On Mon, Dec 14, 2009 at 04:50:15PM -0800, David Highley wrote:
> "David Highley wrote:"
> > "Dominick Grift wrote:"
> > > On Mon, Dec 14, 2009 at 10:25:08AM -0800, David Highley wrote:
> > > > "Dominick Grift wrote:"
> > > > > On Mon, Dec 07, 2009 at 12:01:09PM +0000, Moray Henderson (ICT) wrote:
> > > > > > James Carter wrote:
> > > > > > > Dan's example used Refpolicy interfaces. Interfaces are very useful and
> > > > > > > provide a better layer of abstraction, but they are just m4 macros,
> > > > > > > which have always been used in SELinux policy.
> > > > > > >
> > > > > > > Interfaces should be used as much as possible, but it is not true that
> > > > > > > you can't mix the old and new ways.
> > > > > >
> > > > > > Mixing the plain rules and the m4 macros didn't work when I tried it - but
> > > > > > perhaps I just wasn’t writing it right. Is there a Refpolicy tutorial
> > > > > > anywhere?
> > > > >
> > > > > I spent a little time today writing about the policy structure in Fedora.
> > > > > Maybe it can help you or others:
> > > > >
> > > > > http://82.197.205.60/~dgrift/stuff/Managing_a_SELinux_environment_with_Fedora_12.pdf
> > > >
> > > > Still have not mastered this one yet. Here is the policy file created by
> > > > grep of /var/log/audit/audit.log file piped to audit2allow:
> > > >
> > > > module mysshdfilter 1.0;
> > > >
> > > > require {
> > > > 	type var_run_t;
> > > > 	type iptables_exec_t;
> > > > 	type bin_t;
> > > > 	type sshd_t;
> > > > 	type iptables_t;
> > > > 	class lnk_file read;
> > > > 	class file { read getattr open execute execute_no_trans };
> > > > 	class fifo_file { read write ioctl getattr };
> > > > }
> > > >
> > > > #============= iptables_t ==============
> > > > allow iptables_t bin_t:lnk_file read;
> > > > allow iptables_t self:fifo_file { read write ioctl getattr };
> > >
> > > echo "policy_module(newiptables, 1.0.0)" > newuiptables.te
> > > echo "optional_policy(\`" >> newiptables.te
> > > echo "gen_require(\'" >> newiptables.te
> > > echo "type iptables_t;" >> newiptables.te
> > > echo "')" >> newiptables.te
> > > echo "corecmd_read_bin_symlinks(iptables_t)" >> newiptables.te
> > > echo "allow iptables_t self:fifo_file rw_fifo_file_perms;" >> newiptables.te
> > > echo "')" >> newiptables.te
> > >
> > > make -f /usr/share/selinux/devel/Makefile newiptables.pp
>
> Running the make for the above file ended up in an infinite loop
> outputting:
> myiptables.te:2: Warning: deprecated use of module name () as first
> parameter of optional_policy() block.

There's a syntax error or two:

> > > echo "policy_module(newiptables, 1.0.0)" > newuiptables.te

echo "policy_module(newiptables, 1.0.0)" > newiptables.te

> > > echo "gen_require(\'" >> newiptables.te

echo "gen_require(\`" >> newiptables.te

> > > sudo semodule -i newiptables.pp
> > >
> > > > #============= sshd_t ==============
> > > > allow sshd_t iptables_exec_t:file { read execute open execute_no_trans };
> > >
> > > echo "policy_module(newsshd, 1.0.0)" > newsshd.te
> > > echo "optional_policy(\`" >> newsshd.te
> > > echo "gen_require(\`" >> newsshd.te
> > > echo "type sshd_t;" >> newsshd.te
> > > echo "')" >> newsshd.te
> > > echo "iptables_domtrans(sshd_t)" >> newsshd.te
> > > echo "')" >> newsshd.te
> > >
> > > make -f /usr/share/selinux/devel/Makefile newsshd.pp
> > > sudo semodule -i newsshd.pp
> > >
> > > > allow sshd_t var_run_t:file getattr;
> > >
> > > This one is a bit more complicated because I don't know for sure what
> > > created it (in what context does sshdfilter run?)
> >
> > I also meant to ask if all three policy changes (mysshdfilter.pp,
> > newiptables.pp and newsshd.pp) are needed?
>
> <trimmed audit log entries>
> > > > > >
> > > > > > Moray.
> > > > > > "To err is human. To purr, feline"
> > > > > >
> > > > > > --
> > > > > > fedora-selinux-list mailing list
> > > > > > fedora-selinux-list@xxxxxxxxxx
> > > > > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
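One way to script the two modules from this thread without the echo-quoting pitfalls, as an added example that is not Dominick's or the refpolicy project's code: the .te bodies are the ones from the thread, while write_iptables_te, write_sshd_te, check_te and build_and_install are names made up here, and the quote-balance check is a simple heuristic of my own.

```shell
# Added example (not from the thread): write the two refpolicy modules
# discussed above with heredocs instead of chained echo, and lint the m4
# quoting before handing the .te files to the refpolicy devel Makefile.

# Write newiptables.te; inside a quoted heredoc ` and ' need no escaping.
write_iptables_te() {   # $1 = output path
    cat > "$1" <<'EOF'
policy_module(newiptables, 1.0.0)
optional_policy(`
	gen_require(`
		type iptables_t;
	')
	corecmd_read_bin_symlinks(iptables_t)
	allow iptables_t self:fifo_file rw_fifo_file_perms;
')
EOF
}

# Write newsshd.te: sshd_t gets a domain transition into iptables_t
# instead of the raw execute_no_trans rule audit2allow proposed.
write_sshd_te() {       # $1 = output path
    cat > "$1" <<'EOF'
policy_module(newsshd, 1.0.0)
optional_policy(`
	gen_require(`
		type sshd_t;
	')
	iptables_domtrans(sshd_t)
')
EOF
}

# Lint a .te file: line 1 must be policy_module(...), and every m4 opening
# quote (`) needs a closing quote ('); a stray gen_require(' as in the thread
# unbalances the optional_policy() block so m4 no longer parses it as intended.
check_te() {            # $1 = .te path; returns 0 when OK, 1 otherwise
    head -n 1 "$1" | grep -q '^policy_module(' ||
        { echo "$1: line 1 is not policy_module(...)" >&2; return 1; }
    opens=$(tr -cd '`' < "$1" | wc -c | tr -d ' ')
    closes=$(tr -cd "'" < "$1" | wc -c | tr -d ' ')
    [ "$opens" -eq "$closes" ] ||
        { echo "$1: $opens m4 opening quotes but $closes closing" >&2; return 1; }
}

# Lint, build and load one module (needs the selinux-policy-devel Makefile).
build_and_install() {   # $1 = module name without .te
    check_te "$1.te" && make -f /usr/share/selinux/devel/Makefile "$1.pp" &&
        sudo semodule -i "$1.pp"
}
```

check_te counts every ` and ' in the file, so an apostrophe inside a # comment is reported as an unbalanced quote; keep comments plain or extend the check before relying on it.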