From: hal@deer-run.com (Hal Pomeranz)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] Critique requested
Date: Sat, 18 Jul 2009 16:02:24 -0700
Message-ID: <20090718230224.GB26512@deer-run.com>
I'm still wrapping my head around the SELinux Reference Policy, but
I was curious if the experts on this list would like to comment on
the sample policy files below. It's a simple policy for the old
portsentry HIDS. It's not a complete policy by any means, since I've
just been testing in "stealth mode" and not triggering any actions
on detects, but it's a start. I'm curious if I'm making any stylistic
or technical errors.
Also a question, if I may. I originally compiled portsentry from
source as a standard dynamically-linked executable. However, when I
started this binary under SELinux control I kept getting denials on
the shared library "lib_t" files and directories as well as on various
"ld_so*_t" files. Recompiling as a statically-linked executable made
this problem go away (obviously), but what's the magic to get a
standard dynamically-linked executable to not generate these errors?
I've looked at the sample files in the refpolicy source and haven't
been able to figure out the trick.
FWIW I've been doing my testing on a CentOS (RHEL) 5.3 system. It
doesn't have the latest and greatest version of refpolicy installed by
default, but it's a fairly recent version.
--
Hal Pomeranz, Founder/CEO Deer Run Associates hal at deer-run.com
Network Connectivity and Security, Systems Management, Training
-------------- next part --------------
# file contexts; "--" restricts the first entry to regular files
/usr/local/sbin/portsentry	--	gen_context(system_u:object_r:portsentry_exec_t,s0)
/etc/portsentry(/.*)?			gen_context(system_u:object_r:portsentry_etc_t,s0)
/var/lib/portsentry(/.*)?		gen_context(system_u:object_r:portsentry_log_t,s0)
-------------- next part --------------
policy_module(portsentry, 1.0.4)

#### Declarations

type portsentry_t;
type portsentry_exec_t;
# init_daemon_domain() already calls domain_type() and domain_entry_file()
# and adds the domain to system_r, so those statements are not repeated.
init_daemon_domain(portsentry_t, portsentry_exec_t)

type portsentry_etc_t;
files_config_file(portsentry_etc_t)

type portsentry_log_t;
# interface calls take no trailing ";" (m4 would pass it through to checkpolicy)
logging_log_file(portsentry_log_t)

#### Policy

# limited since we're going to allow binding to everything
define(`portsentry_socket_perms', `{ bind connect create listen read write }')

allow portsentry_t self:tcp_socket portsentry_socket_perms;
allow portsentry_t self:udp_socket portsentry_socket_perms;
allow portsentry_t self:unix_dgram_socket portsentry_socket_perms;
allow portsentry_t self:rawip_socket portsentry_socket_perms;
allow portsentry_t self:capability { net_raw net_bind_service };
allow portsentry_t self:process fork;

# configuration: read-only
list_dirs_pattern(portsentry_t, portsentry_etc_t, portsentry_etc_t)
read_files_pattern(portsentry_t, portsentry_etc_t, portsentry_etc_t)

# history/blocked files: read-write on existing files only; creating
# new files in the directory would need manage_files_pattern() instead
list_dirs_pattern(portsentry_t, portsentry_log_t, portsentry_log_t)
rw_files_pattern(portsentry_t, portsentry_log_t, portsentry_log_t)

corenet_tcp_bind_all_ports(portsentry_t)
corenet_tcp_bind_all_nodes(portsentry_t)
corenet_udp_bind_all_ports(portsentry_t)
corenet_udp_bind_all_nodes(portsentry_t)
kernel_sendrecv_unlabeled_packets(portsentry_t)

# a dynamically linked binary must map ld.so (ld_so_t) and the shared
# libraries (lib_t); these two interfaces grant exactly that access
libs_use_ld_so(portsentry_t)
libs_use_shared_libs(portsentry_t)

logging_send_syslog_msg(portsentry_t)
miscfiles_read_localization(portsentry_t)

files_search_etc(portsentry_t)
files_search_var_lib(portsentry_t)
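The lib_t / ld_so_t denials in the post are the usual first hurdle when confining a daemon, and the fix is always the same step: collapse the AVC records by (source type, target type, object class) and look up which refpolicy interface grants that access, which is what `audit2allow -R` does. The script below is an added example, not part of Hal's post or of refpolicy, that reproduces that matching offline with a hand-maintained table covering the types named in the post (ld_so_t, lib_t, locale_t, etc_t) plus the corenetwork port-bind naming pattern; the function names (`parse_avc`, `summarize`, `interface_for`, `suggest`) and the AVC lines in `SAMPLE_AVC` are constructed for the example.

```python
"""Collapse SELinux AVC denials and map them to refpolicy interface calls.

Added example (not the poster's code and not part of refpolicy): an offline
stand-in for the interface-matching step of `audit2allow -R`.  The mapping
table is a hand-maintained subset; anything it does not know is emitted as a
raw allow rule for the module author to review by hand.
"""
import re
from collections import defaultdict

# Constructed sample records matching the denials described in the post
# (not real audit output from the poster's machine).
SAMPLE_AVC = """\
type=AVC msg=audit(1247957000.123:45): avc:  denied  { read } for  pid=2345 comm="portsentry" name="ld-2.5.so" dev=dm-0 ino=12345 scontext=system_u:system_r:portsentry_t:s0 tcontext=system_u:object_r:ld_so_t:s0 tclass=file
type=AVC msg=audit(1247957000.124:45): avc:  denied  { execute } for  pid=2345 comm="portsentry" path="/lib/ld-2.5.so" dev=dm-0 ino=12345 scontext=system_u:system_r:portsentry_t:s0 tcontext=system_u:object_r:ld_so_t:s0 tclass=file
type=AVC msg=audit(1247957000.130:46): avc:  denied  { search } for  pid=2345 comm="portsentry" name="lib" dev=dm-0 ino=2 scontext=system_u:system_r:portsentry_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
type=AVC msg=audit(1247957000.131:47): avc:  denied  { read execute } for  pid=2345 comm="portsentry" path="/lib/libc-2.5.so" dev=dm-0 ino=12350 scontext=system_u:system_r:portsentry_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1247957005.001:48): avc:  denied  { read } for  pid=2345 comm="portsentry" name="portsentry.conf" dev=dm-0 ino=99001 scontext=system_u:system_r:portsentry_t:s0 tcontext=system_u:object_r:portsentry_etc_t:s0 tclass=file
type=AVC msg=audit(1247957005.002:49): avc:  denied  { name_bind } for  pid=2345 comm="portsentry" src=111 scontext=system_u:system_r:portsentry_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
"""

# Target type -> refpolicy interface that grants the access a domain usually
# needs on it (interface names as of the 2009 refpolicy the post targets).
INTERFACES = {
    "ld_so_t": "libs_use_ld_so",
    "lib_t": "libs_use_shared_libs",
    "locale_t": "miscfiles_read_localization",
    "etc_t": "files_read_etc_files",
}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(text):
    """Yield (source_type, target_type, tclass, frozenset(perms)) per AVC line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (SYSCALL, CWD, PATH ...)
        stype = m.group("scontext").split(":")[2]  # user:role:TYPE:level
        ttype = m.group("tcontext").split(":")[2]
        yield stype, ttype, m.group("tclass"), frozenset(m.group("perms").split())


def summarize(text):
    """Merge denials that share (source, target, class) into one permission set."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc(text):
        merged[(stype, ttype, tclass)] |= perms
    return {key: frozenset(perms) for key, perms in merged.items()}


def interface_for(ttype, tclass, perms):
    """Interface name covering this target, or None if a hand-written rule is needed."""
    if ttype in INTERFACES:
        return INTERFACES[ttype]
    # corenetwork generates corenet_<proto>_bind_<name>_port() for every
    # network_port() declaration, so the interface name follows from the type.
    if tclass in ("tcp_socket", "udp_socket") and "name_bind" in perms and ttype.endswith("_port_t"):
        proto = tclass.split("_")[0]
        return f"corenet_{proto}_bind_{ttype[:-len('_port_t')]}_port"
    return None


def suggest(text):
    """Return {(stype, ttype, tclass): policy line} for every merged denial."""
    out = {}
    for key, perms in summarize(text).items():
        stype, ttype, tclass = key
        iface = interface_for(ttype, tclass, perms)
        if iface:
            out[key] = f"{iface}({stype})"
        else:
            # The module's own types (portsentry_etc_t here) have no interface;
            # the author writes the allow rule or *_pattern() call directly.
            out[key] = f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
    return out


if __name__ == "__main__":
    for key, rule in sorted(suggest(SAMPLE_AVC).items()):
        print(f"{key[0]} -> {key[1]}:{key[2]:<11} {rule}")
```

Note that the two ld_so_t records and the two lib_t file records collapse to single `libs_use_ld_so(portsentry_t)` and `libs_use_shared_libs(portsentry_t)` calls, which are the lines the original module was missing, while the portmap_port_t bind is already covered by the `corenet_tcp_bind_all_ports()` call in the module and is listed only so the generated name can be compared against it.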
Thread overview: 5+ messages
2009-07-18 23:02 Hal Pomeranz [this message]
2009-07-19  9:37 ` [refpolicy] Critique requested Dominick Grift
2009-07-27 16:13 ` Hal Pomeranz
2009-07-27 17:31 ` Chris PeBenito
2009-07-28 10:12 ` Martin Orr