From: Paul Krumviede <pwk@acm.org>
To: selinux <selinux@tycho.nsa.gov>
Subject: use of ps in ipsec shutdown
Date: Fri, 30 Nov 2001 10:44:33 -0800 [thread overview]
Message-ID: <136698191.1007117073@localhost> (raw)
i've been experimenting with the freeswan-1.91 ipsec implementation
in some of the more recent selinux releases, including the latest 2.4.14
one, and, after making some changes to the supplied ipsec policy,
have come across something i don't yet know how to handle.
i noticed that the supplied policy left some processes in the
initrc_t domain, such as _plutorun and _plutoload. i also noticed
that the ipsec startup script invokes logger, and that whack,
running in the initrc_t domain, was being denied permission
to connect to the socket set up by pluto. so i labeled the
/usr/local/sbin/ipsec script, whack, _plutoload, _plutoread
and whack as ipsec_exec_t types, and allowed ipsec_t
to execute shells, bin_t and sbin_t things (the latter in part
because the default label of things in /usr/local/lib/ipsec
is sbin_t). this seems to have fixed all the things decribed
above (although i'm open to suggestions as to alternative
approaches).
i also noticed that _startklips wanted (limited) access
to /proc/sys/net/ipsec/icmp, so i gave some sysctl
access.
i later noticed a number of avc denials at shutdown
when ps, apparently run out of _realsetup, is attempting
to read some of the process information. for example, i see
avc: denied { getattr } for pid=2358 exe=/bin/ps path=/1 dev=00:03
ino=65538
scontext=system_u:system_r:ipsec_t
tcontext=system_u:system_r:init_t
tclass=dir
avc: denied { search } for pid=2358 exe=/bin/ps path=/1 dev=00:03
ino=65538
scontext=system_u:system_r:ipsec_t
tcontext=system_u:system_r:init_t
tclass=dir
avc: denied { read } for pid=2358 exe=/bin/ps path=/1/stat dev=00:03
ino=65547
scontext=system_u:system_r:ipsec_t
tcontext=system_u:system_r:init_t
tclass=file
and this repeats for a few other processes with different
tcontexts (e.g., kernel_t and pump_t). running ps (/bin/ps
and /usr/local/selinux/bin/ps) as a user from a shell doesn't
have this problem, and i don't understand the the difference.
before the changes mentioned above, this shutdown behavior
wasn't happening.
i'd appreciate suggestions as to how to address this behavior
at shutdown.
i'd be happy to share the changed/new policy files when i
have them working (or earlier if anybody so desires).
-paul
--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next reply other threads:[~2001-11-30 18:45 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2001-11-30 18:44 Paul Krumviede [this message]
2001-12-03 14:23 ` use of ps in ipsec shutdown Stephen Smalley
2001-12-03 15:40 ` Paul Krumviede
[not found] <72222DC86846D411ABD300A0C9EB08A101524252@csoc-mail-box.csoconli ne.com>
2001-11-30 20:39 ` Westerman, Mark
2001-11-30 21:06 ` Paul Krumviede
2001-12-03 14:26 ` Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=136698191.1007117073@localhost \
--to=pwk@acm.org \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.