target policy 2.5.9-2 in fc7 prevent mono - selinux - Fedora mailing-lists

22 Mar 2007


      hi all,
in fc7 rawhide, with target policy 2.5.9-2, will prevent mono
from doing something.
avc: denied { write } for comm="beagled" cwd="/home/yangshao" dev=00:03 
egid=500 euid=500 exe="/usr/bin/mono" exit=-13 fsgid=500 fsuid=500 
gid=500 inode=55866 item=0 items=1 mode=0100644 name="make-it-fail" 
obj=user_u:system_r:unconfined_t:s0 ogid=500 ouid=500 
path="/proc/3185/make-it-fail" pid=3091 rdev=00:00 
scontext=user_u:system_r:mono_t:s0 sgid=500 
subj=user_u:system_r:mono_t:s0 suid=500 tclass=file 
tcontext=user_u:system_r:unconfined_t:s0 tty=(none) uid=500
avc: denied { write } for comm="beagled" cwd="/home/yangshao" dev=00:03 
egid=500 euid=500 exe="/usr/bin/mono" exit=-13 fsgid=500 fsuid=500 
gid=500 inode=55852 item=0 items=1 mode=0100600 name="mem" 
obj=user_u:system_r:unconfined_t:s0 ogid=500 ouid=500 
path="/proc/3185/mem" pid=3091 rdev=00:00 
scontext=user_u:system_r:mono_t:s0 sgid=500 
subj=user_u:system_r:mono_t:s0 suid=500 tclass=file 
tcontext=user_u:system_r:unconfined_t:s0 tty=(none) uid=500
avc: denied { write } for comm="beagled" cwd="/home/yangshao" dev=00:03 
egid=500 euid=500 exe="/usr/bin/mono" exit=-13 fsgid=500 fsuid=500 
gid=500 inode=55864 item=0 items=1 mode=0100644 name="oom_adj" 
obj=user_u:system_r:unconfined_t:s0 ogid=500 ouid=500 
path="/proc/3185/oom_adj" pid=3091 rdev=00:00 
scontext=user_u:system_r:mono_t:s0 sgid=500 
subj=user_u:system_r:mono_t:s0 suid=500 tclass=file 
tcontext=user_u:system_r:unconfined_t:s0 tty=(none) uid=500
avc: denied { write } for comm="beagled" cwd="/home/yangshao" dev=00:03 
egid=500 euid=500 exe="/usr/bin/mono" exit=-13 fsgid=500 fsuid=500 
gid=500 inode=55865 item=0 items=1 mode=0100644 name="loginuid" 
obj=user_u:system_r:unconfined_t:s0 ogid=500 ouid=500 
path="/proc/3185/loginuid" pid=3091 rdev=00:00 
scontext=user_u:system_r:mono_t:s0 sgid=500 
subj=user_u:system_r:mono_t:s0 suid=500 tclass=file 
tcontext=user_u:system_r:unconfined_t:s0 tty=(none) uid=500
avc: denied { setattr } for comm="beagled" cwd="/home/yangshao" 
dev=00:03 egid=500 euid=500 exe="/usr/bin/mono" exit=-13 fsgid=500 
fsuid=500 gid=500 inode=160224 item=0 items=1 mode=0100644 
name="oom_adj" obj=user_u:system_r:unconfined_t:s0 ogid=500 ouid=500 
path="/proc/3117/oom_adj" pid=3091 rdev=00:00 
scontext=user_u:system_r:mono_t:s0 sgid=500 
subj=user_u:system_r:mono_t:s0 suid=500 tclass=file 
tcontext=user_u:system_r:unconfined_t:s0 tty=(none) uid=500
......
as i know, this problem happens from target policy 2.5.8-8.
i wrote a loadable module, after installing, such problems had not
happened again until now.
there is only a ".te" file in this module:
"
module mymono 1.0;
require {
         type unconfined_t;
         type mono_t;
         class file { write setattr };
}
#============= mono_t ==============
allow mono_t unconfined_t:file { write setattr };
"
can anyone can guide me if the '.te' file has something wrong.
i know, in reference policy, we should use interface, but i am
a newbie for selinux policy, i don't know how to begin writing
policy using interface?