
Re: About audit2allow generated rules



On Fri, 27 Apr 2012, Min Wang <ser.basis@gmail.com> wrote:
>     just wondering where the tclass=sock_file is defined?

In the refpolicy source it is in policy/flask/access_vectors .

>    basically I have apache mod_tile wanting to access
> 
> /var/run/renderd/renderd.sock ( from renderd)
> 
> ls -lZ /var/run/renderd/
> -rw-r--r--. apache apache system_u:object_r:initrc_var_run_t:s0 renderd.pid
> srwxrwxrwx. apache apache system_u:object_r:var_run_t:s0   renderd.sock
> -rw-r--r--. apache apache system_u:object_r:initrc_var_run_t:s0
> renderd.stats
> 
>      how can I change /define
> 
> tclass=sock_file

sock_file is the class of the object, other classes include "file" and "dir".  
These are not things you change, these are human readable names for things 
that are part of the OS.

What you want to do is to have the daemon run as renderd_t and use 
renderd_var_run_t as the type for the socket file.

>     what I want to do is just grant the permission that is needed?
>     or generally, is there a simple way to define/write a policy
> that only gives the needed permission (there are some howtos that still
> seem complicated??)?
> not just rely on audit2allow to do the magic blindly?

As I said before, you can just grant that access and it will work.  But if 
the renderd is running as root then it is a security risk (I guess that 
renderd is running as initrc_t or unconfined_t and is not being restricted by 
SE Linux).  Even if renderd is not given excessive privs then it's not ideal 
to allow httpd_t access to sock_file:var_run_t due to the possibility of other 
daemons being able to create such objects.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
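Added example, not from this thread or from refpolicy itself: a minimal refpolicy-style module that implements the reply's suggestion (a renderd_t domain, a private renderd_var_run_t type for the socket, and httpd_t allowed to connect only to that socket). The renderd binary path is an assumption, and the daemon's other access rules (network, config files, etc.) are omitted.

```m4
# renderd.te -- added example; the /usr/bin/renderd path is an assumption.
# audit2allow would instead emit roughly: allow httpd_t var_run_t:sock_file write;
# which lets httpd_t write to any var_run_t socket any daemon may create.
policy_module(renderd, 1.0.0)

# Domain the daemon runs in; init transitions into it when it executes
# the renderd binary (instead of leaving it in initrc_t / unconfined_t).
type renderd_t;
type renderd_exec_t;
init_daemon_domain(renderd_t, renderd_exec_t)

# Private type for everything under /var/run/renderd, so the socket is
# no longer a generic var_run_t object.
type renderd_var_run_t;
files_pid_file(renderd_var_run_t)

# renderd manages its run directory, pid/stats files and the socket...
manage_dirs_pattern(renderd_t, renderd_var_run_t, renderd_var_run_t)
manage_files_pattern(renderd_t, renderd_var_run_t, renderd_var_run_t)
manage_sock_files_pattern(renderd_t, renderd_var_run_t, renderd_var_run_t)
# ...and whatever it creates in /var/run gets the private type, not var_run_t.
files_pid_filetrans(renderd_t, renderd_var_run_t, { dir file sock_file })

# mod_tile (httpd_t) may only reach renderd's socket: search the directory,
# write to the sock_file and connectto the renderd_t domain. A proper
# refpolicy change would expose this as a renderd_stream_connect() interface
# in renderd.if and call it from apache.te; gen_require() keeps this local
# module self-contained.
optional_policy(`
	gen_require(`
		type httpd_t;
	')
	stream_connect_pattern(httpd_t, renderd_var_run_t, renderd_var_run_t, renderd_t)
')

# renderd.fc -- file contexts; the binary location is an assumption.
/usr/bin/renderd		--	gen_context(system_u:object_r:renderd_exec_t,s0)
/var/run/renderd(/.*)?		gen_context(system_u:object_r:renderd_var_run_t,s0)
```

After building and loading the module, relabel the run directory (restorecon -Rv /var/run/renderd) and restart renderd so it actually transitions into renderd_t; check ps -eZ and ls -lZ to confirm the domain and the socket type before re-testing mod_tile.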

