On Tue, 2009-03-10 at 18:26 -0700, Brian Ginn wrote:
> I have an application that consists of four different programs that all talk to each other via TCP sockets… Similar to the diagram:
> [ASCII diagram, garbled in extraction: a "UserApp Client" box on the left connected to "ServerA", "ServerB" and "Logger" boxes on the right, with ServerA and Logger also linked to each other]
> The ServerA, ServerB, and Logger all run from xinetd.
> The "UserApp Client" is the only program directly executed via the user.
> All programs read from a common settings file in /etc.
> With Fedora Core 9, I've used the polgengui to create initial policies for the four programs.
> Then since they share the settings file, I edited the definitions so that configuration file is not specific to any one of the programs.
> They all need to share port information, so I added require { myservera_port_t; myserverb_port_t; mylogger_port_t } statements to each .te file.
> That seems to work on FC9, but on RedHat EL 5.2, when attempting to load myservera, it complains:
>
> /usr/sbin/semodule -i myservera.pp
> libsepol.print_missing_requirements: myservera's global requirements were not met: type/attribute myserverb_port_t
> libsemanage.semanage_link_sandbox: Link packages failed
> /usr/sbin/semodule: Failed!
>
> Attempting to load myserverB first ends up with the same complaint about the serverA's port_t being undefined.
> I had kept the .te files for the four programs separate… but this message makes me think that maybe I need to combine them. Is that necessary? Or is there a way to pre-define the ports before the "require from somewhere else" statement?
You could maybe declare your ports in a separate port module. Or you could integrate your modules to the main selinux-policy packages.
> For my four programs, should I have four distinct policy_module statements?
> Is it possible to have multiple policy_module statements in the same .te file?
> Also, I seem to be having domain transfer problems.
> I added this following code to each .te file:
>
> domain_auto_trans(unconfined_t, myapp_exec_t, myapp_t )
This would also require: role unconfined_r types myapp_t; However, please consider that the unconfined domain is designed to be unrestricted (it should not domain transition to unconfined domains).
One would use the confined user domains (if available).
> allow unconfined_t myapp_t:fd use;
> allow myapp_t unconfined_t:fifo_file rw_file_perms;
> allow myapp_t unconfined_t:process sigchld;
>
> however, each process still runs as follows:
>
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 32504 pts/4 00:00:00 myapp
> unconfined_u:system_r:inetd_child_t:s0-s0:c0.c1023 32508 ? 00:00:00 myserverb
> unconfined_u:system_r:inetd_child_t:s0-s0:c0.c1023 32512 ? 00:00:00 mylogger
>
> inetd daemons are declared this way:
>
> inetd_tcp_service_domain(myserverb_t, myserverb_exec_t)
> role system_r types myserverb_t;
This also takes care of the domain transition.
> For the inetd daemons, is this something I should try to fix, or is unconfined_u:system_r:inetd_child_t "secure enough"?
> Any suggestions for getting the myapp domain transferred?
>
> Thanks,
> Brian
--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
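An added example, not from the thread, of the "separate port module" suggestion and the role line for the client transition: the shared port types are declared once in a module of their own, the per-program modules only require them, and the client module carries the role statement. Module, type and port names are taken from the thread; the refpolicy interfaces (corenet_port, domain_type, domain_entry_file, inetd_tcp_service_domain) are assumed to be present in the target policy, and the port number is a placeholder.

```selinux
## myports.te: hypothetical module that only declares the shared port types
policy_module(myports, 1.0)

type myservera_port_t;
corenet_port(myservera_port_t)

type myserverb_port_t;
corenet_port(myserverb_port_t)

type mylogger_port_t;
corenet_port(mylogger_port_t)

## myservera.te: consumer module; it requires the types, never declares them,
## so linking no longer fails on "requirements were not met"
policy_module(myservera, 1.0)

gen_require(`
    type myservera_port_t, myserverb_port_t, mylogger_port_t;
')

type myservera_t;
type myservera_exec_t;
inetd_tcp_service_domain(myservera_t, myservera_exec_t)
role system_r types myservera_t;

# bind only its own port, connect only to the two peers it talks to
allow myservera_t myservera_port_t:tcp_socket name_bind;
allow myservera_t { myserverb_port_t mylogger_port_t }:tcp_socket name_connect;

## myapp.te: the user-launched client; the role line is what the reply points out
policy_module(myapp, 1.0)

gen_require(`
    type unconfined_t;
    role unconfined_r;
    type myservera_port_t, myserverb_port_t, mylogger_port_t;
')

type myapp_t;
type myapp_exec_t;
domain_type(myapp_t)
domain_entry_file(myapp_t, myapp_exec_t)
domain_auto_trans(unconfined_t, myapp_exec_t, myapp_t)
role unconfined_r types myapp_t;
allow myapp_t { myservera_port_t myserverb_port_t mylogger_port_t }:tcp_socket name_connect;

## load order (shell): the declaring module is installed first, then the port
## numbers are mapped onto the types (the number below is a placeholder)
#   semodule -i myports.pp -i myservera.pp -i myserverb.pp -i mylogger.pp -i myapp.pp
#   semanage port -a -t myservera_port_t -p tcp SERVERA_PORT
```

Whether myapp should transition out of unconfined_t at all is the separate point raised in the reply; the role line only makes the transition legal once that choice is made.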