SELinux Mailing List - NSA/CSS

Skip All Menus Skip Top Menu

Top Navigation Menus

Skip Research Menus

Research Menu

Research Security Enhanced Linux What's New Frequently Asked Questions Background Documents License Download Participating Mail List Archives Remaining Work Contributors Related Work Press Releases Information Assurance Research NIARL In-house Research Areas Mathematical Sciences Program Sabbaticals Computer & Information Sciences Research Technology Transfer Advanced Computing Advanced Mathematics Communications & Networking Information Processing Microelectronics Other Technologies Technology Fact Sheets Publications Related Links	Skip Search Box Searchbox SELinux Mailing List Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] From: Westerman, Mark <Mark.Westerman_at_csoconline.com> subject: SeLinux Question Date: Mon, 12 Feb 2001 12:58:10 -0600 This message: [ Message body ] Next message: Stephen Smalley: "Re: SeLinux Question" Previous message: Johnathon Day: "Re: Looking to help with a crypto design" Next in thread: Stephen Smalley: "Re: SeLinux Question" Reply: Stephen Smalley: "Re: SeLinux Question" Reply: Jen Salois: "Re: SeLinux Question" To all, I have been try to get selinux running on a Redhat 7 box. I have the kernel running in debug mode and i am try to get rid of the denied messages I am work on the /sbin/hwclock program. Thanks Mark Westerman mark.westerman@csoconline.com Here are the rules file: domains/system/hwclock.te ################################# # # Rules for the hwclock_t domain. # type hwclock_t, domain, privlog; type hwclock_exec_t, file_type, sysadmfile, exec_type; # Use capabilities. allow hwclock_t self:capability { sys_admin }; # Inherit and use descriptors from init. #allow hwclock_t init_t:fd inherit_fd_perms; # Use a pipe created by initrc_t. #allow hwclock_t initrc_t:pipe rw_file_perms; # Read and write ttys. allow hwclock_t tty_device_t:chr_file rw_file_perms; file: domains/system/initrc.te domain_auto_trans(initrc_t, hwclock_exec_t, hwclock_t) file: file_context /sbin/hwclock system_u:object_r:hwclock_exec_t ls --scontext /sbin/hwclock system_u:object_r:hwclock_exec_t /sbin/hwclock file: /var/log/messages security_compute_sid: invalid context system_u:system_r:hwclock_t for scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:hwclock_exec_t tclass=process -- You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. From: Stephen Smalley <sds_at_tislabs.com> subject: Re: SeLinux Question Date: Mon, 12 Feb 2001 14:13:09 -0500 (EST) This message: [ Message body ] Next message: Jen Salois: "Re: SeLinux Question" Previous message: Westerman, Mark: "SeLinux Question" In reply to: Westerman, Mark: "SeLinux Question" Next in thread: Jen Salois: "Re: SeLinux Question" You need to add the hwclock_t type to the definition of the system_r role in policy/rbac. By the way, we are currently preparing an updated release based on the 2.4.1 kernel. The old 2.2 patch will also be updated in the new release for 2.2.18. -- Stephen D. Smalley, NAI Labs sds@tislabs.com On Mon, 12 Feb 2001, Westerman, Mark wrote: > To all, > > I have been try to get selinux running on a Redhat 7 box. I have the > kernel running in debug mode and i am try to get rid of the denied messages > > I am work on the /sbin/hwclock program. > > Thanks > Mark Westerman > mark.westerman@csoconline.com > > > > Here are the rules > > > file: domains/system/hwclock.te > ################################# > # > # Rules for the hwclock_t domain. > # > type hwclock_t, domain, privlog; > type hwclock_exec_t, file_type, sysadmfile, exec_type; > > # Use capabilities. > allow hwclock_t self:capability { sys_admin }; > > # Inherit and use descriptors from init. > #allow hwclock_t init_t:fd inherit_fd_perms; > > # Use a pipe created by initrc_t. > #allow hwclock_t initrc_t:pipe rw_file_perms; > > # Read and write ttys. > allow hwclock_t tty_device_t:chr_file rw_file_perms; > > > file: domains/system/initrc.te > > domain_auto_trans(initrc_t, hwclock_exec_t, hwclock_t) > > > file: file_context > /sbin/hwclock system_u:object_r:hwclock_exec_t > > > ls --scontext /sbin/hwclock > > system_u:object_r:hwclock_exec_t /sbin/hwclock > > > file: /var/log/messages > > security_compute_sid: invalid context system_u:system_r:hwclock_t > for scontext=system_u:system_r:initrc_t > tcontext=system_u:object_r:hwclock_exec_t tclass=process > > > -- > You have received this message because you are subscribed to the selinux list. > If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with > the words "unsubscribe selinux" without quotes as the message. > -- You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. From: Jen Salois <jsalois_at_mitre.org> subject: Re: SeLinux Question Date: Mon, 12 Feb 2001 14:40:50 +0000 This message: [ Message body ] Next message: Westerman, Mark: "hwclock" Previous message: Stephen Smalley: "Re: SeLinux Question" In reply to: Westerman, Mark: "SeLinux Question" Mark, I am assuming that hwclock is getting started from an init script, since I see the transition of initrc_t to the hwclock_t. Well when the hwclock is started by an init script it is also inheriting the role from initrc. The role this operates under is system_r. Also the error message is saying there is no hwclock_t associated with the system_r role. What you need to do is have a role transition in the policy also. You do a role transition in the rbac file. It is in the form of role_transition current_role program_type new_role; Hope that helps. Thanks Jen > To all, > > I have been try to get selinux running on a Redhat 7 box. I have the > kernel running in debug mode and i am try to get rid of the denied messages > > I am work on the /sbin/hwclock program. > > Thanks > Mark Westerman > mark.westerman@csoconline.com > > Here are the rules > > file: domains/system/hwclock.te > ################################# > # > # Rules for the hwclock_t domain. > # > type hwclock_t, domain, privlog; > type hwclock_exec_t, file_type, sysadmfile, exec_type; > > # Use capabilities. > allow hwclock_t self:capability { sys_admin }; > > # Inherit and use descriptors from init. > #allow hwclock_t init_t:fd inherit_fd_perms; > > # Use a pipe created by initrc_t. > #allow hwclock_t initrc_t:pipe rw_file_perms; > > # Read and write ttys. > allow hwclock_t tty_device_t:chr_file rw_file_perms; > > file: domains/system/initrc.te > > domain_auto_trans(initrc_t, hwclock_exec_t, hwclock_t) > > file: file_context > /sbin/hwclock system_u:object_r:hwclock_exec_t > > ls --scontext /sbin/hwclock > > system_u:object_r:hwclock_exec_t /sbin/hwclock > > file: /var/log/messages > > security_compute_sid: invalid context system_u:system_r:hwclock_t > for scontext=system_u:system_r:initrc_t > tcontext=system_u:object_r:hwclock_exec_t tclass=process > > -- > You have received this message because you are subscribed to the selinux list. > If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with > the words "unsubscribe selinux" without quotes as the message. -- You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]
	Date Posted: Jan 15, 2009 \| Last Modified: Jan 15, 2009 \| Last Reviewed: Jan 15, 2009

bottom