suggested policy change

suggested policy change

[Justin Smith]

Adding the rules:
# policy/domains/system/kmod.te
allow kmod_t sysctl_kernel_t:file rw_file_perms;

# policy/domains/program/modutil.te
allow insmod_t sysctl_kernel_t:file rw_file_perms;

results in the error messages:

error in the statement ending on line 25688 (token ';'): assertion
failed:  allow kmod_t sysctl_kernel_t:file { write append } was granted.


error in the statement ending on line 25688 (token ';'): assertion
failed:  allow insmod_t sysctl_kernel_t:file { write append } was
granted.

i.e., they conflict with some of the neverallow rules. Should I simply
get rid of the appropriate neverallow rules?

--

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: suggested policy change

[Westerman, Mark]

I would not get rid of the neverallow rule. 
If you must add insmod_t and kmod_t to assertion rule

file assert.te

neverallow ~{ initrc_t admin } sysctl_kernel_t:file { write append };

Modification

neverallow ~{ insmod_t kmod_t initrc_t admin } sysctl_kernel_t:file { write
append };


Mark

-----Original Message-----
From: Justin Smith [mailto:jsmith@mcs.drexel.edu]
Sent: Wednesday, March 06, 2002 10:49 AM
To: selinux@tycho.nsa.gov
Subject: suggested policy change


Adding the rules:
# policy/domains/system/kmod.te
allow kmod_t sysctl_kernel_t:file rw_file_perms;

# policy/domains/program/modutil.te
allow insmod_t sysctl_kernel_t:file rw_file_perms;

results in the error messages:

error in the statement ending on line 25688 (token ';'): assertion
failed:  allow kmod_t sysctl_kernel_t:file { write append } was granted.


error in the statement ending on line 25688 (token ';'): assertion
failed:  allow insmod_t sysctl_kernel_t:file { write append } was
granted.

i.e., they conflict with some of the neverallow rules. Should I simply
get rid of the appropriate neverallow rules?

--

--
You have received this message because you are subscribed to the selinux
list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
with
the words "unsubscribe selinux" without quotes as the message.

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: suggested policy change

[Stephen Smalley]

On 6 Mar 2002, Justin Smith wrote:

> i.e., they conflict with some of the neverallow rules. Should I simply
> get rid of the appropriate neverallow rules?

I changed the existing neverallow rule in assert.te to include kmod_t and
insmod_t in the list for this assertion, i.e.:

neverallow ~{ initrc_t admin kmod_t insmod_t } sysctl_kernel_t:file {
write append };

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com




--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.