From: dwalsh@redhat.com (Daniel J Walsh)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] request for comments: policy for nufw and nuauth
Date: Tue, 21 Oct 2008 11:02:39 -0400
Message-ID: <48FDEF0F.3080105@redhat.com>
In-Reply-To: <20081021085558.GD30642@piche.inl.fr>
Pierre Chifflier wrote:
> On Mon, Oct 20, 2008 at 02:57:49PM -0400, Daniel J Walsh wrote:
>> You should never (almost never) have a gen_requires interface in a te file.
>>
>> You should use interfaces.
>
> Hi,
>
> Thanks for the review. I've re-written the policies from scratch, and
> trying to use interfaces and macros when available (files attached, this
> time not gzipped, to ease review).
>
Nothing attached.
>> files_pid_file(nuauth_var_run_t)
>> allow nuauth_t nuauth_var_run_t:dir { search write remove_name add_name };
>> allow nuauth_t nuauth_var_run_t:file { create write read getattr unlink };
>> allow nuauth_t nuauth_var_run_t:sock_file { unlink create write };
>>
>>
>> Should probably be something like
>>
>> manage_files_pattern(nuauth_t, nuauth_var_run_t, nuauth_var_run_t)
>> manage_sock_files_pattern(nuauth_t, nuauth_var_run_t, nuauth_var_run_t)
>
> Fixed
>
>>> allow nuauth_t etc_t:file { getattr read };
>> Should be
>> files_read_etc(nuauth_t)
>
> This one does not seem to work. I had to add:
>
> allow $1 nufw_etc_t:dir list_dir_perms;
> read_files_pattern($1,nufw_etc_t,nufw_etc_t)
> read_lnk_files_pattern($1,nufw_etc_t,nufw_etc_t)
>
>>
>> # allow clients to connect
>> allow unconfined_t nuauth_port_t:tcp_socket recv_msg;
>> allow unconfined_t nuauth_port_t:tcp_socket name_connect;
>>
>> Not necessary. unconfined_t already can
corenet_port(nuauth_port_t) if ports will be >= 1024
corenet_reserved_port(nuauth_port_t) if ports can be < 1024
corenet_rpc_port(nuauth_port_t) if ports can be between 600 and 1024.
> Not here. Maybe it's related to the way I add the port?
> I'm using:
> semanage port -a -t nuauth_port_t -p tcp 4129
>
> Maybe there is a boolean to allow connections?
>
>>> allow nuauth_t bin_t:dir search;
>> corecmd_search_bin(nuauth_t)
>>
>>> allow nuauth_t postgresql_port_t:tcp_socket { name_connect send_msg
>> recv_msg };
>>
>> Look for corenetwork calls.
>>
>
> Fixed
>
> Thanks for your help!
>
> Pierre
>
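As an added example (not Pierre's attachment and not code from the refpolicy tree), this is how the pieces discussed in the thread fit together as a minimal nuauth.if/nuauth.te pair: the config-read interface Pierre ended up writing in place of files_read_etc(), manage_*_pattern macros for the pid directory, corecmd/corenet interfaces instead of raw allow rules, and the corenet_port() declaration Dan names, which is what lets unconfined_t reach port 4129. The type names, the interface name nuauth_read_config and declaring nuauth_port_t inside the module (rather than in corenetwork.te.in) are assumptions.

```selinux
## ---- nuauth.if (assumed layout; both files shown together) ----
########################################
## <summary>
##	Read nuauth configuration files. nufw_etc_t is a separate
##	config type, so files_read_etc() alone is not enough.
## </summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
#
interface(`nuauth_read_config',`
	gen_require(`
		type nufw_etc_t;
	')

	files_search_etc($1)
	allow $1 nufw_etc_t:dir list_dir_perms;
	read_files_pattern($1, nufw_etc_t, nufw_etc_t)
	read_lnk_files_pattern($1, nufw_etc_t, nufw_etc_t)
')

## ---- nuauth.te ----
policy_module(nuauth, 0.1)

type nuauth_t;
type nuauth_exec_t;
init_daemon_domain(nuauth_t, nuauth_exec_t)

type nuauth_var_run_t;
files_pid_file(nuauth_var_run_t)

type nufw_etc_t;
files_config_file(nufw_etc_t)

# 4129 is >= 1024, so the generic port attribute is the right one;
# pair with: semanage port -a -t nuauth_port_t -p tcp 4129
type nuauth_port_t;
corenet_port(nuauth_port_t)

# pid dir: patterns instead of hand-written dir/file/sock_file allow rules
manage_files_pattern(nuauth_t, nuauth_var_run_t, nuauth_var_run_t)
manage_sock_files_pattern(nuauth_t, nuauth_var_run_t, nuauth_var_run_t)
files_pid_filetrans(nuauth_t, nuauth_var_run_t, { file sock_file })

nuauth_read_config(nuauth_t)
corecmd_search_bin(nuauth_t)

# network: listen on its own port, connect out to postgresql
allow nuauth_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_sendrecv_generic_if(nuauth_t)
corenet_tcp_sendrecv_generic_node(nuauth_t)
corenet_tcp_bind_generic_node(nuauth_t)
allow nuauth_t nuauth_port_t:tcp_socket name_bind;
corenet_tcp_connect_postgresql_port(nuauth_t)
```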