Michael Thomas wrote:
Daniel J Walsh wrote:
Michael Thomas wrote:
They are in the src.rpm, but I realize that's not the easiest way to
pass them around. Here are direct links:
http://www.kobold.org/~wart/fedora/crossfire.fc
http://www.kobold.org/~wart/fedora/crossfire.if
http://www.kobold.org/~wart/fedora/crossfire.te
I would not define crossfire_static_data_t, unless this is data you do
not want other confined domains to read. You can just let it use
usr_t and give the application the ability to read usr_t.
files_read_usr_files(crossfire_t)
I do not like adding additional file_contexts unless the domain needs to
write. Up until now, I think you are better off leaving
read only files with the default context. (This might change as we
move to more RBAC support).
But this would also give the application read access to all of usr_t.
If I put on my paranoia hat, then I'd want to make sure the application
has limited read access as well as write access.
That is fine, but most likely there is nothing secret in /usr that has a
usr_t context, so you are adding
complexity for little gain in security.
allow crossfire_t port_t:udp_socket send_msg;
allow crossfire_t port_t:tcp_socket name_bind;
You need to define a port for this socket and only allow name_bind to
that port
Ok. If the server admin changes the application's port (not likely),
then they would need to update the policy as well, right?
Users can modify ports using "semanage port" so that is not a problem.
allow crossfire_t bin_t:file getattr;
allow crossfire_t bin_t:dir search;
Should use corecmd_getattr_bin_files(crossfire_t)
corecmd_search_bin(crossfire_t)
Ok. I still need to track down why the application is trying to search
here.
It is probably looking for itself?
allow crossfire_t proc_t:dir search;
allow crossfire_t sysctl_t:dir search;
allow crossfire_t sysctl_kernel_t:dir search;
allow crossfire_t sysctl_kernel_t:file read;
Should use
kernel_read_kernel_sysctls(crossfire_t)
Ok. Does this mean I can remove the require { type sysctl_t; }; from
the .te file? Or does the kernel_read_kernel_sysctls() not perform this
require{}?
Yes the macros have all the appropriate requires in them.
allow crossfire_t devpts_t:chr_file {read write};
Probably want to dontaudit
term_dontaudit_use_generic_ptys(crossfire_t)
This will disallow the action, but not generate the avc denied messages,
right?
Yes
allow crossfire_t proc_t:file {getattr read};
Should use
kernel_read_system_state(crossfire_t)
Ok.
If you are generating these additional AVC rules using audit2allow, use
-R to attempt to find the reference policy macros to use.
Ah, I didn't know that one.
Thanks for the help,
--Mike
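Added illustration, not Mike's crossfire.te and not something Dan posted: the raw allow rules quoted in the thread rewritten with the reference policy interfaces Dan names, plus a dedicated port type so name_bind is no longer granted on the generic port_t. The domain/entrypoint declarations, the name crossfire_port_t, the corenet interfaces used for the network side, and the port number 13327 are assumptions made for the example.

```selinux
policy_module(crossfire, 1.0)

########################################
# Declarations (assumed scaffolding; the thread only shows the allow rules)

type crossfire_t;
type crossfire_exec_t;
init_daemon_domain(crossfire_t, crossfire_exec_t)

# Dedicated port type so name_bind is limited to crossfire's own port
# instead of every port labelled port_t.  The port number is not fixed
# in policy; the admin attaches it with "semanage port" (see below).
type crossfire_port_t;
corenet_port(crossfire_port_t)

########################################
# Local policy

# Read-only data under /usr keeps the default usr_t label (no extra
# file_contexts entry for a crossfire_static_data_t); just read usr_t.
files_read_usr_files(crossfire_t)

# Was:  allow crossfire_t port_t:tcp_socket name_bind;
#       allow crossfire_t port_t:udp_socket send_msg;
# (corenet interface choice is an assumption for this example)
corenet_tcp_bind_generic_node(crossfire_t)
allow crossfire_t crossfire_port_t:tcp_socket name_bind;
corenet_udp_sendrecv_generic_port(crossfire_t)

# Was:  allow crossfire_t bin_t:file getattr;
#       allow crossfire_t bin_t:dir search;
corecmd_getattr_bin_files(crossfire_t)
corecmd_search_bin(crossfire_t)

# Was:  allow crossfire_t proc_t:dir search;
#       allow crossfire_t sysctl_t:dir search;
#       allow crossfire_t sysctl_kernel_t:dir search;
#       allow crossfire_t sysctl_kernel_t:file read;
# The interface carries its own require{} block, so the .te needs no
# "require { type sysctl_t; };" of its own.
kernel_read_kernel_sysctls(crossfire_t)

# Was:  allow crossfire_t proc_t:file { getattr read };
kernel_read_system_state(crossfire_t)

# Was:  allow crossfire_t devpts_t:chr_file { read write };
# Access stays denied, but the denial no longer produces an avc message.
term_dontaudit_use_generic_ptys(crossfire_t)
```

With the module loaded, the port is bound to the new type at runtime rather than in the policy source, so a changed listening port needs no rebuild: `semanage port -a -t crossfire_port_t -p tcp 13327` (13327 is assumed here as the server's port; substitute the configured one). Further denials can be turned into interface calls instead of raw rules with `audit2allow -R` fed from `/var/log/audit/audit.log`, as Dan suggests; the output is a starting point to review, not something to load unread.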
------------------------------------------------------------------------
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list