I keep a record of it :)<br><br>Thank you a lot!<br><br><div class="gmail_quote">2010/7/15 Stephen Smalley <span dir="ltr">&lt;<a href="mailto:sds@tycho.nsa.gov">sds@tycho.nsa.gov</a>&gt;</span><br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div class="im">On Thu, 2010-07-15 at 12:10 +0200, giovanni testing wrote:<br>
> Hi,<br>
><br>
> I've fixed it (thanks to "/sbin/ausearch -i | grep nano | grep avc"),<br>
> and the allow lines needed are:<br>
><br>
> allow MyPolicy_t bin_t:file entrypoint;<br>
<br>
</div>This is fine for testing purposes, but for real use, you only want<br>
MyPolicy to have entrypoint permission to MyPolicy_exec_t, i.e. the<br>
MyPolicy_t domain can only be entered by executing a program labeled<br>
MyPolicy_exec_t. This can be done using the domain_entry_file()<br>
interface.<br>
<div class="im"><br>
> allow MyPolicy_t usr_t:file { read open };<br>
><br>
> I think that the second one is not appropriate, because MyPolicy now<br>
> can access every "usr_t" file (but it only needs to access<br>
> "/usr/share/terminfo/x/xterm").<br>
><br>
> To fix that, I'm thinking of a solution that I don't know is<br>
> possible: label the file "/usr/share/terminfo/x/xterm" with "xterm_t"<br>
> instead of "usr_t", but maybe it can block other applications from using<br>
> "/usr/share/terminfo/x/xterm", so "xterm_t" needs to be equivalent<br>
> to "usr_t". To do it I'm thinking of using an alias, but if it is<br>
> bidirectional it will be insecure again. As these lines may seem a bit<br>
> confusing, here is a little scheme:<br>
><br>
> I need:<br>
> - "MyPolicy_t" can use "xterm_t"<br>
> - "MyPolicy_t" cannot use "usr_t"<br>
> - Other policies continue being able to use<br>
> "/usr/share/terminfo/x/xterm" while they allow use of "usr_t" and they<br>
> have not specified to allow "xterm_t".<br>
><br>
> So accessing "usr_t" needs to be able to access "xterm_t", but<br>
> accessing "xterm_t" does not need to be able to access "usr_t" (this<br>
> is what I mean by it not needing to be bidirectional). Maybe it can be<br>
> done this way (putting the following lines in place of the two before):<br>
><br>
> allow MyPolicy_t bin_t:file entrypoint;<br>
> allow usr_t xterm_t:file manage_file_perms;<br>
> allow MyPolicy_t xterm_t:file { read open };<br>
<br>
</div>I would suggest introducing a generic terminfo_t type or similar for all<br>
of the files under /usr/share/terminfo, and then allowing most or all<br>
domains to read that type. That would need to be upstreamed to the main<br>
policy as it modifies the type of a base system file.<br>
<br>
The second allow rule is not what you want, as it doesn't mean anything<br>
(no process runs in usr_t). You could however do:<br>
allow domain terminfo_t:file read_file_perms;<br>
<font color="#888888"><br>
--<br>
</font><div><div></div><div class="h5">Stephen Smalley<br>
National Security Agency<br>
<br>
</div></div></blockquote></div><br>
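The two suggestions in the quoted reply, sketched as a refpolicy-style module. This is an added example, not code from the thread: the module name, the file-context lines and the program path placeholder are assumptions, and as the reply notes, relabeling /usr/share/terminfo belongs in the upstream base policy rather than a local module.

```selinux
# mypolicy.te: added example. Names not in the thread are assumptions.
policy_module(mypolicy, 1.0.0)

gen_require(`
	attribute domain;
')

# The confined domain and the type of the one program allowed to enter it.
type MyPolicy_t;
type MyPolicy_exec_t;
domain_type(MyPolicy_t)

# Replaces "allow MyPolicy_t bin_t:file entrypoint;".
# Only a file labeled MyPolicy_exec_t can be an entrypoint into MyPolicy_t,
# so executing an arbitrary bin_t program can no longer enter the domain.
domain_entry_file(MyPolicy_t, MyPolicy_exec_t)

# Replaces "allow MyPolicy_t usr_t:file { read open };".
# A dedicated file type for the terminfo database, so that read access to it
# no longer implies read access to every usr_t file.
type terminfo_t;
files_type(terminfo_t)

# The source of an allow rule is the domain of the process making the access.
# "allow usr_t xterm_t:file ..." never matches, because no process runs in
# usr_t. The rule from the reply grants the read to every domain instead:
allow domain terminfo_t:file read_file_perms;

# Assumption: only regular files are relabeled (see the .fc lines below), so
# the directories stay usr_t and MyPolicy_t needs search permission on them.
files_search_usr(MyPolicy_t)

# mypolicy.fc (separate file; the first path is a placeholder):
# /path/to/myprogram	--	gen_context(system_u:object_r:MyPolicy_exec_t,s0)
# /usr/share/terminfo/.*	--	gen_context(system_u:object_r:terminfo_t,s0)
```

After loading the module and relabeling, "/sbin/ausearch -i | grep avc" should show no remaining denials for usr_t file reads from MyPolicy_t when the program starts.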