
» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


05-14-2008, 03:12 PM
"Sciola, Dario"

Stuck in init_t







Classification: UNCLASSIFIED




Hi,




I've got a small application that I'm trying to get running as a service on an FC8 SELinux box. I've got an entry in my inittab file to kick start the app, but all my attempts at writing an appropriate policy leave that app running in the init_t domain.



The inittab file entry is:




    cds:2345:respawn:/usr/bin/CDSserver -l -p 2732


ps -efZ (observing this as a 'root' user) gives:




    system_u:system_r:init_t:s0 root 2663 1 0 10:01 ? 00:00:00 /usr/bin/CDSserver -l -p 2732




My .te file contains:




    policy_module(cdsserver,1.0.3)

    ########################################
    #
    # Declarations
    #
    ########################################

    # Type declarations
    ###################

    # the target domain:
    type cds_t;

    # Entrypoint for exec
    type cds_exec_t;


    # domain type
    #domain_type(cds_t)

    # Mark cds_t as a domain and cds_exec_t as an entrypoint
    init_daemon_domain(cds_t, cds_exec_t)

    domain_entry_file(cds_t, cds_exec_t)

    allow cds_t self:process execmem;

    ...




My .fc file contains:




    /usr/bin/CDSserver -- gen_context(system_u:object_r:cds_exec_t,s0)






My .if file contains:




    interface(`cds_domtrans',`
        gen_require(`
            type cds_t, cds_exec_t;
        ')

        domain_auto_trans($1,cds_exec_t,cds_t)

        allow $1 cds_t:fd use;
        allow cds_t $1:fd use;
        allow cds_t $1:fifo_file rw_file_perms;
        allow cds_t $1:process sigchld;
    ')




I've also tried putting init_t as $1 in the domain_auto_trans()




Why isn't the process transitioning to cds_t? I've looked at a lot of sites and examples and can't seem to figure out my problem. The policy is the targeted FC8 policy. Module compiles and loads (semodule) fine.



    # sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /selinux
    Current mode:                   permissive
    Mode from config file:          permissive
    Policy version:                 21
    Policy from config file:        targeted


Any ideas?






Dario Sciola




--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
05-14-2008, 05:22 PM
Stephen Smalley

Stuck in init_t

On Wed, 2008-05-14 at 11:12 -0400, Sciola, Dario wrote:
> Classification: UNCLASSIFIED
>
> Hi,
>
> I've got a small application that I'm trying to get running as a
> service on an FC8 SELinux box. I've got an entry in my inittab file
> to kick start the app, but all my attempts at writing an appropriate
> policy leave that app running in the init_t domain.

This kind of question likely belongs on selinux@tycho.nsa.gov, not here
- it isn't really Fedora-specific.

> The inittab file entry is:
>
> cds:2345:respawn:/usr/bin/CDSserver -l -p 2732
>
> ps -efZ (observing this as a 'root' user) gives:
>
> system_u:system_r:init_t:s0 root 2663 1 0 10:01 ?
> 00:00:00 /usr/bin/CDSserver -l -p 2732
>
> My .te file contains:
>
> policy_module(cdsserver,1.0.3)
>
> ########################################
> #
> # Declarations
> #
> ########################################
>
> # Type declarations
> ###################
>
> # the target domain:
> type cds_t;
>
> # Entrypoint for exec
> type cds_exec_t;
>
>
> # domain type
> #domain_type(cds_t)
>
> # Mark cds_t as a domain and cds_exec_t as an entrypoint
> init_daemon_domain(cds_t, cds_exec_t)

init_daemon_domain is for a normal daemon started by an /etc/rc.d
script, not for something directly started by /sbin/init.

You want init_domain() instead I think.

> domain_entry_file(cds_t, cds_exec_t)

This should be covered by the above.

> allow cds_t self:process execmem;

Better if you can avoid that.

> ...
>
> My .fc file contains:
>
> /usr/bin/CDSserver -- gen_context(system_u:object_r:cds_exec_t,s0)
>
>
> My .if file contains:
>
> interface(`cds_domtrans',`
> gen_require(`
> type cds_t, cds_exec_t;
> ')
>
> domain_auto_trans($1,cds_exec_t,cds_t)
>
> allow $1 cds_t:fd use;
> allow cds_t $1:fd use;
> allow cds_t $1:fifo_file rw_file_perms;
> allow cds_t $1:process sigchld;
> ')
>
> I've also tried putting init_t as $1 in the domain_auto_trans()

An .if file serves no purpose unless you have something that calls the
interfaces it defines. It just defines a set of interfaces for
other .te files to use.

> Why isn't the process transitioning to cds_t? I've looked at a lot of
> sites and examples and can't seem to figure out my problem. The policy
> is the targeted FC8 policy. Module compiles and loads (semodule) fine.
>
> # sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: permissive
> Mode from config file: permissive
> Policy version: 21
> Policy from config file: targeted
>
> Any ideas?
>
>
> Dario Sciola
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
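
Added example, not part of either post: the module from the thread rewritten along the lines the reply suggests, with init_domain() in place of init_daemon_domain() so that init_t itself transitions to cds_t when it executes a cds_exec_t file. It assumes the reference policy interface init_domain(domain, entry_point) is available in the installed policy headers; the type names and path are the ones from the thread.

```selinux
# ---- cdsserver.te ----
policy_module(cdsserver,1.0.3)

# Target domain for the service and the type of its executable.
type cds_t;
type cds_exec_t;

# /sbin/init starts CDSserver directly from inittab, so the transition
# has to originate in init_t. init_domain() declares cds_t as a domain,
# cds_exec_t as its entrypoint, and adds the init_t -> cds_t transition,
# so the separate domain_entry_file() call is not needed.
init_domain(cds_t, cds_exec_t)

# execmem is left out, as the reply advises; restore this rule only if
# the application turns out to need it.
# allow cds_t self:process execmem;

# ---- cdsserver.fc ----
/usr/bin/CDSserver	--	gen_context(system_u:object_r:cds_exec_t,s0)
```

The transition happens at exec time, so the binary must already carry the cds_exec_t label (restorecon -v /usr/bin/CDSserver, checked with ls -Z) and init must respawn the service before ps -efZ shows cds_t.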
 
