package review?

Michael Thomas wart at kobold.org
Thu Jul 20 19:43:20 UTC 2006


Daniel J Walsh wrote:
> Michael Thomas wrote:
>> They are in the src.rpm, but I realize that's not the easiest way to
>> pass them around.  Here are direct links:
>>
>> http://www.kobold.org/~wart/fedora/crossfire.fc
>> http://www.kobold.org/~wart/fedora/crossfire.if
>> http://www.kobold.org/~wart/fedora/crossfire.te
>>
> I would not define crossfire_static_data_t, unless this is data you do
> not want other confined domains to read.  You can just let it use
> usr_t and give the application the ability to read usr_t.
> files_read_usr_files(crossfire_t)


> I do not like adding additional file_contexts unless the domain needs to
> write.  Up until now, I think you are better off leaving
> read-only files with the default context.  (This might change as we
> move to more RBAC support).

But this would also give the application read access to all of usr_t.
If I put on my paranoia hat, then I'd want to make sure the application
has limited read access as well as write access.

> allow crossfire_t port_t:udp_socket send_msg;
> allow crossfire_t port_t:tcp_socket name_bind;
> You need to define a port for this socket and only allow name_bind to
> that port

Ok.  If the server admin changes the application's port (not likely),
then they would need to update the policy as well, right?

> allow crossfire_t bin_t:file getattr;
> allow crossfire_t bin_t:dir search;
> Should use corecmd_getattr_bin_files(crossfire_t)
> corecmd_search_bin(crossfire_t)

Ok.  I still need to track down why the application is trying to search
here.

> allow crossfire_t proc_t:dir search;
> allow crossfire_t sysctl_t:dir search;
> allow crossfire_t sysctl_kernel_t:dir search;
> allow crossfire_t sysctl_kernel_t:file read;
> Should use
> kernel_read_kernel_sysctls(crossfire_t)

Ok.  Does this mean I can remove the require { type sysctl_t; }; from
the .te file?  Or does the kernel_read_kernel_sysctls() not perform this
require{}?

> allow crossfire_t devpts_t:chr_file {read write};
> Probably want to dontaudit
> term_dontaudit_use_generic_ptys(crossfire_t)

This will disallow the action, but not generate the avc denied messages,
right?

> allow crossfire_t proc_t:file {getattr read};
> Should use
> kernel_read_system_state(crossfire_t)

Ok.

> If you are generating these additional AVC rules using audit2allow, use
> -R to attempt to find the reference policy macros to use.

Ah, I didn't know that one.

Thanks for the help,

--Mike
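The crossfire.te fragment below is an added example that is not the file Mike posted and not part of refpolicy; it applies the suggestions from the exchange above. The type names crossfire_exec_t and crossfire_static_data_t, the port number 13327 and the corenet_* bind/sendrecv interfaces are assumptions to check against the installed reference policy before building.

```selinux
# crossfire.te, rewritten with reference-policy interfaces instead of
# raw allow rules on generic types. Added example; see lead-in for
# what is assumed.
policy_module(crossfire, 1.0.0)

########################################
# Declarations

type crossfire_t;
type crossfire_exec_t;
init_daemon_domain(crossfire_t, crossfire_exec_t)

# A dedicated port type so name_bind is limited to one port rather than
# to every port_t. The number is attached outside the module, e.g.
#   semanage port -a -t crossfire_port_t -p tcp 13327
# (13327 is assumed to be the server's default; verify against its config).
type crossfire_port_t;
corenet_port(crossfire_port_t)

########################################
# Local policy

# Read-only game data, Dan's way: let it stay usr_t and read usr_t.
files_read_usr_files(crossfire_t)

# Narrower alternative for the "paranoia hat": a private type that only
# this domain may read. Uncomment these lines, drop files_read_usr_files
# above, and label the data directory with this type in crossfire.fc.
#type crossfire_static_data_t;
#files_type(crossfire_static_data_t)
#allow crossfire_t crossfire_static_data_t:dir list_dir_perms;
#allow crossfire_t crossfire_static_data_t:file read_file_perms;

# Network: bind only to the crossfire port, not to all of port_t.
# Replaces: allow crossfire_t port_t:tcp_socket name_bind;
#           allow crossfire_t port_t:udp_socket send_msg;
allow crossfire_t crossfire_port_t:tcp_socket name_bind;
allow crossfire_t crossfire_port_t:udp_socket { send_msg recv_msg };
corenet_tcp_bind_all_nodes(crossfire_t)
corenet_tcp_sendrecv_all_if(crossfire_t)
corenet_tcp_sendrecv_all_nodes(crossfire_t)

# Replaces: allow crossfire_t bin_t:file getattr;
#           allow crossfire_t bin_t:dir search;
corecmd_getattr_bin_files(crossfire_t)
corecmd_search_bin(crossfire_t)

# Replaces the proc_t / sysctl_t / sysctl_kernel_t rules. Each interface
# carries its own gen_require() for the types it touches, so this file
# needs no require { type sysctl_t; } block of its own.
kernel_read_kernel_sysctls(crossfire_t)
kernel_read_system_state(crossfire_t)

# Replaces: allow crossfire_t devpts_t:chr_file { read write };
# The access stays denied; only the AVC denial message is suppressed.
term_dontaudit_use_generic_ptys(crossfire_t)
```

Two practical consequences of this shape: because the port number lives in the semanage port mapping and not in the module, an admin who moves the server to another port re-runs `semanage port -a -t crossfire_port_t -p tcp <port>` rather than rebuilding the policy; and `audit2allow -R -i /var/log/audit/audit.log` will propose interface calls of this kind directly from the denials, which is the quickest way to find the name for a raw rule before adding it by hand.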