1 |
Hi, |
2 |
|
3 |
I've written a policy for ez-ipupdate (DynDNS) and guess it is not so secure as |
4 |
I think ;-) Maybe I've opened a whole in the policy. |
5 |
Here are the files: |
6 |
|
7 |
file_contexts/program/ezipupdate.fc |
8 |
|
9 |
/usr/bin/ez-ipupdate -- system_u:object_r:ezipupdate_exec_t |
10 |
|
11 |
|
12 |
|
13 |
domains/program/ezipupdate.te |
14 |
|
15 |
type ezipupdate_exec_t, file_type; |
16 |
|
17 |
allow initrc_t ezipupdate_exec_t:file { execute execute_no_trans read }; |
18 |
allow initrc_t initrc_t:tcp_socket { connect create ioctl read write }; |
19 |
allow initrc_t var_run_t:file { read write }; |
20 |
allow initrc_t netif_t:netif { tcp_recv tcp_send udp_recv udp_send }; |
21 |
allow initrc_t node_t:node { tcp_recv tcp_send udp_recv udp_send }; |
22 |
allow initrc_t port_t:tcp_socket { recv_msg send_msg }; |
23 |
allow initrc_t port_t:udp_socket { recv_msg send_msg }; |
24 |
|
25 |
|
26 |
|
27 |
What are your thoughts about the "allow initrc_t ..."? I don't know if they are |
28 |
opening wholes in the system?! Maybe I should create a new type like |
29 |
initrc_ezipupdate_t or something else. |
30 |
What are your opinions about the policy? |
31 |
|
32 |
-Stefan |