[redhat-lspp] Got up at 5 AM, and thought I would try to write a new role

Daniel J Walsh dwalsh at redhat.com
Fri Jun 16 19:57:28 UTC 2006


I wanted to try to create an auditadm_r.

I was surprised how easy it was. Had to trim down the base_user_template, and add a couple of apache interfaces, but basically ended up with the following. Tried it out on an MLS machine and it seems to work pretty well. I even have it defined as a loadable module. Comments below. One problem is we need an easier way of handling /etc/selinux/mls/contexts/default_type. Had to add httpdadm_r:httpdadm_t.

semanage users -m -R httpdadm_r SELINUXUSER

policy_module(httpdadm,1.0.0)

########################################
#
# Declarations
#
gen_require(`
        role staff_r;
        type staff_devpts_t, staff_tty_device_t, staff_t;
')


define(`role_change',`
        allow $1_r $2_r;
        type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
        type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
        # avoid annoying messages on terminal hangup
        dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
')
#####  Need to figure out a way to make role_change a callable function.
#####  Perhaps just define staff_role_change and user_role_change

minimal_user_template(httpdadm)
####  Needed to strip down base_user_template.  Do not want to create
####  homedirs and eliminate all of the optional policy.  Talked to Chris
####  about breaking base_user_template into a series of templates.
role_change(staff,httpdadm)
#### Would prefer staff_role_change(httpdadm)

files_read_usr_files(httpdadm_t)
#### Probably should be defined in one of the base_user_templates, since
#### this is pretty much required if you have a shell.

apache_manage_all_content(httpdadm_t)
apache_manage_log(httpdadm_t)
apache_manage_config(httpdadm_t)


##### Problems: I can't easily modify the running service, i.e. I would
##### figure the auditadmin would want to be able to start/stop/signal the
##### service.
##### But we do not have an easy way of doing only one service, and not
##### all the rest.  Might have to add the ability to run su/sudo so if you
##### newrole first it will work.
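The callable form the comments above ask for, written as a refpolicy template that would live in an interface (.if) file rather than as a local m4 define in the .te. This is an added example, not code from the message; the template name userdom_role_change_template and its two-prefix parameter list are assumptions.

```selinux
## <summary>
##	Allow one user role to change to another role, with the
##	terminal type changes that go with it.
## </summary>
## <param name="from_prefix">
##	<summary>
##	Prefix of the role being changed from (e.g. staff).
##	</summary>
## </param>
## <param name="to_prefix">
##	<summary>
##	Prefix of the role being changed to (e.g. httpdadm).
##	</summary>
## </param>
#
template(`userdom_role_change_template',`
	# Declare what the template depends on so a missing
	# type or role fails at build time, not at load time.
	gen_require(`
		role $1_r, $2_r;
		type $1_t, $2_t;
		type $1_devpts_t, $2_devpts_t;
		type $1_tty_device_t, $2_tty_device_t;
	')

	# Let a session in $1_r newrole into $2_r.
	allow $1_r $2_r;

	# Relabel the pty/tty to the new role's terminal types
	# so the new domain keeps its controlling terminal.
	type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
	type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;

	# Avoid annoying messages on terminal hangup.
	dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
')
```

With the template in the interface headers, the local define and its call in httpdadm.te collapse to userdom_role_change_template(staff,httpdadm); a staff_role_change(httpdadm) wrapper would just be a one-line interface that calls the template with staff as its first argument.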
