Old 07-23-2011, 06:32 PM
Michael Atighetchi
 
Default problems confining a process

Hi,

I'm trying to create a new policy for a constrained process (started by
an unconstrained user) and am stuck trying to get the process started
in the right context.

Here are the steps I followed:

0. confirm SELinux status
[proxyuser@lime ~]$ sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 24
Policy from config file: targeted

[proxyuser@lime ~]$ cat /etc/redhat-release
Fedora release 14 (Laughlin)

[proxyuser@lime cz]$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0

1. create policy via

sepolgen -t 3 /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp

Note that CZtp is a shell script which in turn calls the JVM.

[proxyuser@lime cz]$ sudo ./CZtp.sh
Building and Loading Policy
+ make -f /usr/share/selinux/devel/Makefile
make: Nothing to be done for `all'.
+ /usr/sbin/semodule -i CZtp.pp
+ /sbin/restorecon -F -R -v
/home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
/sbin/restorecon reset
/home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp context
system_u:system_r:CZtp_exec_t:s0->system_u:object_r:CZtp_exec_t:s0

2. Verify that the CZtp file is labeled properly:
[proxyuser@lime cz]$ ls -lZ
/home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
-rwxr-xr-x. proxyuser proxyuser system_u:object_r:CZtp_exec_t:s0
/home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp

3. start process
[proxyuser@lime cz]$ cd /home/proxyuser/trunk/aps-base/crumple-zone/target/
[proxyuser@lime target]$ ./CZtp

4. Verify process context
[proxyuser@lime ~]$ ps -efZ | grep -v grep | grep CZtp
unconfined_u:unconfined_r:unconfined_t:s0 501 5789 5734 0 14:22 pts/0
00:00:00 /bin/sh ./CZtp


Note that the process shows up as unconfined_t, although it was labeled
with CZtp_exec_t.

What am I missing?



4. check process context

--
Michael Atighetchi
Senior Scientist
Raytheon BBN Technologies
617-873-1679
matighet@bbn.com

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
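The post's steps 2 and 4 are a manual comparison: the executable carries CZtp_exec_t, yet the process runs as unconfined_t. Because the machine is in permissive mode, nothing is denied and the context mismatch is the only visible sign that the domain transition did not happen. The script below automates that comparison. It is an added example, not code from the post, from sepolgen or from the Fedora policy; it parses the `ls -lZ` and `ps -efZ` lines quoted above (embedded here as constructed sample input) and assumes the pairing sepolgen emits, an executable type `<name>_exec_t` paired with a process domain `<name>_t`. It reports the mismatch; which transition rules the loaded module actually contains has to be inspected separately.

```shell
#!/bin/sh
# Added example (not from the post): compare the SELinux type on an executable
# with the domain its running process ended up in.
# Contexts have the form user:role:type:level; the level may itself contain
# colons (s0-s0:c0.c1023), so the type is always the third colon-separated field.

# Print the first whitespace-separated field of a line that looks like a
# security context (three or more colons). Works for `ls -Z`, `ps -Z` and `id -Z`.
context_in_line() {
    for f in $1; do
        case "$f" in
            *:*:*:*) printf '%s\n' "$f"; return 0 ;;
        esac
    done
    return 1
}

# Extract the type from a context string.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Assumption: an executable labeled <name>_exec_t is meant to run as <name>_t
# (the naming sepolgen uses for the generated domain).
expected_domain() {
    printf '%s\n' "$1" | sed 's/_exec_t$/_t/'
}

# $1: `ls -lZ` line for the executable, $2: `ps -efZ` line for the process.
# Returns 0 if the process runs in the domain paired with the file's exec type,
# 1 if it does not, 2 if either line carries no context.
check_transition() {
    file_ctx=$(context_in_line "$1") || return 2
    proc_ctx=$(context_in_line "$2") || return 2
    want=$(expected_domain "$(context_type "$file_ctx")")
    got=$(context_type "$proc_ctx")
    if [ "$got" = "$want" ]; then
        echo "confined: process runs as $got"
        return 0
    fi
    echo "NOT confined: expected $want, process runs as $got"
    return 1
}

# Constructed sample input, copied from the post's step 2 and step 4 output.
SAMPLE_LS='-rwxr-xr-x. proxyuser proxyuser system_u:object_r:CZtp_exec_t:s0 /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp'
SAMPLE_PS='unconfined_u:unconfined_r:unconfined_t:s0 501 5789 5734 0 14:22 pts/0 00:00:00 /bin/sh ./CZtp'

# Stand-alone demonstration; the failing status is deliberately ignored here.
check_transition "$SAMPLE_LS" "$SAMPLE_PS" || :
```

On a live system the two arguments would come from `ls -lZ "$path"` and `ps -efZ | grep "$path"`; the parser picks the context field by shape rather than by position, so the `ps` output format (which varies with the column set) does not matter.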
 
