Michael Thomas wrote:
Daniel J Walsh wrote:
> Michael Thomas wrote:
>
>
>> A few packages (game server daemons) that I maintain in Fedora Extras
>> would benefit from having a selinux security policy available. But
>> since I'm new to writing selinux policies, I was hoping that someone
>> from f-s-l could take a peek at what I did and let me know if I've done
>> things correctly and in the 'recommended' way.
>>
>> I've already tested the policy on FC5 to make sure that it works and
>> produces no 'avc denied' messages:
>>
>> http://www.kobold.org/~wart/fedora/crossfire-1.9.1-2.src.rpm
>>
>> I wasn't sure exactly which networking rules I would need. Most of the
>> ones there were generated by policygentool. I also couldn't figure out
>> why some of the rules at the end of crossfire.te were necessary.
>>
>> Thanks in advance!
>>
>> --Mike
>>
>> ------------------------------------------------------------------------
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list(a)redhat.com
>>
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
> Please attach the te, fc and if files.
>
They are in the src.rpm, but I realize that's not the easiest way to
pass them around. Here are direct links:
http://www.kobold.org/~wart/fedora/crossfire.fc
http://www.kobold.org/~wart/fedora/crossfire.if
http://www.kobold.org/~wart/fedora/crossfire.te
I would not define crossfire_static_data_t, unless this is data you do
not want other confined domains reading. You can just let it use
usr_t and give the application the ability to read usr_t.
files_read_usr_files(crossfire_t)
I do not like adding additional file_contexts unless the domain needs to
write. Up until now, I think you are better off leaving
read-only files with the default context. (This might change as we
move to more RBAC support.)
allow crossfire_t port_t:udp_socket send_msg;
allow crossfire_t port_t:tcp_socket name_bind;
You need to define a port for this socket and only allow name_bind to that port.
allow crossfire_t bin_t:file getattr;
allow crossfire_t bin_t:dir search;
Should use
corecmd_getattr_bin_files(crossfire_t)
corecmd_search_bin(crossfire_t)
allow crossfire_t proc_t:dir search;
allow crossfire_t sysctl_t:dir search;
allow crossfire_t sysctl_kernel_t:dir search;
allow crossfire_t sysctl_kernel_t:file read;
Should use
kernel_read_kernel_sysctls(crossfire_t)
allow crossfire_t devpts_t:chr_file {read write};
Probably want to dontaudit:
term_dontaudit_use_generic_ptys(crossfire_t)
allow crossfire_t proc_t:file {getattr read};
Should use
kernel_read_system_state(crossfire_t)
If you are generating these additional AVC rules using audit2allow, use -R to attempt to
find the reference policy macros to use.
The macros are available in the /usr/share/selinux/devel/include directory.
--Mike
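Putting the suggestions in this thread together, the local policy section of crossfire.te could look like the following. This is an added example written for this page, not the crossfire.te from the src.rpm; the dedicated port type crossfire_port_t, the port number 13327, and the self:*_socket permission lines are assumptions, while the interface calls are the ones named above plus standard refpolicy corenetwork interfaces.

```selinux
policy_module(crossfire, 1.0)

########################################
#
# Declarations
#

type crossfire_t;
type crossfire_exec_t;
init_daemon_domain(crossfire_t, crossfire_exec_t)

# Dedicated port type (ASSUMED name) so the daemon may name_bind only
# to its own port rather than to anything labelled port_t.  The port
# number is labelled outside the module, for example:
#   semanage port -a -t crossfire_port_t -p tcp 13327   (13327 is assumed)
type crossfire_port_t;
corenet_port(crossfire_port_t)

########################################
#
# Local policy
#

# Read-only game data keeps the default usr_t label instead of a
# custom crossfire_static_data_t; the domain just needs read access.
files_read_usr_files(crossfire_t)

# Replaces the raw bin_t:file getattr / bin_t:dir search rules.
corecmd_getattr_bin_files(crossfire_t)
corecmd_search_bin(crossfire_t)

# Replaces the proc_t, sysctl_t and sysctl_kernel_t rules.
kernel_read_kernel_sysctls(crossfire_t)
kernel_read_system_state(crossfire_t)

# Replaces allow crossfire_t devpts_t:chr_file { read write };
# the access is not needed, so silence the denial instead of granting it.
term_dontaudit_use_generic_ptys(crossfire_t)

# Networking: bind only to crossfire_port_t, never to generic port_t.
allow crossfire_t self:tcp_socket create_stream_socket_perms;
allow crossfire_t self:udp_socket create_socket_perms;
allow crossfire_t crossfire_port_t:tcp_socket name_bind;
allow crossfire_t crossfire_port_t:udp_socket name_bind;
corenet_tcp_bind_all_nodes(crossfire_t)
corenet_udp_bind_all_nodes(crossfire_t)
corenet_tcp_sendrecv_all_if(crossfire_t)
corenet_tcp_sendrecv_all_nodes(crossfire_t)
corenet_tcp_sendrecv_all_ports(crossfire_t)
corenet_udp_sendrecv_all_ports(crossfire_t)
```

After loading the module, any remaining denials can be run through audit2allow -R, which reports the matching reference policy interface instead of a raw allow rule.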