I wanted to try to create an auditadm_r.

I was surprised how easy it was. Had to trim down the base_user_template, and add a couple of apache interfaces, but basically ended up with the following. Tried it out on an MLS machine and it seems to work pretty well. I even have it defined as a loadable module. Comments below. One problem is we need an easier way of handling /etc/selinux/mls/contexts/default_type. Had to add httpdadm_r:httpdadm_t.

semanage users -m -R httpdadm_r SELINUXUSER

policy_module(httpdadm,1.0.0)

########################################
#
# Declarations
#
gen_require(`
       role staff_r;
       type staff_devpts_t, staff_tty_device_t, staff_t;
')


define(`role_change',`
       allow $1_r $2_r;
       type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
       type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
       # avoid annoying messages on terminal hangup
       dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
')
##### Need to figure out a way make role_change a callable function. Perhaps just define staff_role_change and user_role_change

minimal_user_template(httpdadm)
#### Needed to strip down base_user_template. Do not want to create homedirs and eliminate all of the optional policy. Talked to Chris about breaking
####  base_user_template into a series of templates.
role_change(staff,httpdadm)
#### Would prefer staff_role_change(httpdadm)

files_read_usr_files(httpdadm_t)
#### Probably should be defined in one of the base_user_templates, since this is pretty much required if you have a shell.

apache_manage_all_content(httpdadm_t)
apache_manage_log(httpdadm_t)
apache_manage_config(httpdadm_t)


##### Problems: I can't easily modify the running service, i.e. I would figure the auditadmin would want to be able to start/stop/signal the service.
##### But we do not have an easy way of doing only one service, and not all the rest. Might have to add the ability to run su/sudo so if you newrole
##### first it will work.

--
redhat-lspp mailing list
https://www.redhat.com/mailman/listinfo/redhat-lspp

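The post's complaint is that default_type has no tooling: you hand-edit /etc/selinux/mls/contexts/default_type, and the semanage call has to agree with it. The script below is an added example, not part of the post and not part of the reference policy: it writes the module source from the post into a staging directory, keeps the default_type edit idempotent (so re-running it never duplicates the httpdadm_r line) and lets you check which type a role will land in before relying on newrole. Function names, the staging directory and the constructed sample default_type file are assumptions; the Makefile path is the one shipped by selinux-policy-devel, and the guarded install step assumes the current `semanage user -m -R` syntax, where -R sets the complete role list for the SELinux user.

```shell
#!/bin/sh
# Added example: stage the httpdadm module and manage the default_type entry.
# Nothing here touches the live system unless install_httpdadm is called.
set -eu

# Write the module source from the post into DIR (no file contexts needed).
write_httpdadm_te() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/httpdadm.te" <<'EOF'
policy_module(httpdadm,1.0.0)

gen_require(`
       role staff_r;
       type staff_devpts_t, staff_tty_device_t, staff_t;
')

define(`role_change',`
       allow $1_r $2_r;
       type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
       type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
       dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
')

minimal_user_template(httpdadm)
role_change(staff,httpdadm)
files_read_usr_files(httpdadm_t)
apache_manage_all_content(httpdadm_t)
apache_manage_log(httpdadm_t)
apache_manage_config(httpdadm_t)
EOF
    : > "$dir/httpdadm.fc"
    printf '%s\n' "$dir/httpdadm.te"
}

# Append ROLE:TYPE to a default_type file only if ROLE has no entry yet.
# Prints "added" or "present" so callers (and the test) can tell which.
ensure_default_type() {
    file="$1"; role="$2"; type="$3"
    if grep -q "^$role:" "$file" 2>/dev/null; then
        printf 'present\n'
    else
        printf '%s:%s\n' "$role" "$type" >> "$file"
        printf 'added\n'
    fi
}

# Print the type newrole would pick for ROLE (first matching line), or nothing.
default_type_for() {
    file="$1"; role="$2"
    sed -n "s/^$role:\(.*\)$/\1/p" "$file" | head -n 1
}

# Live-system steps (root, SELinux MLS host). SEUSER is the SELinux user from
# the post's "semanage users -m -R httpdadm_r SELINUXUSER"; since -R sets the
# full role list, keep the roles the user already has (staff_r here is assumed).
install_httpdadm() {
    dir="$1"; seuser="$2"
    write_httpdadm_te "$dir" >/dev/null
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile httpdadm.pp )
    semodule -i "$dir/httpdadm.pp"
    ensure_default_type /etc/selinux/mls/contexts/default_type httpdadm_r httpdadm_t
    semanage user -m -R "staff_r httpdadm_r" "$seuser"
}

# Usage: sh httpdadm.sh install SEUSER   (anything else only defines functions)
if [ "${1:-}" = install ]; then
    install_httpdadm /tmp/httpdadm-policy "${2:?SELinux user required}"
fi
```

Run `default_type_for /etc/selinux/mls/contexts/default_type httpdadm_r` after the edit: if it prints nothing, newrole -r httpdadm_r will fail for the reason the post describes, and the fix is the default_type line rather than the policy module.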