Re: package review?

Michael Thomas wrote:
Daniel J Walsh wrote:
Michael Thomas wrote:

A few packages (game server daemons) that I maintain in Fedora Extras
would benefit from having a selinux security policy available.  But
since I'm new to writing selinux policies, I was hoping that someone
from f-s-l could take a peek at what I did and let me know if I've done
things correctly and in the 'recommended' way.

I've already tested the policy on FC5 to make sure that it works and
produces no 'avc denied' messages:

http://www.kobold.org/~wart/fedora/crossfire-1.9.1-2.src.rpm

I wasn't sure exactly which networking rules I would need.  Most of the
ones there were generated by policygentool.  I also couldn't figure out
why some of the rules at the end of crossfire.te were necessary.

Thanks in advance!

--Mike
------------------------------------------------------------------------

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Please attach the te, fc and if files.

They are in the src.rpm, but I realize that's not the easiest way to
pass them around.  Here are direct links:

http://www.kobold.org/~wart/fedora/crossfire.fc
http://www.kobold.org/~wart/fedora/crossfire.if
http://www.kobold.org/~wart/fedora/crossfire.te

I would not define crossfire_static_data_t, unless this is data you do not want other confined domains to read. You can just let it use usr_t and give the application the ability to read usr_t.
files_read_usr_files(crossfire_t)

I do not like adding additional file_contexts unless the domain needs to write. Up until now, I think you are better off leaving read only files with the default context. (This might change as we move to more RBAC support).

allow crossfire_t port_t:udp_socket send_msg;
allow crossfire_t port_t:tcp_socket name_bind;
You need to define a port for this socket and only allow name_bind to that port


allow crossfire_t bin_t:file getattr;
allow crossfire_t bin_t:dir search;
Should use corecmd_getattr_bin_files(crossfire_t)
corecmd_search_bin(crossfire_t)



allow crossfire_t proc_t:dir search;
allow crossfire_t sysctl_t:dir search;
allow crossfire_t sysctl_kernel_t:dir search;
allow crossfire_t sysctl_kernel_t:file read;
Should use
kernel_read_kernel_sysctls(crossfire_t)

allow crossfire_t devpts_t:chr_file {read write};
Probably want to dontaudit
term_dontaudit_use_generic_ptys(crossfire_t)



allow crossfire_t proc_t:file {getattr read};
Should use
kernel_read_system_state(crossfire_t)


If you are generating these additional AVC rules using audit2allow, use -R to attempt to find the reference policy macros to use.

Macros are available in the /usr/share/selinux/devel/include directory.

--Mike
------------------------------------------------------------------------
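
The review above pairs groups of raw allow rules with reference policy interfaces and objects to name_bind on the generic port_t. As an added example (not part of the thread, and not the policy author's or reviewer's code), the sketch below applies those same pairings to a .te fragment; the function names are hypothetical, and the mapping table is transcribed from this review rather than from the interface definitions.

```python
import re
from collections import defaultdict

# Interface -> raw rules it replaces, transcribed from the review in this
# thread (an assumption of this example, not the interfaces' full expansion).
SUGGESTIONS = {
    "corecmd_getattr_bin_files": {("bin_t", "file", "getattr")},
    "corecmd_search_bin": {("bin_t", "dir", "search")},
    "kernel_read_kernel_sysctls": {
        ("proc_t", "dir", "search"), ("sysctl_t", "dir", "search"),
        ("sysctl_kernel_t", "dir", "search"), ("sysctl_kernel_t", "file", "read")},
    "term_dontaudit_use_generic_ptys": {  # swaps the allow for a dontaudit
        ("devpts_t", "chr_file", "read"), ("devpts_t", "chr_file", "write")},
    "kernel_read_system_state": {
        ("proc_t", "file", "getattr"), ("proc_t", "file", "read")},
}
ALLOW_RE = re.compile(r"\ballow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")

def parse_allow_rules(te_text):
    """Return {domain: {(target, class, perm)}} with {a b} sets expanded."""
    rules = defaultdict(set)
    text = re.sub(r"#.*", "", te_text)  # drop comments to end of line
    for domain, target, tclass, perms in ALLOW_RE.findall(text):
        for perm in perms.strip("{}").split():
            rules[domain].add((target, tclass, perm))
    return rules

def review(te_text):
    """List suggested interface calls and port findings per source domain."""
    findings = []
    for domain, have in sorted(parse_allow_rules(te_text).items()):
        # Suggest an interface only when every rule it stands for is present.
        findings += [f"{m}({domain})" for m, need in SUGGESTIONS.items() if need <= have]
        for target, tclass, perm in sorted(have):
            if target == "port_t" and perm == "name_bind":
                findings.append(f"{domain}: {tclass} name_bind on generic port_t")
    return findings

# Sample input: a subset of the raw rules quoted in the review above.
SAMPLE_TE = """
allow crossfire_t port_t:udp_socket send_msg;
allow crossfire_t port_t:tcp_socket name_bind;
allow crossfire_t proc_t:dir search;
allow crossfire_t sysctl_t:dir search;
allow crossfire_t sysctl_kernel_t:dir search;
allow crossfire_t sysctl_kernel_t:file read;
allow crossfire_t devpts_t:chr_file {read write};
"""
print("\n".join(review(SAMPLE_TE)))
```

A port_t finding means the bind rule should name a port type defined for the daemon, as the review asks; the script only reports it and does not choose the port.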

