[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: package review?



Michael Thomas wrote:
Daniel J Walsh wrote:
Michael Thomas wrote:

A few packages (game server daemons) that I maintain in Fedora Extras
would benefit from having a selinux security policy available.  But
since I'm new to writing selinux policies, I was hoping that someone
from f-s-l could take a peek at what I did and let me know if I've done
things correctly and in the 'recommended' way.

I've already tested the policy on FC5 to make sure that it works and
produces no 'avc denied' messages:

http://www.kobold.org/~wart/fedora/crossfire-1.9.1-2.src.rpm

I wasn't sure exactly which networking rules I would need.  Most of the
ones there were generated by policygentool.  I also couldn't figure out
why some of the rules at the end of crossfire.te were necessary.

Thanks in advance!

--Mike
------------------------------------------------------------------------

--
fedora-selinux-list mailing list
fedora-selinux-list redhat com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Please attach the te, fc and if files.

They are in the src.rpm, but I realize that's not the easiest way to
pass them around.  Here are direct links:

http://www.kobold.org/~wart/fedora/crossfire.fc
http://www.kobold.org/~wart/fedora/crossfire.if
http://www.kobold.org/~wart/fedora/crossfire.te

I would not define crossfire_static_data_t, unless this is data you do not want other confined domains from reading. You can just let it use usr_t and give the application the ability to read usr_t.
files_read_usr_files(crossfire_t)

I do not like adding additional file_contexts unless the domain needs to write. Up until now, I think you are better off leaving read only files with the default context. (This might change as we move to more RBAC support).

allow crossfire_t port_t:udp_socket send_msg;
allow crossfire_t port_t:tcp_socket name_bind;
You need to define a port for this socket and only allow name_bind to that port


allow crossfire_t bin_t:file getattr;
allow crossfire_t bin_t:dir search;
Should use corecmd_getattr_bin_files(crossfire_t)
corecmd_search_bin(crossfire_t)



allow crossfire_t proc_t:dir search;
allow crossfire_t sysctl_t:dir search;
allow crossfire_t sysctl_kernel_t:dir search;
allow crossfire_t sysctl_kernel_t:file read;
Should use
kernel_read_kernel_sysctls(crossfire_t)

allow crossfire_t devpts_t:chr_file {read write};
Probably want to dontaudit
term_dontaudit_use_generic_ptys(crossfire_t)



allow crossfire_t proc_t:file {getattr read};
Shoudl use
kernel_read_system_state(crossfire_t)


If you are generating these additional AVC rules using audit2allow. use -R to attempt to find the reference policy macros to use.

macros are available in /usr/share/selinux/devel/include directory.

--Mike
------------------------------------------------------------------------

--
fedora-selinux-list mailing list
fedora-selinux-list redhat com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]