[DSE-Dev] Fixing up SELinux reference policy for Debian
Russell Coker
russell at coker.com.au
Mon May 21 09:18:13 UTC 2007
On Saturday 19 May 2007 02:08, Manoj Srivastava <srivasta at debian.org> wrote:
> On Wed, 16 May 2007 22:54:00 +1000, Russell Coker <russell at coker.com.au>
>
> I have not yet made this change. I have discovered additional
> issues with cron;
> ,----
>
> | #============= initrc_t ==============
> | # src="initrc_t" tgt="crond_t" class="fifo_file", perms="{ read ioctl }"
> | # comm="sysklogd" exe="" path=""
> | allow initrc_t crond_t:fifo_file { read ioctl };
> | # src="initrc_t" tgt="system_crond_t" class="fd", perms="use"
> | # comm="sysklogd" exe="" path=""
> | allow initrc_t system_crond_t:fd use;
> | # src="initrc_t" tgt="system_crond_t" class="fifo_file", perms="write"
> | # comm="sysklogd" exe="" path=""
> | allow initrc_t system_crond_t:fifo_file write;
Hmm, seems lacking permission for restarting daemons from cron. That should
be allowed.
> | #============= system_crond_t ==============
> | # src="system_crond_t" tgt="apt_var_lib_t" class="file", perms="read"
> | # comm="cp" exe="" path=""
> | allow system_crond_t apt_var_lib_t:file read;
> | # src="system_crond_t" tgt="var_t" class="dir", perms="{ write add_name }"
> | # comm="cp" exe="" path=""
> | allow system_crond_t var_t:dir { write add_name };
> | # src="system_crond_t" tgt="var_t" class="file", perms="{ write create setattr }"
> | # comm="cp" exe="" path=""
> | allow system_crond_t var_t:file { write create setattr };
Looks like one of those scripts to backup Debian data to /var/backup.
Maybe if you give /etc/cron.daily/aptitude type backup_exec_t and allow it to
transition to backup_t from system_crond_t.
> However, when creating the refpolicy package itself, I came
> across this little denial while linking:
> ,----
>
> | #============= user_t ==============
> | # src="user_t" tgt="shlib_t" class="file", perms="ioctl"
> | # comm="ld" exe="" path=""
> | allow user_t shlib_t:file ioctl;
>
> `----
>
> Shouldn't that be allowed?
Yes, that's fine.
--
russell at coker.com.au
http://etbe.coker.com.au/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development
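The backup-domain fix suggested above for /etc/cron.daily/aptitude, written out as a local refpolicy module. This is an added example, not code from the list post or from the Debian refpolicy package; it assumes the refpolicy backup module (backup_t, backup_exec_t) and the cron module (system_crond_t) are loaded, and the module name debian_cron_backup is made up for illustration.

```selinux
# debian_cron_backup.te (hypothetical local module; added example)
policy_module(debian_cron_backup, 1.0)

require {
    type system_crond_t;
    type backup_t, backup_exec_t;
}

# When a system cron job executes a file labelled backup_exec_t, run it
# in backup_t instead of leaving it in system_crond_t. domtrans_pattern()
# expands to the execute, entrypoint and transition rules plus the fd
# use, fifo_file and sigchld rules the parent/child pair needs, so the
# denials seen above against apt_var_lib_t and var_t are then judged
# against backup_t's policy rather than being granted to all cron jobs.
domtrans_pattern(system_crond_t, backup_exec_t, backup_t)

# debian_cron_backup.fc (separate file in the same module directory):
# label the aptitude cron script so the transition above applies to it.
/etc/cron\.daily/aptitude    --    gen_context(system_u:object_r:backup_exec_t,s0)
```

Build with `make -f /usr/share/selinux/devel/Makefile debian_cron_backup.pp`, load it with `semodule -i debian_cron_backup.pp`, then run `restorecon -v /etc/cron.daily/aptitude` so the new label is applied to the existing file.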