Looks ok to me.
Joy
On Thu, 2007-03-01 at 15:48 -0600, Emily Ratliff wrote:
> With the MLS policy in enforcing mode, amtu -n fails because the sysadm
> role lacks networking privileges. Either the networking privileges can be
> added to the sysadm role or amtu needs its own domain. Below I have
> proposed a possible policy to have amtu execute in its own domain. I
> relied heavily on policy generation tools and audit2allow, so I'd
> appreciate all comments on appropriate style, preferable include macros,
> preferred interfaces and the like.
>
>
> diff -Naurp amtu.old/amtu.fc amtu/amtu.fc
> --- amtu.old/amtu.fc 1969-12-31 18:00:00.000000000 -0600
> +++ amtu/amtu.fc 2007-03-01 14:46:53.714656144 -0600
> @@ -0,0 +1,7 @@
> +# amtu executable will have:
> +# label: system_u:object_r:amtu_exec_t
> +# MLS sensitivity: s0
> +# MCS categories: <none>
> +
> +/usr/bin/amtu -- gen_context(system_u:object_r:amtu_exec_t,s0)
> +
> diff -Naurp amtu.old/amtu.te amtu/amtu.te
> --- amtu.old/amtu.te 1969-12-31 18:00:00.000000000 -0600
> +++ amtu/amtu.te 2007-03-01 14:47:04.243055584 -0600
> @@ -0,0 +1,67 @@
> +policy_module(amtu,1.0.23)
> +
> +########################################
> +#
> +# Declarations
> +#
> +gen_require(`
> + type sysadm_t;
> + role sysadm_r;
> + type sysadm_devpts_t;
> + type boot_t;
> + type etc_runtime_t;
> + type proc_t;
> +')
> +
> +type amtu_t;
> +type amtu_exec_t;
> +domain_type(amtu_t)
> +domain_entry_file(amtu_t, amtu_exec_t)
> +role sysadm_r types amtu_t;
> +domain_auto_trans(sysadm_t, amtu_exec_t, amtu_t)
> +
> +########################################
> +#
> +# amtu local policy
> +#
> +
> +# Some common macros used by amtu
> +files_read_etc_files(amtu_t)
> +libs_use_ld_so(amtu_t)
> +libs_use_shared_libs(amtu_t)
> +
> +# Specific allow rules required for amtu
> +allow amtu_t self:capability { audit_write net_raw };
> +allow amtu_t self:netlink_audit_socket { create nlmsg_relay read write };
> +allow amtu_t self:packet_socket { bind create read write };
> +allow amtu_t self:udp_socket { create ioctl };
> +allow amtu_t sysadm_devpts_t:chr_file { read write getattr ioctl };
> +allow amtu_t boot_t:dir { add_name getattr read remove_name search write };
> +allow amtu_t boot_t:file { create getattr read unlink write };
> +allow amtu_t etc_runtime_t:file { getattr read };
> +allow amtu_t proc_t:file { getattr read };
> +
> +optional_policy(`
> + seutil_use_newrole_fds(amtu_t)
> +');
> +
> +optional_policy(`
> + userdom_use_sysadm_fds(amtu_t)
> +');
> +
> +optional_policy(`
> + userdom_sigchld_sysadm(amtu_t)
> +');
> +
> +optional_policy(`
> + nscd_dontaudit_search_pid(amtu_t)
> +');
> +
> +optional_policy(`
> + kernel_dontaudit_read_system_state(amtu_t)
> +');
> +
> +optional_policy(`
> + term_dontaudit_search_ptys(amtu_t)
> +');
> +
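Review bot: The `boot_t` rules (`allow amtu_t boot_t:dir { add_name ... write }` and `boot_t:file { create ... unlink write }`) let amtu_t create, overwrite and unlink any file under /boot — kernel images and bootloader configuration included — which is far broader than the scratch file a disk I/O test presumably needs; confining the write to a dedicated type via a file transition (refpolicy's `files_boot_filetrans`, where the target policy provides it) would keep a bug in the test path from touching boot artefacts. The explicit `allow amtu_t proc_t:file { getattr read }` also makes the later `kernel_dontaudit_read_system_state(amtu_t)` moot, since the access is granted rather than silenced — one of the two should go. On the interface question you raised, the raw `audit_write`/`netlink_audit_socket`, `etc_runtime_t`, `proc_t` and `sysadm_devpts_t` rules are each covered by an existing refpolicy interface, which also removes the need to pull `etc_runtime_t`, `proc_t` and `sysadm_devpts_t` into `gen_require`. Wrapping `kernel_*`, `term_*` and `userdom_*` calls in `optional_policy` is likewise unnecessary, as those live in the base module and cannot be absent.
```selinux
# … unchanged: declarations, role and domain transition …
files_read_etc_files(amtu_t)
files_read_etc_runtime_files(amtu_t)
kernel_read_system_state(amtu_t)
libs_use_ld_so(amtu_t)
libs_use_shared_libs(amtu_t)
logging_send_audit_msgs(amtu_t)
userdom_use_sysadm_terms(amtu_t)

# Raw sockets for the network test (amtu -n)
allow amtu_t self:capability net_raw;
allow amtu_t self:packet_socket { bind create read write };
allow amtu_t self:udp_socket { create ioctl };
# … unchanged: boot_t rules and optional_policy blocks …
```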
>
>
>
>
> Thank you,
>
> Emily Ratliff
> IBM Linux Technology Center
> TCEM, Linux Quality, Support, and Security
>
>