> > #Context for the driver configuration files
> > /etc/ndiswrapper/ -- system_u:object_r:loadndis_content_t
>
> you probably want this:
>
> /etc/ndiswrapper(/.*)? system_u:object_r:loadndis_content_t
>
> so you can label all of the driver stuff that's stored under that
> directory and its subdirectories. I don't think your pattern will
> match anything.

Actually everything does get the correct labels here. I guess it is setting the label on the ndiswrapper directory and then all the child directories and files are inheriting that context.

> > # Filename: loadndis.te
> >
> > #Rules for devices
> > allow loadndis_t device_t:dir { rw_dir_perms };
> > allow loadndis_t device_t:chr_file { read create unlink ioctl };
> > allow loadndis_t null_device_t:chr_file { rw_file_perms };
> > allow loadndis_t console_device_t:chr_file { rw_file_perms };
>
> It would be better for the device node to have its own type, and type
> transition the chr_file, that way loadndis_t can only read very specific
> device nodes:
>
> type loadndis_device_t, device_type, dev_fs;
> file_type_auto_trans(loadndis_t,device_t,loadndis_device_t,chr_file)
>
> Or if you really want to go least privilege, you could probably use
> these rules instead of the above file_type_auto_trans:
>
> allow loadndis_t device_t:dir { search write add_name remove_name };
> allow loadndis_t loadndis_device_t:chr_file { read create unlink ioctl };
> type_transition loadndis_t device_t:chr_file loadndis_device_t;

Thanks for the tip. I am assuming here that these transitions cause the created device to be relabeled to the new loadndis_device_t, which would then prevent it from messing around with other devices in device_t?

>
> > #Capabilities
> > allow loadndis_t self:capability { sys_tty_config };
> > allow loadndis_t self:capability { mknod };
>
> Just for readability, it would be best to merge these into one line.
> Just a little nitpick. :)

DOH!

>
> > #Rules for proc filesystem
> > allow loadndis_t proc_t:dir { r_dir_perms };
> > allow loadndis_t proc_t:file { r_file_perms };
>
> Another readability thing, you don't need the braces around r_dir_perms
> and r_file_perms, as these are macros, and they already provide braces.
> So the ones you have are redundant.

Thanks for the help Chris.

Ryan

>
> --
> Chris PeBenito
> Tresys Technology, LLC
> (410) 290-1411 x150
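For reference, here is the loadndis.te fragment as it would look with the least-privilege device rules, merged capability line and brace-free macros that the thread settles on. This is an added illustration, not code posted by either Ryan or Chris; it assumes the old example-policy macro names (rw_file_perms, r_dir_perms, r_file_perms) and attributes (device_type, dev_fs) that the thread itself uses.

```selinux
# Added illustration (not from the thread): loadndis.te with the
# least-privilege device-node rules discussed above. Assumes the old
# example-policy macros and attributes referenced in the thread.

# Private type for the device nodes loadndis creates.
type loadndis_device_t, device_type, dev_fs;

# Only the directory permissions needed to add and remove a node in /dev,
# instead of the much broader rw_dir_perms on device_t.
allow loadndis_t device_t:dir { search write add_name remove_name };

# loadndis_t may only open nodes of its own type, not arbitrary device_t
# nodes. create/unlink also rely on CAP_MKNOD (below) and the dir rule above.
allow loadndis_t loadndis_device_t:chr_file { read create unlink ioctl };

# Creation-time default label: a chr_file that loadndis_t creates inside a
# device_t directory is created as loadndis_device_t. This does not relabel
# nodes that already exist; those keep their current type.
type_transition loadndis_t device_t:chr_file loadndis_device_t;

# The specific pre-existing nodes it still needs, addressed by their own
# types rather than through a blanket device_t rule.
allow loadndis_t null_device_t:chr_file rw_file_perms;
allow loadndis_t console_device_t:chr_file rw_file_perms;

# Capabilities merged into a single rule.
allow loadndis_t self:capability { sys_tty_config mknod };

# The *_perms macros already expand to a braced set, so no extra braces.
allow loadndis_t proc_t:dir r_dir_perms;
allow loadndis_t proc_t:file r_file_perms;
```

The file_type_auto_trans macro from the thread bundles the same type_transition with broader allow rules; the explicit form above keeps the allowed set visible and minimal.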