package review?

Daniel J Walsh dwalsh at redhat.com
Fri Jul 21 15:14:42 UTC 2006


Michael Thomas wrote:
> Daniel J Walsh wrote:
>   
>> Michael Thomas wrote:
>>     
>>> They are in the src.rpm, but I realize that's not the easiest way to
>>> pass them around.  Here are direct links:
>>>
>>> http://www.kobold.org/~wart/fedora/crossfire.fc
>>>   http://www.kobold.org/~wart/fedora/crossfire.if
>>> http://www.kobold.org/~wart/fedora/crossfire.te
>>>
>> I would not define crossfire_static_data_t, unless this is data you do
>> not want other confined domains from reading.  You can just let it use
>> usr_t and give the application the ability to read usr_t.
>> files_read_usr_files(crossfire_t)
>
>> I do not like adding additional file_contexts unless the domain needs to
>> write.  Up until now, I think you are better off leaving
>> read  only files with the default context.  (This might change as we
>> move to more RBAC support).
>
> But this would also give the application read access to all of usr_t.
> If I put on my paranoia hat, then I'd want to make sure the application
> has limited read access as well as write access.
>
That is fine, but most likely there is nothing secret in /usr that has a
usr_t context, so you are adding complexity for little gain in security.
>> allow crossfire_t port_t:udp_socket send_msg;
>> allow crossfire_t port_t:tcp_socket name_bind;
>> You need to define a port for this socket and only allow name_bind to
>> that port
>
> Ok.  If the server admin changes the application's port (not likely),
> then they would need to update the policy as well, right?
>
Users can modify ports using "semanage port", so that is not a problem.

>> allow crossfire_t bin_t:file getattr;
>> allow crossfire_t bin_t:dir search;
>> Should use corecmd_getattr_bin_files(crossfire_t)
>> corecmd_search_bin(crossfire_t)
>
> Ok.  I still need to track down why the application is trying to search
> here.
>
It is probably looking for itself?
>
>> allow crossfire_t proc_t:dir search;
>> allow crossfire_t sysctl_t:dir search;
>> allow crossfire_t sysctl_kernel_t:dir search;
>> allow crossfire_t sysctl_kernel_t:file read;
>> Should use
>> kernel_read_kernel_sysctls(crossfire_t)
>
> Ok.  Does this mean I can remove the require { type sysctl_t; }; from
> the .te file?  Or does the kernel_read_kernel_sysctls() not perform this
> require{}?
>
Yes, the macros have all the appropriate requires in them.
>> allow crossfire_t devpts_t:chr_file {read write};
>> Probably want to dontaudit
>> term_dontaudit_use_generic_ptys(crossfire_t)
>
> This will disallow the action, but not generate the avc denied messages,
> right?
>
Yes
>> allow crossfire_t proc_t:file {getattr read};
>> Should use
>> kernel_read_system_state(crossfire_t)
>
> Ok.
>
>> If you are generating these additional AVC rules using audit2allow, use
>> -R to attempt to find the reference policy macros to use.
>
> Ah, I didn't know that one.
>
> Thanks for the help,
>
> --Mike
>
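Pulling the reviewer's suggestions together, here is an added example (not code from the thread or from the crossfire package) of what the .te module looks like with reference policy interfaces in place of the raw allow rules. The interfaces not named in the thread (init_daemon_domain, corenet_port, corenet_tcp_bind_all_nodes, corenet_udp_sendrecv_all_ports) and the port number are assumptions.

```selinux
# Added example, not from the thread.  Lines marked "was:" quote the raw
# allow rules from the original crossfire.te; interface names not mentioned
# in the thread are assumed refpolicy interfaces.
policy_module(crossfire, 1.0)

type crossfire_t;
type crossfire_exec_t;
init_daemon_domain(crossfire_t, crossfire_exec_t)   # assumed interface

# A port type of its own, so name_bind covers only the server port rather
# than every generic port_t port.  The admin maps the number at install
# time (placeholder value), and can move it later without a policy rebuild:
#   semanage port -a -t crossfire_port_t -p tcp <CROSSFIRE_PORT>
type crossfire_port_t;
corenet_port(crossfire_port_t)                      # assumed interface

# was: allow crossfire_t port_t:tcp_socket name_bind;
allow crossfire_t crossfire_port_t:tcp_socket name_bind;
corenet_tcp_bind_all_nodes(crossfire_t)             # assumed interface
# was: allow crossfire_t port_t:udp_socket send_msg;
corenet_udp_sendrecv_all_ports(crossfire_t)         # assumed interface

# was: a private crossfire_static_data_t type plus read rules for it.
# Read-only data under /usr keeps the default usr_t label, so no extra
# file_contexts entry is needed.
files_read_usr_files(crossfire_t)

# was: allow crossfire_t bin_t:file getattr;
#      allow crossfire_t bin_t:dir search;
corecmd_getattr_bin_files(crossfire_t)
corecmd_search_bin(crossfire_t)

# was: allow crossfire_t proc_t:dir search;
#      allow crossfire_t sysctl_t:dir search;
#      allow crossfire_t sysctl_kernel_t:dir search;
#      allow crossfire_t sysctl_kernel_t:file read;
# The interface carries its own require{} block, so the module needs no
# "require { type sysctl_t; }" for this.
kernel_read_kernel_sysctls(crossfire_t)

# was: allow crossfire_t proc_t:file { getattr read };
kernel_read_system_state(crossfire_t)

# was: allow crossfire_t devpts_t:chr_file { read write };
# Access stays denied; the dontaudit only stops the AVC log noise.
term_dontaudit_use_generic_ptys(crossfire_t)
```

Running audit2allow -R over the remaining denials, as suggested above, reports the matching interface instead of a raw allow rule where one exists.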