* gentoo diff for dhcpd
@ 2004-11-21 11:48 petre rodan
From: petre rodan @ 2004-11-21 11:48 UTC (permalink / raw)
  To: SELinux




added needed capabilities
sys_chroot-related file locations

bye,
peter

-- 
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux

[-- Attachment #1.2: selinux-dhcp.diff --]
[-- Type: text/plain, Size: 1896 bytes --]

--- /root/public_html/policy/nsa/file_contexts/program/dhcpd.fc	2004-11-19 10:48:10.000000000 +0200
+++ /root/cvs/cvs.gentoo.org/gentoo-projects/selinux/dhcp/dhcpd.fc	2004-11-19 10:35:55.000000000 +0200
@@ -8,3 +8,27 @@
 /var/lib/dhcp(3)?	-d	system_u:object_r:dhcp_state_t
 define(`dhcp_defined')
 ')
+
+ifdef(`distro_gentoo', `
+/etc/dhcp			-d	system_u:object_r:dhcp_etc_t
+/etc/dhcp(/.*)?			--	system_u:object_r:dhcp_etc_t
+/var/lib/dhcp			-d 	system_u:object_r:dhcp_state_t
+/var/lib/dhcp/dhcpd\.leases.* 	--	system_u:object_r:dhcpd_state_t
+/var/run/dhcp/dhcpd\.pid     	--	system_u:object_r:dhcpd_var_run_t
+
+# for the chroot setup
+/chroot						-d	system_u:object_r:root_t
+/chroot/dhcp					-d	system_u:object_r:root_t
+/chroot/dhcp/dev				-d	system_u:object_r:device_t
+/chroot/dhcp/etc				-d	system_u:object_r:etc_t
+/chroot/dhcp/etc/dhcp               -d  system_u:object_r:dhcp_etc_t
+/chroot/dhcp/etc/dhcp(/.*)?         --  system_u:object_r:dhcp_etc_t
+/chroot/dhcp/usr/sbin/dhcpd         --  system_u:object_r:dhcpd_exec_t
+/chroot/dhcp/var				-d	system_u:object_r:var_t
+/chroot/dhcp/var/run				-d	system_u:object_r:var_run_t
+/chroot/dhcp/var/lib				-d	system_u:object_r:var_lib_t
+/chroot/dhcp/var/lib/dhcp			-d	system_u:object_r:dhcp_state_t
+/chroot/dhcp/var/lib/dhcp/dhcpd\.leases.*	--	system_u:object_r:dhcpd_state_t
+/chroot/dhcp/var/run/dhcp/dhcpd\.pid     	--	system_u:object_r:dhcpd_state_t
+')
+
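Review bot: the chroot copy of the pid file, `/chroot/dhcp/var/run/dhcp/dhcpd\.pid`, is labeled `system_u:object_r:dhcpd_state_t`, while the non-chroot entry a few lines above, `/var/run/dhcp/dhcpd\.pid`, gets `system_u:object_r:dhcpd_var_run_t`; inside the chroot the pid file would share the type of the leases database, so the last line of the block should read `--	system_u:object_r:dhcpd_var_run_t` to match. Two smaller points in the same hunk: `/var/lib/dhcp	-d	system_u:object_r:dhcp_state_t` duplicates the existing `/var/lib/dhcp(3)?` entry in the context lines just above, so it can be dropped; and `/chroot/dhcp/usr` and `/chroot/dhcp/usr/sbin` have no entries even though every other intermediate directory of the chroot tree (`var`, `var/run`, `var/lib`, `etc`, `dev`) is listed, which leaves those two directories to whatever the generic fallback context is when `setfiles` relabels the chroot.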
--- /root/public_html/policy/nsa/domains/program/unused/dhcpd.te	2004-11-20 09:01:20.000000000 +0200
+++ /root/cvs/cvs.gentoo.org/gentoo-projects/selinux/dhcp/dhcpd.te	2004-11-20 09:47:28.000000000 +0200
@@ -67,3 +67,8 @@
 # allow reading /proc
 allow dhcpd_t proc_t:{ file lnk_file } r_file_perms;
 tmp_domain(dhcpd)
+
+ifdef(`distro_gentoo', `
+allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
+allow initrc_t dhcpd_state_t:file setattr;
+')
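Review bot: the capability rule `allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };` is added without a comment saying which part of the Gentoo chroot setup needs each one; `sys_chroot` follows from the chroot itself and `setuid`/`setgid` from dropping privileges, but `chown` and especially `dac_override` deserve a one-line justification, since `dac_override` usually turns up in audit logs only because files under the chroot were still mislabeled, and with the new file contexts applied it may not be needed at all. Suggest adding a comment above the rule and re-checking the AVC denials after a relabel before keeping `dac_override`. The `allow initrc_t dhcpd_state_t:file setattr;` line would also benefit from a comment naming the init script operation (presumably touching the leases file) that requires it.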



* Re: gentoo diff for dhcpd
@ 2004-11-23 21:13 ` James Carter
From: James Carter @ 2004-11-23 21:13 UTC (permalink / raw)
  To: petre rodan; +Cc: SELinux

Merged.  I removed the '/chroot' line.  It will already be labeled with
root_t and it doesn't pertain to the dhcp stuff anyway.

--- /root/public_html/policy/nsa/file_contexts/program/dhcpd.fc 2004-11-19 10:48:10.000000000 +0200
+++ /root/cvs/cvs.gentoo.org/gentoo-projects/selinux/dhcp/dhcpd.fc      2004-11-19 10:35:55.000000000 +0200
@@ -8,3 +8,27 @@
 /var/lib/dhcp(3)?      -d      system_u:object_r:dhcp_state_t
 define(`dhcp_defined')
 ')
+
+ifdef(`distro_gentoo', `
+/etc/dhcp                      -d      system_u:object_r:dhcp_etc_t
+/etc/dhcp(/.*)?                        --      system_u:object_r:dhcp_etc_t
+/var/lib/dhcp                  -d      system_u:object_r:dhcp_state_t
+/var/lib/dhcp/dhcpd\.leases.*  --      system_u:object_r:dhcpd_state_t
+/var/run/dhcp/dhcpd\.pid       --      system_u:object_r:dhcpd_var_run_t
+
+# for the chroot setup
+/chroot                                                -d      system_u:object_r:root_t
+/chroot/dhcp                                   -d      system_u:object_r:root_t
+/chroot/dhcp/dev                               -d      system_u:object_r:device_t
+/chroot/dhcp/etc                               -d      system_u:object_r:etc_t
+/chroot/dhcp/etc/dhcp               -d  system_u:object_r:dhcp_etc_t
+/chroot/dhcp/etc/dhcp(/.*)?         --  system_u:object_r:dhcp_etc_t
+/chroot/dhcp/usr/sbin/dhcpd         --  system_u:object_r:dhcpd_exec_t
+/chroot/dhcp/var                               -d      system_u:object_r:var_t
+/chroot/dhcp/var/run                           -d      system_u:object_r:var_run_t
+/chroot/dhcp/var/lib                           -d      system_u:object_r:var_lib_t
+/chroot/dhcp/var/lib/dhcp                      -d      system_u:object_r:dhcp_state_t
+/chroot/dhcp/var/lib/dhcp/dhcpd\.leases.*      --      system_u:object_r:dhcpd_state_t
+/chroot/dhcp/var/run/dhcp/dhcpd\.pid           --      system_u:object_r:dhcpd_state_t
+')
+
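Review bot: the hunk pasted here still contains the `/chroot	-d	system_u:object_r:root_t` line that the message above says was removed, so the text shown is the submitted version rather than the merged one; and the pid-file inconsistency from the original submission is carried over unchanged, with `/chroot/dhcp/var/run/dhcp/dhcpd\.pid` labeled `dhcpd_state_t` while the non-chroot `/var/run/dhcp/dhcpd\.pid` is `dhcpd_var_run_t`. Worth confirming that the merged `dhcpd.fc` uses `dhcpd_var_run_t` for both.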

On Sun, 2004-11-21 at 06:48, petre rodan wrote:
> added needed capabilities
> sys_chroot-related file locations
> 
> bye,
> peter
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

