From: lvrabec@redhat.com (Lukas Vrabec)
Date: Mon, 14 Dec 2015 16:00:28 +0100
Subject: [refpolicy] refpolicy interface help
In-Reply-To: <566ED240.8050009@yahoo.com>
References: <566D0441.8060600@yahoo.com> <566D7265.6070100@redhat.com> <566DED98.4010907@yahoo.com> <566EAE27.6070009@redhat.com> <566ED240.8050009@yahoo.com>
Message-ID: <566ED98C.6010508@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/14/2015 03:29 PM, Dan wrote:
> Yes, I am basically using audit2allow like this:
>
> sudo ausearch -m avc -ts 20:18 | audit2allow -r
>
> As for the AVCs, here they are:
>
> allow emacs_t user_home_t:file { read write create unlink open lock };
> allow emacs_t config_home_t:file { read write getattr open };
> allow emacs_t ssh_exec_t:file execute;
> allow emacs_t gpg_exec_t:file { execute getattr };
>
> I mean, am I wrong to think that allowing emacs to write to any type that
> is labeled user_home_t, or should I just allow it because it seems my
> interfaces aren't working with the transition? Basically what it comes
> down to is: if I confine any application with SELinux, what rule,
> interface, or macro do I need to use so I won't get any AVCs about that
> application writing to my user_home_t type. That is pretty much what I
> want to know. Thanks for helping me out.

Could you attach the output of:

$ ls -aZ | grep emacs

It should be something like:

$ ls -aZ | grep emacs
staff_u:object_r:emacs_home_t:s0 .emacs.d

If not, use the restorecon command, like:

$ restorecon -R -v .emacs.d    # run in your homedir

I believe .emacs.d has the wrong SELinux context.

Could you also show the AVC related to this rule:

allow emacs_t user_home_t:file { read write create unlink open lock };

Thank you.

>
> On 12/14/2015 06:55 AM, Lukas Vrabec wrote:
>>
>> On 12/13/2015 11:13 PM, Dan wrote:
>>> Yes, you are correct, it is the same denial before I added the
>>> interfaces, so what do you mean re-create the AVC messages?
>> Could you attach how exactly you are using the "audit2allow" command and also
>> the AVC messages?
>>> On 12/13/2015 08:28 AM, Lukas Vrabec wrote:
>>>> Hi,
>>>>
>>>> On 12/13/2015 06:38 AM, Dan wrote:
>>>>> Hello all, I am confining the application emacs using the SELinux
>>>>> refpolicy and I seem to be stuck on one little part. I get this one
>>>>> audit2allow rule that says:
>>>>>
>>>>> allow emacs_t user_home_t:file { rename write create read open };
>>>>>
>>>>> Now my problem with that rule is that I don't want my application to
>>>>> write or create files with the user_home_t type, so I decided to use an
>>>>> interface. The interfaces I used are these below:
>>>>>
>>>>> userdom_user_home_dir_filetrans(emacs_t, emacs_home_t, dir, ".emacs.d")
>>>>>
>>>>> userdom_user_home_content_filetrans(emacs_t, emacs_home_t, { file dir lnk_file })
>>>>>
>>>>> But the problem is, when I added these into my policy and tried to
>>>>> do an audit2allow on the most recent time and date, the denial was still
>>>>> there for some odd reason, and I don't know what interface, macro, or
>>>>> whatever to use to get rid of the denial
>>>>> allow emacs_t user_home_t:file { rename write create read open };
>>>>> Any help would be much appreciated.
>>>> If I understand this correctly, you are using audit2allow on the same
>>>> AVC msg that you used before adding the interface? If yes, this is correct
>>>> audit2allow behavior, because in the AVC msg the target context is user_home_t,
>>>> not emacs_home_t. So you need to re-create the AVC msgs.
>>>>
>>>> Regards,
>>>> Lukas Vrabec.
>>>>> Thanks.
>>>>> _______________________________________________
>>>>> refpolicy mailing list
>>>>> refpolicy at oss.tresys.com
>>>>> http://oss.tresys.com/mailman/listinfo/refpolicy

-- 
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.
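The point made twice in this thread is that audit2allow takes the target type of its allow rule straight from the tcontext field of each AVC record, so denials captured before the filetrans interfaces and restorecon took effect keep yielding user_home_t rules no matter what the policy now says. The following script is an added example, not code from the thread or from refpolicy: it summarizes AVC records offline and counts the ones whose target type is still user_home_t, which is a quick way to tell stale denials from ones that genuinely need a new rule. The three AVC lines embedded in it are constructed for the demonstration, not real audit output.

```shell
#!/bin/sh
# Added example (not from the thread): summarize AVC denials and flag those
# whose target type is still user_home_t. audit2allow derives the target
# type of the generated allow rule from the tcontext field, so such records
# will keep producing "allow emacs_t user_home_t:file ..." rules until the
# files are relabeled (restorecon) and fresh AVCs are collected.

# Constructed sample AVC records (not real audit log output).
SAMPLE_AVCS='type=AVC msg=audit(1450110000.123:401): avc:  denied  { write } for  pid=1234 comm="emacs" name="init.el" dev="dm-0" ino=1111 scontext=staff_u:staff_r:emacs_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1450110001.456:402): avc:  denied  { create } for  pid=1234 comm="emacs" name="recentf" scontext=staff_u:staff_r:emacs_t:s0 tcontext=staff_u:object_r:emacs_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1450110002.789:403): avc:  denied  { execute } for  pid=1234 comm="emacs" name="ssh" scontext=staff_u:staff_r:emacs_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=0'

# Read AVC records on stdin and print one line per denial:
#   <source type> <target type> <object class> <permissions>
# Only the type field (third colon-separated component) of each context is kept.
avc_summarize() {
    sed -n 's/.*denied[ ]*{ \([^}]*\) } .*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/\2 \3 \4 \1/p'
}

# Count the denials on stdin whose target is the generic home type user_home_t.
# A non-zero count after adding filetrans rules means the files were created
# before the rules existed (relabel them) or the AVCs predate the policy change.
stale_user_home_denials() {
    avc_summarize | awk '$2 == "user_home_t" { n++ } END { print n + 0 }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_AVCS" | avc_summarize
printf 'stale user_home_t denials: %s\n' \
    "$(printf '%s\n' "$SAMPLE_AVCS" | stale_user_home_denials)"
```

On a real system the input would come from `ausearch -m avc -ts <time>` as in the thread. Note that filetrans rules only label files created after the rules are loaded; anything .emacs.d already contained keeps its old user_home_t label until a relabel, which is why the reply asks for the `ls -aZ` output and suggests `restorecon -R -v .emacs.d` before collecting new AVCs.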