[refpolicy] new svn refpolicy difficulties:
Justin P. Mattock
justinmattock at gmail.com
Tue Dec 2 11:31:21 CST 2008
On Tue, 2008-12-02 at 08:13 -0500, Christopher J. PeBenito wrote:
> On Sun, 2008-11-30 at 22:19 -0800, Justin P. Mattock wrote:
> > With the latest refpolicy, I'm
> > able to have all of the allow rules
> > from the boot process applied to the policy,
> > but as soon as I add any of the allow rules
> > from after startx, for any role, building
> > the policy fails, e.g.
> >
> > :ERROR 'type staff_dbusd_t is not within scope' at token ';' on line
> > 2581459:
> >
> > I think this has to do with my policy/users
> > file (where can I find info on setting a prefix?)
>
> I suspect it is actually related to this:
>
> http://marc.info/?l=selinux&m=122477138927253&w=2
>
> What changes have you made (if any) to the policy? Also the
> policy/modules.conf and build.conf?
>
Attached you will find the allow rules
that I added to the policy.
Hopefully it gives you a better idea of what
I'm seeing.
regards;
--
Justin P. Mattock <justinmattock at gmail.com>
-------------- next part --------------
# monolithic policy compile, simple start system
# open a aterm and use audit2allow -d to collect
# allow rules.
#
# NOTE(review): everything below is audit2allow output, so each line grants
# exactly the access that was denied -- it says nothing about whether the
# access should have been allowed.  Several groups of denials look like
# labeling problems rather than missing policy (file_t on device nodes,
# tmpfs_t / initrc_var_run_t on files that should carry their own types,
# a missing domain transition out of system_dbusd_t).  Fixing the labels
# and transitions keeps the boundaries the policy is meant to enforce;
# allowing the raw denials removes them.  Rules where this applies are
# annotated in place.
#
# ---- rules collected during boot ----
#
# initrc_var_run_t and tmpfs_t dir/file/sock_file access from many daemons
# (NetworkManager_t, avahi_t, crond_t, hald_t, klogd_t, syslogd_t,
# restorecond_t, udev_t, ...): presumably pid files and sockets under a
# tmpfs-backed /var/run or /dev are not getting their per-daemon types
# (no file transition) -- TODO confirm with ls -Z before keeping these.
allow NetworkManager_t initrc_var_run_t:dir search;
allow NetworkManager_t initrc_var_run_t:sock_file write;
allow NetworkManager_t tmpfs_t:dir { write search add_name };
allow NetworkManager_t tmpfs_t:file { write create };
allow NetworkManager_t tmpfs_t:sock_file write;
allow avahi_t initrc_var_run_t:dir search;
allow avahi_t initrc_var_run_t:sock_file write;
allow avahi_t tmpfs_t:dir { write search setattr create getattr add_name };
allow avahi_t tmpfs_t:file { read write create lock };
allow avahi_t tmpfs_t:sock_file { write create };
allow bluetooth_t tmpfs_t:dir search;
allow crond_t tmpfs_t:dir { write search add_name };
allow crond_t tmpfs_t:file { read write create getattr lock };
allow crond_t tmpfs_t:sock_file write;
# chr_file objects of type file_t: file_t is refpolicy's type for unlabeled
# files, so these look like device nodes in /dev that were never labeled
# (same for fsadm_t, hostname_t, insmod_t, iptables_t, loadkeys_t, mount_t,
# restorecond_t, setfiles_t, hwclock_t, ifconfig_t and udev_t below).
# Relabeling /dev is the fix; allowing access to unlabeled chr_files bypasses
# the per-device types entirely.
allow dmesg_t file_t:chr_file { read write };
allow fsadm_t file_t:chr_file { read write ioctl };
allow getty_t tmpfs_t:dir search;
allow hald_t initrc_var_run_t:dir { write remove_name add_name };
allow hald_t initrc_var_run_t:file { rename create unlink };
allow hald_t initrc_var_run_t:sock_file write;
allow hald_t tmpfs_t:sock_file write;
allow hald_t var_lib_t:file { read getattr };
allow hostname_t file_t:chr_file { read write };
allow insmod_t file_t:chr_file getattr;
allow insmod_t tty_device_t:chr_file { read write };
allow iptables_t file_t:chr_file { read write };
allow iptables_t var_lib_t:file { read getattr };
allow klogd_t initrc_var_run_t:dir { write search add_name };
allow klogd_t initrc_var_run_t:fifo_file read;
allow klogd_t initrc_var_run_t:file { read write create getattr lock };
# klogd searching /usr/src: presumably looking for a kernel symbol map there
# -- verify; the location it searches is a klogd configuration matter.
allow klogd_t src_t:dir search;
allow klogd_t tmpfs_t:dir search;
allow klogd_t tmpfs_t:sock_file write;
allow loadkeys_t file_t:chr_file { read write ioctl getattr };
allow loadkeys_t file_t:dir search;
# write/append to generic etc_t files from mount_t is broad: presumably this
# is /etc/mtab, which refpolicy labels separately from the rest of /etc --
# check the label on /etc/mtab before keeping a blanket etc_t write.
allow mount_t etc_t:file { write append };
allow mount_t file_t:chr_file { read write };
allow mount_t lib_t:dir mounton;
allow restorecond_t file_t:chr_file { read write ioctl };
allow restorecond_t tmpfs_t:dir { write add_name };
allow restorecond_t tmpfs_t:file { write create };
allow restorecond_t tmpfs_t:sock_file write;
allow setfiles_t file_t:chr_file { read write };
# capability grant: setuid/setgid let syslogd change its own uid/gid
# (typically to drop root after start-up).  Keep only if the syslogd in
# use actually does that -- TODO confirm.
allow syslogd_t self:capability { setuid setgid };
allow syslogd_t tmpfs_t:dir { write search add_name };
allow syslogd_t tmpfs_t:file { read write create getattr lock };
allow syslogd_t tmpfs_t:sock_file { create setattr };
allow udev_t hald_t:unix_dgram_socket { read write };
allow udev_t tmpfs_t:dir { write remove_name search getattr add_name };
allow udev_t xserver_tmpfs_t:dir { write getattr search add_name };
allow xauth_t user_tmp_t:file { write unlink };
# execstack/execmem on the admin domain switch off the executable-memory
# restrictions for every sysadm_t process.  refpolicy normally gates these
# behind a tunable rather than an unconditional allow -- check whether that
# tunable is what is actually wanted here.
allow sysadm_t self:process { execstack execmem };
allow apmd_t hald_t:dbus send_msg;
allow hald_t apmd_t:dbus send_msg;
allow hwclock_t file_t:chr_file { read write };
allow ifconfig_t file_t:chr_file { read write };
allow initrc_t sysadm_t:dbus send_msg;
allow loadkeys_t tmpfs_t:dir search;
# mounton for /etc, /lib and /var/run style directories: review which
# mounts these correspond to; they are not obviously part of a simple boot.
allow mount_t etc_t:dir mounton;
allow mount_t initrc_var_run_t:dir mounton;
allow sysadm_t initrc_t:dbus send_msg;
# udev relabeling chr_files that currently carry tmpfs types (here and in
# the tmpfs_t:chr_file rule further down) is further evidence that /dev is
# a tmpfs whose nodes never received device labels -- TODO confirm.
allow udev_t xserver_tmpfs_t:chr_file { relabelfrom getattr };
allow insmod_t tmpfs_t:chr_file { read write getattr };
allow udev_t file_t:chr_file { read write };
allow udev_t tmpfs_t:chr_file { read write };
allow udev_t tmpfs_t:file { write getattr };
allow udev_t alsa_var_lib_t:dir { getattr search };
allow udev_t alsa_var_lib_t:file getattr;
allow udev_t initrc_var_run_t:dir search;
allow udev_t tmpfs_t:chr_file { relabelfrom getattr };
allow alsa_t tmpfs_t:dir search;
allow hwclock_t tmpfs_t:dir search;
allow insmod_t file_t:chr_file { read write };
# system_dbusd_t has no issues, only somerole_dbusd_t etc..
#
# execute_no_trans on NetworkManager_exec_t means the bus daemon runs
# NetworkManager's binary inside its own domain (system_dbusd_t) instead of
# transitioning to NetworkManager_t.  The NetworkManager_log_t, net_admin /
# net_raw, packet_socket and netlink_route_socket rules that follow look
# consistent with NetworkManager code running as system_dbusd_t.  A domain
# transition on NetworkManager_exec_t is the intended fix; with these rules
# the bus daemon itself ends up carrying NetworkManager's privileges.
allow system_dbusd_t NetworkManager_exec_t:file { read execute execute_no_trans };
allow system_dbusd_t NetworkManager_log_t:file { getattr append };
allow system_dbusd_t NetworkManager_t:dbus send_msg;
allow system_dbusd_t hald_t:dbus send_msg;
allow system_dbusd_t initrc_var_run_t:dir { write search add_name };
allow system_dbusd_t initrc_var_run_t:file { write create getattr };
allow system_dbusd_t initrc_var_run_t:sock_file { write create setattr };
allow system_dbusd_t inotifyfs_t:dir getattr;
allow system_dbusd_t lib_t:file execute_no_trans;
allow system_dbusd_t proc_net_t:file read;
allow system_dbusd_t self:capability { net_admin net_raw };
allow system_dbusd_t self:netlink_route_socket nlmsg_write;
allow system_dbusd_t self:packet_socket { bind create ioctl };
allow system_dbusd_t tmpfs_t:dir search;
allow system_dbusd_t tmpfs_t:sock_file write;
allow system_dbusd_t var_lib_t:file read;
allow system_dbusd_t var_log_t:dir search;
# These below seem to give an error while compiling the policy
# with checkpolicy.
#
# :ERROR 'type sysadm_dbusd_t is not within scope' at token ';' on line 2581450:
#
# allow sysadm_dbusd_t gconf_etc_t:dir { read search getattr };
# checkpolicy: error(s) encountered while parsing configuration
#
# if I comment out the first error, checkpolicy moves down to the next
# and gives the same error.
#
# NOTE(review): "not within scope" from checkpolicy means the type is
# referenced from a section where its declaration is not visible.  The
# per-role dbus types such as sysadm_dbusd_t are presumably generated by a
# per-role template / optional section that these appended rules sit
# outside of; the reply in the thread points at a linked earlier message
# for the actual cause -- TODO confirm there.  If sysadm_ssh_agent_t and
# sysadm_sudo_t below are produced the same way they will fail identically.
allow sysadm_dbusd_t gconf_etc_t:dir { read search getattr };
allow sysadm_dbusd_t gconf_etc_t:file { read getattr };
allow sysadm_dbusd_t gconf_home_t:dir { write search read remove_name getattr add_name };
allow sysadm_dbusd_t gconf_home_t:file { write getattr read create unlink append };
allow sysadm_dbusd_t initrc_var_run_t:dir search;
allow sysadm_dbusd_t initrc_var_run_t:sock_file write;
allow sysadm_dbusd_t lib_t:file execute_no_trans;
allow sysadm_dbusd_t self:process getsched;
allow sysadm_dbusd_t self:unix_stream_socket connectto;
allow sysadm_dbusd_t session_dbusd_tmp_t:sock_file { write create };
allow sysadm_dbusd_t sysadm_t:dbus send_msg;
allow sysadm_dbusd_t sysadm_t:unix_stream_socket connectto;
allow sysadm_dbusd_t system_dbusd_t:dbus send_msg;
allow sysadm_dbusd_t system_dbusd_t:unix_stream_socket connectto;
allow sysadm_dbusd_t tmpfs_t:dir search;
allow sysadm_dbusd_t tmpfs_t:sock_file write;
# sysadm_* domains appending to user_home_t files (here and for
# sysadm_ssh_agent_t below): presumably a session log under a home
# directory labeled with the generic user type rather than the sysadm
# one -- verify the label of the file in question.
allow sysadm_dbusd_t user_home_t:file append;
allow sysadm_dbusd_t user_tty_device_t:chr_file { read write };
allow sysadm_dbusd_t var_lib_t:file { read getattr };
allow sysadm_ssh_agent_t tmpfs_t:dir search;
allow sysadm_ssh_agent_t user_home_t:file append;
# compute_av: sudo asking the kernel (selinuxfs) for an access decision --
# presumably its SELinux role/type support; verify against the sudo build.
allow sysadm_sudo_t security_t:security compute_av;
# sudo executing su without a transition: the same execute_no_trans pattern
# as the dbus/NetworkManager case above.  A domain transition on su_exec_t
# is what refpolicy normally provides; without it su runs as sysadm_sudo_t.
allow sysadm_sudo_t su_exec_t:file { read execute execute_no_trans };
allow sysadm_sudo_t tmpfs_t:dir { write search create add_name };
allow sysadm_sudo_t tmpfs_t:file { write create };
allow sysadm_sudo_t tmpfs_t:sock_file write;
allow sysadm_sudo_t user_home_dir_t:dir search;