On 12/05/2010 07:46 PM, Dominick Grift wrote:
On 12/05/2010 04:44 PM, Jorge Fábregas wrote:
> On Saturday 04 December 2010 16:41:39 Dominick Grift wrote:
>> So you could define a file type transition:
>>
>> if unconfined_t creates a file in directories with type etc_t, then
>> transition from type etc_t to some specified type (net_conf_t in your
>> example)
>>
>> filetrans_pattern(unconfined_t, etc_t, net_conf_t, file)
> Hello again!
> I would like to try this out (files created with unconfined_t, under /etc/, to
> have a label of net_conf_t). My only experience with inserting custom-policy
> modules is with the "allow rules" suggested by audit2allow. Other than that I
> have never done anything else policy-wise so bear with me :)
> I tried this:
You should remove the ; on the filetrans line
mkdir mytest; cd mytest;
echo "policy_module(mytest, 1.0.0)" > mytest.te;
echo "gen_require(\` type unconfined_t, etc_t, net_conf_t; ')" >> mytest.te;
echo "# allow unconfined_t to create files with type net_conf_t in etc_t
# directories. So unconfined_t should be able to traverse etc_t
# directories (search) and to add entries to the parent etc_t directories.
# this is all provided in the manage_files_pattern" >> mytest.te;
echo "manage_files_pattern(unconfined_t, etc_t, net_conf_t)" >> mytest.te;
whoops, these lines need to be commented:
echo "# Now we must tell selinux to transition the type of the file
# created by unconfined_t in etc_t directories from the default etc_t type
# to the specified net_conf_t type." >> mytest.te;
echo "filetrans_pattern(unconfined_t, etc_t, net_conf_t, file)" >> mytest.te;
make -f /usr/share/selinux/devel/Makefile mytest.pp
sudo semodule -i mytest.pp
sudo touch /etc/test
ls -alZ /etc/test
sudo rm /etc/test
sudo semodule -r mytest
We used already-defined patterns in the above example instead of raw policy,
that is, the policy that the kernel understands.
Patterns, interfaces, permission sets and templates are all m4 macro-ish
things that aim to make policy development easier and more maintainable.
You can find the patterns we used above in the file below:
/usr/share/selinux/devel/include/support/file_patterns.spt
There is also an interface provided in the sysnetwork module that
basically wraps the filetrans pattern up for us:
#######################################
## <summary>
##	Create files in /etc with the type used for
##	the network config files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysnet_etc_filetrans_config',`
	gen_require(`
		type net_conf_t;
	')

	files_etc_filetrans($1, net_conf_t, file)
')
So instead of using the filetrans_pattern in the above example we could
simply call this:
sysnet_etc_filetrans_config(unconfined_t)
The above interface uses another macro that is defined in the files
module. You'll see that often.
The manage_files_pattern I used in my example can be replaced by:
sysnet_manage_config(unconfined_t)
which is also defined in the sysnet module for us to use:
#######################################
## <summary>
##	Create, read, write, and delete network config files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sysnet_manage_config',`
	gen_require(`
		type net_conf_t;
	')

	files_search_etc($1)
	allow $1 net_conf_t:file manage_file_perms;

	ifdef(`distro_redhat',`
		manage_files_pattern($1, net_conf_t, net_conf_t)
	')
')
You can find these provided interfaces in the *.if files you'll find
under the directory below:
/usr/share/selinux/devel/include
> ------------------------------ cut here ---------------------------
> module localtran 1.0;
> require {
> type unconfined_t;
> type etc_t;
> type net_conf_t;
> class file {write};
> }
> filetrans_pattern(unconfined_t, etc_t, net_conf_t, file);
> ------------------------------ cut here ---------------------------
> and then tried "checkmodule -M -m localtran.te -o localtran.pp" but I get
> syntax errors with token "filetrans_pattern". I did some googling and noticed
> the use of "files_type" and "manage_files" before filetrans_pattern (tried it but
> didn't work). I'm not sure if I need those and also the class directive.
> I would like to try this first and eventually get more sophisticated with your
> other suggestions.. Of course, this is just for learning purposes (not that I
> need unconfined_t to create files in /etc with net_conf_t ).
> Regards,
> Jorge
> --
> selinux mailing list
> selinux(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
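The raw policy behind the two patterns discussed in this thread, as an added example (not code from the list post or from refpolicy itself). It expands manage_files_pattern and filetrans_pattern into the allow and type_transition rules the kernel actually sees, and emits a complete module in the syntax checkmodule accepts; checkmodule never runs m4, which is why a bare filetrans_pattern call in a .te fed straight to it is a syntax error. The permission sets are reproduced from refpolicy's obj_perm_sets.spt from memory, so check them against /usr/share/selinux/devel/include before relying on the exact lists; the module name localtran and the output file name are assumptions.

```python
#!/usr/bin/env python3
"""Expand refpolicy's manage_files_pattern and filetrans_pattern into the raw
policy language that checkmodule accepts.

Added example for this thread, not code from the list post.  The permission
sets below are reproduced from refpolicy's obj_perm_sets.spt from memory;
re-check them against /usr/share/selinux/devel/include before relying on
the exact lists.  Module name and output path are assumptions.
"""
import sys

# obj_perm_sets.spt: rw_dir_perms and manage_file_perms (as recalled).
RW_DIR_PERMS = "open getattr read lock search ioctl add_name remove_name write"
MANAGE_FILE_PERMS = (
    "create open getattr setattr read write append rename link unlink ioctl lock"
)

# Classes that share the create/unlink style permissions, so a type_transition
# on them can be required with a permission that really exists on the class.
FILE_LIKE_CLASSES = {"file", "dir", "lnk_file", "sock_file", "fifo_file",
                     "chr_file", "blk_file"}


def manage_files_pattern(domain, dirtype, filetype):
    """What manage_files_pattern($1, $2, $3) expands to in file_patterns.spt."""
    return [
        f"allow {domain} {dirtype}:dir {{ {RW_DIR_PERMS} }};",
        f"allow {domain} {filetype}:file {{ {MANAGE_FILE_PERMS} }};",
    ]


def filetrans_pattern(domain, dirtype, newtype, objclass="file"):
    """What filetrans_pattern($1, $2, $3, $4) expands to: directory access plus
    the type_transition that relabels objects of class $4 created in $2."""
    if objclass not in FILE_LIKE_CLASSES:
        raise ValueError(f"unsupported object class {objclass!r}")
    return [
        f"allow {domain} {dirtype}:dir {{ {RW_DIR_PERMS} }};",
        f"type_transition {domain} {dirtype}:{objclass} {newtype};",
    ]


def raw_module(name, version, domain, dirtype, newtype, objclass="file"):
    """Complete module source in checkmodule syntax.  The require block has to
    name every type and every class/permission the rules use, which is what
    the original localtran.te lacked besides the unexpanded m4 macro call."""
    rules = manage_files_pattern(domain, dirtype, newtype)
    rules += filetrans_pattern(domain, dirtype, newtype, objclass)
    # The dir rule is emitted by both patterns; keep one copy, preserve order.
    unique_rules = list(dict.fromkeys(rules))

    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in (domain, dirtype, newtype)]
    lines.append(f"\tclass dir {{ {RW_DIR_PERMS} }};")
    lines.append(f"\tclass file {{ {MANAGE_FILE_PERMS} }};")
    if objclass not in ("file", "dir"):
        # A class used only in type_transition must still be required, and
        # require needs at least one permission of that class listed.
        lines.append(f"\tclass {objclass} {{ create }};")
    lines += ["}", ""]
    lines += unique_rules
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Same labels as the thread: unconfined_t creating files in etc_t dirs
    # gets net_conf_t.  Writes localtran.te (assumed name) to the cwd.
    source = raw_module("localtran", "1.0", "unconfined_t", "etc_t", "net_conf_t")
    with open("localtran.te", "w") as f:
        f.write(source)
    sys.stdout.write(source)
```

Build the result in two steps, since checkmodule produces a .mod and not a .pp: `checkmodule -M -m localtran.te -o localtran.mod && semodule_package -o localtran.pp -m localtran.mod`, then `sudo semodule -i localtran.pp` and remove it again with `sudo semodule -r localtran`. A raw module bypasses the refpolicy Makefile, so nothing checks that the required types exist until semodule links it into the policy store.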