01-24-2012, 03:29 PM
Nabeel Moidu

Domain transition not working

Hi

I've got an executable file script.sh labeled xyz_exec_t. I've also defined a domain xyz_t and added daemon_domain(xyz_t, xyz_exec_t) in the .te file. When compiled and inserted, the file context labels seem to be enforced correctly. Normally the executable script.sh is invoked by the init scripts. As per the domain transition rule, I expect it to show up xyz_t as its domain in ps -efZ. But the transition does not work as expected. The process runs as an unconfined domain.

But when I add runcon in the line where the init script invokes the executable with the domain as xyz_t, the process runs in the proper context. Once I remove the runcon and invoke the init script, the domain transition I applied in the custom module does not work out.

Any suggestions?

NB: The system is on permissive mode and this particular domain xyz_t has also been defined as a permissive domain.

Nabeel
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
01-24-2012, 04:16 PM
Moray Henderson

Domain transition not working

> From: selinux-bounces@lists.fedoraproject.org
> [mailto:selinux-bounces@lists.fedoraproject.org] On Behalf Of Nabeel Moidu
> Subject: Domain transition not working
>
> Hi
>
> I've got an executable file script.sh labeled xyz_exec_t. I've
> also defined a domain xyz_t and added daemon_domain(xyz_t,
> xyz_exec_t) in the .te file.
>
> When compiled and inserted, the file context labels seem to be
> enforced correctly. Normally the executable script.sh is invoked by
> the init scripts. As per the domain transition rule, I expect it
> show up xyz_t as its domain in ps -efZ . But the transition does
> not work as expected. The process runs as an unconfined domain.
>
> But when I add runcon in the line where the init script invokes
> the executable with the domain as xyz_t, the process runs in the
> proper context.
>
> Once I remove the runcon and invoke the init script, the domain
> transition I applied in the custom module does not work out.
>
> Any suggestions ?
>
> NB: The system is on permissive mode and this particular domain
> xyz_t has also been defined as a permissive domain.
>
> Nabeel

It might help us to see the exact rules that have been defined. Hopefully this will show something up (thanks Dominick!):

sesearch --allow -t xyz_t | grep transition

If your executable is normally run by init scripts, it will be coming from initrc_t, not unconfined_t, which may make a difference.

Moray.

“To err is human; to purr, feline.”







 
01-25-2012, 10:08 AM
Miroslav Grepl

Domain transition not working

On 01/24/2012 04:29 PM, Nabeel Moidu wrote:

> Hi
>
> I've got an executable file script.sh labeled xyz_exec_t.
> I've also defined a domain xyz_t and added daemon_domain(xyz_t,
> xyz_exec_t) in the .te file.

Could you paste your definition of types?

> When compiled and inserted, the file context labels seem to
> be enforced correctly. Normally the executable script.sh is
> invoked by the init scripts.

How does your init script look?

> As per the domain transition rule, I expect it show up
> xyz_t as its domain in ps -efZ . But the transition does not
> work as expected. The process runs as an unconfined domain.
>
> But when I add runcon in the line where the init script
> invokes the executable with the domain as xyz_t, the process
> runs in the proper context.
>
> Once I remove the runcon and invoke the init script, the
> domain transition I applied in the custom module does not work
> out.
>
> Any suggestions ?
>
> NB: The system is on permissive mode and this particular
> domain xyz_t has also been defined as a permissive domain.
>
> Nabeel


 
01-25-2012, 04:08 PM
Daniel J Walsh

Domain transition not working


On 01/24/2012 12:16 PM, Moray Henderson wrote:
> From: selinux-bounces@lists.fedoraproject.org
> [mailto:selinux-bounces@lists.fedoraproject.org] On Behalf Of Nabeel Moidu
> Subject: Domain transition not working
>
> Hi
>
> I've got an executable file script.sh labeled xyz_exec_t. I've
> also defined a domain xyz_t and added daemon_domain(xyz_t,
> xyz_exec_t) in the .te file.
>
> When compiled and inserted, the file context labels seem to be
> enforced correctly. Normally the executable script.sh is invoked by
> the init scripts. As per the domain transition rule, I expect it
> show up xyz_t as its domain in ps -efZ . But the transition does
> not work as expected. The process runs as an unconfined domain.
>
> But when I add runcon in the line where the init script invokes
> the executable with the domain as xyz_t, the process runs in the
> proper context.
>
> Once I remove the runcon and invoke the init script, the domain
> transition I applied in the custom module does not work out.
>
> Any suggestions ?
>
> NB: The system is on permissive mode and this particular domain
> xyz_t has also been defined as a permissive domain.
>
> Nabeel
>
> It might help us to see the exact rules that have been defined.
> Hopefully this will show something up (thanks Dominick!):
>
> sesearch --allow -t xyz_t | grep transition
>
> If your executable is normally run by init scripts, it will be
> coming from initrc_t, not unconfined_t, which may make a
> difference.
>
> Moray.
>
> “To err is human; to purr, feline.”
>
> -- selinux mailing list selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux


Also make sure the script is on a file system that is not set nosuid.


 
02-01-2012, 08:02 AM
Nabeel Moidu

Domain transition not working

Moray, Dan, Miroslav

Thanks for your inputs. It's working now.

I did an sesearch and grep'd for the type_transition lines. Then checked the init script labels once more.

What happened was startup script files in the init.d were symlinks and the file types on those were defaulting to etc_t. I removed them and copied the init scripts. Repeated restorecon and this time they were labeled correctly and the transition also worked fine.

Nabeel




--
Thanks and Regards
Nabeel Moidu
Doha, Qatar
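
Added example (not part of the original thread or of any poster's message): the three things the replies asked about, as offline checks in shell. These are the init script label, the source domain of the type_transition rule, and a nosuid mount. All sample input is constructed; /opt/xyz and the mount and label lines are assumptions, and only the xyz_* names, initrc_t, unconfined_t and etc_t come from the thread.

```shell
#!/bin/sh
# Added example: sample data below is constructed; xyz_* names are from the thread.

# Constructed `stat -c '%C %n' /etc/rc.d/init.d/*` output (context, then path).
SAMPLE_LABELS='system_u:object_r:initrc_exec_t:s0 /etc/rc.d/init.d/sshd
system_u:object_r:etc_t:s0 /etc/rc.d/init.d/xyz'

# Constructed /proc/mounts lines; /opt/xyz is a hypothetical install location.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /opt/xyz ext4 rw,nosuid,nodev 0 0'

# Constructed type_transition rule in the form sesearch prints it.
SAMPLE_RULES='type_transition initrc_t xyz_exec_t : process xyz_t;'

# Print "path type" for every init script whose type is not initrc_exec_t.
mislabeled_init_scripts() {
    awk '{ split($1, c, ":"); if (c[3] != "initrc_exec_t") print $2, c[3] }'
}

# Succeed if the mount covering path $1 (longest mount-point prefix) is nosuid.
on_nosuid_mount() {
    awk -v p="$1" '
        { m = $2; pre = (m == "/") ? "/" : (m "/")
          if (index(p "/", pre) == 1 && length(m) >= best) { best = length(m); opts = $4 } }
        END { exit ((("," opts ",") ~ /,nosuid,/) ? 0 : 1) }'
}

# Succeed if stdin holds a process transition: source $1, entrypoint $2, target $3.
has_transition() {
    awk -v s="$1" -v e="$2" -v t="$3" '
        { gsub(/:/, " : "); gsub(/;/, "") }
        $1 == "type_transition" && $2 == s && $3 == e && $5 == "process" && $6 == t { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

report() {
    echo "Init scripts not labeled initrc_exec_t:"
    printf '%s\n' "$SAMPLE_LABELS" | mislabeled_init_scripts
    for src in initrc_t unconfined_t; do
        if printf '%s\n' "$SAMPLE_RULES" | has_transition "$src" xyz_exec_t xyz_t
        then echo "$src -> xyz_t: transition rule present"
        else echo "$src -> xyz_t: no transition rule"; fi
    done
    if printf '%s\n' "$SAMPLE_MOUNTS" | on_nosuid_mount /opt/xyz/script.sh
    then echo "/opt/xyz/script.sh: on a nosuid mount"; fi
}
report
```

On a live system the same functions can be fed from stat -c '%C %n' on the init scripts, from /proc/mounts, and from sesearch output filtered to type_transition lines.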

