policy additions needed to make my system run in secure mode

From: Justin Smith <jsmith_at_mcs.drexel.edu>
Date: 01 Dec 2001 10:21:26 -0500

These are lines of text I had to ADD to the default NSA policy to allow my system to boot and run its normal functions in secure mode:

(I haven't tested X windows and my usual desktop environment yet, so there may be more such additions...)



initrc.te:

# ipchains

allow initrc_t initrc_t:rawip_socket { create setopt };

# usb

allow initrc_t unlabeled_t:dir { search };
allow initrc_t unlabeled_t:file { read getattr };

allow mount_t usr_t:dir { mounton };
allow mount_t usr_t:file { append setattr };
allow mount_t proc_t:dir { mounton };


# postgres

allow initrc_t user_home_t:dir { append };
allow initrc_t user_home_t:file { append };
allow initrc_t var_lib_t:dir { write add_name create };
allow initrc_t var_lib_t:file { create };
allow initrc_t tmpfs_t:file { read write };
--------------------------------------------------------------------------
apache.te:

# General (allow server-side includes)

allow httpd_t httpd_user_script_rw_t:file { getattr read };

#
# Servlets
# (I modified file types to make all my web pages t
# httpd_user_script_rw_t
# and the Tomcat servlet directory to httpd_user_script)
#

allow httpd_t httpd_user_script_t:file { append };
allow initrc_t httpd_user_script_rw_t:dir { getattr search };

allow httpd_t httpd_user_script_rw_t:dir { search getattr };
allow initrc_t httpd_user_script_rw_t:file { read getattr append write };

allow initrc_t httpd_user_script_t:dir { read write };
allow initrc_t httpd_user_script_t:file { read write execute execute_no_trans setattr append };

allow initrc_t file_t:lnk_file { read };
allow initrc_t file_t:file { execute execute_no_trans };
allow initrc_t usr_t:file { execute execute_no_trans };
allow initrc_t http_port_t:tcp_socket { name_bind };
--------------------------------------------------------------

user.te:

# Postgres

allow user_t usr_t:file { execute execute_no_trans };
allow user_t initrc_tmp_t:sock_file { write };
allow user_t initrc_t:unix_stream_socket { connect };

----------------------------------------------------------

These may not be ideal from a security point of view but they work.

Received on Sat 1 Dec 2001 - 10:39:28 EST
