Policy Review

Dominick Grift dominick.grift at gmail.com
Fri Jan 10 18:24:15 UTC 2014


On Fri, 2014-01-10 at 11:13 -0500, David Hampton wrote:

> /var/run/fwknop(/.*)?		--	gen_context(system_u:object_r:fwknopd_var_run_t,s0)

> #
> # Create (/var)/run/fwknop directory, and manage files within that
> # directory.
> #
> files_create_var_run_dirs(fwknopd_t)
> files_pid_filetrans(fwknopd_t, fwknopd_var_run_t, dir)
> manage_files_pattern(fwknopd_t, fwknopd_var_run_t, fwknopd_var_run_t)

The above does not add up:

The file context specification states: label all "single
files" /var/run/fwknop and below type fwknopd_var_run_t

That means that the /var/run/fwknop directory will be reset to var_run_t
if you run restorecon on it (assuming it was created with type
fwknopd_var_run_t, as your policy governs).

The related rules you added also do not add up because your file
transition rule states: make fwknopd_t create directories in var_run_t
directories with type fwknopd_var_run_t.

Obviously that conflicts with the file context specification which
states that fwknopd_var_run_t only applies to files.

Not to mention that fwknopd_t is not allowed to create directories with
type fwknopd_var_run_t (only files).

fwknopd_t is allowed to create var_run_t directories instead but that
conflicts with the filetrans rule.

So I would probably change the above to this instead:

/var/run/fwknop(/.*)?		gen_context(system_u:object_r:fwknopd_var_run_t,s0)

manage_dirs_pattern(fwknopd_t, fwknopd_var_run_t, fwknopd_var_run_t)
manage_files_pattern(fwknopd_t, fwknopd_var_run_t, fwknopd_var_run_t)
files_pid_filetrans(fwknopd_t, fwknopd_var_run_t, dir)

Also do not forget to remove the permissive statement before you
deploy this solution.
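The labelling point made above, as an added example that is not part of the original post or of the fwknop project's policy: a miniature matchpathcon that applies the file_contexts rule "the last entry whose regex and optional file-type field both match wins" to the two specs under discussion. The var_run_t line in the constructed fragment is an assumed stand-in for the generic /var/run entry shipped by the base policy, and the fragment is written with the more specific entry last, as a sorted file_contexts file would be. Running it shows the directory /var/run/fwknop falling back to var_run_t under the `--` spec while files inside it still get fwknopd_var_run_t, and both getting fwknopd_var_run_t once the type field is dropped.

```shell
#!/bin/sh
# Added example, not code from the mailing list post or the fwknop project.
# A tiny matchpathcon(8): the last file_contexts entry whose regex and
# optional file-type field both match decides the label.

# Constructed file_contexts fragment (assumption: the var_run_t line stands
# in for the base policy's /var/run entry; entries are ordered so the more
# specific one comes last, as in a sorted file_contexts file).
FC_ORIGINAL='/var/run(/.*)?	gen_context(system_u:object_r:var_run_t,s0)
/var/run/fwknop(/.*)?	--	gen_context(system_u:object_r:fwknopd_var_run_t,s0)'

FC_FIXED='/var/run(/.*)?	gen_context(system_u:object_r:var_run_t,s0)
/var/run/fwknop(/.*)?	gen_context(system_u:object_r:fwknopd_var_run_t,s0)'

# mini_matchpathcon FILE_CONTEXTS PATH KIND
#   KIND is "dir" or "file", the inode class restorecon would see.
#   Prints the SELinux type PATH would be labelled with.
mini_matchpathcon() {
    fc=$1 path=$2 kind=$3
    matched=$(printf '%s\n' "$fc" | while read -r regex second third; do
        [ -n "$regex" ] || continue
        # Entries are: REGEX [TYPE_FIELD] CONTEXT
        if [ -n "$third" ]; then
            ftype=$second context=$third
        else
            ftype='' context=$second
        fi
        # File-type field: "--" regular file only, "-d" directory only,
        # no field means any class. Other classes are not modelled here.
        case "$ftype" in
            '')  ;;
            --)  [ "$kind" = file ] || continue ;;
            -d)  [ "$kind" = dir ]  || continue ;;
            *)   continue ;;
        esac
        # file_contexts regexes are anchored at both ends.
        printf '%s\n' "$path" | grep -Eq "^${regex}\$" || continue
        # Emit the type; tail(1) below keeps the last match.
        printf '%s\n' "$context" | sed -n 's/.*:object_r:\([^,:)]*\).*/\1/p'
    done | tail -n 1)
    # No entry matched: restorecon would leave the inode alone.
    echo "${matched:-<<none>>}"
}

# Walk both specs for the directory and for a pid file inside it.
echo "original spec (-- field):"
echo "  /var/run/fwknop (dir)             -> $(mini_matchpathcon "$FC_ORIGINAL" /var/run/fwknop dir)"
echo "  /var/run/fwknop/fwknopd.pid (file) -> $(mini_matchpathcon "$FC_ORIGINAL" /var/run/fwknop/fwknopd.pid file)"
echo "fixed spec (no type field):"
echo "  /var/run/fwknop (dir)             -> $(mini_matchpathcon "$FC_FIXED" /var/run/fwknop dir)"
echo "  /var/run/fwknop/fwknopd.pid (file) -> $(mini_matchpathcon "$FC_FIXED" /var/run/fwknop/fwknopd.pid file)"
```

On a real system the same check is `matchpathcon -n /var/run/fwknop` (or `restorecon -nv /var/run/fwknop` for a dry run) after the module and its file context file have been installed; the example only reproduces the matching rule so the effect of the `--` field can be seen without a policy build.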




More information about the selinux mailing list