[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: pipefs AVC



On 08/29/2010 05:00 PM, Mr Dash Four wrote:
> 
>> its a fifo_file on device pipefs with name/path: pipe:[11951]
>>
>> This type of internal communication is very common. We use the following
>> policy for this:
>>
>> allow voip_sandbox_t self:fifo_file rw_fifo_file_perms;
>>   
> This worked, though I get the following AVC when starting the process:
> 
> type=AVC msg=audit(1283088703.670:16403): avc:  denied  { execmem } for 
> pid=1847 comm="voip_sandbox"
> scontext=unconfined_u:system_r:voip_sandbox_t:s0
> tcontext=unconfined_u:system_r:voip_sandbox_t:s0 tclass=process
> type=SYSCALL msg=audit(1283088703.670:16403): arch=40000003 syscall=90
> per=400000 success=no exit=-13 a0=8e997d4 a1=bfc01000 a2=bfc00000
> a3=1ff000 items=0 ppid=1845 pid=1847 auid=0 uid=496 gid=496 euid=496
> suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=1
> comm="voip_sandbox" exe="/usr/local/bin/voip_sandbox"
> subj=unconfined_u:system_r:voip_sandbox_t:s0 key=(null)
> 
> Even though the 2 spawned processes are still in memory (though nothing
> works) when I try to terminate the application nothing happens and when
> I try to reboot I get this in the audit log:
> 
> type=AVC msg=audit(1283088703.670:16404): avc:  denied  { signal } for 
> pid=1847 comm="voip_sandbox"
> scontext=unconfined_u:system_r:voip_sandbox_t:s0
> tcontext=unconfined_u:system_r:voip_sandbox_t:s0 tclass=process
> 
> Tried to add 'allow voip_sandbox_t self:process { execmem signal };' but
> that did not help one iota - I am getting the same avcs!
> 

writing policy requires testing. i usually do my testing in permissive
mode or with permissive domains.

basically in my initial policy i declare type for know object and
subjects, i make the types usable. Then i add file context
specifications so that the objects are labelled properly. in my initial
policy i also define the domain transitions.

Then i usually test in permissive mode. collect as many AVC denials as i
can and then translate them into human readable policy and extend the
policy module, rebuild, reload and start over again, test, collect,
extend, build, install etc.

Attachment: signature.asc
Description: OpenPGP digital signature

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

[Fedora Users]     [Fedora Legacy]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite Photos]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

Powered by Linux

Google
  Web www.spinics.net