danieldk
08-03-2006, 04:43 PM
After tinkering with it for a while, I can really recommend the SEEdit project to people using Fedora, RHEL, or CentOS who dislike the complexity of the default SELinux policies. The SEEdit package includes the Simplified Policy Description Language (SPDL), a simple AppArmor-like syntax for creating policies. For example:
{
domain vsftpd_t;
program /usr/sbin/vsftpd;
include common-relaxed.sp;
include daemon.sp;
include nameservice.sp;
allow /etc/shadow r,s;
allow /etc/pam.d/vsftpd r,s;
allow /etc/security/pam_env.conf r,s;
allow /etc/vsftpd.user_list r,s;
allow /etc/vsftpd/vsftpd.conf r,s;
allow /var/log/xferlog a,r,s;
allow ~/** r,s;
allowpriv netlink;
allowpriv cap_sys_chroot;
allowpriv audit_write;
allow /etc/selinux/config r,s;
allownet -protocol tcp -port 20 server;
allownet -protocol tcp -port 21 server;
allownet -protocol tcp -port 1024- server;
}
If I have some time tomorrow, I will post a more extended policy creation session.
Their website is:
http://seedit.sourceforge.net/
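The policy above is short enough to read by eye, but once a site has a few dozen of them it helps to have a script that parses the SPDL statements and flags the grants worth a second look (globbed home-directory access, sensitive files, open port ranges, capabilities). The following is an added example written for this thread, not code from SEEdit or from the post's author. It assumes the SPDL grammar is exactly what the post shows (one `;`-terminated statement per line inside `{ }`, the keywords `domain`, `program`, `include`, `allow`, `allowpriv`, `allownet`), that a trailing `-` in `-port 1024-` means "1024 and above", and that the list of sensitive paths is a local choice, not anything SEEdit defines. The sample policy embedded in the script is the one from the post.

```python
"""Parse the SPDL subset shown in the post and audit a domain's grants.

Assumptions (not from SEEdit's documentation): grammar inferred from the
single example in the post; '1024-' is read as ports 1024..65535; the
SENSITIVE_PATHS list is this script's own choice.
"""
from dataclasses import dataclass, field

# Constructed sample: the vsftpd_t policy quoted in the post, embedded so the
# script runs offline.
SAMPLE_POLICY = """{
domain vsftpd_t;
program /usr/sbin/vsftpd;
include common-relaxed.sp;
include daemon.sp;
include nameservice.sp;
allow /etc/shadow r,s;
allow /etc/pam.d/vsftpd r,s;
allow /etc/security/pam_env.conf r,s;
allow /etc/vsftpd.user_list r,s;
allow /etc/vsftpd/vsftpd.conf r,s;
allow /var/log/xferlog a,r,s;
allow ~/** r,s;
allowpriv netlink;
allowpriv cap_sys_chroot;
allowpriv audit_write;
allow /etc/selinux/config r,s;
allownet -protocol tcp -port 20 server;
allownet -protocol tcp -port 21 server;
allownet -protocol tcp -port 1024- server;
}
"""

# Paths a daemon rarely needs; a hit here is a prompt for review, not an error.
SENSITIVE_PATHS = {"/etc/shadow", "/etc/gshadow", "/etc/selinux/config"}


@dataclass
class Policy:
    domain: str = ""
    program: str = ""
    includes: list = field(default_factory=list)
    files: dict = field(default_factory=dict)   # path -> set of permission letters
    privs: list = field(default_factory=list)   # allowpriv arguments, in order
    nets: list = field(default_factory=list)    # (protocol, port spec, role)


def parse_spdl(text):
    """Parse one SPDL domain block into a Policy; unknown statements raise."""
    pol = Policy()
    for raw in text.splitlines():
        line = raw.strip().rstrip(";").strip()
        if not line or line in ("{", "}"):
            continue
        kw, *args = line.split()
        if kw == "domain":
            pol.domain = args[0]
        elif kw == "program":
            pol.program = args[0]
        elif kw == "include":
            pol.includes.append(args[0])
        elif kw == "allow":
            path, perms = args[0], args[1]
            pol.files.setdefault(path, set()).update(perms.split(","))
        elif kw == "allowpriv":
            pol.privs.append(args[0])
        elif kw == "allownet":
            proto = port = role = None
            i = 0
            while i < len(args):          # '-flag value' pairs, then a bare role
                if args[i] == "-protocol":
                    proto, i = args[i + 1], i + 2
                elif args[i] == "-port":
                    port, i = args[i + 1], i + 2
                else:
                    role, i = args[i], i + 1
            pol.nets.append((proto, port, role))
        else:
            raise ValueError(f"unknown SPDL statement: {line}")
    return pol


def port_range(spec):
    """'21' -> (21, 21); '20-21' -> (20, 21); '1024-' -> (1024, 65535) (assumed)."""
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo), (int(hi) if hi else 65535)
    return int(spec), int(spec)


def audit(pol):
    """Return human-readable findings about broad or sensitive grants."""
    findings = []
    for path, perms in sorted(pol.files.items()):
        p = ",".join(sorted(perms))
        if "**" in path or path.startswith("~"):
            findings.append(f"broad file rule: {path} {p}")
        if path in SENSITIVE_PATHS:
            findings.append(f"sensitive file: {path} {p}")
        if path.startswith("/etc/") and perms & {"w", "a"}:
            findings.append(f"write access under /etc: {path} {p}")
    for proto, port, role in pol.nets:
        lo, hi = port_range(port)
        if role == "server" and hi > lo:
            findings.append(f"listens on {proto} port range {lo}-{hi}")
    for priv in pol.privs:
        if priv.startswith("cap_"):
            findings.append(f"capability granted: {priv}")
    return findings


if __name__ == "__main__":
    policy = parse_spdl(SAMPLE_POLICY)
    print(f"{policy.domain} ({policy.program}): {len(policy.files)} file rules")
    for finding in audit(policy):
        print(" -", finding)
```

Run against the post's policy it reports the `~/**` read grant, the reads of `/etc/shadow` and `/etc/selinux/config`, the `cap_sys_chroot` capability, and the server listen on 1024 and above. None of those is necessarily wrong for an FTP daemon (vsftpd does need passive-mode ports and a chroot), but they are exactly the lines a reviewer should justify before loading the policy.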