On Tue, 2013-08-20 at 10:51 +0000, Juan Orti Alcaine wrote:
El 2013-08-19 13:27, Dominick Grift escribió:
On Sun, 2013-08-18 at 20:10 +0200, Juan Orti Alcaine wrote:
Hello, I'm the package mantainer of gogoc, and I'm creating my first policy module for it following the instructions of this draft in the wiki [1].
It says you must build your module for three policies: mls, scritct and targeted, but I don't see any strict policy, is this information still correct? Must I build it also for minimum?
Yes strict no longer exists, so remove any reference to it
And what about the minimum policy?
Probably should ignore minimal as well. Since that policy model aims to be minimal
Also, I see some packages dropping their policies to /usr/share/selinux/packages/ and others to /usr/share/selinux/{targeted,mls}. What's better?
Not sure but probably the latter
Also I have doubts if the module will always live in the gogoc package or it will be migrated sometime to the main selinux-policy-targeted package.
If you can take a look at the policy to find any possible error it would be great. It's already in the git repository of gogoc [2]
You policy should have no require{} in the .te file, everything should have an api that you can use instead
Only type transition on what you need to type transition on, instead of everything (you type transition on everything)
corecmd_bin_entry_type(gogoc_t) <- this doesnt make sense as you do not domain type transition on bin_t anywhere
radvd_admin(gogoc_t, system_r) <- this one isnt appropriate here
systemd_exec_systemctl(gogoc_t) <- why is this needed?
allow gogoc_t radvd_exec_t:file { read execute open execute_no_trans }; <-- depending on why gogoc runs dadvd you may want to run radvd with a domain transition instead. If it turns out that you should have ran radvd with a domain transition ,then it is encouraged you start over with your policy because, one should always take care of type transitions first before adding any other rules. because type transitions can greatly impact access your process needs
There are duplicate rules in your policy
For example: sysnet_dns_name_resolve(gogoc_t) and files_read_etc_files(gogoc_t)
are already enclosed with: auth_use_nsswitch(gogoc_t)
Theres probably a bit moreroom for improvement other than above but this is a start
Thank you for your comments, I'm newbie at policy writing.
What gogoc does is to negotiate the tunnel and execute a shell script to configure the tun interface and launch the radvd with a custom config to advertise the prefix in the net.
I'm rewriting the policy and have doubts about how to transition to the radvd_t domain. I miss a interface like radvd_domtrans(gogoc_t), which I think it's the way to do the transition, another way I'm thinking it's adding a section require{ type radvd_exec_t;} and grant access to execute and domain transition. Which api function should I use?
upstream will probably only accept it with the use of a dadvd_domtrans() but for your solution for now you could do something like this:
optional_policy(` gen_require(` type radvd_exec_t, radvd_t; ') domtrans_pattern(gogoc_t, radvd_exec_t, radvd_t) ')
Regards, Juan.