A policy from scratch and permissive mode

Stefan Schulze Frielinghaus stefan at seekline.net
Mon Dec 23 01:23:58 UTC 2013


Hi everyone,

It's been a while since I wrote my last policy, but today I gave it a try
and immediately ran into a problem. The target is a user X11
application, so I started with the following TE file, which was basically
generated via selinux-polgengui:

======================================================================
policy_module(foobar, 1.0.0)

attribute_role foobar_roles;
roleattribute system_r foobar_roles;

type foobar_t;
type foobar_exec_t;
application_domain(foobar_t, foobar_exec_t)
role foobar_roles types foobar_t;

permissive foobar_t;

optional_policy(`
        gen_require(`
                type unconfined_t;
                role unconfined_r;
        ')

        foobar_run(unconfined_t, unconfined_r)
')
======================================================================

The interesting part of the IF file is

======================================================================
interface(`foobar_domtrans',`
	gen_require(`
		type foobar_t, foobar_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, foobar_exec_t, foobar_t)
')

interface(`foobar_run',`
	gen_require(`
		type foobar_t;
		attribute_role foobar_roles;
	')

	foobar_domtrans($1)
	roleattribute $2 foobar_roles;
')
======================================================================

Now comes the funny part. If I label the target binary as foobar_exec_t
and execute it (from unconfined_t), then I receive an error message from
the application itself, telling me that the application does not have the
rights to access a resource. However, if I label the target binary as
e.g. usr_t and execute it (again from unconfined_t), then the
application starts as expected and does its job.

This confuses me, since I put foobar_t into permissive mode.

I tried to narrow it down by disabling all dontaudit rules via "semodule
-DB" and allowing everything that was then logged. However, even that
did not help.

As a last try, I labeled the binary as foobar_exec_t again and
enabled permissive mode *globally*. Then the application starts as
expected.

This is kind of strange to me since I said that the type foobar_t should
be permissive. I actually expected no change if I start it as
unconfined_t and transition to foobar_t, or if I execute it as
unconfined_t directly.

Does someone have a pointer for me?

Cheers,
Stefan
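
A note on what a "permissive foobar_t" statement does and does not cover, with an added example that is not part of Stefan's message. The kernel marks a domain permissive only as the *source* of an access check: a denial with scontext type foobar_t is logged but not enforced, and the AVC record says so with permissive=1. A denial where some other, enforcing domain is the source and foobar_t merely appears as the target (another process signalling, ptracing or otherwise acting on the foobar_t process, or accessing an object it created) is still enforced and is logged with permissive=0, because the other domain's policy has no rules for the new type. Global permissive mode flips every record to permissive=1, which is why it makes the symptom disappear. The script below sorts constructed AVC records by that kernel-reported flag; the record contents, pids and the choice of xserver_t as the enforcing peer are made up for illustration and are not a diagnosis of Stefan's case.

```shell
#!/bin/sh
# Added example, not from the original post: classify AVC records from a
# foobar_t test run into "neutralised by the permissive domain" and
# "still enforced". On a real system the records come from
#     ausearch -m AVC,USER_AVC -ts recent
# and the state of the domain can be cross-checked with
#     semanage permissive -l      (or: seinfo --permissive)
#     ps -eZ | grep foobar_t      (did the transition actually happen?)
#
# Constructed sample records; pids, paths and the xserver_t peer are made up.
SAMPLE_AVCS='type=AVC msg=audit(1387761838.001:101): avc:  denied  { read } for  pid=4242 comm="foobar" name=".Xauthority" scontext=unconfined_u:unconfined_r:foobar_t:s0 tcontext=unconfined_u:object_r:xauth_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1387761838.002:102): avc:  denied  { signull } for  pid=1337 comm="Xorg" scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:foobar_t:s0 tclass=process permissive=0
type=AVC msg=audit(1387761838.003:103): avc:  denied  { connectto } for  pid=4242 comm="foobar" path="/tmp/.X11-unix/X0" scontext=unconfined_u:unconfined_r:foobar_t:s0 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1'

# Print the type component of a security context (user:role:type[:level]).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Pull one " key=value" field out of an AVC record; prints nothing if absent
# (very old kernels did not emit the permissive= field at all).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p"
}

# Classify one record relative to the domain that the policy declares
# permissive ($2). The kernel's own verdict is the permissive= field:
# 1 means logged but not enforced, 0 means the access really was refused.
classify_avc() {
    c_stype=$(ctx_type "$(avc_field "$1" scontext)")
    c_ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    c_flag=$(avc_field "$1" permissive)
    if [ "$c_flag" = 1 ]; then
        echo suppressed              # permissive domain (or global permissive) applied
    elif [ "$c_stype" = "$2" ]; then
        echo domain-not-permissive   # source is $2 yet enforced: statement not in effect
    elif [ "$c_ttype" = "$2" ]; then
        echo enforced-against-target # an enforcing peer domain acting on a $2 subject/object
    else
        echo enforced-unrelated
    fi
}

# Number of denials in a log blob that were actually enforced despite $2
# being permissive. grep -c exits 1 on a zero count, hence the || true.
count_enforced() {
    printf '%s\n' "$1" | grep 'denied' | while IFS= read -r rec; do
        classify_avc "$rec" "$2"
    done | grep -cv '^suppressed$' || true
}

# Walk the sample: only the xserver_t -> foobar_t record remains enforced.
printf '%s\n' "$SAMPLE_AVCS" | while IFS= read -r rec; do
    printf '%-25s %s -> %s\n' "$(classify_avc "$rec" foobar_t)" \
        "$(ctx_type "$(avc_field "$rec" scontext)")" \
        "$(ctx_type "$(avc_field "$rec" tcontext)")"
done
echo "still enforced: $(count_enforced "$SAMPLE_AVCS" foobar_t)"
```

Records that come out as domain-not-permissive mean the permissive statement is not actually loaded (module not installed, or the type spelled differently); records that come out as enforced-against-target are the ones a permissive source domain can never fix and need explicit allow rules in the peer domain's direction.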
