Creating and packaging a new policy module

Dominick Grift dominick.grift at gmail.com
Thu Aug 22 07:09:09 UTC 2013


On Thu, 2013-08-22 at 06:33 +0000, Juan Orti Alcaine wrote:
> El 2013-08-20 11:13, Dominick Grift escribió:
> > upstream will probably only accept it with the use of a 
> > radvd_domtrans()
> > but for your solution for now you could do something like this:
> > 
> > optional_policy(`
> > gen_require(`
> > 	type radvd_exec_t, radvd_t;
> > ')
> > domtrans_pattern(gogoc_t, radvd_exec_t, radvd_t)
> > ')
> > 
> 
> I have updated the policy, could you please take a look at it and give 
> me your opinion?
> 

sysnet_read_config(gogoc_t) is duplicate since it is already called in
auth_use_nsswitch(gogoc_t)

allow radvd_t gogoc_var_run_t:file rw_file_perms; can be changed to:
allow radvd_t gogoc_var_run_t:file write_file_perms; since:
gogoc_read_pid_files(radvd_t) already allows radvd_t to read
gogoc_var_run_t files

Not sure but:
files_tmp_filetrans(gogoc_t, gogoc_tmp_t, { file dir }) can probably be
changed to:
files_tmp_filetrans(gogoc_t, gogoc_tmp_t, dir) since the type transition
probably is only needed for the dir (the file is probably created inside
this dir)

allow gogoc_t radvd_etc_t:file manage_file_perms; if this file gets
created by gogoc_t, then this probably needs a file type transition rule
as well, since the config file is located in /etc/ so without a type
transition rule the file would be created with type etc_t instead of
type radvd_etc_t

allow gogoc_t gogoc_tmp_t:file manage_file_perms; this is a duplicate
rule and can be removed

allow gogoc_t gogoc_log_t:file manage_file_perms; is insufficient and may
be improved:

create_files_pattern(gogoc_t, gogoc_log_t, gogoc_log_t)
allow gogoc_t gogoc_log_t:file { append_file_perms read_file_perms
setattr_file_perms };

This will remove the write permission which gogoc_t shouldn't need (log
files should be opened for append only)

gogoc_t probably needs to be able to create log file which means it
needs to be able to write/add directory entries to parent
dir /var/log/gogoc

allow gogoc_t gogoc_var_lib_t:file manage_file_perms;
allow gogoc_t gogoc_var_lib_t:dir rw_dir_perms;
allow gogoc_t gogoc_var_run_t:file manage_file_perms;
allow gogoc_t gogoc_var_run_t:dir rw_dir_perms;
allow gogoc_t gogoc_etc_t:file read_file_perms;
allow gogoc_t gogoc_etc_t:dir list_dir_perms;

These can be improved a bit by using patterns instead:
example:
manage_files_pattern(gogoc_t, gogoc_var_lib_t, gogoc_var_lib_t)
manage_files_pattern(gogoc_t, gogoc_var_run_t, gogoc_var_run_t)
read_files_pattern(gogoc_t, gogoc_etc_t, gogoc_etc_t)

This might shave off some unneeded permissions as well

type gogoc_etc_t;
files_config_file(gogoc_etc_t)

I would probably name this type "gogoc_conf_t" instead since
"gogoc_etc_t" refers to a path instead of a property of a file ( nitpick
but in light of consistent and self-documenting policy better to get
used to the best choices)

allow gogoc_t self:unix_dgram_socket create_socket_perms; duplicate
rule: already included with: logging_send_syslog_msg(gogoc_t)

allow gogoc_t self:udp_socket create_socket_perms; duplicate rule:
already included with auth_use_nsswitch(gogoc_t)

> http://pkgs.fedoraproject.org/cgit/gogoc.git/tree/gogoc.te
> http://pkgs.fedoraproject.org/cgit/gogoc.git/tree/gogoc.if
> http://pkgs.fedoraproject.org/cgit/gogoc.git/tree/gogoc.fc
> 
> Thank you,
> Juan.
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
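As an added example (not the gogoc.te from the package, whose exact contents are not on this page), a hypothetical fragment that applies the review points above; the gogoc_* types are assumed to be declared elsewhere in the module and the interface names are reference policy macros:

```selinux
# Added example: hypothetical rewrite of the rules discussed in the review,
# not the package's gogoc.te. gogoc_t, gogoc_tmp_t, gogoc_log_t,
# gogoc_var_lib_t and gogoc_var_run_t are assumed to be declared elsewhere.

# Config type named after a property of the file, not the /etc path
type gogoc_conf_t;
files_config_file(gogoc_conf_t)

# One pattern per location instead of separate file/dir allow rules
manage_dirs_pattern(gogoc_t, gogoc_var_lib_t, gogoc_var_lib_t)
manage_files_pattern(gogoc_t, gogoc_var_lib_t, gogoc_var_lib_t)
manage_dirs_pattern(gogoc_t, gogoc_var_run_t, gogoc_var_run_t)
manage_files_pattern(gogoc_t, gogoc_var_run_t, gogoc_var_run_t)
read_files_pattern(gogoc_t, gogoc_conf_t, gogoc_conf_t)

# Temp: transition only the directory; files are created inside it
manage_dirs_pattern(gogoc_t, gogoc_tmp_t, gogoc_tmp_t)
manage_files_pattern(gogoc_t, gogoc_tmp_t, gogoc_tmp_t)
files_tmp_filetrans(gogoc_t, gogoc_tmp_t, dir)

# Logs: create plus append, never plain write. Adding entries under
# /var/log/gogoc needs dir perms on the parent, and a transition so a
# new file is labelled gogoc_log_t rather than the parent's type.
allow gogoc_t gogoc_log_t:dir rw_dir_perms;
create_files_pattern(gogoc_t, gogoc_log_t, gogoc_log_t)
allow gogoc_t gogoc_log_t:file { append_file_perms read_file_perms setattr_file_perms };
logging_log_filetrans(gogoc_t, gogoc_log_t, { dir file })

optional_policy(`
	gen_require(`
		type radvd_t, radvd_etc_t;
	')
	# gogoc_t creates radvd's config under /etc: without the transition
	# the new file would get etc_t instead of radvd_etc_t
	manage_files_pattern(gogoc_t, radvd_etc_t, radvd_etc_t)
	files_etc_filetrans(gogoc_t, radvd_etc_t, file)
	# start radvd in its own domain via the interface upstream expects
	radvd_domtrans(gogoc_t)
	# read access comes from gogoc_read_pid_files(radvd_t); only write
	# is needed on top
	allow radvd_t gogoc_var_run_t:file write_file_perms;
')
```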
