[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: About audit2allow generated rules

On Fri, 27 Apr 2012, Min Wang <ser.basis@gmail.com> wrote:
>     just wondering where is the tclass=sock_file defined?

In the refpolicy source it is in policy/flask/access_vectors .

>    basically i have apache mod_tile want to access
> /var/run/renderd/renderd.sock ( from renderd)
> ls -lZ /var/run/renderd/
> -rw-r--r--. apache apache system_u:object_r:initrc_var_run_t:s0 renderd.pid
> srwxrwxrwx. apache apache system_u:object_r:var_run_t:s0   renderd.sock
> -rw-r--r--. apache apache system_u:object_r:initrc_var_run_t:s0
> renderd.stats
>      how can I change /define
> tclass=sock_file

sock_file is the class of the object, other classes include "file" and "dir".  
These are not things you change, these are human readable names for things 
that are part of the OS.

What you want to do is to have the daemon run as renderd_t and use 
renderd_var_run_t as the type for the socket fike.

>     what I want to do is  just granting the permission that is needed?
>     or generally is there a simple way to how to define/write a policy
> that only give the needed permission ( there are some howto seems still
> complicated??) ?
> not just rely on  aduit2allow to do the magic blindly?

As I said before, you can just grant that access and and it will work.  But if 
the renderd is running as root then it is a security risk (I guess that 
renderd is running as initrc_t or unconfined_t and is not being restricted by 
SE Linux).  Even if renderd is not given excessive privs then it's not ideal 
to allow httpd_t access to sock_file:var_run_t due to the possibility of other 
daemons being able to create such objects.

My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

Reply to: