"Dominick Grift wrote:" > > > --===============1862406356== > Content-Type: multipart/signed; micalg=pgp-sha1; > protocol="application/pgp-signature"; boundary="AhhlLboLdkugWU4S" > Content-Disposition: inline > > > --AhhlLboLdkugWU4S > Content-Type: text/plain; charset=us-ascii > Content-Disposition: inline > Content-Transfer-Encoding: quoted-printable > > On Mon, Dec 14, 2009 at 10:25:08AM -0800, David Highley wrote: > > "Dominick Grift wrote:" > > >=20 > > >=20 > > > --=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D0725889959=3D=3D > > > Content-Type: multipart/signed; micalg=3Dpgp-sha1; > > > protocol=3D"application/pgp-signature"; boundary=3D"uAKRQypu60I7Lcqm" > > > Content-Disposition: inline > > >=20 > > >=20 > > > --uAKRQypu60I7Lcqm > > > Content-Type: text/plain; charset=3Dutf-8 > > > Content-Disposition: inline > > > Content-Transfer-Encoding: quoted-printable > > >=20 > > > On Mon, Dec 07, 2009 at 12:01:09PM +0000, Moray Henderson (ICT) wrote: > > > > James Carter wrote: > > > > >Dan's example used Refpolicy interfaces. Interfaces are very useful= > and > > > > >provide a better layer of abstraction, but they are just m4 macros, > > > > >which have always been used in SELinux policy. > > > > > > > > > >Interfaces should be used as much as possible, but it is not true th= > at > > > > >you can't mix the old and new ways. > > > >=3D20 > > > > Mixing the plain rules and the m4 macros didn't work when I tried it = > - bu=3D > > > t perhaps I just wasn=3DE2=3D80=3D99t writing it right. Is there a Ref= > policy tut=3D > > > orial anywhere? > > >=20 > > > I spend a little time today writing about the policy structure in Fedor= > a. M=3D > > > aybe it can help you or others: > > >=20 > > > http://82.197.205.60/~dgrift/stuff/Managing_a_SELinux_environment_with_= > Fedo=3D > > > ra_12.pdf > >=20 > >=20 > > Still have not mastered this one yet. 
Here is the policy file created by > > grep of /var/log/audit/audit.log file piped to audit2allow: > >=20 > > module mysshdfilter 1.0; > >=20 > > require { > > type var_run_t; > > type iptables_exec_t; > > type bin_t; > > type sshd_t; > > type iptables_t; > > class lnk_file read; > > class file { read getattr open execute execute_no_trans }; > > class fifo_file { read write ioctl getattr }; > > } > >=20 > > #=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D iptables_t =3D=3D=3D=3D=3D=3D=3D= > =3D=3D=3D=3D=3D=3D=3D > > allow iptables_t bin_t:lnk_file read; > > allow iptables_t self:fifo_file { read write ioctl getattr }; > > echo "policy_module(newiptables, 1.0.0)" > newuiptables.te > echo "optional_policy(\`" >> newiptables.te > echo "gen_require(\'" >> newiptables.te > echo "type iptables_t;" >> newiptables.te > echo "')" >> newiptables.te > echo "corecmd_read_bin_symlinks(iptables_t)" >> newiptables.te > echo "allow iptables_t self:fifo_file rw_fifo_file_perms;" >> newiptables.te > echo "')" >> newiptables.te > > make -f /usr/share/selinux/devel/Makefile newiptables.pp > sudo semodule -i newiptables.pp > > >=20 > > #=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D sshd_t =3D=3D=3D=3D=3D=3D=3D=3D= > =3D=3D=3D=3D=3D=3D > > allow sshd_t iptables_exec_t:file { read execute open execute_no_trans }; > > echo "policy_module(newsshd, 1.0.0)" > newsshd.te > echo "optional_policy(\`" >> newsshd.te > echo "gen_require(\`" >> newsshd.te > echo "type sshd_t;" >> newsshd.te > echo "')" >> newsshd.te > echo "iptables_domtrans(sshd_t)" >> newsshd.te > echo "')" >> newsshd.te > > make -f /usr/share/selinux/devel/Makefile newsshd.pp > sudo semodule -i newsshd.pp > > > allow sshd_t var_run_t:file getattr; > > This one is a bit more complicated because i dont know for sure what create= > d it (in what context runs sshdfilter?) > >=20 I also ment to ask if all three policy; mysshdfilter.pp, newiptables.pp, and newsshd.pp; changes are needed? 
<trimmed audit log entries> > >=20 > > > >=3D20 > > > >=3D20 > > > > Moray. > > > > "To err is human. To purr, feline" > > > >=3D20 > > > >=3D20 > > > > -- > > > > fedora-selinux-list mailing list > > > > fedora-selinux-list@xxxxxxxxxx > > > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > > >=20 > > > --uAKRQypu60I7Lcqm > > > Content-Type: application/pgp-signature > > > Content-Disposition: inline > > >=20 > > > -----BEGIN PGP SIGNATURE----- > > > Version: GnuPG v1.4.10 (GNU/Linux) > > >=20 > > > iEYEARECAAYFAksdZWwACgkQMlxVo39jgT/olgCgwo9wvxeAyJG/gm4dEYHBIpGf > > > TNEAn2bFoQZeg8+gaYPIDuB0wxuu6N8F > > > =3DtNuu > > > -----END PGP SIGNATURE----- > > >=20 > > > --uAKRQypu60I7Lcqm-- > > >=20 > > >=20 > > > --=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D0725889959=3D=3D > > > Content-Type: text/plain; charset=3D"us-ascii" > > > MIME-Version: 1.0 > > > Content-Transfer-Encoding: 7bit > > > Content-Disposition: inline > > >=20 > > > -- > > > fedora-selinux-list mailing list > > > fedora-selinux-list@xxxxxxxxxx > > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > > > --=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D0725889959=3D=3D-- > > >=20 > >=20 > > -- > > fedora-selinux-list mailing list > > fedora-selinux-list@xxxxxxxxxx > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > > --AhhlLboLdkugWU4S > Content-Type: application/pgp-signature > Content-Disposition: inline > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.10 (GNU/Linux) > > iEYEARECAAYFAksmrEAACgkQMlxVo39jgT/UPwCfexQ3gHxMcD3IFrFCeLSmqrQK > 1wQAn1TK0UM7xl0MqMFwQbeBb6qr+cst > =b5GU > -----END PGP SIGNATURE----- > > --AhhlLboLdkugWU4S-- > > > --===============1862406356== > Content-Type: text/plain; charset="us-ascii" > MIME-Version: 1.0 > Content-Transfer-Encoding: 7bit > Content-Disposition: inline > > -- > fedora-selinux-list mailing list > fedora-selinux-list@xxxxxxxxxx > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > 
--===============1862406356==-- > -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
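The step Dominick performs by hand above, taking the raw `allow` rules that audit2allow prints and rewriting them as refpolicy interfaces (`corecmd_read_bin_symlinks`, `iptables_domtrans`, `rw_fifo_file_perms`) inside one `policy_module()` per source domain, can be scripted. The following Python is an added example and is not code from the thread or from the refpolicy project. It parses the audit2allow output quoted in the thread (embedded here as a constructed copy), emits one `.te` per source domain in the same `optional_policy`/`gen_require` shape as the echo commands, and handles the case Dominick could not resolve: a rule with no matching interface (`allow sshd_t var_run_t:file getattr`) is emitted commented out with a review note rather than granted. The `INTERFACE_MAP`/`PERMSET_MAP` tables and the `new<domain>` module naming are assumptions; extend the tables from the interfaces shipped under /usr/share/selinux/devel/include.

```python
"""Rewrite raw audit2allow output as refpolicy-style .te modules.

Added example; not code from the original thread.  The interface and
permission-set tables below are hand-built assumptions covering only
the rules that appear in the thread.
"""
import re
from collections import defaultdict

# Constructed copy of the audit2allow output quoted in the thread.
AUDIT2ALLOW_OUTPUT = """\
module mysshdfilter 1.0;

require {
	type var_run_t;
	type iptables_exec_t;
	type bin_t;
	type sshd_t;
	type iptables_t;
	class lnk_file read;
	class file { read getattr open execute execute_no_trans };
	class fifo_file { read write ioctl getattr };
}

#============= iptables_t ==============
allow iptables_t bin_t:lnk_file read;
allow iptables_t self:fifo_file { read write ioctl getattr };

#============= sshd_t ==============
allow sshd_t iptables_exec_t:file { read execute open execute_no_trans };
allow sshd_t var_run_t:file getattr;
"""

# allow <source> <target>:<class> <perm | { perms }>;
ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+([^\s:]+):(\S+)\s+(\{[^}]*\}|\S+)\s*;")

# Assumption: (target, class, perms) -> refpolicy interface; "{src}" is the
# source domain.  A real table would be generated from the installed headers.
INTERFACE_MAP = {
    ("bin_t", "lnk_file", frozenset({"read"})):
        "corecmd_read_bin_symlinks({src})",
    ("iptables_exec_t", "file",
     frozenset({"read", "execute", "open", "execute_no_trans"})):
        "iptables_domtrans({src})",
}
# Assumption: rules kept as allow rules, but with a refpolicy permission set.
PERMSET_MAP = {
    ("self", "fifo_file", frozenset({"read", "write", "ioctl", "getattr"})):
        "rw_fifo_file_perms",
}


def parse_allow_rules(text):
    """Return (source, target, class, frozenset(perms)) for every allow rule."""
    rules = []
    for line in text.splitlines():
        m = ALLOW_RE.match(line.strip())
        if m:
            src, tgt, cls, perms = m.groups()
            rules.append((src, tgt, cls, frozenset(perms.strip("{} ").split())))
    return rules


def format_rule(src, tgt, cls, perms):
    """Print a rule the way audit2allow does (braces only for several perms)."""
    p = next(iter(perms)) if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"
    return f"allow {src} {tgt}:{cls} {p};"


def translate(rules):
    """Group rules by source domain and map each one to refpolicy form.

    Unmapped rules are kept verbatim under "unmapped" so a human decides
    whether the access is wanted (least privilege: do not grant what you
    cannot explain).
    """
    out = defaultdict(lambda: {"interfaces": [], "allows": [], "unmapped": []})
    for src, tgt, cls, perms in rules:
        key = (tgt, cls, perms)
        if key in INTERFACE_MAP:
            out[src]["interfaces"].append(INTERFACE_MAP[key].format(src=src))
        elif key in PERMSET_MAP:
            out[src]["allows"].append((tgt, cls, PERMSET_MAP[key]))
        else:
            out[src]["unmapped"].append(format_rule(src, tgt, cls, perms))
    return dict(out)


def render_module(name, src, entry):
    """Render one policy_module() in the shape of the echo commands above."""
    # gen_require needs the source domain plus any non-self target we still
    # reference in a raw allow rule.
    types = [src] + sorted({t for t, _, _ in entry["allows"] if t != "self"})
    lines = [f"policy_module({name}, 1.0.0)", "", "optional_policy(`", "\tgen_require(`"]
    lines += [f"\t\ttype {t};" for t in types]
    lines += ["\t')", ""]
    lines += [f"\t{iface}" for iface in entry["interfaces"]]
    lines += [f"\tallow {src} {tgt}:{cls} {ps};" for tgt, cls, ps in entry["allows"]]
    for rule in entry["unmapped"]:
        lines.append("\t# REVIEW: no interface matched; find out what produced this AVC before granting it")
        lines.append(f"\t# {rule}")
    lines.append("')")
    return "\n".join(lines) + "\n"


def build_modules(text):
    """Return {module_name: te_source}, one module per source domain."""
    modules = {}
    for src, entry in translate(parse_allow_rules(text)).items():
        name = "new" + (src[:-2] if src.endswith("_t") else src)  # assumed naming
        modules[name] = render_module(name, src, entry)
    return modules


if __name__ == "__main__":
    for name, te in build_modules(AUDIT2ALLOW_OUTPUT).items():
        print(f"# {name}.te\n{te}")
```

Write each rendered module to `<name>.te` and build and load it exactly as in the thread (`make -f /usr/share/selinux/devel/Makefile <name>.pp` then `sudo semodule -i <name>.pp`). The commented-out `var_run_t` rule in `newsshd.te` is deliberate: it is the rule nobody in the thread could attribute to a known code path, so the module grants the explained accesses and leaves that one for a decision.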