From: Cliffe <cliffe@ii.net>
To: selinux@tycho.nsa.gov
Subject: Help with SELinux policy for Usability Study
Date: Thu, 30 Jul 2009 11:50:40 +0800 [thread overview]
Message-ID: <4A711890.2030101@ii.net> (raw)
In-Reply-To: <200907300352.n6U3qvAC012682@tarius.tycho.ncsc.mil>
Dear SELinux Gurus,
I am a PhD candidate conducting research into the usability of security
mechanisms. I would really appreciate some help regarding the use of
SELinux. Let me know if this is not the right place to be asking these
types of questions.
I generated a policy for opera using polgengui. I then ran the generated
./opera.sh.
Although SELinux was still set to enforcing mode opera seemed to run
unconfined. The executable and process was labelled as expected
(unconfined_u:unconfined_r:opera_t). AVCs were generated, but not enforced.
I added to opera.te using
grep opera /var/log/audit/audit.log | audit2allow >> opera.te
and reran ./opera.sh
until no AVCs were generated.
Looking at opera.te I noticed the line “permissive opera_t”, and not
knowing exactly what this line does, I thought it may be placing this
domain into permissive mode (although the gui tools suggest otherwise).
Removing the line causes “/bin/sh: /usr/bin/opera: Permission denied”.
No AVCs are generated.
So I am not sure why opera seams to be unconfined, or if removing the
permissive line was on the right track. Any advice?
Also I tried creating a policy for kwrite. This time the created policy
seemed to be in effect as soon as I ran the kwrite.sh script. I set
setenforce 0 and added to kwrite.te (as above for opera) until no error
msgs were generated. Then I reran ./kwrite.sh. Now kwrite exists with
“kwrite(2533): Couldn’t register name ‘”org.kate-editor.kwrite-2533’”
with DBUS – another process owns it already!”. When setenforce 0 it runs
without AVCs.
Again I am sure I am missing something simple and your advice will help
a lot.
I need to resolve this asap and will really appreciate any advice.
Soon I will be running a comparative study comparing a number of
security mechanisms and I need to sort this out.
Thank you,
Cliffe.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next parent reply other threads:[~2009-07-30 11:36 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <200907300352.n6U3qvAC012682@tarius.tycho.ncsc.mil>
2009-07-30 3:50 ` Cliffe [this message]
2009-07-30 12:02 ` Help with SELinux policy for Usability Study Stephen Smalley
2009-07-30 14:24 ` Cliffe
2009-07-30 14:31 ` Cliffe
2009-07-30 14:44 ` Stephen Smalley
2009-07-30 17:30 ` Daniel J Walsh
2009-07-31 1:57 ` Cliffe
2009-07-31 12:40 ` Daniel J Walsh
2009-08-01 4:15 ` Cliffe
2009-07-30 17:39 ` Dominick Grift
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4A711890.2030101@ii.net \
--to=cliffe@ii.net \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.