From: dwalsh@redhat.com (Daniel J Walsh)
Date: Tue, 21 Oct 2008 11:02:39 -0400
Subject: [refpolicy] request for comments: policy for nufw and nuauth
In-Reply-To: <20081021085558.GD30642@piche.inl.fr>
References: <20081020162358.GB30642@piche.inl.fr> <48FCD4AD.2090606@redhat.com> <20081021085558.GD30642@piche.inl.fr>
Message-ID: <48FDEF0F.3080105@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Pierre Chifflier wrote:
> On Mon, Oct 20, 2008 at 02:57:49PM -0400, Daniel J Walsh wrote:
>> You should never (almost never) have a gen_requires interface in a te file.
>>
>> You should use interfaces.
>
> Hi,
>
> Thanks for the review. I've re-written the policies from scratch, and
> trying to use interfaces and macros when available (files attached, this
> time not gzipped, to ease review).
>
Nothing attached.
>> files_pid_file(nuauth_var_run_t)
>> allow nuauth_t nuauth_var_run_t:dir { search write remove_name add_name };
>> allow nuauth_t nuauth_var_run_t:file { create write read getattr unlink };
>> allow nuauth_t nuauth_var_run_t:sock_file { unlink create write };
>>
>>
>> Should probably be something like
>>
>> manage_files_pattern(nuauth_t, nuauth_var_run_t, nuauth_var_run_t)
>> manage_sock_files_pattern(nuauth_t, nuauth_var_run_t, nuauth_var_run_t)
>
> Fixed
>
>>> allow nuauth_t etc_t:file { getattr read };
>> Should be
>> files_read_etc(nuauth_t)
>
> This one does not seem to work. I had to add:
>
> allow $1 nufw_etc_t:dir list_dir_perms;
> read_files_pattern($1,nufw_etc_t,nufw_etc_t)
> read_lnk_files_pattern($1,nufw_etc_t,nufw_etc_t)
>
>>
>> # allow clients to connect
>> allow unconfined_t nuauth_port_t:tcp_socket recv_msg;
>> allow unconfined_t nuauth_port_t:tcp_socket name_connect;
>>
>> Not necessary. unconfined_t already can
corenet_port(nuauth_port_t) if ports will be >= 1024
corenet_reserved_port(nuauth_port_t) if ports can be < 1024
corenet_rpc_port(nuauth_port_t) if ports can be between 600 and 1024.
> Not here.
> Maybe it's related to the way I add the port?
> I'm using:
> semanage port -a -t nuauth_port_t -p tcp 4129
>
> Maybe there is a boolean to allow connections?
>
>>> allow nuauth_t bin_t:dir search;
>> corecmd_search_bin(nuauth_t)
>>
>>> allow nuauth_t postgresql_port_t:tcp_socket { name_connect send_msg
>> recv_msg };
>>
>> Look for corenetwork calls.
>>
>
> Fixed
>
> Thanks for your help!
>
> Pierre
>
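As an added illustration, not part of this thread and not the nufw/nuauth policy under review, the following shows the raw allow rules discussed above rewritten with refpolicy interfaces and patterns, plus the nufw_etc_t read access Pierre describes wrapped in an interface so other modules can call it instead of copying the rules. The module name and version, the interface name nufw_read_config, and the use of files_read_etc_files, files_config_file, files_pid_filetrans, init_daemon_domain and the corenet postgresql interfaces are assumptions drawn from refpolicy conventions; the types are the ones named in the thread.

```selinux
# ---- nuauth.if (assumed layout; example only) ----

########################################
## <summary>
##	Read nufw configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`nufw_read_config',`
	# gen_require belongs here, in the interface, not in a .te file
	gen_require(`
		type nufw_etc_t;
	')

	# the config lives under /etc, so the caller must be able to get there
	files_search_etc($1)
	# rules from the thread, now callable by any domain via this interface
	allow $1 nufw_etc_t:dir list_dir_perms;
	read_files_pattern($1, nufw_etc_t, nufw_etc_t)
	read_lnk_files_pattern($1, nufw_etc_t, nufw_etc_t)
')

# ---- nuauth.te (assumed layout; example only) ----

policy_module(nuauth, 0.1)   # name/version are assumptions

type nuauth_t;
type nuauth_exec_t;
init_daemon_domain(nuauth_t, nuauth_exec_t)

type nuauth_var_run_t;
files_pid_file(nuauth_var_run_t)

type nufw_etc_t;
files_config_file(nufw_etc_t)   # assumed: marks the type as a config file under /etc

# Before (raw rules):
#   allow nuauth_t nuauth_var_run_t:dir { search write remove_name add_name };
#   allow nuauth_t nuauth_var_run_t:file { create write read getattr unlink };
#   allow nuauth_t nuauth_var_run_t:sock_file { unlink create write };
# After: one pattern per object class, and a transition so new entries
# created in /var/run get the right label automatically.
manage_files_pattern(nuauth_t, nuauth_var_run_t, nuauth_var_run_t)
manage_sock_files_pattern(nuauth_t, nuauth_var_run_t, nuauth_var_run_t)
files_pid_filetrans(nuauth_t, nuauth_var_run_t, { file sock_file })

# Before: allow nuauth_t etc_t:file { getattr read };
# After: generic /etc reading plus the module's own config interface.
files_read_etc_files(nuauth_t)
nufw_read_config(nuauth_t)

# Before: allow nuauth_t bin_t:dir search;
corecmd_search_bin(nuauth_t)

# Before: allow nuauth_t postgresql_port_t:tcp_socket { name_connect send_msg recv_msg };
# After: corenetwork interfaces, as Daniel suggests.
corenet_tcp_connect_postgresql_port(nuauth_t)
corenet_tcp_sendrecv_postgresql_port(nuauth_t)

# No rules for unconfined_t here: the nuauth_port_t declaration itself goes
# in corenetwork.te.in (corenet_port / corenet_reserved_port / corenet_rpc_port,
# as discussed in the thread), not in this module.
```

Keeping the port declaration out of the module and the client-side rules out of the daemon policy is the point of the thread's advice: the .te only grants what nuauth_t itself needs, the .if exposes the one thing other domains may need (reading nufw configuration), and anything about who may connect to the port is decided by corenetwork rather than by hand-written allow rules against unconfined_t.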