A lot of AVC messages running "make install" from the kernel source dir.

Aleksey Nogin aleksey at nogin.org
Thu Apr 15 02:17:14 UTC 2004


On 14.04.2004 18:16, Daniel J Walsh wrote:

> In certain cases it is helpful to just run these avc messages through 
> audit2allow

I guess so, although for many of these things, the right solution is not 
to allow the access, but change something else (e.g. grub- should be 
marked correctly).

> All these messages basically came down to a couple of rules that have 
> been added to the latest policy.

Thanks!

> A couple of tricks you might want to try
> 
> audit2allow -l -i /var/log/messages
> Will output all rules for messages since the last time you ran a make load.

Ah, that's very useful, thanks, I did not know about these audit2allow 
options.

> You have written your first policy.

Far from the first one ;-)

BTW, do you think any of the following is worth adding to the default 
policy (or is already there)?

--- My local te ---

# Allow hotplug (including /sbin/ifup-local) to start/stop services and 
# run sendmail -q
domain_auto_trans(hotplug_t, initrc_exec_t, initrc_t)
domain_auto_trans(hotplug_t, sendmail_exec_t, system_mail_t)

# Same for apm/acpid scripts
domain_auto_trans(apmd_t, initrc_exec_t, initrc_t)
domain_auto_trans(apmd_t, sendmail_exec_t, system_mail_t)

# Allow syslog to a terminal
allow syslogd_t tty_device_t:chr_file { getattr write ioctl append };

# Allow staff to mess with removable devices
allow staff_t removable_device_t:blk_file { getattr read ioctl lock };

# Allow utempter to write to /tmp/.xses-*
allow utempter_t staff_tmp_t:file { getattr write };

# VNC v4 module in X server
type vnc_port_t, port_type;
allow xdm_xserver_t vnc_port_t:tcp_socket name_bind;
# For some reason, putting portcon here is a syntax error and it has to
# go into net_contexts :-(
# portcon tcp 5900  system_u:object_r:vnc_port_t

# Allow strace debugging for staff
allow staff_t {staff_mozilla_t staff_xauth_t}:process { ptrace };

--- My local fc ---

# Workaround for bug 117685
/home/nogin         -l      aleksey:object_r:staff_home_t

# /dev/cdrom is a removable device. Is there a better way to say this?
/dev/hdc             -b     system_u:object_r:removable_device_t

/home/aleksey/\.gnupg/idea   aleksey:object_r:shlib_t

# The hibernation script (downloaded from
# http://prdownloads.sourceforge.net/swsusp/suspend.sh?download )
/usr/local/sbin/hibernate  system_u:object_r:initrc_exec_t

# This is where my Java installation lives
/usr/local/j2re.*/bin(/.*)?              system_u:object_r:bin_t
/usr/local/j2re.*/lib(64)?/i386(/.*)?        system_u:object_r:lib_t

# Is there a better way to say that random users should be able
# to dump files here?
/opt/downloads              system_u:object_r:tmp_t

-- 
Aleksey Nogin

Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907
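The audit2allow workflow in the quoted exchange above (AVC denials in /var/log/messages collapsed into allow rules, with -l keeping only those logged since the last "make load"), as an added example that is not part of the original post or of audit2allow itself. It assumes the 2004-era kernel AVC line format, a constructed sample log, and that the policy-load marker is the kernel's "security: N users, N roles, N types" message.

```python
import re
from collections import defaultdict

# Constructed sample in the 2004-era /var/log/messages AVC format (not a real log).
SAMPLE_LOG = """\
Apr 14 18:01:02 host kernel: audit(1081982462.101:0): avc:  denied  { append } for  pid=812 exe=/sbin/syslogd path=/dev/tty1 dev=hda2 ino=1234 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
Apr 14 18:02:10 host kernel: security:  3 users, 4 roles, 370 types, 22 bools
Apr 14 18:03:00 host kernel: audit(1081982580.501:0): avc:  denied  { getattr } for  pid=812 exe=/sbin/syslogd path=/dev/tty1 dev=hda2 ino=1234 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
Apr 14 18:03:01 host kernel: audit(1081982581.002:0): avc:  denied  { write ioctl } for  pid=812 exe=/sbin/syslogd path=/dev/tty1 dev=hda2 ino=1234 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
Apr 14 18:05:12 host kernel: audit(1081982712.330:0): avc:  denied  { read } for  pid=1501 exe=/bin/dd path=/dev/hdc dev= ino=5678 scontext=aleksey:staff_r:staff_t tcontext=system_u:object_r:removable_device_t tclass=blk_file
"""

# One denial: the permission set, source/target contexts and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)"
)
# Kernel message printed when a policy is loaded ("make load"); that this is
# the exact wording audit2allow -l keys on is an assumption here.
LOAD_RE = re.compile(r"security:\s+\d+ users, \d+ roles, \d+ types")


def type_of(context):
    """user:role:type -> type (the part an allow rule names)."""
    return context.split(":")[2]


def parse_denials(lines, since_last_load=False):
    """Collapse AVC denials into {(source_type, target_type, class): perms}."""
    rules = defaultdict(set)
    for line in lines:
        if since_last_load and LOAD_RE.search(line):
            rules.clear()  # like -l: drop everything seen before the reload
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (type_of(m["sctx"]), type_of(m["tctx"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def format_rules(rules):
    """Render merged denials as te-file allow rules, one per (source, target, class)."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};"
        for (s, t, c), perms in sorted(rules.items())
    ]
```

The generated rules are the same starting point the reply above treats them as: each one still needs the judgment the message applies (relabel the file or fix the script rather than allow the access, where that is the real problem).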
