Old 09-08-2008, 10:23 PM
"Johnson, Richard"
 
Default Naive Qs about selinux modules

Q: Can any SELinux directive be put into a policy module,
or are there restrictions?

For example: suppose I wanted to:

  allow snmpd_t apmd_t:process ptrace;
  allow snmpd_t auditd_t:process ptrace;
  allow snmpd_t automount_t:process ptrace;
  [ ...and so on ]

so that snmpd could access mib .1.3.6.1.2.1.6. (advisability
notwithstanding) Could these directives be put into a policy module even though
the base policy already has an snmpd i/f?

Q. Can a module define new booleans? If so, are
they persistent if the module is unloaded and reloaded?

For example; an snmpd policy module with an snmpd_can_ptrace
boolean. Are there namespace conventions?

Q. What happens if the base policy (or another policy
module) is updated with overlapping statements?

Am I correct in believing that the set of allows is the
union of the base allows + all module allows?

--rich

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 09-09-2008, 12:46 PM
Daniel J Walsh
 
Default Naive Qs about selinux modules

Johnson, Richard wrote:
> Q: Can any SELinux directive be put into a policy module, or are there
> restrictions?
>
> For example: suppose I wanted to:
>
> allow snmpd_t apmd_t:process ptrace;
>
> allow snmpd_t auditd_t:process ptrace;
>
> allow snmpd_t automount_t:process ptrace;
>
> [ ...and so on ]
>
> so that snmpd could access mib .1.3.6.1.2.1.6. (advisability
> notwithstanding) Could these directives be put into a policy module even
> though the base policy already has an snmpd i/f?
>
Yes, although watch out for name conflicts, i.e. don't name your module
the same as an existing module or you will replace it.

BTW the interface
domain_read_all_domains_state(snmpd_t)

is probably what you want.
>
>
> Q. Can a module define new booleans? If so are they persistent if the
> module is unloaded and reloaded?
>
Yes and the booleans will be removed if you unload the policy.

>
>
> For example; an snmpd policy module with an snmpd_can_ptrace boolean.
> Are there namespace conventions?
>
>
Well we would prefer all booleans to be named with the name of the
module. Although there are a lot of booleans that do not follow that
standard. I would love to have aliasing for booleans so we could rename
them.
>
> Q. What happens if the base policy (or another policy module) is
> updated with overlapping statements?
>
>
They are additive.
>
> Am I correct in believing that the set of allows is the union of the
> base allows + all module allows?
>
>
Yes
>
> --rich

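The points in the reply above (pick a module name that does not collide with an existing module, name booleans after the module, rules are unioned with the base policy, the boolean goes away with the module), put together as one loadable module. This is an added example written for this page, not code from the thread or from the Fedora policy: the module name local_snmpd_extra and the boolean local_snmpd_extra_ptrace are made-up names, and the macros policy_module, gen_require, gen_tunable and tunable_policy are the refpolicy support macros shipped in the selinux-policy-devel headers.

```sepolicy
# Added example, not from the thread: a loadable module for the Fedora
# refpolicy-based policy (needs the selinux-policy-devel headers).
# The module name is deliberately not "snmpd": a module named like an
# existing one replaces it instead of adding to it.
policy_module(local_snmpd_extra, 1.0)

gen_require(`
	type snmpd_t;
	type apmd_t, auditd_t, automount_t;
')

########################################
#
# Whatever the base policy already grants snmpd_t stays in force; every
# rule below is unioned with it. Reading /proc/<pid> state is the
# interface suggested in the reply and needs no ptrace at all.
#
domain_read_all_domains_state(snmpd_t)

########################################
#
# Boolean, named after the module as the reply asks. Defaults to off;
# it is created on "semodule -i" and removed again on "semodule -r".
#
## <desc>
## <p>Allow snmpd to ptrace the apmd, auditd and automount daemons.</p>
## </desc>
gen_tunable(local_snmpd_extra_ptrace, false)

tunable_policy(`local_snmpd_extra_ptrace', `
	# One rule with a type set; the compiler expands it to the
	# per-type allow rules listed in the question.
	allow snmpd_t { apmd_t auditd_t automount_t }:process ptrace;
')
```

Build it with `make -f /usr/share/selinux/devel/Makefile local_snmpd_extra.pp`, load it with `semodule -i local_snmpd_extra.pp`, and flip the conditional rules on with `setsebool local_snmpd_extra_ptrace on`. Because the rules are additive, `semodule -r local_snmpd_extra` returns snmpd_t to exactly the base policy permissions and drops the boolean with it.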
 
Old 09-09-2008, 01:11 PM
Daniel J Walsh
 
Default Naive Qs about selinux modules

Further answered on

http://danwalsh.livejournal.com/23710.html

 
Old 09-09-2008, 01:14 PM
"Johnson, Richard"
 
Default Naive Qs about selinux modules

Thanks. And thanks for the hint about domain_read_all_domains_state().
