Aleksey Nogin wrote:
On 14.04.2004 18:16, Daniel J Walsh wrote:
In certain cases it is helpful to just run these avc messages through
audit2allow
I guess so, although for many of these things, the right solution is
not to allow the access, but change something else (e.g. grub- should
be marked correctly).
All these messages basically came down to a couple of rules that have
been added to the latest policy.
Thanks!
A couple of tricks you might want to try
audit2allow -l -i /var/log/messages
Will output all rules for messages since the last time you ran a make
load.
Ah, that's very useful, thanks, I did not know about these audit2allow
options.
You have written your first policy.
Far from the first one ;-)
Not really meant at you, it was more meant at anyone else that wants to
try their hand at writing policy.
BTW, do you think any of the following is worth adding to the default
policy (or is already there)?
--- My local te ---
# Allow hotplug (including /sbin/ifup-local) to start/stop services and
# run sendmail -q
domain_auto_trans(hotplug_t, initrc_exec_t, initrc_t)
domain_auto_trans(hotplug_t, sendmail_exec_t, system_mail_t)
Added
# Same for apm/acpid scripts
domain_auto_trans(apmd_t, initrc_exec_t, initrc_t)
domain_auto_trans(apmd_t, sendmail_exec_t, system_mail_t)
Added
# Allow syslog to a terminal
allow syslogd_t tty_device_t:chr_file { getattr write ioctl append };
I will add this and see what security people say.
# Allow staff to mess with removable devices
allow staff_t removable_device_t:blk_file { getattr read ioctl lock };
This is already in there for handling floppies.
# Allow utempter to write to /tmp/.xses-*
allow utempter_t staff_tmp_t:file { getattr write };
Added
# VNC v4 module in X server
type vnc_port_t, port_type;
allow xdm_xserver_t vnc_port_t:tcp_socket name_bind;
# For some reason, putting portcon here is a syntax error and it has to
# go into net_contexts :-(
# portcon tcp 5900 system_u:object_r:vnc_port_t
Added
# Allow strace debugging for staff
allow staff_t {staff_mozilla_t staff_xauth_t}:process { ptrace };
--- My local fc ---
# Workaround for bug 117685
/home/nogin -l aleksey:object_r:staff_home_t
# /dev/cdrom is a removable device. Is there a better way to say this?
/dev/hdc -b system_u:object_r:removable_device_t
I don't know. We have thought about this, but what happens when you have
more than one cdrom?
/home/aleksey/\.gnupg/idea aleksey:object_r:shlib_t
# The hibernation script (downloaded from
# http://prdownloads.sourceforge.net/swsusp/suspend.sh?download )
/usr/local/sbin/hibernate system_u:object_r:initrc_exec_t
# This is where my Java installation lives
/usr/local/j2re.*/bin(/.*)? system_u:object_r:bin_t
/usr/local/j2re.*/lib(64)?/i386(/.*)? system_u:object_r:lib_t
# Is there a better way to say that random users should be able
# to dump files here?
/opt/downloads system_u:object_r:tmp_t
That is the way I do it.
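The audit2allow step discussed above (collapsing AVC denials into allow rules, with `-l` restricting the input to messages logged since the last policy load), shown as an added example that is not part of this thread and is not the audit2allow shipped in policycoreutils. It parses the 2.6-era syslog form of an AVC message and merges denials into one `allow` rule per source type, target type and class. The log lines are constructed to mirror the rules Aleksey posted, and the `POLICY_LOAD_MARKER` text used to model `-l` is an assumption, not the real kernel message.

```python
"""Toy audit2allow: turn kernel AVC denial messages into allow rules.

Added example, not the audit2allow from policycoreutils. It parses the
syslog form of an AVC message ("avc:  denied  { perms } for  ...
scontext=... tcontext=... tclass=...") and collapses the denials into one
allow rule per (source type, target type, class). The "-l" behaviour (only
messages since the last policy load) is modelled with POLICY_LOAD_MARKER,
which is an assumption here and not the real kernel text.
"""
import re
from collections import OrderedDict

# Constructed sample of /var/log/messages; the contexts mirror rules from
# the thread (syslogd to a tty, utempter to staff_tmp_t, staff ptrace).
SAMPLE_LOG = """\
Apr 14 18:01:02 host kernel: audit(1081954862.101:0): avc:  denied  { write } for  pid=612 exe=/sbin/syslogd name=tty1 dev=hda1 ino=2345 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
Apr 14 18:01:02 host kernel: audit(1081954862.102:0): avc:  denied  { getattr } for  pid=612 exe=/sbin/syslogd name=tty1 dev=hda1 ino=2345 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
Apr 14 18:05:00 host kernel: security: policy loaded (constructed marker)
Apr 14 18:06:10 host kernel: audit(1081955170.033:0): avc:  denied  { write } for  pid=980 exe=/usr/sbin/utempter name=.xses-nogin dev=hda1 ino=7788 scontext=aleksey:staff_r:utempter_t tcontext=aleksey:object_r:staff_tmp_t tclass=file
Apr 14 18:06:10 host kernel: audit(1081955170.034:0): avc:  denied  { getattr } for  pid=980 exe=/usr/sbin/utempter name=.xses-nogin dev=hda1 ino=7788 scontext=aleksey:staff_r:utempter_t tcontext=aleksey:object_r:staff_tmp_t tclass=file
Apr 14 18:07:00 host kernel: audit(1081955220.500:0): avc:  denied  { ptrace } for  pid=1001 exe=/usr/bin/strace scontext=aleksey:staff_r:staff_t tcontext=aleksey:staff_r:staff_mozilla_t tclass=process
"""

# Assumed marker for "the last time you ran a make load"; the real kernel
# message differs, so adjust this to what your kernel actually logs.
POLICY_LOAD_MARKER = "security: policy loaded"

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return (source_type, target_type, class, set(perms)) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type; allow rules name only the type.
    stype = m.group("scontext").split(":")[2]
    ttype = m.group("tcontext").split(":")[2]
    perms = set(m.group("perms").split())
    return stype, ttype, m.group("tclass"), perms


def avc_to_allow_rules(log_text, since_last_load=False):
    """Merge AVC denials into allow rules, optionally only those after the
    last policy-load marker (the "-l" behaviour)."""
    lines = log_text.splitlines()
    if since_last_load:
        loads = [i for i, l in enumerate(lines) if POLICY_LOAD_MARKER in l]
        if loads:
            lines = lines[loads[-1] + 1:]
    merged = OrderedDict()
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        merged.setdefault((stype, ttype, tclass), set()).update(perms)
    return [
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
        for (s, t, c), p in merged.items()
    ]


if __name__ == "__main__":
    for rule in avc_to_allow_rules(SAMPLE_LOG, since_last_load=True):
        print(rule)
```

Run with `since_last_load=True` the script emits only the utempter and ptrace rules, since the syslogd denials precede the marker; run without it, the syslogd rule comes out first. Each emitted rule is only a starting point for review: as the thread notes, the right fix is often a file-context change (e.g. correctly labelling grub) rather than a new allow rule.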