* Re: implementation of conditional policies
From: JanuGerman @ 2007-04-02 10:51 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux List

Hi,

Sorry for this inconvenience. Unfortunately, the problem is still not solved. I relabeled the file /etc/medicalpolicy to root:object_r:testfile_t and removed it from the home directory of root.

The refpolicy configuration is:

--myapp.fc
/etc/medicalpolicy  -- gen_context(root:object_r:testfile_t)
and
--myapp.te
policy_module(myapp,1.0)
# Private type declarations
require {
        attribute domain;        
}
#type user_home_t;
#type bin_t;
#type myapp_t;
type testfile_t;
files_type(testfile_t);
bool test false;
if (test) {
    allow domain testfile_t:file {read};
}


As you mentioned the use of strict policy versus targeted policy: when I change the option in /etc/selinux/config to strict, to see whether it has any effect, the kernel panics at restart and says SELinux is in enforcing mode... kernel panics...

Perhaps the sources of the strict policy are not installed? Or is this kind of policy not enforced in the targeted mode of operation of SELinux? Any idea?

Thanks,
JG
----- Original Message ----
From: Stephen Smalley <sds@tycho.nsa.gov>
To: JanuGerman <doublemalam@yahoo.co.uk>
Sent: Friday, 30 March, 2007 1:15:49 PM
Subject: Re: implementation of conditional policies


On Thu, 2007-03-29 at 19:09 +0100, JanuGerman wrote:
> Hi Stephen,
> 
> If you can kindly answer my question: I have the book
> SELinux by Example, but beside one chapter, there is
> little help available on conditional policies.
> Although I unset the boolean variable, every
> program in /bin can access the test file.
> 
> 
> The context associated with the file is:
> root:object_r:user_home_t 

...which is naturally going to be accessible by unconfined_t (or by
user_t, if using strict).

> whereas the context associated with "vi" is:
> system_u:object_r:bin_t
> 
> The policy is as follows: 
> policy_module(myapp,1.0)
> 
> # Private type declarations
> require {
>         attribute domain;
>         
> }
> 
> type testfile_t;
> #type myapp_t;
> #file_type(testfile_t);

You need to declare testfile_t as a files_type() if you are going to set
it on a file.  

> bool test false;
> 
> 
> if (test) {
>     allow domain testfile_t:file {read};

But you said the file was labeled user_home_t, not testfile_t, above,
and regardless, unconfined_t under targeted policy can do everything.

-- 
Stephen Smalley
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

* Re: implementation of conditional policies
From: Stephen Smalley @ 2007-04-02 12:51 UTC (permalink / raw)
  To: JanuGerman; +Cc: SELinux List

On Mon, 2007-04-02 at 10:51 +0000, JanuGerman wrote:
> Hi,
> 
> Sorry for this inconvenience. Unfortunately, the problem is still not solved. I relabeled the file /etc/medicalpolicy to root:object_r:testfile_t and removed it from the home directory of root.
> 
> The refpolicy configuration is:
> 
> --myapp.fc
> /etc/medicalpolicy  -- gen_context(root:object_r:testfile_t)
> and
> --myapp.te
> policy_module(myapp,1.0)
> # Private type declarations
> require {
>         attribute domain;        
> }
> #type user_home_t;
> #type bin_t;
> #type myapp_t;
> type testfile_t;
> files_type(testfile_t);
> bool test false;
> if (test) {
>     allow domain testfile_t:file {read};
> }
> 
> 
> As you mentioned the use of strict policy versus targeted policy: when I change the option in /etc/selinux/config to strict, to see whether it has any effect, the kernel panics at restart and says SELinux is in enforcing mode... kernel panics...
> 
> Perhaps the sources of the strict policy are not installed? Or is this kind of policy not enforced in the targeted mode of operation of SELinux? Any idea?

Under targeted policy, the unconfined_t domain can access all file
types, so putting that testfile_t type on the file only limits the
ability of confined domains (like httpd_t) to access it; it doesn't
affect anything running in unconfined_t.

To convert to strict policy, you have to install it, e.g.
	yum install selinux-policy-strict
then set /etc/selinux/config to refer to it.  On the initial conversion,
I'd recommend booting with "enforcing=0 single" and running fixfiles
relabel to make sure your filesystem is properly labeled for the strict
policy.  

-- 
Stephen Smalley
National Security Agency


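To make the point of Stephen's reply concrete, here is an added example that is not part of the thread, of refpolicy or of SETools: a toy evaluator for a small subset of the SELinux policy language (type/attribute declarations, typeattribute, bool with if/else blocks, allow rules, and a hand expansion of the one refpolicy interface the module uses, files_type). It loads JanuGerman's myapp.te exactly as posted together with a constructed stand-in for the targeted base policy, in which a single unconditional rule lets unconfined_t read every file_type (the real unconfined_domain() interface grants far more; this stub is an assumption made for the example, not its source). The queries then show that the boolean-gated rule only ever changes the answer for a confined domain such as httpd_t; unconfined_t is allowed whether test is on or off.

```python
"""Toy evaluator for a small subset of the SELinux policy language.

Added example, not code from the mailing list, refpolicy or SETools.
Conditions are limited to a single (optionally negated) boolean; the
real language also allows && and || expressions.
"""
import re

# refpolicy interfaces are m4 macros.  files_type($1) does more than this in
# the real policy, but `typeattribute $1 file_type;` is the part that matters.
INTERFACE_EXPANSION = {"files_type": "typeattribute {0} file_type;"}

TOKEN = re.compile(r"[{}();]|[^\s{}();]+")


def tokenize(text):
    """Strip comments, then split into braces, parens, semicolons and words."""
    return TOKEN.findall(re.sub(r"#.*", "", text))


class Policy:
    def __init__(self):
        self.types = set()
        self.attrs = {}   # attribute name -> set of member types
        self.bools = {}   # boolean name -> default value
        self.rules = []   # (cond, src, tgt, cls, perms); cond is None or (bool, value)

    def expand(self, name):
        """A rule's source/target is a type or an attribute; return the types covered."""
        return self.attrs.get(name, {name})

    def allowed(self, src, tgt, cls, perm, bools=None):
        """Access decision for `perm` on a `cls` object of type `tgt` from domain `src`."""
        state = dict(self.bools, **(bools or {}))
        for cond, rsrc, rtgt, rcls, perms in self.rules:
            if cond is not None and state[cond[0]] != cond[1]:
                continue  # rule sits in the inactive branch of a conditional
            if src in self.expand(rsrc) and tgt in self.expand(rtgt) \
                    and rcls == cls and perm in perms:
                return True
        return False


def parse(text):
    pol = Policy()
    _block(pol, tokenize(text), 0, None, stop=None)
    return pol


def _block(pol, toks, i, cond, stop):
    """Parse statements until `stop` ('}' or None for end of input)."""
    while i < len(toks) and toks[i] != stop:
        i = _statement(pol, toks, i, cond)
    return i + 1  # step over the closing brace


def _statement(pol, toks, i, cond):
    kw = toks[i]
    if kw == "type":                        # type NAME;
        pol.types.add(toks[i + 1])
        return i + 3
    if kw == "attribute":                   # attribute NAME;
        pol.attrs.setdefault(toks[i + 1], set())
        return i + 3
    if kw == "typeattribute":               # typeattribute TYPE ATTR;
        pol.attrs.setdefault(toks[i + 2], set()).add(toks[i + 1])
        return i + 4
    if kw == "bool":                        # bool NAME true|false;
        pol.bools[toks[i + 1]] = toks[i + 2] == "true"
        return i + 4
    if kw == "allow":                       # allow SRC TGT:CLS PERM | { PERMS };
        tgt, cls = toks[i + 2].split(":")
        j = i + 3
        if toks[j] == "{":
            k = toks.index("}", j)
            perms, j = set(toks[j + 1:k]), k + 1
        else:
            perms, j = {toks[j]}, j + 1
        pol.rules.append((cond, toks[i + 1], tgt, cls, perms))
        return j + 1
    if kw == "if":                          # if (NAME) { ... } [else { ... }]
        name = toks[i + 2]
        want = not name.startswith("!")
        name = name.lstrip("!")
        j = _block(pol, toks, i + 5, (name, want), stop="}")
        if j < len(toks) and toks[j] == "else":
            j = _block(pol, toks, j + 2, (name, not want), stop="}")
        return j
    if kw == "require":                     # require { declarations }
        return _block(pol, toks, i + 2, cond, stop="}")
    if kw == "policy_module":               # policy_module(name, version)
        return toks.index(")", i) + 1
    if kw in INTERFACE_EXPANSION:           # e.g. files_type(testfile_t);
        _block(pol, tokenize(INTERFACE_EXPANSION[kw].format(toks[i + 2])), 0, cond, None)
        return i + 5
    raise ValueError(f"unsupported statement starting at {kw!r}")


# JanuGerman's myapp.te as posted in the thread, whitespace aside.
MYAPP_TE = """
policy_module(myapp,1.0)
require {
        attribute domain;
}
type testfile_t;
files_type(testfile_t);
bool test false;
if (test) {
    allow domain testfile_t:file {read};
}
"""

# Constructed stand-in for the targeted base policy (an assumption for this
# example): unconfined_domain() in refpolicy grants unconfined_t far more, but
# one unconditional "read any file_type" rule is enough to explain the result.
TARGETED_STUB = """
attribute domain;
attribute file_type;
type unconfined_t;
typeattribute unconfined_t domain;
type httpd_t;
typeattribute httpd_t domain;
allow unconfined_t file_type:file { read write getattr open };
"""


def build_policy():
    return parse(TARGETED_STUB + MYAPP_TE)


def can_read_testfile(domain, test=False):
    """Can `domain` read a file labelled testfile_t with the boolean `test` set as given?"""
    return build_policy().allowed(domain, "testfile_t", "file", "read", {"test": test})


if __name__ == "__main__":
    for domain in ("unconfined_t", "httpd_t"):
        for test in (False, True):
            verdict = "allowed" if can_read_testfile(domain, test) else "denied"
            print(f"{domain:13s} read testfile_t with test={test!s:5s}: {verdict}")
```

Running it prints "allowed" for unconfined_t in both boolean states and "denied"/"allowed" for httpd_t with test off/on, which is the behaviour the reply describes: the boolean gates the rule, but a domain that already has an unconditional grant to every file type never needs that rule. On a real system the equivalent checks are sesearch on the loaded policy and getsebool/setsebool on the boolean, run from a confined domain rather than a root shell in unconfined_t.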
