* named policy patch
@ 2005-04-12 13:26 Russell Coker
From: Russell Coker @ 2005-04-12 13:26 UTC (permalink / raw)
To: SELinux, Daniel J Walsh
The attached patch allows named to correctly start on FC4T2 with the strict
policy when unlimitedRC is commented.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
diff -u old/named.fc new/named.fc
--- old/named.fc 2005-04-12 23:24:32.000000000 +1000
+++ new/named.fc 2005-04-12 23:24:23.000000000 +1000
@@ -16,6 +16,7 @@
/etc/rndc.* -- system_u:object_r:named_conf_t
/etc/rndc.key -- system_u:object_r:dnssec_t
/usr/sbin/named -- system_u:object_r:named_exec_t
+/usr/sbin/named-checkconf -- system_u:object_r:named_checkconf_exec_t
/usr/sbin/r?ndc -- system_u:object_r:ndc_exec_t
/var/run/ndc -s system_u:object_r:named_var_run_t
/var/run/bind(/.*)? system_u:object_r:named_var_run_t
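Review bot: the new context `+/usr/sbin/named-checkconf -- system_u:object_r:named_checkconf_exec_t` names a type that is only declared in the named.te hunk of this same patch, so the two hunks have to land together; applying named.fc alone leaves a file context that does not resolve to a declared type. The patch description should also state why named-checkconf gets a dedicated exec type rather than the named_exec_t used for /usr/sbin/named one line above; the cover note only says that named now starts on FC4T2 with unlimitedRC commented, which does not explain the separate type.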
diff -u old/named.te new/named.te
--- old/named.te 2005-04-12 23:24:39.000000000 +1000
+++ new/named.te 2005-04-12 23:24:45.000000000 +1000
@@ -15,6 +15,9 @@
daemon_domain(named, `, nscd_client_domain')
tmp_domain(named)
+type named_checkconf_exec_t, file_type, exec_type, sysadmfile;
+domain_auto_trans(initrc_t, named_checkconf_exec_t, named_t)
+
# For /var/run/ndc used in BIND 8
file_type_auto_trans(named_t, var_run_t, named_var_run_t, sock_file)
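Review bot: `domain_auto_trans(initrc_t, named_checkconf_exec_t, named_t)` sets up the transition only for initrc_t, so any other domain that executes the file stays in its own domain; that looks intentional, but nothing in the hunk records it. Add a comment above the `+type named_checkconf_exec_t, file_type, exec_type, sysadmfile;` line saying that the config check runs in named_t when launched by the init script and in the caller's domain otherwise, so the reason for not reusing named_exec_t lives in the policy rather than only in the list discussion. Also worth noting in that comment: the transition places a configuration-checking tool in the full named_t daemon domain, which is broader than the tool needs; a narrower domain would be tighter, and the trade-off should be stated even if it is accepted.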
* Re: named policy patch
@ 2005-04-12 13:38 Daniel J Walsh
From: Daniel J Walsh @ 2005-04-12 13:38 UTC (permalink / raw)
To: russell; +Cc: SELinux
Russell Coker wrote:
>The attached patch allows named to correctly start on FC4T2 with the strict
>policy when unlimitedRC is commented.
>
>
>
>------------------------------------------------------------------------
>
>diff -u old/named.fc new/named.fc
>--- old/named.fc 2005-04-12 23:24:32.000000000 +1000
>+++ new/named.fc 2005-04-12 23:24:23.000000000 +1000
>@@ -16,6 +16,7 @@
> /etc/rndc.* -- system_u:object_r:named_conf_t
> /etc/rndc.key -- system_u:object_r:dnssec_t
> /usr/sbin/named -- system_u:object_r:named_exec_t
>+/usr/sbin/named-checkconf -- system_u:object_r:named_checkconf_exec_t
> /usr/sbin/r?ndc -- system_u:object_r:ndc_exec_t
> /var/run/ndc -s system_u:object_r:named_var_run_t
> /var/run/bind(/.*)? system_u:object_r:named_var_run_t
>diff -u old/named.te new/named.te
>--- old/named.te 2005-04-12 23:24:39.000000000 +1000
>+++ new/named.te 2005-04-12 23:24:45.000000000 +1000
>@@ -15,6 +15,9 @@
> daemon_domain(named, `, nscd_client_domain')
> tmp_domain(named)
>
>+type named_checkconf_exec_t, file_type, exec_type, sysadmfile;
>+domain_auto_trans(initrc_t, named_checkconf_exec_t, named_t)
>+
> # For /var/run/ndc used in BIND 8
> file_type_auto_trans(named_t, var_run_t, named_var_run_t, sock_file)
>
>
>
Why not just label checkconf as named_exec_t?
--
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: named policy patch
@ 2005-04-12 13:56 Russell Coker
From: Russell Coker @ 2005-04-12 13:56 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SELinux
On Tuesday 12 April 2005 23:38, Daniel J Walsh <dwalsh@redhat.com> wrote:
> >+/usr/sbin/named-checkconf -- system_u:object_r:named_checkconf_exec_t
>
> Why not just label checkconf as named_exec_t?
We don't want a transition from sysadm_t when the administrator runs it.
named_t does not have access to sysadm_tty_device_t or sysadm_devpts_t; I
believe that if the startup fails then the administrator will want to run
named-checkconf as part of a debugging process and will therefore need to
have it running in sysadm_t to display the results.
It's exactly the same as the situation with ntpdate.