On 04/03/2014 03:01 AM, William Brown wrote:
> Hi, I'm submitting a package for tayga to Fedora. I would like the SELinux
> policy attached to this reviewed.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1028206
>
> Policy attached. It has comments around parts I have queries and concerns
> about. Note that tayga will attempt to call /usr/sbin/ip, which is why the
> cmd transitions are in the policy.

There is no need to have its own private type for /etc/tayga if it is read-only.

Is net_admin caused by tayga? I believe it is caused by ifconfig.

Is there a unit file?

I attached reviewed policy files.
tayga.fc:

/usr/sbin/tayga		--	gen_context(system_u:object_r:tayga_exec_t,s0)
/var/run/tayga.*	--	gen_context(system_u:object_r:tayga_var_run_t,s0)
/var/db/tayga(/.*)?		gen_context(system_u:object_r:tayga_db_t,s0)
tayga.te:

policy_module(tayga, 1.0.0)

########################################
#
# Declarations
#

type tayga_t;
type tayga_exec_t;
init_daemon_domain(tayga_t, tayga_exec_t)

type tayga_var_run_t;
files_pid_file(tayga_var_run_t)

# Type for /var/db/tayga; the name must match the one used in tayga.fc
# (the attached version declared tayga_db_t but used tayga_var_db_t in
# the rules below, which would fail to build).
type tayga_db_t;
files_type(tayga_db_t)

########################################
#
# tayga local policy
#

# tayga opens a tun device for NAT64; relabelfrom/relabelto let it set the
# socket's own context.
allow tayga_t self:tun_socket { create_socket_perms relabelfrom relabelto };

manage_files_pattern(tayga_t, tayga_var_run_t, tayga_var_run_t)
files_pid_filetrans(tayga_t, tayga_var_run_t, file)

manage_dirs_pattern(tayga_t, tayga_db_t, tayga_db_t)
manage_files_pattern(tayga_t, tayga_db_t, tayga_db_t)

kernel_read_system_state(tayga_t)

corecmd_exec_shell(tayga_t)

corenet_rw_tun_tap_dev(tayga_t)

dev_read_rand(tayga_t)
dev_read_urand(tayga_t)

auth_use_nsswitch(tayga_t)

# /usr/sbin/ip is labelled ifconfig_exec_t, so this covers tayga's calls to
# ip: they run in ifconfig_t, which is where the net_admin capability is
# exercised, instead of being granted to tayga_t.
sysnet_domtrans_ifconfig(tayga_t)
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
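As an added example (mine, not code from the thread or from the Fedora policy), a small Python lint for the kind of slip a reviewer looks for in a module like this: the policy as posted declares tayga_db_t but its rules use tayga_var_db_t, so the /var/db/tayga label in the .fc would get no access rules and the module would not even build. The script embeds the posted .te and .fc as sample input, checks that every module-private type used in rules or in the .fc is declared, and reports declared types that no rule references. It only understands the simple `type X;` and `gen_context(...)` forms that appear here; that restriction is an assumption about the input, not a property of the policy toolchain.

```python
"""Consistency lint for a small SELinux module (a .te plus its .fc).

Checks that every module-private type used in the .te rules and every
type the .fc labels files with is declared, and that no declared type is
dead. The sample policy is the one posted in the thread, as posted
(it declares tayga_db_t but the rules use tayga_var_db_t).
"""
import re

# Policy text as posted in the thread, reflowed one statement per line.
TE_SRC = """\
policy_module(tayga, 1.0.0)
# Declarations
type tayga_t;
type tayga_exec_t;
init_daemon_domain(tayga_t, tayga_exec_t)
type tayga_var_run_t;
files_pid_file(tayga_var_run_t)
type tayga_db_t;
files_type(tayga_var_db_t)
# tayga local policy
allow tayga_t self:tun_socket { create_socket_perms relabelfrom relabelto };
manage_files_pattern(tayga_t, tayga_var_run_t, tayga_var_run_t)
files_pid_filetrans(tayga_t, tayga_var_run_t, file)
manage_dirs_pattern(tayga_t, tayga_var_db_t, tayga_var_db_t)
manage_files_pattern(tayga_t, tayga_var_db_t, tayga_var_db_t)
kernel_read_system_state(tayga_t)
corecmd_exec_shell(tayga_t)
corenet_rw_tun_tap_dev(tayga_t)
dev_read_rand(tayga_t)
dev_read_urand(tayga_t)
auth_use_nsswitch(tayga_t)
sysnet_domtrans_ifconfig(tayga_t)
"""

FC_SRC = """\
/usr/sbin/tayga      --  gen_context(system_u:object_r:tayga_exec_t,s0)
/var/run/tayga.*     --  gen_context(system_u:object_r:tayga_var_run_t,s0)
/var/db/tayga(/.*)?      gen_context(system_u:object_r:tayga_db_t,s0)
"""

MODULE_RE = re.compile(r"policy_module\(\s*([A-Za-z0-9_]+)\s*,")
# Matches 'type foo_t;' and 'type foo_t, some_attribute;'.
TYPE_DECL_RE = re.compile(r"^[ \t]*type\s+([A-Za-z0-9_]+)\s*(?:,[^;]*)?;", re.M)
CONTEXT_RE = re.compile(r"gen_context\(\s*([^,)\s]+)\s*,")


def strip_comments(src):
    """Drop everything after '#' on each line (policy comment syntax)."""
    return "\n".join(line.split("#", 1)[0] for line in src.splitlines())


def module_name(te):
    m = MODULE_RE.search(te)
    return m.group(1) if m else None


def declared_types(te):
    """Types declared with 'type X;' in the .te."""
    return set(TYPE_DECL_RE.findall(strip_comments(te)))


def referenced_types(te, prefix):
    """Module-private types (prefix..._t) that appear in rules, not declarations."""
    body = TYPE_DECL_RE.sub("", strip_comments(te))
    pat = r"\b(%s(?:_[A-Za-z0-9]+)*_t)\b" % re.escape(prefix)
    return set(re.findall(pat, body))


def fc_entries(fc):
    """(path regex, type) pairs from the .fc; the type is the third context field."""
    entries = []
    for line in strip_comments(fc).splitlines():
        line = line.strip()
        m = CONTEXT_RE.search(line)
        if not line or not m:
            continue
        entries.append((line.split()[0], m.group(1).split(":")[2]))
    return entries


def lint(te, fc):
    """Return findings grouped by check (.te undeclared, .fc undeclared, dead)."""
    declared = declared_types(te)
    used = referenced_types(te, module_name(te))
    labelled = {t for _, t in fc_entries(fc)}
    findings = []
    findings += ["undeclared type %s used in .te" % t for t in sorted(used - declared)]
    findings += ["undeclared type %s used in .fc" % t for t in sorted(labelled - declared)]
    findings += ["type %s declared but no rule references it" % t
                 for t in sorted(declared - used)]
    return findings


if __name__ == "__main__":
    for finding in lint(TE_SRC, FC_SRC) or ["policy consistent"]:
        print(finding)
```

Run against the posted text it reports the undeclared tayga_var_db_t and the dead tayga_db_t; once the .te uses one name consistently (matching the .fc) it reports nothing. Types from other modules reached through interfaces (ifconfig_exec_t via sysnet_domtrans_ifconfig, for example) are deliberately out of scope, which is why the check is limited to the module's own prefix.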