1 |
On Wed, 2007-03-21 at 13:38 -0400, Mike Edenfield wrote: |
2 |
> Chris PeBenito wrote: |
3 |
> |
4 |
> > It would be nice to find out more specifically what is going on with the |
5 |
> > other two denials, but I suspect that it will be ok to allow. I use |
6 |
> > dhcpcd on my server, but don't see this problem. |
7 |
> |
8 |
> Thanks for all your help so far. Over this weekend I upgraded to the |
9 |
> new, modular SELinux policy and applied the strict policy to my system. |
10 |
> This seems to have removed the majority of my audit messages, so I'm |
11 |
> guessing the 2005.1 policy files were just out of date. |
12 |
> |
13 |
> I do have a few questions about the new policy setup. |
14 |
> |
15 |
> 1. How can I see what policy rules are defined in a compiled policy |
16 |
> module? I need to add some rules to handle interactions between |
17 |
> multiple services but I want to make sure the labels are correct first, |
18 |
> and use the correct domain types. But without the policy sources I |
19 |
> haven't figured out how to see what rules are available. |
20 |
|
21 |
You can use app-admin/setools-3.1 's apol tool to open up a module |
22 |
(*.pp), but you must also have a base module (base.pp). Or you could |
23 |
use it to open of policy.21. If this still isn't sufficient, you'll |
24 |
still have to look the policy sources. |
25 |
|
26 |
However part of the reference policy is now the concept of interfaces |
27 |
which provide access to a module's access, for example, |
28 |
apache_read_log(foo_t) would give the domain foo_t the rules for reading |
29 |
the apache log. You can see a reference of interfaces from |
30 |
http://oss.tresys.com/docs/refpolicy/api/. Then you won't need to |
31 |
figure out what type the apache logs are, and what allow rules are |
32 |
needed to get the access. |
33 |
|
34 |
> 2. This one is specific to sudo. I added a couple of rules relating to |
35 |
> sudo: |
36 |
> |
37 |
> allow sysadm_sudo_t self:netlink_route_socket r_netlink_socket_perms; |
38 |
> allow sysadm_sudo_t pam_var_run_t:dir { getattr search write }; |
39 |
> |
40 |
> but I remember from looking through the older policy sources that sudo |
41 |
> actually defines more than one $1_sudo_t type that all get the same |
42 |
> rules. Is there a way in my local.te file to look up and apply my two |
43 |
> transition rules to every defined *_sudo_t type, or will I need to |
44 |
> specify each one individually? |
45 |
|
46 |
If your policy customizations module is called "local" you would want |
47 |
this: |
48 |
|
49 |
template(`local_per_role_template',` |
50 |
require { type $1_sudo_t, pam_var_run_t; } |
51 |
allow $1_sudo_t self:netlink_route_socket r_netlink_socket_perms; |
52 |
allow $1_sudo_t pam_var_run_t:dir { getattr search write }; |
53 |
') |
54 |
|
55 |
[modulename]_per_role_template is automatically invoked for each of the |
56 |
user roles (user,staff,sysadm), with the parameters: prefix, |
57 |
user_domain, role |
58 |
|
59 |
So for sysadm_r, the prefix is sysadm and the user_domain is sysadm_t. |
60 |
|
61 |
-- |
62 |
Chris PeBenito |
63 |
<pebenito@g.o> |
64 |
Developer, |
65 |
Hardened Gentoo Linux |
66 |
|
67 |
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243 |
68 |
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243 |