Chapter 8. Customizing and Writing Policy
permission. The can_exec() macro includes the permission rx_file_perms, which grants a common set of read and execute permissions to a file. Now you can make this substitution:
# these related rules ...
allow syslogd_t bin_t:dir search;
allow syslogd_t bin_t:file { execute execute_no_trans getattr read };
allow syslogd_t shell_exec_t:file { execute execute_no_trans getattr read };
# combine into this one rule (the domain is syslogd_t, as in the rules above)
can_exec(syslogd_t, { bin_t shell_exec_t })
You also see in the rules that two of the rules are from syslog-ng attempting to use a directory in /usr/ of the type usr_t:
# These rules can be eliminated by properly labeling
# the files in the target location.
allow syslogd_t usr_t:dir { add_name remove_name write };
allow syslogd_t usr_t:file { append create getattr read setattr unlink write };
Your configuration uses a directory in /usr/ to write log files to. Because this log data is not user data, it should have an appropriate label, var_log_t.
# If syslog-ng is configured to put logs in /usr/local/logs/,
# relabel that directory recursively; new files created in the
# directory then inherit the proper type from their parent.
chcon -R -t var_log_t /usr/local/logs/
Now you can trim the rules in $SELINUX_SRC/domains/misc/local.te to read:
can_exec(syslogd_t, { bin_t shell_exec_t })
allow syslogd_t etc_runtime_t:file { getattr read };
allow syslogd_t proc_kmsg_t:file write;
allow syslogd_t proc_t:file { getattr read };
allow syslogd_t bin_t:lnk_file read;
allow syslogd_t sbin_t:dir search;
allow syslogd_t self:capability { chown fowner fsetid sys_admin };
You also need to make an appropriate file contexts file so that the labeling is maintained during relabeling operations. Put the following context declaration in /etc/selinux/targeted/src/policy/file_contexts/misc/local.fc:
/usr/syslog(/.*)?          system_u:object_r:var_log_t
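To see why the file_contexts entry matters, here is a small matcher, added as an example and not part of the guide, that resolves a path against file_contexts entries the way a relabel (setfiles or matchpathcon) does: patterns are anchored to the whole path, an optional file-type field restricts the entry, and the last matching entry wins. The /usr/syslog line is the page's own; the other sample entries are constructed for the example and are not taken from the targeted policy.

```python
import re

# Constructed sample in file_contexts format:
#   <regex>  [<file type: -d dir, -- regular file, ...>]  <context|<<none>>>
# Only the /usr/syslog line comes from the page; the rest are made up here.
SAMPLE_FC = """
/usr(/.*)?                 system_u:object_r:usr_t
/usr/syslog(/.*)?          system_u:object_r:var_log_t
/usr/syslog/.*\\.pid       --  system_u:object_r:var_run_t
/usr/syslog/tmp(/.*)?      <<none>>
"""

def parse_file_contexts(text):
    """Parse file_contexts text into a list of (compiled regex, ftype, context)."""
    specs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, ftype, context = fields
        elif len(fields) == 2:
            regex, context = fields
            ftype = None                          # entry applies to any file type
        else:
            raise ValueError(f"malformed file_contexts line: {line!r}")
        specs.append((re.compile(regex), ftype, context))
    return specs

def match_context(specs, path, is_dir=False):
    """Return the context a relabel would assign to path, or None when no
    entry matches or the matching entry is <<none>> (left unlabeled).
    As in libselinux, entries are tried last-to-first, so the last match wins."""
    ftype_wanted = "-d" if is_dir else "--"
    for regex, ftype, context in reversed(specs):
        if ftype is not None and ftype != ftype_wanted:
            continue
        if regex.fullmatch(path):                 # patterns are anchored at both ends
            return None if context == "<<none>>" else context
    return None

SPECS = parse_file_contexts(SAMPLE_FC)

if __name__ == "__main__":
    for p in ("/usr/syslog/messages", "/usr/share/doc", "/usr/syslog/syslog-ng.pid"):
        print(p, "->", match_context(SPECS, p))
```

Because the later /usr/syslog entry overrides the broader /usr entry, a full relabel keeps the log directory as var_log_t instead of reverting it to usr_t, which is exactly what the chcon alone would not survive.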
8.3. Writing New Policy for a Daemon
This section provides an overall methodology to follow for writing a new policy from scratch. Although this is more complex than adding a few rules to local.te, the concepts are the same. You bring the application under TE rules and work through the AVC denials, adding rules each time until all permissions are resolved.