FedoraForum.org - Fedora Support Forums and Community
  1. #1
    Join Date
    Jan 2010
    Posts
    57

    Domain transition problem

    I'd like my user (user_t) to have another type (mytype_t) when he executes my program, which is sechmod_exec_t. What would this policy look like?

    PS. Sorry for my English.

  2. #2
    Join Date
    May 2008
    Posts
    623

    Re: Domain transition problem

    Quote Originally Posted by mlyczko
    I'd like my user (user_t) to have another type (mytype_t) when he executes my program, which is sechmod_exec_t. What would this policy look like?

    PS. Sorry for my English.
    The most important rules would be:

    role user_r types mytype_t; # allow the user_r role the mytype_t type (RBAC)
    domtrans_pattern(user_t, sechmod_exec_t, mytype_t) # domain transition pattern which has the rules required to specify a domain transition (TE)

    ---------- Post added at 12:56 AM ---------- Previous post was at 12:39 AM ----------

    Here is an example template for such a policy, but with a user role prefix.

    The mytype.te (type enforcement file)

    Code:
    policy_module(mytype, 1.0.0)
    
    ########################################
    #
    # Declarations
    #
    
    type sechmod_exec_t; # we define the type for the executable file here because it is not prefixed.
    The mytype.fc file (file context file)

    Code:
    /usr/bin/sechmod -- gen_context(system_u:object_r:sechmod_exec_t,s0)
    The mytype.if file (interface file)

    Code:
    ## <summary>Mytype is a program that ....</summary>
    
    #######################################
    ## <summary>
    ##	The role template for the mytype module.
    ## </summary>
    ## <param name="role_prefix">
    ##	<summary>
    ##	The prefix of the user role (e.g., user
    ##	is the prefix for user_r).
    ##	</summary>
    ## </param>
    ## <param name="user_role">
    ##	<summary>
    ##	The role associated with the user domain.
    ##	</summary>
    ## </param>
    ## <param name="user_domain">
    ##	<summary>
    ##	The type of the user domain.
    ##	</summary>
    ## </param>
    #
    template(`mytype_role_template',`
    	gen_require(`
    		type sechmod_exec_t; # we are borrowing this type from the mytype.te file.
    	')
    
    	########################################
    	#
    	# declarations
    	#
    
    	type $1_mytype_t; # we define our prefixed domain types.
    	application_domain($1_mytype_t, sechmod_exec_t) # we make the defined prefixed domain type and executable file type a usable application domain. 
    	ubac_constrained($1_mytype_t) # this is for user based access control compatibility
    
    	role $2 types $1_mytype_t; # we allow the specified role the defined prefixed domain.
    
    	########################################
    	#
    	# policy
    	#
    
    	allow $1_mytype_t self:fifo_file rw_fifo_file_perms; # internal communication is often done with fifo files
     
    	domtrans_pattern($3, sechmod_exec_t, $1_mytype_t) # this actually specifies the domain transition
    
    	allow $3 $1_mytype_t:process { ptrace signal_perms }; # allow the calling user to send signals and ptrace the defined prefixed domain
    	ps_process_pattern($3, $1_mytype_t) # allow the calling user to stat the defined prefixed domain
    
    	miscfiles_read_localization($1_mytype_t) # allow the defined prefixed domain to read localization files (files with type local_t)
    ')
    The myuser.te file (type enforcement file) (custom loadable module to extend the existing user_t domain)

    Code:
    policy_module(myuser, 1.0.0)
    
    gen_require(`
            type user_t; # we borrow this type from the unprivuser module
            role user_r; # we borrow this role from the unprivuser module
    ')
    
    mytype_role_template(user, user_r, user_t) # we call the defined mytype_role_template for user_t
    Now when user_t runs sechmod_exec_t, user_t domain will transition to user_mytype_t domain.

    Then, when you are done perfecting the mytype module, you can for example copy the mytype.if file to /usr/share/selinux/devel/include/apps so that the compiler can find it, in case you want other users to use this policy.

    For example, if you later create a new user domain (for instance joe_t), then you can call the mytype_role_template for joe_t just like you did for user in the myuser.te file. Then joe would be allowed to execute sechmod_exec_t type files as well, and when he does, the joe_t domain will transition to joe_mytype_t.

    The prefixes help you to differentiate between the various user domains running the app. It allows you to specify different policy depending on who runs it, and it helps separate rules.

    For example, joe is allowed to ps joe_mytype_t processes but not user_mytype_t processes.
    Last edited by domg472; 8th March 2011 at 02:23 PM.
    Come join us on #fedora-selinux on irc.freenode.org
    http://docs.fedoraproject.org/selinu...ide/f10/en-US/

  3. #3
    Join Date
    Jan 2010
    Posts
    57

    Re: Domain transition problem

    What should this policy look like with a require block:

    Code:
    role user_r types mytype_t; # allow the user_r role the mytype_t type (RBAC)
    domtrans_pattern(user_t, sechmod_exec_t, mytype_t) # domain transition pattern which has the rules required to specify a domain transition (TE)
    Last edited by mlyczko; 9th March 2011 at 10:13 AM.

  4. #4
    Join Date
    May 2008
    Posts
    623

    Re: Domain transition problem

    Quote Originally Posted by mlyczko
    What should this policy look like with a require block:

    Code:
    role user_r types mytype_t; # allow the user_r role the mytype_t type (RBAC)
    domtrans_pattern(user_t, sechmod_exec_t, mytype_t) # domain transition pattern which has the rules required to specify a domain transition (TE)
    That depends on where you define this, but you will probably at least need to include the user_r role and the user_t type.

    gen_require(`
    role user_r;
    type user_t;
    ')

    The idea of requiring/including external types/roles is that if a type or role is not declared locally in the module and needs to be borrowed from elsewhere, then you need to require/include it.

  5. #5
    Join Date
    Jan 2010
    Posts
    57

    Re: Domain transition problem


  6. #6
    Join Date
    May 2008
    Posts
    623

    Re: Domain transition problem

    Ok so any idea what is wrong? I explained above.

    You are creating a new module and are using types that are not declared in the module. The compiler blows up and tells you that it does not know the mytype_t type. That makes sense because you are using it in your module without actually including it.

    You need to require all types and roles that you are using that are not declared in this particular module file:

    user_r
    user_t
    mytype_t
    sechmod_exec_t

    I am assuming that you have declared the mytype_t and sechmod_exec_t types in another module.

    Otherwise it would look something like my example in my first reply...

    ---------- Post added at 02:53 AM ---------- Previous post was at 02:50 AM ----------

    The mytype.te (type enforcement file)

    Code:
    policy_module(mytype, 1.0.0)
    
    ########################################
    #
    # Declarations
    #
    
    type sechmod_exec_t; # we define the type for the executable file here because it is not prefixed.
    The mytype.fc file (file context file)

    Code:
    /usr/bin/sechmod -- gen_context(system_u:object_r:sechmod_exec_t,s0)
    The mytype.if file (interface file)

    Code:
    ## <summary>Mytype is a program that ....</summary>
    
    #######################################
    ## <summary>
    ##	The role template for the mytype module.
    ## </summary>
    ## <param name="role_prefix">
    ##	<summary>
    ##	The prefix of the user role (e.g., user
    ##	is the prefix for user_r).
    ##	</summary>
    ## </param>
    ## <param name="user_role">
    ##	<summary>
    ##	The role associated with the user domain.
    ##	</summary>
    ## </param>
    ## <param name="user_domain">
    ##	<summary>
    ##	The type of the user domain.
    ##	</summary>
    ## </param>
    #
    template(`mytype_role_template',`
    	gen_require(`
    		type sechmod_exec_t; # we are borrowing this type from the mytype.te file.
    	')
    
    	########################################
    	#
    	# declarations
    	#
    
    	type $1_mytype_t; # we define our prefixed domain types.
    	application_domain($1_mytype_t, sechmod_exec_t) # we make the defined prefixed domain type and executable file type a usable application domain. 
    	ubac_constrained($1_mytype_t) # this is for user based access control compatibility
    
    	role $2 types $1_mytype_t; # we allow the specified role the defined prefixed domain.
    
    	########################################
    	#
    	# policy
    	#
    
    	allow $1_mytype_t self:fifo_file rw_fifo_file_perms; # internal communication is often done with fifo files
     
    	domtrans_pattern($3, sechmod_exec_t, $1_mytype_t) # this actually specifies the domain transition
    
    	allow $3 $1_mytype_t:process { ptrace signal_perms }; # allow the calling user to send signals and ptrace the defined prefixed domain
    	ps_process_pattern($3, $1_mytype_t) # allow the calling user to stat the defined prefixed domain
    
    	miscfiles_read_localization($1_mytype_t) # allow the defined prefixed domain to read localization files (files with type local_t)
    ')
    The myuser.te file (type enforcement file) (custom loadable module to extend the existing user_t domain)

    Code:
    policy_module(myuser, 1.0.0)
    
    gen_require(`
            type user_t; # we borrow this type from the unprivuser module
            role user_r; # we borrow this role from the unprivuser module
    ')
    
    mytype_role_template(user, user_r, user_t) # we call the defined mytype_role_template for user_t
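    As an added example (not code from the thread or from any SELinux tool), here is a small Python check that encodes the rule domg472 keeps repeating: every _t type and _r role that a plain (non-template) .te module references must either be declared in that module or borrowed in a gen_require block. The sample modules below are constructed, modelled on the trans/myuser modules discussed in this thread.

    ```python
    import re

    # Constructed sample: uses mytype_t and sechmod_exec_t without declaring
    # or requiring them, which is what makes the compiler "blow up".
    BROKEN_TE = """\
    policy_module(trans, 1.0.0)

    gen_require(`
        role user_r;   # borrowed from the unprivuser module
        type user_t;
    ')

    role user_r types mytype_t;
    domtrans_pattern(user_t, sechmod_exec_t, mytype_t)
    """

    # Same module with the two missing types borrowed via gen_require.
    FIXED_TE = BROKEN_TE.replace("    type user_t;\n",
                                 "    type user_t;\n    type mytype_t;\n    type sechmod_exec_t;\n")

    # `type foo_t;` / `role foo_r;` declarations (a `role x types y;` line
    # deliberately does not match, since it declares nothing).
    DECL_RE = re.compile(r'^\s*(type|role)\s+([A-Za-z0-9_$]+)\s*[;,]', re.M)
    # Any identifier that looks like a type (_t) or role (_r) reference.
    IDENT_RE = re.compile(r'(?<![\w$])[A-Za-z_]\w*_(?:t|r)\b')
    # Body of every gen_require(` ... ') block.
    REQUIRE_RE = re.compile(r"gen_require\(`(.*?)'\)", re.S)

    def strip_comments(text):
        """Drop '#' comments so words like local_t in comments are ignored."""
        return re.sub(r'#.*', '', text)

    def split_require(text):
        """Return (text inside gen_require blocks, text outside them)."""
        required = "".join(m.group(1) for m in REQUIRE_RE.finditer(text))
        return required, REQUIRE_RE.sub("", text)

    def missing_symbols(te_text):
        """Types/roles used in the module body that are neither declared
        locally nor listed in a gen_require block, sorted by name."""
        required_text, local_text = split_require(strip_comments(te_text))
        required = {m.group(2) for m in DECL_RE.finditer(required_text)}
        declared = {m.group(2) for m in DECL_RE.finditer(local_text)}
        used = set(IDENT_RE.findall(local_text))
        return sorted(used - declared - required)

    if __name__ == "__main__":
        for name, te in (("broken", BROKEN_TE), ("fixed", FIXED_TE)):
            print(name, "missing:", missing_symbols(te) or "nothing")
    ```
    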

  7. #7
    Join Date
    Jan 2010
    Posts
    57

    Re: Domain transition problem

    Last edited by mlyczko; 9th March 2011 at 12:01 PM.

  8. #8
    Join Date
    May 2008
    Posts
    623

    Re: Domain transition problem

    You are using "old style" policy module declarations. Please use new style policy module declarations:

    policy_module(trans, 1.0.0)

    not:

    module trans 1.0;

    ---------- Post added at 03:07 AM ---------- Previous post was at 03:05 AM ----------

    Old style policy module declarations require that you also include any classes and the permissions you use. New style policy module declarations do not require that you include classes/permissions, only types and roles.

    ---------- Post added at 03:08 AM ---------- Previous post was at 03:07 AM ----------

    Why not just look at my example above and modify that to meet your requirements?

  9. #9
    Join Date
    Jan 2010
    Posts
    57

    Re: Domain transition problem

    Now I can compile myuser.te and transition.te, but I get an error when I want to load both policies:
    http://screencast.com/t/zpyjSzRe7j

  10. #10
    Join Date
    May 2008
    Posts
    623

    Re: Domain transition problem

    You have created a myuser_u SELinux user and mapped the myuser_r role to this SELinux user.
    However, there is no such role. Use the user_r role instead.

    ---------- Post added at 04:29 AM ---------- Previous post was at 04:26 AM ----------

    Also it appears that mytype_t does not exist. You seem to have never declared it.

  11. #11
    Join Date
    Jan 2010
    Posts
    57

    Re: Domain transition problem

    I don't understand where "myuser_u" and "myuser_r" are.

    I added "type mytype_t" and I can load transition.pp, but when I want to load myuser.pp I get:
    http://screencast.com/t/oyPM6zXaQK

    My policies:
    http://screencast.com/t/dgtNKG1MYpdz
    http://screencast.com/t/E2AgUFuZr

    What do I need to change?

  12. #12
    Join Date
    May 2008
    Posts
    623

    Re: Domain transition problem

    Your trans module conflicts with my example mytype module...

    semodule -r trans

    Remove the trans module.

    If you just use the myuser module and the mytype module, it should for the most part work...

    Also see:

    semanage user -l | grep myuser

  13. #13
    Join Date
    Jan 2010
    Posts
    57

    Re: Domain transition problem


  14. #14
    Join Date
    May 2008
    Posts
    623

    Re: Domain transition problem

    So there you have it. Do you see what is going on?

    By installing my example myuser module you have to overwrite an old existing myuser module that you have installed.

    This causes the myuser_r role to be invalidated and then the myuser_u selinux user mapping is no longer valid.

    So you should remove the user mapping for myuser_u

    semanage user -d -L s0 -r s0 -R myuser_r -P user myuser_u

    and then install the new myuser module

    or rename the myuser policy module to myothernewuser policy module so that it will not try to replace the existing myuser policy module.

  15. #15
    Join Date
    Jan 2010
    Posts
    57

    Re: Domain transition problem

    Now I can load both policies.

    Both my policies:
    http://screencast.com/t/qyH03wVs
    http://screencast.com/t/jb81zeced0O

    My program:
    http://screencast.com/t/Ar0bckeBe1Hf

    When I run my program (as bartek) in one terminal, I see in another terminal (as bartek):
    http://screencast.com/t/10Dez68F

    I thought I would see mytype_t or something like this?
