[redhat-lspp] rbac-self-test patches

George Wilson gcwilson at us.ibm.com
Thu May 17 03:23:28 UTC 2007


Thanks very much, Matt, for both the patch and some review.  I never
intended the unnecessary restriction and dropped the ball on fixing it.

Thanks,
George Wilson
IBM LTC Security Development


From: Matt Anderson <mra at hp.com>
Sent by: redhat-lspp-bounces at redhat.com
To: redhat-lspp at redhat.com
Date: 05/16/07 18:52
Subject: [redhat-lspp] rbac-self-test patches

From running the rbac-self-test on different systems, and with a
slightly different procedure I ran into some issues.  Thanks to help
from George and Klaus they were resolved.  The main difference was I had
been ssh'ing into the system as a user and using su to become root.
This caused two problems: sysadm_devpts_t instead of sysadm_tty_t and my
SELinux user was staff_u instead of root.  Here are the patches that I
needed in order to get things working for me.

-matt

diff --git a/rbac-self-test/rbac-self-test b/rbac-self-test/rbac-self-test
index acdf59d..f01301c 100644
--- a/rbac-self-test/rbac-self-test
+++ b/rbac-self-test/rbac-self-test
@@ -74,13 +74,18 @@ class SelfTest:
         self.program_name = os.path.basename(sys.argv[0])
         self.read = False
         self.write = True
-        self.SystemHigh = 'SystemHigh'
-        self.SystemLow = 'SystemLow'
         self.expectSuccess = False
         self.expectFailure = True
         self.success = True
         self.failure = False
         self.failure_action_performed = False
+        self.SystemHigh = 'SystemHigh'
+        self.SystemLow = 'SystemLow'
+        self.aide_type = 'aide_t'
+        self.program_type = 'rbacselftest_t'
+        self.helperprogram_type = 'rbacselftesthelper_t'
+        self.selinux_user = selinux.getcon()[1].split(':')[0]
+        self.selinux_role = selinux.getcon()[1].split(':')[1]
         return(None)

     #
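Review bot: `selinux.getcon()` is called twice in this hunk to derive `selinux_user` and `selinux_role`; call it once and unpack the result, e.g. `rc, con = selinux.getcon()` followed by `self.selinux_user, self.selinux_role = con.split(':')[0:2]`, and check `rc` since getcon returns a status alongside the context string. The hunk also relies on the `selinux` module already being imported, which is not visible here.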
@@ -358,7 +363,8 @@ class SelfTest:

         if rc == 0:
             try:
-                rc = self.runcon("root:sysadm_r:aide_t:SystemHigh",
'/usr/sbin/aide', '--init')
+                context = self.selinux_user + ':' + self.selinux_role +
':' + self.aide_type + ':' + self.SystemHigh
+                rc = self.runcon(context, '/usr/sbin/aide', '--init')
             except OSError, (oserrno, strerror):
                 self.message_log('Cannot initialize AIDE database, errno =
' + str(oserrno) + ': ' + strerror)
                 rc = oserrno
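Review bot: the added `context = ...` line has been wrapped by the mail client, so its continuation `':' + self.aide_type + ':' + self.SystemHigh` lacks the leading `+` and the patch will not apply with `git apply` or `patch -p1` as pasted; please attach the patch or send it with `git format-patch` / `git send-email` so the long lines survive intact.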
@@ -397,7 +403,8 @@ class SelfTest:
         rc = 0

         try:
-            rc = self.runcon("root:sysadm_r:aide_t:SystemHigh",
'/usr/sbin/aide', '--check')
+            context = self.selinux_user + ':' + self.selinux_role + ':' +
self.aide_type + ':' + self.SystemHigh
+            rc = self.runcon(context, '/usr/sbin/aide', '--check')
         except OSError, (oserrno, strerror):
             self.message_log('Cannot verify AIDE database, errno = ' +
str(oserrno) + ': ' + strerror)
             rc = oserrno
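Review bot: this is the second copy of the user:role:type:level string assembly (the `--init` hunk has the first and the level-test hunk a third); a small helper such as `self.make_context(self.aide_type, self.SystemHigh)` would keep the three in step. Consider also running the assembled string through `selinux.security_check_context()` before `runcon`, so an invalid user/role/type combination produces a specific log message rather than a bare OSError from the exec.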
@@ -450,8 +457,8 @@ class SelfTest:

         rc = 0

-        context1 = 'root:sysadm_r:rbacselftest_t:' + level1
-        context2 = 'root:sysadm_r:rbacselftesthelper_t:' + level2
+        context1 = self.selinux_user + ':' + self.selinux_role + ':' +
self.program_type + ':' + level1
+        context2 = self.selinux_user + ':' + self.selinux_role + ':' +
self.helperprogram_type + ':' + level2

         if write == True:
             testopname = 'write'
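Review bot: with the hard-coded `root:sysadm_r` gone, nothing in this hunk states which role the self-test expects to be started from; `context1` and `context2` now silently inherit whatever role the caller has, and a mismatch surfaces only as a failed transition at runcon time. A comment here, or a line in the self-test's usage text, naming the expected role (with the cover note's ssh + su case as the example) would make that explicit.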
diff --git a/rbac-self-test/policy/rbacselftest.te
b/rbac-self-test/policy/rbacselftest.te
index de77b1f..8ee7477 100644
--- a/rbac-self-test/policy/rbacselftest.te
+++ b/rbac-self-test/policy/rbacselftest.te
@@ -110,7 +110,7 @@ allow rbacselftest_t var_run_t:file { getattr setattr
create read write };

 # and more
 allow rbacselftest_t self:fd use;
-allow rbacselftest_t self:process { noatsecure rlimitinh siginh };
+allow rbacselftest_t self:process { noatsecure rlimitinh setexec siginh };
 allow rbacselftest_t sysadm_devpts_t:chr_file write;
 allow rbacselftest_t sysadm_tty_device_t:chr_file { read write };

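Review bot: the added `setexec` permission is what allows rbacselftest_t to set its exec context for the AIDE and helper launches in the Python hunks, but the rule carries no comment saying so; a one-line `# setexec: needed for runcon into aide_t / rbacselftesthelper_t` next to it would save the next reader from guessing why the self-test needs it.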
@@ -140,9 +140,12 @@ allow rbacselftest_t rbacselftesthelper_t:process
transition;

 allow rbacselftest_t rbacselftesthelper_t:process { noatsecure rlimitinh
siginh };
 allow rbacselftesthelper_t local_login_t:fd use;
+allow rbacselftesthelper_t newrole_t:fd use;
 allow rbacselftesthelper_t rbacselftest_t:process sigchld;
+allow rbacselftesthelper_t sysadm_devpts_t:chr_file { read write };
-allow rbacselftesthelper_t sysadm_tty_device_t:chr_file { read write };
+allow rbacselftesthelper_t sysadm_tty_device_t:chr_file { read write ioctl
getattr };
 allow rbacselftesthelper_t rbacselftest_t:fd use;
+allow rbacselftesthelper_t rbacselftest_var_run_t:file { read write };

 files_read_all_files(rbacselftesthelper_t)
 libs_use_shared_libs(rbacselftesthelper_t)
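Review bot: the new `rbacselftesthelper_t rbacselftest_var_run_t:file { read write }` rule has no comment saying which step of the helper needs write access; if the helper only reads the parent's run file, `read` alone is the tighter grant. The `newrole_t:fd use` line also implies the test is expected to be launched via newrole, a case the cover note (ssh + su) does not mention; a short comment in the .te for each of these additions would help.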
--
redhat-lspp mailing list
redhat-lspp at redhat.com
https://www.redhat.com/mailman/listinfo/redhat-lspp