On 05/29/2015 10:43 PM, George Karakougioumtzis wrote:
> As I manage a small VPS I wrote a simple daemon in Python to read the
> journal and email me anytime a service fails. The source code is located
> at https://github.com/gkarakou/systemd-mailify.
>
> As I currently have too many problems with SELinux enforcing on my
> desktop and I wouldn't make tests on the live system, I kindly request
> someone to review my SELinux policy module. All the app is doing is
> reading systemd-journal and name connects on SMTP ports. It reads its
> configuration from a file in etc (/etc/systemd-mailify.conf) and has a
> dedicated service file. The executable is located in /usr/bin and a pid
> file is written under /run.
> Here are the relevant parts.
>
> systemd-mailify.te
> #############################
> policy_module(systemd_mailify, 1.0)
>
> type systemd_mailify_t;
> type systemd_mailify_exec_t;
> type systemd_unit_file_t;
> type systemd_mailify_conf_t;
> type systemd_mailify_var_run_t;
> class tcp_socket name_connect;
>
> init_daemon_domain(systemd_mailify_t, systemd_mailify_exec_t)
>
> allow systemd_mailify_t systemd_mailify_conf_t : file rw_file_perms;
> allow systemd_mailify_t systemd_mailify_conf_t : lnk_file { getattr read };
> manage_files_pattern(systemd_mailify_t, systemd_mailify_var_run_t,
> systemd_mailify_var_run_t)
>
> files_config_file(systemd_mailify_conf_t);
> files_pid_file(systemd_mailify_var_run_t);
> files_read_etc_files(systemd_mailify_conf_t);
> files_search_etc(systemd_mailify_conf_t);

systemd_mailify_conf_t is an object type, which does not access any objects. You want to allow domain types to access it (you already have the correct rules above).

> files_pid_filetrans(systemd_mailify_t,systemd_mailify_var_run_t, { file });
>
> auth_use_nsswitch(systemd_mailify_t);
> logging_send_syslog_msg(systemd_mailify_t);
> miscfiles_read_localization(systemd_mailify_t);
> sysnet_dns_name_resolve(systemd_mailify_t);
> allow systemd_mailify_exec_t smtp_port_t:tcp_socket name_connect;

systemd_mailify_exec_t is again an object type, for the executable. You want to have

corenet_tcp_connect_smtp_port(systemd_mailify_t)

> corenet_tcp_sendrecv_all_if(systemd_mailify_exec_t);
> corenet_tcp_sendrecv_all_nodes(systemd_mailify_exec_t);
> corenet_tcp_sendrecv_all_ports(systemd_mailify_exec_t);
> corenet_all_recvfrom_unlabeled(systemd_mailify_exec_t);
> domain_use_interactive_fds(systemd_mailify_exec_t);

The same here: you use an object type instead of a subject (domain) type.

> #######################
>
> systemd-mailify.fc
> #######################
> /usr/bin/systemd-mailify.py -- gen_context(system_u:object_r:systemd_mailify_exec_t,s0)
> /etc/systemd-mailify.conf gen_context(system_u:object_r:systemd_mailify_conf_t,s0)
> /usr/lib/systemd/system/systemd-mailify.service gen_context(system_u:object_r:systemd_unit_file_t,s0)
> /run/systemd-mailify.pid gen_context(system_u:object_r:systemd_mailify_var_run_t,s0)
>
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

-- 
Miroslav Grepl
Software Engineering, SELinux Solutions
Red Hat, Inc.
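The mistake pointed out in the review, an object type (file or executable type) placed in the subject slot of a rule that needs the process domain, is mechanical enough to catch before the module is built. The following is an added example written for this thread; it is not code from the systemd-mailify project or from either poster. It parses the posted .te, treats every locally declared type that is not the first argument of init_daemon_domain() as an object type, flags allow rules and interface calls whose first argument is such a type, and rewrites them to use the domain; the raw name_connect rule on smtp_port_t is turned into the corenet_tcp_connect_smtp_port() call that the reply recommends. The DOMAIN_INTERFACES and OBJECT_INTERFACES tables are an assumed subset of refpolicy's interfaces covering only those used in this module (a real tool would derive them from the refpolicy interface files), and the posted .te is embedded as the input.

```python
"""Lint a refpolicy-style .te for object types used in a subject (domain) slot
and rewrite those rules. Added example for this review, not systemd-mailify code;
the interface tables are an assumed subset of refpolicy covering this module only."""
import re

# Interfaces whose first argument must be a domain (process type).
DOMAIN_INTERFACES = {
    "files_read_etc_files", "files_search_etc", "files_pid_filetrans",
    "manage_files_pattern", "auth_use_nsswitch", "logging_send_syslog_msg",
    "miscfiles_read_localization", "sysnet_dns_name_resolve",
    "corenet_tcp_connect_smtp_port", "corenet_tcp_sendrecv_all_if",
    "corenet_tcp_sendrecv_all_nodes", "corenet_tcp_sendrecv_all_ports",
    "corenet_all_recvfrom_unlabeled", "domain_use_interactive_fds"}
# Interfaces whose first argument is an object type being marked as a file type.
OBJECT_INTERFACES = {"files_config_file", "files_pid_file"}

TYPE_DECL = re.compile(r"^type\s+(\w+)\s*;")
DOMAIN_DECL = re.compile(r"^init_daemon_domain\(\s*(\w+)\s*,")
ALLOW = re.compile(r"^allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(.+?)\s*;?$")
CALL = re.compile(r"^(\w+)\(([^)]*)\)")
PORT_TYPE = re.compile(r"^(\w+)_port_t$")

# The .te as posted in the thread, used as the lint input.
TE = """
policy_module(systemd_mailify, 1.0)
type systemd_mailify_t;
type systemd_mailify_exec_t;
type systemd_unit_file_t;
type systemd_mailify_conf_t;
type systemd_mailify_var_run_t;
class tcp_socket name_connect;
init_daemon_domain(systemd_mailify_t, systemd_mailify_exec_t)
allow systemd_mailify_t systemd_mailify_conf_t : file rw_file_perms;
allow systemd_mailify_t systemd_mailify_conf_t : lnk_file { getattr read };
manage_files_pattern(systemd_mailify_t, systemd_mailify_var_run_t,
systemd_mailify_var_run_t)
files_config_file(systemd_mailify_conf_t);
files_pid_file(systemd_mailify_var_run_t);
files_read_etc_files(systemd_mailify_conf_t);
files_search_etc(systemd_mailify_conf_t);
files_pid_filetrans(systemd_mailify_t,systemd_mailify_var_run_t, { file });
auth_use_nsswitch(systemd_mailify_t);
logging_send_syslog_msg(systemd_mailify_t);
miscfiles_read_localization(systemd_mailify_t);
sysnet_dns_name_resolve(systemd_mailify_t);
allow systemd_mailify_exec_t smtp_port_t:tcp_socket name_connect;
corenet_tcp_sendrecv_all_if(systemd_mailify_exec_t);
corenet_tcp_sendrecv_all_nodes(systemd_mailify_exec_t);
corenet_tcp_sendrecv_all_ports(systemd_mailify_exec_t);
corenet_all_recvfrom_unlabeled(systemd_mailify_exec_t);
domain_use_interactive_fds(systemd_mailify_exec_t);
"""


def statements(te_text):
    """One logical statement per item; lines inside an open '(' are joined."""
    buf, depth = [], 0
    for line in (l.strip() for l in te_text.splitlines() if l.strip()):
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            yield " ".join(buf)
            buf, depth = [], 0
    if buf:
        yield " ".join(buf)


def lint(te_text):
    """Return (statement, reason) for each rule whose subject is an object type."""
    stmts = list(statements(te_text))
    domains = {m.group(1) for m in map(DOMAIN_DECL.match, stmts) if m}
    # Every locally declared type that is not a domain is an object type.
    objects = {m.group(1) for m in map(TYPE_DECL.match, stmts) if m} - domains
    findings = []
    for s in stmts:
        a, c = ALLOW.match(s), CALL.match(s)
        first = c.group(2).split(",")[0].strip() if c else None
        if a and a.group(1) in objects:
            findings.append((s, "allow source must be a domain"))
        elif c and c.group(1) in DOMAIN_INTERFACES and first in objects:
            findings.append((s, f"{c.group(1)}() takes a domain as its first argument"))
        elif c and c.group(1) in OBJECT_INTERFACES and first in domains:
            findings.append((s, f"{c.group(1)}() takes an object type, not a domain"))
    return findings


def suggest_fix(te_text):
    """Rewrite flagged rules to use the module's single domain. A raw name_connect
    allow on a refpolicy port type becomes the matching corenet_tcp_connect_<name>_port()
    call, following refpolicy's naming convention for the port types it defines."""
    stmts = list(statements(te_text))
    (domain,) = {m.group(1) for m in map(DOMAIN_DECL.match, stmts) if m}  # exactly one domain
    flagged = {s for s, _ in lint(te_text)}
    out = []
    for s in stmts:
        a = ALLOW.match(s) if s in flagged else None
        port = a and PORT_TYPE.match(a.group(2))
        if a and port and a.group(3) == "tcp_socket" and a.group(4) == "name_connect":
            out.append(f"corenet_tcp_connect_{port.group(1)}_port({domain})")
        elif a:
            out.append(s.replace(a.group(1), domain, 1))
        elif s in flagged and CALL.match(s).group(1) in DOMAIN_INTERFACES:
            out.append(re.sub(r"\(\s*\w+", f"({domain}", s, count=1))
        else:
            out.append(s)  # untouched, or an object interface that needs a human decision
    return "\n".join(out)


if __name__ == "__main__":
    for stmt, why in lint(TE):
        print(f"{why}: {stmt}")
    print("--- corrected module ---\n" + suggest_fix(TE))
```

Run as a script it reports eight findings (the two files_* calls on systemd_mailify_conf_t, the raw name_connect allow, and the five corenet_/domain_ calls on systemd_mailify_exec_t) and prints the module with every one of them rewritten against systemd_mailify_t; linting the rewritten text yields nothing. The check deliberately says nothing about the two files_*_file() calls, because handing an object type to those is exactly what they are for.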