From: justinmattock@gmail.com (Justin P. Mattock) Date: Tue, 02 Dec 2008 09:31:21 -0800 Subject: [refpolicy] new svn refpolicy difficulties: In-Reply-To: <1228223603.9691.19.camel@gorn> References: <1228112352.3841.13.camel@unix> <1228223603.9691.19.camel@gorn> Message-ID: <1228239081.3015.2.camel@unix> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Tue, 2008-12-02 at 08:13 -0500, Christopher J. PeBenito wrote: > On Sun, 2008-11-30 at 22:19 -0800, Justin P. Mattock wrote: > > With the latest refpolicy, I'm > > able to have all of the allow rules > > during the boot process applied to the policy, > > but as soon as I add any of the allow rules > > after startx, with any role I'm denied > > with building the policy e.g. > > > > :ERROR 'type staff_dbusd_t is not within scope' at token ';' on line > > 2581459: > > > > I think this has to do with my policy/users > > file. (Where can I find info on setting a prefix?) > > I suspect it is actually related to this: > > http://marc.info/?l=selinux&m=122477138927253&w=2 > > What changes have you made (if any) to the policy? Also the > policy/modules.conf and build.conf? > Attached you will find the allow rules that I added to the policy. Hopefully it gives you a better idea of what I'm seeing. regards; -- Justin P. Mattock -------------- next part -------------- # monolithic policy compile, simple start system # open an aterm and use audit2allow -d to collect # allow rules. 
# Allow rules collected with audit2allow during boot of a monolithic
# policy build. Read together, most targets are either file_t (the
# type carried by files that have no label at all) or plain tmpfs_t /
# initrc_var_run_t, rather than the per-daemon types refpolicy would
# normally assign. That pattern is usually a labeling problem (a
# tmpfs on /dev or /var/run that was never labeled), so relabeling is
# the durable fix; granting each daemon access to unlabeled objects
# only papers over it. -- TODO confirm with ls -Z on /dev and /var/run

# --- daemons writing to tmpfs_t / initrc_var_run_t dirs, files and
# sockets (NetworkManager, avahi, cron, hald, klogd, restorecond,
# syslogd, udev). Presumably their runtime files under /var/run are
# ending up as tmpfs_t instead of each daemon's own *_var_run_t type.
allow NetworkManager_t initrc_var_run_t:dir search;
allow NetworkManager_t initrc_var_run_t:sock_file write;
allow NetworkManager_t tmpfs_t:dir { write search add_name };
allow NetworkManager_t tmpfs_t:file { write create };
allow NetworkManager_t tmpfs_t:sock_file write;
allow avahi_t initrc_var_run_t:dir search;
allow avahi_t initrc_var_run_t:sock_file write;
allow avahi_t tmpfs_t:dir { write search setattr create getattr add_name };
allow avahi_t tmpfs_t:file { read write create lock };
allow avahi_t tmpfs_t:sock_file { write create };
allow bluetooth_t tmpfs_t:dir search;
allow crond_t tmpfs_t:dir { write search add_name };
allow crond_t tmpfs_t:file { read write create getattr lock };
allow crond_t tmpfs_t:sock_file write;

# --- device-node access on unlabeled (file_t) chr_file objects.
# dmesg, fsadm, hostname, insmod, iptables, loadkeys, mount,
# restorecond, setfiles, hwclock, ifconfig and udev all hit this.
# Unlabeled device nodes are the usual sign that /dev was not labeled
# at boot; udev relabeling tmpfs_t / xserver_tmpfs_t nodes further
# down points the same way.
# NOTE(review): read/write on file_t:chr_file is not scoped to any
# particular device, so it is far broader than a rule on the device's
# proper type would be.
allow dmesg_t file_t:chr_file { read write };
allow fsadm_t file_t:chr_file { read write ioctl };
allow getty_t tmpfs_t:dir search;
allow hald_t initrc_var_run_t:dir { write remove_name add_name };
allow hald_t initrc_var_run_t:file { rename create unlink };
allow hald_t initrc_var_run_t:sock_file write;
allow hald_t tmpfs_t:sock_file write;
allow hald_t var_lib_t:file { read getattr };
allow hostname_t file_t:chr_file { read write };
# NOTE(review): same source/target/class as the
# "allow insmod_t file_t:chr_file { read write };" rule at the end of
# this group; the two could be merged into one rule.
allow insmod_t file_t:chr_file getattr;
allow insmod_t tty_device_t:chr_file { read write };
allow iptables_t file_t:chr_file { read write };
allow iptables_t var_lib_t:file { read getattr };
allow klogd_t initrc_var_run_t:dir { write search add_name };
allow klogd_t initrc_var_run_t:fifo_file read;
allow klogd_t initrc_var_run_t:file { read write create getattr lock };
# klogd searching src_t (kernel source tree) -- presumably looking for
# System.map; verify, since a log daemon normally has no business there.
allow klogd_t src_t:dir search;
allow klogd_t tmpfs_t:dir search;
allow klogd_t tmpfs_t:sock_file write;
allow loadkeys_t file_t:chr_file { read write ioctl getattr };
allow loadkeys_t file_t:dir search;
# NOTE(review): mount writing a plain etc_t file -- presumably
# /etc/mtab -- which would normally carry a runtime type; verify the
# label rather than allowing writes to etc_t in general.
allow mount_t etc_t:file { write append };
allow mount_t file_t:chr_file { read write };
# mounton a lib_t directory is unusual; check which mount point this
# came from before keeping it.
allow mount_t lib_t:dir mounton;
allow restorecond_t file_t:chr_file { read write ioctl };
allow restorecond_t tmpfs_t:dir { write add_name };
allow restorecond_t tmpfs_t:file { write create };
allow restorecond_t tmpfs_t:sock_file write;
allow setfiles_t file_t:chr_file { read write };
# syslogd dropping privileges with setuid/setgid -- expected if the
# daemon is configured to run as an unprivileged user; confirm.
allow syslogd_t self:capability { setuid setgid };
allow syslogd_t tmpfs_t:dir { write search add_name };
allow syslogd_t tmpfs_t:file { read write create getattr lock };
allow syslogd_t tmpfs_t:sock_file { create setattr };
allow udev_t hald_t:unix_dgram_socket { read write };
allow udev_t tmpfs_t:dir { write remove_name search getattr add_name };
allow udev_t xserver_tmpfs_t:dir { write getattr search add_name };
allow xauth_t user_tmp_t:file { write unlink };
# NOTE(review): execstack/execmem on the whole sysadm_t domain turns
# off the executable-memory checks for every program run in the admin
# role. Worth finding the single program that produced the denial
# before keeping a domain-wide allow.
allow sysadm_t self:process { execstack execmem };
allow apmd_t hald_t:dbus send_msg;
allow hald_t apmd_t:dbus send_msg;
allow hwclock_t file_t:chr_file { read write };
allow ifconfig_t file_t:chr_file { read write };
allow initrc_t sysadm_t:dbus send_msg;
allow loadkeys_t tmpfs_t:dir search;
allow mount_t etc_t:dir mounton;
allow mount_t initrc_var_run_t:dir mounton;
allow sysadm_t initrc_t:dbus send_msg;
# udev relabeling device nodes that currently carry xserver_tmpfs_t /
# tmpfs_t: consistent with /dev being an unlabeled tmpfs at the time
# udev runs.
allow udev_t xserver_tmpfs_t:chr_file { relabelfrom getattr };
allow insmod_t tmpfs_t:chr_file { read write getattr };
allow udev_t file_t:chr_file { read write };
allow udev_t tmpfs_t:chr_file { read write };
allow udev_t tmpfs_t:file { write getattr };
allow udev_t alsa_var_lib_t:dir { getattr search };
allow udev_t alsa_var_lib_t:file getattr;
allow udev_t initrc_var_run_t:dir search;
# NOTE(review): same source/target/class as the
# "allow udev_t tmpfs_t:chr_file { read write };" rule above; could
# be merged into one rule.
allow udev_t tmpfs_t:chr_file { relabelfrom getattr };
allow alsa_t tmpfs_t:dir search;
allow hwclock_t tmpfs_t:dir search;
allow insmod_t file_t:chr_file { read write };
# The system_dbusd_t rules (next group) compile without trouble; only
# the per-role <role>_dbusd_t rules fail -- see the checkpolicy error
# noted below.
# Rules for the system message bus (system_dbusd_t).
# NOTE(review): the first rule lets the bus daemon run the
# NetworkManager binary with execute_no_trans, i.e. without leaving
# its own domain, and the NetworkManager_log_t, net_admin/net_raw,
# packet_socket and netlink_route_socket rules that follow look like
# NetworkManager's own work being done inside system_dbusd_t. That
# suggests the bus-activated start of NetworkManager is missing a
# domain transition to NetworkManager_t. Adding the transition would
# make most of this group unnecessary and keep raw-socket and
# net_admin privileges out of the bus daemon's domain. -- verify
# against the audit log (look for the exe that generated the denials)
allow system_dbusd_t NetworkManager_exec_t:file { read execute execute_no_trans };
allow system_dbusd_t NetworkManager_log_t:file { getattr append };
allow system_dbusd_t NetworkManager_t:dbus send_msg;
allow system_dbusd_t hald_t:dbus send_msg;
allow system_dbusd_t initrc_var_run_t:dir { write search add_name };
allow system_dbusd_t initrc_var_run_t:file { write create getattr };
allow system_dbusd_t initrc_var_run_t:sock_file { write create setattr };
allow system_dbusd_t inotifyfs_t:dir getattr;
# A file under a lib directory executed in-domain -- probably a dbus
# helper living in a lib path; check whether it should be labeled
# bin_t instead.
allow system_dbusd_t lib_t:file execute_no_trans;
allow system_dbusd_t proc_net_t:file read;
allow system_dbusd_t self:capability { net_admin net_raw };
allow system_dbusd_t self:netlink_route_socket nlmsg_write;
allow system_dbusd_t self:packet_socket { bind create ioctl };
allow system_dbusd_t tmpfs_t:dir search;
allow system_dbusd_t tmpfs_t:sock_file write;
allow system_dbusd_t var_lib_t:file read;
allow system_dbusd_t var_log_t:dir search;
# The rules below give an error while compiling the policy
# with checkpolicy:
#
# :ERROR 'type sysadm_dbusd_t is not within scope' at token ';' on line 2581450:
#
# allow sysadm_dbusd_t gconf_etc_t:dir { read search getattr };
# checkpolicy: error(s) encountered while parsing configuration
#
# If the rule on the reported line is commented out, checkpolicy moves
# on to the next sysadm_dbusd_t rule and gives the same error.
# Rules for the sysadm role's session bus, ssh-agent and sudo.
# checkpolicy rejects every sysadm_dbusd_t rule with "type
# sysadm_dbusd_t is not within scope"; in a monolithic build that
# means the type is not declared in the policy being compiled. The
# per-role dbus types appear to be generated by a template, so these
# rules can only compile if that template is still instantiated for
# the sysadm role under the current refpolicy -- the thread linked in
# the mail likely covers the change; verify there before adding rules
# against this type by hand.
allow sysadm_dbusd_t gconf_etc_t:dir { read search getattr };
allow sysadm_dbusd_t gconf_etc_t:file { read getattr };
allow sysadm_dbusd_t gconf_home_t:dir { write search read remove_name getattr add_name };
allow sysadm_dbusd_t gconf_home_t:file { write getattr read create unlink append };
allow sysadm_dbusd_t initrc_var_run_t:dir search;
allow sysadm_dbusd_t initrc_var_run_t:sock_file write;
# A file under a lib directory executed in-domain -- probably a dbus
# helper; check whether it should be labeled bin_t.
allow sysadm_dbusd_t lib_t:file execute_no_trans;
allow sysadm_dbusd_t self:process getsched;
allow sysadm_dbusd_t self:unix_stream_socket connectto;
allow sysadm_dbusd_t session_dbusd_tmp_t:sock_file { write create };
allow sysadm_dbusd_t sysadm_t:dbus send_msg;
allow sysadm_dbusd_t sysadm_t:unix_stream_socket connectto;
allow sysadm_dbusd_t system_dbusd_t:dbus send_msg;
allow sysadm_dbusd_t system_dbusd_t:unix_stream_socket connectto;
allow sysadm_dbusd_t tmpfs_t:dir search;
allow sysadm_dbusd_t tmpfs_t:sock_file write;
# NOTE(review): the admin session bus and ssh-agent appending to
# user_home_t files and using user_tty_device_t suggests the sysadm
# session's home files and tty carry the generic user labels rather
# than sysadm's. That is plausibly the prefix question raised in the
# mail; check the labels with ls -Z before allowing cross-role access.
allow sysadm_dbusd_t user_home_t:file append;
allow sysadm_dbusd_t user_tty_device_t:chr_file { read write };
allow sysadm_dbusd_t var_lib_t:file { read getattr };
allow sysadm_ssh_agent_t tmpfs_t:dir search;
allow sysadm_ssh_agent_t user_home_t:file append;
# sudo asking the security server for an access decision -- expected
# when sudo is built with SELinux support; confirm.
allow sysadm_sudo_t security_t:security compute_av;
# NOTE(review): sudo executing su in its own domain (execute_no_trans,
# no transition). Only keep this if su is not meant to get its own
# domain in this configuration -- confirm.
allow sysadm_sudo_t su_exec_t:file { read execute execute_no_trans };
allow sysadm_sudo_t tmpfs_t:dir { write search create add_name };
allow sysadm_sudo_t tmpfs_t:file { write create };
allow sysadm_sudo_t tmpfs_t:sock_file write;
allow sysadm_sudo_t user_home_dir_t:dir search;