Re: Policy tests failed

[Daniel Gil Mayol <daniel.gil-mayol@brunel.de>]

Hello, I still have some problems with the policy tests.

I am testing that a domain can execute files that are defined in the 
policy. For example, lets take tripwire. In the policy is defined that:

    can_exec($1_t, shell_exec_t);
    can_exec($1_t, bin_t);

That means that tripwire_t domain is allowed to execute files labeled 
with shell_exec_t and bin_t.

The test first relabel as shell_exec_t a copy that I made previously of 
/bin/ls (this copy is under my test directory):

    [root@cnsu PolicyTest]# chcon -u system_u -r object_r -t shell_exec_t ls

Then I try to execute ls (under the domain tripwire_t) over a file 
called '/policytest' defined as:

    -rw-r--r--  root     root     system_u:object_r:policy_test_t 
    policytest

where policy_test_t is:

    type policy_test_t, file_type;
    allow * policy_test_t:file getattr;

But this execution fail:

    [root@cnsu PolicyTest]# runcon -t tripwire_t ./ls /policytest
    execvp: Permission denied

The /var/log/messages shows this:

Nov  2 11:06:46 cnsu kernel: audit(1162465606.392:25664): avc:  denied  
{ entrypoint } for  pid=27705 comm="runcon" name="ls" dev=hda2 
ino=240308 scontext=root:system_r:tripwire_t 
tcontext=system_u:object_r:shell_exec_t tclass=file

The question is... should I define for all the services this file 
entrypoint or I am doing something wrong in my test?
I would like to avoid to write all these entrypoints.


Thanks for your help

Dani






--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.