Thanks very much, Matt, for both the patch and some review. I never
intended the unnecessary restriction and dropped the ball on fixing it.
Thanks,
George Wilson
IBM LTC Security Development
Matt Anderson
<***@hp.com>
Sent by: To
redhat-lspp-bounc redhat-***@redhat.com
***@redhat.com cc
Subject
05/16/07 18:52 [redhat-lspp] rbac-self-test
patches
Running the rbac-self-test on different systems, and with a slightly different procedure, turned up some issues; with help from George and Klaus they were resolved. The main difference was that I had been ssh'ing into the system as a user and using su to become root. This caused two problems: my terminal was sysadm_devpts_t rather than sysadm_tty_t, and my SELinux user was staff_u rather than root. Here are the patches I needed in order to get things working for me.
-matt
diff --git a/rbac-self-test/rbac-self-test b/rbac-self-test/rbac-self-test
index acdf59d..f01301c 100644
--- a/rbac-self-test/rbac-self-test
+++ b/rbac-self-test/rbac-self-test
@@ -74,13 +74,18 @@ class SelfTest:
self.program_name = os.path.basename(sys.argv[0])
self.read = False
self.write = True
- self.SystemHigh = 'SystemHigh'
- self.SystemLow = 'SystemLow'
self.expectSuccess = False
self.expectFailure = True
self.success = True
self.failure = False
self.failure_action_performed = False
+ self.SystemHigh = 'SystemHigh'
+ self.SystemLow = 'SystemLow'
+ self.aide_type = 'aide_t'
+ self.program_type = 'rbacselftest_t'
+ self.helperprogram_type = 'rbacselftesthelper_t'
+ self.selinux_user = selinux.getcon()[1].split(':')[0]
+ self.selinux_role = selinux.getcon()[1].split(':')[1]
return(None)
#
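Review bot: The two new `selinux.getcon()` calls never check the result, so a failed call (presumably rc != 0 with a None context, depending on the binding version) turns into an AttributeError on `.split` rather than a readable error; call it once and check it: `rc, con = selinux.getcon()` / `if rc != 0 or not con: raise OSError(rc, 'selinux.getcon() failed')` / `self.selinux_user, self.selinux_role = con.split(':')[:2]`. Deriving user and role from the invoking process also means a caller in some role other than sysadm_r will run the AIDE and helper steps in a context the policy in this patch was not written for, so logging the derived context, or refusing to run when `self.selinux_role != 'sysadm_r'`, would make such failures easier to interpret. The enclosing method starts before the hunk.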
@@ -358,7 +363,8 @@ class SelfTest:
if rc == 0:
try:
- rc = self.runcon("root:sysadm_r:aide_t:SystemHigh",
'/usr/sbin/aide', '--init')
+ context = self.selinux_user + ':' + self.selinux_role +
':' + self.aide_type + ':' + self.SystemHigh
+ rc = self.runcon(context, '/usr/sbin/aide', '--init')
except OSError, (oserrno, strerror):
self.message_log('Cannot initialize AIDE database, errno =
' + str(oserrno) + ': ' + strerror)
rc = oserrno
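Review bot: The context assembled on the new lines is the same four-part string that is built again for `--check` and for the two helper contexts further down, so a small method on the class, `def make_context(self, type_, level): return ':'.join((self.selinux_user, self.selinux_role, type_, level))`, called here as `self.make_context(self.aide_type, self.SystemHigh)`, would keep the call sites consistent and make it visible in one place that AIDE is deliberately run at SystemHigh. The `except OSError` branch only reports a failure to start aide; a denied transition into aide_t surfaces only through rc, so a log of the context before the runcon call would help when the derived user/role is not what the policy expects. The enclosing function starts before and continues past the hunk.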
@@ -397,7 +403,8 @@ class SelfTest:
rc = 0
try:
- rc = self.runcon("root:sysadm_r:aide_t:SystemHigh",
'/usr/sbin/aide', '--check')
+ context = self.selinux_user + ':' + self.selinux_role + ':' +
self.aide_type + ':' + self.SystemHigh
+ rc = self.runcon(context, '/usr/sbin/aide', '--check')
except OSError, (oserrno, strerror):
self.message_log('Cannot verify AIDE database, errno = ' +
str(oserrno) + ': ' + strerror)
rc = oserrno
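Review bot: Nothing in this path records which context the check ran under, and with the user and role now taken from the invoking process instead of being fixed to root:sysadm_r, a failed `--check` can be caused by an unexpected caller context as easily as by a database mismatch; a line such as `self.message_log('AIDE check running as ' + context)` before the runcon call would make the log self-explanatory. The enclosing function starts before and continues past the hunk.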
@@ -450,8 +457,8 @@ class SelfTest:
rc = 0
- context1 = 'root:sysadm_r:rbacselftest_t:' + level1
- context2 = 'root:sysadm_r:rbacselftesthelper_t:' + level2
+ context1 = self.selinux_user + ':' + self.selinux_role + ':' +
self.program_type + ':' + level1
+ context2 = self.selinux_user + ':' + self.selinux_role + ':' +
self.helperprogram_type + ':' + level2
if write == True:
testopname = 'write'
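Review bot: Each of the two context strings is built by seven `+` concatenations; `context1 = ':'.join((self.selinux_user, self.selinux_role, self.program_type, level1))` and the same form for context2 reads more easily and drops the separator bookkeeping. Both contexts now share the caller's user and role and differ only in type and level, which appears to be the intent of the patch, so a one-line comment, `# same user/role as the invoking process; only type and level differ`, would spare the next reader from wondering whether root:sysadm_r was dropped by accident. The enclosing function starts before and continues past the hunk.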
diff --git a/rbac-self-test/policy/rbacselftest.te
b/rbac-self-test/policy/rbacselftest.te
index de77b1f..8ee7477 100644
--- a/rbac-self-test/policy/rbacselftest.te
+++ b/rbac-self-test/policy/rbacselftest.te
@@ -110,7 +110,7 @@ allow rbacselftest_t var_run_t:file { getattr setattr
create read write };
# and more
allow rbacselftest_t self:fd use;
-allow rbacselftest_t self:process { noatsecure rlimitinh siginh };
+allow rbacselftest_t self:process { noatsecure rlimitinh setexec siginh };
allow rbacselftest_t sysadm_devpts_t:chr_file write;
allow rbacselftest_t sysadm_tty_device_t:chr_file { read write };
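Review bot: The added `setexec` lets rbacselftest_t set the execution context of whatever it executes, which is a permission worth explaining in the policy; a comment above the changed line, `# setexec: the test chooses the context of its aide_t / rbacselftesthelper_t children itself (presumably via setexeccon in runcon) instead of relying on a transition pinned to root:sysadm_r`, records why it is there. It is worth confirming that the `process transition` rules elsewhere in the module still bound which domains rbacselftest_t can reach, since setexec by itself does not widen them but does make the choice of target context a decision of the program rather than of the policy. The rules around this hunk continue outside the visible lines.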
@@ -140,9 +140,12 @@ allow rbacselftest_t rbacselftesthelper_t:process
transition;
allow rbacselftest_t rbacselftesthelper_t:process { noatsecure rlimitinh
siginh };
allow rbacselftesthelper_t local_login_t:fd use;
+allow rbacselftesthelper_t newrole_t:fd use;
allow rbacselftesthelper_t rbacselftest_t:process sigchld;
+allow rbacselftesthelper_t sysadm_devpts_t:chr_file { read write };
-allow rbacselftesthelper_t sysadm_tty_device_t:chr_file { read write };
+allow rbacselftesthelper_t sysadm_tty_device_t:chr_file { read write ioctl
getattr };
allow rbacselftesthelper_t rbacselftest_t:fd use;
+allow rbacselftesthelper_t rbacselftest_var_run_t:file { read write };
files_read_all_files(rbacselftesthelper_t)
libs_use_shared_libs(rbacselftesthelper_t)