Good afternoon (and this time it is afternoon, not 2 AM ;D).

I succeeded in solving my problem, so I am posting the answer.

1° take care of the domain of slapd: if launched with the sysadm_r role,
the process starts correctly and gets the slapd_t domain. If launched with
staff_r (the default one, at least in my case), it gets the domain
staff_r. I made the mistake during some tests ...

2° the policy:

module gbd_slapd_attach 1.0;

require {
    # types of the traced daemon and of the debugger (gdb run as sysadm)
    type slapd_t;
    type sysadm_t;
    class process { signal ptrace transition noatsecure rlimitinh
        siginh getsched setsched getsession getpgid setpgid getcap setcap
        sigchld getattr };
}

# what the traced daemon may do to the debugger's process
allow slapd_t sysadm_t:process { getattr sigchld signal };
# what the debugger may do to the traced daemon's process
allow sysadm_t slapd_t:process { ptrace getsched setsched
    getsession getpgid setpgid getcap setcap };


Best regards,
Julien Thomas

PS: this policy is used in a non-professional context and may thus need to be
reinforced in professional environments ;D

julien.thomas@××××××××××××××××.eu wrote:
> Good afternoon.
>
> I would like to be able to trace the slapd daemon (slapd_t type) with
> gdb, and more precisely to interact with it.
>
> However, when I perform the attach command of gdb, I get a
> ptrace: Permission denied. with no avc log ...
>
> I added the following authorization but it seems not to be enough.
> The processes gdb and slapd have the following types:
>
> system_u:system_r:slapd_t 5930 ? Ssl 0:00 /usr/lib/openldap/slapd
> root:sysadm_r:sysadm_t 5818 pts/0 S+ 0:00 gdb
>
> ---- additional SELinux module
> module gbd_attach 1.0;
>
> require {
>     type slapd_t;
>     type sysadm_t;
>     class file { execute getattr read };
>     class process { signal ptrace transition noatsecure rlimitinh
>         siginh getsched setsched getsession getpgid setpgid getcap setcap };
> }
>
> allow slapd_t sysadm_t:process { signal ptrace };
> allow sysadm_t slapd_t:process { noatsecure rlimitinh siginh transition
>     getsched setsched getsession getpgid setpgid getcap setcap };
>
> Thanks.
>
> Best regards,
> Julien Thomas
>
>

--
My RSA public key for email authentication is available at
http://perso.telecom-bretagne.eu/julienthomas/technical_informations/
and on the PGP server http://subkeys.pgp.net (id 0x43E623F5)

My (google) calendars (for meeting arrangement)
Thesis:
http://www.google.com/calendar/embed?src=d3te2j26l4g7qah12a9q4vpiu4%40group.calendar.google.com&ctz=Europe/Paris

Personal (availability only):
http://www.google.com/calendar/embed?src=julien.thomas.1%40gmail.com&ctz=Europe/Paris
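The following POSIX shell script is an added example and is not part of the mail thread. It writes the gbd_slapd_attach module from the answer above to a file, compiles and installs it with the standard SELinux userspace tools (checkmodule, semodule_package, semodule), and prints the domain of the running slapd so that the role mistake from point 1° (slapd started from the wrong role and therefore not in slapd_t) can be spotted before attaching gdb. The work directory, the --run flag and all function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original mail): build, load and verify the
# gbd_slapd_attach module posted in the thread. Work directory, function
# names and the --run flag are assumptions; the three SELinux tools used
# are the standard policy-building utilities.
set -eu

# Write the policy source from the thread into the given directory and
# print the path of the resulting .te file.
write_te() {
    dir="$1"
    mkdir -p "$dir"
cat > "$dir/gbd_slapd_attach.te" <<'EOF'
module gbd_slapd_attach 1.0;

require {
    type slapd_t;
    type sysadm_t;
    class process { signal ptrace transition noatsecure rlimitinh
        siginh getsched setsched getsession getpgid setpgid getcap setcap
        sigchld getattr };
}

allow slapd_t sysadm_t:process { getattr sigchld signal };
allow sysadm_t slapd_t:process { ptrace getsched setsched
    getsession getpgid setpgid getcap setcap };
EOF
    printf '%s\n' "$dir/gbd_slapd_attach.te"
}

# Compile the .te into a loadable package and install it (needs root and
# the SELinux policy tools; not run by the self-test below).
build_and_load() {
    te="$1"
    base="${te%.te}"
    checkmodule -M -m -o "$base.mod" "$te"
    semodule_package -o "$base.pp" -m "$base.mod"
    semodule -i "$base.pp"
}

# Point 1 of the thread: slapd only ends up in slapd_t when started from a
# role that transitions into it. Print the security context of the running
# slapd so the reader can confirm the domain before trying to attach.
slapd_domain() {
    ps -eZ 2>/dev/null | awk '$NF ~ /slapd$/ { print $1; exit }'
}

# Sanity check on the written source: number of allow rules it contains.
count_allow_rules() {
    grep -c '^allow ' "$1"
}

if [ "${1:-}" = "--run" ]; then
    te=$(write_te "${TMPDIR:-/tmp}/gbd_slapd_attach")
    build_and_load "$te"
    # If attach still fails with no AVC message, dontaudit rules may be
    # hiding the denial: 'semodule -DB' rebuilds the policy with them
    # disabled, and 'semodule -B' restores them once the cause is found.
    echo "running slapd context: $(slapd_domain)"
fi
```

Run it as root with `sh build_gbd_slapd_attach.sh --run` on the machine where slapd is debugged; the context printed at the end should start with a role and type that end in slapd_t, otherwise the daemon was started the way point 1° warns about and the ptrace rule will not apply to it.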