* [refpolicy] Write permission for /proc/net/xt_recent/
From: Luis Ressel @ 2014-01-25 16:36 UTC
  To: refpolicy

Hello,


On my systems, it's necessary for sysadm_t to be allowed to write to
proc_net_t files, specifically to the files in /proc/net/xt_recent/,
which allow manual control of the "recent" module of iptables. I don't
think it's necessary to add another type for these files, as the other
proc_net_t files aren't writeable anyway. So I'd propose
"allow sysadm_t proc_net_t:file write;"

I don't have a patch, as I'm not sure where to put this (in
roles/sysadm.te or somewhere else) and if a new interface should be
added for it.


Regards,
Luis Ressel


-- 
Luis Ressel <aranea@aixah.de>
GPG fpr: F08D 2AF6 655E 25DE 52BC  E53D 08F5 7F90 3029 B5BD


* [refpolicy] Write permission for /proc/net/xt_recent/
From: Christopher J. PeBenito @ 2014-02-01  3:37 UTC
  To: refpolicy

On 1/25/2014 11:36 AM, Luis Ressel wrote:
> On my systems, it's necessary for sysadm_t to be allowed to write to
> proc_net_t files, specifically to the files in /proc/net/xt_recent/,
> which allow manual control of the "recent" module of iptables. I don't

What program is used to do this?  Perhaps that should be iptables_exec_t instead.


> I don't have a patch, as I'm not sure where to put this (in
> roles/sysadm.te or somewhere else) and if a new interface should be
> added for it.

Accesses of types in other modules need to use interfaces.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] Write permission for /proc/net/xt_recent/
From: Luis Ressel @ 2014-02-01 10:08 UTC
  To: refpolicy

On Fri, 31 Jan 2014 22:37:02 -0500
"Christopher J. PeBenito" <cpebenito@tresys.com> wrote:

> On 1/25/2014 11:36 AM, Luis Ressel wrote:
> > On my systems, it's necessary for sysadm_t to be allowed to write
> > to proc_net_t files, specifically to the files
> > in /proc/net/xt_recent/, which allow manual control of the "recent"
> > module of iptables. I don't
> 
> What program is used to do this?  Perhaps that should be
> iptables_exec_t instead.

I'm writing to those files manually via echo. I'll just write a helper
script then and label it accordingly.


--
Luis Ressel <aranea@aixah.de>
GPG fpr: F08D 2AF6 655E 25DE 52BC  E53D 08F5 7F90 3029 B5BD
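The helper script Luis says he will write is the interesting part of the outcome: once it is labelled so that sysadm_t transitions into a confined domain to run it, the script itself becomes the boundary of the write access, so it has to be strict about what it writes and where. The following is an added example of such a wrapper; it is not code from the thread or from refpolicy. The install path /usr/local/sbin/xt-recent-ctl, the list name BANNED used in the comments, and the XT_RECENT_DIR override (so the script can be exercised against a scratch directory instead of /proc) are assumptions. The +addr, -addr and / commands are the recent module's documented proc interface.

```sh
#!/bin/sh
# xt-recent-ctl: confined wrapper for the xt_recent proc interface.
# Added example (not from the thread or refpolicy). Assumed install path:
# /usr/local/sbin/xt-recent-ctl, labelled iptables_exec_t (or a dedicated
# type) so that sysadm_t transitions into a domain that may write proc_net_t.
#
# Commands written to /proc/net/xt_recent/<list> (iptables-extensions(8),
# "recent" section):
#   +addr  add addr to the list    -addr  remove it    /  flush the list
#
# XT_RECENT_DIR is an assumed override so the functions can be exercised
# against a scratch directory instead of /proc.

usage() {
    printf 'usage: %s add|del LIST IPV4_ADDR | flush LIST\n' "${0##*/}" >&2
}

# Accept only a dotted-quad IPv4 address: four decimal octets, 0-255 each.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    [ "$#" -eq 4 ] || return 1
    for _o in "$@"; do
        [ "${#_o}" -le 3 ] && [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# xt_recent_ctl ACTION LIST [ADDR]
# Returns 0 on success, 2 on any rejected argument or missing list.
xt_recent_ctl() {
    action=${1:-}; list=${2:-}; addr=${3:-}
    dir=${XT_RECENT_DIR:-/proc/net/xt_recent}

    # The list name becomes part of a path, and this script runs in a domain
    # that may write proc_net_t, so refuse anything but a plain identifier
    # (no '/', no '.', nothing that could steer the write to another file).
    case "$list" in
        ''|*[!A-Za-z0-9_-]*) echo "xt-recent-ctl: bad list name" >&2; return 2 ;;
    esac
    target="$dir/$list"

    # The kernel creates the file when a rule using '-m recent --name LIST'
    # is loaded; never create it here, only write to an existing one.
    [ -f "$target" ] || { echo "xt-recent-ctl: no such list: $list" >&2; return 2; }

    case "$action" in
        add|del)
            valid_ipv4 "$addr" || { echo "xt-recent-ctl: bad address" >&2; return 2; }
            if [ "$action" = add ]; then cmd="+$addr"; else cmd="-$addr"; fi
            ;;
        flush)
            cmd=/
            ;;
        *)
            usage; return 2
            ;;
    esac

    # printf rather than echo: "-addr" must never be taken for an echo option.
    printf '%s\n' "$cmd" > "$target"
}

# Act as a command only when invoked under the assumed install name, so the
# functions can also be sourced for testing.
case "${0##*/}" in
    xt-recent-ctl) xt_recent_ctl "$@" ;;
esac
```

Labelling is a separate step; on a system with policycoreutils the assumed path would get its type with `semanage fcontext -a -t iptables_exec_t /usr/local/sbin/xt-recent-ctl` followed by `restorecon` on the file. That only moves the question of who may write proc_net_t from sysadm_t to the domain the script runs in; per Chris's point, that grant still has to come through an interface in the kernel module, where proc_net_t is declared. The validator accepts IPv4 only, which is the assumed deployment; xt_recent also takes IPv6 addresses, and a wrapper for that would need a correspondingly strict check rather than a looser one.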
