I'd like to correct some of my statements:

> For the TFTP case, we only read/write the TFTP contents.
>
> For the DNS case, we read configuration files, zone files and use the rndc
> utility to modify DNS entries (which already has an _exec_t type).

We use the nsupdate utility instead of rndc, which is apparently bin_t.

> I've already described the DHCP case:
> We do read its configuration (/etc/dhcp) and read lease files. To do
> DHCP reservations, we call the omshell utility to do the changes. I see
> that omshell has bin_t on RHEL6.

So unfortunately I will need to write rules for nsupdate and omshell from scratch, as I am unable to find interfaces. What is the best approach? Should I make a transition using a shell wrapper into my very own domains (nsupdate_t, omshell_t), or should I keep the foreman_proxy_t domain?

For the DHCP case, I've found out the _admin interface is not necessary at all. I was able to write something like:

    tunable_policy(`foreman_proxy_manage_dhcp_isc', `
        sysnet_read_dhcp_config(foreman_proxy_t)
        sysnet_search_dhcp_state(foreman_proxy_t)
        # omshell - XXX raise BZ to create omshell iface
        corenet_tcp_connect_dhcpd_port(foreman_proxy_t)
        corenet_udp_sendrecv_dhcpd_port(foreman_proxy_t)
        allow foreman_proxy_t self:unix_dgram_socket { create connect };
    ')

I think I will need to drop one more rule to allow dhcp_state_t reading (we do read lease files), but this should do it. I will take a similar approach for the DNS case.

--
Later,
Lukas #lzap Zapletal

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
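As an added illustration (not part of the post above, nor Foreman's own policy), here is how the tunable block from the message sits inside a complete foreman_proxy.te module, with the boolean declared, the lease-file read the post says is still missing, and a parallel tunable for the nsupdate case. Assumptions: foreman_proxy_t is declared in this same module, the boolean name foreman_proxy_manage_dns_bind is invented here, and lease files under /var/lib/dhcpd carry the dhcpd_state_t label (the post names dhcp_state_t; confirm with ls -Z before relying on either).

```selinux
policy_module(foreman_proxy, 0.1)

########################################
# Declarations

type foreman_proxy_t;
type foreman_proxy_exec_t;
init_daemon_domain(foreman_proxy_t, foreman_proxy_exec_t)

# Assumed label of /var/lib/dhcpd lease files; verify with ls -Z.
gen_require(`
	type dhcpd_state_t;
')

## <desc>
## <p>Allow foreman-proxy to manage ISC DHCP (config, leases, omshell).</p>
## </desc>
gen_tunable(foreman_proxy_manage_dhcp_isc, false)

## <desc>
## <p>Allow foreman-proxy to manage BIND zones via nsupdate (assumed name).</p>
## </desc>
gen_tunable(foreman_proxy_manage_dns_bind, false)

########################################
# Local policy

tunable_policy(`foreman_proxy_manage_dhcp_isc', `
	sysnet_read_dhcp_config(foreman_proxy_t)
	sysnet_search_dhcp_state(foreman_proxy_t)
	# lease files are read, never written, so read_files_pattern only
	read_files_pattern(foreman_proxy_t, dhcpd_state_t, dhcpd_state_t)
	# omshell - XXX raise BZ to create omshell iface
	corenet_tcp_connect_dhcpd_port(foreman_proxy_t)
	corenet_udp_sendrecv_dhcpd_port(foreman_proxy_t)
	allow foreman_proxy_t self:unix_dgram_socket { create connect };
')

tunable_policy(`foreman_proxy_manage_dns_bind', `
	# nsupdate is plain bin_t, so this grants every bin_t binary, not
	# just nsupdate; a dedicated exec type and domain would narrow it.
	corecmd_exec_bin(foreman_proxy_t)
	corenet_tcp_connect_dns_port(foreman_proxy_t)
	corenet_udp_sendrecv_dns_port(foreman_proxy_t)
	optional_policy(`
		bind_read_config(foreman_proxy_t)
		bind_read_zone(foreman_proxy_t)
	')
')
```

After building and loading the module, `sesearch -A -s foreman_proxy_t -b foreman_proxy_manage_dhcp_isc` lists exactly the rules gated by the boolean, which is the quickest way to confirm nothing leaked outside the tunable block.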