Fedora Linux Support Community & Resources Center

  #1  
Old 26th April 2012, 11:45 AM
Scriptum Offline
Registered User
 
Join Date: Apr 2011
Posts: 11
Question Selinux policy: inheritance of rules

I want to write a policy module (mls) for the application that will have the same rules as one of the existing applications but with additional rules. Is there a way to inherit all allows from another domain?

Something like

Code:
policy_module my_app 1.0
require {
type user_t,xselection_t;
class xselection {read write};
}
#this domain will have same allow's as user_t
type my_app_t : inherits user_t

allow my_app_t xselection_t : xselection {read write};

In short, almost all programs in the mls policy run in the user_t domain, but one of these programs must have slightly more privileges.

I found only one example in the reference policy - wm_t. The policy for wm_t can't access user's data, but I want to keep all user_t restrictions.
  #2  
Old 26th April 2012, 07:07 PM
domg472 Offline
SELinux Contributor
 
Join Date: May 2008
Posts: 623
Re: Selinux policy: inheritance of rules

You could use type attributes, or type aliases for that, I guess.

http://selinuxproject.org/page/TypeStatements

See the attribute, typeattribute, typealias and typebounds statements.

Or you could use templates maybe?

http://selinuxproject.org/page/TypeRules
__________________
Come join us on #fedora-selinux on irc.freenode.org
http://docs.fedoraproject.org/selinu...ide/f10/en-US/
  #3  
Old 10th May 2012, 03:34 PM
Scriptum Offline
Registered User
 
Join Date: Apr 2011
Posts: 11
Re: Selinux policy: inheritance of rules

If I create an alias:

Code:
typealias user_t alias inherit_t;

and then add an attribute to the alias:

Code:
mls_file_write_all_levels(inherit_t);

user_t also gets the mls_file_write_all_levels permission. But I want to find a way to make inherit_t trusted and keep user_t untrusted.
  #4  
Old 10th May 2012, 03:53 PM
domg472 Offline
SELinux Contributor
 
Join Date: May 2008
Posts: 623
Re: Selinux policy: inheritance of rules

Right, I was not sure about that, but it makes sense, come to think of it.

I guess you would have to settle for using type attributes.

See if you can use user_usertype and then extend that (not sure if that will work, but this attribute is available in f16)

Code:
# seinfo -xauser_usertype
   user_usertype
      user_openoffice_t
      user_java_t
      user_mono_t
      user_wine_t
      user_execmem_t
      user_t

Code:
sesearch -ASCT -s user_usertype | grep user_usertype
sesearch -ASCT -t user_usertype | grep user_usertype

If that does not work the way you like, then I guess you'll have to use type attributes to implement something similar (or use templates) by yourself.

If you want to clone the user_t user login domain, then why not just clone that module, rename it and extend it?
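The attribute approach suggested in the replies, written out as an added example (not code from the thread or from the reference policy). It assumes a refpolicy-based MLS policy in which user_usertype exists as in the seinfo output above; my_app_t and my_app_exec_t are hypothetical names.

```selinux
# my_app.te: added example, refpolicy-style module source.
# my_app_t and my_app_exec_t are hypothetical names.
policy_module(my_app, 1.0)

gen_require(`
	type user_t;
	role user_r;
	attribute user_usertype;
')

# New domain and the file type that serves as its entry point.
type my_app_t;
type my_app_exec_t;
application_domain(my_app_t, my_app_exec_t)
role user_r types my_app_t;

# "Inheritance": join the attribute that user_t already carries.
# Every rule written with user_usertype as source or target now
# covers my_app_t as well. Rules written directly against user_t
# are NOT picked up this way and must be added explicitly.
typeattribute my_app_t user_usertype;

# user_t runs the program and transitions into the new domain.
domtrans_pattern(user_t, my_app_exec_t, my_app_t)

# The extra MLS privilege is granted to the new type only.
# Unlike the typealias attempt, user_t is not affected, because
# my_app_t is a distinct type rather than a second name for user_t.
mls_file_write_all_levels(my_app_t)
```

After the module is loaded, the sesearch commands from post #4 show which rules my_app_t receives through the attribute.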