Tuesday, February 09, 2010

mod_mono, Centos 5 64 bit, and SELinux Part 2

The trick to creating an SELinux policy is to set the mode to permissive, which blocks nothing but logs every denial to audit.log, and then use that log to generate the policy. After running my mod_mono based application for a while in permissive mode, I used this command to generate a local policy module:
egrep 'http|mono' /var/log/audit/audit.log | audit2allow -M myhttp
Here is the result:
module myhttp 1.0;

require {
type httpd_tmp_t;
type device_t;
type initrc_t;
type httpd_t;
type httpd_sys_script_t;
type http_port_t;
type port_t;
type inotifyfs_t;
class process { execstack execmem getsched ptrace };
class unix_stream_socket connectto;
class chr_file { read write ioctl };
class tcp_socket name_connect;
class file execute;
class sem { unix_read write unix_write associate read destroy };
class shm { unix_read read write unix_write associate };
class dir read;
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t http_port_t:tcp_socket name_connect;
allow httpd_sys_script_t httpd_tmp_t:file execute;
allow httpd_sys_script_t inotifyfs_t:dir read;
allow httpd_sys_script_t self:process { execmem getsched ptrace };
allow httpd_sys_script_t self:sem { unix_read write unix_write associate read destroy };

#============= httpd_t ==============
allow httpd_t device_t:chr_file { read write ioctl };
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
allow httpd_t initrc_t:shm { unix_read read write unix_write associate };
allow httpd_t port_t:tcp_socket name_connect;
allow httpd_t self:process { execstack execmem };
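Before loading a module like this with semodule, it is worth reading the generated rules rather than installing them blindly: execmem, execstack, ptrace and a name_connect on the generic port_t type are broad grants. As an added example (not code from the original post), the POSIX shell script below wraps the generation step from above and flags those allow rules for review; the list of permissions treated as risky is this example's own choice, not an SELinux-defined category.

```shell
#!/bin/sh
# Added example: review an audit2allow-generated .te module before loading it.
# Assumes the module name "myhttp" from the post; the risky-permission list
# below is this example's own selection.

# Permissions that deserve a deliberate decision rather than a blanket allow:
#   execmem/execstack        : writable+executable memory (JITs need it, but it
#                              weakens W^X protection for the whole domain)
#   ptrace                   : inspecting/controlling other processes
#   port_t:tcp_socket name_connect : outbound connects to any unreserved port
RISKY_PERMS='execmem|execstack|ptrace|port_t:tcp_socket name_connect'

# risky_rules FILE: print every allow rule in FILE that grants a risky permission
risky_rules() {
    grep -E '^[[:space:]]*allow ' "$1" | grep -E "$RISKY_PERMS"
}

# risky_count FILE: number of such rules (0 means nothing needs a second look)
risky_count() {
    risky_rules "$1" | wc -l | tr -d ' '
}

# The generation step from the post, wrapped so it only runs on demand
# (audit2allow ships with policycoreutils; this script does not call it itself).
generate_module() {
    grep -E 'http|mono' /var/log/audit/audit.log | audit2allow -M "$1"
}

# Constructed sample: a subset of the post's myhttp.te, embedded so the
# checker runs without an audit log or SELinux tooling present.
SAMPLE_TE="$(mktemp)"
cat > "$SAMPLE_TE" <<'EOF'
module myhttp 1.0;
require { type httpd_t; type port_t; class process { execstack execmem ptrace }; }
allow httpd_sys_script_t self:process { execmem getsched ptrace };
allow httpd_t port_t:tcp_socket name_connect;
allow httpd_t self:process { execstack execmem };
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
EOF

if [ "$(risky_count "$SAMPLE_TE")" -gt 0 ]; then
    echo "Review these rules before running 'semodule -i myhttp.pp':"
    risky_rules "$SAMPLE_TE"
fi
```

On a real host, run `generate_module myhttp` first and point `risky_rules` at the resulting `myhttp.te`; the `require` block is skipped because only lines starting with `allow` are examined.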
