[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Selfmade policy not getting enforced on Fedora9




On May 28, 2008, at 8:44 PM, Daniel J Walsh wrote:
You need to define a transition rule from the domain that is executing
the demo application.

So if you are running as unconfined_t you will need a rule like

domtrans_pattern(unconfined_t, demo_exec_t, demo_t)
role unconfined_r types demo_t;

Hey,

You folks rock, thx a bunch. I forget the transition rule. As suggested, I added:


domain_auto_trans(unconfined_t, demo_exec_t, demo_t);


and now the app runs as demo_t:


[stefan localhost policy]$ ps -efZ | grep demo
unconfined_u:unconfined_r:demo_t:s0-s0:c0.c1023 root 2856 2510 0 20:56 pts/2 00:00:00 /usr/local/bin/demo


However, when I set SELinux to enforcing mode again, the app produces a seg fault, doesn't even coming to the point, where it writes to the file. Furthermore, the SELinux Troubleshooter doesn't alert me about having blocked something..

May I dare to ask, what's still missing?


The policy as a whole:


policy_module(demo,1.0.0)

########################################
#
# Declarations
#

type demo_t;
type demo_exec_t;
application_domain(demo_t, demo_exec_t);
domain_auto_trans(unconfined_t, demo_exec_t, demo_t);
role unconfined_r types demo_t;
role system_r types demo_t;

require {
	type unconfined_t;
	role unconfined_r;
}

type demo_tmp_t;
files_tmp_file(demo_tmp_t)

type demo_etc_rw_t;
files_type(demo_etc_rw_t)

########################################
#
# demo local policy
#

## internal communication is often done using fifo and unix sockets.
allow demo_t self:fifo_file rw_file_perms;
allow demo_t self:unix_stream_socket create_stream_socket_perms;

files_read_etc_files(demo_t)

libs_use_ld_so(demo_t)
libs_use_shared_libs(demo_t)

miscfiles_read_localization(demo_t)


allow demo_t demo_tmp_t:file manage_file_perms;
allow demo_t demo_tmp_t:dir create_dir_perms;
files_tmp_filetrans(demo_t,demo_tmp_t, { file dir })

allow demo_t demo_etc_rw_t:file manage_file_perms;
allow demo_t demo_etc_rw_t:dir manage_dir_perms;
files_etc_filetrans(demo_t,demo_etc_rw_t, { file dir })

optional_policy(`
	gen_require(`
		type user_t;
		type user_devpts_t;
		type user_tty_device_t;
		role user_r;
	')

	demo_run(user_t, user_r, { user_tty_device_t user_devpts_t })
')


Many thanks,
Stefan

Attachment: PGP.sig
Description: This is a digitally signed message part


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]