Re: Selinux > Hipl

["Justin P. Mattock" <justinmattock@xxxxxxxxx>]

On 12/05/09 02:06, Frank Murphy (Frankly3D) wrote:
> On 05/12/09 09:42, Manuel Wolfshant wrote:
> --snip--
>
> > And once we (that is you :) ) have a correct policy,
>
> Does this look ok?
>
> audit2allow -M myhipd01 < /var/log/audit/audit.log
>
> module myhipd01 1.0;
>
> require {
> type unconfined_t;
> type ifconfig_t;
> type unconfined_java_t;
> type chrome_sandbox_t;
> type root_t;
> type admin_home_t;
> type null_device_t;
> type iptables_t;
> type abrt_t;
> type initrc_t;
> type ftp_port_t;
> type var_lock_t;
> type xauth_t;
> type device_t;
> type setroubleshootd_t;
> type wine_t;
> type rpm_var_cache_t;
> type rpcd_t;
> type system_mail_t;
> type plymouthd_t;
> class capability sys_ptrace;
> class netlink_ip6fw_socket { read write };
> class process execmem;
> class memprotect mmap_zero;
> class netlink_firewall_socket { read write };
> class chr_file unlink;
> class netlink_xfrm_socket { read write };
> class tcp_socket name_connect;
> class file { read write };
> class rawip_socket { read write };
> class netlink_route_socket { read write };
> class udp_socket { read write };
> class dir { write remove_name create };
> role system_r;
> role unconfined_r;
> }
>
> #============= abrt_t ==============
> allow abrt_t ftp_port_t:tcp_socket name_connect;
> allow abrt_t rpm_var_cache_t:dir create;
>
> #============= chrome_sandbox_t ==============
> allow chrome_sandbox_t self:capability sys_ptrace;
>
> #============= ifconfig_t ==============
> allow ifconfig_t initrc_t:netlink_route_socket { read write };
> allow ifconfig_t initrc_t:netlink_xfrm_socket { read write };
> allow ifconfig_t initrc_t:udp_socket { read write };
> allow ifconfig_t var_lock_t:file { read write };
>
> #============= iptables_t ==============
> allow iptables_t initrc_t:netlink_firewall_socket { read write };
> allow iptables_t initrc_t:netlink_ip6fw_socket { read write };
> allow iptables_t initrc_t:rawip_socket { read write };
> allow iptables_t initrc_t:udp_socket { read write };
> allow iptables_t var_lock_t:file { read write };
>
> #============= plymouthd_t ==============
> allow plymouthd_t device_t:dir { write remove_name };
> allow plymouthd_t null_device_t:chr_file unlink;
>
> #============= setroubleshootd_t ==============
> allow setroubleshootd_t device_t:file write;
>
> #============= system_mail_t ==============
> allow system_mail_t root_t:dir write;
>
> #============= unconfined_t ==============
> allow unconfined_t self:process execmem;
>
> #============= wine_t ==============
> allow wine_t self:memprotect mmap_zero;
>
> #============= xauth_t ==============
> allow xauth_t admin_home_t:file { write read };
> #============= ROLES ==============
> role system_r types unconfined_java_t;
> role unconfined_r types rpcd_t;

sure.. now install your binary!!

Justin P. Mattock

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list