98


Chapter 8. Customizing and Writing Policy


tcontext=system_u:system_r:syslogd_t tclass=capability


Jan 10 16:20:35 example kernel: audit(1009284205.210:0): \


avc:


denied


{ fsetid } for


pid=6109 exe=/sbin/syslog ng \


capability=4 scontext=system_u:system_r:syslogd_t \


tcontext=system_u:system_r:syslogd_t tclass=capability


...


Jan 10 16:20:35 example kernel: audit(1009284205.422:0): \


avc:


denied


{ search } for


pid=1411 exe=/bin/bash \


name=sbin dev=dm 0 ino=7356417 \


scontext=system_u:system_r:syslogd_t \


tcontext=system_u:object_r:sbin_t tclass=dir


Jan 10 16:20:35 example kernel: audit(1009284205.422:0): \


avc:


denied


{ getattr } for


pid=1411 exe=/bin/bash \


path=/bin/bash dev=dm 0 ino=1245248 \


scontext=system_u:system_r:syslogd_t \


tcontext=system_u:object_r:shell_exec_t tclass=file


Jan 10 16:20:35 example kernel: audit(1009284205.423:0): \


avc:


denied


{ getattr } for


pid=1411 exe=/bin/bash \


path=/bin/rm dev=dm 0 ino=1245243 \


scontext=system_u:system_r:syslogd_t \


tcontext=system_u:object_r:bin_t tclass=file


Jan 10 16:20:35 example kernel: audit(1009284205.423:0): \


avc:


denied


{ execute_no_trans } for


pid=1411 \


exe=/bin/bash path=/bin/rm dev=dm 0 ino=1245243 \


scontext=system_u:system_r:syslogd_t \


tcontext=system_u:object_r:bin_t tclass=file


Jan 10 16:20:35 example kernel: audit(1009284205.423:0): \


avc:


denied


{ read } for


pid=1411 exe=/bin/bash \


path=/bin/rm dev=dm 0 ino=1245243 \


scontext=system_u:system_r:syslogd_t \


tcontext=system_u:object_r:bin_t tclass=file


Running all of the audit messages through


audit2allow


generates a set of rules:


cd


/etc/selinux/targeted/src/policy/domains/misc/


audit2allow  i /var/log/messages  o ./local.te


cat local.te


allow syslogd_t bin_t:dir search;


allow syslogd_t bin_t:file { execute execute_no_trans getattr \


read };


allow syslogd_t bin_t:lnk_file read;


allow syslogd_t etc_runtime_t:file { getattr read };


allow syslogd_t proc_kmsg_t:file write;


allow syslogd_t proc_t:file { getattr read };


allow syslogd_t sbin_t:dir search;


allow syslogd_t shell_exec_t:file { execute execute_no_trans \


getattr read };


allow syslogd_t self:capability { chown fowner fsetid sys_admin };


allow syslogd_t usr_t:dir { add_name remove_name write };


allow syslogd_t usr_t:file { append create getattr read setattr \


unlink write };


Looking at the rules, you can see that there are two for execution permissions, and some other rules


that are associated by having the same object,


bin_t


. There is also a permission to search directories


of the type


sbin_t


, but no execution permissions.


From your reading of the available macros in


$SELINUX_SRC/macros/


, you know that


can_exec()


provides a common set of permissions for domains wishing to execute certain file types. This in 


cludes permissions that are likely to arise once the first set of basic rules are used. For example, after


audit2allow


generates a rule giving read permission to a process, the process often wants


getattr








footer






  


 


 


        

 


 

  

    

      
      
 Home 
      | About Us | Network 
      | Services | Support 
      | FAQ | Control Panel 
      | Order Online |
      Sitemap | Contact

      

      adult web hosting

      
 

    

  

  




Our partners: 
PHP: Hypertext Preprocessor Best Web Hosting
Java Web Hosting
Inexpensive Web Hosting 
Jsp Web Hosting 




Cheapest Web Hosting
Jsp Hosting
Cheap Hosting



Visionwebhosting.net Business web hosting division of Web 
Design Plus. All rights reserved