On 04/13/2013 10:07 PM, Michael Ludvig wrote:
> Would that mean disabling (or making permissive) all "snmpd_t"? How do
> I do this in RHEL6? I would rather find a way to run unrestricted
> hpacucli from restricted snmpd_t though.
Hi,
there are files in the attachment defining a policy module, which sets
the type transition from snmpd_t to the new permissive type hpacucli_t
through /usr/sbin/hpacucli.
The usage is:
# ls test.te test.fc
test.fc test.te
# make -f /usr/share/selinux/devel/Makefile
...
# semodule -i test.pp
# restorecon -Rv /usr/sbin
Now you can run your settings and it should be apparent in AVCs that the
hpacucli script runs in its own context. Then you can add rules from
audit2allow output to the module and repeat the steps above to further
adjust the policy.
To remove the policy module:
# semodule -r hpacucli
I hope it will help.
M.
# test.fc: label the hpacucli binary so the transition in test.te can fire
/usr/sbin/hpacucli -- system_u:object_r:hpacucli_exec_t:s0
# test.te
policy_module(hpacucli, 1.0)
require {
	attribute domain;
	attribute exec_type;
	type snmpd_t;
	role system_r;
}
# Define new domain type
type hpacucli_t;
typeattribute hpacucli_t domain;
domain_type(hpacucli_t);
# Define file context for exec file
type hpacucli_exec_t;
typeattribute hpacucli_exec_t exec_type;
# Mark it as a file type so restorecon is allowed to put the label on the file
files_type(hpacucli_exec_t);
# Define type transition from snmpd_t through hpacucli_exec_t to hpacucli_t
domain_auto_trans(snmpd_t, hpacucli_exec_t, hpacucli_t);
allow hpacucli_t hpacucli_exec_t:file entrypoint;
role system_r types hpacucli_t;
# Make hpacucli_t a permissive domain: denials are logged as AVCs but not enforced
permissive hpacucli_t;
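For the "watch the AVCs, then add rules" step in the mail above, here is an added helper (not part of the mail or its attachments) that reads AVC records, keeps only those raised by the new hpacucli_t domain and folds them into allow rules of the form that goes into test.te, so each rule can be reviewed before it is added rather than pasted from audit2allow unseen. The sample records, the scsi_generic_device_t target and the permission names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original mail: review AVC denials raised by
# the permissive hpacucli_t domain and turn them into allow rules.

# Constructed sample records in the format ausearch -m avc prints;
# types and permissions are illustrative, not taken from a real system.
SAMPLE_AVCS='type=AVC msg=audit(1366000000.001:101): avc:  denied  { read } for  pid=1234 comm="hpacucli" name="sg0" dev="devtmpfs" ino=9001 scontext=system_u:system_r:hpacucli_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file
type=AVC msg=audit(1366000000.002:102): avc:  denied  { write } for  pid=1234 comm="hpacucli" name="sg0" dev="devtmpfs" ino=9001 scontext=system_u:system_r:hpacucli_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file
type=AVC msg=audit(1366000000.003:103): avc:  denied  { getattr } for  pid=1200 comm="snmpd" path="/usr/sbin/hpacucli" dev="sda1" ino=5555 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:hpacucli_exec_t:s0 tclass=file'

# avc_summary DOMAIN: read AVC records on stdin and print one line
# "scontext tcontext tclass perm" per distinct denial whose source
# domain (third field of scontext) is DOMAIN; other domains are dropped.
avc_summary() {
    awk -v dom="$1" '
        /avc: *denied/ {
            perms = ""; sc = ""; tc = ""; cls = ""
            if (match($0, /[{][^}]*[}]/)) perms = substr($0, RSTART + 1, RLENGTH - 2)
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "scontext") sc = kv[2]
                else if (kv[1] == "tcontext") tc = kv[2]
                else if (kv[1] == "tclass") cls = kv[2]
            }
            split(sc, parts, ":")
            if (parts[3] != dom) next
            n = split(perms, plist, " ")
            for (j = 1; j <= n; j++) print sc, tc, cls, plist[j]
        }' | sort -u
}

# avc_to_rules DOMAIN: fold the summary into one allow rule per
# (source type, target type, class), the shape used in test.te.
avc_to_rules() {
    avc_summary "$1" | awk '
        { split($1, s, ":"); split($2, t, ":")
          key = s[3] " " t[3] ":" $3
          perms[key] = perms[key] " " $4 }
        END { for (k in perms) printf "allow %s {%s };\n", k, perms[k] }' | sort
}

# Stand-alone run: rules the sample denials would call for in hpacucli_t.
printf '%s\n' "$SAMPLE_AVCS" | avc_to_rules hpacucli_t
```

On a live system, feed it with `ausearch -m avc -ts recent | avc_to_rules hpacucli_t`; the snmpd_t record is deliberately left out of the output because it belongs to the caller's domain, not to the new one.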
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux