On Thu, 2010-07-15 at 12:10 +0200, giovanni testing wrote:
> Hi,
>
> I've fixed it (thanks to "/sbin/ausearch -i | grep nano | grep avc"),
> and the allow lines needed are:
>
> allow MyPolicy_t bin_t:file entrypoint;

This is fine for testing purposes, but for real use, you only want
MyPolicy to have entrypoint permission to MyPolicy_exec_t, i.e. the
MyPolicy_t domain can only be entered by executing a program labeled
MyPolicy_exec_t. This can be done using the domain_entry_file()
interface.

> allow MyPolicy_t usr_t:file { read open };
>
> I think that the second one is not appropriate, because MyPolicy now
> can access to every "usr_t" file (but is only needed to access to
> "/usr/share/terminfo/x/xterm").
>
> To fix that, I'm thinking in a solution that I don't know if is
> possible: label the file "/usr/share/terminfo/x/xterm" with "xterm_t"
> instead of "usr_t", but maybe it can block other applications to use
> "/usr/share/terminfo/x/xterm", so the "xterm_t" needs to be equivalent
> to "usr_t". To do it I'm thinking to use an alias, but if is
> bidirectional it will be insecure again. As these lines can seem a bit
> confusing, there is a little scheme:
>
> I need:
> - "MyPolicy_t" can use "xterm_t"
> - "MyPolicy_t" cannot "usr_t"
> - Other policies continue being able to use
> "/usr/share/terminfo/x/xterm" while they allow use "usr_t" and they
> have not specified to allow "xterm_t".
>
> So accessing to "usr_t" needs to be able to access to "xterm_t", but
> accessing to "xterm_t" not needs to be able to access to "usr_t" (this
> is what I say that it not needs to be bidirectional).
> Maybe it can be
> done that way (putting the following lines instead the two before):
>
> allow MyPolicy_t bin_t:file entrypoint;
> allow usr_t xterm_t:file manage_file_perms;
> allow MyPolicy_t xterm_t:file { read open };

I would suggest introducing a generic terminfo_t type or similar for all
of the files under /usr/share/terminfo, and then allowing most or all
domains to read that type. That would need to be upstreamed to the main
policy as it modifies the type of a base system file.

The second allow rule is not what you want, as it doesn't mean anything
(no process runs in usr_t). You could however do:
allow domain terminfo_t:file read_file_perms;

-- 
Stephen Smalley
National Security Agency
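
The two suggestions in the reply above, written out as one reference-policy style module. This is an added example, not code from the thread or from the upstream policy. The module name mypolicy, the path /usr/bin/myprogram, the local declaration of terminfo_t and the dir and lnk_file rules are assumptions.

```selinux
# mypolicy.te -- added example; module name and paths are assumptions.
policy_module(mypolicy, 1.0.0)

gen_require(`
	attribute domain;
')

# Process domain and the only file type that may be used to enter it.
type MyPolicy_t;
type MyPolicy_exec_t;
domain_type(MyPolicy_t)

# Grants MyPolicy_t entrypoint on MyPolicy_exec_t only. This replaces
#   allow MyPolicy_t bin_t:file entrypoint;
# which let any bin_t program serve as an entry point into the domain.
domain_entry_file(MyPolicy_t, MyPolicy_exec_t)

# Dedicated type for everything under /usr/share/terminfo.
# Declared locally here for illustration; the reply notes that changing the
# label of a base system file belongs in the main policy.
type terminfo_t;
files_type(terminfo_t)

# Every domain may read terminfo entries. The rule from the reply:
allow domain terminfo_t:file read_file_perms;

# Assumption: the directories under /usr/share/terminfo are relabeled too,
# so domains also need to traverse them and follow any symlinks.
allow domain terminfo_t:dir list_dir_perms;
allow domain terminfo_t:lnk_file read_lnk_file_perms;

# With terminfo_t in place, MyPolicy_t no longer needs the broad rule
#   allow MyPolicy_t usr_t:file { read open };
# and the rule "allow usr_t xterm_t:file ..." is dropped: usr_t is a file
# type, no process runs in it, so it is never the source of an access.

# mypolicy.fc (separate file, shown here as comments):
#   /usr/bin/myprogram         --  gen_context(system_u:object_r:MyPolicy_exec_t,s0)
#   /usr/share/terminfo(/.*)?      gen_context(system_u:object_r:terminfo_t,s0)
#
# After loading the module, apply the new labels:
#   restorecon -Rv /usr/share/terminfo /usr/bin/myprogram
```

Other domains keep working because access is granted through the domain attribute rather than through any relationship between usr_t and the new type, which is the one-directional behaviour the original question asked for.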