Miroslav, thanks for the answer. So if I understand correctly, the transition from systemd_mailify_t to systemd_mailify_exec_t happens only once and I don't have to allow systemd_mailify_exec_t access to anything, right?

And since I want to allow systemd_mailify_t to open and read the systemd journal, I would allow it like that?

allow systemd_mailify_t var_log_t:file { read open };

And is my updated policy correct?

systemd-mailify.te
#############################
policy_module(systemd_mailify, 1.0)

# Types and classes that are declared elsewhere in the policy have to be
# required here, not re-declared in this module.
gen_require(`
	type var_log_t;
	type systemd_unit_file_t;
	class tcp_socket name_connect;
	class file { read open };
')

type systemd_mailify_t;
type systemd_mailify_exec_t;
type systemd_mailify_conf_t;
type systemd_mailify_var_run_t;

init_daemon_domain(systemd_mailify_t, systemd_mailify_exec_t)

allow systemd_mailify_t systemd_mailify_conf_t : file rw_file_perms;
allow systemd_mailify_t var_log_t:file { open read };
manage_files_pattern(systemd_mailify_t, systemd_mailify_var_run_t, systemd_mailify_var_run_t)

files_config_file(systemd_mailify_conf_t);
files_pid_file(systemd_mailify_var_run_t);
files_pid_filetrans(systemd_mailify_t, systemd_mailify_var_run_t, { file });

auth_use_nsswitch(systemd_mailify_t);
logging_send_syslog_msg(systemd_mailify_t);
sysnet_dns_name_resolve(systemd_mailify_t);
corenet_tcp_connect_smtp_port(systemd_mailify_t)
corenet_tcp_sendrecv_all_if(systemd_mailify_t);
corenet_tcp_sendrecv_all_nodes(systemd_mailify_t);
corenet_all_recvfrom_unlabeled(systemd_mailify_t);
domain_use_interactive_fds(systemd_mailify_t);

On 06/01/2015 12:33 PM, Miroslav Grepl wrote:
> On 05/29/2015 10:43 PM, George Karakougioumtzis wrote:
>> As I manage a small VPS, I wrote a simple daemon in Python to read the
>> journal and email me any time a service fails. The source code is located
>> at https://github.com/gkarakou/systemd-mailify.
>>
>> As I currently have too many problems with SELinux enforcing on my
>> desktop and I wouldn't make tests on the live system, I kindly request
>> someone to review my SELinux policy module. All the app is doing is
>> reading the systemd journal and name-connecting on SMTP ports. It reads its
>> configuration from a file in etc (/etc/systemd-mailify.conf) and has a
>> dedicated service file. The executable is located in /usr/bin and a pid
>> file is written under /run.
>> Here are the relevant parts.
>>
>> systemd-mailify.te
>> #############################
>> policy_module(systemd_mailify, 1.0)
>>
>> type systemd_mailify_t;
>> type systemd_mailify_exec_t;
>> type systemd_unit_file_t;
>> type systemd_mailify_conf_t;
>> type systemd_mailify_var_run_t;
>> class tcp_socket name_connect;
>>
>> init_daemon_domain(systemd_mailify_t, systemd_mailify_exec_t)
>>
>> allow systemd_mailify_t systemd_mailify_conf_t : file rw_file_perms;
>> allow systemd_mailify_t systemd_mailify_conf_t : lnk_file { getattr read };
>> manage_files_pattern(systemd_mailify_t, systemd_mailify_var_run_t,
>> systemd_mailify_var_run_t)
>>
>> files_config_file(systemd_mailify_conf_t);
>> files_pid_file(systemd_mailify_var_run_t);
>> files_read_etc_files(systemd_mailify_conf_t);
>> files_search_etc(systemd_mailify_conf_t);
> systemd_mailify_conf_t is an object type, which does not access any
> objects. You want to allow domain types to access it (you already have
> the correct rules above).
>
>> files_pid_filetrans(systemd_mailify_t,systemd_mailify_var_run_t, { file });
>>
>> auth_use_nsswitch(systemd_mailify_t);
>> logging_send_syslog_msg(systemd_mailify_t);
>> miscfiles_read_localization(systemd_mailify_t);
>> sysnet_dns_name_resolve(systemd_mailify_t);
>> allow systemd_mailify_exec_t smtp_port_t:tcp_socket name_connect;
> systemd_mailify_exec_t is again an object type, for the executable. You want to have
> corenet_tcp_connect_smtp_port(systemd_mailify_t)
>
>> corenet_tcp_sendrecv_all_if(systemd_mailify_exec_t);
>> corenet_tcp_sendrecv_all_nodes(systemd_mailify_exec_t);
>> corenet_tcp_sendrecv_all_ports(systemd_mailify_exec_t);
>> corenet_all_recvfrom_unlabeled(systemd_mailify_exec_t);
>> domain_use_interactive_fds(systemd_mailify_exec_t);
> The same here: you use an object type instead of a subject (domain) type.
>
>
>> #######################
>>
>> systemd-mailify.fc
>> #######################
>> /usr/bin/systemd-mailify.py -- gen_context(system_u:object_r:systemd_mailify_exec_t,s0)
>> /etc/systemd-mailify.conf gen_context(system_u:object_r:systemd_mailify_conf_t,s0)
>> /usr/lib/systemd/system/systemd-mailify.service gen_context(system_u:object_r:systemd_unit_file_t,s0)
>> /run/systemd-mailify.pid gen_context(system_u:object_r:systemd_mailify_var_run_t,s0)
>>
>>
>> --
>> selinux mailing list
>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>
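A small linter, added here as an example (not code from this thread or from the systemd-mailify project), that mechanises Miroslav's review point: an allow rule or a domain-taking interface whose first argument is an object type such as systemd_mailify_exec_t is almost certainly a mistake. The sample policy embedded in it is constructed from the rules quoted above; the set of interface prefixes it treats as domain-taking is an assumption chosen to cover the ones used in this thread.

```python
"""Flag rules in a refpolicy .te fragment whose subject is not a domain type.

Added example, not code from this thread or the systemd-mailify project. Only
the domain named first in init_daemon_domain(domain, exec_type) may be the
source of an allow rule or the argument of a corenet_*/domain_*/auth_*/
logging_*/sysnet_*/miscfiles_* interface; *_exec_t, *_conf_t and *_var_run_t
are object types and belong on the target side only.
"""
import re

DOMAIN_DECL = re.compile(r"init_daemon_domain\(\s*(\w+)\s*,\s*(\w+)\s*\)")
ALLOW_RULE = re.compile(r"^\s*allow\s+(\w+)\s+\w+\s*:")
# Interface prefixes whose first argument is always a domain (assumption).
DOMAIN_IFACE = re.compile(
    r"^\s*(?:corenet|domain|auth|logging|sysnet|miscfiles)_\w+\(\s*(\w+)")


def find_domains(te_text):
    """Domain types are the first argument of each init_daemon_domain() call."""
    return {m.group(1) for m in DOMAIN_DECL.finditer(te_text)}


def lint_te(te_text):
    """Return (line_no, offending_type) for each rule whose subject is not a domain."""
    domains = find_domains(te_text)
    findings = []
    for no, line in enumerate(te_text.splitlines(), 1):
        m = ALLOW_RULE.match(line) or DOMAIN_IFACE.match(line)
        if m and m.group(1) not in domains:
            findings.append((no, m.group(1)))
    return findings


# Constructed sample built from the rules quoted in the thread; lines 6, 8 and 9
# use the executable's object type where the daemon's domain belongs.
ORIGINAL_TE = """\
type systemd_mailify_t;
type systemd_mailify_exec_t;
init_daemon_domain(systemd_mailify_t, systemd_mailify_exec_t)
allow systemd_mailify_t systemd_mailify_conf_t : file rw_file_perms;
files_pid_filetrans(systemd_mailify_t,systemd_mailify_var_run_t, { file });
allow systemd_mailify_exec_t smtp_port_t:tcp_socket name_connect;
sysnet_dns_name_resolve(systemd_mailify_t);
corenet_tcp_sendrecv_all_if(systemd_mailify_exec_t);
domain_use_interactive_fds(systemd_mailify_exec_t);
"""

if __name__ == "__main__":
    for no, bad in lint_te(ORIGINAL_TE):
        print(f"line {no}: {bad} is an object type used as the subject")
```

Running it against the corrected rules from the reply above (domain type everywhere) produces no findings, which is the check to make before building the module.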