* [Fwd: additions to strict policy]
@ 2004-07-01  6:12 Richard Hally
  0 siblings, 0 replies; only message in thread
From: Richard Hally @ 2004-07-01  6:12 UTC (permalink / raw)
  To: selinux

[-- Attachment #1: Type: text/plain, Size: 2889 bytes --]

Below is a message that was sent to the Fedora-selinux-list. Perhaps some 
of these allow rules can be added to the NSA example policy.
Thanks,
Richard Hally

-------- Original Message --------
Subject: additions to strict policy
Date: Tue, 29 Jun 2004 02:14:17 -0400
From: Richard Hally <rhallyx@mindspring.com>
Reply-To: Fedora SELinux support list for users & developers. 
<fedora-selinux-list@redhat.com>
To: fedora-selinux-list@redhat.com

Below (and as an attached file) are some policy allow rules to be added
to the strict policy.
These allow rules were developed by running the latest /devel tree using
selinux-policy-strict-sources-1.13.10-3 and putting the resulting avc
denied messages through audit2allow.
Most are necessary to perform normal operations while in enforcing mode.
Some of the rules marked "#from booting" may be candidates for dontaudit
rules instead (i.e. the access is not actually needed and the denial should
merely be silenced rather than allowed).

Thanks for the help,
Richard Hally

# Denials seen while running "logrotate -f /etc/logrotate.conf" as root in
# sysadm_r. Rules on the same source/target/class have been folded into one
# rule each; the set of permissions granted is exactly the original one.
allow logrotate_t devpts_t:dir search;
# NOTE(review): a bare process:transition is only one piece of a domain
# change (the executable also needs an entrypoint for the target domain and
# a type_transition); confirm the intended logrotate -> initrc_t transition
# is expressed through the policy's usual domain-transition macro.
allow logrotate_t initrc_t:process transition;
# NOTE(review): execute/execute_no_trans on *log file* types means logrotate
# would run content labeled as a log - most likely a postrotate script that
# landed under /var/log and picked up the log type. Logs are written by less
# trusted domains, so fix the labeling of the script rather than allowing
# execution of log types; verify what was actually executed before merging.
allow logrotate_t mysqld_log_t:file { execute execute_no_trans };
allow logrotate_t privoxy_log_t:file { execute execute_no_trans };
# Presumably libselinux reading /etc/selinux/config at startup; harmless,
# and a dontaudit candidate if the read turns out not to be needed.
allow logrotate_t selinux_config_t:dir search;
allow logrotate_t selinux_config_t:file { getattr read };
# NOTE(review): logrotate has no obvious reason to read staff home
# directories - probably a logrotate.d entry pointing into one; verify.
allow logrotate_t staff_home_dir_t:dir { read search };
# Files under /var that carry the generic var_t label instead of a log type.
allow logrotate_t var_t:file { getattr read };

# Denials seen during boot. Several targets are file_t (unlabeled files);
# those usually mean a filesystem that needs relabeling rather than a new
# rule, and the author flags some of these as dontaudit candidates.
allow lvm_t file_t:dir { getattr read };
allow mount_t ptmx_t:chr_file { read write };
# Looks like rhgb (graphical boot) passing its descriptor/socket to mount.
allow mount_t rhgb_gph_t:fd use;
allow mount_t rhgb_t:unix_stream_socket { read write };
allow rhgb_t staff_home_dir_t:dir search;
# udev reaching the system message bus socket under /var/run.
allow udev_t dbusd_t:unix_stream_socket connectto;
allow udev_t dbusd_var_run_t:dir search;
allow udev_t dbusd_var_run_t:sock_file write;
allow udev_t file_t:dir search;

# From exe=/usr/bin/mDNSResponder during boot.
# NOTE(review): mDNSResponder is evidently running unconfined as user_t.
# Granting user_t name_bind on dns_port_t lets *any* user_t process bind
# the DNS port; give mDNSResponder a domain of its own instead of widening
# user_t.
allow user_t dns_port_t:udp_socket name_bind;

# From starting mozilla as staff_r.
allow staff_mozilla_t file_t:dir getattr;
allow staff_mozilla_t staff_home_t:file unlink;
allow staff_mozilla_t xdm_tmp_t:dir search;

# From a normal gnome session as staff_r (screensaver reaching a socket
# under xdm's tmp directory).
allow staff_screensaver_t xdm_tmp_t:dir search;
allow staff_screensaver_t xdm_tmp_t:sock_file write;
allow staff_t file_t:dir getattr;
allow staff_t staff_t:netlink_route_socket create;

# From starting the postgresql server during boot and using it as a user.
allow initrc_su_t postgresql_db_t:dir search;
# NOTE(review): the next two rules give every user_t process create/write/
# unlink on the database files themselves. They apparently arise because
# the server has no domain of its own and runs as user_t; the fix is a
# postgresql domain (with a transition from initrc), not write access to
# the database for all users.
allow user_t postgresql_db_t:dir { add_name getattr read remove_name search write };
allow user_t postgresql_db_t:file { create getattr read rename unlink write };
# Staff clients connecting to the server's unix socket in user_tmp_t.
allow staff_t user_tmp_t:sock_file write;
allow staff_t user_t:unix_stream_socket connectto;




[-- Attachment #2: addthese.te --]
[-- Type: text/plain, Size: 2057 bytes --]

# Denials seen while running "logrotate -f /etc/logrotate.conf" as root in
# sysadm_r. Rules on the same source/target/class have been folded into one
# rule each; the set of permissions granted is exactly the original one.
allow logrotate_t devpts_t:dir search;
# NOTE(review): a bare process:transition is only one piece of a domain
# change (the executable also needs an entrypoint for the target domain and
# a type_transition); confirm the intended logrotate -> initrc_t transition
# is expressed through the policy's usual domain-transition macro.
allow logrotate_t initrc_t:process transition;
# NOTE(review): execute/execute_no_trans on *log file* types means logrotate
# would run content labeled as a log - most likely a postrotate script that
# landed under /var/log and picked up the log type. Logs are written by less
# trusted domains, so fix the labeling of the script rather than allowing
# execution of log types; verify what was actually executed before merging.
allow logrotate_t mysqld_log_t:file { execute execute_no_trans };
allow logrotate_t privoxy_log_t:file { execute execute_no_trans };
# Presumably libselinux reading /etc/selinux/config at startup; harmless,
# and a dontaudit candidate if the read turns out not to be needed.
allow logrotate_t selinux_config_t:dir search;
allow logrotate_t selinux_config_t:file { getattr read };
# NOTE(review): logrotate has no obvious reason to read staff home
# directories - probably a logrotate.d entry pointing into one; verify.
allow logrotate_t staff_home_dir_t:dir { read search };
# Files under /var that carry the generic var_t label instead of a log type.
allow logrotate_t var_t:file { getattr read };

# Denials seen during boot. Several targets are file_t (unlabeled files);
# those usually mean a filesystem that needs relabeling rather than a new
# rule, and the author flags some of these as dontaudit candidates.
allow lvm_t file_t:dir { getattr read };
allow mount_t ptmx_t:chr_file { read write };
# Looks like rhgb (graphical boot) passing its descriptor/socket to mount.
allow mount_t rhgb_gph_t:fd use;
allow mount_t rhgb_t:unix_stream_socket { read write };
allow rhgb_t staff_home_dir_t:dir search;
# udev reaching the system message bus socket under /var/run.
allow udev_t dbusd_t:unix_stream_socket connectto;
allow udev_t dbusd_var_run_t:dir search;
allow udev_t dbusd_var_run_t:sock_file write;
allow udev_t file_t:dir search;

# From exe=/usr/bin/mDNSResponder during boot.
# NOTE(review): mDNSResponder is evidently running unconfined as user_t.
# Granting user_t name_bind on dns_port_t lets *any* user_t process bind
# the DNS port; give mDNSResponder a domain of its own instead of widening
# user_t.
allow user_t dns_port_t:udp_socket name_bind;

# From starting mozilla as staff_r.
allow staff_mozilla_t file_t:dir getattr;
allow staff_mozilla_t staff_home_t:file unlink;
allow staff_mozilla_t xdm_tmp_t:dir search;

# From a normal gnome session as staff_r (screensaver reaching a socket
# under xdm's tmp directory).
allow staff_screensaver_t xdm_tmp_t:dir search;
allow staff_screensaver_t xdm_tmp_t:sock_file write;
allow staff_t file_t:dir getattr;
allow staff_t staff_t:netlink_route_socket create;

# From starting the postgresql server during boot and using it as a user.
allow initrc_su_t postgresql_db_t:dir search;
# NOTE(review): the next two rules give every user_t process create/write/
# unlink on the database files themselves. They apparently arise because
# the server has no domain of its own and runs as user_t; the fix is a
# postgresql domain (with a transition from initrc), not write access to
# the database for all users.
allow user_t postgresql_db_t:dir { add_name getattr read remove_name search write };
allow user_t postgresql_db_t:file { create getattr read rename unlink write };
# Staff clients connecting to the server's unix socket in user_tmp_t.
allow staff_t user_tmp_t:sock_file write;
allow staff_t user_t:unix_stream_socket connectto;


