package review?

Daniel J Walsh dwalsh at redhat.com
Thu Jul 20 19:11:17 UTC 2006


Michael Thomas wrote:
> Daniel J Walsh wrote:
>   
>> Michael Thomas wrote:
>>
>>     
>>> A few packages (game server daemons) that I maintain in Fedora Extras
>>> would benefit from having a selinux security policy available.  But
>>> since I'm new to writing selinux policies, I was hoping that someone
>>> from f-s-l could take a peek at what I did and let me know if I've done
>>> things correctly and in the 'recommended' way.
>>>
>>> I've already tested the policy on FC5 to make sure that it works and
>>> produces no 'avc denied' messages:
>>>
>>> http://www.kobold.org/~wart/fedora/crossfire-1.9.1-2.src.rpm
>>>
>>> I wasn't sure exactly which networking rules I would need.  Most of the
>>> ones there were generated by policygentool.  I also couldn't figure out
>>> why some of the rules at the end of crossfire.te were necessary.
>>>
>>> Thanks in advance!
>>>
>>> --Mike
>>>  
>>> ------------------------------------------------------------------------
>>>
>>> -- 
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>       
>> Please attach the te, fc and if files.
>>     
>
> They are in the src.rpm, but I realize that's not the easiest way to
> pass them around.  Here are direct links:
>
> http://www.kobold.org/~wart/fedora/crossfire.fc
>   
> http://www.kobold.org/~wart/fedora/crossfire.if
> http://www.kobold.org/~wart/fedora/crossfire.te
>
>   
I would not define crossfire_static_data_t, unless this is data you do 
not want other confined domains to read.  You can just let it use 
usr_t and give the application the ability to read usr_t.
files_read_usr_files(crossfire_t)

I do not like adding additional file_contexts unless the domain needs to 
write.  Up until now, I think you are better off leaving
read-only files with the default context.  (This might change as we 
move to more RBAC support).

allow crossfire_t port_t:udp_socket send_msg;
allow crossfire_t port_t:tcp_socket name_bind;
You need to define a port for this socket and only allow name_bind to that port


allow crossfire_t bin_t:file getattr;
allow crossfire_t bin_t:dir search;
Should use 
corecmd_getattr_bin_files(crossfire_t)
corecmd_search_bin(crossfire_t)



allow crossfire_t proc_t:dir search;
allow crossfire_t sysctl_t:dir search;
allow crossfire_t sysctl_kernel_t:dir search;
allow crossfire_t sysctl_kernel_t:file read;
Should use
kernel_read_kernel_sysctls(crossfire_t)

allow crossfire_t devpts_t:chr_file {read write};
Probably want to dontaudit
term_dontaudit_use_generic_ptys(crossfire_t)



allow crossfire_t proc_t:file {getattr read};
Should use
kernel_read_system_state(crossfire_t)


If you are generating these additional AVC rules using audit2allow, use -R to attempt to find the reference policy 
macros to use.

Macros are available in the /usr/share/selinux/devel/include directory.

> --Mike
>   
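The review above can be collected into a single crossfire.te. This is an added example, not the module from the src.rpm and not Dan's text: it assumes the domain is entered from a crossfire_exec_t binary via init_daemon_domain, that the corenet_port() interface is available to declare a port type from a module, and that the game server's real port number is assigned afterwards with semanage (the placeholder below is not a real value). Every raw allow rule from the original .te is replaced by the reference policy interface named in the review, and the only remaining raw allow is the name_bind on the dedicated port type.

```selinux
policy_module(crossfire, 1.0.0)

########################################
#
# Declarations
#

type crossfire_t;
type crossfire_exec_t;
init_daemon_domain(crossfire_t, crossfire_exec_t)

# Assumed: a dedicated port type so that name_bind can be limited to the
# game server's port instead of being granted on the generic port_t.
type crossfire_port_t;
corenet_port(crossfire_port_t)

########################################
#
# Local policy
#

# No crossfire_static_data_t: the read-only game data keeps the default
# usr_t label and the domain is simply allowed to read usr_t.
files_read_usr_files(crossfire_t)

# Replaces: allow crossfire_t bin_t:file getattr;
#           allow crossfire_t bin_t:dir search;
corecmd_getattr_bin_files(crossfire_t)
corecmd_search_bin(crossfire_t)

# Replaces the proc_t / sysctl_t / sysctl_kernel_t search and read rules.
kernel_read_kernel_sysctls(crossfire_t)

# Replaces: allow crossfire_t proc_t:file { getattr read };
kernel_read_system_state(crossfire_t)

# Replaces: allow crossfire_t devpts_t:chr_file { read write };
# The daemon has no business on a user's pty, so silence it instead.
term_dontaudit_use_generic_ptys(crossfire_t)

# Replaces: allow crossfire_t port_t:tcp_socket name_bind;
# Generic interface/node/port traffic goes through corenet, and binding is
# restricted to crossfire_port_t only.
corenet_tcp_sendrecv_all_if(crossfire_t)
corenet_tcp_sendrecv_all_nodes(crossfire_t)
corenet_tcp_sendrecv_all_ports(crossfire_t)
corenet_tcp_bind_all_nodes(crossfire_t)
allow crossfire_t crossfire_port_t:tcp_socket name_bind;

# Replaces: allow crossfire_t port_t:udp_socket send_msg;
corenet_udp_sendrecv_all_if(crossfire_t)
corenet_udp_sendrecv_all_nodes(crossfire_t)
corenet_udp_sendrecv_all_ports(crossfire_t)
```

After the module is built and loaded, the port type still has to be attached to a port number, which keeps the number out of the policy source: semanage port -a -t crossfire_port_t -p tcp PORT_PLACEHOLDER, where PORT_PLACEHOLDER is the server's actual listening port. Checking the result is the same workflow as in the review: run the server, then feed any remaining denials through audit2allow -R and look up the suggested interface under /usr/share/selinux/devel/include before adding it.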