This avc is a constraint violation! Stuck resolving this via --update on sepolgen generated file

Michael Atighetchi matighet at bbn.com
Fri Sep 23 11:46:31 UTC 2011


On 9/23/2011 1:21 PM, Dominick Grift wrote:
> On Fri, 2011-09-23 at 12:55 +0200, Michael Atighetchi wrote:
>> Hi,
>>
>> I am stuck trying to create a selinux policy for the Software Test
>> Automation Framework (STAF) daemon on Fedora 14.
>> From the violations, it seems that STAF wants to send out emails and
>> restart iptables, which is behavior that should be allowed.
>>
>> I've created the initial policy with sepolgen and did run the resulting
>> .sh script with "--update" a number of times, but so far no success in
>> getting a policy that works without generating violations.
>>
>> I have included the resulting te file as an attachment.
> You have made a mistake. When writing policy one should always try and
> take care of any transitions first.
>
> Your policy allows your stafproc_t process to execute iptables but this
> is wrong I suspect. I suspect you added that because stafproc_t needs to
> restart the iptables service. (This requires a domain transition to the
> init script domain. The iptables init script file running in the init
> script domain will execute iptables with a domain transition.)
>
> You added a lot of policy in your type enforcement file that likely
> should not be there. Just because you did not take care of this
> transition described above before allowing anything else.
>
> If you want some interactive guidance with your policy, please stop by
> #fedora-selinux on irc.freenode.net
Dominick,

thanks for the fast response. I'll add the transition you suggested in 
the other email and start over with a small type enforcement file.
What I was trying to do is to use sepolgen to generate a minimalistic 
policy, then run the processes through its paces and add
observed violations via --update.
Regarding transitions, is there a way to programmatically figure out 
what transitions a process might need, or do you have to know something 
about the processes to construct the required transitions?
I will gladly take you up on the interactive guidance early next week.

Thanks and have a great weekend
Michael


>> Any ideas about what could be wrong would be greatly appreciated.
>>
>> The current set of violations are:
>> [root at lime audit]# grep AVC audit.log  | grep STAF
>> type=AVC msg=audit(1316772648.834:16749): avc:  denied  { create } for
>> pid=13504 comm="STAFProc" name="STAF.tmp"
>> scontext=unconfined_u:unconfined_r:STAFProc_t:s0
>> tcontext=unconfined_u:object_r:krb5_host_rcache_t:s0 tclass=file
>> type=AVC msg=audit(1316772676.905:16750): avc:  denied  { read } for
>> pid=13541 comm="killall" name="stat" dev=proc ino=5874476
>> scontext=unconfined_u:unconfined_r:STAFProc_t:s0
>> tcontext=system_u:system_r:sendmail_t:s0 tclass=file
>> type=AVC msg=audit(1316772676.905:16750): avc:  denied  { open } for
>> pid=13541 comm="killall" name="stat" dev=proc ino=5874476
>> scontext=unconfined_u:unconfined_r:STAFProc_t:s0
>> tcontext=system_u:system_r:sendmail_t:s0 tclass=file
>> type=AVC msg=audit(1316772676.906:16751): avc:  denied  { getattr } for
>> pid=13541 comm="killall" path="/proc/1433/stat" dev=proc ino=5874476
>> scontext=unconfined_u:unconfined_r:STAFProc_t:s0
>> tcontext=system_u:system_r:sendmail_t:s0 tclass=file
>> type=AVC msg=audit(1316772677.136:16755): avc:  denied  { transition }
>> for  pid=13558 comm="env" path="/etc/rc.d/init.d/iptables" dev=dm-0
>> ino=652904 scontext=unconfined_u:unconfined_r:STAFProc_t:s0
>> tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
>> type=AVC msg=audit(1316772677.136:16755): avc:  denied  { rlimitinh }
>> for  pid=13558 comm="iptables"
>> scontext=unconfined_u:unconfined_r:STAFProc_t:s0
>> tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
>> type=AVC msg=audit(1316772677.136:16755): avc:  denied  { siginh } for
>> pid=13558 comm="iptables"
>> scontext=unconfined_u:unconfined_r:STAFProc_t:s0
>> tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
>> type=AVC msg=audit(1316772677.136:16755): avc:  denied  { noatsecure }
>> for  pid=13558 comm="iptables"
>> scontext=unconfined_u:unconfined_r:STAFProc_t:s0
>> tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
>> --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux


-- 
Michael Atighetchi
Senior Scientist
Raytheon BBN Technologies
617-873-1679
matighet at bbn.com
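As an added illustration of the triage Dominick describes (deal with transitions before anything else) and of the "constraint violation" in the subject line, the following script is not part of this thread or of STAF; it parses AVC records like the ones quoted above and sorts them into buckets. The rule that a `transition` denial whose source and target share a type but differ in role is a constraint rather than a missing allow rule is a heuristic of this example, as is the grouping of `siginh`/`rlimitinh`/`noatsecure` with the transition they follow.

```python
import re
from collections import defaultdict

# Constructed sample: three of the AVC records quoted in the thread, one per line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1316772648.834:16749): avc:  denied  { create } for pid=13504 comm="STAFProc" name="STAF.tmp" scontext=unconfined_u:unconfined_r:STAFProc_t:s0 tcontext=unconfined_u:object_r:krb5_host_rcache_t:s0 tclass=file
type=AVC msg=audit(1316772677.136:16755): avc:  denied  { transition } for  pid=13558 comm="env" path="/etc/rc.d/init.d/iptables" dev=dm-0 ino=652904 scontext=unconfined_u:unconfined_r:STAFProc_t:s0 tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
type=AVC msg=audit(1316772677.136:16755): avc:  denied  { siginh } for pid=13558 comm="iptables" scontext=unconfined_u:unconfined_r:STAFProc_t:s0 tcontext=unconfined_u:system_r:STAFProc_t:s0 tclass=process
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EXEC_INHERIT = {'siginh', 'rlimitinh', 'noatsecure'}  # process perms checked at exec, alongside transition

def parse_avc(line):
    """Parse one AVC record into a dict of its key=value fields plus a perms list; None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    return rec

def context_parts(ctx):
    """Split user:role:type[:level] into (user, role, type), dropping the MLS level."""
    user, role, typ = ctx.split(':')[:3]
    return user, role, typ

def classify(rec):
    """Bucket a denial as 'constraint', 'transition' or plain 'access' (heuristic, see lead-in)."""
    _, srole, stype = context_parts(rec['scontext'])
    _, trole, ttype = context_parts(rec['tcontext'])
    perms = set(rec['perms'])
    if rec['tclass'] == 'process' and 'transition' in perms and stype == ttype and srole != trole:
        # the role changes but the domain does not: a policy constraint blocks this, not a missing allow
        return 'constraint'
    if rec['tclass'] == 'process' and (perms & ({'transition'} | EXEC_INHERIT)):
        return 'transition'
    return 'access'

def triage(audit_text):
    """Group denials by bucket so transitions are written before ordinary access rules."""
    buckets = defaultdict(list)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            buckets[classify(rec)].append((rec['comm'], rec['perms'], rec['tclass']))
    return dict(buckets)
```

Feed it `grep AVC audit.log` output (records must be on single lines) and start your type enforcement file from the `constraint` and `transition` buckets before touching anything sepolgen --update would add from `access`.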
