Adoption to Ref-Policy sysadm_t

Philipp impregister at phru.at
Mon Mar 31 13:22:07 UTC 2014


Hi all,

I am trying to adopt the reference policy in a way that the sysadm_t domain
isn't able to open SELinux configuration files or run any related binaries
like semanage. My approach was to edit the sysadm.te file and uncomment the
related lines in there. Thus far, I haven't found the right entries:

I looked up the following lines with sesearch:

sesearch --all -s sysadm_t -t selinux_config_t |

Output:

   allow sysadm_t non_security_file_type : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
   allow sysadm_t non_security_file_type : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename add_name remove_name reparent search rmdir open } ;
   allow sysadm_t non_security_file_type : lnk_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename } ;
   allow sysadm_t non_security_file_type : chr_file { getattr relabelfrom relabelto } ;
   allow sysadm_t non_security_file_type : blk_file { getattr relabelfrom relabelto } ;
   allow sysadm_t non_security_file_type : sock_file { getattr relabelfrom relabelto } ;
   allow sysadm_t non_security_file_type : fifo_file { getattr relabelfrom relabelto } ;
   allow sysadm_t file_type : filesystem getattr ;
   allow sysadm_usertype file_type : filesystem getattr ;
   allow sysadm_t selinux_config_t : dir { getattr search open } ;
   allow sysadm_usertype selinux_config_t : file { ioctl read getattr lock open } ;
   allow sysadm_usertype selinux_config_t : dir { ioctl read getattr lock search open } ;
   allow sysadm_usertype selinux_config_t : lnk_file { read getattr } ;

I thought that there must be some entries corresponding to the last few lines,
but as already mentioned I haven't found any in the
rpmbuild/SOURCES/serefpolicy-3.7.19/policy/modules/roles/sysadm* files.

What am I doing wrong, or where do I have to change something?

Thank you in advance!
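Worth noticing in the sesearch output above: almost every rule has an attribute, not a plain type, as its source (sysadm_usertype) or target (non_security_file_type, file_type). Such rules are expanded by the compiler from interface macros in other modules, so a literal `allow sysadm_t selinux_config_t ...` line will not exist in sysadm.te, and removing a single interface call affects every type that carries the attribute. The script below is an added example, not part of the original mail: it parses a subset of the quoted sesearch output (with the e-mail line wrapping left in), rejoins the wrapped rules, and reports which rules reach selinux_config_t directly and which only through an attribute. The MEMBERSHIP table is an assumption constructed for the example; on a real system the attribute members come from `seinfo -a <attribute> -x`.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the sesearch output quoted in the
# question, including the e-mail line wrapping and stray indentation.
SESEARCH_OUTPUT = """\
allow sysadm_t non_security_file_type : file { ioctl read write create
getattr setattr lock relabelfrom relabelto append unlink link rename open }
;
   allow sysadm_t non_security_file_type : dir { ioctl read write create
getattr setattr lock relabelfrom relabelto unlink link rename add_name
remove_name reparent search rmdir open } ;
   allow sysadm_t file_type : filesystem getattr ;
   allow sysadm_t selinux_config_t : dir { getattr search open } ;
   allow sysadm_usertype selinux_config_t : file { ioctl read getattr lock
open } ;
   allow sysadm_usertype selinux_config_t : lnk_file { read getattr } ;
"""

# Assumed attribute membership, constructed for this example only. On a real
# system take it from `seinfo -a <attribute> -x` instead of hard-coding it.
MEMBERSHIP = {
    "sysadm_usertype": {"sysadm_t"},
    "non_security_file_type": {"selinux_config_t"},
    "file_type": {"selinux_config_t"},
}

# allow SRC TGT : CLASS { p1 p2 ... } ;   or   allow SRC TGT : CLASS perm ;
RULE_RE = re.compile(
    r"allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s+"
    r"(?:\{(?P<perms>[^}]*)\}|(?P<perm>[^\s;]+))\s*;"
)


def parse_rules(text):
    """Re-join wrapped lines and parse every `allow` rule.

    Returns a list of (source, target, class, frozenset(permissions)).
    """
    flat = " ".join(text.split())  # collapse newlines and indentation
    rules = []
    for m in RULE_RE.finditer(flat):
        perms = (m.group("perms") or m.group("perm")).split()
        rules.append((m.group("src"), m.group("tgt"), m.group("cls"),
                      frozenset(perms)))
    return rules


def covers(name, type_name, membership):
    """True if `name` is `type_name` itself or an attribute containing it."""
    return name == type_name or type_name in membership.get(name, set())


def explain_access(rules, domain, target, membership):
    """Rules granting `domain` access to `target`, each tagged with whether
    the grant is direct or comes through an attribute on either side."""
    hits = []
    for src, tgt, cls, perms in rules:
        if covers(src, domain, membership) and covers(tgt, target, membership):
            via_attr = src != domain or tgt != target
            hits.append({"source": src, "target": tgt, "class": cls,
                         "perms": sorted(perms), "via_attribute": via_attr})
    return hits


def effective_perms(hits):
    """Union of permissions per object class across all matching rules."""
    merged = defaultdict(set)
    for h in hits:
        merged[h["class"]].update(h["perms"])
    return {cls: sorted(p) for cls, p in merged.items()}


if __name__ == "__main__":
    rules = parse_rules(SESEARCH_OUTPUT)
    hits = explain_access(rules, "sysadm_t", "selinux_config_t", MEMBERSHIP)
    for h in hits:
        how = "via attribute" if h["via_attribute"] else "direct"
        print(f"{how:14} allow {h['source']} {h['target']}:{h['class']} "
              f"{{ {' '.join(h['perms'])} }}")
    print("effective:", effective_perms(hits))
```

Run against the sample, only the `allow sysadm_t selinux_config_t : dir` rule is direct; the file read/write access comes entirely through attributes, which is why grepping sysadm.te for selinux_config_t finds nothing. To locate the real origin of an attribute-based rule, search the whole policy/modules tree for the interface that names the attribute, and check with `seinfo` which other types share it before removing the call.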
