
Why does my simple policy module for a script I created not only not run but I can't kill the process?

asked 2014-02-14 17:23:09 -0500 by eliascaplan465

updated 2014-09-30 15:08:23 -0500 by mether

Here is what I have so far, and the only SELinux denial I got was for a rule which I had already allowed, the file entrypoint rule:

    policy_module(test, 1.0)

    gen_require(`
        type unconfined_t;
        type fs_t;
        role unconfined_r;
    ')

    type test_t;
    type test_exec_t;

    type_transition unconfined_t test_exec_t:process test_t;

    allow test_exec_t fs_t:filesystem associate;
    allow unconfined_t test_exec_t:file { getattr read open execute write };
    allow unconfined_t test_t:process transition;
    allow unconfined_t test_exec_t:file relabelto;
    allow test_t test_exec_t:file entrypoint;

    role unconfined_r types test_t;


1 Answer


answered 2014-02-15 01:43:35 -0500 by domg

updated 2014-02-15 04:07:57 -0500

The concept of "attributes" (together with the concept of "prevent by default")

Attributes are like "tags" and can be used to group security identifiers. For example, type attributes enable you to group types, and role attributes enable you to group roles.

By grouping security identifiers you can write rules that apply to groups of security identifiers instead of the usual individual security identifiers.

The existing policy already relies heavily on an existing group of attributes.

Some of the more common type attributes are:



You can list all existing type attributes with the command seinfo -xa | less

The existing policy already has rules associated with those attributes. This effectively means that by just associating your new type with an existing type attribute, you actually add a whole bunch of rules to your new module.

The unconfined_t process cannot kill the test_t process because the test_t process is not associated with the domain attribute, and there is a rule in the existing policy that states that a process can only be killed if the type associated with that process is associated with the domain type attribute.

Here is that rule:

neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *;

It says never allow "domain" and unlabeled_t to do anything to target processes unless the target processes are either associated with the domain type attribute or if they are associated with the unlabeled_t type.

So to work around this existing neverallow rule, either associate test_t with the domain type attribute or associate the process with the unlabeled_t type (the latter is not recommended, for reasons that are beyond the scope of the topic).

The disadvantage of using existing type attributes is that you lose a little bit of flexibility, because by associating an existing attribute with your type you add all the rules associated with that attribute.

Anyhow, it takes a bit of getting used to the concept of attributes, together with the concept of "deny by default". Then there are also a couple other concepts that take getting used to.

But you should probably start by associating the existing domain type attribute with your test_t type, and by associating the existing file_type and exec_type attributes with your test_exec_t type (it's not strictly a requirement, but it is, I believe, the answer to your question):

    gen_require(`
        attribute domain, file_type, exec_type;
    ')

    typeattribute test_t domain;
    typeattribute test_exec_t file_type;
    typeattribute test_exec_t exec_type;

If you do seinfo -xa, you might ask what all those attributes mean. You can use the sesearch command, which is part of the setools-console package, to query the policy for rules where a particular attribute, or the types or roles associated with a particular attribute, are the source or the target in an operation or interaction.

For example, what does it mean for my type when I associate the domain type attribute with it?

    sesearch -ASCT -d -s domain   # (almost) all allow and type transition TE rules where "domain" is the source
    sesearch -ASCT -d -t domain   # (almost) all allow and type transition TE rules ...

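As an added example (not code from the question, the answer or the SELinux project), here is a small Python model of type attributes that loads a constructed stand-in for the slice of the reference policy the answer refers to, then loads the asker's module, and answers the two questions raised above: can unconfined_t send sigkill to test_t, and does the module trip the quoted neverallow rule. Everything in BASE is constructed for the example (in particular the allow rule that hangs unconfined_t's process permissions off the domain attribute stands in for the real policy's rules), the supported grammar is the minimum needed here, and the asker's module is reproduced without its m4 wrapper because the model does not expand policy_module()/gen_require().

```python
"""Toy model of SELinux type attributes and neverallow checking.  Added example, not code
from the question, the answer or the SELinux project.  It knows just enough TE syntax
(attribute, type [, attr ...], typeattribute, allow, neverallow; sets may be a name,
'{ a b }' or '~{ a b }'); other statements, m4 wrappers included, are skipped."""
import re

SET = r"(~?(?:\{[^}]*\}|\w+))"
PERMS = r"(\{[^}]*\}|\*|\w+)"
RULE_RE = re.compile(r"^(allow|neverallow)\s+" + SET + r"\s+" + SET + r":(\w+)\s+" + PERMS + "$")
TYPE_RE = re.compile(r"^type\s+(\w+)((?:\s*,\s*\w+)*)$")
TYPEATTR_RE = re.compile(r"^typeattribute\s+(\w+)\s+(\w+(?:\s*,\s*\w+)*)$")


class Policy:
    def __init__(self):
        self.types = set()
        self.attributes = {}  # attribute name -> set of member types
        self.rules = []       # (kind, src_expr, tgt_expr, class, perms or None for '*')

    def load(self, text):
        """Parse TE statements; statements the model does not know are skipped."""
        for raw in re.sub(r"#.*", "", text).split(";"):
            stmt = " ".join(raw.split())
            if m := TYPE_RE.match(stmt):
                self.types.add(m.group(1))
                for attr in re.findall(r"\w+", m.group(2)):
                    self.attributes.setdefault(attr, set()).add(m.group(1))
            elif m := TYPEATTR_RE.match(stmt):
                for attr in re.findall(r"\w+", m.group(2)):
                    self.attributes.setdefault(attr, set()).add(m.group(1))
            elif stmt.startswith("attribute "):
                self.attributes.setdefault(stmt.split()[1], set())
            elif m := RULE_RE.match(stmt):
                kind, src, tgt, cls, perms = m.groups()
                perms = None if perms == "*" else set(re.findall(r"\w+", perms))
                self.rules.append((kind, src, tgt, cls, perms))
        return self

    def resolve(self, expr):
        """Expand a set expression to concrete types; a leading '~' complements it."""
        members = set()
        for name in re.findall(r"\w+", expr):
            if name in self.attributes:
                members |= self.attributes[name]
            elif name in self.types:
                members.add(name)
            else:
                raise KeyError("unknown type or attribute: " + name)
        return self.types - members if expr.startswith("~") else members

    def allowed(self, src, tgt, cls, perm):
        """True if some allow rule grants src -> tgt:cls perm after attribute expansion."""
        return any(kind == "allow" and c == cls and (perms is None or perm in perms)
                   and src in self.resolve(s) and tgt in self.resolve(t)
                   for kind, s, t, c, perms in self.rules)

    def neverallow_violations(self):
        """Allow rules intersecting a neverallow; checkpolicy/semodule reject these when
        the policy is assembled, unless semanage.conf sets expand-check=0."""
        hits = []
        for _, ns, nt, ncls, nperms in [r for r in self.rules if r[0] == "neverallow"]:
            for allow in [r for r in self.rules if r[0] == "allow"]:
                _, s, t, cls, perms = allow
                if cls != ncls or (nperms is not None and perms is not None and not nperms & perms):
                    continue
                if self.resolve(ns) & self.resolve(s) and self.resolve(nt) & self.resolve(t):
                    hits.append(allow)
        return hits


# Constructed stand-in for the slice of the reference policy that matters here.
BASE = """
attribute domain; type unconfined_t, domain; type unlabeled_t; type fs_t, file_type;
neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *;
allow unconfined_t domain:process { signal sigkill sigstop sigchld };
"""
# The asker's module with its m4 wrapper (policy_module/gen_require) removed.
ASKER_MODULE = """
type test_t; type test_exec_t;
allow test_exec_t fs_t:filesystem associate;
allow unconfined_t test_exec_t:file { getattr read open execute write };
allow unconfined_t test_t:process transition;
allow unconfined_t test_exec_t:file relabelto;
allow test_t test_exec_t:file entrypoint;
"""
# The answer's fix: attach the existing attributes to the new types.
FIX = "typeattribute test_t domain; typeattribute test_exec_t file_type; typeattribute test_exec_t exec_type;"


def check(module_text):
    """Load the stand-in base plus a module: may unconfined_t sigkill test_t, and how
    many of the resulting allow rules trip a neverallow?"""
    pol = Policy().load(BASE).load(module_text)
    return {"can_kill": pol.allowed("unconfined_t", "test_t", "process", "sigkill"),
            "violations": len(pol.neverallow_violations())}


if __name__ == "__main__":
    print("asker's module:", check(ASKER_MODULE))        # can_kill False, 1 violation
    print("with the fix:  ", check(ASKER_MODULE + FIX))  # can_kill True, 0 violations
```

Run stand-alone, the script shows the asker's module with no route from unconfined_t to test_t:process sigkill (the base rule only reaches members of domain) and one allow rule, `allow unconfined_t test_t:process transition;`, landing inside `~{ domain unlabeled_t }`; after the single `typeattribute test_t domain;` both results flip. The `resolve()` method is the part worth keeping in mind when reading sesearch output: an attribute in a rule is nothing more than the set of types currently carrying it, and `~` is the complement over every declared type.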


Thanks a lot man. I've been watching your videos and they definitely are helping me understand SELinux a lot better.

eliascaplan465 (2014-02-15 14:29:18 -0500)


Seen: 103 times

Last updated: Feb 15 '14