> #Context for the driver configuration files
> /etc/ndiswrapper/ -- system_u:object_r:loadndis_content_t
you probably want this:
/etc/ndiswrapper(/.*)? system_u:object_r:loadndis_content_t
so you can label all of the driver stuff tha'ts stored under that
directory and it's subdirectories. I don't think your pattern will
match anything.
Actually everything does get the correct labels here. I guess it is
setting the label on the ndiswrapper directory and then all the child
directories and files are inheriting that context.
> # Filename: loadndis.te
> #Rules for devices
> allow loadndis_t device_t:dir { rw_dir_perms };
> allow loadndis_t device_t:chr_file { read create unlink ioctl };
> allow loadndis_t null_device_t:chr_file { rw_file_perms };
> allow loadndis_t console_device_t:chr_file { rw_file_perms };
It would be better for the device node to have its own type, and type
transition the chr_file, that way loadndis_t can only read very specific
device nodes:
type loadndis_device_t, device_type, dev_fs;
file_type_auto_trans(loadndis_t,device_t,loadndis_device_t,chr_file)
Or if you really want to go least privilege, you could probably use
these rules instead of the above file_type_auto_trans:
allow loadndis_t device_t:dir { search write add_name remove_name };
allow loadndis_t loadndis_device_t:chr_file { read create unlink ioctl };
type_transition loadndis_t device_t:chr_file loadndis_device_t;
Thanks for the tip. I am assuming here that these transitions cause the
created device to be relabeled to the new loadndis_device_t, which would
then prevent it from messing around with other devices in device_t?
> #Capabilities
> allow loadndis_t self:capability { sys_tty_config };
> allow loadndis_t self:capability { mknod };
Just for readability, it would be best to merge these into one line.
Just a little nitpick. :)
DOH!
> #Rules for proc filesystem
> allow loadndis_t proc_t:dir { r_dir_perms };
> allow loadndis_t proc_t:file { r_file_perms };
Another readability thing, you don't need the braces around r_dir_perms
and r_file_perms, as these are macros, and they already provide braces.
So the ones you have are redundant.
Thanks for the help Chris.
Ryan
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150