SELinux Archive on lore.kernel.org
* Failed to resolve typeattributeset statement
@ 2019-10-02 23:15 Ian Pilcher
From: Ian Pilcher @ 2019-10-02 23:15 UTC
  To: selinux

I've run into another issue while developing a policy for my service.
It needs to run systemctl (via sudo), and I hit this denial:

type=AVC msg=audit(1570051321.409:1773): avc:  denied  { getattr } for 
pid=3682 comm="sudo" path="/usr/bin/systemctl" dev="dm-0" ino=12586503 
scontext=system_u:system_r:denatc_sudo_t:s0 
tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file 
permissive=0

I would have expected this to be simple.  Add the following to my
policy:

require {
	type systemctl_exec_t;
}

allow denatc_sudo_t systemctl_exec_t:file { getattr };

I am able to build a policy module (.pp file), but I am unable to load
it:

Failed to resolve typeattributeset statement at 
/etc/selinux/targeted/tmp/modules/400/denatc/cil:16
semodule:  Failed!

After figuring out how to generate the .cil file, I've determined that
line 16 is:

(typeattributeset cil_gen_require systemctl_exec_t)

This is obviously a showstopper, and Google isn't finding anything
useful.

-- 
========================================================================
Ian Pilcher                                         arequipeno@gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================


* Re: Failed to resolve typeattributeset statement
@ 2019-10-02 23:19 ` Ian Pilcher
From: Ian Pilcher @ 2019-10-02 23:19 UTC
  To: selinux

On 10/2/19 6:15 PM, Ian Pilcher wrote:
> type=AVC msg=audit(1570051321.409:1773): avc:  denied  { getattr } for 
> pid=3682 comm="sudo" path="/usr/bin/systemctl" dev="dm-0" ino=12586503 
> scontext=system_u:system_r:denatc_sudo_t:s0 
> tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file 
> permissive=0
> 
> I would have expected this to be simple.  Add the following to my
> policy:
> 
> require {
>      type systemctl_exec_t;
> }
> 
> allow denatc_sudo_t systemctl_exec_t:file { getattr };

And it is simple ... if one uses the correct type:

   systemd_systemctl_exec_t

Sorry for the noise!

-- 
========================================================================
Ian Pilcher                                         arequipeno@gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================

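The root cause in this thread is a hand-typed `require` name (`systemctl_exec_t`) that does not match the type the kernel actually reported in `tcontext` (`systemd_systemctl_exec_t`), which surfaces later as the unhelpful "Failed to resolve typeattributeset" error at load time. As an added example (not code from the thread or the SELinux project), the Python helper below takes the type names directly from the AVC record and cross-checks a `require` block against them; the AVC line and type names are those from the messages above, and the closest-match suggestion via `difflib` is my own assumption, not anything semodule does.

```python
import difflib
import re

# Constructed sample: the denial from the first message, joined onto one line.
AVC_LINE = (
    'type=AVC msg=audit(1570051321.409:1773): avc:  denied  { getattr } for '
    'pid=3682 comm="sudo" path="/usr/bin/systemctl" dev="dm-0" ino=12586503 '
    'scontext=system_u:system_r:denatc_sudo_t:s0 '
    'tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=0'
)

_AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Extract result, permissions, source/target types and class from one AVC record."""
    m = _AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC record")
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(m.group('fields'))}
    # A context is user:role:type[:range]; index 2 is the type even with an MLS range.
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }


def te_snippet(avc, own_types=()):
    """Render require + allow using exactly the names the kernel reported.
    Types declared by the module itself (own_types) are left out of require."""
    needed = [t for t in (avc['stype'], avc['ttype']) if t not in own_types]
    lines = []
    if needed:
        lines += ['require {'] + [f'\ttype {t};' for t in needed] + ['}', '']
    lines.append(f"allow {avc['stype']} {avc['ttype']}:{avc['tclass']} {{ {' '.join(avc['perms'])} }};")
    return '\n'.join(lines) + '\n'


def check_require(avc, required_types):
    """Map each required type that matches no type in the denial to the closest
    reported type (assumed heuristic); an empty dict means all names line up."""
    seen = [avc['stype'], avc['ttype']]
    problems = {}
    for t in required_types:
        if t not in seen:
            close = difflib.get_close_matches(t, seen, n=1)
            problems[t] = close[0] if close else None
    return problems
```

Running `check_require(parse_avc(AVC_LINE), ['systemctl_exec_t'])` flags the abbreviated name and points at `systemd_systemctl_exec_t`, which is the catch that would have avoided the round trip through the generated .cil file.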