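Hi all, I'm trying to (re)learn SELinux, and spent the last day or two writing a policy for the fwknopd service, starting with a skeleton generated by selinux-polgengui. I was hoping that someone here could take a look at it and suggest anywhere I can make improvements to the policy. This is a learning exercise for me, so any comments are welcome. Thanks. David
========== fwknopd.fc =========
# File-context specs are anchored regexes over the full path: the
# original "etc/fwknop(/.*)?" lacked the leading "/" and never matched,
# so the config directory was left with the generic etc_t label.
/etc/fwknop(/.*)?				gen_context(system_u:object_r:fwknopd_etc_t,s0)
/usr/lib/systemd/system/fwknopd.service	--	gen_context(system_u:object_r:fwknopd_unit_file_t,s0)
/usr/sbin/fwknopd			--	gen_context(system_u:object_r:fwknopd_exec_t,s0)
# No "--" on this spec: it must also label the /var/run/fwknop directory
# itself (relabel/restorecon), not only regular files beneath it.  The
# files_pid_filetrans() in the .te only covers the dir when fwknopd
# creates it at runtime.
/var/run/fwknop(/.*)?				gen_context(system_u:object_r:fwknopd_var_run_t,s0)
========== fwknopd.te =========
policy_module(fwknopd, 1.0.0)

########################################
#
# Declarations
#

type fwknopd_t;
type fwknopd_exec_t;
init_daemon_domain(fwknopd_t, fwknopd_exec_t)
#permissive fwknopd_t;

type fwknopd_etc_t;
files_config_file(fwknopd_etc_t)

type fwknopd_unit_file_t;
systemd_unit_file(fwknopd_unit_file_t)

type fwknopd_var_run_t;
files_pid_file(fwknopd_var_run_t)

# A loadable module cannot carry a portcon statement, so declaring the
# port type is only half the job: after the module is loaded the
# administrator has to assign the listening port to it, e.g.
#   semanage port -a -t fwknopd_port_t -p tcp <PORT>
# Until that is done the name_bind rule below matches no port at all.
type fwknopd_port_t;
corenet_port(fwknopd_port_t)

########################################
#
# fwknopd local policy
#

# NOTE(review): if setuid is here for dropping privileges at startup,
# setgid is normally needed alongside it -- confirm against AVC denials
# rather than adding it speculatively.
allow fwknopd_t self:capability { setuid };
allow fwknopd_t self:process { fork signal_perms };
allow fwknopd_t self:fifo_file rw_fifo_file_perms;
allow fwknopd_t self:unix_stream_socket create_stream_socket_perms;

#
# Only need to read config files.  read_files_pattern() also grants
# search on the fwknopd_etc_t directory, so no extra dir rule is needed.
#
read_files_pattern(fwknopd_t, fwknopd_etc_t, fwknopd_etc_t)

#
# Create (/var)/run/fwknop directory, and manage files within that
# directory.
#
files_create_var_run_dirs(fwknopd_t)
files_pid_filetrans(fwknopd_t, fwknopd_var_run_t, dir)
manage_files_pattern(fwknopd_t, fwknopd_var_run_t, fwknopd_var_run_t)

#
# All client messages are read via pcap (packet_socket plus net_raw).
# The TCP socket is only created and bound.  Note that
# create_stream_socket_perms expands to create_socket_perms plus
# listen/accept, and create_socket_perms includes rw_socket_perms, so
# the rule below DOES grant read and write on the socket.  If the daemon
# truly never reads or writes it, narrow this to an explicit permission
# set once the minimal set has been confirmed in permissive mode
# (TODO); it is kept as generated here so as not to break a working
# setup.  It doesn't need any UDP permissions at all.
#
# kernel_read_network_state(fwknopd_t)
allow fwknopd_t self:capability net_raw;
allow fwknopd_t self:packet_socket create_socket_perms;
allow fwknopd_t self:tcp_socket create_stream_socket_perms;
allow fwknopd_t fwknopd_port_t:tcp_socket name_bind;
# bind() is checked against the node as well as the port: name_bind on
# the port type alone is not sufficient, node_bind is needed too.
corenet_tcp_bind_generic_node(fwknopd_t)

#
# Uses system() to exec other programs, mainly xiptables-multi and gpg
# family.  The shell runs in fwknopd_t itself (no transition); only the
# iptables binary transitions into its own domain via iptables_domtrans.
#
corecmd_exec_shell(fwknopd_t)

# read /proc/meminfo
# provides access to generic files in /proc
kernel_read_system_state(fwknopd_t)

iptables_domtrans(fwknopd_t)

#
# GPG support.  The gpg_* interfaces carry their own requires, so the
# whole optional block is dropped automatically when the gpg module is
# not present; the previous gen_require(type gpg_secret_t;) was never
# referenced inside the block and has been removed.
#
optional_policy(`
	corecmd_exec_bin(fwknopd_t)
	gpg_domtrans(fwknopd_t)
	# App stats /root/.gnupg before running
	userdom_search_admin_dir(fwknopd_t)
	gpg_list_user_secrets(fwknopd_t)
')

#
# Provided by selinux-polgengui
#
domain_use_interactive_fds(fwknopd_t)
# auth_use_nsswitch() is deliberately broad (it includes the network and
# socket access the NSS backends need).  Keep it only if fwknopd really
# resolves users or hosts through NSS; otherwise it is surplus privilege.
auth_use_nsswitch(fwknopd_t)
logging_send_syslog_msg(fwknopd_t)
miscfiles_read_localization(fwknopd_t)
============== end ============
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux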