Gentoo Archives: gentoo-hardened

From: Chris PeBenito <pebenito@g.o>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] Re: "Out of the box" SELinux policy questions...
Date: Sun, 25 Mar 2007 21:06:50
Message-Id: 1174856586.6944.41.camel@gorn.pebenito.net
In Reply to: Re: [gentoo-hardened] Re: "Out of the box" SELinux policy questions... by Antoine Martin
On Thu, 2007-03-22 at 00:08 +0000, Antoine Martin wrote:
> Mike Edenfield wrote:
> > 2. This one is specific to sudo. I added a couple of rules relating to
> > sudo:
> >
> > allow sysadm_sudo_t self:netlink_route_socket r_netlink_socket_perms;
> > allow sysadm_sudo_t pam_var_run_t:dir { getattr search write };
> >
> > but I remember from looking through the older policy sources that sudo
> > actually defines more than one $1_sudo_t type that all get the same
> > rules. Is there a way in my local.te file to look up and apply my two
> > transition rules to every defined *_sudo_t type, or will I need to
> > specify each one individually?
> /usr/share/selinux/strict/include/admin/sudo.if
>
> So you should be able to add it there.
> I haven't figured out how to build from this location though, so I have
> done like you did and kept my changes to local modules. And in any case
> these changes would probably get lost on policy upgrade.

No, these should be treated like the headers in /usr/include; you
shouldn't be modifying them. Changes to these policy modules will only
affect modules built from these headers, not those modules that are
already built.

> Which brings another question, how do I get simple policy changes
> merged? I've got a bunch of tweaks that I use here that other people
> will want to use eventually, like mysql support for postfix - a bit like
> the use flag:
>
> allow postfix_$1_t mysqld_t:unix_stream_socket connectto;
> allow postfix_$1_t mysqld_var_run_t:dir search;
> allow postfix_$1_t mysqld_var_run_t:sock_file write;

Merged where? To the Gentoo policy?

> Also, sorry to hijack the thread, but where can I enable
> apache_read_user_content?

Not sure what you mean by this.

--
Chris PeBenito
<pebenito@g.o>
Developer,
Hardened Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
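An added example, not code from the thread or from the Gentoo policy, of the approach the reply recommends: keeping the sudo tweaks in a local loadable module built against the installed headers instead of editing sudo.if, and using a local attribute so the two rules are written once and each $1_sudo_t instance is only listed once. sysadm_sudo_t and the two allow rules come from the thread; staff_sudo_t is assumed here as a second sudo role present in the installed policy.

```selinux
# local.te (added example): a reference-policy style loadable module.
# It depends only on the installed headers under
# /usr/share/selinux/strict/include, so it survives a policy upgrade
# as long as the required types still exist.
policy_module(local, 1.0)

# Declaring an attribute locally lets the rules below be written once;
# every sudo domain that needs them is just added to the attribute.
attribute local_sudo_domains;

# Types declared elsewhere must be required before they can be used.
# staff_sudo_t is an assumption; drop it if the role is not defined.
gen_require(`
	type sysadm_sudo_t;
	type staff_sudo_t;
	type pam_var_run_t;
')

typeattribute sysadm_sudo_t local_sudo_domains;
typeattribute staff_sudo_t local_sudo_domains;

# The two rules from the thread, now applied to every member of the
# attribute rather than to a single hard-coded sudo type.
allow local_sudo_domains self:netlink_route_socket r_netlink_socket_perms;
allow local_sudo_domains pam_var_run_t:dir { getattr search write };
```

Assuming the headers ship their usual Makefile, the module is built and loaded with `make -f /usr/share/selinux/strict/include/Makefile local.pp` followed by `semodule -i local.pp`; a missing required type shows up as a build or load error rather than as silently ignored rules.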
