On Wed, 10 Mar 2004 19:19, Dax Kelson <dax@xxxxxxxxxxxx> wrote:
> I have made no custom changes to my box at this point.

OK.

> > I have attached a first cut at cpuspeed policy, it won't work but if you
> > try it out I'll get more information and be able to write more policy.
> >
> > What is the full path name for this scaling_governor file?
>
> /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor
>
> Tomorrow I'll see if I can try it out.

I guess we'll need something like:

allow cpuspeed_t sysfs_t:dir search;
allow cpuspeed_t sysfs_t:file rw_file_perms;

> > > scontext=system_u:system_r:dhcpc_t
> > > tcontext=system_u:object_r:ntpd_etc_t tclass=file
> > > audit(1078849148.797:0): avc: denied { getattr } for pid=1161
> > > exe=/bin/bash path=/tmp dev=hda8 ino=588673
> >
> > This is a problem. Is this standard functionality of the dhcp client or
> > have you written your own scripts?
>
> This is standard behavior on RHL8.0 and above if the DHCP server sends the
> 'time-server' options. I don't know off hand if it is RH specific or stock
> dhclient.

Regardless of whether it's RH specific or standard dhclient, it's something that has to be supported.

> > The problem we face is that the dhcp client as a standard function will
> > replace /etc/resolv.conf. The /etc/resolv.conf file is given the type
> > resolv_conf_t because so many programs want to re-write it.
> >
> > Now we can give the ntpd config file the same type. But in that case we
> > will probably want to rename it to net_conf_t or something.
> >
> > This is all conditional on this being standard functionality of the dhcp
> > client. If it's your customisation then you can just change ntpd.fc to
> > label the file as resolv_conf_t. Although I suspect that if this is a
> > customisation of yours it'll become a standard thing soon enough, it
> > sounds like a good idea!
>
> net_conf_t sounds good. I'd imagine we are going to encounter other cases
> besides resolv.conf and ntp.conf. What else might we have?
net_conf_t doesn't seem ideal to me, but I can't think of anything better at the moment. Also one other thing to note is that /etc/yp.conf has the same type; this may not be what we want.

> > > tclass=dir audit(1078849148.798:0): avc: denied { search } for
> > > pid=1161 exe=/bin/bash name=tmp dev=hda8 ino=588673
> > > scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t
> > > tclass=dir audit(1078849148.798:0): avc: denied { write } for
> > > pid=1161 exe=/bin/bash name=tmp dev=hda8 ino=588673
> > > scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t
> > > tclass=dir audit(1078849148.798:0): avc: denied { add_name } for
> > > pid=1161 exe=/bin/bash name=sh-thd-1078853309
> >
> > What is this for? The following is the policy needed to address that.
> > If it's a standard thing then I'll put it in my policy tree.
> >
> > tmp_domain(dhcpc)
>
> I don't know, what's it doing? :)
>
> It is a standard thing as I've made no custom changes.

OK, I've added the tmp_domain() rule to my tree.

> > > audit(1078849246.286:0): avc: denied { create } for pid=4526
> > > exe=/usr/bin/python key=0 scontext=system_u:system_r:initrc_t
> > > tcontext=system_u:system_r:initrc_t tclass=shm audit(1078849246.286:0):
> > > avc: denied { unix_read unix_write } for pid=4526
> > > exe=/usr/bin/python key=0 scontext=system_u:system_r:initrc_t
> > > tcontext=system_u:system_r:initrc_t tclass=shm audit(1078849246.286:0):
> > > avc: denied { read write } for pid=4526 exe=/usr/bin/python key=0
> > > scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t
> > > tclass=shm
> >
> > Any idea what this program is?
>
> Maybe it is firstboot.

I'll have to do some tests with that.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
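The thread above turns kernel AVC denial lines into SELinux allow rules by hand (the cpuspeed_t/sysfs_t rules, the dhcpc_t/tmp_t denials that became tmp_domain(dhcpc), the initrc_t shm denials). As an added example, not code from the thread or from Russell Coker's policy tree, the Python below does the mechanical part of that job in the way audit2allow does: it parses the 2004-era "avc: denied { perms } ... scontext= tcontext= tclass=" format shown in the quotes, merges all permissions seen for one (source type, target type, class) triple, and emits a candidate allow rule per triple, writing "self" where source and target types coincide. The sample log is constructed from the fragments quoted in the thread; where a quote was cut off (the tcontext of the getattr-on-/tmp line, the permission on the ntpd_etc_t file) the missing field has been filled in for illustration and is an assumption.

```python
import re
from collections import defaultdict

# Matches the AVC denial layout quoted in the thread (pre-auditd kernel log lines).
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type field of a user:role:type security context."""
    return context.split(":")[2]


def parse_avc(lines):
    """Yield (source_type, target_type, tclass, set_of_perms) per denial line; skip others."""
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue
        perms = set(m.group("perms").split())
        yield (type_of(m.group("scontext")), type_of(m.group("tcontext")),
               m.group("tclass"), perms)


def allow_rules(lines):
    """Collapse denials into one 'allow' rule per (source, target, class), sorted."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc(lines):
        merged[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        # Policy convention: a domain acting on its own type is written as 'self'.
        target = "self" if stype == ttype else ttype
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ " + plist + " }"
        rules.append(f"allow {stype} {target}:{tclass} {plist};")
    return rules


# Constructed sample log, reassembled from the denial fragments quoted in the thread.
# The tmp_t tcontext on the getattr line and the 'write' on the ntpd_etc_t file are
# assumptions filled in where the quoted text was cut off.
SAMPLE_LOG = """\
audit(1078849148.797:0): avc: denied { write } for pid=1161 exe=/bin/bash name=ntp.conf dev=hda8 ino=1 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:ntpd_etc_t tclass=file
audit(1078849148.797:0): avc: denied { getattr } for pid=1161 exe=/bin/bash path=/tmp dev=hda8 ino=588673 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t tclass=dir
audit(1078849148.798:0): avc: denied { search } for pid=1161 exe=/bin/bash name=tmp dev=hda8 ino=588673 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t tclass=dir
audit(1078849148.798:0): avc: denied { write } for pid=1161 exe=/bin/bash name=tmp dev=hda8 ino=588673 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t tclass=dir
audit(1078849148.798:0): avc: denied { add_name } for pid=1161 exe=/bin/bash name=sh-thd-1078853309 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t tclass=dir
audit(1078849246.286:0): avc: denied { create } for pid=4526 exe=/usr/bin/python key=0 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=shm
audit(1078849246.286:0): avc: denied { unix_read unix_write } for pid=4526 exe=/usr/bin/python key=0 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=shm
audit(1078849246.286:0): avc: denied { read write } for pid=4526 exe=/usr/bin/python key=0 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=shm
some unrelated kernel message that must be ignored
"""

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG.splitlines()):
        print(rule)
```

Run on the sample it prints three rules: "allow dhcpc_t ntpd_etc_t:file write;", "allow dhcpc_t tmp_t:dir { add_name getattr search write };" and "allow initrc_t self:shm { create read unix_read unix_write write };". The first one is exactly the rule the thread decides not to add: rather than let dhcpc_t write ntpd_etc_t, the file is relabelled to a shared type (resolv_conf_t or the proposed net_conf_t). That is the general caveat with any denial-to-allow tool: its output is a list of what the program tried to do, not a judgement of whether the policy should permit it, and relabelling or a macro such as tmp_domain() is often the better fix.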