From: Klaus Heinrich Kiwi
Subject: Re: [PATCH 00/07][RFC] RACF audit plugin
Date: Fri, 28 Sep 2007 21:09:20 +0000 (UTC)
References: <1190986087.4113.49.camel@klausk.br.ibm.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Fri, 28 Sep 2007 10:28:07 -0300, Klaus Heinrich Kiwi wrote:
> TODO list:
> ==========
> - SELinux policy (currently, the plugin runs under the audit daemon
>   domain, which denies some network operations, for example)

Steve, you mentioned in an IRC chat that dwalsh has made a nice GUI tool for building new policy. Can you point it out?

Dan mentioned we would need a policy module that gets loaded by a post-install script upon the plugin installation. The policy module would define 'racf_t' and 'racf_exec_t' types, and the 'racf_exec_t'-labeled plugin would then transition to its own 'racf_t' domain upon execution. Transition would be allowed by the 'racf_domtrans(auditd_t)' interface.

As for 'racf_t' permissions, I need LDAP and DNS access. Reading the AVC messages I saw, I may need:

tcp_socket { read write shutdown name_connect connect setop create }
udp_socket { read write getattr connect create }
netlink_route_socket { nlmsg_read read }

Does anyone know if this set of permissions is implemented by a more generic policy interface? Dan?

Thanks!
Klaus K
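As an added example (not code from the patch series or from any reply on the list), here is what a reference-policy module along the lines sketched in the mail could look like: a `racf.te` that declares `racf_t`/`racf_exec_t`, a `racf.if` that provides the `racf_domtrans()` interface, and the `.fc` line that labels the binary. The module name, the binary path `/usr/sbin/audisp-racf`, and the pipe/fd rules between `auditd_t` and the plugin are assumptions; the socket rules follow the AVC list in the mail, with "setop" taken to mean the standard `setopt` permission. The `name_connect` check is against the port type rather than the domain itself, so it is expressed through the `corenet_*` and `sysnet_*` interfaces that refpolicy already provides for LDAP and DNS, which answers the "more generic interface" question for those two services.

```selinux
#### racf.te  (hypothetical module; added example, not from the patch set)
policy_module(racf, 0.1)

########################################
# Declarations

type racf_t;
type racf_exec_t;
# racf_t becomes a domain with racf_exec_t as its entry-point file.
application_domain(racf_t, racf_exec_t)
role system_r types racf_t;

########################################
# Local policy

# Socket permissions taken from the AVC list in the mail ("setop" assumed
# to be the standard "setopt"); these are checked against the domain's own
# sockets, hence the "self" target.
allow racf_t self:tcp_socket { create connect read write shutdown setopt getattr };
allow racf_t self:udp_socket { create connect read write getattr };
allow racf_t self:netlink_route_socket { create bind getattr nlmsg_read read write };

# name_connect is checked against the *port* type (ldap_port_t), not self,
# so LDAP access is granted through the generic corenetwork interfaces.
corenet_tcp_connect_ldap_port(racf_t)
corenet_tcp_sendrecv_generic_if(racf_t)
corenet_tcp_sendrecv_generic_node(racf_t)
corenet_udp_sendrecv_generic_if(racf_t)
corenet_udp_sendrecv_generic_node(racf_t)

# DNS lookups (UDP/TCP to dns_port_t, read of /etc/resolv.conf and hosts).
sysnet_dns_name_resolve(racf_t)

# Assumption: the plugin is spawned by auditd/audispd and reads events on
# the pipe it inherits, so auditd_t must transition it and share the pipe.
gen_require(`
	type auditd_t;
')
domtrans_pattern(auditd_t, racf_exec_t, racf_t)
allow racf_t auditd_t:fd use;
allow racf_t auditd_t:fifo_file rw_fifo_file_perms;
allow auditd_t racf_t:process { signal sigkill };

#### racf.if  (hypothetical; provides the interface named in the mail)
## <summary>RACF audit plugin (added example).</summary>

########################################
## <summary>
##	Execute the RACF plugin in the racf domain.
## </summary>
## <param name="domain">
##	<summary>Domain allowed to transition.</summary>
## </param>
#
interface(`racf_domtrans',`
	gen_require(`
		type racf_t, racf_exec_t;
	')

	domtrans_pattern($1, racf_exec_t, racf_t)
')

#### racf.fc  (binary path is an assumption)
/usr/sbin/audisp-racf	--	gen_context(system_u:object_r:racf_exec_t,s0)
```

The three files are built with the refpolicy development Makefile (`make -f /usr/share/selinux/devel/Makefile racf.pp`) and loaded by the package's post-install script with `semodule -i racf.pp`, which is the "module loaded by a post-install script" Dan described. The `self`-targeted socket rules are ordinary allow rules because they have no generic interface wrapping them; any denials left after loading the module (for example a different port type for a non-standard LDAP port) show up as AVC messages that `audit2allow -i /var/log/audit/audit.log` will turn into candidate rules, which should then be mapped onto the narrowest matching `corenet_*` interface rather than pasted in verbatim.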