Old 07-26-2011, 07:33 AM
Michael Atighetchi
 
Default problems labeling files

Hi,

I'm having issues with getting files labeled correctly.

First some background:

[proxyuser@lime selinux]$ sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 24
Policy from config file: targeted

[proxyuser@lime selinux]$ cat /etc/redhat-release
Fedora release 14 (Laughlin)

Here is the problem: I have set up the following file contexts:

[proxyuser@lime selinux]$ sudo semanage fcontext -l | grep aps-base
/home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp regular file system_u:object_r:CZtp_exec_t:s0
/home/proxyuser/trunk/aps-base/crumple-zone/target/runSeed.sh regular file system_u:object_r:CZwd_exec_t:s0

Relabeling for one of the files succeeds:

sudo restorecon -F -R -v /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp

[proxyuser@lime selinux]$ ls -lZ /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
-rwxr-xr-x. proxyuser proxyuser system_u:object_r:CZtp_exec_t:s0 /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp

However, relabeling of the other file silently fails:

[proxyuser@lime selinux]$ sudo restorecon -F -R -v /home/proxyuser/trunk/aps-base/crumple-zone/target/runSeed.sh
[proxyuser@lime selinux]$ ls -lZ /home/proxyuser/trunk/aps-base/crumple-zone/target/runSeed.sh
-rwxrwxr-x. proxyuser proxyuser unconfined_u:object_r:user_home_t:s0 /home/proxyuser/trunk/aps-base/crumple-zone/target/runSeed.sh

What am I missing?

--
Michael Atighetchi
Senior Scientist
Raytheon BBN Technologies
617-873-1679
matighet@bbn.com

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 07-26-2011, 09:25 AM
Dominick Grift
 
Default problems labeling files

On Tue, 2011-07-26 at 09:33 +0200, Michael Atighetchi wrote:
> system_u:object_r:CZtp_exec_t:s0
> /home/proxyuser/trunk/aps-base/crumple-zone/target/runSeed.sh regular
> file system_u:object_r:CZwd_exec_t:s0

Maybe you have not declared the CZwd_exec_t type properly. I would need to
see your policy to be able to determine that.

Types have properties. For example, some types are domain types, others
file types, executable file types, port types, etc.

Type attributes are used to tell SELinux what type it is dealing with.
It is kind of like grouping/classifying/tagging types. Rules are in
place that are specific to various groups of types.

For you to be able to, for example, relabel a file object with a type, the
type will need to be classified as a file type, because there is a rule
that states that files can only be labelled with file types.

So if you have not classified your CZwd_exec_t as a file type, then it
may or may not be the cause of this issue.

 
Old 07-26-2011, 10:17 AM
Michael Atighetchi
 
Default problems labeling files

Hi Dominick,
responses inline below.

On 7/26/2011 11:25 AM, Dominick Grift wrote:
> On Tue, 2011-07-26 at 09:33 +0200, Michael Atighetchi wrote:
>> system_u:object_r:CZtp_exec_t:s0
>> /home/proxyuser/trunk/aps-base/crumple-zone/target/runSeed.sh regular
>> file system_u:object_r:CZwd_exec_t:s0
>
> Maybe you have not declared the CZwd_exec_t type properly. I would need to
> see your policy to be able to determine that.

Here is the policy:

policy_module(CZwd,1.0.0)

########################################
#
# Declarations
#

type CZwd_t;
type CZwd_exec_t;
application_domain(CZwd_t, CZwd_exec_t)
role system_r types CZwd_t;

permissive CZwd_t;

########################################
#
# CZwd local policy
#

allow CZwd_t self:fifo_file manage_fifo_file_perms;
allow CZwd_t self:unix_stream_socket create_stream_socket_perms;

domain_use_interactive_fds(CZwd_t)

files_read_etc_files(CZwd_t)

miscfiles_read_localization(CZwd_t)

gen_require(` type unconfined_t; role unconfined_r; ')
CZwd_role(unconfined_r, unconfined_t)

> Types have properties. For example, some types are domain types, others
> file types, executable file types, port types, etc.
>
> Type attributes are used to tell SELinux what type it is dealing with.
> It is kind of like grouping/classifying/tagging types. Rules are in
> place that are specific to various groups of types.
>
> For you to be able to, for example, relabel a file object with a type, the
> type will need to be classified as a file type, because there is a rule
> that states that files can only be labelled with file types.

I see - the policy above doesn't seem to specify a property on the type.

> So if you have not classified your CZwd_exec_t as a file type, then it
> may or may not be the cause of this issue.

How do I add the type to the policy? Any idea what other mistakes can
cause this behavior?


For what it is worth, I generated the CZwd.* files by copying the files
from a previous invocation of sepolgen and replacing all references from
the previous file to the new file. It is only for this process that I have
the labeling problems.

For other processes, I explicitly called sepolgen from scratch.

I've attached the current set of files for CZwd.

Michael


/home/proxyuser/trunk/aps-base/crumple-zone/target/runSeed.sh -- gen_context(system_u:object_r:CZwd_exec_t,s0)

## <summary>policy for CZwd</summary>


########################################
## <summary>
## Execute a domain transition to run CZwd.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`CZwd_domtrans',`
    gen_require(`
        type CZwd_t, CZwd_exec_t;
    ')

    domtrans_pattern($1, CZwd_exec_t, CZwd_t)
')


########################################
## <summary>
## Execute CZwd in the CZwd domain, and
## allow the specified role the CZwd domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed the CZwd domain.
## </summary>
## </param>
#
interface(`CZwd_run',`
    gen_require(`
        type CZwd_t;
    ')

    CZwd_domtrans($1)
    role $2 types CZwd_t;
')

########################################
## <summary>
## Role access for CZwd
## </summary>
## <param name="role">
## <summary>
## Role allowed access
## </summary>
## </param>
## <param name="domain">
## <summary>
## User domain for the role
## </summary>
## </param>
#
interface(`CZwd_role',`
    gen_require(`
        type CZwd_t;
    ')

    role $1 types CZwd_t;

    CZwd_domtrans($2)

    ps_process_pattern($2, CZwd_t)
    allow $2 CZwd_t:process signal;
')


#!/bin/sh -e

moduleName=CZwd
tgtFile=/home/proxyuser/trunk/aps-base/crumple-zone/target/runSeed.sh

DIRNAME=`dirname $0`
cd $DIRNAME
USAGE="$0 [ --update ]"
if [ `id -u` != 0 ]; then
    echo 'You must be root to run this script'
    exit 1
fi

if [ $# -eq 1 ]; then
    if [ "$1" = "--update" ] ; then
        time=`ls -l --time-style="+%x %X" ${moduleName}.te | awk '{ printf "%s %s", $6, $7 }'`
        rules=`ausearch --start $time -m avc --raw -se ${moduleName}`
        if [ x"$rules" != "x" ] ; then
            echo "Found avc's to update policy with"
            echo -e "$rules" | audit2allow -R
            echo "Do you want these changes added to policy [y/n]?"
            read ANS
            if [ "$ANS" = "y" -o "$ANS" = "Y" ] ; then
                echo "Updating policy"
                echo -e "$rules" | audit2allow -R >> ${moduleName}.te
                # Fall through and rebuild policy
            else
                exit 0
            fi
        else
            echo "No new avcs found"
            exit 0
        fi
    else
        echo -e $USAGE
        exit 1
    fi
elif [ $# -ge 2 ] ; then
    echo -e $USAGE
    exit 1
fi

echo "Building and Loading Policy"
set -x
make -f /usr/share/selinux/devel/Makefile || exit
/usr/sbin/semodule -i ${moduleName}.pp

# Fixing the file context
/sbin/restorecon -F -R -v ${tgtFile}

policy_module(CZwd,1.0.0)

########################################
#
# Declarations
#

type CZwd_t;
type CZwd_exec_t;
application_domain(CZwd_t, CZwd_exec_t)
role system_r types CZwd_t;

permissive CZwd_t;

########################################
#
# CZwd local policy
#

allow CZwd_t self:fifo_file manage_fifo_file_perms;
allow CZwd_t self:unix_stream_socket create_stream_socket_perms;

domain_use_interactive_fds(CZwd_t)

files_read_etc_files(CZwd_t)

miscfiles_read_localization(CZwd_t)

gen_require(` type unconfined_t; role unconfined_r; ')
CZwd_role(unconfined_r, unconfined_t)

gen_require(` type CZtp_exec_t; role unconfined_r; ')
CZwd_role(unconfined_r, CZtp_exec_t)



 
Old 07-26-2011, 10:27 AM
Dominick Grift
 
Default problems labeling files

On Tue, 2011-07-26 at 12:17 +0200, Michael Atighetchi wrote:

> type CZwd_t;
> type CZwd_exec_t;
> application_domain(CZwd_t, CZwd_exec_t)
> role system_r types CZwd_t;

> I see - the policy above doesn't seem to specify a property on the type.

It does. The application_domain() interface assigns the proper attributes to the
second parameter (CZwd_exec_t), so this type is a usable executable file
type.

> I've attached the current set of files for CZwd.

So the type for the
"/home/proxyuser/trunk/aps-base/crumple-zone/target/runSeed.sh" file is
declared and is a usable application executable type.

We can confirm this:

seinfo -x -tCZwd_exec_t

This should output at least "application_exec_type".

Maybe the file context specification is not proper, so we should verify
this as well:

matchpathcon /home/proxyuser/trunk/aps-base/crumple-zone/target/runSeed.sh

This should return the expected security context (type CZwd_exec_t).
If it does not return the expected file context specification, then
there is something wrong with your file context specification.
 
Old 07-26-2011, 10:28 AM
Michael Atighetchi
 
Default problems labeling files

One thing I realized using sepolgen is that it rejects filenames that
have "." in them.

In the example below, I was trying to label "runSeed.sh", so maybe
the fact that it has a "." in it broke the labeling?

In any case, I reran sepolgen and renamed the script to
CZwd (instead of runSeed.sh).

With that, the file gets labeled properly now:

[proxyuser@lime target]$ ls -lZ CZwd
-rwxrwxr-x. proxyuser proxyuser system_u:object_r:CZwd_exec_t:s0 CZwd





Michael





 
Old 07-26-2011, 10:29 AM
Dominick Grift
 
Default problems labeling files

On Tue, 2011-07-26 at 12:28 +0200, Michael Atighetchi wrote:
> One thing I realized using sepolgen is that it rejects filenames that
> have "." in them.
> In the example below, I was trying to label "runSeed.sh", so maybe the
> fact that it has a "." in it broke the labeling?

Yes, sometimes you need to escape dots.

matchpathcon should expose that.
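The checks Dominick walks through across his replies (is the target type declared and classified as a file type, does a file context spec actually match the path, and does a dot in the spec need escaping) can be scripted. The Python below is an added example, not code from the thread or from the SELinux tools; the `seinfo -x -t` and `semanage fcontext -l` output it parses is constructed sample data in the shape of those commands' output, and the CZbad_t and CZnew_exec_t types are invented to exercise the failure paths. It also shows what escaping changes: an unescaped `.` still matches runSeed.sh, but it matches runSeed_sh as well.

```python
import re

# Constructed sample modelled on `seinfo -x -t <type>` output (setools 3 style);
# swap in the real command output when triaging a live system.
SEINFO = {
    "CZtp_exec_t": "   type CZtp_exec_t, file_type, non_security_file_type, exec_type, application_exec_type;",
    "CZwd_exec_t": "   type CZwd_exec_t, file_type, non_security_file_type, exec_type, application_exec_type;",
    "CZbad_t": "   type CZbad_t, domain;",  # constructed: a domain type, never valid on a file
}

BASE = "/home/proxyuser/trunk/aps-base/crumple-zone/target/"

# Constructed sample modelled on `semanage fcontext -l` output: <regex> <file kind> <context>.
FCONTEXT = "SELinux fcontext  type  Context\n" + "".join(BASE + spec + "\n" for spec in (
    "CZtp regular file system_u:object_r:CZtp_exec_t:s0",
    "runSeed.sh regular file system_u:object_r:CZwd_exec_t:s0",     # dot left unescaped
    r"runSeed\.sh regular file system_u:object_r:CZwd_exec_t:s0",   # dot escaped
    "CZbad regular file system_u:object_r:CZbad_t:s0",              # constructed: domain type
    "CZnew regular file system_u:object_r:CZnew_exec_t:s0",         # constructed: undeclared type
))

def type_attributes(seinfo_line):
    """Parse 'type X, a, b;' into {'a', 'b'}; None when the type is not declared at all."""
    m = re.match(r"\s*type\s+(\w+)(?:,\s*([^;]*))?;", seinfo_line)
    if not m:
        return None
    return {a.strip() for a in m.group(2).split(",")} if m.group(2) else set()

def parse_fcontext(text):
    """Return (regex, file_kind, context) tuples; lines without a u:r:t:s context are skipped."""
    specs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[-1].count(":") == 3:
            specs.append((parts[0], " ".join(parts[1:-1]), parts[-1]))
    return specs

def matching_specs(specs, path):
    """libselinux anchors each spec as ^regex$ and tests the whole path against it."""
    return [s for s in specs if re.fullmatch(s[0], path)]

def unescaped_dots(regex):
    """An unescaped '.' matches any character, so the spec also covers names it was not meant for."""
    return len(re.findall(r"(?<!\\)\.", regex))

def diagnose(path, specs, seinfo):
    """One-line verdict following the thread's checks: spec match, type declared, type is a file type."""
    hits = matching_specs(specs, path)
    if not hits:
        return "no spec matches %s (compare with matchpathcon output)" % path
    contexts = {ctx for _, _, ctx in hits}
    if len(contexts) > 1:
        return "conflicting specs for %s: %s" % (path, sorted(contexts))
    target_type = contexts.pop().split(":")[2]
    attrs = type_attributes(seinfo.get(target_type, ""))
    if attrs is None:
        return "type %s is not declared in the loaded policy" % target_type
    if "file_type" not in attrs:
        return "type %s lacks the file_type attribute, so no file can carry it" % target_type
    note = " (warning: unescaped '.' in spec)" if any(unescaped_dots(r) for r, _, _ in hits) else ""
    return "ok: %s -> %s%s" % (path, target_type, note)

if __name__ == "__main__":
    specs = parse_fcontext(FCONTEXT)
    for name in ("CZtp", "runSeed.sh", "runSeed_sh", "CZbad", "CZnew", "other"):
        print(diagnose(BASE + name, specs, SEINFO))
```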
 
Old 07-26-2011, 10:38 AM
Michael Atighetchi
 
Default problems labeling files

On 7/26/2011 12:29 PM, Dominick Grift wrote:
>
> On Tue, 2011-07-26 at 12:28 +0200, Michael Atighetchi wrote:
>> One thing I realized using sepolgen is that it rejects filenames that
>> have "." in them.
>> In the example below, I was trying to label "runSeed.sh", so maybe the
>> fact that it has a "." in it broke the labeling?
> Yes, sometimes you need to escape dots.
>
> the matchpathcon should expose that

Thanks a bunch - I got things working by removing the "." in the
filename and rerunning sepolgen on the new file.

Support on this mailing list rocks!
Michael

 
Old 07-26-2011, 01:04 PM
Daniel J Walsh
 
Default problems labeling files


On 07/26/2011 06:38 AM, Michael Atighetchi wrote:
> On 7/26/2011 12:29 PM, Dominick Grift wrote:
>>
>> On Tue, 2011-07-26 at 12:28 +0200, Michael Atighetchi wrote:
>>> One thing I realized using sepolgen is that it rejects filenames
>>> that have "." in them. In the example below, I was trying to
>>> label "runSeed.sh", so maybe the fact that it has a "." in it
>>> broke the labeling?
>> Yes sometimes you need to escape dots
>>
>> the matchpathcon should expose that
>
> Thanks a bunch - I got things working by removing the "." in the
> filename and rerunning sepolgen on the new file.
>
> Support on this mailing list rocks! Michael
>

Could you attach the policy that was generated with the . in the file
name? Also what version of sepolgen were you using?
 
Old 07-26-2011, 01:53 PM
Michael Atighetchi
 
Default problems labeling files

Hi Daniel,

I'm using sepolgen from policycoreutils-gui-2.0.85-28.fc14.x86_64.

The policy file that I hand modified (and caused the labeling problems)
was attached to the previous email.

Note that sepolgen refuses to generate policies for files that have a
"." in them, which seems like a pretty significant restriction.

Here is the trace:

[proxyuser@lime selinux]$ sepolgen -t 3 /home/proxyuser/trunk/aps-base/crumple-zone/target/runSeed.sh

Name must be alpha numberic with no spaces.

sepolgen [ -m ] [ -t type ] [ executable | Name ]
valid Types:

0 Standard Init Daemon
1 DBUS System Daemon
2 Internet Services Daemon
3 User Application
4 Web Application/Script (CGI)
5 Minimal X Windows User Role
6 Minimal Terminal User Role
7 User Role
8 Admin User Role
10 Root Admin User Role
11 Sandbox
[proxyuser@lime selinux]$

So long
Michael


 
Old 07-26-2011, 02:05 PM
Daniel J Walsh
 
Default problems labeling files


Try:

sepolgen -n runseed -t 3 /home/proxyuser/trunk/aps-base/crumple-zone/target/runSeed.sh

The usage message should mention this field.

I will add a patch to output the following:

# sepolgen -t 3 /home/proxyuser/trunk/aps-base/crumple-zone/target/runSeed.sh

Name must be alpha numberic with no spaces. Consider using option "-n MODULENAME"

sepolgen [ -n moduleName ] [ -m ] [ -t type ] [ executable | Name ]
valid Types:

0 Standard Init Daemon
1 DBUS System Daemon
2 Internet Services Daemon
3 User Application
4 Web Application/Script (CGI)
5 Minimal X Windows User Role
6 Minimal Terminal User Role
7 User Role
8 Admin User Role
10 Root Admin User Role
11 Sandbox

 
