On Sat, Dec 05, 2009 at 02:09:02AM -0800, Justin P. Mattock wrote:
On 12/05/09 02:06, Frank Murphy (Frankly3D) wrote:
>On 05/12/09 09:42, Manuel Wolfshant wrote:
>--snip--
>
>>And once we (that is you :) ) have a correct policy,
>
>Does this look ok?
>
>audit2allow -M myhipd01 < /var/log/audit/audit.log
>
>module myhipd01 1.0;
>
>require {
>type unconfined_t;
>type ifconfig_t;
>type unconfined_java_t;
>type chrome_sandbox_t;
>type root_t;
>type admin_home_t;
>type null_device_t;
>type iptables_t;
>type abrt_t;
>type initrc_t;
>type ftp_port_t;
>type var_lock_t;
>type xauth_t;
>type device_t;
>type setroubleshootd_t;
>type wine_t;
>type rpm_var_cache_t;
>type rpcd_t;
>type system_mail_t;
>type plymouthd_t;
>class capability sys_ptrace;
>class netlink_ip6fw_socket { read write };
>class process execmem;
>class memprotect mmap_zero;
>class netlink_firewall_socket { read write };
>class chr_file unlink;
>class netlink_xfrm_socket { read write };
>class tcp_socket name_connect;
>class file { read write };
>class rawip_socket { read write };
>class netlink_route_socket { read write };
>class udp_socket { read write };
>class dir { write remove_name create };
>role system_r;
>role unconfined_r;
>}
>
>#============= abrt_t ==============
>allow abrt_t ftp_port_t:tcp_socket name_connect;
>allow abrt_t rpm_var_cache_t:dir create;
probably bugs in abrt policy
>
>#============= chrome_sandbox_t ==============
>allow chrome_sandbox_t self:capability sys_ptrace;
>
probably bug in chrome policy
>#============= ifconfig_t ==============
>allow ifconfig_t initrc_t:netlink_route_socket { read write };
>allow ifconfig_t initrc_t:netlink_xfrm_socket { read write };
>allow ifconfig_t initrc_t:udp_socket { read write };
>allow ifconfig_t var_lock_t:file { read write };
>
>#============= iptables_t ==============
>allow iptables_t initrc_t:netlink_firewall_socket { read write };
>allow iptables_t initrc_t:netlink_ip6fw_socket { read write };
>allow iptables_t initrc_t:rawip_socket { read write };
>allow iptables_t initrc_t:udp_socket { read write };
>allow iptables_t var_lock_t:file { read write };
whatever runs initrc_t needs policy imho: ps auxZ | grep initrc
>
>#============= plymouthd_t ==============
>allow plymouthd_t device_t:dir { write remove_name };
>allow plymouthd_t null_device_t:chr_file unlink;
>
>#============= setroubleshootd_t ==============
>allow setroubleshootd_t device_t:file write;
Looks like this file is mislabeled. ausearch -m avc -ts today | grep device_t | grep file | grep avc | head -n 1
>
>#============= system_mail_t ==============
>allow system_mail_t root_t:dir write;
why is it writing to /
>
>#============= unconfined_t ==============
>allow unconfined_t self:process execmem;
allow_execmem boolean or label the executable of the execmem program execmem_exec_t;
>
>#============= wine_t ==============
>allow wine_t self:memprotect mmap_zero;
There is a boolean you can set for this. getsebool -a | grep mmap
>
>#============= xauth_t ==============
>allow xauth_t admin_home_t:file { write read };
>#============= ROLES ==============
>role system_r types unconfined_java_t;
Looks like this is what you get when you run user applications with system role
>role unconfined_r types rpcd_t;
If this is a daemon as the type suggests then it should not be run with unconfined role.
>
sure.. now install your binary!!
Justin P. Mattock
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list