
Fedora 8 odds and sods



Today I've done a bit of a clean-up of the local policy modules I've had in use over the last couple of Fedora releases, removing bits that are no longer needed and consolidating the remaining ones into a single "localmisc" module. The result of this is:

policy_module(localmisc, 0.1.34)

require {
        attribute mailserver_delivery;
        type depmod_t;
        type httpd_t;
        type load_policy_t;
        type procmail_t;
        type procmail_tmp_t;
        type pptp_t;
        type restorecon_t;
        type sendmail_t;
        type setfiles_t;
        type soundd_port_t;
        type squid_t;
        type useradd_t;
        type var_t;
};

# ========================================
# Things that probably need to go upstream
# ========================================

# Milter sockets, why did this work before?
#allow sendmail_t initrc_t:unix_stream_socket { read write connectto };
init_stream_connect_script(mailserver_delivery)
init_rw_script_stream_sockets(mailserver_delivery)

# Allow misc command output to be sent to a pipe, needed for rpm scriptlets
# Probably not needed since Fedora 8
#unconfined_rw_pipes(depmod_t)
#unconfined_rw_pipes(load_policy_t)
#unconfined_rw_pipes(setfiles_t)
#unconfined_rw_pipes(useradd_t)

# Allow pptp to manage its own processes
allow pptp_t self:process signal;

# Allow sendmail to read procmail tempfiles for forwarding
# (would need a new interface in procmail.if to do this properly)
allow sendmail_t procmail_tmp_t:file { read write getattr ioctl };

# Not sure what this is, needed when network is congested
allow sendmail_t self:process signull;

# ==============
# Local oddities
# ==============

# Allow restorecon to restore file contexts via the /var/www -> /srv/www symlink
allow restorecon_t var_t:lnk_file read;

# Allow httpd to read /var/www -> /srv/www symlink
allow httpd_t var_t:lnk_file { getattr read };

# Allow squid to connect to websites on port 8000 (defined in policy as soundd_port_t)
allow squid_t soundd_port_t:tcp_socket name_connect;



Not a lot left there, so I thought I'd post them here in their entirety for discussion and hopefully inclusion (at least in part) in a future policy update.

Paul.
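As an added example that is not part of Paul's post or of the Fedora policy sources: a small pure-Python checker for a local .te module of the kind shown above. It needs no SELinux tooling; it only reads the policy text. The `require` block is cross-checked against the names the active `allow` rules and interface calls actually use, so that a type missing from `require` (a build-time failure) or a stale `require` entry left behind by a commented-out rule (the module then fails to load on any later release that drops that type) shows up before `semodule` is run. The sample input is the localmisc module above with its comments trimmed; the function and regex names are this example's own.

```python
"""Sanity-check a local SELinux policy module (.te) before building it.
Added example, not part of the original post; reads policy text only."""
import re
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample input: the localmisc module from the post, comments trimmed.
SAMPLE_TE = """\
policy_module(localmisc, 0.1.34)
require {
        attribute mailserver_delivery;
        type depmod_t;
        type httpd_t;
        type load_policy_t;
        type procmail_t;
        type procmail_tmp_t;
        type pptp_t;
        type restorecon_t;
        type sendmail_t;
        type setfiles_t;
        type soundd_port_t;
        type squid_t;
        type useradd_t;
        type var_t;
};
#allow sendmail_t initrc_t:unix_stream_socket { read write connectto };
init_stream_connect_script(mailserver_delivery)
init_rw_script_stream_sockets(mailserver_delivery)
#unconfined_rw_pipes(depmod_t)
#unconfined_rw_pipes(load_policy_t)
#unconfined_rw_pipes(setfiles_t)
#unconfined_rw_pipes(useradd_t)
allow pptp_t self:process signal;
allow sendmail_t procmail_tmp_t:file { read write getattr ioctl };
allow sendmail_t self:process signull;
allow restorecon_t var_t:lnk_file read;
allow httpd_t var_t:lnk_file { getattr read };
allow squid_t soundd_port_t:tcp_socket name_connect;
"""


class AllowRule(NamedTuple):
    source: str
    target: str
    tclass: str
    perms: frozenset


ALLOW_RE = re.compile(r'^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;$')
CALL_RE = re.compile(r'^([A-Za-z_]\w*)\s*\(([^)]*)\)\s*$')
REQUIRE_RE = re.compile(r'require\s*\{(.*?)\}\s*;', re.S)


def active_lines(text: str) -> List[str]:
    """Drop comments and blank lines: a commented-out rule is not policy."""
    stripped = (line.split('#', 1)[0].strip() for line in text.splitlines())
    return [line for line in stripped if line]


def parse_require(text: str) -> Dict[str, Set[str]]:
    """Map each require kind ('type', 'attribute', ...) to the names declared."""
    declared: Dict[str, Set[str]] = {}
    match = REQUIRE_RE.search('\n'.join(active_lines(text)))
    if match:
        for stmt in match.group(1).split(';'):
            parts = stmt.split()
            if len(parts) == 2:
                declared.setdefault(parts[0], set()).add(parts[1])
    return declared


def parse_allow_rules(text: str) -> List[AllowRule]:
    """Parse 'allow src tgt:class perm;' and 'allow src tgt:class { p q };'."""
    rules = []
    for line in active_lines(text):
        match = ALLOW_RE.match(line)
        if match:
            perms = frozenset(match.group(4).strip('{}').split())
            rules.append(AllowRule(match.group(1), match.group(2), match.group(3), perms))
    return rules


def parse_interface_calls(text: str) -> List[Tuple[str, List[str]]]:
    """Interface calls such as init_stream_connect_script(mailserver_delivery)."""
    calls = []
    for line in active_lines(text):
        match = CALL_RE.match(line)
        if match and match.group(1) != 'policy_module':
            args = [a.strip() for a in match.group(2).split(',') if a.strip()]
            calls.append((match.group(1), args))
    return calls


def check_module(text: str) -> Dict[str, Set[str]]:
    """'undeclared' names fail the build; 'unused' names are stale require entries."""
    declared: Set[str] = set()
    for names in parse_require(text).values():
        declared |= names
    referenced: Set[str] = set()
    for rule in parse_allow_rules(text):
        referenced |= {rule.source, rule.target} - {'self'}   # self is not a type
    for _, args in parse_interface_calls(text):
        referenced |= set(args)
    return {'undeclared': referenced - declared, 'unused': declared - referenced}


if __name__ == '__main__':
    for kind, names in check_module(SAMPLE_TE).items():
        print(f'{kind}: {sorted(names) or "none"}')
```

Run against the posted module it reports nothing undeclared, but five stale `require` entries: `procmail_t` (only `procmail_tmp_t` is used) and the four types whose `unconfined_rw_pipes()` calls are commented out. Dropping them from `require` keeps the module loadable if an upstream release renames or removes any of those types. The checker only recognises plain `allow` rules and simple interface calls; `dontaudit`, `auditallow`, `typeattribute` and conditional blocks would need matching parsers added.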

