I got some quick info on how to start writing policy for OpenLMI providers,
see below. Please try it for your providers and send AVCs to Mirek Grepl.
I can only add:
0.1: Install necessary packages
# yum install selinux-policy-devel
0.2: Read /usr/share/doc/tog-pegasus-2.12.1/README.RedHat.Security
0.3: Based on the document above:
# cp /usr/share/doc/tog-pegasus-2.12.1/cmpiOSBase_OperatingSystemProvider-cimprovagt.example \
     /usr/libexec/pegasus/<yourprovider>-cimprovagt
(and package the file)
# chmod 755 /usr/libexec/pegasus/<yourprovider>-cimprovagt
Jan
-------- Original Message --------
Subject: how to get a policy for openlmi-*
Date: Wed, 29 May 2013 10:16:36 +0200
From: Miroslav Grepl <mgrepl(a)redhat.com>
To: jsafrane(a)redhat.com
1. Create your own policy for a provider
# cat mypol.te
policy_module(mypol,1.0)
pegasus_openlmi_domain_template(providername)
and run
# make -f /usr/share/selinux/devel/Makefile mypol.pp
# semodule -i mypol.pp
# chcon -t pegasus_openlmi_providername_exec_t PATH_TO/providername
test it and run
# ausearch -m avc -ts recent
and send me AVC msgs.
For example, we define in the policy
pegasus_openlmi_domain_template(account)
If you want to activate the policy for this account provider, you need
to run
# chcon -t pegasus_openlmi_account_exec_t \
     /usr/libexec/pegasus/cmpiLMI_Account-cimprovagt
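
The "test it, run ausearch, send the AVC msgs" step above, as an added example that is not part of either e-mail or of the OpenLMI or selinux-policy projects: a shell function that reduces ausearch output to the distinct denials for one provider's domain. It assumes the template names the domain pegasus_openlmi_<provider>_t (mirroring the _exec_t type above); the function names and the sample AVC lines are constructed.

```shell
#!/bin/sh
# Added example. Assumption: the provider domain is pegasus_openlmi_<provider>_t.

# Constructed sample of `ausearch -m avc` output (not real audit data).
sample_avcs() {
    cat <<'EOF'
type=AVC msg=audit(1369815396.101:41): avc:  denied  { read } for  pid=2101 comm="cimprovagt" name="shadow" scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1369815396.101:41): arch=c000003e syscall=2 success=no exit=-13 comm="cimprovagt"
type=AVC msg=audit(1369815397.202:42): avc:  denied  { read open } for  pid=2101 comm="cimprovagt" name="shadow" scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1369815398.303:43): avc:  denied  { write } for  pid=1999 comm="cimserver" name="hosts" scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1369815399.404:44): avc:  denied  { name_connect } for  pid=2101 comm="cimprovagt" dest=389 scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
EOF
}

# summarize_avcs PROVIDER: read AVC records on stdin and print
# "count permission tclass target_type" for each distinct denial whose
# source domain is this provider's domain. Other domains are skipped.
summarize_avcs() {
    awk -v dom="pegasus_openlmi_${1}_t" '
    /avc:/ && /denied/ {
        perms = ""; stype = ""; ttype = ""; tclass = ""; inperm = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm)    { perms = perms " " $i; continue }
            # A context is user:role:type:level, so the type is field 3.
            if ($i ~ /^scontext=/)      { split($i, c, ":"); stype = c[3] }
            else if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
            else if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
        }
        if (stype != dom) next
        # One record can deny several permissions: count each separately.
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) seen[p[j] " " tclass " " ttype]++
    }
    END { for (k in seen) print seen[k], k }
    ' | LC_ALL=C sort -k2
}

# On a real system: ausearch -m avc -ts recent | summarize_avcs account
sample_avcs | summarize_avcs account
```

The summary shows which denials belong to the provider under test; the raw AVC records are still what the message asks to be sent.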