Chapter 8. Customizing and Writing Policy
tcontext=system_u:system_r:syslogd_t tclass=capability
Jan 10 16:20:35 example kernel: audit(1009284205.210:0): \
    avc: denied { fsetid } for pid=6109 exe=/sbin/syslog-ng \
    capability=4 scontext=system_u:system_r:syslogd_t \
    tcontext=system_u:system_r:syslogd_t tclass=capability
...
Jan 10 16:20:35 example kernel: audit(1009284205.422:0): \
    avc: denied { search } for pid=1411 exe=/bin/bash \
    name=sbin dev=dm-0 ino=7356417 \
    scontext=system_u:system_r:syslogd_t \
    tcontext=system_u:object_r:sbin_t tclass=dir
Jan 10 16:20:35 example kernel: audit(1009284205.422:0): \
    avc: denied { getattr } for pid=1411 exe=/bin/bash \
    path=/bin/bash dev=dm-0 ino=1245248 \
    scontext=system_u:system_r:syslogd_t \
    tcontext=system_u:object_r:shell_exec_t tclass=file
Jan 10 16:20:35 example kernel: audit(1009284205.423:0): \
    avc: denied { getattr } for pid=1411 exe=/bin/bash \
    path=/bin/rm dev=dm-0 ino=1245243 \
    scontext=system_u:system_r:syslogd_t \
    tcontext=system_u:object_r:bin_t tclass=file
Jan 10 16:20:35 example kernel: audit(1009284205.423:0): \
    avc: denied { execute_no_trans } for pid=1411 \
    exe=/bin/bash path=/bin/rm dev=dm-0 ino=1245243 \
    scontext=system_u:system_r:syslogd_t \
    tcontext=system_u:object_r:bin_t tclass=file
Jan 10 16:20:35 example kernel: audit(1009284205.423:0): \
    avc: denied { read } for pid=1411 exe=/bin/bash \
    path=/bin/rm dev=dm-0 ino=1245243 \
    scontext=system_u:system_r:syslogd_t \
    tcontext=system_u:object_r:bin_t tclass=file
Running all of the audit messages through audit2allow generates a set of rules:

cd /etc/selinux/targeted/src/policy/domains/misc/
audit2allow -i /var/log/messages -o ./local.te
cat local.te
allow syslogd_t bin_t:dir search;
allow syslogd_t bin_t:file { execute execute_no_trans getattr \
    read };
allow syslogd_t bin_t:lnk_file read;
allow syslogd_t etc_runtime_t:file { getattr read };
allow syslogd_t proc_kmsg_t:file write;
allow syslogd_t proc_t:file { getattr read };
allow syslogd_t sbin_t:dir search;
allow syslogd_t shell_exec_t:file { execute execute_no_trans \
    getattr read };
allow syslogd_t self:capability { chown fowner fsetid sys_admin };
allow syslogd_t usr_t:dir { add_name remove_name write };
allow syslogd_t usr_t:file { append create getattr read setattr \
    unlink write };
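As an added example (not code from the guide or from audit2allow itself), the following Python script re-implements the core of what audit2allow does to the denials above: it parses each AVC message, merges the permissions for every (source type, target type, class) triple into one allow rule, and separately lists the rules that would grant execute access, since those widen the syslogd_t domain the most and deserve a review before they are added to policy. The sample messages are constructed from the ones shown on this page.

```python
import re
from collections import defaultdict

# Constructed sample denials in the format shown above, one message per line.
SAMPLE_AVC = """\
Jan 10 16:20:35 example kernel: audit(1009284205.210:0): avc: denied { fsetid } for pid=6109 exe=/sbin/syslog-ng capability=4 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=capability
Jan 10 16:20:35 example kernel: audit(1009284205.422:0): avc: denied { search } for pid=1411 exe=/bin/bash name=sbin dev=dm-0 ino=7356417 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:sbin_t tclass=dir
Jan 10 16:20:35 example kernel: audit(1009284205.423:0): avc: denied { getattr } for pid=1411 exe=/bin/bash path=/bin/rm dev=dm-0 ino=1245243 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:bin_t tclass=file
Jan 10 16:20:35 example kernel: audit(1009284205.423:0): avc: denied { execute_no_trans } for pid=1411 exe=/bin/bash path=/bin/rm dev=dm-0 ino=1245243 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:bin_t tclass=file
Jan 10 16:20:35 example kernel: audit(1009284205.423:0): avc: denied { read } for pid=1411 exe=/bin/bash path=/bin/rm dev=dm-0 ino=1245243 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:bin_t tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)
EXEC_PERMS = {"execute", "execute_no_trans"}  # grants worth a human look

def parse_avc(text):
    """Yield (source_type, target_type, tclass, perms) per denial; a context is user:role:type."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (m["scon"].split(":")[2], m["tcon"].split(":")[2],
                   m["tclass"], set(m["perms"].split()))

def aggregate(text):
    """Merge denials into {(stype, ttype, tclass): perms}, as audit2allow does."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc(text):
        if ttype == stype:  # the policy language spells a domain's own type as 'self'
            ttype = "self"
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)

def render(rules):
    """Format merged rules as allow statements, sorted for stable output."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {p};")
    return out

def needs_review(rules):
    """Rules that would grant execute access; check these before adding them to policy."""
    return sorted(k for k, perms in rules.items() if perms & EXEC_PERMS)
```

Running render(aggregate(SAMPLE_AVC)) reproduces the bin_t, sbin_t and self:capability rules in the audit2allow output above, and needs_review() singles out the bin_t:file rule as the one to weigh against a macro such as can_exec() rather than adopt verbatim.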
Looking at the rules, you can see that there are two for execution permissions, and some other rules that are associated by having the same object, bin_t. There is also a permission to search directories of the type sbin_t, but no execution permissions.

From your reading of the available macros in $SELINUX_SRC/macros/, you know that can_exec() provides a common set of permissions for domains wishing to execute certain file types. This includes permissions that are likely to arise once the first set of basic rules are used. For example, after audit2allow generates a rule giving read permission to a process, the process often wants getattr