On 01/10/2014 11:13 AM, David Hampton wrote:
Hi all,
I'm trying to (re)learn SELinux, and spent the last day or two writing a
policy for the fwknopd service, starting with a skeleton generated by
selinux-polgengui. I was hoping that someone here could take a look at it
and suggest anywhere I can make improvements to the policy. This is a
learning exercise for me, so any comments are welcome. Thanks.
David
========== fwknopd.fc =========
etc/fwknop(/.*)?                          gen_context(system_u:object_r:fwknopd_etc_t,s0)
Missing /?
/usr/lib/systemd/system/fwknopd.service   --  gen_context(system_u:object_r:fwknopd_unit_file_t,s0)
/usr/sbin/fwknopd                         --  gen_context(system_u:object_r:fwknopd_exec_t,s0)
# No "--" here: the pattern must also label the /var/run/fwknop directory
# itself, not only regular files beneath it.
/var/run/fwknop(/.*)?                         gen_context(system_u:object_r:fwknopd_var_run_t,s0)
========== fwknopd.te =========
policy_module(fwknopd, 1.0.0)

########################################
#
# Declarations
#

type fwknopd_t;
type fwknopd_exec_t;
init_daemon_domain(fwknopd_t, fwknopd_exec_t)

#permissive fwknopd_t;

type fwknopd_etc_t;
files_config_file(fwknopd_etc_t)

type fwknopd_unit_file_t;
systemd_unit_file(fwknopd_unit_file_t)

type fwknopd_var_run_t;
files_pid_file(fwknopd_var_run_t)

type fwknopd_port_t;
corenet_port(fwknopd_port_t)

########################################
#
# fwknopd local policy
#

allow fwknopd_t self:capability { setuid };
allow fwknopd_t self:process { fork signal_perms };
allow fwknopd_t self:fifo_file rw_fifo_file_perms;
allow fwknopd_t self:unix_stream_socket create_stream_socket_perms;

#
# Only need to read config files.
#
read_files_pattern(fwknopd_t, fwknopd_etc_t, fwknopd_etc_t)

#
# Create (/var)/run/fwknop directory, and manage files within that
# directory.
#
files_create_var_run_dirs(fwknopd_t)
files_pid_filetrans(fwknopd_t, fwknopd_var_run_t, dir)
manage_files_pattern(fwknopd_t, fwknopd_var_run_t, fwknopd_var_run_t)

#
# All client messages are read via pcap. Server only needs enough
# permission to create a TCP socket and bind to it, but not permission
# to read or write. It doesn't need any UDP permissions at all.
#
kernel_read_network_state(fwknopd_t)
allow fwknopd_t self:capability net_raw;
allow fwknopd_t self:packet_socket create_socket_perms;
allow fwknopd_t self:tcp_socket create_stream_socket_perms;
allow fwknopd_t fwknopd_port_t:tcp_socket name_bind;

#
# Uses system() to exec other programs, mainly xiptables-multi and gpg
# family.
#
corecmd_exec_shell(fwknopd_t)
# read /proc/meminfo
# provides access to generic files in /proc
kernel_read_system_state(fwknopd_t)
iptables_domtrans(fwknopd_t)

#
# GPG support
#
optional_policy(`
        gen_require(`
                type gpg_secret_t;
        ')
This is not necessary. My goal when writing new policy is to never have a
gen_require block in a te file.
        corecmd_exec_bin(fwknopd_t)
        gpg_domtrans(fwknopd_t)
        # App stats /root/.gnupg before running
        userdom_search_admin_dir(fwknopd_t)
        gpg_list_user_secrets(fwknopd_t)
')
#
# Provided by selinux-polgengui
#
domain_use_interactive_fds(fwknopd_t)
auth_use_nsswitch(fwknopd_t)
logging_send_syslog_msg(fwknopd_t)
miscfiles_read_localization(fwknopd_t)
============== end ============
-- selinux mailing list selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
Looks good.
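As an added illustration (not code from the thread or the fwknop project), a small Python linter that mechanically checks for the two points raised in this review: a file-context path without a leading slash, and a gen_require block inside a .te file. It also flags a directory-tree pattern restricted to regular files by "--". The .fc and .te snippets are constructed to resemble the posted policy.

```python
import re

# Constructed samples modelled on the posted policy (not the poster's files).
FC_SAMPLE = """\
etc/fwknop(/.*)?        gen_context(system_u:object_r:fwknopd_etc_t,s0)
/usr/sbin/fwknopd   --  gen_context(system_u:object_r:fwknopd_exec_t,s0)
/var/run/fwknop(/.*)?   --  gen_context(system_u:object_r:fwknopd_var_run_t,s0)
"""
TE_SAMPLE = """\
policy_module(fwknopd, 1.0.0)
optional_policy(`
    gen_require(`
        type gpg_secret_t;
    ')
    gpg_domtrans(fwknopd_t)
')
"""

# path-regex [file-type] context   (file types: -- -d -c -b -s -l -p)
FC_LINE = re.compile(r"^(\S+)\s+(?:(-[-dcbslp])\s+)?(gen_context\(\S+\)|<<none>>)$")

def lint_fc(text):
    """Return (line_no, message) findings for a refpolicy .fc file."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if not m:
            findings.append((no, "unparsable file-context entry"))
            continue
        path, ftype, _ctx = m.groups()
        if not path.startswith("/"):
            findings.append((no, "path regex must be absolute (missing leading '/')"))
        # "(/.*)?" also matches the directory itself, but "--" limits the
        # entry to regular files, so the directory keeps its parent's label.
        if ftype == "--" and path.endswith("(/.*)?"):
            findings.append((no, "directory tree pattern restricted to regular files by '--'"))
    return findings

def lint_te(text):
    """Flag gen_require blocks in a .te file; call an interface instead."""
    return [(no, "gen_require in .te: use an interface from the owning module")
            for no, line in enumerate(text.splitlines(), 1)
            if line.strip().startswith("gen_require(")]

if __name__ == "__main__":
    for name, found in (("fwknopd.fc", lint_fc(FC_SAMPLE)), ("fwknopd.te", lint_te(TE_SAMPLE))):
        for no, msg in found:
            print(f"{name}:{no}: {msg}")
```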