
Re: About audit2allow generated rules

Hi Russell,

thanks a lot.

Another dummy question:

In Debian Lenny there is a polgen package, but in Squeeze there is no polgen. Where did it go? I guess I installed all the related SELinux packages, but could not find polgen. I am assuming polgen is similar to polgengui, but just a command line tool. http://magazine.redhat.com/2007/08/21/a-step-by-step-guide-to-building-a-new-selinux-policy-module/


On 04/26/2012 09:47 PM, Russell Coker wrote:
> On Fri, 27 Apr 2012, Min Wang <ser.basis@gmail.com> wrote:
>> just wondering where tclass=sock_file is defined?
> In the refpolicy source it is in policy/flask/access_vectors .
>
>> basically I have apache mod_tile wanting to access
>>
>> /var/run/renderd/renderd.sock (from renderd)
>>
>> ls -lZ /var/run/renderd/
>> -rw-r--r--. apache apache system_u:object_r:initrc_var_run_t:s0 renderd.pid
>> srwxrwxrwx. apache apache system_u:object_r:var_run_t:s0   renderd.sock
>> -rw-r--r--. apache apache system_u:object_r:initrc_var_run_t:s0
>>
>> how can I change/define it?
>
> sock_file is the class of the object, other classes include "file" and "dir".
> These are not things you change, these are human readable names for things
> that are part of the OS.
>
> What you want to do is to have the daemon run as renderd_t and use
> renderd_var_run_t as the type for the socket file.
>
>> what I want to do is just grant the permission that is needed?
>> or generally is there a simple way to define/write a policy
>> that only gives the needed permission (there are some howtos that still seem
>> complicated??)?
>> not just rely on audit2allow to do the magic blindly?
> As I said before, you can just grant that access and it will work.  But if
> the renderd is running as root then it is a security risk (I guess that
> renderd is running as initrc_t or unconfined_t and is not being restricted by
> SE Linux).  Even if renderd is not given excessive privs then it's not ideal
> to allow httpd_t access to sock_file:var_run_t due to the possibility of other
> daemons being able to create such objects.
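The approach Russell describes (a renderd_t domain for the daemon, a dedicated renderd_var_run_t type for the socket, and httpd_t allowed to connect only to that type) written out as a reference-policy style local module. This is an added example, not code from the thread or from the mod_tile/renderd project; the module name, the binary path /usr/bin/renderd and the file-context lines are assumptions, and the module only covers the socket: whatever else renderd needs (config, tile directories, network) still has to be added by hand.

```selinux
# renderd.te -- hypothetical local policy module (added example, not from the
# thread or from the renderd project).  Built against the refpolicy headers.
policy_module(renderd, 1.0)

########################################
# Declarations
#
# A confined domain for the daemon instead of leaving it in initrc_t
# or unconfined_t.
type renderd_t;
type renderd_exec_t;
init_daemon_domain(renderd_t, renderd_exec_t)

# A dedicated type for /var/run/renderd, so that httpd_t is granted access
# to *this* socket only and not to every sock_file labelled var_run_t.
type renderd_var_run_t;
files_pid_file(renderd_var_run_t)

########################################
# renderd local policy
#
# renderd may create its run directory, pid file and socket, and anything it
# creates under /var/run gets the dedicated type automatically.
manage_dirs_pattern(renderd_t, renderd_var_run_t, renderd_var_run_t)
manage_files_pattern(renderd_t, renderd_var_run_t, renderd_var_run_t)
manage_sock_files_pattern(renderd_t, renderd_var_run_t, renderd_var_run_t)
files_pid_filetrans(renderd_t, renderd_var_run_t, { dir file sock_file })

########################################
# Access from Apache (mod_tile)
#
# What audit2allow would emit from the denial, and what the thread warns
# against, is roughly:
#   allow httpd_t var_run_t:sock_file write;
#   allow httpd_t initrc_t:unix_stream_socket connectto;
# i.e. write to any var_run_t socket and connect to any initrc_t daemon.
#
# Minimal grant instead: search the run dir, write the renderd socket and
# connect to renderd_t only.  (In a full refpolicy submission this would be a
# renderd_stream_connect() interface called from apache.te; a gen_require on
# httpd_t is the local-module shortcut.)
gen_require(`
	type httpd_t;
')
stream_connect_pattern(httpd_t, renderd_var_run_t, renderd_var_run_t, renderd_t)

# renderd.fc -- file contexts (paths are assumptions)
/usr/bin/renderd	--	gen_context(system_u:object_r:renderd_exec_t,s0)
/var/run/renderd(/.*)?		gen_context(system_u:object_r:renderd_var_run_t,s0)
```

Build the .pp with the refpolicy development Makefile shipped by your distribution's policy-dev package, then `semodule -i renderd.pp`, `restorecon -Rv /usr/bin/renderd /var/run/renderd` and restart renderd so it is started by init and transitions into renderd_t (`ps -eZ | grep renderd` and `ls -lZ /var/run/renderd/` should then show renderd_t and renderd_var_run_t instead of initrc_t and var_run_t). Because the new domain starts with almost no rules, put it in permissive mode (`semanage permissive -a renderd_t`) while collecting denials, and add each resulting rule to the .te by hand after reading it, rather than pasting audit2allow output into the module unread.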
