Chapter 8. Customizing and Writing Policy


99


permission. The


can_exec()


macro includes the permission


rx_file_perms


, which grants a com 


mon set of read and execute permissions to a file. Now you can make this substitution:


# these related rules ...


allow syslogd_t bin_t:dir search;


allow syslogd_t bin_t:file { execute execute_no_trans getattr \


read };


allow syslogd_t shell_exec_t:file { execute execute_no_trans \


getattr read };


# combine into this one rule


can_exec(syslog_t, { bin_t shell_exec_t } )


You also see in the rules that two of the rules are from


syslog ng


attempting to use a directory in


/usr/


of the type


usr_t


:


# These rules can be eliminated by properly labeling


# the files in the target location.


allow syslogd_t usr_t:dir { add_name remove_name write };


allow syslogd_t usr_t:file { append create getattr read setattr \


unlink write };


Your configuration uses a directory in


/usr/


to write log files to. Because this log data is not user


data, it should have an appropriate label,


var_log_t


.


# If syslog ng is configured to put logs in /usr/local/logs/,


# relabel that directory, and new files in the directory


# inherit the proper type.


chcon  R  t var_log_t /usr/local/logs/


Now you can trim the rules in


$SELINUX_SRC/domains/misc/local.te


to read:


can_exec(syslog_t, { bin_t shell_exec_t } )


allow syslogd_t etc_runtime_t:file { getattr read };


allow syslogd_t proc_kmsg_t:file write;


allow syslogd_t proc_t:file { getattr read };


allow syslogd_t bin_t:lnk_file read;


allow syslogd_t sbin_t:dir search;


allow syslogd_t self:capability { chown fowner fsetid sys_admin };


You also need to make an appropriate file contexts file so that the labeling is


maintained


during


relabeling


operations.


Put


the


following


context


declaration


in


/etc/selinux/targeted/src/policy/file_contexts/misc/local.fc


:


/usr/syslog(/.*)?


system_u:object_r:var_log_t


8.3. Writing New Policy for a Daemon


These section provides an overall methodology to follow for writing a new policy from scratch. Al 


though this is more complex than adding a few rules to


local.te


, the concepts are the same. You


bring the application under TE rules and work through the AVC denials, adding rules each time until


all permissions are resolved.








footer






  


 


 


        

 


 

  

    

      
      
 Home 
      | About Us | Network 
      | Services | Support 
      | FAQ | Control Panel 
      | Order Online |
      Sitemap | Contact

      

      adult web hosting

      
 

    

  

  




Our partners: 
PHP: Hypertext Preprocessor Best Web Hosting
Java Web Hosting
Inexpensive Web Hosting 
Jsp Web Hosting 




Cheapest Web Hosting
Jsp Hosting
Cheap Hosting



Visionwebhosting.net Business web hosting division of Web 
Design Plus. All rights reserved