From: p.chifflier@inl.fr (Pierre Chifflier)
Date: Tue, 21 Oct 2008 10:55:58 +0200
Subject: [refpolicy] request for comments: policy for nufw and nuauth
In-Reply-To: <48FCD4AD.2090606@redhat.com>
References: <20081020162358.GB30642@piche.inl.fr> <48FCD4AD.2090606@redhat.com>
Message-ID: <20081021085558.GD30642@piche.inl.fr>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, Oct 20, 2008 at 02:57:49PM -0400, Daniel J Walsh wrote:
> You should never (almost never) have a gen_requires interface in a te file.
>
> You should use interfaces.

Hi,

Thanks for the review. I've re-written the policies from scratch, and am trying to use interfaces and macros when available (files attached, this time not gzipped, to ease review).

> files_pid_file(nuauth_var_run_t)
> allow nuauth_t nuauth_var_run_t:dir { search write remove_name add_name };
> allow nuauth_t nuauth_var_run_t:file { create write read getattr unlink };
> allow nuauth_t nuauth_var_run_t:sock_file { unlink create write };
>
>
> Should probably be something like
>
> manage_files_pattern(nuauth_t, nuauth_var_run_t, nuauth_var_run_t)
> manage_sock_files_pattern(nuauth_t, nuauth_var_run_t, nuauth_var_run_t)

Fixed

>
>
> allow nuauth_t etc_t:file { getattr read };
> Should be
> files_read_etc(nuauth_t)

This one does not seem to work. I had to add:

allow $1 nufw_etc_t:dir list_dir_perms;
read_files_pattern($1,nufw_etc_t,nufw_etc_t)
read_lnk_files_pattern($1,nufw_etc_t,nufw_etc_t)

>
>
> # allow clients to connect
> allow unconfined_t nuauth_port_t:tcp_socket recv_msg;
> allow unconfined_t nuauth_port_t:tcp_socket name_connect;
>
> Not necessary. unconfined_t already can

Not here. Maybe it's related to the way I add the port? I'm using:

semanage port -a -t nuauth_port_t -p tcp 4129

Maybe there is a boolean to allow connections?

>
>
> allow nuauth_t bin_t:dir search;
> corecmd_search_bin(nuauth_t)
>
>
> allow nuauth_t postgresql_port_t:tcp_socket { name_connect send_msg recv_msg };
>
> Look for corenetwork calls.
>

Fixed

Thanks for your help!

Pierre
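As an added illustration of the review points above (this is not Pierre's attached policy and not the refpolicy nufw module), the fragment below shows the same rules expressed in reference-policy style: the three config-read lines Pierre had to add become an interface in the module's .if file, and the .te file calls that interface plus the file, corecmd and corenet interfaces Dan points to, instead of raw allow rules on etc_t, bin_t and postgresql_port_t. The interface name nufw_read_config, the module name nufw and the types nuauth_exec_t/nufw_etc_t declarations are assumptions; the other interface names are existing refpolicy interfaces (the refpolicy reader for etc_t files is spelled files_read_etc_files).

```m4
# ---- nufw.if (added illustration; names are assumptions, see lead-in) ----

########################################
## <summary>
##	Read nufw/nuauth configuration files.
## </summary>
## <param name="domain">
##	<summary>Domain allowed access.</summary>
## </param>
#
interface(`nufw_read_config',`
	gen_require(`
		type nufw_etc_t;
	')

	# search /etc, then list the config directory and read files and symlinks in it;
	# these are the rules from the mail, wrapped so any domain can reuse them
	files_search_etc($1)
	allow $1 nufw_etc_t:dir list_dir_perms;
	read_files_pattern($1, nufw_etc_t, nufw_etc_t)
	read_lnk_files_pattern($1, nufw_etc_t, nufw_etc_t)
')

# ---- nufw.te (added illustration) ----

policy_module(nufw, 1.0)

########################################
# Declarations

type nuauth_t;
type nuauth_exec_t;
init_daemon_domain(nuauth_t, nuauth_exec_t)

# module-private config type: files_read_etc_files() only covers etc_t,
# so this type needs its own interface (nufw_read_config above)
type nufw_etc_t;
files_config_file(nufw_etc_t)

type nuauth_var_run_t;
files_pid_file(nuauth_var_run_t)

########################################
# nuauth local policy

# pid file and unix socket under /var/run, created with the right label;
# replaces the per-permission dir/file/sock_file allow rules
manage_files_pattern(nuauth_t, nuauth_var_run_t, nuauth_var_run_t)
manage_sock_files_pattern(nuauth_t, nuauth_var_run_t, nuauth_var_run_t)
files_pid_filetrans(nuauth_t, nuauth_var_run_t, { file sock_file })

# generic /etc files plus the module's own config type
files_read_etc_files(nuauth_t)
nufw_read_config(nuauth_t)

# replaces: allow nuauth_t bin_t:dir search;
corecmd_search_bin(nuauth_t)

# backend database; replaces the raw postgresql_port_t tcp_socket rules
corenet_tcp_connect_postgresql_port(nuauth_t)
corenet_sendrecv_postgresql_client_packets(nuauth_t)
```

Keeping the nufw_etc_t access behind an interface is what makes Dan's "no gen_require in a .te file" remark practical: a second domain that needs the same configuration (the nufw daemon, for instance) calls nufw_read_config(...) rather than repeating the three rules and pulling the type into its own .te with gen_require.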