07-23-2011, 06:43 PM
Dominick Grift

problems confining a process

You are probably missing a domain type transition.

Running the following command you can see if unconfined_t has a domain
type transition defined when it runs executable files with type
CZtp_exec_t:

sesearch -SCT --allow -s unconfined_t -t CZtp_exec_t

If none is specified, then you must specify that your calling domain,
unconfined_t, domain type transitions to CZtp_t when a file with type
CZtp_exec_t is executed.

You will also need to allow the unconfined_r role the CZtp_t domain.

After that you may want to allow unconfined_t to interact with CZtp_t in
other ways as well but at least by then the type transition should
happen.

The policy:

gen_require(`
    type unconfined_t, CZtp_exec_t, CZtp_t;
    role unconfined_r;
')
domtrans_pattern(unconfined_t, CZtp_exec_t, CZtp_t)
role unconfined_r types CZtp_t;


On Sat, 2011-07-23 at 20:32 +0200, Michael Atighetchi wrote:
> Hi,
>
> I'm trying to create a new policy for a constrained process (started by
> an unconstrained user) and am stuck trying to get the process started
> in the right context.
>
> Here are the steps I followed:
>
> 0. confirm SELinux status
> [proxyuser@lime ~]$ sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: permissive
> Mode from config file: permissive
> Policy version: 24
> Policy from config file: targeted
>
> [proxyuser@lime ~]$ cat /etc/redhat-release
> Fedora release 14 (Laughlin)
>
> [proxyuser@lime cz]$ id -Z
> unconfined_u:unconfined_r:unconfined_t:s0
>
> 1. create policy via
>
> sepolgen -t 3 /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
>
> Note that CZtp is a shell script which in turn calls the JVM.
>
> [proxyuser@lime cz]$ sudo ./CZtp.sh
> Building and Loading Policy
> + make -f /usr/share/selinux/devel/Makefile
> make: Nothing to be done for `all'.
> + /usr/sbin/semodule -i CZtp.pp
> + /sbin/restorecon -F -R -v
> /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
> /sbin/restorecon reset
> /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp context
> system_u:system_r:CZtp_exec_t:s0->system_u:object_r:CZtp_exec_t:s0
>
> 2. Verify that the CZtp file is labeled properly:
> [proxyuser@lime cz]$ ls -lZ
> /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
> -rwxr-xr-x. proxyuser proxyuser system_u:object_r:CZtp_exec_t:s0
> /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
>
> 3. start process
> [proxyuser@lime cz]$ cd /home/proxyuser/trunk/aps-base/crumple-zone/target/
> [proxyuser@lime target]$ ./CZtp
>
> 4. Verify process context
> [proxyuser@lime ~]$ ps -efZ | grep -v grep | grep CZtp
> unconfined_u:unconfined_r:unconfined_t:s0 501 5789 5734 0 14:22 pts/0
> 00:00:00 /bin/sh ./CZtp
>
>
> Note that the process shows up as unconfined_t, although it was labeled
> with CZtp_exec_t.
>
> What am I missing?
>
>
>
> 4. check process context
>
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
07-23-2011, 06:55 PM
Michael Atighetchi

problems confining a process

Hi Dominick,

thanks for the quick reply. Here is what I'm getting when I run the
command you suggested:

[proxyuser@lime ~]$ sesearch -SCT --allow -s unconfined_t -t CZtp_exec_t
Found 10 semantic av rules:
allow files_unconfined_type file_type : filesystem { mount remount
unmount getattr relabelfrom relabelto transition associate quotamod
quotaget } ;
allow files_unconfined_type file_type : file { ioctl read write
create getattr setattr lock relabelfrom relabelto append unlink link
rename execute swapon quotaon mounton execute_no_trans entrypoint open
audit_access } ;
allow files_unconfined_type file_type : dir { ioctl read write
create getattr setattr lock relabelfrom relabelto append unlink link
rename execute swapon quotaon mounton add_name remove_name reparent
search rmdir open audit_access execmod } ;
allow files_unconfined_type file_type : lnk_file { ioctl read write
create getattr setattr lock relabelfrom relabelto append unlink link
rename execute swapon quotaon mounton open audit_access execmod } ;
allow files_unconfined_type file_type : chr_file { ioctl read write
create getattr setattr lock relabelfrom relabelto append unlink link
rename execute swapon quotaon mounton execute_no_trans entrypoint open
audit_access } ;
allow files_unconfined_type file_type : blk_file { ioctl read write
create getattr setattr lock relabelfrom relabelto append unlink link
rename execute swapon quotaon mounton open audit_access execmod } ;
allow files_unconfined_type file_type : sock_file { ioctl read write
create getattr setattr lock relabelfrom relabelto append unlink link
rename execute swapon quotaon mounton open audit_access execmod } ;
allow files_unconfined_type file_type : fifo_file { ioctl read write
create getattr setattr lock relabelfrom relabelto append unlink link
rename execute swapon quotaon mounton open audit_access execmod } ;
allow unconfined_usertype application_exec_type : file { ioctl read
getattr lock execute execute_no_trans open } ;
ET allow files_unconfined_type file_type : file execmod ; [ allow_execmod ]

I have a hard time telling whether the output qualifies as specifying a
domain type transition or not - do you know whether it does? If not,
what should I do with the policy you suggested (in terms of commands to
get it installed)?

Thanks for the help
Michael





--
Michael Atighetchi
Senior Scientist
Raytheon BBN Technologies
617-873-1679
matighet@bbn.com

 
07-23-2011, 07:03 PM
Michael Atighetchi

problems confining a process

One more point. Here is the .if file that sepolgen generated (see below
between {{{ and }}}).
Should I manually add the gen_require and domtrans_pattern lines you
suggested to that policy?

Michael

{{{

## <summary>policy for CZtp</summary>


########################################
## <summary>
## Execute a domain transition to run CZtp.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`CZtp_domtrans',`
gen_require(`
type CZtp_t, CZtp_exec_t;
')

domtrans_pattern($1, CZtp_exec_t, CZtp_t)
')


########################################
## <summary>
## Execute CZtp in the CZtp domain, and
## allow the specified role the CZtp domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed the CZtp domain.
## </summary>
## </param>
#
interface(`CZtp_run',`
gen_require(`
type CZtp_t;
')

CZtp_domtrans($1)
role $2 types CZtp_t;
')

########################################
## <summary>
## Role access for CZtp
## </summary>
## <param name="role">
## <summary>
## Role allowed access
## </summary>
## </param>
## <param name="domain">
## <summary>
## User domain for the role
## </summary>
## </param>
#
interface(`CZtp_role',`
gen_require(`
type CZtp_t;
')

role $1 types CZtp_t;

CZtp_domtrans($2)

ps_process_pattern($2, CZtp_t)
allow $2 CZtp_t:process signal;
')

}}}



 
07-23-2011, 07:07 PM
Dominick Grift

problems confining a process

It doesn't; you should be seeing a rule like this:

type_transition unconfined_t CZtp_exec_t : process CZtp_t;

You could try the following:

mkdir ~/mymod; cd ~/mymod;

# quoted heredoc: the backtick that opens gen_require must reach the file,
# not the shell, and the domtrans/role lines belong outside gen_require
cat > mymod.te <<'EOF'
policy_module(mymod, 1.0.0)

gen_require(`
    type unconfined_t, CZtp_exec_t, CZtp_t;
    role unconfined_r;
')

domtrans_pattern(unconfined_t, CZtp_exec_t, CZtp_t)
role unconfined_r types CZtp_t;
EOF

make -f /usr/share/selinux/devel/Makefile mymod.pp

sudo semodule -i mymod.pp

 
07-23-2011, 07:10 PM
Dominick Grift

problems confining a process

No, but you could add the following to the .te file:

gen_require(` type unconfined_t; role unconfined_r; ')
CZtp_role(unconfined_r, unconfined_t)

... instead of what I suggested in my previous reply. Both methods should
make the domain transition happen.

 
07-23-2011, 07:37 PM
Michael Atighetchi

problems confining a process

Hi Dominick,

thanks for the quick reply again, and for getting me over the hump.

I went with the changes to the .te file, and am now getting the process
started in the right domain.

For completeness' sake, here is the info:

[proxyuser@lime cz]$ sudo sesearch -SCT --allow -s unconfined_t -t CZtp_exec_t
<snip>
Found 1 semantic te rules:
type_transition unconfined_t CZtp_exec_t : process CZtp_t;

The process now shows up with:
[proxyuser@lime target]$ ps -efZ | grep CZtp
unconfined_u:unconfined_r:CZtp_t:s0 501 6355 5903 0 15:26 pts/1
00:00:00 /bin/sh ./CZtp



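The thread boils down to one diagnostic that Dominick describes in words (is there a type_transition from unconfined_t through CZtp_exec_t into CZtp_t, and are the access rules around it present?) and that Michael confirms at the end with the single "Found 1 semantic te rules" line. As an added example that is not part of the thread and not code from either poster or from the SELinux project, here is a small POSIX shell checker that reads sesearch-style rule text and reports which of the pieces an automatic domain transition needs are absent. The four required rules come from the kernel's exec-time checks (execute on the file, transition to the new domain, entrypoint for the new domain on the file, plus the type_transition itself), not from anything the thread spells out; the two rule samples inside the script are constructed to mirror the "before" output Michael pasted and the "after" state the domtrans_pattern call produces, and the attribute names passed as SRC_ATTRS/EXEC_ATTRS are taken from that same output.

```shell
#!/bin/sh
# Added example (not from the thread): audit sesearch output for the four
# rules the kernel needs before an exec() of a CZtp_exec_t file by
# unconfined_t actually lands in CZtp_t.
#
#   1. allow SRC EXEC : file execute        (often granted through attributes)
#   2. allow SRC TGT  : process transition
#   3. allow TGT EXEC : file entrypoint
#   4. type_transition SRC EXEC : process TGT
#
# 1-3 are access checks, so in permissive mode their absence is only logged.
# 4 is not an access check at all: without it the process simply stays in
# SRC, permissive or not, which is exactly the symptom in the thread.

# check_domtrans RULES SRC EXEC TGT [SRC_ATTRS] [EXEC_ATTRS]
#   RULES       rule text, one rule per line, as sesearch prints it
#   SRC_ATTRS   attributes known to contain SRC  (sesearch prints attribute-based
#   EXEC_ATTRS  attributes known to contain EXEC  rules unexpanded, so the caller
#               has to say which ones stand for the concrete types)
# Prints one "missing: <rule>" line per absent rule; exit status 0 if none.
check_domtrans() {
    rules=$1 src=$2 exe=$3 tgt=$4 src_attrs=$5 exe_attrs=$6
    printf '%s\n' "$rules" | awk -v src="$src" -v exe="$exe" -v tgt="$tgt" \
        -v src_attrs="$src_attrs" -v exe_attrs="$exe_attrs" '
    BEGIN {
        # names that may stand for the source domain / the executable type
        is_src[src] = 1; n = split(src_attrs, a, " "); for (i = 1; i <= n; i++) is_src[a[i]] = 1
        is_exe[exe] = 1; n = split(exe_attrs, a, " "); for (i = 1; i <= n; i++) is_exe[a[i]] = 1
    }
    # normalise both sesearch styles, "S T : cls { p q } ;" and "S T:cls { p q };",
    # to the field layout: kind S T : cls p q ...
    { gsub(/[{};]/, " "); gsub(/:/, " : ") }
    $1 == "allow" && is_src[$2] && is_exe[$3] && $5 == "file" {
        for (i = 6; i <= NF; i++) if ($i == "execute") have["execute"] = 1 }
    $1 == "allow" && is_src[$2] && $3 == tgt && $5 == "process" {
        for (i = 6; i <= NF; i++) if ($i == "transition") have["transition"] = 1 }
    $1 == "allow" && $2 == tgt && is_exe[$3] && $5 == "file" {
        for (i = 6; i <= NF; i++) if ($i == "entrypoint") have["entrypoint"] = 1 }
    $1 == "type_transition" && is_src[$2] && is_exe[$3] && $5 == "process" && $6 == tgt {
        have["type_transition"] = 1 }
    END {
        n = split("execute transition entrypoint type_transition", need, " ")
        missing = 0
        for (i = 1; i <= n; i++) if (!(need[i] in have)) { print "missing: " need[i]; missing++ }
        exit (missing > 0)
    }'
}

# Constructed sample 1: the rules the poster's query returned before the fix,
# compacted to one line each. execute is already granted through attributes;
# nothing names CZtp_t, so there is no transition, entrypoint or type_transition.
SAMPLE_BEFORE='allow files_unconfined_type file_type : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton execute_no_trans entrypoint open audit_access } ;
allow unconfined_usertype application_exec_type : file { ioctl read getattr lock execute execute_no_trans open } ;
ET allow files_unconfined_type file_type : file execmod ; [ allow_execmod ]'

# Constructed sample 2: the four rules that matter once
# domtrans_pattern(unconfined_t, CZtp_exec_t, CZtp_t) is loaded.
SAMPLE_AFTER='allow unconfined_t CZtp_exec_t : file { getattr open read execute } ;
allow unconfined_t CZtp_t : process transition ;
allow CZtp_t CZtp_exec_t : file entrypoint ;
type_transition unconfined_t CZtp_exec_t : process CZtp_t;'

# attributes the poster's sesearch output shows covering the two concrete types
SRC_ATTRS='files_unconfined_type unconfined_usertype'
EXE_ATTRS='file_type application_exec_type'

# Stand-alone demo: the "before" sample fails the audit, the "after" sample passes.
echo '== before the fix =='
check_domtrans "$SAMPLE_BEFORE" unconfined_t CZtp_exec_t CZtp_t "$SRC_ATTRS" "$EXE_ATTRS" \
    || echo 'verdict: exec of a CZtp_exec_t file stays in unconfined_t'
echo '== after the fix =='
check_domtrans "$SAMPLE_AFTER" unconfined_t CZtp_exec_t CZtp_t "$SRC_ATTRS" "$EXE_ATTRS" \
    && echo 'verdict: exec of a CZtp_exec_t file transitions to CZtp_t'
```

To run it against a live policy, concatenate three queries rather than the thread's single one: `sesearch --allow -T -s unconfined_t -t CZtp_exec_t`, `sesearch --allow -s unconfined_t -t CZtp_t -c process` and `sesearch --allow -s CZtp_t -t CZtp_exec_t -c file`. The last two are needed because a query filtered on CZtp_exec_t as the object can never show the process-class transition rule, so a clean result from the first query alone does not prove the transition will be permitted in enforcing mode.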
 
