Creating and packaging a new policy module
Juan Orti Alcaine
juan.orti at miceliux.com
Tue Aug 20 10:51:15 UTC 2013
El 2013-08-19 13:27, Dominick Grift escribió:
> On Sun, 2013-08-18 at 20:10 +0200, Juan Orti Alcaine wrote:
>> Hello, I'm the package mantainer of gogoc, and I'm creating my first
>> policy
>> module for it following the instructions of this draft in the wiki
>> [1].
>>
>> It says you must build your module for three policies: mls, scritct
>> and
>> targeted, but I don't see any strict policy, is this information still
>> correct? Must I build it also for minimum?
>
> Yes strict no longer exists, so remove any reference to it
And what about the minimum policy?
Also, I see some packages dropping their policies to
/usr/share/selinux/packages/ and others to
/usr/share/selinux/{targeted,mls}. What's better?
>
>>
>> Also I have doubts if the module will always live in the gogoc package
>> or it
>> will be migrated sometime to the main selinux-policy-targeted package.
>>
>> If you can take a look at the policy to find any possible error it
>> would be
>> great. It's already in the git repository of gogoc [2]
>>
>
> You policy should have no require{} in the .te file, everything should
> have an api that you can use instead
>
> Only type transition on what you need to type transition on, instead of
> everything (you type transition on everything)
>
> corecmd_bin_entry_type(gogoc_t) <- this doesnt make sense as you do not
> domain type transition on bin_t anywhere
>
> radvd_admin(gogoc_t, system_r) <- this one isnt appropriate here
>
> systemd_exec_systemctl(gogoc_t) <- why is this needed?
>
> allow gogoc_t radvd_exec_t:file { read execute open execute_no_trans };
> <-- depending on why gogoc runs dadvd you may want to run radvd with a
> domain transition instead. If it turns out that you should have ran
> radvd with a domain transition ,then it is encouraged you start over
> with your policy because, one should always take care of type
> transitions first before adding any other rules. because type
> transitions can greatly impact access your process needs
>
> There are duplicate rules in your policy
>
> For example:
> sysnet_dns_name_resolve(gogoc_t)
> and
> files_read_etc_files(gogoc_t)
>
> are already enclosed with:
> auth_use_nsswitch(gogoc_t)
>
> Theres probably a bit moreroom for improvement other than above but
> this
> is a start
Thank you for your comments, I'm newbie at policy writing.
What gogoc does is to negotiate the tunnel and execute a shell script to
configure the tun interface and launch the radvd with a custom config to
advertise the prefix in the net.
I'm rewriting the policy and have doubts about how to transition to the
radvd_t domain. I miss a interface like radvd_domtrans(gogoc_t), which I
think it's the way to do the transition, another way I'm thinking it's
adding a section require{ type radvd_exec_t;} and grant access to
execute and domain transition. Which api function should I use?
Regards,
Juan.
More information about the selinux
mailing list