I spent an hour this afternoon with the latest NetLabel patch and Klaus'
original "toy" policy module trying to "flesh it out a bit". The
resulting policy file is attached (as well as a simple Makefile to build
and install the module). I will caution people that I haven't done much
testing with this new policy module yet, but what I have done (mostly
running 'netlabelctl') seems to work well enough.
--
paul moore
linux security @ hp
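# Build and install the NetLabel SELinux policy module.
#
# Pipeline: netlabel.te --(checkmodule)--> netlabel.mod --(semodule_package)--> netlabel.pp
#
# `make install` loads the package into the policy store, which normally
# needs root.  It does NOT relabel the netlabelctl binary: the policy expects
# [/usr/local]/sbin/netlabelctl to carry the netlabelctl_exec_t label, so set
# that separately (chcon or a file-context entry) after installing, or the
# domain transition in the policy never happens.

.PHONY: all install clean

all: netlabel.pp

# Load the built policy package into the running policy store.
install: netlabel.pp
	semodule -i netlabel.pp

# Compile the policy source: -M = MLS-aware, -m = non-base (loadable) module.
netlabel.mod: netlabel.te
	checkmodule -M -m netlabel.te -o netlabel.mod

# Wrap the compiled module in a package semodule can install.
netlabel.pp: netlabel.mod
	semodule_package -m netlabel.mod -o netlabel.pp

# $(RM) already defaults to "rm -f", so missing files are not an error.
clean:
	$(RM) netlabel.pp netlabel.mod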
#######
#
# Sample NetLabel SELinux policy module
# Paul Moore <[EMAIL PROTECTED]>
#
# Based on a "toy policy module" by Klaus Weidner
#
#
###
#
# module information
#
module netlabel 0.1;

#
# Everything this module uses but does not declare itself has to be pulled
# in from the base policy here, otherwise the module will not link.
#
require {
	# object classes and the specific permissions the rules below grant
	class tcp_socket { recv_msg };
	class udp_socket { recv_msg };
	class netlink_socket { create bind write read };
	class process { transition noatsecure siginh rlimitinh };
	class dir { search };
	class file { ioctl getattr read execute entrypoint };
	class chr_file { ioctl getattr read write };
	class lnk_file { read };
	class fd { use };

	# user domains that receive NetLabel'd packets; staff_t also launches netlabelctl
	type user_t, staff_t, sysadm_t;
	# terminal used by a staff_t session
	type staff_tty_device_t;
	# loader, shared libraries, and the login program whose descriptors are inherited
	type etc_t, ld_so_cache_t, ld_so_t, lib_t, shlib_t, local_login_t;

	# attributes attached to the new types
	attribute domain;
	attribute entry_type;
	attribute exec_type;
	attribute file_type;
}
###
#
# netlabel types
#

# Domain that netlabelctl runs in.  Note that the domain attribute brings in
# every base-policy rule written against "domain", which is broader than a
# configuration tool strictly needs.
type netlabelctl_t, domain;

# Label for the netlabelctl executable; an entry point into netlabelctl_t.
type netlabelctl_exec_t, entry_type, exec_type, file_type;

# Only staff_r may be in the netlabelctl_t domain (matches the staff_t
# transition in the rules below).
role staff_r types netlabelctl_t;
###
#
# policy
#

#
# Receiving a NetLabel'd packet is access-checked (recv_msg); sending is not.
# The target of a recv_msg check is the context the kernel derives from the
# packet's label, so "self" here means each domain only accepts packets whose
# label carries its own type.  Widen this per deployment rather than with a
# catch-all attribute.
#
allow { user_t staff_t sysadm_t } self:{ tcp_socket udp_socket } recv_msg;

#
# Let a staff_t session run netlabelctl in its own domain.
#
# SECURITY NOTE: whoever can enter netlabelctl_t can reconfigure how labels
# are mapped onto network traffic.  staff_t is used here only because it is
# convenient for testing; before real use, move the entry point to sysadm_t
# (and sysadm_r) or a dedicated administrative domain.
#
# The binary, [/usr/local]/sbin/netlabelctl, must be labeled
# netlabelctl_exec_t; without that label the type_transition below never
# fires and the tool just runs in the caller's domain.
#

# equivalent of refpolicy domain_entry_file(netlabelctl_t, netlabelctl_exec_t)
allow netlabelctl_t netlabelctl_exec_t:file { entrypoint getattr read };

# equivalent of refpolicy domain_auto_trans(staff_t, netlabelctl_exec_t, netlabelctl_t)
allow staff_t netlabelctl_exec_t:file { getattr read execute };
allow staff_t netlabelctl_t:process transition;
type_transition staff_t netlabelctl_exec_t:process netlabelctl_t;
# the usual AT_SECURE / signal-state / rlimit inheritance denials are noise
dontaudit staff_t netlabelctl_t:process { noatsecure siginh rlimitinh };

#
# Dynamic loader and shared libraries.
#
allow netlabelctl_t etc_t:dir search;
allow netlabelctl_t lib_t:dir search;
allow netlabelctl_t lib_t:lnk_file read;
allow netlabelctl_t { ld_so_cache_t ld_so_t }:file { getattr read };
allow netlabelctl_t shlib_t:file { getattr read execute };

#
# Terminal I/O over descriptors inherited from the login session.
#
allow netlabelctl_t { staff_t local_login_t }:fd use;
allow netlabelctl_t staff_tty_device_t:chr_file { ioctl getattr read write };

#
# Talking to the NetLabel kernel subsystem over netlink.
#
# NOTE(review): only socket-level permissions are granted here.  If the
# kernel's NetLabel netlink handlers require CAP_NET_ADMIN, netlabelctl_t will
# also need `self:capability net_admin`; confirm from the audit log.  On a
# policy that has the extended netlink socket classes the class would be
# netlink_generic_socket rather than netlink_socket.
#
allow netlabelctl_t self:netlink_socket { create bind write read };