On 05/12/09 09:42, Manuel Wolfshant wrote: --snip--
And once we (that is you :) ) have a correct policy,
Does this look ok?
audit2allow -M myhipd01 < /var/log/audit/audit.log

# NOTE(review): the command above feeds the whole audit log to audit2allow, so
# this module turns every logged denial into an allow rule. It carries rules
# for ten unrelated source domains (abrt_t, chrome_sandbox_t, wine_t, xauth_t,
# ...). None of them is a domain named after the module; presumably the
# daemon currently runs as initrc_t -- confirm. Filtering the AVC records to
# the domain under study before generating would keep the module reviewable.
module myhipd01 1.0;

require {
	type unconfined_t;
	type ifconfig_t;
	type unconfined_java_t;
	type chrome_sandbox_t;
	type root_t;
	type admin_home_t;
	type null_device_t;
	type iptables_t;
	type abrt_t;
	type initrc_t;
	type ftp_port_t;
	type var_lock_t;
	type xauth_t;
	type device_t;
	type setroubleshootd_t;
	type wine_t;
	type rpm_var_cache_t;
	type rpcd_t;
	type system_mail_t;
	type plymouthd_t;
	class capability sys_ptrace;
	class netlink_ip6fw_socket { read write };
	class process execmem;
	class memprotect mmap_zero;
	class netlink_firewall_socket { read write };
	class chr_file unlink;
	class netlink_xfrm_socket { read write };
	class tcp_socket name_connect;
	class file { read write };
	class rawip_socket { read write };
	class netlink_route_socket { read write };
	class udp_socket { read write };
	class dir { write remove_name create };
	role system_r;
	role unconfined_r;
}

#============= abrt_t ==============
# Lets the crash reporter open outbound TCP connections to the FTP port type
# and create directories under the rpm cache type; unrelated to the module name.
allow abrt_t ftp_port_t:tcp_socket name_connect;
allow abrt_t rpm_var_cache_t:dir create;

#============= chrome_sandbox_t ==============
# Grants the ptrace capability to the sandbox domain itself.
allow chrome_sandbox_t self:capability sys_ptrace;

#============= ifconfig_t ==============
# NOTE(review): the target objects are sockets and a lock file labelled
# initrc_t / var_lock_t, not anything ifconfig opens itself. This looks like
# descriptors inherited from an initrc_t parent -- confirm against the raw AVCs.
# If so, the cleaner fixes are to close the descriptors in the parent or to use
# dontaudit, rather than allowing read/write on them.
allow ifconfig_t initrc_t:netlink_route_socket { read write };
allow ifconfig_t initrc_t:netlink_xfrm_socket { read write };
allow ifconfig_t initrc_t:udp_socket { read write };
allow ifconfig_t var_lock_t:file { read write };

#============= iptables_t ==============
# NOTE(review): same pattern as the ifconfig_t rules above (initrc_t-labelled
# sockets plus a var_lock_t file); presumably the same inherited descriptors.
allow iptables_t initrc_t:netlink_firewall_socket { read write };
allow iptables_t initrc_t:netlink_ip6fw_socket { read write };
allow iptables_t initrc_t:rawip_socket { read write };
allow iptables_t initrc_t:udp_socket { read write };
allow iptables_t var_lock_t:file { read write };

#============= plymouthd_t ==============
# Lets plymouthd remove entries from device_t directories and unlink a
# null_device_t character device.
allow plymouthd_t device_t:dir { write remove_name };
allow plymouthd_t null_device_t:chr_file unlink;

#============= setroubleshootd_t ==============
# NOTE(review): the target class is file, i.e. a regular file labelled
# device_t. Check what that file is before allowing writes to it.
allow setroubleshootd_t device_t:file write;

#============= system_mail_t ==============
# NOTE(review): write on a root_t directory for the mail domain; worth finding
# the path in the AVC before accepting this.
allow system_mail_t root_t:dir write;

#============= unconfined_t ==============
# execmem permits memory that is both writable and executable. Check whether
# an existing boolean already covers this before adding a custom rule.
allow unconfined_t self:process execmem;

#============= wine_t ==============
# mmap_zero permits mapping the lowest pages of the address space. The check
# exists to blunt kernel NULL-pointer dereference bugs, so grant it only to a
# domain that is known to need it.
allow wine_t self:memprotect mmap_zero;

#============= xauth_t ==============
# NOTE(review): read/write on admin_home_t files; may point at a mislabelled
# file in the admin home rather than a missing rule -- confirm the path.
allow xauth_t admin_home_t:file { write read };

#============= ROLES ==============
# These are role-to-type authorisations rather than permissions: they make
# unconfined_java_t valid under system_r and rpcd_t valid under unconfined_r.
# Review them separately from the allow rules.
role system_r types unconfined_java_t;
role unconfined_r types rpcd_t;

--
Regards,
Frank Murphy
UTF_8 Encoded.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list