[rhelv6-list] Modifications to the Base SELinux Policy

Damian Gerow dgerow at afflictions.org
Thu Jun 13 12:50:55 UTC 2013


Matthias Saou wrote:
> > Is there a better way to override a port that's defined in the base
> > policy, or is providing a different base policy the way to go?
> > 
> > (Changing the port for our software is a non-option at this point,
> > unfortunately.)
> 
> What about a "mildly-ugly" solution of allowing access to ports of
> hplip_port_t type in your custom module? It does have the downside of
> allowing binding to a lot more ports than you need (I see 18), but
> that's probably not a major issue.

Gah.  I meant to point that out as another option that we're considering,
but don't love.  It's certainly easier than a custom base policy, but it
does minimally increase the access of our software to our host.

(Whether or not having access to those ports is a bad thing is a whole other
story, and can likely be mitigated with interface labels, or with the
introduction of a few other booleans to restrict what it can do with
hplip_port_t.)

Something else we've considered is pulling in a much later version of
refpolicy (20110726 looks like a viable candidate, without requiring
checkpolicy/libsepol updates), but I don't look forward to the patchwork
that may be required.
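
The "mildly-ugly" option above, gated behind a boolean so the wider hplip_port_t port set is not open unconditionally, written out as an added example that is not from the original thread: `mydaemon_t` stands in for whatever domain your software already runs in, and the module and boolean names are placeholders; `corenet_tcp_bind_hplip_port()` is the refpolicy interface that grants `name_bind` on hplip_port_t.

```selinux
policy_module(mydaemon_hplip_port, 1.0)

########################################
#
# Declarations
#

# mydaemon_t is a placeholder for the domain your software runs in; it is
# declared in your existing custom module, so only require it here.
require {
	type mydaemon_t;
}

## <desc>
## <p>
## Allow mydaemon to bind TCP sockets to ports labelled hplip_port_t.
## Off by default, so the extra ports are only reachable when an admin
## explicitly enables it.
## </p>
## </desc>
gen_tunable(mydaemon_bind_hplip_port, false)

########################################
#
# Policy
#

# Grant the bind only when the boolean is on. With it off, a bind to any
# hplip_port_t port is denied and shows up as an AVC against hplip_port_t in
# the audit log, which makes unexpected use of the broader port set visible.
tunable_policy(`mydaemon_bind_hplip_port',`
	corenet_tcp_bind_hplip_port(mydaemon_t)
')
```

Build and load it with the usual `make -f /usr/share/selinux/devel/Makefile` and `semodule -i`, then enable the bind with `setsebool -P mydaemon_bind_hplip_port on`; the grant still covers every port labelled hplip_port_t, so the boolean narrows when, not which, ports are bindable.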
