[Clip] Need help with a Clip policy using SLIDE/CDS

Wood, James jwood at cryptek.com
Mon Aug 24 08:55:40 CDT 2009


I am trying to create a policy for one of our products.

I am using 3.1-0 of clip SELinux policy and SLIDE/CDS.  I have a remote
target server set up with our application and slideRemote (monolithic).
I have created a policy for our application and can deploy it via
slideRemote.  The files and directories possess the expected security
labels but I cannot get the processes to transition into their domains.
I believe I have created the appropriate structure(s) in SLIDE/CDS but
clearly something is missing.

I have tried looking at the files containing the results of the CDS diagram but
that has not been useful.  Is there someone who can help me out?

I am a little hesitant about sending out work product on the list but here
is a somewhat generic description of the processes involved.

The first process domain is a modified Apache httpd. It operates in
proxy mode. It reads a security policy (which is a resource that is
shared with the other process domains) to make allow/disallow access
decisions for files residing on a remote server. 

This process will not transition out of init_t.

The second process domain is a java process that communicates with a
remote administrator appliance via TCP/IP.  This process manages/updates
the security policy that was mentioned earlier. This process will not
transition out of java_t.

 
The third process domain is a tomcat web server that operates under
process #1.  It also reads the security policy and makes access
decisions for web/xml content.
 
All of these processes are started via init scripts. 

I have gone ahead and attached a zip file containing the policy source
and a screen shot of the CDS graphic.

Thanks 
James

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ngxml_policysrc.zip
Type: application/x-zip-compressed
Size: 197974 bytes
Desc: ngxml_policysrc.zip
Url : http://oss.tresys.com/pipermail/clip/attachments/20090824/f31b4717/attachment.bin 

