A lot of AVC messages running "make install" from the kernel source dir.
Aleksey Nogin
aleksey at nogin.org
Thu Apr 15 02:17:14 UTC 2004
On 14.04.2004 18:16, Daniel J Walsh wrote:
> In certain cases it is helpful to just run these avc messages through
> audit2allow
I guess so, although for many of these things, the right solution is not
to allow the access, but change something else (e.g. grub- should be
marked correctly).
> All these messages basically came down to a couple of rules that have
> been added to the latest policy.
Thanks!
> A couple of tricks you might want to try
>
> audit2allow -l -i /var/log/messages
> Will output all rules for messages since the last time you ran a make load.
Ah, that's very useful, thanks, I did not know about these audit2allow
options.
> You have written your first policy.
Far from the first one ;-)
BTW, do you think any of the following is worth adding to the default
policy (or is already there)?
--- My local te ---
# Allow hotplug (including /sbin/ifup-local) to start/stop services and
# run sendmail -q
domain_auto_trans(hotplug_t, initrc_exec_t, initrc_t)
domain_auto_trans(hotplug_t, sendmail_exec_t, system_mail_t)
# Same for apm/acpid scripts
domain_auto_trans(apmd_t, initrc_exec_t, initrc_t)
domain_auto_trans(apmd_t, sendmail_exec_t, system_mail_t)
# Allow syslog to a terminal
allow syslogd_t tty_device_t:chr_file { getattr write ioctl append };
# Allow staff to mess with removable devices
allow staff_t removable_device_t:blk_file { getattr read ioctl lock };
# Allow utempter to write to /tmp/.xses-*
allow utempter_t staff_tmp_t:file { getattr write };
# VNC v4 module in X server
type vnc_port_t, port_type;
allow xdm_xserver_t vnc_port_t:tcp_socket name_bind;
# For some reason, putting portcon here is a syntax error and it has to
# go into net_contexts :-(
# portcon tcp 5900 system_u:object_r:vnc_port_t
# Allow strace debugging for staff
allow staff_t {staff_mozilla_t staff_xauth_t}:process { ptrace };
--- My local fc ---
# Workaround for bug 117685
/home/nogin -l aleksey:object_r:staff_home_t
# /dev/cdrom is a removable device. Is there a better way to say this?
/dev/hdc -b system_u:object_r:removable_device_t
/home/aleksey/\.gnupg/idea aleksey:object_r:shlib_t
# The hibernation script (downloaded from
# http://prdownloads.sourceforge.net/swsusp/suspend.sh?download )
/usr/local/sbin/hibernate system_u:object_r:initrc_exec_t
# This is where my Java installation lives
/usr/local/j2re.*/bin(/.*)? system_u:object_r:bin_t
/usr/local/j2re.*/lib(64)?/i386(/.*)? system_u:object_r:lib_t
# Is there a better way to say that random users should be able
# to dump files here?
/opt/downloads system_u:object_r:tmp_t
--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907
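The audit2allow -l behaviour discussed above (turn AVC denials into allow rules, but only the ones logged since the last policy load) is easy to reproduce on a syslog excerpt. The script below is an added illustration, not part of this thread or of the audit2allow tool itself: it parses the 2004-era kernel "avc: denied" line layout, merges the permissions for each (source type, target type, class) triple into one allow rule in the style of the local te file above, and discards everything logged before a policy-load marker line when asked to. The sample log lines are constructed, and the exact marker text that audit2allow keys on (here "security:  policy loaded") is an assumption. As the reply itself notes, a generated rule is only a starting point: a denial against the wrong target type usually means a file context needs fixing rather than a new allow rule.

```python
import re
from collections import OrderedDict

# Constructed sample syslog excerpt (not real log data). The layout mimics
# 2004-era kernel AVC messages; the "policy loaded" line is an assumed
# stand-in for the marker audit2allow -l uses to find the last make load.
SAMPLE_LOG = """\
Apr 14 18:01:02 host kernel: audit(1081965662.123:0): avc:  denied  { write } for  pid=812 exe=/sbin/syslogd path=/dev/tty12 dev=hda2 ino=1234 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
Apr 14 18:01:03 host kernel: security:  policy loaded
Apr 14 18:02:10 host kernel: audit(1081965730.456:0): avc:  denied  { getattr } for  pid=812 exe=/sbin/syslogd path=/dev/tty12 dev=hda2 ino=1234 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
Apr 14 18:02:11 host kernel: audit(1081965731.789:0): avc:  denied  { write append } for  pid=812 exe=/sbin/syslogd path=/dev/tty12 dev=hda2 ino=1234 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
Apr 14 18:03:00 host kernel: audit(1081965780.012:0): avc:  denied  { read } for  pid=2201 exe=/bin/cat path=/dev/hdc dev=hda2 ino=999 scontext=aleksey:staff_r:staff_t tcontext=system_u:object_r:removable_device_t tclass=blk_file
"""

# Pull the permission set, both security contexts and the object class out
# of one AVC line; everything between them (pid, exe, path, ...) is skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
POLICY_LOAD_MARKER = "security:  policy loaded"  # assumption, see lead-in


def type_of(context):
    """user:role:type -> type (the only part an allow rule needs)."""
    return context.split(":")[2]


def parse_denials(lines, since_last_load=False):
    """Return (source_type, target_type, tclass, [perms]) per AVC line."""
    denials = []
    for line in lines:
        if since_last_load and POLICY_LOAD_MARKER in line:
            denials = []  # like -l: forget everything before the last load
            continue
        m = AVC_RE.search(line)
        if m:
            denials.append((type_of(m["scontext"]), type_of(m["tcontext"]),
                            m["tclass"], m["perms"].split()))
    return denials


def aggregate(denials):
    """Merge permissions per (source, target, class), keeping first-seen order."""
    rules = OrderedDict()
    for src, tgt, cls, perms in denials:
        bucket = rules.setdefault((src, tgt, cls), [])
        for p in perms:
            if p not in bucket:
                bucket.append(p)
    return rules


def format_rules(rules):
    return ["allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(perms))
            for (src, tgt, cls), perms in rules.items()]


def audit2allow_like(text, since_last_load=False):
    """Whole pipeline: syslog text in, list of allow rules out."""
    return format_rules(aggregate(parse_denials(text.splitlines(), since_last_load)))


if __name__ == "__main__":
    print("# all denials in the file")
    print("\n".join(audit2allow_like(SAMPLE_LOG)))
    print("# only denials since the last policy load (like -l)")
    print("\n".join(audit2allow_like(SAMPLE_LOG, since_last_load=True)))
```

Run without the flag, the syslogd line collapses the three separate denials into a single rule with { write getattr append }, which is the same rule the local te file above carries for syslogd_t and tty_device_t; with the flag, the write denial logged before the marker is dropped and only the later ones survive, which is what makes -l useful for iterating on a policy one make load at a time.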