A lot of AVC messages running "make install" from the kernel source dir.

Daniel J Walsh dwalsh at redhat.com
Thu Apr 15 03:00:12 UTC 2004


Aleksey Nogin wrote:

> On 14.04.2004 18:16, Daniel J Walsh wrote:
>
>> In certain cases it is helpful to just run these avc messages through 
>> audit2allow
>
>
> I guess so, although for many of these things, the right solution is 
> not to allow the access, but change something else (e.g. grub- should 
> be marked correctly).
>
>> All these messages basically came down to a couple of rules that have 
>> been added to the latest policy.
>
>
> Thanks!
>
>> A couple of tricks you might want to try
>>
>> audit2allow -l -i /var/log/messages
>> Will output all rules for messages since the last time you ran a make 
>> load.
>
>
> Ah, that's very useful, thanks, I did not know about these audit2allow 
> options.
>
>> You have written your first policy.
>
>
> Far from the first one ;-)
>
Not really meant at you. It was more meant at anyone else who wants to 
try their hand at writing policy.

> BTW, do you think any of the following is worth adding to the default 
> policy (or is already there)?
>
> --- My local te ---
>
> # Allow hotplug (including /sbin/ifup-local) to start/stop services
> # and run sendmail -q
> domain_auto_trans(hotplug_t, initrc_exec_t, initrc_t)
> domain_auto_trans(hotplug_t, sendmail_exec_t, system_mail_t)
>
Added

> # Same for apm/acpid scripts
> domain_auto_trans(apmd_t, initrc_exec_t, initrc_t)
> domain_auto_trans(apmd_t, sendmail_exec_t, system_mail_t)
>
Added

> # Allow syslog to a terminal
> allow syslogd_t tty_device_t:chr_file { getattr write ioctl append };
>
I will add this and see what security people say.

> # Allow staff to mess with removable devices
> allow staff_t removable_device_t:blk_file { getattr read ioctl lock };
>
This is already in there for handling floppies.

> # Allow utempter to write to /tmp/.xses-*
> allow utempter_t staff_tmp_t:file { getattr write };
>
Added

> # VNC v4 module in X server
> type vnc_port_t, port_type;
> allow xdm_xserver_t vnc_port_t:tcp_socket name_bind;
> # For some reason, putting portcon here is a syntax error and it has to
> # go into net_contexts :-(
> # portcon tcp 5900  system_u:object_r:vnc_port_t
>
Added

> # Allow strace debugging for staff
> allow staff_t {staff_mozilla_t staff_xauth_t}:process { ptrace };
>
> --- My local fc ---
>
> # Workaround for bug 117685
> /home/nogin         -l      aleksey:object_r:staff_home_t
>
> # /dev/cdrom is a removable device. Is there a better way to say this?
> /dev/hdc             -b     system_u:object_r:removable_device_t
>
I don't know.  We have thought about this, but what happens when you have 
more than one cdrom?

> /home/aleksey/\.gnupg/idea   aleksey:object_r:shlib_t
>
> # The hibernation script (downloaded from
> # http://prdownloads.sourceforge.net/swsusp/suspend.sh?download )
> /usr/local/sbin/hibernate  system_u:object_r:initrc_exec_t
>
> # This is where my Java installation lives
> /usr/local/j2re.*/bin(/.*)?              system_u:object_r:bin_t
> /usr/local/j2re.*/lib(64)?/i386(/.*)?        system_u:object_r:lib_t
>
> # Is there a better way to say that random users should be able
> # to dump files here?
> /opt/downloads              system_u:object_r:tmp_t
>
That is the way I do it.
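
The thread above relies on audit2allow to turn AVC denials from /var/log/messages into candidate allow rules. The following Python script is an added illustration of that translation step and is not audit2allow's own code or part of the original mail: it parses the old syslog-style AVC lines the kernel wrote in 2004, merges denials that share a source type, target type and object class into a single rule, and prints TE `allow` statements. The log lines are constructed for the demo (pids, inodes, timestamps and the `eth0` line are invented); the function names are the script's own. It deliberately omits the `-l` "since last policy load" filter, and, as Aleksey's point about grub illustrates, its output is a list to review rather than to paste: a denial caused by a mislabeled file is fixed in the fc file, not with an allow rule.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the thread) in the syslog format the
# 2004-era kernel used for AVC denials; pids, inodes and timestamps are made up.
SAMPLE_LOG = """\
Apr 14 18:10:01 host kernel: audit(1081966201.123:0): avc:  denied  { write } for  pid=2345 exe=/sbin/syslogd name=tty1 dev=hda3 ino=1234 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
Apr 14 18:10:02 host kernel: audit(1081966202.456:0): avc:  denied  { getattr ioctl } for  pid=2345 exe=/sbin/syslogd name=tty1 dev=hda3 ino=1234 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
Apr 14 18:11:07 host kernel: audit(1081966267.789:0): avc:  denied  { name_bind } for  pid=2400 exe=/usr/X11R6/bin/XFree86 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:port_t tclass=tcp_socket
Apr 14 18:12:00 host kernel: eth0: link up
"""

# One regex pulls out the permission set and the three fields a TE rule needs.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type field of a user:role:type security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for an AVC denial,
    or None for any other log line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = set(m.group("perms").split())
    return (type_of(m.group("scontext")), type_of(m.group("tcontext")),
            m.group("tclass"), perms)


def collect_rules(lines):
    """Merge denials with the same (source, target, class) into one permission
    set, so the output is one rule per type pair rather than one per message."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def format_rules(rules):
    """Render the merged denials as TE allow rules, sorted for stable diffs."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return out


if __name__ == "__main__":
    # Reading a real log would replace SAMPLE_LOG.splitlines() with open("/var/log/messages").
    for rule in format_rules(collect_rules(SAMPLE_LOG.splitlines())):
        print(rule)
```

Run on the sample it prints two rules, the first of which merges the three separate syslogd denials into `{ getattr ioctl write }`, the same shape as the `syslogd_t tty_device_t:chr_file` rule proposed in the thread.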



More information about the fedora-selinux-list mailing list