Tayga policy review
William Brown
william at firstyear.id.au
Thu Apr 3 01:01:17 UTC 2014
Hi,
I'm submitting a package for tayga to fedora. I would like the SELinux
policy attached to this reviewed.
https://bugzilla.redhat.com/show_bug.cgi?id=1028206
Policy attached. It has comments around parts I have queries and
concerns about.
Note that tayga will attempt to call /usr/sbin/ip, which is why the cmd
transitions are in the policy.
--
William Brown <william at firstyear.id.au>
-------------- next part --------------
/usr/sbin/tayga -- gen_context(system_u:object_r:tayga_exec_t,s0)
/etc/tayga(/.*)? gen_context(system_u:object_r:tayga_etc_t,s0)
/var/run/tayga-(.*)\.pid -- gen_context(system_u:object_r:tayga_var_run_t,s0)
/var/db/tayga(/.*)? gen_context(system_u:object_r:tayga_var_db_t,s0)
-------------- next part --------------
policy_module(tayga, 1.0.0)
##########
# Definitions
#
type tayga_t;
type tayga_exec_t;
init_daemon_domain(tayga_t, tayga_exec_t)
type tayga_etc_t;
files_config_file(tayga_etc_t)
type tayga_var_run_t;
files_pid_file(tayga_var_run_t)
type tayga_var_db_t;
files_type(tayga_var_db_t)
########
# Rules
# Non interfaced rules that "seem" to be the norm ...
allow tayga_t self:capability net_admin;
application_domain(tayga_t, tayga_exec_t)
dev_read_rand( tayga_t )
# Why is this needed also?
gen_require(`
type urandom_device_t;
')
allow tayga_t urandom_device_t:chr_file { read open };
auth_use_nsswitch(tayga_t)
read_files_pattern(tayga_t, tayga_etc_t, tayga_etc_t)
getattr_dirs_pattern(tayga_t, tayga_etc_t, tayga_etc_t)
search_dirs_pattern(tayga_t, tayga_etc_t, tayga_etc_t)
list_dirs_pattern(tayga_t, tayga_etc_t, tayga_etc_t)
## Would be better if I could use ...
# read_dirs_pattern(tayga_t, tayga_etc_t, tayga_etc_t)
manage_files_pattern(tayga_t, tayga_var_run_t, tayga_var_run_t)
manage_dirs_pattern(tayga_t, tayga_var_db_t, tayga_var_db_t)
manage_files_pattern(tayga_t, tayga_var_db_t, tayga_var_db_t)
## Allow access to the tun
allow tayga_t self:tun_socket { create_socket_perms relabelfrom relabelto };
corenet_rw_tun_tap_dev(tayga_t)
## I'm not sure about these ...
kernel_read_system_state(tayga_t)
corecmd_shell_domtrans(tayga_t, tayga_t)
sysnet_domtrans_ifconfig( tayga_t )
# This rule may need appropriate interfaces
gen_require(`
type shell_exec_t;
')
allow tayga_t shell_exec_t:file execute_no_trans;
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <http://lists.fedoraproject.org/pipermail/selinux/attachments/20140403/fff250e4/attachment.sig>
More information about the selinux
mailing list