Daniel J Walsh wrote:
> Michael Thomas wrote:
>> They are in the src.rpm, but I realize that's not the easiest way to
>> pass them around. Here are direct links:
>>
>> http://www.kobold.org/~wart/fedora/crossfire.fc
>> http://www.kobold.org/~wart/fedora/crossfire.if
>> http://www.kobold.org/~wart/fedora/crossfire.te
>>
>
> I would not define crossfire_static_data_t, unless this is data you do
> not want other confined domains reading. You can just let it use
> usr_t and give the application the ability to read usr_t.
> files_read_usr_files(crossfire_t)
> I do not like adding additional file_contexts unless the domain needs to
> write. Up until now, I think you are better off leaving
> read-only files with the default context. (This might change as we
> move to more RBAC support).

But this would also give the application read access to all of usr_t. If I put on my paranoia hat, then I'd want to make sure the application has limited read access as well as write access.

> allow crossfire_t port_t:udp_socket send_msg;
> allow crossfire_t port_t:tcp_socket name_bind;
> You need to define a port for this socket and only allow name_bind to
> that port

Ok. If the server admin changes the application's port (not likely), then they would need to update the policy as well, right?

> allow crossfire_t bin_t:file getattr;
> allow crossfire_t bin_t:dir search;
> Should use corecmd_getattr_bin_files(crossfire_t)
> corecmd_search_bin(crossfire_t)

Ok. I still need to track down why the application is trying to search here.

> allow crossfire_t proc_t:dir search;
> allow crossfire_t sysctl_t:dir search;
> allow crossfire_t sysctl_kernel_t:dir search;
> allow crossfire_t sysctl_kernel_t:file read;
> Should use
> kernel_read_kernel_sysctls(crossfire_t)

Ok. Does this mean I can remove the require { type sysctl_t; }; from the .te file? Or does kernel_read_kernel_sysctls() not perform this require{}?

> allow crossfire_t devpts_t:chr_file {read write};
> Probably want to dontaudit
> term_dontaudit_use_generic_ptys(crossfire_t)

This will disallow the action, but not generate the avc denied messages, right?

> allow crossfire_t proc_t:file {getattr read};
> Should use
> kernel_read_system_state(crossfire_t)

Ok.

> If you are generating these additional AVC rules using audit2allow, use
> -R to attempt to find the reference policy macros to use.

Ah, I didn't know that one.

Thanks for the help,

--Mike
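A .te module that applies the suggestions from this thread, added here as an illustration; it is not the crossfire policy linked above. It assumes a reference policy of this era that provides the corenet_port and corenet_tcp_bind_all_nodes interfaces, and the port number is a placeholder.

```selinux
## crossfire.te -- illustrative module, not the one from the src.rpm.
## Assumed: refpolicy interfaces named here exist in the installed
## policy; the actual port number is a placeholder.
policy_module(crossfire, 0.1)

type crossfire_t;
type crossfire_exec_t;
init_daemon_domain(crossfire_t, crossfire_exec_t)

# A dedicated port type instead of the generic port_t, so name_bind is
# limited to one label.  The number is not hard-wired in the module; the
# admin maps it to the type once with
#   semanage port -a -t crossfire_port_t -p tcp <PORT>    (placeholder)
# and moving the server to another port only means re-running that
# command with the new number, no policy rebuild needed.
type crossfire_port_t;
corenet_port(crossfire_port_t)

allow crossfire_t self:tcp_socket create_stream_socket_perms;
allow crossfire_t self:udp_socket create_socket_perms;
allow crossfire_t crossfire_port_t:tcp_socket name_bind;
# mirrors the thread's udp send_msg line, but scoped to our own port type
allow crossfire_t crossfire_port_t:udp_socket send_msg;
corenet_tcp_bind_all_nodes(crossfire_t)

# Reference-policy interfaces in place of the raw rules from audit2allow.
# Each interface carries its own gen_require block for the types it
# touches (sysctl_t, sysctl_kernel_t, proc_t, bin_t, devpts_t), so the
# module itself no longer needs a require { type sysctl_t; } stanza.
files_read_usr_files(crossfire_t)
corecmd_getattr_bin_files(crossfire_t)
corecmd_search_bin(crossfire_t)
kernel_read_kernel_sysctls(crossfire_t)
kernel_read_system_state(crossfire_t)

# dontaudit: the access is still denied, only the AVC message is
# suppressed, which keeps the audit log readable without widening policy.
term_dontaudit_use_generic_ptys(crossfire_t)
```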
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list