Naive Qs about selinux modules

Q: Can any SELinux directive be put into a policy module, or are there restrictions? For example: suppose I wanted to:

    allow snmpd_t apmd_t:process ptrace;
    allow snmpd_t auditd_t:process ptrace;
    allow snmpd_t automount_t:process ptrace;
    [ ...and so on ]

so that snmpd could access mib .1.3.6.1.2.1.6. (advisability notwithstanding) Could these directives be put into a policy module even though the base policy already has an snmpd i/f?

Q. Can a module define new booleans? If so are they persistent if the module is unloaded and reloaded? For example; an snmpd policy module with an snmpd_can_ptrace boolean. Are there namespace conventions?

Q. What happens if the base policy (or another policy module) is updated with overlapping statements. Am I correct in believing that the set of allows is the union of the base allows + all module allows?

--rich

-- 
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Re: Naive Qs about selinux modules

Johnson, Richard wrote:
> Q: Can any SELinux directive be put into a policy module, or are there
> restrictions?
>
> For example: suppose I wanted to:
>
> allow snmpd_t apmd_t:process ptrace;
> allow snmpd_t auditd_t:process ptrace;
> allow snmpd_t automount_t:process ptrace;
> [ ...and so on ]
>
> so that snmpd could access mib .1.3.6.1.2.1.6. (advisability
> notwithstanding) Could these directives be put into a policy module even
> though the base policy already has an snmpd i/f?

Yes although watch out for name conflicts, IE Don't name your module
the same as an existing module or you will replace it.

BTW the interface

domain_read_all_domains_state(snmpd_t)

Is probably what you want.

> Q. Can a module define new booleans? If so are they persistent if the
> module is unloaded and reloaded?

Yes and the booleans will be removed if you unload the policy.

> For example; an snmpd policy module with an snmpd_can_ptrace boolean.
> Are there namespace conventions?

Well we would prefer all booleans to be named with the name of the
module. Although there are a lot of booleans that do not follow that
standard. I would love to have aliasing for booleans so we could rename
them.

> Q. What happens if the base policy (or another policy module) is
> updated with overlapping statements.

They are additive.

> Am I correct in believing that the set of allows is the union of the
> base allows + all module allows?

Yes

> --rich
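The following script is an added example that puts Dan's answers into practice; it is not code from the list, from Rich, or from the Fedora policy. It writes a small policy module (the module name snmpd_ptrace, the boolean name snmpd_ptrace_domains, the /usr/share/selinux/devel/Makefile path and the exact rule set are all assumptions), and it goes one step beyond the question by collapsing the per-domain ptrace allows onto the `domain` attribute, gated by a tunable named after the module, while leaving the domain_read_all_domains_state() interface unconditional. Before loading, it reads `semodule -l` to make sure the name does not collide with a module that is already loaded, which is the replacement trap Dan warns about. The build and load steps only run when the script is invoked with the argument `install` on a machine with the SELinux toolchain, as root; without it the script just renders the module source.

```shell
#!/bin/sh
# Added example for the snmpd policy-module thread; not list or Fedora code.
# MODULE, BOOL, the rule set and the Makefile path are assumptions.

MODULE=snmpd_ptrace        # assumed; must differ from every name in `semodule -l`
BOOL=snmpd_ptrace_domains  # assumed; prefixed with the module name, as Dan asks

# Print the module source (.te). domain_read_all_domains_state() is the
# interface Dan suggested and is unconditional; the per-domain ptrace allows
# from the question collapse onto the `domain' attribute, gated by the tunable.
render_te() {
    cat <<EOF
policy_module(${MODULE}, 1.0)

gen_tunable(${BOOL}, false)

require {
    type snmpd_t;
    attribute domain;
}

domain_read_all_domains_state(snmpd_t)

tunable_policy(\`${BOOL}', \`
    allow snmpd_t domain:process ptrace;
')
EOF
}

# Read a "semodule -l" listing on stdin (old "name version" or new "name"
# format) and return 0 if module $1 is already loaded, i.e. would be replaced.
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# Build, load and exercise the module. Needs selinux-policy-devel,
# policycoreutils and setools, and root. Only runs on "sh <script> install".
install_and_check() {
    workdir=$(mktemp -d)
    render_te > "$workdir/${MODULE}.te"

    if semodule -l | module_loaded "$MODULE"; then
        echo "module $MODULE is already loaded; installing would replace it" >&2
        return 1
    fi

    make -C "$workdir" -f /usr/share/selinux/devel/Makefile "${MODULE}.pp"
    semodule -i "$workdir/${MODULE}.pp"

    getsebool "$BOOL"            # boolean exists now that the module is loaded
    setsebool -P "$BOOL" on      # -P writes the value to the persistent store

    # The ptrace allow now appears alongside everything the base policy
    # already grants snmpd_t: modules add to the base, they never subtract.
    sesearch --allow -s snmpd_t -t domain -c process -p ptrace

    semodule -r "$MODULE"
    getsebool "$BOOL" 2>/dev/null || echo "boolean removed with the module"
}

if [ "${1:-}" = install ]; then
    install_and_check
fi
```

The boolean is created by the module and disappears with it, so `setsebool -P` only persists the value for as long as the module stays installed; reinstalling the module brings the boolean back at its default of false unless the stored value is still present in the policy store.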
Re: Naive Qs about selinux modules

Daniel J Walsh wrote:
> Johnson, Richard wrote:
>> Q: Can any SELinux directive be put into a policy module, or are there
>> restrictions?
>>
>> For example: suppose I wanted to:
>>
>> allow snmpd_t apmd_t:process ptrace;
>> allow snmpd_t auditd_t:process ptrace;
>> allow snmpd_t automount_t:process ptrace;
>> [ ...and so on ]
>>
>> so that snmpd could access mib .1.3.6.1.2.1.6. (advisability
>> notwithstanding) Could these directives be put into a policy module even
>> though the base policy already has an snmpd i/f?
>>
> Yes although watch out for name conflicts, IE Don't name your module
> the same as an existing module or you will replace it.
>
> BTW the interface
> domain_read_all_domains_state(snmpd_t)
>
> Is probably what you want.
>>
>> Q. Can a module define new booleans? If so are they persistent if the
>> module is unloaded and reloaded?
>>
> Yes and the booleans will be removed if you unload the policy.
>
>> For example; an snmpd policy module with an snmpd_can_ptrace boolean.
>> Are there namespace conventions?
>>
> Well we would prefer all booleans to be named with the name of the
> module. Although there are a lot of booleans that do not follow that
> standard. I would love to have aliasing for booleans so we could rename
> them.
>> Q. What happens if the base policy (or another policy module) is
>> updated with overlapping statements.
>>
> They are additive.
>> Am I correct in believing that the set of allows is the union of the
>> base allows + all module allows?
>>
> Yes
>> --rich

http://danwalsh.livejournal.com/23710.html
RE: Naive Qs about selinux modules

Daniel J Walsh wrote:
> Johnson, Richard wrote:
>> Q: Can any SELinux directive be put into a policy module, or are there
>> restrictions?
>>
>> For example: suppose I wanted to:
>>
>> allow snmpd_t apmd_t:process ptrace;
>> allow snmpd_t auditd_t:process ptrace;
>> allow snmpd_t automount_t:process ptrace;
>> [ ...and so on ]
>>
>> so that snmpd could access mib .1.3.6.1.2.1.6. (advisability
>> notwithstanding) Could these directives be put into a policy module even
>> though the base policy already has an snmpd i/f?
>>
> Yes although watch out for name conflicts, IE Don't name your module
> the same as an existing module or you will replace it.
>
> BTW the interface
> domain_read_all_domains_state(snmpd_t)
>
> Is probably what you want.
>>
>> Q. Can a module define new booleans? If so are they persistent if the
>> module is unloaded and reloaded?
>>
> Yes and the booleans will be removed if you unload the policy.
>
>> For example; an snmpd policy module with an snmpd_can_ptrace boolean.
>> Are there namespace conventions?
>
> Well we would prefer all booleans to be named with the name of the
> module. Although there are a lot of booleans that do not follow that
> standard. I would love to have aliasing for booleans so we could rename
> them.
>>
>> Q. What happens if the base policy (or another policy module) is
>> updated with overlapping statements.
>
> They are additive.
>>
>> Am I correct in believing that the set of allows is the union of the
>> base allows + all module allows?
>
> Yes

Thanks. And thanks for the hint about domain_read_all_domains_state().