* [patch] a few small new macros for global_macros.te
@ 2003-07-15 20:44 Colin Walters
2003-07-15 23:31 ` Russell Coker
0 siblings, 1 reply; 3+ messages in thread
From: Colin Walters @ 2003-07-15 20:44 UTC (permalink / raw)
To: selinux; +Cc: Russell Coker
[-- Attachment #1: Type: text/plain, Size: 361 bytes --]
Hi,
I noticed a lot of .te files were repeatedly specifying access to etc_t
and etc_runtime_t. So I created
a macro normal_config_file_access for that. Also while the domain_trans
macro is useful, it doesn't allow for #! scripts, since the file has to
be read. So there's a new macro domain_trans_read.
This patch is needed for my spamassassin policies.
[-- Attachment #2: global-macros.patch --]
[-- Type: text/plain, Size: 1649 bytes --]
--- selinux-policy-1.0.orig/macros/global_macros.te
+++ selinux-policy-1.0/macros/global_macros.te
@@ -303,6 +303,11 @@
allow $3 $2:file entrypoint;
')
+define(`domain_trans_read',`
+domain_trans($1,$2,$3)
+allow $1 $2:file read;
+')
+
#################################
#
# domain_auto_trans(parent_domain, program_type, child_domain)
@@ -776,6 +781,22 @@
allow $1 sbin_t:notdevfile_class_set r_file_perms;
')
+# Read most typical stuff in /etc.
+define(`normal_config_file_read_access',`
+r_dir_file($1, etc_t)
+allow $1 etc_runtime_t:{ file lnk_file } r_file_perms;
+allow $1 resolv_conf_t:{ file lnk_file } r_file_perms;
+allow $1 ld_so_cache_t:file r_file_perms;
+')
+
+# Read access to almost all of /etc.
+define(`extended_config_file_read_access',`
+normal_config_file_read_access($1)
+allow $1 etc_aliases_t:{ file lnk_file } r_file_perms;
+allow $1 etc_mail_t:dir r_dir_perms;
+allow $1 etc_mail_t:{ file lnk_file } r_file_perms;
+')
+
#
# general_file_read_access(domain)
#
@@ -859,15 +880,9 @@
')
allow $1 boot_t:lnk_file read;
-# Read /etc.
-allow $1 etc_t:dir r_dir_perms;
-allow $1 etc_t:notdevfile_class_set r_file_perms;
-allow $1 etc_runtime_t:{ file lnk_file } r_file_perms;
-allow $1 etc_aliases_t:{ file lnk_file } r_file_perms;
-allow $1 etc_mail_t:dir r_dir_perms;
-allow $1 etc_mail_t:{ file lnk_file } r_file_perms;
-allow $1 resolv_conf_t:{ file lnk_file } r_file_perms;
-allow $1 ld_so_cache_t:file r_file_perms;
+# Read /etc
+normal_config_file_read_access($1)
+extended_config_file_read_access($1)
# Read /lib.
allow $1 lib_t:dir r_dir_perms;
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: [patch] a few small new macros for global_macros.te
2003-07-15 20:44 [patch] a few small new macros for global_macros.te Colin Walters
@ 2003-07-15 23:31 ` Russell Coker
2003-07-16 4:27 ` Colin Walters
0 siblings, 1 reply; 3+ messages in thread
From: Russell Coker @ 2003-07-15 23:31 UTC (permalink / raw)
To: Colin Walters, selinux
On Wed, 16 Jul 2003 06:44, Colin Walters wrote:
> I noticed a lot of .te files were repeatedly specifying access to etc_t
> and etc_runtime_t. So I created
> a macro normal_config_file_access for that. Also while the domain_trans
> macro is useful, it doesn't allow for #! scripts, since the file has to
> be read. So there's a new macro domain_trans_read.
In my tree domain_trans() does what your domain_trans_read() does.
Does it make sense to have a rule involveing ld_so_cache_t apart from
uses_shlib()? When would you want to grant access to ld_so_cache_t but not
use uses_shlib()?
What do you need extended_config_file_read_access() for?
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [patch] a few small new macros for global_macros.te
2003-07-15 23:31 ` Russell Coker
@ 2003-07-16 4:27 ` Colin Walters
0 siblings, 0 replies; 3+ messages in thread
From: Colin Walters @ 2003-07-16 4:27 UTC (permalink / raw)
To: Russell Coker; +Cc: selinux
On Tue, 2003-07-15 at 19:31, Russell Coker wrote:
> On Wed, 16 Jul 2003 06:44, Colin Walters wrote:
> > I noticed a lot of .te files were repeatedly specifying access to etc_t
> > and etc_runtime_t. So I created
> > a macro normal_config_file_access for that. Also while the domain_trans
> > macro is useful, it doesn't allow for #! scripts, since the file has to
> > be read. So there's a new macro domain_trans_read.
>
> In my tree domain_trans() does what your domain_trans_read() does.
Ok. That seems more sensible actually. I just merged it back in as
well.
> Does it make sense to have a rule involveing ld_so_cache_t apart from
> uses_shlib()? When would you want to grant access to ld_so_cache_t but not
> use uses_shlib()?
You're right, it's probably not useful. I've deleted it.
> What do you need extended_config_file_read_access() for?
That just came because I broke it out of general_file_read_access, which
I see you've deleted in your tree. I just did that as well, and since
extended_config_file_read_access isn't used either, I've deleted it too.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2003-07-16 4:30 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2003-07-15 20:44 [patch] a few small new macros for global_macros.te Colin Walters
2003-07-15 23:31 ` Russell Coker
2003-07-16 4:27 ` Colin Walters
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.