On 14.04.2004 18:16, Daniel J Walsh wrote:
> In certain cases it is helpful to just run these avc messages through audit2allow

I guess so, although for many of these things, the right solution is not to allow the access, but change something else (e.g. grub- should be marked correctly).

> All these messages basically came down to a couple of rules that have been added to the latest policy.

Thanks!

> A couple of tricks you might want to try
>
> audit2allow -l -i /var/log/messages
>
> Will output all rules for messages since the last time you ran a make load.

Ah, that's very useful, thanks, I did not know about these audit2allow options.

> You have written your first policy.

Far from the first one ;-)
BTW, do you think any of the following is worth adding to the default policy (or is already there)?
--- My local te ---

# Allow hotplug (including /sbin/ifup-local) to start/stop services and
# run sendmail -q
domain_auto_trans(hotplug_t, initrc_exec_t, initrc_t)
domain_auto_trans(hotplug_t, sendmail_exec_t, system_mail_t)

# Same for apm/acpid scripts
domain_auto_trans(apmd_t, initrc_exec_t, initrc_t)
domain_auto_trans(apmd_t, sendmail_exec_t, system_mail_t)

# Allow syslog to a terminal
allow syslogd_t tty_device_t:chr_file { getattr write ioctl append };

# Allow staff to mess with removable devices
allow staff_t removable_device_t:blk_file { getattr read ioctl lock };

# Allow utempter to write to /tmp/.xses-*
allow utempter_t staff_tmp_t:file { getattr write };

# VNC v4 module in X server
type vnc_port_t, port_type;
allow xdm_xserver_t vnc_port_t:tcp_socket name_bind;
# For some reason, putting portcon here is a syntax error and it has to
# go into net_contexts :-(
# portcon tcp 5900 system_u:object_r:vnc_port_t

# Allow strace debugging for staff
allow staff_t { staff_mozilla_t staff_xauth_t }:process { ptrace };
--- My local fc ---

# Workaround for bug 117685
/home/nogin -l aleksey:object_r:staff_home_t

# /dev/cdrom is a removable device. Is there a better way to say this?
/dev/hdc -b system_u:object_r:removable_device_t

/home/aleksey/\.gnupg/idea aleksey:object_r:shlib_t

# The hibernation script (downloaded from
# http://prdownloads.sourceforge.net/swsusp/suspend.sh?download )
/usr/local/sbin/hibernate system_u:object_r:initrc_exec_t

# This is where my Java installation lives
/usr/local/j2re.*/bin(/.*)? system_u:object_r:bin_t
/usr/local/j2re.*/lib(64)?/i386(/.*)? system_u:object_r:lib_t

# Is there a better way to say that random users should be able
# to dump files here?
/opt/downloads system_u:object_r:tmp_t
-- 
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin@xxxxxxxxxxxxxx (office), aleksey@xxxxxxxxxxxxxx (personal)
Office: Jorgensen 70, tel: (626) 395-2907
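The thread above turns on two points: audit2allow condenses a pile of AVC denials into a handful of allow rules, and, as the reply notes, the right fix is often to relabel the object (a port type for VNC, a device type for /dev/hdc) rather than to allow the access. The script below, an added example and not part of the original message or of audit2allow itself, shows the mechanics of that condensation and flags the second case: it parses AVC lines, merges permissions per (source type, target type, class), emits allow rules, and comments out any rule whose target is a generic catch-all type, since a denial against such a type usually signals a labeling gap. The log lines are constructed to resemble the 2004-era kernel syslog format; the exact layout of real messages and the list of "generic" types are assumptions.

```python
import re
from collections import defaultdict

# Matches the kernel's AVC denial record. The field order is an assumption
# modelled on the syslog layout of the time; adjust for a different kernel.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample log, not copied from any real /var/log/messages.
SAMPLE_LOG = """\
Apr 14 18:20:01 host kernel: audit(1081960801.101:0): avc:  denied  { write } for  pid=812 exe=/sbin/syslogd path=/dev/tty12 dev=hda1 ino=4711 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
Apr 14 18:20:01 host kernel: audit(1081960801.102:0): avc:  denied  { getattr } for  pid=812 exe=/sbin/syslogd path=/dev/tty12 dev=hda1 ino=4711 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
Apr 14 18:21:15 host kernel: audit(1081960875.337:0): avc:  denied  { name_bind } for  pid=1300 exe=/usr/X11R6/bin/XFree86 src=5900 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:port_t tclass=tcp_socket
Apr 14 18:22:40 host kernel: audit(1081960960.002:0): avc:  denied  { read } for  pid=2001 exe=/bin/cat path=/dev/hdc dev=hda1 ino=9002 scontext=aleksey:staff_r:staff_t tcontext=system_u:object_r:device_t tclass=blk_file
"""

# Catch-all types: a denial against one of these usually means the object
# was never given a specific label, so an allow rule would be the wrong fix.
GENERIC_TARGETS = {"device_t", "port_t", "file_t", "unlabeled_t", "default_t"}


def parse_avc(lines):
    """Yield (source_type, target_type, tclass, frozenset(perms)) per denial line."""
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial; skip
        perms = frozenset(m.group("perms").split())
        # A context is user:role:type; the policy rule only needs the type.
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        yield stype, ttype, m.group("tclass"), perms


def aggregate(denials):
    """Merge permissions so each (stype, ttype, tclass) key yields one rule."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in denials:
        merged[(stype, ttype, tclass)] |= perms
    return merged


def render_rules(merged):
    """Return allow rules; rules against generic targets are commented for review."""
    out = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        rule = f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        if ttype in GENERIC_TARGETS:
            rule = f"# {rule}  # REVIEW: generic target type; relabel the object instead"
        out.append(rule)
    return out


def rules_from_log(text):
    """Convenience wrapper: raw log text in, list of rule lines out."""
    return render_rules(aggregate(parse_avc(text.splitlines())))


if __name__ == "__main__":
    for rule in rules_from_log(SAMPLE_LOG):
        print(rule)
```

Run against the sample, the two syslogd denials collapse into one rule, `allow syslogd_t tty_device_t:chr_file { getattr write };`, while the XFree86 bind to port 5900 and the cat of /dev/hdc come out commented: both targets are the catch-all `port_t` and `device_t`, which is exactly the situation where a new `port_type` or a `removable_device_t` file context is the better answer than an allow rule.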