Dear all,
This is a two-part question.
Part 1:
I have created multiple policies for various applications; all type names begin with
'thales'. All the types specified are automatically assigned to the sysadm_t
domain; I can verify this by running the following command:
sesearch --allow -R -s sysadm_t -t thales
A couple of questions:
Why is this necessary?
Is this done during compilation? What policy creates these rules?
Why are these types not automatically assigned to staff_t, or any other type for that matter?
Part 2:
runcon -u system_u -r system_r -t initrc_t sh /path/to/executable
I need to simulate executing a script by the init system, because that script usually gets
started during startup by a command defined in rc.local. Otherwise I need to keep
rebooting to test my policies. When I run the 'runcon' command while logged in as
root and running with the sysadm_r role and sysadm_t type, I get the following AVC
error:
----
time->Thu Jan 14 14:23:31 2016
type=PATH msg=audit(1452781411.076:7079): item=0 name="/bin/sh" inode=390152
dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shell_exec_t
type=CWD msg=audit(1452781411.076:7079): cwd="/target/software"
type=SYSCALL msg=audit(1452781411.076:7079): arch=c000003e syscall=59 success=no exit=-13
a0=7fffbb439504 a1=7fffbb439740 a2=7fffbb439760 a3=352687dea0 items=1 ppid=21810 pid=22765
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=66
comm="runcon" exe="/usr/bin/runcon" subj=root:sysadm_r:sysadm_t
key=(null)
type=AVC msg=audit(1452781411.076:7079): avc: denied { transition } for pid=22765
comm="runcon" path="/bin/bash" dev=sda2 ino=390152
scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:initrc_t tclass=process
When running in permissive mode the transition happens with no problems; when running in
enforcing mode I get an 'execvp: Permission denied' error message.
Is sysadm_t not allowed to transition to initrc_t? How can I solve this issue? I need
this script to run under the initrc_t domain, and the script is in a folder that only
sysadm_t is allowed to access, because of the problem described in part 1.
Thanks in advance,
Jeroen
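Added example, not part of the post above: a small POSIX shell helper that reads an AVC denial record of the form quoted in Part 2 and prints the type-level allow rule it implies, plus a note when the source and target contexts also differ in role (a case where a type rule alone is not the whole picture, since role allow rules and policy constraints apply as well). The sample line is constructed from the denial in the post; the function names are my own.

```sh
#!/bin/sh
# Constructed sample: the AVC record quoted in the post, joined onto one line.
AVC_LINE='type=AVC msg=audit(1452781411.076:7079): avc: denied { transition } for pid=22765 comm="runcon" path="/bin/bash" dev=sda2 ino=390152 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:initrc_t tclass=process'

# avc_field LINE KEY -> the value of "KEY=value" in LINE (first match only)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perms LINE -> the permission list between "denied {" and "}"
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied {[[:space:]]*\([^}]*[^} ]\)[[:space:]]*}.*/\1/p'
}

# avc_to_allow LINE -> "allow <source type> <target type>:<class> { perms };"
# Contexts are user:role:type[:range]; field 3 is the type even with an MLS range.
avc_to_allow() {
    line=$1
    stype=$(avc_field "$line" scontext | cut -d: -f3)
    ttype=$(avc_field "$line" tcontext | cut -d: -f3)
    tclass=$(avc_field "$line" tclass)
    perms=$(avc_perms "$line")
    printf 'allow %s %s:%s { %s };\n' "$stype" "$ttype" "$tclass" "$perms"
}

# avc_role_note LINE -> a reminder when the role changes as well as the type.
# The type allow rule above does not by itself permit a role change; the policy
# must also contain a role allow rule for the role pair (prints nothing otherwise).
avc_role_note() {
    line=$1
    srole=$(avc_field "$line" scontext | cut -d: -f2)
    trole=$(avc_field "$line" tcontext | cut -d: -f2)
    if [ "$srole" != "$trole" ]; then
        printf 'role changes %s -> %s; also needs: allow %s %s;\n' \
            "$srole" "$trole" "$srole" "$trole"
    fi
}

avc_to_allow "$AVC_LINE"
avc_role_note "$AVC_LINE"
```

The rule printed for the quoted denial is the same one audit2allow would derive; the role note is the extra check worth making before deciding whether a custom module or an existing policy interface is the right fix.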