Re: Optional policy block on some macros

Guys,

sorry for the late reply.


> >>tunable_policy(`foreman_proxy_manage_dhcp', `
> >>   dhcpd_admin(foreman_proxy_t, system_r)
> >>   netutils_exec_ping(foreman_proxy_t)
> >>   netutils_domtrans_ping(foreman_proxy_t)
> >You would not have both of these within the same block.
> >netutils_domtrans_ping implies netutils_exec_ping.
> >You probably want this on all the time.

I see. Our domain spawns ping when verifying if a given IP address is
not live. My goal is to execute the ping in its ping_t domain. So is my
understanding correct I only need to have:

  netutils_domtrans_ping(foreman_proxy_t)

> >What types does foreman have to manage under dhcpd?  We probably need to
> >add interfaces for this.

We do read its configuration (/etc/dhcp) and read leases files. To do
DHCP reservations, we call the omshell utility to do the changes. I see
that omshell has bin_t on RHEL6.

> You would need to re-write
> 
> dhcpd_admin()
> 
> interface. It's caused by
> 
> init_labeled_script_domtrans()
> 
> where we use
> 
> typeattribute $1 initrc_transition_domain;

Ok I will do this and rewrite it without the typeattribute then.

> Is this on RHEL7? You don't need to have it in RHEL7 because of
> systemd. We should probably re-write/fix this
> init_t/initrc_t/unconfined_services_t concept in Fedora22.

We support both RHEL6 and RHEL7. I am using the conditionals approach
instead of git branches because we have just small bits which are
different in 6/7.

I'd appreciate if you can file a BZ for that (I am not really sure how
to word this :-) so I can link it in my policy as a comment. In future,
we can start using the modified _admin interface.

> If you use RHEL6, you need to write own _admin() interface to make it
> working with tunable statement.

Will do.

DHCP is not the only issue I have. We manage several services: TFTP,
DHCP, DNS and Puppet.

Here is my draft version of the policy (this is really a first cut):

https://gist.github.com/lzap/20cafaabee43f7906d66#file-foreman-proxy-te-L167

From line 167 I had to comment TFTP, DNS and DHCP because I hit the
same errors. Can you help me identify what needs to be done in
Fedora or backported to RHEL7 so we can use those admin interfaces?

For the TFTP case, we only read/write the TFTP contents.

For the DNS case, we read configuration files, zone files and use rndc
utility to modify DNS entries (which already has an _exec_t type).

I've already described the DHCP case.

I'd appreciate any comments. I plan to send my result for review once it
is finished. Thanks.

-- 
Later,
 Lukas #lzap Zapletal
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
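Added illustration (not from the gist or from the list reply): the shape a tunable-safe replacement for dhcpd_admin() could take, given the needs stated above. It keeps the ping transition unconditional and puts only plain allow rules inside the tunable, since a typeattribute statement cannot appear in a conditional block. The interface name foreman_proxy_dhcpd_manage is hypothetical; the dhcpd_etc_t, dhcpd_state_t types and corenet_tcp_connect_dhcpd_port interface are assumed to be the standard reference policy ones.

```m4
## Hypothetical fragment for foreman-proxy.if / foreman-proxy.te (added
## example). Assumes foreman_proxy_t and the foreman_proxy_manage_dhcp
## boolean are already declared in the module.

# Ping always runs in the dedicated ping_t domain, so this stays outside
# the tunable; netutils_domtrans_ping already implies netutils_exec_ping.
netutils_domtrans_ping(foreman_proxy_t)

# Narrow replacement for dhcpd_admin(): only what the proxy needs
# (config, leases, omshell connection). No init_labeled_script_domtrans()
# and therefore no "typeattribute $1 initrc_transition_domain", which is
# what breaks inside tunable_policy on RHEL6.
interface(`foreman_proxy_dhcpd_manage',`
	gen_require(`
		type dhcpd_etc_t, dhcpd_state_t;
	')

	# read /etc/dhcp (dhcpd.conf and includes)
	files_search_etc($1)
	read_files_pattern($1, dhcpd_etc_t, dhcpd_etc_t)
	read_lnk_files_pattern($1, dhcpd_etc_t, dhcpd_etc_t)

	# read the leases database under /var/lib/dhcpd
	files_search_var_lib($1)
	read_files_pattern($1, dhcpd_state_t, dhcpd_state_t)
')

tunable_policy(`foreman_proxy_manage_dhcp',`
	foreman_proxy_dhcpd_manage(foreman_proxy_t)

	# omshell (bin_t on RHEL6, so it runs in foreman_proxy_t itself)
	# changes reservations over OMAPI; only the port rule is conditional.
	# Assumption: the OMAPI port is labeled dhcpd_port_t on the target.
	corenet_tcp_connect_dhcpd_port(foreman_proxy_t)
')
```

The point to check when adapting this: everything inside the tunable_policy block must expand to allow/dontaudit rules only, so grep the expanded policy.conf for typeattribute or role statements before assuming a block is RHEL6-safe.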