| 1 |
Hi, |
| 2 |
|
| 3 |
I've written a policy for ez-ipupdate (DynDNS) and guess it is not so secure as |
| 4 |
I think ;-) Maybe I've opened a whole in the policy. |
| 5 |
Here are the files: |
| 6 |
|
| 7 |
file_contexts/program/ezipupdate.fc |
| 8 |
|
| 9 |
/usr/bin/ez-ipupdate -- system_u:object_r:ezipupdate_exec_t |
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
domains/program/ezipupdate.te |
| 14 |
|
| 15 |
type ezipupdate_exec_t, file_type; |
| 16 |
|
| 17 |
allow initrc_t ezipupdate_exec_t:file { execute execute_no_trans read }; |
| 18 |
allow initrc_t initrc_t:tcp_socket { connect create ioctl read write }; |
| 19 |
allow initrc_t var_run_t:file { read write }; |
| 20 |
allow initrc_t netif_t:netif { tcp_recv tcp_send udp_recv udp_send }; |
| 21 |
allow initrc_t node_t:node { tcp_recv tcp_send udp_recv udp_send }; |
| 22 |
allow initrc_t port_t:tcp_socket { recv_msg send_msg }; |
| 23 |
allow initrc_t port_t:udp_socket { recv_msg send_msg }; |
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
What are your thoughts about the "allow initrc_t ..."? I don't know if they are |
| 28 |
opening wholes in the system?! Maybe I should create a new type like |
| 29 |
initrc_ezipupdate_t or something else. |
| 30 |
What are your opinions about the policy? |
| 31 |
|
| 32 |
-Stefan |
Archives