* Is there a macro for this?
@ 2015-03-25 1:57 Tracy Reed
2015-03-25 4:55 ` Jason Zaman
2015-03-25 18:13 ` Stephen Smalley
0 siblings, 2 replies; 3+ messages in thread
From: Tracy Reed @ 2015-03-25 1:57 UTC (permalink / raw)
To: selinux
[-- Attachment #1: Type: text/plain, Size: 5929 bytes --]
I've written my own policy to confine a custom in-house developed
service. I am getting the following denials. I'm pretty sure there is a
macro or macros I can use to allow all of these common sorts of things to
happen as I'm pretty sure I used it a few years ago but I can't recall or
find it. Can anyone point me in the right direction?
Thanks!
# The rules below are audit2allow-style output built from the observed
# denials: one "#=============" section per source domain, and one allow
# rule per (target type, object class) pair that was denied.  Every rule
# grants raw permissions directly to an existing system domain; none of the
# access is expressed through refpolicy interfaces, and no app-specific
# domain (e.g. a myapp_t) appears anywhere in this list.
#============= initrc_t ==============
# Only directory traversal and read-only file access to the app's cid/java
# types is requested here; no write or execute permission is involved.
allow initrc_t myapp_cid_t:dir { getattr search };
allow initrc_t myapp_cid_t:file { read getattr open };
allow initrc_t myapp_java_t:dir { getattr search };
#============= locate_t ==============
# Every rule in this section is on the dir class (getattr/search/read/open),
# i.e. directory listing and stat only -- no file contents are exposed.
allow locate_t myapp_bin_t:dir getattr;
allow locate_t myapp_cid_t:dir { read search open getattr };
allow locate_t myapp_include_t:dir { getattr search };
allow locate_t myapp_java_t:dir { read getattr open search };
allow locate_t myapp_lib64_t:dir { read search open getattr };
allow locate_t myapp_lib_t:dir { read getattr open search };
allow locate_t myapp_logs_t:dir { read search open getattr };
allow locate_t myapp_node_api_t:dir getattr;
allow locate_t myapp_node_bin_t:dir getattr;
allow locate_t myapp_node_conf_t:dir { getattr search };
allow locate_t myapp_node_incoming-dist_t:dir getattr;
allow locate_t myapp_node_lib_t:dir { getattr search };
allow locate_t myapp_node_logs_t:dir getattr;
allow locate_t myapp_node_scripts_t:dir getattr;
allow locate_t myapp_node_tomcat_t:dir { read getattr open search };
allow locate_t myapp_node_util_t:dir getattr;
allow locate_t myapp_node_var_t:dir getattr;
allow locate_t myapp_node_webapps_t:dir { read getattr open search };
allow locate_t myapp_runbooktmp_t:dir getattr;
allow locate_t myapp_share_t:dir { read getattr open search };
allow locate_t myapp_snc-provision_t:dir { read getattr open search };
allow locate_t myapp_temp_t:dir getattr;
#============= logrotate_t ==============
# var_t is a generic system type, not one of the myapp_* types; this denial
# is probably unrelated to the app.  NOTE(review): confirm before keeping it.
allow logrotate_t var_t:file getattr;
#============= rpm_t ==============
# Read-only access (getattr/search/read/open) to the app's dirs, files and
# symlinks; nothing in this section lets rpm_t write or execute app content.
allow rpm_t myapp_bin_t:dir { getattr search };
allow rpm_t myapp_bin_t:file { read getattr open };
allow rpm_t myapp_bin_t:lnk_file { read getattr };
allow rpm_t myapp_cid_t:dir { search getattr };
allow rpm_t myapp_cid_t:file { read getattr open };
allow rpm_t myapp_include_t:dir { getattr search };
allow rpm_t myapp_include_t:file { read getattr open };
allow rpm_t myapp_java_t:dir { getattr search };
allow rpm_t myapp_java_t:file { read getattr open };
allow rpm_t myapp_java_t:lnk_file { read getattr };
allow rpm_t myapp_lib64_t:dir { getattr search };
allow rpm_t myapp_lib64_t:file { read getattr open };
allow rpm_t myapp_lib_t:dir { search getattr };
allow rpm_t myapp_lib_t:file { read getattr open };
allow rpm_t myapp_lib_t:lnk_file { read getattr };
allow rpm_t myapp_logs_t:dir getattr;
allow rpm_t myapp_runbooktmp_t:dir getattr;
allow rpm_t myapp_share_t:dir { getattr search };
allow rpm_t myapp_share_t:file { read getattr open };
allow rpm_t myapp_temp_t:dir getattr;
#============= system_cronjob_t ==============
# "execute execute_no_trans" on myapp_bin_t:file means cron jobs run the
# app's binaries while staying in system_cronjob_t: there is no domain
# transition into an app-specific domain, so the program keeps everything
# system_cronjob_t is allowed to do.  The "execute" permission on the
# myapp_lib_t / myapp_lib64_t files is presumably shared-library mapping --
# confirm against the original denials.
allow system_cronjob_t myapp_bin_t:dir { search getattr };
allow system_cronjob_t myapp_bin_t:file { ioctl execute read open getattr execute_no_trans };
allow system_cronjob_t myapp_bin_t:lnk_file { read getattr };
allow system_cronjob_t myapp_include_t:dir search;
allow system_cronjob_t myapp_include_t:file { read getattr open };
allow system_cronjob_t myapp_lib64_t:dir { read search open getattr };
allow system_cronjob_t myapp_lib64_t:file { read getattr open execute };
allow system_cronjob_t myapp_lib_t:dir { read search open getattr };
allow system_cronjob_t myapp_lib_t:file { read getattr open execute };
allow system_cronjob_t myapp_logs_t:dir { read getattr open search };
allow system_cronjob_t myapp_logs_t:lnk_file read;
allow system_cronjob_t myapp_node_api_t:dir { read getattr open search };
allow system_cronjob_t myapp_node_bin_t:dir { read getattr open search };
allow system_cronjob_t myapp_node_conf_t:dir { read getattr open search };
allow system_cronjob_t myapp_node_conf_t:file { read ioctl open getattr };
allow system_cronjob_t myapp_node_myapp-release_t:file { read getattr open };
allow system_cronjob_t myapp_node_incoming-dist_t:dir { read getattr open search };
allow system_cronjob_t myapp_node_lib_t:dir { read getattr open search };
allow system_cronjob_t myapp_node_logs_t:dir { read getattr open search };
allow system_cronjob_t myapp_node_logs_t:file getattr;
allow system_cronjob_t myapp_node_scripts_t:dir { read getattr open search };
allow system_cronjob_t myapp_node_tomcat_t:dir { read getattr open search };
allow system_cronjob_t myapp_node_util_t:dir { read getattr open search };
allow system_cronjob_t myapp_node_var_t:dir { read getattr open search };
allow system_cronjob_t myapp_node_webapps_t:dir { read getattr open search };
#============= unconfined_t ==============
# Same execute_no_trans pattern as in the cron section: when launched from
# unconfined_t the app's binary also runs as unconfined_t, i.e. the policy
# does not confine it at all on that path.
allow unconfined_t myapp_bin_t:dir { search getattr };
allow unconfined_t myapp_bin_t:file { read getattr open execute execute_no_trans };
allow unconfined_t myapp_bin_t:lnk_file { read getattr };
allow unconfined_t myapp_include_t:dir search;
allow unconfined_t myapp_include_t:file { read getattr open };
allow unconfined_t myapp_lib64_t:dir { read search open getattr };
allow unconfined_t myapp_lib64_t:file { read getattr open execute };
allow unconfined_t myapp_lib_t:dir { read search open getattr };
allow unconfined_t myapp_lib_t:file { read getattr open execute };
allow unconfined_t myapp_node_bin_t:file getattr;
allow unconfined_t myapp_node_conf_t:dir search;
allow unconfined_t myapp_node_conf_t:file { read getattr open };
allow unconfined_t myapp_node_webapps_t:dir search;
# The two lines below are audit2allow's own warning, not a rule: they list
# the dir types unconfined_t can already write to.  If the myapp_* types
# carry the file_type attribute (likely, but not shown here), the rules
# above are not what limits unconfined_t's access to the app's directories.
#!!!! The source type 'unconfined_t' can write to a 'dir' of the following types:
# user_home_dir_t, user_tmpfs_t, user_tmp_t, unlabeled_t, proc_type, sandbox_file_t, filesystem_type, user_home_type, sysctl_type, file_type, nfs_t
--
Tracy Reed
[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]
* Re: Is there a macro for this?
2015-03-25 1:57 Is there a macro for this? Tracy Reed
@ 2015-03-25 4:55 ` Jason Zaman
2015-03-25 18:13 ` Stephen Smalley
1 sibling, 0 replies; 3+ messages in thread
From: Jason Zaman @ 2015-03-25 4:55 UTC (permalink / raw)
To: Tracy Reed; +Cc: selinux
On Tue, Mar 24, 2015 at 06:57:53PM -0700, Tracy Reed wrote:
> I've written my own policy to confine a custom in-house developed
> service. I am getting the following denials. I'm pretty sure there is a
> macro or macros I can use to allow all of these common sorts of things to
> happen as I'm pretty sure I used it a few years ago but I can't recall or
> find it. Can anyone point me in the right direction?
>
> Thanks!
Swift has some really useful bash functions to help find macros.
https://github.com/sjvermeu/small.coding/blob/master/selinux-local/localfuncs
it is documented a bit here:
https://wiki.gentoo.org/wiki/Project:SELinux/Development#Starting_from_scratch
>
> #============= initrc_t ==============
> allow initrc_t myapp_cid_t:dir { getattr search };
> allow initrc_t myapp_cid_t:file { read getattr open };
read_files_pattern(initrc_t, myapp_cid_t, myapp_cid_t)
would cover those two lines above, but it's best to find an interface
that will do part of that for you.
> allow initrc_t myapp_java_t:dir { getattr search };
>
> #============= locate_t ==============
> allow locate_t myapp_bin_t:dir getattr;
> allow locate_t myapp_cid_t:dir { read search open getattr };
> allow locate_t myapp_include_t:dir { getattr search };
> allow locate_t myapp_java_t:dir { read getattr open search };
> allow locate_t myapp_lib64_t:dir { read search open getattr };
> allow locate_t myapp_lib_t:dir { read getattr open search };
> allow locate_t myapp_logs_t:dir { read search open getattr };
> allow locate_t myapp_node_api_t:dir getattr;
> allow locate_t myapp_node_bin_t:dir getattr;
> allow locate_t myapp_node_conf_t:dir { getattr search };
> allow locate_t myapp_node_incoming-dist_t:dir getattr;
> allow locate_t myapp_node_lib_t:dir { getattr search };
> allow locate_t myapp_node_logs_t:dir getattr;
> allow locate_t myapp_node_scripts_t:dir getattr;
> allow locate_t myapp_node_tomcat_t:dir { read getattr open search };
> allow locate_t myapp_node_util_t:dir getattr;
> allow locate_t myapp_node_var_t:dir getattr;
> allow locate_t myapp_node_webapps_t:dir { read getattr open search };
> allow locate_t myapp_runbooktmp_t:dir getattr;
> allow locate_t myapp_share_t:dir { read getattr open search };
> allow locate_t myapp_snc-provision_t:dir { read getattr open search };
> allow locate_t myapp_temp_t:dir getattr;
>
> #============= logrotate_t ==============
> allow logrotate_t var_t:file getattr;
This likely has nothing to do with your app; you can probably remove it
safely.
>
> #============= rpm_t ==============
> allow rpm_t myapp_bin_t:dir { getattr search };
> allow rpm_t myapp_bin_t:file { read getattr open };
> allow rpm_t myapp_bin_t:lnk_file { read getattr };
> allow rpm_t myapp_cid_t:dir { search getattr };
> allow rpm_t myapp_cid_t:file { read getattr open };
> allow rpm_t myapp_include_t:dir { getattr search };
> allow rpm_t myapp_include_t:file { read getattr open };
> allow rpm_t myapp_java_t:dir { getattr search };
> allow rpm_t myapp_java_t:file { read getattr open };
> allow rpm_t myapp_java_t:lnk_file { read getattr };
> allow rpm_t myapp_lib64_t:dir { getattr search };
> allow rpm_t myapp_lib64_t:file { read getattr open };
> allow rpm_t myapp_lib_t:dir { search getattr };
> allow rpm_t myapp_lib_t:file { read getattr open };
> allow rpm_t myapp_lib_t:lnk_file { read getattr };
> allow rpm_t myapp_logs_t:dir getattr;
> allow rpm_t myapp_runbooktmp_t:dir getattr;
> allow rpm_t myapp_share_t:dir { getattr search };
> allow rpm_t myapp_share_t:file { read getattr open };
> allow rpm_t myapp_temp_t:dir getattr;
>
> #============= system_cronjob_t ==============
> allow system_cronjob_t myapp_bin_t:dir { search getattr };
> allow system_cronjob_t myapp_bin_t:file { ioctl execute read open getattr execute_no_trans };
> allow system_cronjob_t myapp_bin_t:lnk_file { read getattr };
> allow system_cronjob_t myapp_include_t:dir search;
> allow system_cronjob_t myapp_include_t:file { read getattr open };
> allow system_cronjob_t myapp_lib64_t:dir { read search open getattr };
> allow system_cronjob_t myapp_lib64_t:file { read getattr open execute };
> allow system_cronjob_t myapp_lib_t:dir { read search open getattr };
> allow system_cronjob_t myapp_lib_t:file { read getattr open execute };
> allow system_cronjob_t myapp_logs_t:dir { read getattr open search };
> allow system_cronjob_t myapp_logs_t:lnk_file read;
> allow system_cronjob_t myapp_node_api_t:dir { read getattr open search };
> allow system_cronjob_t myapp_node_bin_t:dir { read getattr open search };
> allow system_cronjob_t myapp_node_conf_t:dir { read getattr open search };
> allow system_cronjob_t myapp_node_conf_t:file { read ioctl open getattr };
> allow system_cronjob_t myapp_node_myapp-release_t:file { read getattr open };
> allow system_cronjob_t myapp_node_incoming-dist_t:dir { read getattr open search };
> allow system_cronjob_t myapp_node_lib_t:dir { read getattr open search };
> allow system_cronjob_t myapp_node_logs_t:dir { read getattr open search };
> allow system_cronjob_t myapp_node_logs_t:file getattr;
> allow system_cronjob_t myapp_node_scripts_t:dir { read getattr open search };
> allow system_cronjob_t myapp_node_tomcat_t:dir { read getattr open search };
> allow system_cronjob_t myapp_node_util_t:dir { read getattr open search };
> allow system_cronjob_t myapp_node_var_t:dir { read getattr open search };
> allow system_cronjob_t myapp_node_webapps_t:dir { read getattr open search };
>
> #============= unconfined_t ==============
> allow unconfined_t myapp_bin_t:dir { search getattr };
> allow unconfined_t myapp_bin_t:file { read getattr open execute execute_no_trans };
The execute_no_trans permission means the binary will be executed without
transitioning into another domain; you should probably be making your own
myapp_t and do something like:
unconfined_domtrans_to(myapp_t, myapp_exec_t)
then you'll want to use manage/read_files_pattern and manage/list_dirs_patterns to
allow myapp_t to manage (or only read) its files.
Also, if you make cronjob_t transition to the myapp_t domain, then the
cronjob section could mostly be replaced with:
cron_system_entry(myapp_t, myapp_exec_t)
> allow unconfined_t myapp_bin_t:lnk_file { read getattr };
> allow unconfined_t myapp_include_t:dir search;
> allow unconfined_t myapp_include_t:file { read getattr open };
> allow unconfined_t myapp_lib64_t:dir { read search open getattr };
> allow unconfined_t myapp_lib64_t:file { read getattr open execute };
> allow unconfined_t myapp_lib_t:dir { read search open getattr };
> allow unconfined_t myapp_lib_t:file { read getattr open execute };
> allow unconfined_t myapp_node_bin_t:file getattr;
> allow unconfined_t myapp_node_conf_t:dir search;
> allow unconfined_t myapp_node_conf_t:file { read getattr open };
> allow unconfined_t myapp_node_webapps_t:dir search;
> #!!!! The source type 'unconfined_t' can write to a 'dir' of the following types:
> # user_home_dir_t, user_tmpfs_t, user_tmp_t, unlabeled_t, proc_type, sandbox_file_t, filesystem_type, user_home_type, sysctl_type, file_type, nfs_t
>
>
> --
> Tracy Reed
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
* Re: Is there a macro for this?
2015-03-25 1:57 Is there a macro for this? Tracy Reed
2015-03-25 4:55 ` Jason Zaman
@ 2015-03-25 18:13 ` Stephen Smalley
1 sibling, 0 replies; 3+ messages in thread
From: Stephen Smalley @ 2015-03-25 18:13 UTC (permalink / raw)
To: Tracy Reed, selinux
On 03/24/2015 09:57 PM, Tracy Reed wrote:
> I've written my own policy to confine a custom in-house developed
> service. I am getting the following denials. I'm pretty sure there is a
> macro or macros I can use to allow all of these common sorts of things to
> happen as I'm pretty sure I used it a few years ago but I can't recall or
> find it. Can anyone point me in the right direction?
>
> Thanks!
Did you try using audit2allow -R?
Also, your question is more suited to the refpolicy list.
>
> #============= initrc_t ==============
> allow initrc_t myapp_cid_t:dir { getattr search };
> allow initrc_t myapp_cid_t:file { read getattr open };
> allow initrc_t myapp_java_t:dir { getattr search };
>
> #============= locate_t ==============
> allow locate_t myapp_bin_t:dir getattr;
> allow locate_t myapp_cid_t:dir { read search open getattr };
> allow locate_t myapp_include_t:dir { getattr search };
> allow locate_t myapp_java_t:dir { read getattr open search };
> allow locate_t myapp_lib64_t:dir { read search open getattr };
> allow locate_t myapp_lib_t:dir { read getattr open search };
> allow locate_t myapp_logs_t:dir { read search open getattr };
> allow locate_t myapp_node_api_t:dir getattr;
> allow locate_t myapp_node_bin_t:dir getattr;
> allow locate_t myapp_node_conf_t:dir { getattr search };
> allow locate_t myapp_node_incoming-dist_t:dir getattr;
> allow locate_t myapp_node_lib_t:dir { getattr search };
> allow locate_t myapp_node_logs_t:dir getattr;
> allow locate_t myapp_node_scripts_t:dir getattr;
> allow locate_t myapp_node_tomcat_t:dir { read getattr open search };
> allow locate_t myapp_node_util_t:dir getattr;
> allow locate_t myapp_node_var_t:dir getattr;
> allow locate_t myapp_node_webapps_t:dir { read getattr open search };
> allow locate_t myapp_runbooktmp_t:dir getattr;
> allow locate_t myapp_share_t:dir { read getattr open search };
> allow locate_t myapp_snc-provision_t:dir { read getattr open search };
> allow locate_t myapp_temp_t:dir getattr;
>
> #============= logrotate_t ==============
> allow logrotate_t var_t:file getattr;
>
> #============= rpm_t ==============
> allow rpm_t myapp_bin_t:dir { getattr search };
> allow rpm_t myapp_bin_t:file { read getattr open };
> allow rpm_t myapp_bin_t:lnk_file { read getattr };
> allow rpm_t myapp_cid_t:dir { search getattr };
> allow rpm_t myapp_cid_t:file { read getattr open };
> allow rpm_t myapp_include_t:dir { getattr search };
> allow rpm_t myapp_include_t:file { read getattr open };
> allow rpm_t myapp_java_t:dir { getattr search };
> allow rpm_t myapp_java_t:file { read getattr open };
> allow rpm_t myapp_java_t:lnk_file { read getattr };
> allow rpm_t myapp_lib64_t:dir { getattr search };
> allow rpm_t myapp_lib64_t:file { read getattr open };
> allow rpm_t myapp_lib_t:dir { search getattr };
> allow rpm_t myapp_lib_t:file { read getattr open };
> allow rpm_t myapp_lib_t:lnk_file { read getattr };
> allow rpm_t myapp_logs_t:dir getattr;
> allow rpm_t myapp_runbooktmp_t:dir getattr;
> allow rpm_t myapp_share_t:dir { getattr search };
> allow rpm_t myapp_share_t:file { read getattr open };
> allow rpm_t myapp_temp_t:dir getattr;
>
> #============= system_cronjob_t ==============
> allow system_cronjob_t myapp_bin_t:dir { search getattr };
> allow system_cronjob_t myapp_bin_t:file { ioctl execute read open getattr execute_no_trans };
> allow system_cronjob_t myapp_bin_t:lnk_file { read getattr };
> allow system_cronjob_t myapp_include_t:dir search;
> allow system_cronjob_t myapp_include_t:file { read getattr open };
> allow system_cronjob_t myapp_lib64_t:dir { read search open getattr };
> allow system_cronjob_t myapp_lib64_t:file { read getattr open execute };
> allow system_cronjob_t myapp_lib_t:dir { read search open getattr };
> allow system_cronjob_t myapp_lib_t:file { read getattr open execute };
> allow system_cronjob_t myapp_logs_t:dir { read getattr open search };
> allow system_cronjob_t myapp_logs_t:lnk_file read;
> allow system_cronjob_t myapp_node_api_t:dir { read getattr open search };
> allow system_cronjob_t myapp_node_bin_t:dir { read getattr open search };
> allow system_cronjob_t myapp_node_conf_t:dir { read getattr open search };
> allow system_cronjob_t myapp_node_conf_t:file { read ioctl open getattr };
> allow system_cronjob_t myapp_node_myapp-release_t:file { read getattr open };
> allow system_cronjob_t myapp_node_incoming-dist_t:dir { read getattr open search };
> allow system_cronjob_t myapp_node_lib_t:dir { read getattr open search };
> allow system_cronjob_t myapp_node_logs_t:dir { read getattr open search };
> allow system_cronjob_t myapp_node_logs_t:file getattr;
> allow system_cronjob_t myapp_node_scripts_t:dir { read getattr open search };
> allow system_cronjob_t myapp_node_tomcat_t:dir { read getattr open search };
> allow system_cronjob_t myapp_node_util_t:dir { read getattr open search };
> allow system_cronjob_t myapp_node_var_t:dir { read getattr open search };
> allow system_cronjob_t myapp_node_webapps_t:dir { read getattr open search };
>
> #============= unconfined_t ==============
> allow unconfined_t myapp_bin_t:dir { search getattr };
> allow unconfined_t myapp_bin_t:file { read getattr open execute execute_no_trans };
> allow unconfined_t myapp_bin_t:lnk_file { read getattr };
> allow unconfined_t myapp_include_t:dir search;
> allow unconfined_t myapp_include_t:file { read getattr open };
> allow unconfined_t myapp_lib64_t:dir { read search open getattr };
> allow unconfined_t myapp_lib64_t:file { read getattr open execute };
> allow unconfined_t myapp_lib_t:dir { read search open getattr };
> allow unconfined_t myapp_lib_t:file { read getattr open execute };
> allow unconfined_t myapp_node_bin_t:file getattr;
> allow unconfined_t myapp_node_conf_t:dir search;
> allow unconfined_t myapp_node_conf_t:file { read getattr open };
> allow unconfined_t myapp_node_webapps_t:dir search;
> #!!!! The source type 'unconfined_t' can write to a 'dir' of the following types:
> # user_home_dir_t, user_tmpfs_t, user_tmp_t, unlabeled_t, proc_type, sandbox_file_t, filesystem_type, user_home_type, sysctl_type, file_type, nfs_t
>
>
>
>
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
>