SELinux policy for ndiswrapper

Christopher J. PeBenito cpebenito at tresys.com
Tue Mar 15 18:54:57 UTC 2005


On Tue, 2005-03-15 at 12:04 -0600, rrcoot at verizon.net wrote:
> I wrote a policy to get ndiswrapper running in my FC3 strict policy
> SELinux system. This is the first policy I have created. I would
> greatly appreciate any pointers or feedback anyone would like to
[cut]
> # Filename: loadndis.fc

> #Context for the driver configuration files
> /etc/ndiswrapper/ -- system_u:object_r:loadndis_content_t

you probably want this:

/etc/ndiswrapper(/.*)?  system_u:object_r:loadndis_content_t

so you can label all of the driver stuff that's stored under that
directory and its subdirectories.  I don't think your pattern will
match anything.

> # Filename: loadndis.te

> #Rules for devices
> allow loadndis_t device_t:dir { rw_dir_perms };
> allow loadndis_t device_t:chr_file { read create unlink ioctl };
> allow loadndis_t null_device_t:chr_file { rw_file_perms };
> allow loadndis_t console_device_t:chr_file { rw_file_perms };

It would be better for the device node to have its own type, and type
transition the chr_file, that way loadndis_t can only read very specific
device nodes:

type loadndis_device_t, device_type, dev_fs;
file_type_auto_trans(loadndis_t,device_t,loadndis_device_t,chr_file)

Or if you really want to go least privilege, you could probably use
these rules instead of the above file_type_auto_trans:

allow loadndis_t device_t:dir { search write add_name remove_name };
allow loadndis_t loadndis_device_t:chr_file { read create unlink ioctl };
type_transition loadndis_t device_t:chr_file loadndis_device_t;

> #Capabilities
> allow loadndis_t self:capability { sys_tty_config };
> allow loadndis_t self:capability { mknod };

Just for readability, it would be best to merge these into one line.
Just a little nitpick. :)

> #Rules for proc filesystem
> allow loadndis_t proc_t:dir { r_dir_perms };
> allow loadndis_t proc_t:file { r_file_perms };

Another readability thing, you don't need the braces around r_dir_perms
and r_file_perms, as these are macros, and they already provide braces.
So the ones you have are redundant.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
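The file-context point above (an anchored regex plus the optional file-type field, and why `/etc/ndiswrapper/ --` can match nothing) can be checked without a labelled system. The following is an added illustration, not code from this message or from the SELinux reference policy: a toy matcher that applies the two documented rules (implicit `^...$` anchoring of each .fc regex, and the `--`/`-d`/`-c` type field restricting which object kinds an entry covers) to a constructed directory tree. The sample tree, the `.conf` sibling and the driver file names are assumptions made up for the example; the `DIR_ONLY_FC` entry is likewise a hypothetical variant used to show the type field in action. Last-match-wins is the precedence rule given in file_contexts(5); the real selabel backend also orders entries by stem length, which this toy does not model.

```python
"""Toy model of how setfiles/matchpathcon pick a label from a file_contexts
(.fc) file.  Added illustration only; not code from the original message
or from the SELinux reference policy.

Rules modelled:
  * each .fc regex is implicitly anchored at both ends (^...$);
  * the optional type field (-- regular file, -d directory, -c char device,
    ...) restricts which object kinds the entry applies to;
  * when several entries match, the last one in the file wins
    (file_contexts(5); stem-length ordering of the real backend is omitted).
"""
import re
import stat

# file_contexts type field -> predicate on a stat mode
_TYPE_FIELD = {
    "--": stat.S_ISREG,
    "-d": stat.S_ISDIR,
    "-c": stat.S_ISCHR,
    "-b": stat.S_ISBLK,
    "-s": stat.S_ISSOCK,
    "-p": stat.S_ISFIFO,
    "-l": stat.S_ISLNK,
}


def parse_fc(text):
    """Parse .fc lines into (anchored regex, type predicate or None, context)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, ftype, context = fields
            pred = _TYPE_FIELD[ftype]
        elif len(fields) == 2:
            regex, context = fields
            pred = None
        else:
            raise ValueError("bad file_contexts line: %r" % raw)
        # setfiles anchors every pattern; the paths it walks carry no trailing '/'
        entries.append((re.compile("^" + regex + "$"), pred, context))
    return entries


def match_context(entries, path, mode):
    """Return the context of the last entry matching (path, mode), or None."""
    found = None
    for regex, pred, context in entries:
        if regex.match(path) and (pred is None or pred(mode)):
            found = context
    return found


# The line as posted, and the form suggested in the reply.
POSTED_FC = "/etc/ndiswrapper/ -- system_u:object_r:loadndis_content_t\n"
SUGGESTED_FC = "/etc/ndiswrapper(/.*)? system_u:object_r:loadndis_content_t\n"
# Hypothetical variant (assumption): same pattern restricted to directories.
DIR_ONLY_FC = "/etc/ndiswrapper(/.*)? -d system_u:object_r:loadndis_content_t\n"

# Constructed sample tree standing in for what setfiles would walk.
SAMPLE_TREE = [
    ("/etc/ndiswrapper", stat.S_IFDIR),
    ("/etc/ndiswrapper/bcmwl5", stat.S_IFDIR),
    ("/etc/ndiswrapper/bcmwl5/bcmwl5.inf", stat.S_IFREG),
    ("/etc/ndiswrapper/bcmwl5/bcmwl5.sys", stat.S_IFREG),
    ("/etc/ndiswrapper.conf", stat.S_IFREG),  # sibling file: must not match
]


def label_tree(fc_text, tree=SAMPLE_TREE):
    """Map each path in the tree to the context the .fc text assigns it."""
    entries = parse_fc(fc_text)
    return {path: match_context(entries, path, mode) for path, mode in tree}


if __name__ == "__main__":
    for name, fc in (("posted", POSTED_FC), ("suggested", SUGGESTED_FC),
                     ("dir-only", DIR_ONLY_FC)):
        print(name)
        for path, ctx in label_tree(fc).items():
            print("  %-40s %s" % (path, ctx or "<<none>>"))
```

Running it shows the posted entry labelling nothing (no walked path ends in `/`, and `--` would in any case exclude the directory itself), the `(/.*)?` form covering the directory and everything beneath it while leaving the `/etc/ndiswrapper.conf` sibling alone, and the `-d` variant labelling only the directories. Before shipping a real .fc change, confirm the same thing on the target with `matchpathcon` or `restorecon -nv` rather than trusting the toy.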