Description of problem: After doing this howto: http://people.redhat.com/sgrubb/audit/prelude.txt I noticed some issues in the prelude policy. Some highlights are:
- a patch to the prelude init script needed an escape character
- policy for prelude-lml was missing
- policy for prewikka was coarse and didn't have a files config file
These patches are against 331-48 f9.
Created attachment 309716 [details] patch1
Created attachment 309717 [details] patch2
Created attachment 309993 [details] prelude.fc
Created attachment 309994 [details] prelude.te
Thanks, looks good. Although I wanted the files_config_file for prewikka because it has a MySQL password in there. Also I noticed that you removed the gamin optional_policy block for prelude-lml. Not sure why, but it seemed needed when I tried it. Also I think domain_use_interactive_fds(prelude_lml_t) may not be required.
So you are trying to prevent other domains from reading the config file? In that case you might want to label it something like prewikka_secret_t and not give it files_config, since files_config allows all domains to read, just like etc_t. gamin_ is a bad thing to use for a system service, since it is long running and shared by other domains. So it causes SELinux problems when it is run. gamin policy is not being shipped so this optional block will not be executed. The gamin policy is also pretty broken right now.
Understood. I also noticed you didn't declare a domain type for prelude-lml. The admin_prelude interface needs an update to reflect prelude-lml. Also, we need a prelude_manage_spool() for snort.
Created attachment 309995 [details] snort.te
Created attachment 309996 [details] snort.if
Created attachment 309997 [details] snort.fc
files_search_spool(snort_t) should be in that optional_policy block for prelude, since any domain will need to be able to search spool to be able to append to prelude's spool files.
########################################
## <summary>
##	Read and append to prelude-manager spool files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`prelude_write_spool_files',`
	gen_require(`
		type prelude_spool_t;
	')

	# callers need to search /var/spool to reach the prelude spool dir
	files_search_spool($1)
	allow $1 prelude_spool_t:dir { read search getattr };
	allow $1 prelude_spool_t:file { read lock getattr write append };
')
Fixed in selinux-policy-3.3.1-70.fc9.noarch
Thanks. One small issue left:

#============= snort_t ==============
allow snort_t prelude_spool_t:dir read;

and this, but you have explained why:

#============= prelude_lml_t ==============
allow prelude_lml_t gamin_exec_t:file { read execute };
By the way, should corenet_tcp_connect_prelude_port(snort_t) not be in the optional_policy block designated for prelude? I know the port is defined in corenetwork, but if there is no prelude module then there likely won't be a prelude_port_type.
No. Other policies might not include the prelude policy but would still define the prelude port.

Fixed in selinux-policy-3.3.1-71.fc9.noarch
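The two points made in this thread (comments 7 and 17) come together in the fragments below. This is an added example written for this page, not the prelude.te/snort.te attachments from the bug or the policy that shipped in selinux-policy-3.3.1-71. It assumes a domain named prewikka_t and a config directory /etc/prewikka; both names are illustrative, since neither is stated in the thread. corenet_tcp_connect_prelude_port() and prelude_write_spool_files() are the interfaces discussed above.

```selinux
# --- prewikka.te fragment (added example) ---------------------------------
# Per comment 7: files_config_file() would let every domain read the file,
# just like etc_t, which is the wrong shape for a file holding a MySQL
# password. A private type read only by the prewikka domain is narrower.
# prewikka_t is an assumed domain name for this example.

gen_require(`
	type prewikka_t;
')

type prewikka_secret_t;
files_type(prewikka_secret_t)

# Only prewikka itself may list the directory and read the secret file.
read_files_pattern(prewikka_t, prewikka_secret_t, prewikka_secret_t)

# --- prewikka.fc fragment (added example; path is an assumption) -----------
/etc/prewikka(/.*)?		gen_context(system_u:object_r:prewikka_secret_t,s0)

# --- snort.te fragment (added example) -------------------------------------
# Per comment 17: the prelude port type is declared in corenetwork, so the
# connect rule does not depend on the prelude module and stays outside
# optional_policy(). Access to prelude_spool_t does depend on it, so that
# call is guarded, and files_search_spool() comes from the interface rather
# than being repeated here (comment 12).
corenet_tcp_connect_prelude_port(snort_t)

optional_policy(`
	prelude_write_spool_files(snort_t)
')
```

After building and loading the module, the effect of the split can be checked with sesearch on the compiled policy: snort_t should have an allow rule to prelude_spool_t:file for append only when the prelude module is installed, while no domain other than prewikka_t should have read on prewikka_secret_t:file.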
Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed.