With the MLS policy in enforcing mode, amtu -n fails because the sysadm
role lacks networking privileges. Either the networking privileges can be
added to the sysadm role or amtu needs its own domain. Below I have
proposed a possible policy to have amtu execute in its own domain. I
relied heavily on policy generation tools and audit2allow, so I'd
appreciate all comments on appropriate style, preferable include macros,
preferred interfaces and the like.
diff -Naurp amtu.old/amtu.fc amtu/amtu.fc
--- amtu.old/amtu.fc 1969-12-31 18:00:00.000000000 -0600
+++ amtu/amtu.fc 2007-03-01 14:46:53.714656144 -0600
@@ -0,0 +1,7 @@
+# amtu executable will have:
+# label: system_u:object_r:amtu_exec_t
+# MLS sensitivity: s0
+# MCS categories: <none>
+
+/usr/bin/amtu -- gen_context(system_u:object_r:amtu_exec_t,s0)
+
diff -Naurp amtu.old/amtu.te amtu/amtu.te
--- amtu.old/amtu.te 1969-12-31 18:00:00.000000000 -0600
+++ amtu/amtu.te 2007-03-01 14:47:04.243055584 -0600
@@ -0,0 +1,67 @@
+policy_module(amtu,1.0.23)
+
+########################################
+#
+# Declarations
+#
+gen_require(`
+ type sysadm_t;
+ role sysadm_r;
+ type sysadm_devpts_t;
+ type boot_t;
+ type etc_runtime_t;
+ type proc_t;
+')
+
+type amtu_t;
+type amtu_exec_t;
+domain_type(amtu_t)
+domain_entry_file(amtu_t, amtu_exec_t)
+role sysadm_r types amtu_t;
+domain_auto_trans(sysadm_t, amtu_exec_t, amtu_t)
+
+########################################
+#
+# amtu local policy
+#
+
+# Some common macros used by amtu
+files_read_etc_files(amtu_t)
+libs_use_ld_so(amtu_t)
+libs_use_shared_libs(amtu_t)
+
+# Specific allow rules required for amtu
+allow amtu_t self:capability { audit_write net_raw };
+allow amtu_t self:netlink_audit_socket { create nlmsg_relay read write };
+allow amtu_t self:packet_socket { bind create read write };
+allow amtu_t self:udp_socket { create ioctl };
+allow amtu_t sysadm_devpts_t:chr_file { read write getattr ioctl };
+allow amtu_t boot_t:dir { add_name getattr read remove_name search write };
+allow amtu_t boot_t:file { create getattr read unlink write };
+allow amtu_t etc_runtime_t:file { getattr read };
+allow amtu_t proc_t:file { getattr read };
+
+optional_policy(`
+ seutil_use_newrole_fds(amtu_t)
+');
+
+optional_policy(`
+ userdom_use_sysadm_fds(amtu_t)
+');
+
+optional_policy(`
+ userdom_sigchld_sysadm(amtu_t)
+');
+
+optional_policy(`
+ nscd_dontaudit_search_pid(amtu_t)
+');
+
+optional_policy(`
+ kernel_dontaudit_read_system_state(amtu_t)
+');
+
+optional_policy(`
+ term_dontaudit_search_ptys(amtu_t)
+');
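Review bot: The direct `allow amtu_t proc_t:file { getattr read };` rule and the `kernel_dontaudit_read_system_state(amtu_t)` block at the end of the hunk contradict each other — the dontaudit is a no-op while the allow is present, and if the raw allow is later dropped the dontaudit would silently hide the resulting denial, so keep only one of them (presumably `kernel_read_system_state(amtu_t)` in place of both). The same raw-allow pattern on boot_t, etc_runtime_t and sysadm_devpts_t, together with pulling those types in through `gen_require`, bypasses the owning modules' interfaces and is what will make this module break silently when those modules change; `files_read_etc_runtime_files(amtu_t)` for the etc_runtime_t rule and `logging_send_audit_msgs(amtu_t)` for the `audit_write` capability plus netlink_audit_socket rules are the interfaces I would expect, and the boot_t dir/file rules look like `files_manage_boot_files(amtu_t)` — confirm each against the installed refpolicy .if files. The `net_raw` capability plus the packet_socket create/bind/read/write rules are the privilege the sysadm role was denied in the first place, so a comment on those lines stating which test needs them would help the next auditor, e.g. `# amtu -n (network I/O test) needs a raw packet socket; nothing else in amtu should`. Since the target is the MLS policy, the boot_t writes will additionally be subject to the MLS file-write constraints whenever amtu runs from a sysadm session above s0 — I can't tell from the hunk whether that case was tested.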
+
Thank you,
Emily Ratliff
IBM Linux Technology Center
TCEM, Linux Quality, Support, and Security