Unable to transit from httpd_t to cacl_t

I'm writing a module for my app. I need httpd_t to execute my app, which is labelled with type cacl_exec_t, and I want SELinux to transition it to cacl_t. But the transition got denied, and when I used audit2allow, it gave this rule:
allow httpd_t cacl_t:process transition;
but when I added it to the .te file and ran "make load", I got
neverallow violated by allow httpd_t cacl_t:process { transition };
I'm new to SELinux modules, and still don't understand when it would get the cacl_t domain when a cacl_exec_t command file is executed.

The following is in the .if file:
type cacl_t, cacl_exec_t;


The following is in the .te file:
module caclmod 1.0.0;

require {
type unconfined_t;
type usr_t;
type bin_t;
type httpd_t;
class file { open read execute getattr entrypoint };
class process transition;
}

type cacl_exec_t;
type cacl_t;

allow cacl_t cacl_exec_t:file entrypoint;
#allow httpd_t cacl_t:process transition;
type_transition httpd_t cacl_exec_t:process cacl_t;
allow unconfined_t cacl_exec_t:file { getattr open read execute };
allow httpd_t cacl_exec_t:file { getattr open read execute };
allow cacl_t usr_t:file { getattr open read execute };
allow cacl_t bin_t:file { getattr open read execute };
type_transition cacl_t usr_t:process usr_t;
type_transition usr_t cacl_exec_t:process cacl_t;
type_transition bin_t cacl_exec_t:process cacl_t;
type_transition unconfined_t cacl_exec_t:process cacl_t;

role system_r types cacl_t;
role system_r types bin_t;
role system_r types usr_t;
role system_r types unconfined_t;
role unconfined_r types cacl_t;
role unconfined_r types bin_t;
role unconfined_r types usr_t;
role unconfined_r types unconfined_t;

With the above, I got
type=AVC msg=audit(1416217869.038:770): avc: denied { transition } for pid=15335 comm="sh" path="/usr/local/secbin/caclb" dev=sda2 ino=421075 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:cacl_t:s0 tclass=process
type=SYSCALL msg=audit(1416217869.038:770): arch=c000003e syscall=59 success=no exit=-13 a0=17df330 a1=17df420 a2=17de150 a3=7fff6a675c50 items=0 ppid=8334 pid=15335 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:httpd_t:s0 key=(null)

Thanks in advance for any help.

Edited at 2014-11-17 09:53 am (UTC)
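A minimal module that expresses the intended httpd_t to cacl_t transition with the reference-policy macros, added here as an example and not part of the original post. It assumes the .te is built with the refpolicy-based Makefile shipped in selinux-policy-devel (the one "make load" drives), so policy_module(), domain_type(), domain_entry_file() and domtrans_pattern() are available. The point it illustrates: the target of a process transition must carry the domain attribute, which the reference policy enforces with a neverallow in the kernel domain module (domains may only transition to other domains). A bare "type cacl_t;" is a plain type, not a domain, so the rule audit2allow suggested trips that neverallow no matter where it is added. Declaring cacl_t as a domain, and letting domtrans_pattern emit the execute, entrypoint and transition rules together with the type_transition, removes the need to hand-write them. The usr_t and bin_t transition rules from the post are dropped because those are file types, not domains, and a type_transition whose source is not a domain never fires.

```selinux
policy_module(caclmod, 1.0.1)

########################################
#
# Declarations
#

# The domain the app will run in and the type of its executable.
type cacl_t;
type cacl_exec_t;

# domain_type() gives cacl_t the "domain" attribute; without it the
# transition target is not a domain, which is what the neverallow
# rejects. domain_entry_file() marks cacl_exec_t as an entry point
# for cacl_t (the "entrypoint" permission plus the entry_type attribute).
domain_type(cacl_t)
domain_entry_file(cacl_t, cacl_exec_t)

# httpd_t runs under system_r, so cacl_t must be valid for that role.
role system_r types cacl_t;

# httpd_t is declared by the apache module, so it must be required here.
require {
	type httpd_t;
}

########################################
#
# Transition from httpd_t
#

# Expands to (among a few fd/fifo/sigchld rules a child needs to talk
# to its parent):
#   allow httpd_t cacl_exec_t:file { getattr open read execute };
#   allow httpd_t cacl_t:process transition;
#   allow cacl_t cacl_exec_t:file entrypoint;
#   type_transition httpd_t cacl_exec_t:process cacl_t;
domtrans_pattern(httpd_t, cacl_exec_t, cacl_t)

# Rules for what cacl_t itself may do go here. Derive them from the
# AVC denials of the running app rather than granting broad access,
# e.g. if it only needs to read its configuration:
# files_read_etc_files(cacl_t)
```

To make the transition actually happen, the executable also has to carry cacl_exec_t on disk: a caclmod.fc file with the line "/usr/local/secbin/caclb -- gen_context(system_u:object_r:cacl_exec_t,s0)" (the path is the one from the AVC above), followed by "restorecon -v /usr/local/secbin/caclb" after the module is loaded. Two checks confirm the module does what the lead-in claims: "seinfo -adomain -x | grep cacl_t" should list cacl_t among the types with the domain attribute, and "sesearch -T -s httpd_t -t cacl_exec_t -c process" should show the type_transition. While collecting the rules cacl_t needs, "semanage permissive -a cacl_t" lets the app run and log denials in its new domain without weakening httpd_t; remove it with "semanage permissive -d cacl_t" once the policy is complete, since a permissive domain reachable from the web server is exactly the kind of hole the transition was meant to avoid.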
