No subject


Thu Nov 22 16:31:42 UTC 2012 

But it still doesn't authorize the script to run and now the messages
triggers errors in audit2allow:

libsepol.mls_from_string: invalid MLS context
libsepol.mls_from_string: could not construct mls context structure
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert
system_u:object_r:proc_t: to sid
libsepol.context_from_record: type op is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:op:s0 to sid
libsepol.context_from_record: type openvpn_ is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert
system_u:object_r:openvpn_:s0 to sid
libsepol.context_from_record: type shell_e is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert
system_u:object_r:shell_e:s0 to sid




$ cat amz_sns.fc
/opt/aws/SimpleNotificationServiceCli.*/bin/.*    --
gen_context(system_u:object_r:amz_sns_exec_t,s0)
/opt/aws/SimpleNotificationServiceCli.*/lib(/.*)?
gen_context(system_u:object_r:amz_sns_lib_t,s0)


$ cat amz_sns.te
policy_module( amz_sns, 1.0.0)

require {
        type openvpn_t;
        type openvpn_tmp_t;
        type shell_exec_t;
}

type amz_sns_t;
type amz_sns_exec_t;
type amz_sns_lib_t;

files_type(amz_sns_lib_t);

domain_type(amz_sns_t)
domain_entry_file(amz_sns_t, amz_sns_exec_t)

allow amz_sns_t amz_sns_exec_t:file { read execute entrypoint };
domain_auto_trans( openvpn_t, amz_sns_exec_t, amz_sns_t );

role system_r types amz_sns_t;  # ???

# The child process sends a signal to its parent as it dies
allow amz_sns_t openvpn_t:process sigchld;

allow amz_sns_t openvpn_tmp_t:file write;   # For /tmp/debug

allow amz_sns_t shell_exec_t:file { read open execute execute_no_trans
};  # Bash exec


Bruno

More information about the selinux mailing list