* Boolean/RPM data in policy
@ 2007-12-06 14:41 Daniel J Walsh
0 siblings, 0 replies; only message in thread
From: Daniel J Walsh @ 2007-12-06 14:41 UTC (permalink / raw)
To: SE Linux
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
We have been asked to map booleans to RPMs by some customers. The idea
is to show which booleans affect which packages.
Some booleans would affect multiple packages.
For example
You might want a command to show all booleans that affect the httpd rpm.
In Fedora 8 the system-config-selinux/booleans page includes information on
the modules, description and boolean name. It gives you the ability to
filter and sort on these. The semanage boolean -l command line also
gives this information. So you can pipe it to grep to search for
particular booleans.
# semanage boolean -l | grep samba.*export
samba_export_all_rw -> off Allow Samba to share any
file/directory read/write
samba_export_all_ro -> off Allow Samba to share any
file/directory read only
samba_share_nfs -> off Allow samba to export NFS volumes.
But, module names and rpm names do not match, and several booleans affect
multiple RPMs.
So it would be nice to have a semanage command that said something like
"show me the booleans that affect the httpd package".
One suggestion would be to update the policy xml to include distribution
specific data.
## <desc>
##   <p>
##   Allow httpd to use built in scripting (usually php)
##   </p>
##   <Packages>
##     <RedHat>
##       <package>httpd</package>
##     </RedHat>
##   </Packages>
## </desc>
gen_tunable(httpd_builtin_scripting, false)
Then semanage and system-config-selinux could use this data. Another
solution would be to allow vendors to ship a look aside database with
this info in it.
The problem with either solution is that the data will get out of date
quickly. For example lots of RPMs are affected by use_nfs_home_dirs:
every confined domain that needs to access the homedir would use this
boolean. Or allow_ypbind would affect every domain that calls
auth_use_nsswitch.
So the final solution would be to do nothing, except improve the
documentation on the booleans so a user would be likely to figure out
which one solves his problem.
spamassassin is failing with nfs homedirs?
# semanage boolean -l | grep nfs
# semanage boolean -l | grep nfs | grep spam
<No Output>
# semanage boolean -l | grep nfs
xen_use_nfs -> off Allow xen to manage nfs files
use_nfs_home_dirs -> on Support NFS home directories
allow_ftpd_use_nfs -> off Allow ftp servers to use nfs
used for public file transfer services.
cdrecord_read_content -> off Allow cdrecord to read various
content. nfs, samba, removable devices, user temp and untrusted content
files
httpd_use_nfs -> off Allow httpd to access nfs file
systems
samba_share_nfs -> off Allow samba to export NFS volumes.
allow_nfsd_anon_write -> off Allow nfs servers to modify
public files used for public file transfer services. Files/Directories
must be labeled public_content_rw_t
nfs_export_all_rw -> off Allow any files/directories to
be exported read/write via NFS.
nfs_export_all_ro -> on Allow any files/directories to
be exported read/only via NFS.
Ahh, I wonder if use_nfs_home_dirs would make it work...
So what do others think?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFHWAo3rlYvE4MpobMRAs/ZAJ9DjIKI9siNxi3y87TLNvGnJjb+2ACfXwVF
hmUNcDyCWgUOXozalbKQFYI=
=HCRY
-----END PGP SIGNATURE-----
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
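The two proposals in the message, a package lookup driven by a <Packages> block in the policy comments, and plain keyword search over semanage boolean -l, can be prototyped in a few lines. The following is an added example written for this page; it is not Dan's code, not part of semanage or refpolicy, and the <Packages>/<RedHat>/<package> element names are the post's proposal, not anything in the real tunable XML schema. The semanage output and policy snippets are constructed samples in the shape shown above. The parser joins the wrapped description lines, which is the reason a pipeline like grep nfs | grep systems finds httpd_use_nfs here but would miss it on the raw wrapped output.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `semanage boolean -l` on Fedora 8;
# long descriptions wrap onto continuation lines exactly as in the post.
SEMANAGE_OUTPUT = """\
xen_use_nfs -> off Allow xen to manage nfs files
use_nfs_home_dirs -> on Support NFS home directories
httpd_use_nfs -> off Allow httpd to access nfs file
systems
samba_share_nfs -> off Allow samba to export NFS volumes.
httpd_builtin_scripting -> on Allow httpd to use built in scripting (usually php)
"""

# Constructed sample of policy source using the <Packages> block proposed in
# the post (hypothetical element names, not the real refpolicy XML schema).
POLICY_SOURCE = """\
## <desc>
## <p>
## Allow httpd to use built in scripting (usually php)
## </p>
## <Packages>
## <RedHat>
## <package>httpd</package>
## <package>php</package>
## </RedHat>
## </Packages>
## </desc>
gen_tunable(httpd_builtin_scripting, false)

## <desc>
## <p>
## Allow httpd to access nfs file systems
## </p>
## <Packages>
## <RedHat>
## <package>httpd</package>
## </RedHat>
## </Packages>
## </desc>
gen_tunable(httpd_use_nfs, false)
"""

# One boolean record starts a line: "<name> -> on|off <description...>"
RECORD_RE = re.compile(r"^(\S+) -> (on|off) (.*)$")


def parse_semanage(text):
    """Return {name: (state, description)}, joining wrapped description lines."""
    booleans = {}
    current = None
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            current = m.group(1)
            booleans[current] = [m.group(2), m.group(3).strip()]
        elif current and line.strip():
            # Continuation of the previous description (semanage wraps at ~70 cols).
            booleans[current][1] += " " + line.strip()
    return {name: tuple(v) for name, v in booleans.items()}


def search(booleans, *keywords):
    """Names of booleans whose name or full description contains every keyword."""
    hits = []
    for name, (_state, desc) in booleans.items():
        haystack = (name + " " + desc).lower()
        if all(k.lower() in haystack for k in keywords):
            hits.append(name)
    return sorted(hits)


# A run of "## ..." comment lines immediately followed by gen_tunable(<name>,
DESC_RE = re.compile(r"((?:^## .*\n)+)gen_tunable\(\s*(\w+)\s*,", re.MULTILINE)


def parse_packages(source, vendor="RedHat"):
    """Return {boolean: set(packages)} from the proposed <Packages> blocks."""
    mapping = {}
    for comment, name in DESC_RE.findall(source):
        # Strip the "## " comment prefix so the remainder is plain XML.
        xml = "\n".join(l[3:] if l.startswith("## ") else l[2:]
                        for l in comment.splitlines())
        root = ET.fromstring(xml)
        pkgs = {p.text.strip() for p in root.findall(f"Packages/{vendor}/package")}
        mapping[name] = pkgs
    return mapping


def booleans_for_package(mapping, package):
    """The 'show me the booleans that affect the httpd package' query."""
    return sorted(b for b, pkgs in mapping.items() if package in pkgs)


if __name__ == "__main__":
    bools = parse_semanage(SEMANAGE_OUTPUT)
    print("nfs+spam:", search(bools, "nfs", "spam"))       # nothing, as in the post
    print("nfs+systems:", search(bools, "nfs", "systems"))  # found only after unwrapping
    pkgs = parse_packages(POLICY_SOURCE)
    print("httpd:", booleans_for_package(pkgs, "httpd"))
```

The package mapping illustrates the maintenance problem stated in the message: a boolean such as use_nfs_home_dirs that is used by many domains would need a <package> entry for every confined package, and nothing in the policy build checks that the list stays current.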