Requesting feedback on providing containment of sslh

James Hogarth james.hogarth at gmail.com
Thu Apr 30 18:50:53 UTC 2015


On 30 April 2015 at 12:35, Miroslav Grepl <mgrepl at redhat.com> wrote:
>
>>
> It looks good. Just I see
>
> /var/run/sslh(/.*)?
> gen_context(system_u:object_r:sslh_var_run_t,s0)
>
> but I don't see rules for it. Also you should provide also sslh.if
> policy file.
>

Ah, I based this on the tor service for certain syntax ... I've not
done any selinux policy writing with the new macros - only on EL5
during ex429.

Since the tor te didn't have rules for this I assumed a macro picked
it up to allow sysvinit based systems to write the pid...

I'll amend and include appropriate rules there as well.

On the EPEL side does policy get backported or should I update my EPEL
package with the compiling of the pp in %build and include installing
it in %install/%post?

> I don't see a reason for
>
> /usr/lib/systemd/system/sslh@*.*  --
> gen_context(system_u:object_r:sslh_unit_file_t,s0)
>
> which is covered by the previous decl.
>

That was my eyes glossing over the regex (I plan to include systemd
templated versions in a future release).

> If you provide also sslh.if we can review it at all and send possible
> patches.
>

I'll put together an appropriate if to go along with these - the fc/te
initial feedback request was just to make sure the main policy looked
good and was consistent with current practices.

> Thank you.
>

Thanks for your time and feedback.
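For readers following the two review points above (the sslh_var_run_t context with no matching rules in the .te, and the missing sslh.if), the fragments below are an added illustration in reference-policy syntax, not the author's policy or anything from the sslh project. They assume the daemon domain is named sslh_t and that the interface name sslh_read_pid_files is hypothetical; the rule set mirrors the tor pattern the author says he based the policy on.

```selinux
# --- sslh.te (fragment, appended to the existing module; added example) ---
# Declare the PID type that the sslh.fc entry for /var/run/sslh(/.*)? refers to.
type sslh_var_run_t;
files_pid_file(sslh_var_run_t)

# Let the daemon domain (assumed name: sslh_t) create and manage its PID
# directory and file, and label them sslh_var_run_t automatically when
# created under /var/run.  Without these rules the .fc entry labels files
# on relabel but the daemon itself is never allowed to write them.
manage_dirs_pattern(sslh_t, sslh_var_run_t, sslh_var_run_t)
manage_files_pattern(sslh_t, sslh_var_run_t, sslh_var_run_t)
files_pid_filetrans(sslh_t, sslh_var_run_t, { dir file })

# --- sslh.if (minimal interface file; added example) ---
## <summary>sslh protocol multiplexer.</summary>

########################################
## <summary>
##	Read sslh PID files (hypothetical interface name).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sslh_read_pid_files',`
	gen_require(`
		type sslh_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, sslh_var_run_t, sslh_var_run_t)
')
```

Other domains that need to read the PID (a monitoring tool, for example) call sslh_read_pid_files(their_domain_t) from their own .te instead of touching sslh_var_run_t directly.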
