Hi,
I am a newbie to SELinux. I have enabled SELinux in enforcing mode.
Based on the audit logs, I have run the audit2allow tool to generate the custom policy modules.
Here is the content of the ".te" file. Please let me know if there are any security issues in the module below.
========================================================================
cat Custom_stage_watch.te
module Custom_stage_watch 1.0;

# Types and classes this module references.  Every allow rule below was
# produced by audit2allow from AVC denials, so each one records an access
# that was attempted and blocked -- not an access that is known to be safe.
# Several denials look like mislabeled files rather than missing policy;
# those are marked NOTE(review) on the rule.
require {
    type certwatch_t;
    type fixed_disk_device_t;
    type httpd_t;
    type httpd_tmp_t;
    type initrc_tmp_t;
    type local_login_t;
    type logrotate_t;
    type memory_device_t;
    type nfs_t;
    type sendmail_t;
    type sshd_t;
    type user_home_dir_t;
    type user_tmp_t;
    type usr_t;
    type var_t;

    class blk_file read;
    class chr_file { read write };
    class dir { add_name create getattr open read remove_name rmdir search write };
    class file { append create execute execute_no_trans getattr open read rename setattr unlink write };
}

#============= certwatch_t ==============
# NOTE(review): read-only, so low risk, but a var_t file being read under
# /var usually means the file is mislabeled; relabeling (restorecon) is the
# cleaner fix than a permanent allow.
allow certwatch_t var_t:file { getattr open read };

#============= httpd_t ==============
# Generated hint: this access can be enabled with the boolean 'httpd_tmp_exec'.
# NOTE(review): lets the web server execute files in its own temp
# directory, i.e. a location it can also write to.  Leave it off unless an
# application genuinely needs it; if it does, the boolean is preferable to
# a hard-coded rule because it can be switched back off.
allow httpd_t httpd_tmp_t:file execute;

# Generated hint: covered by one of the booleans httpd_use_nfs /
# httpd_enable_homedirs.
# NOTE(review): this is read plus full write access (create, rename,
# unlink, rmdir) to NFS-mounted content.  The boolean is the supported
# switch and keeps the access visible in 'getsebool'; a custom allow hides it.
allow httpd_t nfs_t:dir { getattr open read search };
allow httpd_t nfs_t:dir { add_name create remove_name rmdir write };
allow httpd_t nfs_t:file { create open rename setattr unlink };

# Generated hint: covered by one of the booleans httpd_read_user_content /
# httpd_enable_homedirs.
allow httpd_t user_home_dir_t:dir getattr;
allow httpd_t user_tmp_t:dir read;

# NOTE(review): the highest-risk rule in this module.  It lets httpd_t
# create, write to, append to and execute files labeled usr_t (the label
# normally carried by /usr), and execute_no_trans runs them inside httpd_t
# itself.  A compromised web application could then modify or plant
# executables under /usr.  The denial almost certainly comes from web
# content that should not be labeled usr_t; label the directory httpd
# writes to with an httpd content type (e.g. httpd_sys_rw_content_t for
# writable content) instead of keeping this rule.
allow httpd_t usr_t:file { append create execute execute_no_trans write };

# NOTE(review): read-only; most likely another mislabeled file under /var.
allow httpd_t var_t:file { getattr open read };

#============= local_login_t ==============
# NOTE(review): a login daemon reading a file from an init-script temp
# directory is unusual; identify the file behind the denial before keeping
# this (see the matching sshd_t rule below).
allow local_login_t initrc_tmp_t:file { open read };

#============= logrotate_t ==============
# Generated hint: logrotate_t can already write to 'dir' of these types:
# varnishlog_log_t, var_lock_t, tmp_t, logrotate_var_lib_t, logrotate_tmp_t,
# logfile, named_cache_t, acct_data_t, var_spool_t, var_lib_t,
# abrt_var_cache_t, var_log_t, mailman_log_t
# NOTE(review): logrotate creating, renaming and deleting files labeled
# usr_t means a log directory lives under /usr or is mislabeled.  Label
# that directory var_log_t (one of the types listed above) rather than
# granting logrotate write access to /usr.
allow logrotate_t usr_t:dir { add_name remove_name write };
allow logrotate_t usr_t:file { create rename setattr unlink write };

#============= sendmail_t ==============
# NOTE(review): raw read access to disk block devices (fixed_disk_device_t)
# and read AND write access to memory devices (memory_device_t) are not
# something a mail transfer agent needs.  Data reached through these
# devices bypasses normal file permissions, so these two rules would
# largely undo the confinement of sendmail_t.  Treat the denials as
# something to investigate (which process, which device, why) rather than
# something to allow.
allow sendmail_t fixed_disk_device_t:blk_file read;
allow sendmail_t memory_device_t:chr_file { read write };

#============= sshd_t ==============
# NOTE(review): same pattern as local_login_t above; probably mislabeling.
allow sshd_t initrc_tmp_t:file { getattr open read };
===============================================================================================
Regards
Ramkumar Raghavan