Selinux > Hipl

Frank Murphy (Frankly3D) frankly3d at gmail.com
Sat Dec 5 10:06:27 UTC 2009 

On 05/12/09 09:42, Manuel Wolfshant wrote:
--snip--

> And once we (that is you :) ) have a correct policy,

Does this look ok?

audit2allow -M myhipd01 < /var/log/audit/audit.log

module myhipd01 1.0;

require {
	type unconfined_t;
	type ifconfig_t;
	type unconfined_java_t;
	type chrome_sandbox_t;
	type root_t;
	type admin_home_t;
	type null_device_t;
	type iptables_t;
	type abrt_t;
	type initrc_t;
	type ftp_port_t;
	type var_lock_t;
	type xauth_t;
	type device_t;
	type setroubleshootd_t;
	type wine_t;
	type rpm_var_cache_t;
	type rpcd_t;
	type system_mail_t;
	type plymouthd_t;
	class capability sys_ptrace;
	class netlink_ip6fw_socket { read write };
	class process execmem;
	class memprotect mmap_zero;
	class netlink_firewall_socket { read write };
	class chr_file unlink;
	class netlink_xfrm_socket { read write };
	class tcp_socket name_connect;
	class file { read write };
	class rawip_socket { read write };
	class netlink_route_socket { read write };
	class udp_socket { read write };
	class dir { write remove_name create };
	role system_r;
	role unconfined_r;
}

#============= abrt_t ==============
allow abrt_t ftp_port_t:tcp_socket name_connect;
allow abrt_t rpm_var_cache_t:dir create;

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t self:capability sys_ptrace;

#============= ifconfig_t ==============
allow ifconfig_t initrc_t:netlink_route_socket { read write };
allow ifconfig_t initrc_t:netlink_xfrm_socket { read write };
allow ifconfig_t initrc_t:udp_socket { read write };
allow ifconfig_t var_lock_t:file { read write };

#============= iptables_t ==============
allow iptables_t initrc_t:netlink_firewall_socket { read write };
allow iptables_t initrc_t:netlink_ip6fw_socket { read write };
allow iptables_t initrc_t:rawip_socket { read write };
allow iptables_t initrc_t:udp_socket { read write };
allow iptables_t var_lock_t:file { read write };

#============= plymouthd_t ==============
allow plymouthd_t device_t:dir { write remove_name };
allow plymouthd_t null_device_t:chr_file unlink;

#============= setroubleshootd_t ==============
allow setroubleshootd_t device_t:file write;

#============= system_mail_t ==============
allow system_mail_t root_t:dir write;

#============= unconfined_t ==============
allow unconfined_t self:process execmem;

#============= wine_t ==============
allow wine_t self:memprotect mmap_zero;

#============= xauth_t ==============
allow xauth_t admin_home_t:file { write read };
#============= ROLES ==============
role system_r types unconfined_java_t;
role unconfined_r types rpcd_t;

-- 
Regards,

Frank Murphy
UTF_8 Encoded.

More information about the fedora-selinux-list mailing list