seems that STAF wants to send out emails and 
restart iptables, which is behavior that should be allowed.

I've created the initial policy with sepolgen and ran the resulting 
.sh script with "--update" a number of times, but so far no success in 
getting a policy that works without generating violations.

I have included the resulting te file as an attachment.

Any ideas about what could be wrong would be greatly appreciated.

The current set of violations is:
[root at lime audit]# grep AVC audit.log  | grep STAF
type=AVC msg=audit(1316772648.834:16749): avc:  denied  { create } for  pid=13504 comm="STAFProc" name="STAF.tmp" scontext=unconfined_u:unconfined_r:STAFProc_t:s0 tcontext=unconfined_u:object_r:krb5_host_rcache_t:s0 tclass=file
type=AVC msg=audit(1316772676.905:16750): avc:  denied  { read } for  pid=13541 comm="killall" name="stat" dev=proc ino=5874476 scontext=unconfined_u:unconfined_r:STAFProc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=file
type=AVC msg=audit(1316772676.905:16750): avc:  denied  { open } for  pid=13541 comm="killall" name="stat" dev=proc ino=5874476 scontext=unconfined_u:unconfined_r:STAFProc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=file
type=AVC msg=audit(1316772676.906:16751): avc:  denied  { getattr } for  pid=13541 comm="killall" path="/proc/1433/stat" dev=proc ino=5874476 scontext=unconfined_u:unconfined_r:STAFProc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=file
type=AVC msg=audit(1316772677.136:16755): avc:  denied  { transition } for  pid=13558 comm="env" path="/etc/rc.d/init.d/iptables" dev=dm-0 ino=652904 scontext=unconfined_u:unconfined_r:STAFProc_t:s0 tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
type=AVC msg=audit(1316772677.136:16755): avc:  denied  { rlimitinh } for  pid=13558 comm="iptables" scontext=unconfined_u:unconfined_r:STAFProc_t:s0 tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
type=AVC msg=audit(1316772677.136:16755): avc:  denied  { siginh } for  pid=13558 comm="iptables" scontext=unconfined_u:unconfined_r:STAFProc_t:s0 tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
type=AVC msg=audit(1316772677.136:16755): avc:  denied  { noatsecure } for  pid=13558 comm="iptables" scontext=unconfined_u:unconfined_r:STAFProc_t:s0 tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process




-- 
Michael Atighetchi
Senior Scientist
Raytheon BBN Technologies
617-873-1679
matighet at bbn.com

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: STAFProc.te
Url: http://lists.fedoraproject.org/pipermail/selinux/attachments/20110923/ad4f60c1/attachment.pl 
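The following is an added example, not part of the post or of the STAF project: a small Python parser for the AVC records quoted above that groups denials the way audit2allow does (source type, target type, object class, union of permissions) and separately flags the process-class denials whose source and target contexts differ in role. The sample log is the post's own eight records reflowed one per line and embedded as a constructed string. The role check reflects the standard reference-policy behaviour that a process transition which changes the SELinux role is subject to policy constraints in addition to type enforcement, so an allow rule generated from the denial alone does not resolve it; that is the "constraint violation" the subject line refers to.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records from the post above, one record per line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1316772648.834:16749): avc:  denied  { create } for  pid=13504 comm="STAFProc" name="STAF.tmp" scontext=unconfined_u:unconfined_r:STAFProc_t:s0 tcontext=unconfined_u:object_r:krb5_host_rcache_t:s0 tclass=file
type=AVC msg=audit(1316772676.905:16750): avc:  denied  { read } for  pid=13541 comm="killall" name="stat" dev=proc ino=5874476 scontext=unconfined_u:unconfined_r:STAFProc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=file
type=AVC msg=audit(1316772676.905:16750): avc:  denied  { open } for  pid=13541 comm="killall" name="stat" dev=proc ino=5874476 scontext=unconfined_u:unconfined_r:STAFProc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=file
type=AVC msg=audit(1316772676.906:16751): avc:  denied  { getattr } for  pid=13541 comm="killall" path="/proc/1433/stat" dev=proc ino=5874476 scontext=unconfined_u:unconfined_r:STAFProc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=file
type=AVC msg=audit(1316772677.136:16755): avc:  denied  { transition } for  pid=13558 comm="env" path="/etc/rc.d/init.d/iptables" dev=dm-0 ino=652904 scontext=unconfined_u:unconfined_r:STAFProc_t:s0 tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
type=AVC msg=audit(1316772677.136:16755): avc:  denied  { rlimitinh } for  pid=13558 comm="iptables" scontext=unconfined_u:unconfined_r:STAFProc_t:s0 tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
type=AVC msg=audit(1316772677.136:16755): avc:  denied  { siginh } for  pid=13558 comm="iptables" scontext=unconfined_u:unconfined_r:STAFProc_t:s0 tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
type=AVC msg=audit(1316772677.136:16755): avc:  denied  { noatsecure } for  pid=13558 comm="iptables" scontext=unconfined_u:unconfined_r:STAFProc_t:s0 tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
"""

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_context(ctx):
    # user:role:type:level; the MLS level may itself contain ':' so split at most 3 times
    user, role, typ, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": typ, "level": level}


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", "?"),
        "scontext": parse_context(fields["scontext"]),
        "tcontext": parse_context(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def summarize(log_text):
    """Group denials by (source type, target type, class), collecting the
    union of denied permissions, the same grouping audit2allow emits."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            key = (rec["scontext"]["type"], rec["tcontext"]["type"], rec["tclass"])
            rules[key].update(rec["perms"])
    return {k: sorted(v) for k, v in rules.items()}


def allow_rules(log_text):
    """Render the grouped denials as type-enforcement allow rules."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in sorted(summarize(log_text).items())]


def find_role_changes(log_text):
    """Return process-class denials whose source and target contexts differ
    in role or user.  These are not fixed by the allow rules above: the
    policy constraints on process transitions also require the role change
    itself to be permitted (the 'constraint violation' case)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["tclass"] != "process":
            continue
        s, t = rec["scontext"], rec["tcontext"]
        if s["role"] != t["role"] or s["user"] != t["user"]:
            hits.append((rec["comm"], s["role"], t["role"], rec["perms"]))
    return hits


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
    for comm, src_role, dst_role, perms in find_role_changes(SAMPLE_AUDIT_LOG):
        print(f"role change {src_role} -> {dst_role} in {comm} ({' '.join(perms)}): "
              "not resolvable by an allow rule alone")
```

Run against the sample, the first three type-enforcement rules are the ones sepolgen's --update loop keeps regenerating, while the four process-class records are all reported as a role change from unconfined_r to system_r, which is why repeated --update runs never converge on them.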

