package review?
Daniel J Walsh
dwalsh at redhat.com
Thu Jul 20 19:11:17 UTC 2006
Michael Thomas wrote:
> Daniel J Walsh wrote:
>
>> Michael Thomas wrote:
>>
>>
>>> A few packages (game server daemons) that I maintain in Fedora Extras
>>> would benefit from having a selinux security policy available. But
>>> since I'm new to writing selinux policies, I was hoping that someone
>>> from f-s-l could take a peek at what I did and let me know if I've done
>>> things correctly and in the 'recommended' way.
>>>
>>> I've already tested the policy on FC5 to make sure that it works and
>>> produces no 'avc denied' messages:
>>>
>>> http://www.kobold.org/~wart/fedora/crossfire-1.9.1-2.src.rpm
>>>
>>> I wasn't sure exactly which networking rules I would need. Most of the
>>> ones there were generated by policygentool. I also couldn't figure out
>>> why some of the rules at the end of crossfire.te were necessary.
>>>
>>> Thanks in advance!
>>>
>>> --Mike
>>>
>>> ------------------------------------------------------------------------
>>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>
>> Please attach the te, fc and if files.
>>
>
> They are in the src.rpm, but I realize that's not the easiest way to
> pass them around. Here are direct links:
>
> http://www.kobold.org/~wart/fedora/crossfire.fc
>
> http://www.kobold.org/~wart/fedora/crossfire.if
> http://www.kobold.org/~wart/fedora/crossfire.te
>
>
I would not define crossfire_static_data_t, unless this is data you do
not want other confined domains to read. You can just let it use
usr_t and give the application the ability to read usr_t.

files_read_usr_files(crossfire_t)

I do not like adding additional file_contexts unless the domain needs to
write. Up until now, I think you are better off leaving
read-only files with the default context. (This might change as we
move to more RBAC support.)

allow crossfire_t port_t:udp_socket send_msg;
allow crossfire_t port_t:tcp_socket name_bind;

You need to define a port for this socket and only allow name_bind to that port.

allow crossfire_t bin_t:file getattr;
allow crossfire_t bin_t:dir search;

Should use

corecmd_getattr_bin_files(crossfire_t)
corecmd_search_bin(crossfire_t)

allow crossfire_t proc_t:dir search;
allow crossfire_t sysctl_t:dir search;
allow crossfire_t sysctl_kernel_t:dir search;
allow crossfire_t sysctl_kernel_t:file read;

Should use

kernel_read_kernel_sysctls(crossfire_t)

allow crossfire_t devpts_t:chr_file {read write};

Probably want to dontaudit

term_dontaudit_use_generic_ptys(crossfire_t)

allow crossfire_t proc_t:file {getattr read};

Should use

kernel_read_system_state(crossfire_t)

If you are generating these additional AVC rules using audit2allow, use -R to attempt to find the reference policy
macros to use. The macros are available in the /usr/share/selinux/devel/include directory.
> --Mike
>