Old 05-28-2008, 06:18 PM
Stefan Schleifer
 
Self-made policy not getting enforced on Fedora 9

Hey guys,

As you might guess, I've a problem with my SELinux policy under Fedora 9.


I created a little test application 'demo' which reads some text from stdin and writes it in a config file /etc/hackbar/config.txt.


Afterwards, I developed a policy with types demo_t, demo_exec_t and demo_etc_t and allowed demo_exec_t to read/write demo_etc_t. Everything's fine.


For testing purposes I changed /etc/hackbar/config.txt to type etc_t, which demo_exec_t shouldn't be able to access as there doesn't exist an allow demo_exec_t r/w etc_t.



[stefan@localhost policy]$ ls -Z /usr/local/bin/demo
-rwsr-sr-x root root system_u:object_r:demo_exec_t:s0 /usr/local/bin/demo

[stefan@localhost policy]$ ls -Z /etc/hackbar/config.txt
-rwxr-xr-x root root system_u:object_r:etc_t:s0 /etc/hackbar/config.txt



Again I ran the application, but it is still allowed to change that file?!



[stefan@localhost policy]$ /usr/local/bin/demo
Enter text: foobar
Read from file: foobar


According to standard UNIX permissions, access should be granted as the demo app has suid set, but shouldn't SELinux permit access anyway in this case?


SELinux is in enforcing mode.


[stefan@localhost policy]$ /usr/sbin/sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 22
Policy from config file: targeted


I'm rather confused...

best regards,
Stefan
--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 05-28-2008, 06:28 PM
Eric Paris
 
Self-made policy not getting enforced on Fedora 9

On Wed, 2008-05-28 at 20:18 +0200, Stefan Schleifer wrote:
> Hey guys,
>
> As you might guess, I've a problem with my SELinux-policy under Fedora
> 9.
>
> I created a little test application 'demo' which reads some text from
> stdin and writes it in a config file /etc/hackbar/config.txt.
>
> Afterwards, I developed a policy with types demo_t, demo_exec_t and
> demo_etc_t and allowed demo_exec_t to read/write demo_etc_t.
> Everything's fine.
>
> For testing purposes I changed /etc/hackbar/config.txt to type etc_t
> which demo_exec_t shouldn't be able to access as there doesn't exist
> an allow demo_exec_t r/w etc_t.
>
>
> [stefan@localhost policy]$ ls -Z /usr/local/bin/demo
> -rwsr-sr-x root root system_u:object_r:demo_exec_t:s0 /usr/local/bin/demo
> [stefan@localhost policy]$ ls -Z /etc/hackbar/config.txt
> -rwxr-xr-x root root system_u:object_r:etc_t:s0 /etc/hackbar/config.txt
>
>
> Again I ran the application but it is still allowed to change that
> file?!
>
>
> [stefan@localhost policy]$ /usr/local/bin/demo
> Enter text: foobar
> Read from file: foobar
>
>
> According to standard UNIX permissions, access should be granted as the
> demo app has suid set, but shouldn't SELinux permit access anyway in
> this case?
>
> SELinux is in enforcing mode.
>
>
> [stefan@localhost policy]$ /usr/sbin/sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: enforcing
> Mode from config file: enforcing
> Policy version: 22
> Policy from config file: targeted
>
>
> I'm rather confused...

Are you sure you have the right transition rule from whatever your shell runs as ('unconfined_t'?) to demo_t when you run a demo_exec_t binary? What do you see from ps -efZ | grep demo while your program is running?

-Eric

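The transition Eric asks about, written out as a minimal reference-policy style module. This is an added example, not Stefan's module or anything from the list: the module name demo, the types demo_t/demo_exec_t/demo_etc_t, the shell domain unconfined_t and the paths /usr/local/bin/demo and /etc/hackbar come from the thread; the permission sets and the .fc lines are assumptions. Without the type_transition rule the process keeps running in the caller's domain (unconfined_t), which the targeted policy does not restrict, so the etc_t write succeeds exactly as observed.

```selinux
policy_module(demo, 1.0.0)

########################################
# Declarations
type demo_t;
type demo_exec_t;
# demo_t becomes a process domain, demo_exec_t its entry-point executable type
application_domain(demo_t, demo_exec_t)

type demo_etc_t;
# demo_etc_t is a regular configuration-file type under /etc
files_config_file(demo_etc_t)

########################################
# Domain transition: shell (unconfined_t) -> demo_t when demo_exec_t is executed.
# unconfined_t is declared in another module, so it has to be required here.
gen_require(`
    type unconfined_t;
')
# These four rules are what the refpolicy macro
# domain_auto_trans(unconfined_t, demo_exec_t, demo_t) expands to.
allow unconfined_t demo_exec_t:file { getattr open read execute };   # caller may exec the binary
allow unconfined_t demo_t:process transition;                        # caller may change domain
allow demo_t demo_exec_t:file entrypoint;                            # demo_exec_t may enter demo_t
type_transition unconfined_t demo_exec_t:process demo_t;             # and does so automatically

########################################
# What the confined domain may touch: only its own config type.
# There is deliberately no rule for etc_t, so a file relabelled to etc_t
# is denied once the program really runs as demo_t.
allow demo_t demo_etc_t:file { getattr open read write };

# demo.fc (assumed file contexts, applied with restorecon after loading the module):
# /usr/local/bin/demo      --  gen_context(system_u:object_r:demo_exec_t,s0)
# /etc/hackbar(/.*)?           gen_context(system_u:object_r:demo_etc_t,s0)
```

After loading the module, `ps -efZ | grep demo` while the program runs should show demo_t rather than unconfined_t in the context column; if it still shows unconfined_t, the transition is what is missing, not the file rules.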