Hi,
I'm trying to create a new policy for a constrained process (started by an unconstrained user) and am stuck trying to get the process started in the right context.
Here are the steps I followed:
0. confirm SELinux status

[proxyuser@lime ~]$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        targeted

[proxyuser@lime ~]$ cat /etc/redhat-release
Fedora release 14 (Laughlin)

[proxyuser@lime cz]$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0

1. create policy via

sepolgen -t 3 /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp

Note that CZtp is a shell script which in turn calls the JVM.

[proxyuser@lime cz]$ sudo ./CZtp.sh
Building and Loading Policy
+ make -f /usr/share/selinux/devel/Makefile
make: Nothing to be done for `all'.
+ /usr/sbin/semodule -i CZtp.pp
+ /sbin/restorecon -F -R -v /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
/sbin/restorecon reset /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp context system_u:system_r:CZtp_exec_t:s0->system_u:object_r:CZtp_exec_t:s0

2. Verify that the CZtp file is labeled properly:

[proxyuser@lime cz]$ ls -lZ /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
-rwxr-xr-x. proxyuser proxyuser system_u:object_r:CZtp_exec_t:s0 /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp

3. start process

[proxyuser@lime cz]$ cd /home/proxyuser/trunk/aps-base/crumple-zone/target/
[proxyuser@lime target]$ ./CZtp

4. Verify process context

[proxyuser@lime ~]$ ps -efZ | grep -v grep | grep CZtp
unconfined_u:unconfined_r:unconfined_t:s0 501 5789 5734 0 14:22 pts/0 00:00:00 /bin/sh ./CZtp
Note that the process shows up as unconfined_t, although it was labeled with CZtp_exec_t.
What am I missing?
4. check process context
You are probably missing a domain type transition.
Running the following command, you can see whether unconfined_t has a domain type transition defined when it runs executable files with type CZtp_exec_t:

sesearch -SCT --allow -s unconfined_t -t CZtp_exec_t

If none is specified, then you must specify that your calling domain, unconfined_t, domain-type-transitions to CZtp_t when a file with type CZtp_exec_t is executed.
You will also need to allow the unconfined_r role the CZtp_t domain.
After that you may want to allow unconfined_t to interact with CZtp_t in other ways as well, but at least by then the type transition should happen.
The policy:

gen_require(`
	type unconfined_t, CZtp_exec_t, CZtp_t;
	role unconfined_r;
')

domtrans_pattern(unconfined_t, CZtp_exec_t, CZtp_t)
role unconfined_r types CZtp_t;
On Sat, 2011-07-23 at 20:32 +0200, Michael Atighetchi wrote:
Hi Dominick,
thanks for the quick reply. Here is what I'm getting when I run the command you suggested:
[proxyuser@lime ~]$ sesearch -SCT --allow -s unconfined_t -t CZtp_exec_t
Found 10 semantic av rules:
   allow files_unconfined_type file_type : filesystem { mount remount unmount getattr relabelfrom relabelto transition associate quotamod quotaget } ;
   allow files_unconfined_type file_type : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton execute_no_trans entrypoint open audit_access } ;
   allow files_unconfined_type file_type : dir { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod } ;
   allow files_unconfined_type file_type : lnk_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton open audit_access execmod } ;
   allow files_unconfined_type file_type : chr_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton execute_no_trans entrypoint open audit_access } ;
   allow files_unconfined_type file_type : blk_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton open audit_access execmod } ;
   allow files_unconfined_type file_type : sock_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton open audit_access execmod } ;
   allow files_unconfined_type file_type : fifo_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton open audit_access execmod } ;
   allow unconfined_usertype application_exec_type : file { ioctl read getattr lock execute execute_no_trans open } ;
ET allow files_unconfined_type file_type : file execmod ; [ allow_execmod ]

I have a hard time telling whether the output qualifies as specifying a domain type transition or not - do you know whether it does? If not, what should I do with the policy you suggested (in terms of commands to get it installed)?

Thanks for the help,
Michael
On 7/23/2011 8:43 PM, Dominick Grift wrote:
It doesn't; you should be seeing a rule like this:

type_transition unconfined_t CZtp_exec_t : process CZtp_t;

You could try the following:

mkdir ~/mymod; cd ~/mymod
cat > mymod.te <<'EOF'
policy_module(mymod, 1.0.0)

gen_require(`
	type unconfined_t, CZtp_exec_t, CZtp_t;
	role unconfined_r;
')

domtrans_pattern(unconfined_t, CZtp_exec_t, CZtp_t)
role unconfined_r types CZtp_t;
EOF
make -f /usr/share/selinux/devel/Makefile mymod.pp
sudo semodule -i mymod.pp
On Sat, 2011-07-23 at 20:55 +0200, Michael Atighetchi wrote:
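A way to read that sesearch output mechanically, as an added example that is not part of this thread: a small Python parser for the setools 3 text format shown above. It reports whether a `type_transition ... : process` rule exists for the (source domain, exec type, target domain) triple and, when it does not, why the process stays in the caller's domain: unconfined_t holds execute_no_trans on file_type, so the exec simply proceeds without a transition instead of being denied. The parser, the rule classes and the abridged sample output are constructed for this example (the sample lines come from the two sesearch runs quoted in this thread); it never runs sesearch itself.

```python
"""Decide from sesearch -SCT --allow -s SRC -t EXEC output whether executing a
file of type EXEC from domain SRC lands the new process in a different domain.
Hypothetical helper written for this thread; it parses setools-3 style text."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# setools 3 prefixes conditional rules with two letters: E/D says whether the
# rule is currently enabled/disabled, T/F which branch of the boolean (named in
# the trailing [ ... ]) it lives in.  Unconditional rules carry no prefix.
_AV_RE = re.compile(
    r'^\s*(?:(?P<flags>[A-Z]{2})\s+)?'
    r'(?P<kind>allow|auditallow|dontaudit|neverallow)\s+'
    r'(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s+'
    r'(?P<perms>\{[^}]*\}|[^\s;]+)\s*;'
    r'(?:\s*\[\s*(?P<cond>[^\]]*?)\s*\])?')
_TT_RE = re.compile(
    r'^\s*(?:(?P<flags>[A-Z]{2})\s+)?type_transition\s+'
    r'(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s+(?P<new>[^\s;"]+)'
    r'(?:\s+"[^"]*")?\s*;')


@dataclass(frozen=True)
class AVRule:
    kind: str
    source: str
    target: str
    tclass: str
    perms: frozenset
    cond: Optional[str]


@dataclass(frozen=True)
class TypeTransition:
    source: str
    target: str
    tclass: str
    new_type: str


def parse_sesearch(text: str) -> Tuple[List[AVRule], List[TypeTransition]]:
    """Split sesearch output into access-vector rules and type_transition rules.
    Conditional rules whose boolean is currently off (D? prefix) are dropped:
    the kernel does not enforce them, so they must not count as granted."""
    av, tt = [], []
    for line in text.splitlines():
        m = _AV_RE.match(line)
        if m:
            if (m['flags'] or 'E')[0] != 'D':
                perms = frozenset(m['perms'].strip('{} ').split())
                av.append(AVRule(m['kind'], m['src'], m['tgt'], m['cls'], perms, m['cond']))
            continue
        m = _TT_RE.match(line)
        if m and (m['flags'] or 'E')[0] != 'D':
            tt.append(TypeTransition(m['src'], m['tgt'], m['cls'], m['new']))
    return av, tt


def check_domtrans(text: str, source: str, exec_type: str, target: str) -> dict:
    """Explain what happens when `source` execs a file labelled `exec_type`.

    Assumes `text` came from sesearch -SCT --allow -s <source> -t <exec_type>:
    the semantic (-S) search already matched attribute-based rules such as
    `allow files_unconfined_type file_type ...` against this concrete pair, so
    every av rule printed applies to it and no attribute resolution is needed.
    """
    av, tt = parse_sesearch(text)
    file_perms = set()
    for r in av:
        if r.kind == 'allow' and r.tclass == 'file':
            file_perms |= r.perms
    auto = any(t.tclass == 'process' and t.source == source
               and t.target == exec_type and t.new_type == target for t in tt)
    res = {'can_execute': 'execute' in file_perms,
           'execute_no_trans': 'execute_no_trans' in file_perms,
           'auto_transition': auto}
    if auto:
        res['verdict'] = f'exec of {exec_type} moves {source} into {target}'
    elif res['can_execute'] and res['execute_no_trans']:
        res['verdict'] = (f'no type_transition rule: the process stays in {source}, '
                          'which execute_no_trans explicitly permits')
    elif res['can_execute']:
        res['verdict'] = f'{source} may execute {exec_type} but has neither a transition nor execute_no_trans'
    else:
        res['verdict'] = f'{source} may not execute {exec_type} at all'
    return res


# Constructed sample, abridged from the sesearch output quoted in this thread:
# the run before the fix (av rules only) and after it (plus the te rule).
BEFORE = """\
Found 10 semantic av rules:
   allow files_unconfined_type file_type : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton execute_no_trans entrypoint open audit_access } ;
   allow unconfined_usertype application_exec_type : file { ioctl read getattr lock execute execute_no_trans open } ;
ET allow files_unconfined_type file_type : file execmod ; [ allow_execmod ]
"""
AFTER = BEFORE + """\
Found 1 semantic te rules:
   type_transition unconfined_t CZtp_exec_t : process CZtp_t;
"""

if __name__ == '__main__':
    for label, text in (('before', BEFORE), ('after', AFTER)):
        print(label + ':', check_domtrans(text, 'unconfined_t', 'CZtp_exec_t', 'CZtp_t')['verdict'])
```

The `--allow` query only lists access-vector rules, so the decisive `type_transition` line appears under its own "semantic te rules" heading; a checker that stops at the first `allow` rule granting `execute` would wrongly conclude the transition is in place.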
One more point. Here is the .if file that sepolgen generated (see below between {{{ and }}}). Should I manually add the gen_require and domtrans_pattern lines you suggested to that policy?
Michael
{{{
## <summary>policy for CZtp</summary>

########################################
## <summary>
##	Execute a domain transition to run CZtp.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`CZtp_domtrans',`
	gen_require(`
		type CZtp_t, CZtp_exec_t;
	')

	domtrans_pattern($1, CZtp_exec_t, CZtp_t)
')

########################################
## <summary>
##	Execute CZtp in the CZtp domain, and
##	allow the specified role the CZtp domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the CZtp domain.
##	</summary>
## </param>
#
interface(`CZtp_run',`
	gen_require(`
		type CZtp_t;
	')

	CZtp_domtrans($1)
	role $2 types CZtp_t;
')

########################################
## <summary>
##	Role access for CZtp
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
#
interface(`CZtp_role',`
	gen_require(`
		type CZtp_t;
	')

	role $1 types CZtp_t;
	CZtp_domtrans($2)
	ps_process_pattern($2, CZtp_t)
	allow $2 CZtp_t:process signal;
')
}}}
No, but you could add the following to the .te file:
gen_require(`
	type unconfined_t;
	role unconfined_r;
')

CZtp_role(unconfined_r, unconfined_t)

... instead of what I suggested in my previous reply. Both methods should make the domain transition happen.
On Sat, 2011-07-23 at 21:03 +0200, Michael Atighetchi wrote:
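Why both methods come out the same, as an added example that is neither sepolgen's nor the reference policy's code: a small Python expander for the m4 interfaces in the CZtp.if file quoted above. It expands CZtp_role(unconfined_r, unconfined_t) and CZtp_run(unconfined_t, unconfined_r) the way the module build would, and checks that each expansion contains the two statements from the hand-written fix in the earlier reply (domtrans_pattern plus the role line). The helper names (parse_interfaces, expand, covers) and the trimmed copy of the .if file are assumptions of this example; the expander understands only the m4 subset the file uses (backtick/quote nesting, $N parameters, one statement per line).

```python
"""Expand the interfaces sepolgen wrote into CZtp.if, as m4 does at module build
time, so the two fixes suggested in this thread can be compared rule for rule.
Hypothetical helper written for this thread; not part of sepolgen or refpolicy."""
import re
from typing import Dict, List, Tuple

# The three interfaces from the thread's CZtp.if, doc comments dropped.
IF_FILE = """\
## <summary>policy for CZtp</summary>

interface(`CZtp_domtrans',`
	gen_require(`
		type CZtp_t, CZtp_exec_t;
	')

	domtrans_pattern($1, CZtp_exec_t, CZtp_t)
')

interface(`CZtp_run',`
	gen_require(`
		type CZtp_t;
	')

	CZtp_domtrans($1)
	role $2 types CZtp_t;
')

interface(`CZtp_role',`
	gen_require(`
		type CZtp_t;
	')

	role $1 types CZtp_t;
	CZtp_domtrans($2)
	ps_process_pattern($2, CZtp_t)
	allow $2 CZtp_t:process signal;
')
"""

_CALL_RE = re.compile(r'(\w+)\(([^()]*)\)')


def _read_quoted(text: str, i: int) -> Tuple[str, int]:
    """text[i] must be an m4 opening quote (`); return (content, index just past
    the matching closing quote '), honouring nested quote pairs."""
    if text[i] != '`':
        raise ValueError(f'expected ` at offset {i}')
    depth = 0
    for j in range(i, len(text)):
        if text[j] == '`':
            depth += 1
        elif text[j] == "'":
            depth -= 1
            if depth == 0:
                return text[i + 1:j], j + 1
    raise ValueError('unbalanced m4 quotes')


def parse_interfaces(text: str) -> Dict[str, str]:
    """Map interface name -> raw body for every interface(`name',` body ') block."""
    ifaces, pos = {}, 0
    while True:
        k = text.find('interface(`', pos)
        if k < 0:
            return ifaces
        name, j = _read_quoted(text, k + len('interface('))
        while text[j] in ', \t\n':          # skip the comma before the body quote
            j += 1
        ifaces[name], pos = _read_quoted(text, j)


def _strip_requires(body: str) -> str:
    """Drop gen_require(` ... ') blocks: they declare dependencies, grant nothing."""
    out, pos = [], 0
    while True:
        k = body.find('gen_require(`', pos)
        if k < 0:
            out.append(body[pos:])
            return ''.join(out)
        out.append(body[pos:k])
        _, j = _read_quoted(body, k + len('gen_require('))
        pos = body.index(')', j) + 1         # closing paren of gen_require(...)


def expand(call: str, ifaces: Dict[str, str], depth: int = 0) -> List[str]:
    """Return the statements `call` expands to, one per entry.  Calls the .if does
    not define (domtrans_pattern, ps_process_pattern live in refpolicy) stay as-is."""
    if depth > 16:
        raise RecursionError(f'interface expansion too deep at {call}')
    call = call.strip()
    m = _CALL_RE.fullmatch(call)
    if not m or m[1] not in ifaces:
        return [call]
    body = _strip_requires(ifaces[m[1]])
    for n, arg in enumerate(m[2].split(','), start=1):
        body = body.replace(f'${n}', arg.strip())
    stmts = []
    for line in body.splitlines():
        if line.strip():
            stmts.extend(expand(line, ifaces, depth + 1))
    return stmts


def hand_written_rules(source: str, exec_type: str, target: str, role: str) -> List[str]:
    """The two statements the first reply in this thread put straight into the .te."""
    return [f'domtrans_pattern({source}, {exec_type}, {target})',
            f'role {role} types {target};']


def covers(expansion: List[str], needed: List[str]) -> bool:
    """True when every hand-written statement also appears in the expansion."""
    return all(stmt in expansion for stmt in needed)


if __name__ == '__main__':
    ifaces = parse_interfaces(IF_FILE)
    needed = hand_written_rules('unconfined_t', 'CZtp_exec_t', 'CZtp_t', 'unconfined_r')
    for call in ('CZtp_role(unconfined_r, unconfined_t)', 'CZtp_run(unconfined_t, unconfined_r)'):
        rules = expand(call, ifaces)
        print(call, '->', rules, '| covers hand-written fix:', covers(rules, needed))
```

Note the argument order differs between the two interfaces (CZtp_role takes the role first, CZtp_run the domain first); the expansion makes such mistakes visible as a `role unconfined_t types CZtp_t;` line, which the build would reject.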
Hi Dominick,
thanks for the quick reply again, and for getting me over the hump.
I went with the changes to the .te file, and am now getting the process started in the right domain.
For completeness' sake, here is the following info:

[proxyuser@lime cz]$ sudo sesearch -SCT --allow -s unconfined_t -t CZtp_exec_t
<snip>
Found 1 semantic te rules:
   type_transition unconfined_t CZtp_exec_t : process CZtp_t;

The process now shows up with:

[proxyuser@lime target]$ ps -efZ | grep CZtp
unconfined_u:unconfined_r:CZtp_t:s0 501 6355 5903 0 15:26 pts/1 00:00:00 /bin/sh ./CZtp
On 7/23/2011 9:10 PM, Dominick Grift wrote:
selinux@lists.fedoraproject.org