Re: Add SELinux protection to Pure-FTPd

Aurelien Bompard wrote:
> Stephen Smalley wrote:
> > policy_module(pureftpd, 1.0) is preferred syntax going forward.
> > If you use policy_module() macro, you'll get the kernel class and
> > permission requires as part of it, so you won't need to explicitly
> > specify them each time.
>
> Yay! Done that.
>
> > Does it truly need write access?  The library always tries to open rw
> > first, then falls back to read-only if it cannot open rw, so even just
> > reading utmp will show up in avc messages as a rw attempt.   Try just
> > allowing read, and dontaudit'ing the write permission.
>
> That's right, it only needs read access. I've added:
> init_read_utmp(ftpd_t)
> init_dontaudit_write_utmp(ftpd_t)
> to the module (picked from the policy sources)
>
> > Macros aka interfaces are preferred, as they preserve
> > modularity/encapsulation and thus make your module more portable to
> > other base policies.
>
> OK. I'll use sysnet_use_ldap to allow LDAP access then.
>
> > I don't think you want to put it in /usr/share/selinux/targeted (as that
> > could conflict in the future with the policy package), but I would
> > suggest putting it under /usr/share/selinux/<packagename> or similar to
> > keep all policy modules under that selinux tree, unless that also
> > presents some kind of conflict problem?
>
> Looks good to me, except I've placed it
> in /usr/share/selinux/packages/<packagename> to avoid the base and targeted
> dirs being buried under a ton of packages dirs in the future.

I've been trying to take this sort of approach with a package I'm developing. Two issues concern me at the moment:

1. I build the policy module from te/fc/if files during the package's "build" script. I get output like this:

+ /usr/bin/make -C SELinux -f /usr/share/selinux/devel/Makefile
make: Entering directory `/nis-home/phowarth/BUILD/BUILD/contagged-0.3/SELinux'
Compiling targeted contagged module
/usr/bin/checkmodule:  loading policy configuration from tmp/contagged.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 5) to tmp/contagged.mod
Creating targeted contagged.pp policy package
make: Leaving directory `/nis-home/phowarth/BUILD/BUILD/contagged-0.3/SELinux'

This suggests to me that the resulting contagged.pp module is specific to the targeted policy (which I'm running on the host system), so it would presumably not work with other policies. Is that right? So would it be better to build and install the policy at package install time rather than package build time? Or could there be separate modules for each policy? If so, how would they be built?

2. A mock build fails, presumably because mock does not mount /selinux?

+ /usr/bin/make -C SELinux -f /usr/share/selinux/devel/Makefile
cat: /selinux/mls: No such file or directory
make: Entering directory `/builddir/build/BUILD/contagged-0.3/SELinux'
/usr/share/selinux/devel/Makefile:14: /usr/share/selinux/targeted/include/Makefile: No such file or directory
make: *** No rule to make target `/usr/share/selinux/targeted/include/Makefile'. Stop.
make: Leaving directory `/builddir/build/BUILD/contagged-0.3/SELinux'
error: Bad exit status from /var/tmp/rpm-tmp.42152 (%build)

This also suggests that install-time module building is needed, at least for anything intending to go into Fedora Extras, where mock is used for the buildsystem. I guess that would present a problem if the admin of the system wanted to change to a different policy - the module would have to be rebuilt somehow.

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
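
The open-rw-then-fall-back-to-read-only behaviour described in the quoted advice about utmp can be recognised in the audit log before write access is granted. The following is an added example, not code from the thread or from the SELinux project: it assumes enforcing mode (so the denied rw open is followed by a read-only retry), and the audit records, pid and inode values, file names and the `initrc_var_run_t` / `etc_t` target types are constructed for illustration.

```python
import re

# Matches the fields of an AVC denial that identify who asked for what on which object.
AVC = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+pid=(?P<pid>\d+) .*?'
    r'name="?(?P<name>[^" ]+)"? .*?ino=(?P<ino>\d+) .*?'
    r'scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<cls>\S+)')

def _avc(perms, name, ino, ttype):
    """Build one constructed AVC record (sample data, not real log output)."""
    return (f'type=AVC msg=audit(1146000000.000:1): avc:  denied  {{ {perms} }} for  '
            f'pid=2101 comm="pure-ftpd" name="{name}" dev=dm-0 ino={ino} '
            f'scontext=system_u:system_r:ftpd_t:s0 '
            f'tcontext=system_u:object_r:{ttype}:s0 tclass=file')

SAMPLE = [
    _avc("read write", "utmp", 1234, "initrc_var_run_t"),  # rw open attempt
    _avc("read", "utmp", 1234, "initrc_var_run_t"),        # read-only retry
    _avc("read write", "example.db", 5678, "etc_t"),       # rw, no retry seen
    "type=SYSCALL msg=audit(1146000000.000:1): arch=40000003 syscall=5",
]

def find_rw_fallbacks(lines):
    """Return (source_type, target_type, name) for every object on which the
    same process was denied a read-write open and then a read-only one.
    Such objects are candidates for allowing read and dontaudit'ing write."""
    wanted_rw, findings = set(), []
    for line in lines:
        m = AVC.search(line)
        if not m:
            continue  # not an AVC denial
        perms = set(m["perms"].split())
        key = (m["pid"], m["ino"], m["cls"])
        if {"read", "write"} <= perms:
            wanted_rw.add(key)
        elif perms == {"read"} and key in wanted_rw:
            hit = (m["s"].split(":")[2], m["t"].split(":")[2], m["name"])
            if hit not in findings:
                findings.append(hit)
    return findings

if __name__ == "__main__":
    for src, tgt, name in find_rw_fallbacks(SAMPLE):
        print(f"{src} -> {tgt} ({name}): rw denial followed by read-only retry")
```

A match is a hint rather than proof: the write request still has to be checked against what the program actually does with the file before it is silenced with a dontaudit rule.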
