"dhighley wrote:"
From dhighley Mon Jul 19 08:00:52 2010
Subject: Questions on creating policy
To: selinux(a)lists.fedoraproject.org
Date: Mon, 19 Jul 2010 08:00:52 -0700 (PDT)
X-Mailer: ELM [version 2.5 PL8]
Content-Length: 2001
Where do I find the information about how to translate from something
like this:
module rsyslod 1.0;
require {
type syslogd_t;
type var_run_t;
class fifo_file { read write };
}
#============= syslogd_t ==============
allow syslogd_t var_run_t:fifo_file { read write };
and
module sshdfilter 1.0;
require {
type syslogd_t;
type var_run_t;
class fifo_file { read write };
}
#============= syslogd_t ==============
allow syslogd_t var_run_t:fifo_file { read write };
Translation should be something like:
[root@redwood sshdfilter]# cat sshdfilter.fc
/etc/rc\.d/init\.d/sshdfilter -- gen_context(system_u:object_r:sshdfilter_initrc_exec_t, s0)
/etc/sshdfilterrc.* -- gen_context(system_u:object_r:sshdfilter_etc_t, s0)
/usr/sbin/sshdfilter -- gen_context(system_u:object_r:sshdfilter_exec_t, s0)
[root@redwood sshdfilter]# cat sshdfilter.te
policy_module(sshdfilter, 1.0.0)
type sshdfilter_t;
type sshdfilter_exec_t;
init_daemon_domain(sshdfilter_t, sshdfilter_exec_t)
type sshdfilter_initrc_exec_t;
init_script_file(sshdfilter_initrc_exec_t)
type sshdfilter_etc_t;
files_config_file(sshdfilter_etc_t)
dev_read_urand(sshdfilter_t)
corecmd_search_bin(sshdfilter_t)
miscfiles_read_localization(sshdfilter_t)
optional_policy(`
iptables_domtrans(sshdfilter_t)
')
Dominick Grift helped with the above translations, but I would like to
know how to make the transformations.
In addition to the above question I would like to know if there is an
existing label type that I should use on a named pipe that would not
require policy modifications to be made to rsyslog. I'm working in the
context of getting the sshdfilter application packaged into a Fedora RPM
and using the method of creating a named pipe for rsyslogd to write
information to that sshdfilter can read. The location for the named
pipe may even be wrong when SELinux labeling is considered,
/var/run/sshdfilter.fifo, but that seems to be where I see other named
pipes created.
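An added example, not from the post and not part of audit2allow or refpolicy, covering the mechanical half of the translation asked about above: a Python script that rewrites audit2allow-style module output into a policy_module() skeleton, drops duplicate rules (the two modules quoted above contain the same rule twice), swaps rules it recognises for refpolicy interface calls taken from an assumed lookup table, and keeps everything else as raw allow rules with a gen_require block for the external types. The sample input and the interface table are constructed; the table is keyed only on target type and object class, so the permissions each interface actually grants still have to be checked against the .if headers before the module is built.

```python
import re

# Constructed sample in the shape of audit2allow's module output (not the post's text).
AUDIT2ALLOW_OUT = """module sshdfilter 1.0;
require {
        type syslogd_t;
        type var_run_t;
        type sshdfilter_t;
        type urandom_device_t;
        class fifo_file { read write };
        class chr_file { read open };
}
#============= syslogd_t ==============
allow syslogd_t var_run_t:fifo_file { read write };
allow syslogd_t var_run_t:fifo_file { read write };
#============= sshdfilter_t ==============
allow sshdfilter_t urandom_device_t:chr_file { read open };
"""

# Assumed mapping (target type, object class) -> refpolicy interface. It ignores the
# permission set, so confirm each match in /usr/share/selinux/devel/include/*/*.if.
INTERFACES = {
    ("urandom_device_t", "chr_file"): "dev_read_urand",
    ("bin_t", "dir"): "corecmd_search_bin",
    ("locale_t", "file"): "miscfiles_read_localization",
}
MOD_RE = re.compile(r"^module\s+(\S+)\s+([\d.]+);", re.M)
RULE_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+);", re.M)

def to_refpolicy(text, local_types):
    """Return a refpolicy-style .te skeleton built from audit2allow output."""
    name, ver = MOD_RE.search(text).groups()
    ver = ver if ver.count(".") == 2 else ver + ".0"      # 1.0 -> 1.0.0
    rules = list(dict.fromkeys(RULE_RE.findall(text)))     # dedupe, keep order
    calls, raw, extern = [], [], set()
    for src, tgt, cls, perms in rules:
        iface = INTERFACES.get((tgt, cls))
        if iface:
            calls.append(f"{iface}({src})")
        else:
            raw.append(f"allow {src} {tgt}:{cls} {perms};")
        # types the module does not declare itself must be required, not redeclared
        needed = (src,) if iface else (src, tgt)
        extern.update(t for t in needed if t not in local_types)
    out = [f"policy_module({name}, {ver})", ""]
    out += [f"type {t};" for t in sorted(local_types)] + [""]
    if extern:
        out += ["gen_require(`"] + [f"\ttype {t};" for t in sorted(extern)] + ["')", ""]
    out += calls
    if raw:
        out += ["", "# no interface matched; search the headers, e.g.",
                "# grep -rn fifo_file /usr/share/selinux/devel/include/kernel/files.if"]
        out += raw
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(to_refpolicy(AUDIT2ALLOW_OUT, {"sshdfilter_t"}))
```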