[refpolicy] refpolicy interface help

From: lvrabec@redhat.com (Lukas Vrabec)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] refpolicy interface help
Date: Mon, 14 Dec 2015 16:00:28 +0100	[thread overview]
Message-ID: <566ED98C.6010508@redhat.com> (raw)
In-Reply-To: <566ED240.8050009@yahoo.com>

On 12/14/2015 03:29 PM, Dan wrote:
> Yes I am basically using audit2allow like this:
>
> sudo ausearch -m avc -ts 20:18 | audit2allow -r
>
> As for the AVCs, here they are:
>
> allow emacs_t user_home_t:file { read write create unlink open lock };
> allow emacs_t config_home_t:file { read write getattr open };
> allow emacs_t ssh_exec_t:file execute
> allow emacs_t gpg_exec_t:file { execute getattr };
>
> I mean am I wrong to think that allowing emacs to write to any type that
> is labeled user_home_t, or should I just allow because it seems my
> interfaces aren't working with the transition. Basically what it comes
> down to is if I confine any application with selinux what rule,
> interface,macro do I need to use so I won't get any AVCs about that
> application writing to my user_home_t type. That is pretty much what I
> want to know. Thanks for helping me out.
Could you attach output of:
$ ls -aZ  | grep emacs

It should be something like:
$ ls -aZ  | grep emacs
            staff_u:object_r:emacs_home_t:s0 .emacs.d

if not, use command restorecon, like:
$ restorecon -R -v .emacs.d  # run in your homedir.

I believe .emacs.d has wrong SELinux context.

Could you also show AVC related to this rule:

allow emacs_t user_home_t:file { read write create unlink open lock };

Thank you.
>
> On 12/14/2015 06:55 AM, Lukas Vrabec wrote:
>>
>> On 12/13/2015 11:13 PM, Dan wrote:
>>> Yes, you are correct it is the same denial before I added the
>>> interfaces, so what do you mean re-create the AVC messages?
>> Could you attach how you exactly using "audit2allow" command and also
>> AVC messages?
>>> On 12/13/2015 08:28 AM, Lukas Vrabec wrote:
>>>> HI,
>>>>
>>>> On 12/13/2015 06:38 AM, Dan wrote:
>>>>> Hello all, I am confining the application emacs using the selinux
>>>>> refpolicy and I seem to be stuck on one little part. I get this one
>>>>> audit2allow rule that says allow emacs_t user_home_t:file { rename
>>>>> write
>>>>> create read open };
>>>>>
>>>>> Now my problem with that rule is that I don't want my application to
>>>>> write or create files with the user_home_t, so I decided to use an
>>>>> interface. The interfaces I used are these below:
>>>>>
>>>>> userdom_user_home_dir_filetrans(emacs_t, emacs_home_t, dir, ".emacs.d")
>>>>>
>>>>> userdom_user_home_content_filetrans(emacs_t, emacs_home_t, { file dir
>>>>> lnk_file })
>>>>>
>>>>>
>>>>>
>>>>> But the problem is when I added these into my policy and when trying to
>>>>> to an audit2allow on the most recent time and date the denial was still
>>>>> there for some odd reason and I don't know what interface, macro, or
>>>>> whatever to use to get rid of the denial allow emacs_t user_home_t:file
>>>>> { rename write create read open }; Any help would be much appreciated.
>>>> If I understand this correctly, you are using audit2allow on the same
>>>> AVC msg, that you used before adding interface? If yes, this is correct
>>>> audit2allow behavior, because in AVC msg is target context user_home_t
>>>> not emacs_home_t. So you need to re-create AVC msgs.
>>>>
>>>> Regards,
>>>> Lukas Vrabec.
>>>>> Thanks.
>>>>> _______________________________________________
>>>>> refpolicy mailing list
>>>>> refpolicy at oss.tresys.com
>>>>> http://oss.tresys.com/mailman/listinfo/refpolicy

-- 
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.