Lukas Vrabec:
> Hi,
> Could you attach raw AVCs and source policy files?
> Thank you.

Of course.
The policy is "under development". It is mostly coming from running
in permissive mode with dontaudit rules disabled, and putting the
output through "audit2allow". I've started to clean it up a little;
much should be dontaudited instead. But as I said, I've only
started.
To avoid spamming the list I placed the complete files at
ftp://ftp.uddeborg.se/pub/teamviewer-selinux
The pieces that I believe are interesting for the purpose of this
discussion are:
From teamviewer.te:
type teamviewerd_t;
type teamviewerd_exec_t;
init_daemon_domain(teamviewerd_t, teamviewerd_exec_t)
allow init_t self:process execmem;
allow teamviewerd_t self:process { execmem setsched };
From teamviewer.fc:
/opt/teamviewer/tv_bin/teamviewerd -- gen_context(system_u:object_r:teamviewerd_exec_t,s0)
Relevant AVCs before I added the allow rules:
type=AVC msg=audit(1467890892.113:74507): avc: denied { execmem } for pid=26267 comm="teamviewerd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process permissive=1
type=AVC msg=audit(1467890892.114:74508): avc: denied { execmem } for pid=26267 comm="teamviewerd" scontext=system_u:system_r:teamviewerd_t:s0 tcontext=system_u:system_r:teamviewerd_t:s0 tclass=process permissive=1
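
Added example, not part of the original message and not audit2allow's own code: a Python script that performs the audit2allow-style step described above on the two AVC records from this message and separates rules for the module's own domain from rules that would widen another domain. The function names and the module_domain parameter are this example's own assumptions.

```python
import re
from collections import defaultdict

# The two AVC records from the message above, each joined onto one line.
SAMPLE_AVCS = """\
type=AVC msg=audit(1467890892.113:74507): avc: denied { execmem } for pid=26267 comm="teamviewerd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process permissive=1
type=AVC msg=audit(1467890892.114:74508): avc: denied { execmem } for pid=26267 comm="teamviewerd" scontext=system_u:system_r:teamviewerd_t:s0 tcontext=system_u:system_r:teamviewerd_t:s0 tclass=process permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """Extract the type field from a user:role:type:level context."""
    return context.split(":")[2]

def parse_denials(text):
    """Group denied permissions by (source type, target type, class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
            rules[key].update(m["perms"].split())
    return rules

def to_allow_rules(rules, module_domain):
    """Render allow rules, split into those whose source is module_domain
    (own) and those that grant permissions to some other domain (foreign)."""
    own, foreign = [], []
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = "self" if src == tgt else tgt
        plist = sorted(perms)
        body = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rule = f"allow {src} {target}:{cls} {body};"
        (own if src == module_domain else foreign).append(rule)
    return own, foreign

if __name__ == "__main__":
    own, foreign = to_allow_rules(parse_denials(SAMPLE_AVCS), "teamviewerd_t")
    print("Rules for the module's own domain:", *own, sep="\n  ")
    print("Rules that widen another domain (review first):", *foreign, sep="\n  ")
```

For the two records above, the init_t rule lands in the second group because it grants execmem to every process running as init_t, not only to teamviewerd.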