Mike Edenfield wrote:
> Chris PeBenito wrote:
>
>> It would be nice to find out more specifically what is going on with the
>> other two denials, but I suspect that it will be ok to allow. I use
>> dhcpcd on my server, but don't see this problem.
>
> Thanks for all your help so far. Over this weekend I upgraded to the
> new, modular SELinux policy and applied the strict policy to my system.
> This seems to have removed the majority of my audit messages, so I'm
> guessing the 2005.1 policy files were just out of date.
>
> I do have a few questions about the new policy setup.
>
> 1. How can I see what policy rules are defined in a compiled policy
> module? I need to add some rules to handle interactions between
> multiple services, but I want to make sure the labels are correct first,
> and use the correct domain types. But without the policy sources I
> haven't figured out how to see what rules are available.

For strict:
/usr/share/selinux/strict/
i.e. for services:
/usr/share/selinux/strict/include/services/

> 2. This one is specific to sudo. I added a couple of rules relating to
> sudo:
>
> allow sysadm_sudo_t self:netlink_route_socket r_netlink_socket_perms;
> allow sysadm_sudo_t pam_var_run_t:dir { getattr search write };
>
> but I remember from looking through the older policy sources that sudo
> actually defines more than one $1_sudo_t type that all get the same
> rules. Is there a way in my local.te file to look up and apply my two
> transition rules to every defined *_sudo_t type, or will I need to
> specify each one individually?

/usr/share/selinux/strict/include/admin/sudo.if

So you should be able to add it there.
I haven't figured out how to build from this location though, so I have
done like you did and kept my changes to local modules. And in any case
these changes would probably get lost on policy upgrade.

Which brings up another question: how do I get simple policy changes
merged? I've got a bunch of tweaks that I use here that other people
will want to use eventually, like mysql support for postfix - a bit like
the use flag:

allow postfix_$1_t mysqld_t:unix_stream_socket connectto;
allow postfix_$1_t mysqld_var_run_t:dir search;
allow postfix_$1_t mysqld_var_run_t:sock_file write;

Also, sorry to hijack the thread, but where can I enable
apache_read_user_content?

Antoine
--
gentoo-hardened@g.o mailing list
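Antoine's reply keeps the sudo rules in a local module rather than editing sudo.if in place. The script below is an added example, not code from the thread or from the refpolicy project: it writes the two sudo rules quoted above as a loadable module, together with the gen_require block a module needs in order to reference types it does not own, checks that every type used in an allow rule is covered by a require line (a heuristic of this example, not a refpolicy tool), and then builds the module with the refpolicy development Makefile. The module name local and the Makefile path /usr/share/selinux/strict/include/Makefile are assumptions; the path follows the refpolicy convention of installing the Makefile under the headers directory the reply points at, and the build step is skipped when it is not present.

```shell
#!/bin/sh
# Added example (not from the thread): package the two sudo rules quoted
# above as a loadable "local" policy module built against the strict
# refpolicy headers. The Makefile path is an assumption (refpolicy
# convention); override REFPOL_INCLUDE if your headers live elsewhere.
set -eu

REFPOL_INCLUDE="${REFPOL_INCLUDE:-/usr/share/selinux/strict/include}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Write local.te into the directory given as $1 and print its path.
# gen_require() lists the types this module uses but does not declare, so
# the module loader can resolve them against the installed base policy.
write_local_te() {
    cat > "$1/local.te" <<'EOF'
policy_module(local, 1.0)

gen_require(`
    type sysadm_sudo_t;
    type pam_var_run_t;
')

# Rules quoted from the thread: sudo opens a routing netlink socket and
# touches the PAM run-time directory.
allow sysadm_sudo_t self:netlink_route_socket r_netlink_socket_perms;
allow sysadm_sudo_t pam_var_run_t:dir { getattr search write };
EOF
    printf '%s\n' "$1/local.te"
}

# Print every type named in an allow rule of $1 that has no matching
# "type X;" line (in gen_require or as a local declaration). This is a
# heuristic of the example, not a refpolicy tool, but it catches the usual
# "type X is not declared" failure before the build does.
te_missing_requires() {
    _te="$1"
    _used=$(awk '$1 == "allow" {
                    print $2
                    split($3, tgt, ":")
                    if (tgt[1] != "self") print tgt[1]
                }' "$_te" | sort -u)
    _missing=""
    for _t in $_used; do
        grep -q "^[[:space:]]*type $_t;" "$_te" || _missing="$_missing $_t"
    done
    printf '%s' "${_missing# }"
}

# Build local.pp from local.te in $1 with the refpolicy development
# Makefile; skip quietly when the headers are not installed (for instance
# on a machine without the strict policy headers).
build_module() {
    if [ ! -f "$REFPOL_INCLUDE/Makefile" ]; then
        echo "no $REFPOL_INCLUDE/Makefile; skipping build" >&2
        return 0
    fi
    (cd "$1" && make -f "$REFPOL_INCLUDE/Makefile" local.pp)
    echo "built $1/local.pp; load it with: semodule -i $1/local.pp"
}

te_file=$(write_local_te "$WORKDIR")
missing=$(te_missing_requires "$te_file")
if [ -n "$missing" ]; then
    echo "gen_require is missing: $missing" >&2
    exit 1
fi
build_module "$WORKDIR"
```

Because the module is built against the installed headers rather than a copy of the policy sources, it survives a policy upgrade as long as the types it requires still exist; a rebuild of local.pp after the upgrade is enough to pick up new header versions.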