On Thu, 2007-03-22 at 00:08 +0000, Antoine Martin wrote:
> Mike Edenfield wrote:
> > 2. This one is specific to sudo. I added a couple of rules relating to
> > sudo:
> >
> > allow sysadm_sudo_t self:netlink_route_socket r_netlink_socket_perms;
> > allow sysadm_sudo_t pam_var_run_t:dir { getattr search write };
> >
> > but I remember from looking through the older policy sources that sudo
> > actually defines more than one $1_sudo_t type that all get the same
> > rules. Is there a way in my local.te file to look up and apply my two
> > transition rules to every defined *_sudo_t type, or will I need to
> > specify each one individually?
> /usr/share/selinux/strict/include/admin/sudo.if
>
> So you should be able to add it there.
> I haven't figured out how to build from this location though, so I have
> done like you did and kept my changes to local modules. And in any case
> these changes would probably get lost on policy upgrade.

No, these should be treated like the headers in /usr/include; you
shouldn't be modifying them. Changes to these policy modules will only
affect modules built from these headers, not those modules that are
already built.

> Which brings another question, how do I get simple policy changes
> merged? I've got a bunch of tweaks that I use here that other people
> will want to use eventually, like mysql support for postfix - a bit like
> the use flag:
>
> allow postfix_$1_t mysqld_t:unix_stream_socket connectto;
> allow postfix_$1_t mysqld_var_run_t:dir search;
> allow postfix_$1_t mysqld_var_run_t:sock_file write;

Merged where? To the Gentoo policy?

> Also, sorry to hijack the thread, but where can I enable
> apache_read_user_content?

Not sure what you mean by this.

--
Chris PeBenito
<pebenito@g.o>
Developer,
Hardened Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
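An added example, not part of this thread or of refpolicy, for the first question above: it scans a policy fragment for every declared *_sudo_t type and reports which of the two sudo rules (written with the $1 placeholder that sudo.if uses) each domain still lacks, so the per-type lines for local.te can be checked rather than guessed. The constructed sample policy, the staff/user role prefixes and the choice of Python are assumptions; the parser reads plain allow rules only and does not expand m4 macros or interface calls.

```python
import re

# Constructed sample policy: the thread's two rules on sysadm_sudo_t only,
# plus the other per-role sudo domains (staff/user prefixes are assumed).
SAMPLE_POLICY = """
type sysadm_sudo_t;
type staff_sudo_t;
type user_sudo_t;
allow sysadm_sudo_t self:netlink_route_socket r_netlink_socket_perms;
allow sysadm_sudo_t pam_var_run_t:dir { getattr search write };
allow staff_sudo_t pam_var_run_t:dir { getattr search };
"""

# The same rules written with the $1 placeholder refpolicy templates use.
TEMPLATE_RULES = [
    "allow $1_sudo_t self:netlink_route_socket r_netlink_socket_perms;",
    "allow $1_sudo_t pam_var_run_t:dir { getattr search write };",
]

TYPE_RE = re.compile(r"^\s*type\s+(\w+)\s*;", re.M)
# allow <src> <tgt>:<class> <perm | { perm ... }>;   (no m4 macro expansion)
ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;", re.M)

def parse_perms(field):
    """'{ getattr search }' or 'r_netlink_socket_perms' -> set of tokens."""
    return set(field.strip("{} ").split())

def parse_allows(policy):
    """Merge every allow rule into {(source, target, class): perms}."""
    granted = {}
    for src, tgt, cls, perms in ALLOW_RE.findall(policy):
        granted.setdefault((src, tgt, cls), set()).update(parse_perms(perms))
    return granted

def sudo_domains(policy):
    return sorted(t for t in TYPE_RE.findall(policy) if t.endswith("_sudo_t"))

def missing_rules(policy, templates):
    """Concrete rules (one per template per sudo domain) the policy does not
    grant in full; allow rules are cumulative, so whole rules are re-emitted."""
    granted = parse_allows(policy)
    missing = []
    for domain in sudo_domains(policy):
        prefix = domain[:-len("_sudo_t")]
        for template in templates:
            rule = template.replace("$1", prefix)
            src, tgt, cls, perms = ALLOW_RE.match(rule).groups()
            if not parse_perms(perms) <= granted.get((src, tgt, cls), set()):
                missing.append(rule)
    return missing
```

On a real policy the same check would be run over the post-m4 output, since interface calls and permission macros are not expanded here.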