Selinux > Hipl

Justin P. Mattock justinmattock at gmail.com
Sat Dec 5 10:09:02 UTC 2009


On 12/05/09 02:06, Frank Murphy (Frankly3D) wrote:
> On 05/12/09 09:42, Manuel Wolfshant wrote:
> --snip--
>
>> And once we (that is you :) ) have a correct policy,
>
> Does this look ok?
>
> audit2allow -M myhipd01 < /var/log/audit/audit.log
>
> module myhipd01 1.0;
>
> require {
> type unconfined_t;
> type ifconfig_t;
> type unconfined_java_t;
> type chrome_sandbox_t;
> type root_t;
> type admin_home_t;
> type null_device_t;
> type iptables_t;
> type abrt_t;
> type initrc_t;
> type ftp_port_t;
> type var_lock_t;
> type xauth_t;
> type device_t;
> type setroubleshootd_t;
> type wine_t;
> type rpm_var_cache_t;
> type rpcd_t;
> type system_mail_t;
> type plymouthd_t;
> class capability sys_ptrace;
> class netlink_ip6fw_socket { read write };
> class process execmem;
> class memprotect mmap_zero;
> class netlink_firewall_socket { read write };
> class chr_file unlink;
> class netlink_xfrm_socket { read write };
> class tcp_socket name_connect;
> class file { read write };
> class rawip_socket { read write };
> class netlink_route_socket { read write };
> class udp_socket { read write };
> class dir { write remove_name create };
> role system_r;
> role unconfined_r;
> }
>
> #============= abrt_t ==============
> allow abrt_t ftp_port_t:tcp_socket name_connect;
> allow abrt_t rpm_var_cache_t:dir create;
>
> #============= chrome_sandbox_t ==============
> allow chrome_sandbox_t self:capability sys_ptrace;
>
> #============= ifconfig_t ==============
> allow ifconfig_t initrc_t:netlink_route_socket { read write };
> allow ifconfig_t initrc_t:netlink_xfrm_socket { read write };
> allow ifconfig_t initrc_t:udp_socket { read write };
> allow ifconfig_t var_lock_t:file { read write };
>
> #============= iptables_t ==============
> allow iptables_t initrc_t:netlink_firewall_socket { read write };
> allow iptables_t initrc_t:netlink_ip6fw_socket { read write };
> allow iptables_t initrc_t:rawip_socket { read write };
> allow iptables_t initrc_t:udp_socket { read write };
> allow iptables_t var_lock_t:file { read write };
>
> #============= plymouthd_t ==============
> allow plymouthd_t device_t:dir { write remove_name };
> allow plymouthd_t null_device_t:chr_file unlink;
>
> #============= setroubleshootd_t ==============
> allow setroubleshootd_t device_t:file write;
>
> #============= system_mail_t ==============
> allow system_mail_t root_t:dir write;
>
> #============= unconfined_t ==============
> allow unconfined_t self:process execmem;
>
> #============= wine_t ==============
> allow wine_t self:memprotect mmap_zero;
>
> #============= xauth_t ==============
> allow xauth_t admin_home_t:file { write read };
> #============= ROLES ==============
> role system_r types unconfined_java_t;
> role unconfined_r types rpcd_t;
>

sure.. now install your binary!!

Justin P. Mattock
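Before loading a module like the one quoted above, a reviewer wants to see two things that audit2allow does not point out on its own: the generated rules cover many domains that have nothing to do with hipd (abrt_t, wine_t, chrome_sandbox_t, plymouthd_t and so on), because the whole audit.log was piped in rather than only the denials for the daemon being fixed, and several rules grant permissions that weaken a domain's isolation as a whole (execmem for unconfined_t, mmap_zero for wine_t, sys_ptrace for chrome_sandbox_t). The script below is an added example, not code from the thread or from the SELinux tools: it parses the allow rules of a .te module and flags both cases. The set of "related domains" and the list of high-risk permissions are assumptions chosen for the example.

```python
"""Review helper for an audit2allow-generated Type Enforcement module.

Added example, not from the thread: it parses the allow rules of a .te
module and flags, before `semodule -i`, rules whose source domain is
unrelated to the service being fixed and rules that grant permissions
broad enough to deserve a second look. The permission list and the set
of related domains are assumptions made for the example.
"""
import re

# Matches both single-permission rules ("...:tcp_socket name_connect;")
# and braced permission sets ("...:dir { write remove_name };").
ALLOW_RE = re.compile(
    r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([^}]*)\}|(\w+))\s*;"
)

# Assumed high-risk (class, permission) pairs: each weakens a memory
# protection or process-isolation guarantee for the whole source domain.
RISKY_PERMS = {
    ("process", "execmem"),        # writable and executable memory
    ("memprotect", "mmap_zero"),   # mapping the zero page
    ("capability", "sys_ptrace"),  # tracing other processes
}


def parse_allow_rules(module_text):
    """Return (source, target, class, set_of_perms) for each allow rule."""
    rules = []
    for line in module_text.splitlines():
        m = ALLOW_RE.match(line.strip())
        if not m:
            continue
        src, tgt, cls, braced, single = m.groups()
        perms = set(braced.split()) if braced is not None else {single}
        rules.append((src, tgt, cls, perms))
    return rules


def review_module(module_text, related_domains):
    """Split the module's rules into (unrelated, risky) lists of rule text."""
    unrelated, risky = [], []
    for src, tgt, cls, perms in parse_allow_rules(module_text):
        rule = f"allow {src} {tgt}:{cls} {' '.join(sorted(perms))};"
        if src not in related_domains:
            unrelated.append(rule)
        if any((cls, p) in RISKY_PERMS for p in perms):
            risky.append(rule)
    return unrelated, risky


# Constructed sample: a small subset of the module shown in the thread.
SAMPLE_MODULE = """\
module myhipd01 1.0;

require {
    type unconfined_t;
    type ifconfig_t;
    type initrc_t;
    type wine_t;
    class process execmem;
    class memprotect mmap_zero;
    class netlink_route_socket { read write };
}

#============= ifconfig_t ==============
allow ifconfig_t initrc_t:netlink_route_socket { read write };

#============= unconfined_t ==============
allow unconfined_t self:process execmem;

#============= wine_t ==============
allow wine_t self:memprotect mmap_zero;
"""

if __name__ == "__main__":
    # Assumed: only ifconfig_t and iptables_t act on behalf of hipd here.
    unrelated, risky = review_module(SAMPLE_MODULE, {"ifconfig_t", "iptables_t"})
    print("Rules for domains unrelated to the service:")
    for r in unrelated:
        print("  ", r)
    print("Rules granting high-risk permissions:")
    for r in risky:
        print("  ", r)
```

Run it against the real module file instead of SAMPLE_MODULE by reading the .te into `review_module`. Anything it lists under "unrelated" is usually a sign to regenerate the module from a filtered input (for instance the output of `ausearch -c <daemon>`) so that only the denials actually being fixed end up in it; anything under "risky" deserves a look at whether the denied operation should be allowed at all rather than silenced.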
More information about the fedora-selinux-list mailing list