-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/10/2014 11:13 AM, David Hampton wrote:
> Hi all,
>
> I'm trying to (re)learn SELinux, and spent the last day or two writing a
> policy for the fwknopd service, starting with a skeleton generated by
> selinux-polgengui. I was hoping that someone here could take a look at it
> and suggest anywhere I can make improvements to the policy. This is a
> learning exercise for me, so any comments are welcome. Thanks.
>
> David
>
> ========== fwknopd.fc =========
> etc/fwknop(/.*)? gen_context(system_u:object_r:fwknopd_etc_t,s0)

Missing /?

> /usr/lib/systemd/system/fwknopd.service -- gen_context(system_u:object_r:fwknopd_unit_file_t,s0)
>
> /usr/sbin/fwknopd -- gen_context(system_u:object_r:fwknopd_exec_t,s0)
>
> /var/run/fwknop(/.*)? -- gen_context(system_u:object_r:fwknopd_var_run_t,s0)
>
> ========== fwknopd.te =========
>
> policy_module(fwknopd, 1.0.0)
>
> ########################################
> #
> # Declarations
> #
>
> type fwknopd_t;
> type fwknopd_exec_t;
> init_daemon_domain(fwknopd_t, fwknopd_exec_t)
>
> #permissive fwknopd_t;
>
> type fwknopd_etc_t;
> files_config_file(fwknopd_etc_t)
>
> type fwknopd_unit_file_t;
> systemd_unit_file(fwknopd_unit_file_t)
>
> type fwknopd_var_run_t;
> files_pid_file(fwknopd_var_run_t)
>
> type fwknopd_port_t;
> corenet_port(fwknopd_port_t)
>
> ########################################
> #
> # fwknopd local policy
> #
> allow fwknopd_t self:capability { setuid };
> allow fwknopd_t self:process { fork signal_perms };
> allow fwknopd_t self:fifo_file rw_fifo_file_perms;
> allow fwknopd_t self:unix_stream_socket create_stream_socket_perms;
>
> #
> # Only need to read config files.
> #
> read_files_pattern(fwknopd_t, fwknopd_etc_t, fwknopd_etc_t)
>
> #
> # Create (/var)/run/fwknop directory, and manage files within that
> # directory.
> #
> files_create_var_run_dirs(fwknopd_t)
> files_pid_filetrans(fwknopd_t, fwknopd_var_run_t, dir)
> manage_files_pattern(fwknopd_t, fwknopd_var_run_t, fwknopd_var_run_t)
>
> #
> # All client messages are read via pcap. Server only needs enough
> # permission to create a TCP socket and bind to it, but not permission
> # to read or write. It doesn't need any UDP permissions at all.
> #
> kernel_read_network_state(fwknopd_t)
> allow fwknopd_t self:capability net_raw;
> allow fwknopd_t self:packet_socket create_socket_perms;
> allow fwknopd_t self:tcp_socket create_stream_socket_perms;
> allow fwknopd_t fwknopd_port_t:tcp_socket name_bind;
>
> #
> # Uses system() to exec other programs, mainly xiptables-multi and gpg
> # family.
> #
> corecmd_exec_shell(fwknopd_t)
> # read /proc/meminfo
> # provides access to generic files in /proc
> kernel_read_system_state(fwknopd_t)
> iptables_domtrans(fwknopd_t)
>
> #
> # GPG support
> #
> optional_policy(`
>     gen_require(`
>         type gpg_secret_t;
>     ')

This is not necessary. My goal when writing new policy is to never have a
gen_require block in a te file.

>     corecmd_exec_bin(fwknopd_t)
>     gpg_domtrans(fwknopd_t)
>
>     # App stats /root/.gnupg before running
>     userdom_search_admin_dir(fwknopd_t)
>     gpg_list_user_secrets(fwknopd_t)
> ')
>
> #
> # Provided by selinux-polgengui
> #
> domain_use_interactive_fds(fwknopd_t)
> auth_use_nsswitch(fwknopd_t)
> logging_send_syslog_msg(fwknopd_t)
> miscfiles_read_localization(fwknopd_t)
>
> ============== end ============
>
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>

Looks good.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlLQHbEACgkQrlYvE4MpobO/HACgiLcioLZYgDatzJiF/L8ZDypr
OCsAoNu8ZM12IaR9c8iYtAJNsf86dVZe
=tJcM
-----END PGP SIGNATURE-----
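The two points raised in the reply above (an fc path regex without its leading slash, and a gen_require block inside a .te file) are easy to catch before a module is ever built. The following is an added example and is not code from this thread, from the reviewer, or from the fwknop project: a small Python linter that parses .fc entries and scans .te text. The embedded sample policy text is constructed to mirror the posted files; the function names lint_fc and lint_te, and the extra check for a "--" file-type flag on a "(/.*)?" directory-tree pattern (which leaves the directory itself unlabeled by that entry, since "--" matches regular files only), are my own additions.

```python
"""Lint SELinux .fc and .te sources for common policy-writing mistakes.

Added example (not from the mailing-list thread or the fwknop project).
The sample inputs below are constructed to resemble the posted policy.
"""
import re

# One file_contexts entry: <path regex> [<file type>] <gen_context(...)|<<none>>>
FC_LINE = re.compile(
    r"^(?P<path>\S+)"
    r"(?:\s+(?P<ftype>-[-bcdlps]))?"
    r"\s+(?P<ctx>gen_context\([^)]*\)|<<none>>)\s*$"
)

# Constructed sample mirroring the posted fwknopd.fc (first line lacks its '/').
SAMPLE_FC = """\
etc/fwknop(/.*)?                          gen_context(system_u:object_r:fwknopd_etc_t,s0)
/usr/lib/systemd/system/fwknopd.service   --  gen_context(system_u:object_r:fwknopd_unit_file_t,s0)
/usr/sbin/fwknopd                         --  gen_context(system_u:object_r:fwknopd_exec_t,s0)
/var/run/fwknop(/.*)?                     --  gen_context(system_u:object_r:fwknopd_var_run_t,s0)
"""

# Constructed sample mirroring the GPG block of the posted fwknopd.te.
SAMPLE_TE = """\
optional_policy(`
    gen_require(`
        type gpg_secret_t;
    ')
    gpg_domtrans(fwknopd_t)
')
"""


def lint_fc(text):
    """Return a list of (line_number, message) findings for .fc text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if not m:
            findings.append((lineno, "unparseable file_contexts entry"))
            continue
        path, ftype = m.group("path"), m.group("ftype")
        # file_contexts regexes are anchored at the filesystem root.
        if not path.startswith("/"):
            findings.append((lineno, "path regex does not start with '/'"))
        # '--' matches regular files only, so the directory named by the
        # pattern would not be relabeled by this entry.
        if ftype == "--" and "(/.*)?" in path:
            findings.append((lineno, "'--' on a directory-tree pattern leaves the directory unlabeled"))
    return findings


def lint_te(text):
    """Return a list of (line_number, message) findings for .te text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if re.match(r"\s*gen_require\s*\(", raw):
            findings.append((lineno, "gen_require in a .te file; call an interface instead"))
    return findings


if __name__ == "__main__":
    for name, result in (("fwknopd.fc", lint_fc(SAMPLE_FC)),
                         ("fwknopd.te", lint_te(SAMPLE_TE))):
        for lineno, msg in result:
            print(f"{name}:{lineno}: {msg}")
```

Run it against the real files with `lint_fc(open("fwknopd.fc").read())` and `lint_te(open("fwknopd.te").read())`; an empty list means nothing was flagged. The linter is a pre-check only, not a substitute for building the module and running restorecon.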