
Re: Should selinux be standard?



On Tue, Sep 16 2008, Stephen Gran wrote:
> This is a sid install of the default policy in non-enforcing mode.  I
> can't guarantee that every one of those complaints would have
> generated errors that matter, but it doesn't look like we're tuned for
> a normal install just yet.

        Well, seems like I reach a different conclusion:
__> audit2allow <~/selinux-denials-3.txt | egrep -v '(^$)|(^#)' | wc -l
13

        13 lines of policy to get it into enforcing mode, assuming all
 of these actions are safe to allow.

--8<---------------cut here---------------start------------->8---
allow dhcpc_t ntpd_t:process signal;
allow dhcpc_t ntpd_var_run_t:file { read getattr unlink };
allow dhcpc_t self:capability kill;
allow dhcpc_t tmpfs_t:dir { write search add_name };
allow dhcpc_t tmpfs_t:file { create getattr append };

allow fsadm_t apmd_t:fd use;

allow insmod_t apmd_t:unix_stream_socket { read write };
allow insmod_t lib_t:file execute_no_trans;

allow logrotate_t unconfined_home_dir_t:dir search;

allow mount_t etc_t:file unlink;
allow ntpd_t tmpfs_t:dir { write search add_name };
allow udev_t etc_runtime_t:file { unlink append };
allow unconfined_t self:process { execstack execmem };
--8<---------------cut here---------------end--------------->8---

        So, pretty close. Why is logrotate looking into user home
 directories? There is the mount and /etc/mtab thingy, and ifconfig
 writing to ifstate; these should really be changed.

        I think dhcpd policy does need some loving.

        I would much rather we chased down these last outlier bits of
 policy, and let the local admin decide if they really want logrotate to
 look into every single user directory, or not (me, I would prefer to
 create a separate label for log files in my home dir, but that is
 perhaps just me).

        manoj
-- 
"The lesser of two evils -- is evil." Seymour (Sy) Leon
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
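As an added example (not part of the message above, and not audit2allow's own code): a small Python triage script that parses allow rules of the shape audit2allow printed, counts them per source domain the way the `wc -l` pipeline counts them overall, and flags the rules a local admin would want to look at before loading the module rather than allowing everything blindly. The watch-lists of risky permissions and sensitive target types are assumptions chosen for illustration; the sample input is the 13 rules from the message.

```python
import re
from collections import Counter

# Constructed sample: the 13 rules audit2allow produced in the message above.
SAMPLE_RULES = """\
allow dhcpc_t ntpd_t:process signal;
allow dhcpc_t ntpd_var_run_t:file { read getattr unlink };
allow dhcpc_t self:capability kill;
allow dhcpc_t tmpfs_t:dir { write search add_name };
allow dhcpc_t tmpfs_t:file { create getattr append };
allow fsadm_t apmd_t:fd use;
allow insmod_t apmd_t:unix_stream_socket { read write };
allow insmod_t lib_t:file execute_no_trans;
allow logrotate_t unconfined_home_dir_t:dir search;
allow mount_t etc_t:file unlink;
allow ntpd_t tmpfs_t:dir { write search add_name };
allow udev_t etc_runtime_t:file { unlink append };
allow unconfined_t self:process { execstack execmem };
"""

# Hypothetical watch-lists (not from the message): permissions that weaken
# confinement noticeably, and target types a daemon rarely has business with.
RISKY_PERMS = {"execmem", "execstack", "execute_no_trans", "unlink", "kill"}
RISKY_TYPES = {"unconfined_home_dir_t", "etc_t"}

# allow <src> <tgt>:<class> <perm>;  or  allow <src> <tgt>:<class> { p1 p2 };
RULE_RE = re.compile(
    r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*)\}|(\S+))\s*;\s*$")

def parse_rules(text):
    """Return a list of (source, target, class, frozenset(perms)) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # same filter as the egrep
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsed rule: " + line)
        src, tgt, cls, perm_set, perm_one = m.groups()
        perms = frozenset((perm_set or perm_one).split())
        rules.append((src, tgt, cls, perms))
    return rules

def triage(text):
    """Return (rule count, rules per source domain, rules needing review)."""
    rules = parse_rules(text)
    by_domain = Counter(src for src, _, _, _ in rules)
    flagged = [r for r in rules if (r[3] & RISKY_PERMS) or r[1] in RISKY_TYPES]
    return len(rules), by_domain, flagged
```

Running `triage(SAMPLE_RULES)` reports 13 rules, five of them for dhcpc_t, and flags seven for review, including the logrotate/home-directory and mount/etc_t rules the message singles out.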