coll2021 n00b
Joined: 29 May 2021 Posts: 7
Posted: Wed Jun 02, 2021 1:25 am Post subject: selinux custom domain can't transition
system info:
gentoo x86_64 recent version;
selinux mcs permissive mode;
------------------------------------------------------------------------------------------------------------------
custom selinux policy module:
trans.te
```
policy_module(trans, 1.0)
require {
	type init_t;
}
type a_t;
type a_exec_t;
type_transition init_t a_exec_t : process a_t;
allow init_t a_exec_t : file { read getattr execute open } ;
allow a_t a_exec_t : file { entrypoint } ;
allow init_t a_t : process { transition } ;
```
1. execute env: selinux: mcs, permissive mode;
   - `id -Z`: `sysadm_u:sysadm_r:sysadm_t`;
   - root tty1, no graphics (x11);
2. `make to trans.pp` succeeds!
3. `semodule -i trans.pp` generates error message:
```
nerverallow check failed at /var/lib/selinu/mcs/tmp/module/400/base/cil:4072
(nerverallow domain base_typeattr6 (process (fork transision ......)))
<root>
allow at /var/lib/selinux/mcs/tmp/module/400/trans/cil:10
(allow init_t a_t (process (transision)))
```
-----------------------------------------------------------------------------------------------------------
what I have tried
1. change mcs to strict SELINUXTYPE, same error message.
2. replace `init_t` source domain with a custom domain type (like xxx_t), same error message;
3. execute same "trans.te" on fedora-34 (mls, enforcing mode), build and load module succeed.
   - execute env
     - sudo su
     - id -Z: unconfined_u:unconfined_r:unconfined_t
---------------------------------------------------------------------------------------------------------------
question
1. what does `nerverallow base_typeattr6...` mean? why does the domain transition not work, did I miss something?
2. does it mean selinux in gentoo is experimental, and if someone goes to selinux they should just use fedora?
coll2021 n00b
Joined: 29 May 2021 Posts: 7
Posted: Wed Jun 02, 2021 5:30 am Post subject:

Anyone can help?
salam Apprentice
Joined: 29 Sep 2005 Posts: 226
Posted: Wed Jun 02, 2021 10:53 am Post subject:
Not sure which version is used, but this can give a hint:
`neverallow domain ~domain:process { transition dyntransition };`
a_t type should be given the domain attribute in the .te file
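Added example, not the poster's module and not code from the reference policy project: the trans.te above rewritten so that a_t carries the domain attribute the neverallow demands, using the reference policy interfaces domain_type(), domain_entry_file() and the domtrans_pattern() macro in place of the hand-written rules; it assumes a refpolicy-based build (the /usr/share/selinux/*/include headers) and that init_t runs in system_r.

```selinux
policy_module(trans, 1.1)

# Added example, not the poster's module: the same init_t -> a_t
# transition, with a_t declared as a real process domain.
gen_require(`
	type init_t;
	role system_r;
')

type a_t;
type a_exec_t;

# domain_type() gives a_t the `domain' attribute (and the basic
# self permissions every domain needs). Without it the rule
#   allow init_t a_t:process transition;
# names a non-domain target type and trips the base policy's
#   neverallow domain ~domain:process { transition dyntransition };
# which is exactly the "neverallow check failed" reported by semodule.
domain_type(a_t)

# a_exec_t becomes an executable file type and the entrypoint for a_t.
domain_entry_file(a_t, a_exec_t)

# init_t runs in system_r; the new domain must be allowed in that role
# or the transition is refused once the box is put in enforcing mode.
role system_r types a_t;

# domtrans_pattern() expands to the type_transition plus the
# file { execute ... } / process transition / entrypoint rules
# that the original module wrote out by hand.
domtrans_pattern(init_t, a_exec_t, a_t)
```

The refpolicy init_domain(a_t, a_exec_t) interface bundles these same rules into one call. After `semodule -i trans.pp` succeeds, `seinfo -adomain -x` (setools) should list a_t among the types carrying the domain attribute.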