Selinux > Hipl
Frank Murphy (Frankly3D)
frankly3d at gmail.com
Sat Dec 5 10:06:27 UTC 2009
On 05/12/09 09:42, Manuel Wolfshant wrote:
--snip--
> And once we (that is you :) ) have a correct policy,
Does this look ok?
audit2allow -M myhipd01 < /var/log/audit/audit.log
module myhipd01 1.0;
require {
type unconfined_t;
type ifconfig_t;
type unconfined_java_t;
type chrome_sandbox_t;
type root_t;
type admin_home_t;
type null_device_t;
type iptables_t;
type abrt_t;
type initrc_t;
type ftp_port_t;
type var_lock_t;
type xauth_t;
type device_t;
type setroubleshootd_t;
type wine_t;
type rpm_var_cache_t;
type rpcd_t;
type system_mail_t;
type plymouthd_t;
class capability sys_ptrace;
class netlink_ip6fw_socket { read write };
class process execmem;
class memprotect mmap_zero;
class netlink_firewall_socket { read write };
class chr_file unlink;
class netlink_xfrm_socket { read write };
class tcp_socket name_connect;
class file { read write };
class rawip_socket { read write };
class netlink_route_socket { read write };
class udp_socket { read write };
class dir { write remove_name create };
role system_r;
role unconfined_r;
}
#============= abrt_t ==============
allow abrt_t ftp_port_t:tcp_socket name_connect;
allow abrt_t rpm_var_cache_t:dir create;
#============= chrome_sandbox_t ==============
allow chrome_sandbox_t self:capability sys_ptrace;
#============= ifconfig_t ==============
allow ifconfig_t initrc_t:netlink_route_socket { read write };
allow ifconfig_t initrc_t:netlink_xfrm_socket { read write };
allow ifconfig_t initrc_t:udp_socket { read write };
allow ifconfig_t var_lock_t:file { read write };
#============= iptables_t ==============
allow iptables_t initrc_t:netlink_firewall_socket { read write };
allow iptables_t initrc_t:netlink_ip6fw_socket { read write };
allow iptables_t initrc_t:rawip_socket { read write };
allow iptables_t initrc_t:udp_socket { read write };
allow iptables_t var_lock_t:file { read write };
#============= plymouthd_t ==============
allow plymouthd_t device_t:dir { write remove_name };
allow plymouthd_t null_device_t:chr_file unlink;
#============= setroubleshootd_t ==============
allow setroubleshootd_t device_t:file write;
#============= system_mail_t ==============
allow system_mail_t root_t:dir write;
#============= unconfined_t ==============
allow unconfined_t self:process execmem;
#============= wine_t ==============
allow wine_t self:memprotect mmap_zero;
#============= xauth_t ==============
allow xauth_t admin_home_t:file { write read };
#============= ROLES ==============
role system_r types unconfined_java_t;
role unconfined_r types rpcd_t;
--
Regards,
Frank Murphy
UTF_8 Encoded.
More information about the fedora-selinux-list
mailing list