From: Tracy Reed <treed@ultraviolet.org>
To: selinux@tycho.nsa.gov
Subject: Is there a macro for this?
Date: Tue, 24 Mar 2015 18:57:53 -0700	[thread overview]
Message-ID: <20150325015752.GG32173@tracyreed.org> (raw)

[-- Attachment #1: Type: text/plain, Size: 5929 bytes --]

I've written my own policy to confine a custom in-house developed
service. I am getting the following denials. I'm fairly sure there is a
macro (or macros) that allows all of these common sorts of accesses; I
believe I used it a few years ago, but I can't recall or find it. Can
anyone point me in the right direction?

Thanks!

#============= initrc_t ==============
# NOTE(review): everything below is audit2allow output, i.e. a transcript of
# observed denials, not a policy design. Each section is a *system* domain
# (initrc_t, locate_t, logrotate_t, rpm_t, system_cronjob_t, unconfined_t)
# being denied access to the application's own types (myapp_*_t). Those
# domains normally get such access through file attributes rather than
# per-type allow rules; the audit2allow remark at the end of the unconfined_t
# section lists "file_type" among what unconfined_t can already write to,
# which suggests the myapp_*_t types were declared without that attribute.
# In refpolicy-based policies, files_type() gives a type the file_type
# attribute, and corecmd_executable_file(), logging_log_file() and
# files_tmp_file() do the same for executables, logs and temp directories
# — confirm against the interface files of the policy in use before
# adopting. Pasting these raw rules into the module would grant only the
# accesses seen so far and will keep producing new denials.
#
# initrc_t: init scripts only look up directories and read files here
# (getattr/search on dir, read/getattr/open on file); no write access
# is requested.
allow initrc_t myapp_cid_t:dir { getattr search };
allow initrc_t myapp_cid_t:file { read getattr open };
allow initrc_t myapp_java_t:dir { getattr search };

#============= locate_t ==============
# locate_t: directory indexing only (getattr/search/read/open on dir);
# no file contents are touched. These are the kind of accesses the
# file_type attribute is meant to cover, presumably — verify.
allow locate_t myapp_bin_t:dir getattr;
allow locate_t myapp_cid_t:dir { read search open getattr };
allow locate_t myapp_include_t:dir { getattr search };
allow locate_t myapp_java_t:dir { read getattr open search };
allow locate_t myapp_lib64_t:dir { read search open getattr };
allow locate_t myapp_lib_t:dir { read getattr open search };
allow locate_t myapp_logs_t:dir { read search open getattr };
allow locate_t myapp_node_api_t:dir getattr;
allow locate_t myapp_node_bin_t:dir getattr;
allow locate_t myapp_node_conf_t:dir { getattr search };
allow locate_t myapp_node_incoming-dist_t:dir getattr;
allow locate_t myapp_node_lib_t:dir { getattr search };
allow locate_t myapp_node_logs_t:dir getattr;
allow locate_t myapp_node_scripts_t:dir getattr;
allow locate_t myapp_node_tomcat_t:dir { read getattr open search };
allow locate_t myapp_node_util_t:dir getattr;
allow locate_t myapp_node_var_t:dir getattr;
allow locate_t myapp_node_webapps_t:dir { read getattr open search };
allow locate_t myapp_runbooktmp_t:dir getattr;
allow locate_t myapp_share_t:dir { read getattr open search };
allow locate_t myapp_snc-provision_t:dir { read getattr open search };
allow locate_t myapp_temp_t:dir getattr;

#============= logrotate_t ==============
# logrotate_t: the denied object is var_t, not a myapp type, so a file the
# tool handles is carrying the generic /var label — presumably an
# unlabelled log. A file context entry (and relabel) for that path is the
# usual fix rather than allowing logrotate to read var_t; confirm which
# file this is from the AVC message.
allow logrotate_t var_t:file getattr;

#============= rpm_t ==============
# rpm_t: only read/getattr/open/search are listed because those are what
# was denied so far. A package manager that installs or removes these
# paths needs to create, unlink and relabel them as well, so allowing just
# this set will likely break the next install; the attribute-based
# declaration above is the intended route — verify.
allow rpm_t myapp_bin_t:dir { getattr search };
allow rpm_t myapp_bin_t:file { read getattr open };
allow rpm_t myapp_bin_t:lnk_file { read getattr };
allow rpm_t myapp_cid_t:dir { search getattr };
allow rpm_t myapp_cid_t:file { read getattr open };
allow rpm_t myapp_include_t:dir { getattr search };
allow rpm_t myapp_include_t:file { read getattr open };
allow rpm_t myapp_java_t:dir { getattr search };
allow rpm_t myapp_java_t:file { read getattr open };
allow rpm_t myapp_java_t:lnk_file { read getattr };
allow rpm_t myapp_lib64_t:dir { getattr search };
allow rpm_t myapp_lib64_t:file { read getattr open };
allow rpm_t myapp_lib_t:dir { search getattr };
allow rpm_t myapp_lib_t:file { read getattr open };
allow rpm_t myapp_lib_t:lnk_file { read getattr };
allow rpm_t myapp_logs_t:dir getattr;
allow rpm_t myapp_runbooktmp_t:dir getattr;
allow rpm_t myapp_share_t:dir { getattr search };
allow rpm_t myapp_share_t:file { read getattr open };
allow rpm_t myapp_temp_t:dir getattr;

#============= system_cronjob_t ==============
# system_cronjob_t: note "execute" and "execute_no_trans" on myapp_bin_t
# below. execute_no_trans means the cron job would run the application
# binary while *staying* in system_cronjob_t, i.e. the service code runs
# unconfined by the myapp policy. If the point of the module is to confine
# this service, the cron entry should instead transition into the
# application's domain (an entrypoint on myapp_bin_t plus a domain
# transition from system_cronjob_t) rather than get execute_no_trans.
allow system_cronjob_t myapp_bin_t:dir { search getattr };
allow system_cronjob_t myapp_bin_t:file { ioctl execute read open getattr execute_no_trans };
allow system_cronjob_t myapp_bin_t:lnk_file { read getattr };
allow system_cronjob_t myapp_include_t:dir search;
allow system_cronjob_t myapp_include_t:file { read getattr open };
# Libraries are mapped with "execute" on file: expected for shared objects,
# but it means myapp_lib_t/myapp_lib64_t must be treated as library types,
# not plain data — the lib-specific refpolicy interface is the usual way
# to declare that; verify.
allow system_cronjob_t myapp_lib64_t:dir { read search open getattr };
allow system_cronjob_t myapp_lib64_t:file { read getattr open execute };
allow system_cronjob_t myapp_lib_t:dir { read search open getattr };
allow system_cronjob_t myapp_lib_t:file { read getattr open execute };
allow system_cronjob_t myapp_logs_t:dir { read getattr open search };
allow system_cronjob_t myapp_logs_t:lnk_file read;
allow system_cronjob_t myapp_node_api_t:dir { read getattr open search };
allow system_cronjob_t myapp_node_bin_t:dir { read getattr open search };
allow system_cronjob_t myapp_node_conf_t:dir { read getattr open search };
allow system_cronjob_t myapp_node_conf_t:file { read ioctl open getattr };
allow system_cronjob_t myapp_node_myapp-release_t:file { read getattr open };
allow system_cronjob_t myapp_node_incoming-dist_t:dir { read getattr open search };
allow system_cronjob_t myapp_node_lib_t:dir { read getattr open search };
allow system_cronjob_t myapp_node_logs_t:dir { read getattr open search };
allow system_cronjob_t myapp_node_logs_t:file getattr;
allow system_cronjob_t myapp_node_scripts_t:dir { read getattr open search };
allow system_cronjob_t myapp_node_tomcat_t:dir { read getattr open search };
allow system_cronjob_t myapp_node_util_t:dir { read getattr open search };
allow system_cronjob_t myapp_node_var_t:dir { read getattr open search };
allow system_cronjob_t myapp_node_webapps_t:dir { read getattr open search };

#============= unconfined_t ==============
# unconfined_t: an unconfined domain being denied read/execute on
# application files is itself the strongest sign that the myapp_*_t types
# lack the file_type attribute (see the audit2allow remark at the end of
# this section, which already lists file_type as writable by unconfined_t).
# Rules in this section should not be needed once the types are declared
# through the proper interface; do not carry them into the module.
allow unconfined_t myapp_bin_t:dir { search getattr };
# Same execute_no_trans caveat as in the system_cronjob_t section: an
# administrator running the binary from a shell would stay in unconfined_t,
# which is normal for unconfined but worth being deliberate about.
allow unconfined_t myapp_bin_t:file { read getattr open execute execute_no_trans };
allow unconfined_t myapp_bin_t:lnk_file { read getattr };
allow unconfined_t myapp_include_t:dir search;
allow unconfined_t myapp_include_t:file { read getattr open };
allow unconfined_t myapp_lib64_t:dir { read search open getattr };
allow unconfined_t myapp_lib64_t:file { read getattr open execute };
allow unconfined_t myapp_lib_t:dir { read search open getattr };
allow unconfined_t myapp_lib_t:file { read getattr open execute };
allow unconfined_t myapp_node_bin_t:file getattr;
allow unconfined_t myapp_node_conf_t:dir search;
allow unconfined_t myapp_node_conf_t:file { read getattr open };
allow unconfined_t myapp_node_webapps_t:dir search;
# The two "#!!!!" lines below are audit2allow's own warning output, kept
# verbatim; they are not policy statements.
#!!!! The source type 'unconfined_t' can write to a 'dir' of the following types:
# user_home_dir_t, user_tmpfs_t, user_tmp_t, unlabeled_t, proc_type, sandbox_file_t, filesystem_type, user_home_type, sysctl_type, file_type, nfs_t


-- 
Tracy Reed

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

2015-03-25  1:57 Tracy Reed [this message]
2015-03-25  4:55 ` Is there a macro for this? Jason Zaman
2015-03-25 18:13 ` Stephen Smalley
