Questions on creating policy

David Highley <dhighley@xxxxxxxxxxxxxxxxxxxxxxx> · Mon, 19 Jul 2010 09:58:30 -0700 (PDT)

"dhighley wrote:"
>From dhighley Mon Jul 19 08:00:52 2010
Subject: Questions on creating policy
To: selinux@xxxxxxxxxxxxxxxxxxxxxxx
Date: Mon, 19 Jul 2010 08:00:52 -0700 (PDT)
X-Mailer: ELM [version 2.5 PL8]
Content-Length: 2001      

Where do I find the information about how to translate from something
like this:
module rsyslod 1.0;

require {
        type syslogd_t;
        type var_run_t;
        class fifo_file { read write };
}

#============= syslogd_t ==============
allow syslogd_t var_run_t:fifo_file { read write };

and

module sshdfilter 1.0;

require {
        type syslogd_t;
        type var_run_t;
        class fifo_file { read write };
}

#============= syslogd_t ==============
allow syslogd_t var_run_t:fifo_file { read write };

Translation should be something like:
[root@redwood sshdfilter]# cat sshdfilter.fc
/etc/rc\.d/init\.d/sshdfilter --
gen_context(system_u:object_r:sshdfilter_initrc_exec_t, s0)
/etc/sshdfilterrc.* -- gen_context(system_u:object_r:sshdfilter_etc_t,
s0)
/usr/sbin/sshdfilter -- gen_context(system_u:object_r:sshdfilter_exec_t,
s0)

[root@redwood sshdfilter]# cat sshdfilter.te
policy_module(sshdfilter, 1.0.0)

type sshdfilter_t;
type sshdfilter_exec_t;
init_daemon_domain(sshdfilter_t, sshdfilter_exec_t)

type sshdfilter_initrc_exec_t;
init_script_file(sshdfilter_initrc_exec_t)

type sshdfilter_etc_t;
files_config_file(sshdfilter_etc_t)

dev_read_urand(sshdfilter_t)
corecmd_search_bin(sshdfilter_t)
miscfiles_read_localization(sshdfilter_t)

optional_policy(`
        iptables_domtrans(sshdfilter_t)
')

Dominick Grift helped with the above translations, but I would like to
know how to make the transformations.

In addition to the above question I would like to know if there is an
existing label type that I should use on a named pipe that would not
require policy modifications to be made to rsyslog. I'm working in the
context of getting the sshdfilter application packaged into a Fedora RPM
and using method of creating a named pipe for rsyslogd to write
information to that the sshdfilter can read. The location for the named
pipe may even be wrong when selinux labeling is considered,
/var/run/sshdfilter.fifo, but that seems to be where I see other named
pipes created.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux