- Add debugfs
- Add Russell fixes for restorecon, games, postfix
- Turn off user_canbe_sysadm for strict policy
- Add a couple of privs for kernel to look at domain
- Don't transition from unconfined_t (sysadm_t) to ifconfig_t for
targeted policy
- Insmod wants to write to /proc file system
- Apmd needs to write to /sys file system
- Automount needs additional privs
- Cups creates fifo_file in /tmp that it needs to communicate with.
- Hal needs additional privs
- lvm needs var_run_domain
- tighten up privoxy network
- Allow udev to work with tmpfs_t before /dev is labeled
- misc minor fixes
- misc minor changes to file_context
- Turn on reiserfs again
--
diff --exclude-from=exclude -N -u -r nsapolicy/domains/misc/kernel.te policy-1.23.14/domains/misc/kernel.te
--- nsapolicy/domains/misc/kernel.te 2005-05-02 14:06:54.000000000 -0400
+++ policy-1.23.14/domains/misc/kernel.te 2005-05-02 14:57:26.000000000 -0400
@@ -36,6 +36,7 @@
# Send signal to any process.
allow kernel_t domain:process signal;
+allow kernel_t domain:dir search;
# Access the console.
allow kernel_t device_t:dir search;
@@ -50,6 +51,7 @@
allow kernel_t self:capability sys_chroot;
allow kernel_t { unlabeled_t root_t file_t }:dir mounton;
+allow kernel_t unlabeled_t:fifo_file rw_file_perms;
allow kernel_t file_t:dir rw_dir_perms;
allow kernel_t file_t:blk_file create_file_perms;
allow kernel_t { sysctl_t sysctl_kernel_t }:file { setattr rw_file_perms };
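Review bot: `allow kernel_t unlabeled_t:fifo_file rw_file_perms;` on L33 carries no comment saying which early-boot fifo is unlabeled, and the changelog entry ("a couple of privs for kernel to look at domain") only explains the `domain:dir search` rule in the previous hunk. unlabeled_t is the fallback type for anything the policy could not label, so a read/write rule on it is broader than one on a named type. If the fifo comes from an initrd that runs before policy load, a comment such as `# initrd fifos are created before policy load and stay unlabeled_t` would let a later reader decide whether the rule is still needed.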
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ifconfig.te policy-1.23.14/domains/program/ifconfig.te
--- nsapolicy/domains/program/ifconfig.te 2005-04-27 10:28:49.000000000 -0400
+++ policy-1.23.14/domains/program/ifconfig.te 2005-05-02 14:57:26.000000000 -0400
@@ -21,7 +21,9 @@
general_domain_access(ifconfig_t)
domain_auto_trans(initrc_t, ifconfig_exec_t, ifconfig_t)
+ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, ifconfig_exec_t, ifconfig_t)
+')
# for /sbin/ip
allow ifconfig_t self:netlink_route_socket rw_netlink_socket_perms;
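Review bot: The new `ifdef(`targeted_policy', ...)` wrapper on L43-L45 has no comment explaining why the sysadm_t transition is dropped; the changelog gives the reason (sysadm_t is unconfined_t under targeted policy) but that rationale should live in the file. A one-liner above L43 such as `# targeted policy: sysadm_t is unconfined, so ifconfig stays in the caller's domain` would do.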
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/modutil.te policy-1.23.14/domains/program/modutil.te
--- nsapolicy/domains/program/modutil.te 2005-04-27 10:28:49.000000000 -0400
+++ policy-1.23.14/domains/program/modutil.te 2005-05-02 14:57:26.000000000 -0400
@@ -143,7 +143,7 @@
allow insmod_t proc_t:dir search;
allow insmod_t sysctl_kernel_t:file { setattr rw_file_perms };
-allow insmod_t proc_t:file { getattr read };
+allow insmod_t proc_t:file rw_file_perms;
allow insmod_t proc_t:lnk_file read;
# Write to /proc/mtrr.
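Review bot: The widening on L55 from `{ getattr read }` to `rw_file_perms` grants insmod_t write on every file carrying the generic proc_t type, while the changelog only says insmod "wants to write to /proc file system" without naming the file. The comment on L57 shows the narrower pattern already used in this file for /proc/mtrr; if the new target is a single file, giving it its own type via genfs_contexts and allowing write on that type would keep the rest of proc_t read-only for insmod_t. Failing that, a comment on L55 such as `# insmod writes /proc/<FILE-TO-BE-NAMED>` would at least make the rule auditable.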
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/restorecon.te policy-1.23.14/domains/program/restorecon.te
--- nsapolicy/domains/program/restorecon.te 2005-04-27 10:28:49.000000000 -0400
+++ policy-1.23.14/domains/program/restorecon.te 2005-05-05 15:11:06.000000000 -0400
@@ -20,7 +20,7 @@
role secadm_r types restorecon_t;
allow restorecon_t initrc_devpts_t:chr_file { read write ioctl };
-allow restorecon_t { tty_device_t admin_tty_type }:chr_file { read write ioctl };
+allow restorecon_t { tty_device_t admin_tty_type devtty_t }:chr_file { read write ioctl };
domain_auto_trans({ initrc_t sysadm_t secadm_t }, restorecon_exec_t, restorecon_t)
allow restorecon_t { userdomain init_t privfd }:fd use;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apmd.te policy-1.23.14/domains/program/unused/apmd.te
--- nsapolicy/domains/program/unused/apmd.te 2005-05-02 14:06:54.000000000 -0400
+++ policy-1.23.14/domains/program/unused/apmd.te 2005-05-02 14:57:26.000000000 -0400
@@ -31,7 +31,7 @@
allow apmd_t device_t:lnk_file read;
allow apmd_t proc_t:file { getattr read };
-read_sysctl(apmd_t)
+can_sysctl(apmd_t)
allow apmd_t self:unix_dgram_socket create_socket_perms;
allow apmd_t self:unix_stream_socket create_stream_socket_perms;
allow apmd_t self:fifo_file rw_file_perms;
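Review bot: L75 replaces `read_sysctl(apmd_t)` with `can_sysctl(apmd_t)`, which concerns the sysctl types under /proc/sys, but the changelog entry says "Apmd needs to write to /sys file system", which is sysfs and is labeled differently. If the observed denial was on a sysfs path, this hunk grants sysctl write without addressing it; if it really was a sysctl, the changelog should say /proc/sys. A comment on L75 naming the sysctl apmd writes, e.g. `# apmd writes <SYSCTL-NAME> under /proc/sys`, would make the intent checkable.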
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/auditd.te policy-1.23.14/domains/program/unused/auditd.te
--- nsapolicy/domains/program/unused/auditd.te 2005-05-02 14:06:54.000000000 -0400
+++ policy-1.23.14/domains/program/unused/auditd.te 2005-05-02 14:57:26.000000000 -0400
@@ -56,3 +56,4 @@
allow auditctl_t sysctl_kernel_t:file read;
allow auditd_t self:process setsched;
dontaudit auditctl_t init_t:fd use;
+allow auditctl_t initrc_devpts_t:chr_file { read write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/automount.te policy-1.23.14/domains/program/unused/automount.te
--- nsapolicy/domains/program/unused/automount.te 2005-04-27 10:28:49.000000000 -0400
+++ policy-1.23.14/domains/program/unused/automount.te 2005-05-02 14:57:26.000000000 -0400
@@ -26,7 +26,7 @@
allow automount_t { etc_t etc_runtime_t }:file { getattr read };
allow automount_t proc_t:file { getattr read };
allow automount_t self:process { setpgid setsched };
-allow automount_t self:capability sys_nice;
+allow automount_t self:capability { sys_nice dac_override };
allow automount_t self:unix_stream_socket create_socket_perms;
allow automount_t self:unix_dgram_socket create_socket_perms;
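Review bot: L95 adds `dac_override` to automount_t's capabilities without a comment saying which access needs it. dac_override bypasses all discretionary permission checks for the domain; if the need is only to traverse or read directories automount does not own, `dac_read_search` is the narrower capability, and a comment such as `# dac_override: needed for <ACCESS> — verify dac_read_search does not suffice` would record the decision. The second hunk of this file (L101-L107) also leaves a placeholder comment and two trailing blank lines that should be tied to the denial they refer to or dropped.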
@@ -66,4 +66,9 @@
allow automount_t home_root_t:dir getattr;
allow automount_t mnt_t:dir { getattr search };
-allow initrc_t automount_etc_t:file { getattr read };
+can_exec(initrc_t, automount_etc_t)
+
+# Need something like the following
+# file_type_auto_trans(automount_t, file_type, automount_tmp_t, dir)
+
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/consoletype.te policy-1.23.14/domains/program/unused/consoletype.te
--- nsapolicy/domains/program/unused/consoletype.te 2005-05-02 14:06:54.000000000 -0400
+++ policy-1.23.14/domains/program/unused/consoletype.te 2005-05-02 14:57:26.000000000 -0400
@@ -57,6 +57,7 @@
ifdef(`firstboot.te', `
allow consoletype_t firstboot_t:fifo_file write;
')
+dontaudit consoletype_t proc_t:dir search;
dontaudit consoletype_t proc_t:file read;
dontaudit consoletype_t root_t:file read;
allow consoletype_t crond_t:fifo_file { read getattr ioctl };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.23.14/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te 2005-05-02 14:06:54.000000000 -0400
+++ policy-1.23.14/domains/program/unused/cups.te 2005-05-02 14:57:26.000000000 -0400
@@ -22,6 +22,7 @@
logdir_domain(cupsd)
tmp_domain(cupsd)
+file_type_auto_trans(cupsd_t, tmp_t, cupsd_tmp_t, fifo_file)
allow cupsd_t devpts_t:dir search;
@@ -246,8 +247,9 @@
allow cupsd_config_t logrotate_t:fd use;
')dnl end if logrotate.te
allow cupsd_config_t system_crond_t:fd use;
-allow cupsd_config_t crond_t:fifo_file read;
+allow cupsd_config_t crond_t:fifo_file r_file_perms;
allow cupsd_t crond_t:fifo_file read;
+allow cupsd_t crond_t:fd use;
# Alternatives asks for this
allow cupsd_config_t initrc_exec_t:file getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.23.14/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te 2005-05-02 14:06:54.000000000 -0400
+++ policy-1.23.14/domains/program/unused/hald.te 2005-05-02 14:57:26.000000000 -0400
@@ -10,12 +10,12 @@
#
# hald_exec_t is the type of the hald executable.
#
-daemon_domain(hald, `, fs_domain, nscd_client_domain')
+daemon_domain(hald, `, fs_domain, nscd_client_domain, privmem')
can_exec_any(hald_t)
allow hald_t { etc_t etc_runtime_t }:file { getattr read };
-allow hald_t self:unix_stream_socket create_stream_socket_perms;
+allow hald_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow hald_t self:unix_dgram_socket create_socket_perms;
ifdef(`dbusd.te', `
@@ -36,7 +36,7 @@
allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
allow hald_t self:netlink_route_socket r_netlink_socket_perms;
-allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod };
+allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod sys_rawio };
can_network_server(hald_t)
can_ypbind(hald_t)
@@ -47,6 +47,7 @@
allow hald_t printer_device_t:chr_file rw_file_perms;
allow hald_t urandom_device_t:chr_file read;
allow hald_t mouse_device_t:chr_file r_file_perms;
+allow hald_t memory_device_t:chr_file r_file_perms;
can_getsecurity(hald_t)
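Review bot: `privmem` on L145, `sys_rawio` on L156 and `memory_device_t:chr_file r_file_perms` on L163 together let hald_t read /dev/mem, which exposes physical memory beyond hal's own, yet neither the hunks nor the changelog ("Hal needs additional privs") say which hal probe needs it. A comment at L163 such as `# hald reads <TABLE> via /dev/mem — TODO name the probe` would make the grant reviewable, and if a single helper is the consumer, a separate domain for that helper would keep raw-memory access out of the long-running daemon. The `connectto` added on L149 is presumably for hald's own stream socket and could carry a one-line comment as well.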
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.23.14/domains/program/unused/hotplug.te
--- nsapolicy/domains/program/unused/hotplug.te 2005-05-02 14:06:54.000000000 -0400
+++ policy-1.23.14/domains/program/unused/hotplug.te 2005-05-02 14:57:26.000000000 -0400
@@ -156,4 +156,4 @@
domain_auto_trans(hotplug_t, sendmail_exec_t, system_mail_t)
')
-allow kernel_t hotplug_etc_t:dir search;
+allow { insmod_t kernel_t } hotplug_etc_t:dir { search getattr };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/i18n_input.te policy-1.23.14/domains/program/unused/i18n_input.te
--- nsapolicy/domains/program/unused/i18n_input.te 2005-04-27 10:28:51.000000000 -0400
+++ policy-1.23.14/domains/program/unused/i18n_input.te 2005-05-02 14:57:26.000000000 -0400
@@ -14,6 +14,7 @@
can_ypbind(i18n_input_t)
can_tcp_connect(userdomain, i18n_input_t)
+can_unix_connect(i18n_input_t, initrc_t)
allow i18n_input_t self:fifo_file rw_file_perms;
allow i18n_input_t i18n_input_port_t:tcp_socket name_bind;
@@ -28,3 +29,4 @@
allow i18n_input_t self:unix_stream_socket create_stream_socket_perms;
allow i18n_input_t i18n_input_var_run_t:dir create_dir_perms;
allow i18n_input_t i18n_input_var_run_t:sock_file create_file_perms;
+allow i18n_input_t usr_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.23.14/domains/program/unused/kudzu.te
--- nsapolicy/domains/program/unused/kudzu.te 2005-04-27 10:28:51.000000000 -0400
+++ policy-1.23.14/domains/program/unused/kudzu.te 2005-05-02 14:57:26.000000000 -0400
@@ -26,6 +26,7 @@
allow kudzu_t mouse_device_t:chr_file { read write };
allow kudzu_t proc_net_t:dir r_dir_perms;
allow kudzu_t { proc_net_t proc_t }:file { getattr read };
+allow kudzu_t proc_t:lnk_file getattr;
allow kudzu_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms;
allow kudzu_t scsi_generic_device_t:chr_file r_file_perms;
allow kudzu_t { bin_t sbin_t }:dir { getattr search };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/lvm.te policy-1.23.14/domains/program/unused/lvm.te
--- nsapolicy/domains/program/unused/lvm.te 2005-04-27 10:28:51.000000000 -0400
+++ policy-1.23.14/domains/program/unused/lvm.te 2005-05-02 14:57:26.000000000 -0400
@@ -112,7 +112,7 @@
allow lvm_t lvm_control_t:chr_file rw_file_perms;
allow initrc_t lvm_control_t:chr_file { getattr read unlink };
allow initrc_t device_t:chr_file create;
-dontaudit lvm_t var_run_t:dir getattr;
+var_run_domain(lvm)
# for when /usr is not mounted
dontaudit lvm_t file_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pamconsole.te policy-1.23.14/domains/program/unused/pamconsole.te
--- nsapolicy/domains/program/unused/pamconsole.te 2005-04-27 10:28:52.000000000 -0400
+++ policy-1.23.14/domains/program/unused/pamconsole.te 2005-05-02 14:57:26.000000000 -0400
@@ -45,5 +45,5 @@
ifdef(`xdm.te', `
allow pam_console_t xdm_var_run_t:file { getattr read };
')
-allow initrc_t pam_var_console_t:dir r_dir_perms;
+allow initrc_t pam_var_console_t:dir rw_dir_perms;
allow pam_console_t file_context_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postfix.te policy-1.23.14/domains/program/unused/postfix.te
--- nsapolicy/domains/program/unused/postfix.te 2005-04-27 10:28:52.000000000 -0400
+++ policy-1.23.14/domains/program/unused/postfix.te 2005-05-05 15:10:42.000000000 -0400
@@ -180,6 +180,7 @@
# for OpenSSL certificates
r_dir_file(postfix_smtpd_t,usr_t)
allow postfix_smtpd_t etc_aliases_t:file r_file_perms;
+allow postfix_smtpd_t self:file { getattr read };
# for prng_exch
allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/privoxy.te policy-1.23.14/domains/program/unused/privoxy.te
--- nsapolicy/domains/program/unused/privoxy.te 2005-04-27 10:28:52.000000000 -0400
+++ policy-1.23.14/domains/program/unused/privoxy.te 2005-05-03 10:27:27.000000000 -0400
@@ -8,7 +8,7 @@
#
# Rules for the privoxy_t domain.
#
-daemon_domain(privoxy)
+daemon_domain(privoxy, `, web_client_domain')
logdir_domain(privoxy)
@@ -16,9 +16,10 @@
allow privoxy_t self:capability net_bind_service;
# Use the network.
-can_network(privoxy_t)
-allow privoxy_t port_type:tcp_socket name_connect;
-allow privoxy_t port_t:{ tcp_socket udp_socket } name_bind;
+can_network_tcp(privoxy_t)
+can_ypbind(privoxy_t)
+can_resolve(privoxy_t)
+allow privoxy_t http_cache_port_t:tcp_socket name_bind;
allow privoxy_t etc_t:file { getattr read };
allow privoxy_t self:capability { setgid setuid };
allow privoxy_t self:unix_stream_socket create_socket_perms ;
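Review bot: The `name_bind` on L248 only succeeds if port 8118 is mapped to http_cache_port_t, which this patch does in the net_contexts hunk (L475-L476); the two hunks depend on each other, so a comment on L248 such as `# privoxy listens on 8118 (http_cache_port_t, see net_contexts)` would make that visible. Dropping the blanket `port_type:tcp_socket name_connect` on L243 means outbound connections now rely on whatever `web_client_domain` (L237) grants, so that macro's permission set is the new effective bound and deserves a mention in the changelog entry. The removed `udp_socket name_bind` on L244 is presumably intentional if privoxy never binds UDP.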
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.23.14/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te 2005-05-02 14:06:54.000000000 -0400
+++ policy-1.23.14/domains/program/unused/udev.te 2005-05-02 14:57:26.000000000 -0400
@@ -38,8 +38,8 @@
allow udev_t device_t:lnk_file create_lnk_perms;
allow udev_t { device_t device_type }:{ chr_file blk_file } { relabelfrom relabelto create_file_perms };
ifdef(`distro_redhat', `
-allow udev_t tmpfs_t:dir rw_dir_perms;
-allow udev_t tmpfs_t:sock_file create_file_perms;
+allow udev_t tmpfs_t:dir create_dir_perms;
+allow udev_t tmpfs_t:{ sock_file file } create_file_perms;
allow udev_t tmpfs_t:lnk_file create_lnk_perms;
allow udev_t tmpfs_t:{ chr_file blk_file } { relabelfrom relabelto create_file_perms };
allow udev_t tmpfs_t:dir search;
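Review bot: L261-L262 raise udev_t from `rw_dir_perms` to `create_dir_perms` and add regular-file creation on tmpfs_t, but tmpfs_t is the shared type of every tmpfs mount rather than only the early /dev, so the rule also covers other tmpfs mounts once the system is up; the changelog ("before /dev is labeled") describes a boot-time window the rule itself does not limit. A comment on L261, e.g. `# early boot: /dev is a tmpfs still typed tmpfs_t until it is relabeled`, would record why the broad type is accepted. With `create_dir_perms` in place, the `allow udev_t tmpfs_t:dir search;` on L265 is presumably redundant and can go.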
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/updfstab.te policy-1.23.14/domains/program/unused/updfstab.te
--- nsapolicy/domains/program/unused/updfstab.te 2005-04-27 10:28:53.000000000 -0400
+++ policy-1.23.14/domains/program/unused/updfstab.te 2005-05-02 14:57:26.000000000 -0400
@@ -31,6 +31,8 @@
ifdef(`dbusd.te', `
dbusd_client(system, updfstab)
allow updfstab_t system_dbusd_t:dbus { send_msg };
+allow initrc_t updfstab_t:dbus send_msg;
+allow updfstab_t initrc_t:dbus send_msg;
')
# not sure what the sysctl_kernel_t file is, or why it wants to write it, so
@@ -73,3 +75,7 @@
dontaudit updfstab_t { home_dir_type home_type }:dir search;
allow updfstab_t fs_t:filesystem { getattr };
allow updfstab_t tmpfs_t:dir getattr;
+ifdef(`hald.te', `
+can_unix_connect(updfstab_t, hald_t)
+')
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.23.14/domains/program/unused/xdm.te
--- nsapolicy/domains/program/unused/xdm.te 2005-04-27 10:28:54.000000000 -0400
+++ policy-1.23.14/domains/program/unused/xdm.te 2005-05-02 14:57:26.000000000 -0400
@@ -344,3 +344,4 @@
# Run telinit->init to shutdown.
can_exec(xdm_t, init_exec_t)
+allow xdm_t self:sem create_sem_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xserver.te policy-1.23.14/domains/program/unused/xserver.te
--- nsapolicy/domains/program/unused/xserver.te 2005-04-27 10:28:54.000000000 -0400
+++ policy-1.23.14/domains/program/unused/xserver.te 2005-05-02 14:57:26.000000000 -0400
@@ -20,3 +20,4 @@
# Everything else is in the xserver_domain macro in
# macros/program/xserver_macros.te.
+allow initrc_t xserver_log_t:fifo_file { read write };
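Review bot: `allow initrc_t xserver_log_t:fifo_file { read write };` on L298 gives init scripts read/write on a fifo that lives under a type meant for X server logs, which is unusual enough to need a one-line comment naming the fifo and the script that opens it, e.g. `# <SCRIPT>: fifo under the xserver log dir used for <PURPOSE>`. Without it a later reader cannot tell whether the rule belongs to xdm, the X server or a distro init script.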
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.23.14/file_contexts/distros.fc
--- nsapolicy/file_contexts/distros.fc 2005-05-02 14:06:56.000000000 -0400
+++ policy-1.23.14/file_contexts/distros.fc 2005-05-02 14:57:26.000000000 -0400
@@ -37,7 +37,8 @@
/usr/share/texmf/web2c/mktexupd -- system_u:object_r:bin_t
/usr/share/ssl/certs(/.*)? system_u:object_r:cert_t
/usr/share/ssl/private(/.*)? system_u:object_r:cert_t
-/etc/pki(/.*)? system_u:object_r:cert_t
+/etc/pki(/.*)? system_u:object_r:cert_t
+/etc/rhgb(/.*)? -d system_u:object_r:mnt_t
/usr/share/ssl/misc(/.*)? system_u:object_r:bin_t
#
# /emul/ia32-linux/usr
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/cups.fc policy-1.23.14/file_contexts/program/cups.fc
--- nsapolicy/file_contexts/program/cups.fc 2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.14/file_contexts/program/cups.fc 2005-05-02 14:57:26.000000000 -0400
@@ -25,6 +25,7 @@
/usr/sbin/printconf-backend -- system_u:object_r:cupsd_config_exec_t
')
/var/log/cups(/.*)? system_u:object_r:cupsd_log_t
+/var/log/turboprint_cups\.log.* -- system_u:object_r:cupsd_log_t
/var/spool/cups(/.*)? system_u:object_r:print_spool_t
/var/run/cups/printcap -- system_u:object_r:cupsd_var_run_t
/usr/lib(64)?/cups/filter/.* -- system_u:object_r:bin_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/rhgb.fc policy-1.23.14/file_contexts/program/rhgb.fc
--- nsapolicy/file_contexts/program/rhgb.fc 2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.14/file_contexts/program/rhgb.fc 2005-05-02 14:57:26.000000000 -0400
@@ -1,2 +1 @@
/usr/bin/rhgb -- system_u:object_r:rhgb_exec_t
-/etc/rhgb(/.*)? -d system_u:object_r:mnt_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.23.14/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc 2005-05-02 14:06:56.000000000 -0400
+++ policy-1.23.14/file_contexts/types.fc 2005-05-05 15:00:35.000000000 -0400
@@ -129,6 +129,7 @@
/dev/nvram -c system_u:object_r:memory_device_t
/dev/random -c system_u:object_r:random_device_t
/dev/urandom -c system_u:object_r:urandom_device_t
+/dev/adb.* -c system_u:object_r:tty_device_t
/dev/capi.* -c system_u:object_r:tty_device_t
/dev/dcbri[0-9]+ -c system_u:object_r:tty_device_t
/dev/irlpt[0-9]+ -c system_u:object_r:printer_device_t
@@ -381,6 +382,7 @@
/usr/local/etc(/.*)? system_u:object_r:etc_t
/usr/local/src(/.*)? system_u:object_r:src_t
/usr/local/man(/.*)? system_u:object_r:man_t
+/usr/local/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
#
# /usr/X11R6/man
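Review bot: The pattern on L344, `/usr/local/.*\.so(\.[^/]*)*`, is not restricted to a lib directory, so any regular file under /usr/local ending in `.so` or `.so.N` appears to get shlib_t — including build artifacts under /usr/local/src, which L342 types as src_t — and with it whatever library-load permissions shlib_t carries. Anchoring it to the library tree, e.g. `/usr/local/lib(64)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t`, matches the existing `/usr/lib(64)?` style used elsewhere in this file and keeps source trees out of shlib_t.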
diff --exclude-from=exclude -N -u -r nsapolicy/fs_use policy-1.23.14/fs_use
--- nsapolicy/fs_use 2005-03-15 08:02:23.000000000 -0500
+++ policy-1.23.14/fs_use 2005-05-03 08:38:23.000000000 -0400
@@ -8,6 +8,7 @@
fs_use_xattr ext3 system_u:object_r:fs_t;
fs_use_xattr xfs system_u:object_r:fs_t;
fs_use_xattr jfs system_u:object_r:fs_t;
+fs_use_xattr reiserfs system_u:object_r:fs_t;
# Use the allocating task SID to label inodes in the following filesystem
# types, and label the filesystem itself with the specified context.
diff --exclude-from=exclude -N -u -r nsapolicy/genfs_contexts policy-1.23.14/genfs_contexts
--- nsapolicy/genfs_contexts 2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.14/genfs_contexts 2005-05-03 08:37:51.000000000 -0400
@@ -91,8 +91,7 @@
genfscon nfs4 / system_u:object_r:nfs_t
genfscon afs / system_u:object_r:nfs_t
-# reiserfs - until xattr security support works properly
-genfscon reiserfs / system_u:object_r:nfs_t
+genfscon debugfs / system_u:object_r:debugfs_t
# needs more work
genfscon eventpollfs / system_u:object_r:eventpollfs_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/core_macros.te policy-1.23.14/macros/core_macros.te
--- nsapolicy/macros/core_macros.te 2005-05-02 14:06:57.000000000 -0400
+++ policy-1.23.14/macros/core_macros.te 2005-05-02 14:57:26.000000000 -0400
@@ -341,7 +341,6 @@
# Get the selinuxfs mount point via /proc/self/mounts.
allow $1 proc_t:dir search;
allow $1 proc_t:lnk_file read;
-allow $1 proc_t:file { getattr read };
allow $1 self:dir search;
allow $1 self:file { getattr read };
# Access selinuxfs.
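Review bot: Removing `allow $1 proc_t:file { getattr read };` on L375 tightens every domain that uses this macro; the comment on L372 justifies it, since /proc/self entries carry the calling domain's type and the `self:file` rule on L377 covers that read. Callers that read other proc_t files now need an explicit rule — the games_domain hunk (L411-L412) adds exactly that — so the remaining users of this macro are worth grepping for before merge. The macro definition starts outside the hunk.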
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/games_domain.te policy-1.23.14/macros/program/games_domain.te
--- nsapolicy/macros/program/games_domain.te 2005-04-27 10:28:54.000000000 -0400
+++ policy-1.23.14/macros/program/games_domain.te 2005-05-05 15:10:05.000000000 -0400
@@ -17,11 +17,14 @@
if (! disable_games_trans) {
domain_auto_trans($1_t, games_exec_t, $1_games_t)
}
+can_exec($1_games_t, games_exec_t)
role $1_r types $1_games_t;
+can_create_pty($1_games)
+
# X access, /tmp files
x_client_domain($1_games, $1)
-tmp_domain($1_games)
+tmp_domain($1_games, `', { dir notdevfile_class_set })
uses_shlib($1_games_t)
read_locale($1_games_t)
@@ -36,6 +39,10 @@
allow $1_games_t self:process execmem;
}
+if (allow_execmod) {
+allow $1_games_t texrel_shlib_t:file execmod;
+}
+
allow $1_games_t var_t:dir { search getattr };
rw_dir_create_file($1_games_t, games_data_t)
allow $1_games_t sound_device_t:chr_file rw_file_perms;
@@ -65,8 +72,8 @@
allow $1_games_t var_lib_t:dir search;
r_dir_file($1_games_t, man_t)
-allow $1_games_t proc_t:dir search;
-allow $1_games_t proc_t:file { read getattr };
+allow $1_games_t { proc_t self }:dir search;
+allow $1_games_t { proc_t self }:{ file lnk_file } { read getattr };
ifdef(`mozilla.te', `
dontaudit $1_games_t $1_mozilla_t:unix_stream_socket connectto;
')
@@ -75,15 +82,23 @@
allow $1_games_t self:file { getattr read };
allow $1_games_t self:fifo_file rw_file_perms;
-# kpat spews errors
-dontaudit $1_games_t bin_t:dir getattr;
+allow $1_games_t self:sem create_sem_perms;
+
+allow $1_games_t { bin_t sbin_t }:dir { getattr search };
+can_exec($1_games_t, { shell_exec_t bin_t utempter_exec_t })
+allow $1_games_t bin_t:lnk_file read;
+
dontaudit $1_games_t var_run_t:dir search;
+dontaudit $1_games_t initrc_var_run_t:file { read write };
+dontaudit $1_games_t var_log_t:dir search;
# Allow games to read /etc/mtab and /etc/nsswitch.conf
allow $1_games_t etc_t:file { getattr read };
allow $1_games_t etc_runtime_t:file { getattr read };
-#
+can_network($1_games_t)
+allow $1_games_t port_t:tcp_socket name_bind;
+allow $1_games_t port_t:tcp_socket name_connect;
')dnl end macro definition
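Review bot: L434-L436 give every $1_games_t domain `can_network` plus `name_bind` and `name_connect` on port_t, and L423-L424 allow executing everything in bin_t and shell_exec_t, which moves the games domain a long way from a confined sandbox toward a second user domain. If only some games need the network, gating L434-L436 behind a boolean in the style of the existing `disable_games_trans` (L383) and `allow_execmod` (L399) checks would keep the default tight. `can_exec($1_games_t, { shell_exec_t bin_t utempter_exec_t })` on L424 runs utempter inside the games domain rather than through a transition, which should be checked against how the other user domains handle utempter. The `dontaudit $1_games_t initrc_var_run_t:file { read write };` on L428 silences write attempts to init runtime state and deserves a comment naming the game that triggers it.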
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/su_macros.te policy-1.23.14/macros/program/su_macros.te
--- nsapolicy/macros/program/su_macros.te 2005-05-02 14:06:57.000000000 -0400
+++ policy-1.23.14/macros/program/su_macros.te 2005-05-02 14:57:26.000000000 -0400
@@ -61,7 +61,7 @@
')
# Use capabilities.
-allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
+allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource audit_control };
dontaudit $1_su_t self:capability sys_tty_config;
#
# Caused by su - init scripts
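Review bot: L445 adds `audit_control` to $1_su_t's capabilities without a comment; CAP_AUDIT_CONTROL also covers changing the kernel audit configuration, which is more than a login helper needs if the purpose is presumably only to set the audit login uid for the new session. A comment such as `# audit_control: pam session setup writes the audit loginuid` would record the intent, and the second hunk of this file (L452-L454), which moves the netlink_audit_socket rule out of the chkpwd ifdef, should reference the same reason.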
@@ -90,9 +90,10 @@
ifdef(`chkpwd.te', `
domain_auto_trans($1_su_t, chkpwd_exec_t, $2_chkpwd_t)
-allow $1_su_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
')
+allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
+
') dnl end su_restricted_domain
define(`su_mini_domain', `
diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.23.14/Makefile
--- nsapolicy/Makefile 2005-04-20 15:40:34.000000000 -0400
+++ policy-1.23.14/Makefile 2005-05-03 08:38:52.000000000 -0400
@@ -196,7 +196,7 @@
( cd domains/misc/ ; for n in *.te ; do echo "define(\`$$n')"; done ) >> $@.tmp
mv $@.tmp $@
-FILESYSTEMS=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs).*rw/{print $$3}';`
+FILESYSTEMS=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs | reiserfs ).*rw/{print $$3}';`
checklabels: $(SETFILES)
$(SETFILES) -v -n $(FC) $(FILESYSTEMS)
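Review bot: The awk pattern on L465 is inconsistent about its separators: ` xfs` has no trailing space while ` jfs ` and ` reiserfs ` do, so the xfs alternative matches more loosely than the other two. Since this line decides which mounts `checklabels` inspects and a miss silently skips a filesystem, one uniform form, e.g. `awk '/ type (ext[23]|xfs|jfs|reiserfs) .*rw/{print $$3}'`, would make the intent explicit.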
diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.23.14/net_contexts
--- nsapolicy/net_contexts 2005-05-02 14:06:54.000000000 -0400
+++ policy-1.23.14/net_contexts 2005-05-02 14:57:26.000000000 -0400
@@ -227,6 +227,8 @@
portcon tcp 3128 system_u:object_r:http_cache_port_t
portcon tcp 8080 system_u:object_r:http_cache_port_t
portcon udp 3130 system_u:object_r:http_cache_port_t
+# 8118 is for privoxy
+portcon tcp 8118 system_u:object_r:http_cache_port_t
ifdef(`clockspeed.te', `portcon udp 4041 system_u:object_r:clockspeed_port_t')
ifdef(`transproxy.te', `portcon tcp 8081 system_u:object_r:transproxy_port_t')
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.23.14/tunables/distro.tun
--- nsapolicy/tunables/distro.tun 2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.14/tunables/distro.tun 2005-05-02 14:57:26.000000000 -0400
@@ -5,7 +5,7 @@
# appropriate ifdefs.
-dnl define(`distro_redhat')
+define(`distro_redhat')
dnl define(`distro_suse')
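Review bot: L485 turns `distro_redhat` on by default, and the tunable.tun hunks (L494, L501) do the same for `unlimitedRPM` and `hide_broken_symptoms`, yet none of the three flips appears in the changelog. The existing comments on those lines (L492, L498-L499) say that unlimitedRPM runs rpm unconfined and hide_broken_symptoms suppresses denials the authors consider broken but harmless, so both change the posture of anyone building the tree with default tunables. If these are distribution build settings rather than upstream defaults they belong in a distro-specific override; otherwise each deserves a changelog line.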
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.23.14/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun 2005-04-14 15:01:54.000000000 -0400
+++ policy-1.23.14/tunables/tunable.tun 2005-05-05 15:16:58.000000000 -0400
@@ -2,7 +2,7 @@
dnl define(`user_can_mount')
# Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
# Allow privileged utilities like hotplug and insmod to run unconfined.
dnl define(`unlimitedUtils')
@@ -20,7 +20,7 @@
# Do not audit things that we know to be broken but which
# are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
# Allow user_r to reach sysadm_r via su, sudo, or userhelper.
# Otherwise, only staff_r can do so.
diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.23.14/types/file.te
--- nsapolicy/types/file.te 2005-04-27 10:28:56.000000000 -0400
+++ policy-1.23.14/types/file.te 2005-05-03 07:58:12.000000000 -0400
@@ -312,6 +312,9 @@
type cifs_t, fs_type, noexattrfile, sysadmfile;
allow cifs_t self:filesystem associate;
+type debugfs_t, fs_type, sysadmfile;
+allow debugfs_t self:filesystem associate;
+
# removable_t is the default type of all removable media
type removable_t, file_type, sysadmfile, usercanread;
allow removable_t self:filesystem associate;
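Review bot: L510 declares `debugfs_t` with `fs_type, sysadmfile` but no comment; debugfs exposes kernel-internal debugging interfaces, some of them writable, so a comment such as `# debugfs_t: kernel debugfs, intended for sysadm only` and a check that no `fs_type`-wide rules hand it to unprivileged domains would be useful. The genfs_contexts hunk (L365) mapping the filesystem to this type is consistent with it. The second hunk of this file (L519-L520) adds only two trailing blank lines.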
@@ -320,3 +323,5 @@
# Type for anonymous FTP data, used by ftp and rsync
type ftpd_anon_t, file_type, sysadmfile, customizable;
+
+
> > diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/restorecon.te policy-1.23.14/domains/program/restorecon.te
> > --- nsapolicy/domains/program/restorecon.te 2005-04-27 10:28:49.000000000 -0400
> > +++ policy-1.23.14/domains/program/restorecon.te 2005-05-05 15:11:06.000000000 -0400
> > @@ -20,7 +20,7 @@
> > role secadm_r types restorecon_t;
> >
> > allow restorecon_t initrc_devpts_t:chr_file { read write ioctl };
> > -allow restorecon_t { tty_device_t admin_tty_type }:chr_file { read write ioctl };
> > +allow restorecon_t { tty_device_t admin_tty_type devtty_t }:chr_file { read write ioctl };
Perhaps (?):
allow restorecon_t tty_device_t:chr_file { read write ioctl};
access_terminal(restorecon_t, $2)
access_terminal(restorecon_t, initrc)
> > diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/auditd.te policy-1.23.14/domains/program/unused/auditd.te
> > --- nsapolicy/domains/program/unused/auditd.te 2005-05-02 14:06:54.000000000 -0400
> > +++ policy-1.23.14/domains/program/unused/auditd.te 2005-05-02 14:57:26.000000000 -0400
> > @@ -56,3 +56,4 @@
> > allow auditctl_t sysctl_kernel_t:file read;
> > allow auditd_t self:process setsched;
> > dontaudit auditctl_t init_t:fd use;
> > +allow auditctl_t initrc_devpts_t:chr_file { read write };
Perhaps (?):
access_terminal(auditctl_t, initrc)
> > allow consoletype_t crond_t:fifo_file { read getattr ioctl };
> > diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.23.14/domains/program/unused/cups.te
> > --- nsapolicy/domains/program/unused/cups.te 2005-05-02 14:06:54.000000000 -0400
> > +++ policy-1.23.14/domains/program/unused/cups.te 2005-05-02 14:57:26.000000000 -0400
> > @@ -22,6 +22,7 @@
> > logdir_domain(cupsd)
> >
> > tmp_domain(cupsd)
> > +file_type_auto_trans(cupsd_t, tmp_t, cupsd_tmp_t, fifo_file)
tmp_domain(cupsd, `', { file dir fifo_file })
> > @@ -47,6 +47,7 @@
> > allow hald_t printer_device_t:chr_file rw_file_perms;
> > allow hald_t urandom_device_t:chr_file read;
> > allow hald_t mouse_device_t:chr_file r_file_perms;
> > +allow hald_t memory_device_t:chr_file r_file_perms;
?? That no longer triggers an assertion violation?
I specifically had to allow it in the assertion list when
it was necessary for dmidecode. Why is it still necessary?
> > diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/games_domain.te policy-1.23.14/macros/program/games_domain.te
> > --- nsapolicy/macros/program/games_domain.te 2005-04-27 10:28:54.000000000 -0400
> > +++ policy-1.23.14/macros/program/games_domain.te 2005-05-05 15:10:05.000000000 -0400
> > @@ -17,11 +17,14 @@
> > if (! disable_games_trans) {
> > domain_auto_trans($1_t, games_exec_t, $1_games_t)
> > }
> > +can_exec($1_games_t, games_exec_t)
It needs to re-execute itself??
Question:
Is it better to create orbit-$USER in a startup script, or
to include selinux support in libORBit2 in order to
properly set the context of /tmp/orbit-$USER to ROLE_orbit_tmp_t
when it's created?
--
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University
On Friday 06 May 2005 07:44, Ivan Gyurdiev <ivg2@cornell.edu> wrote:
> > > diff --exclude-from=exclude -N -u -r
> > > nsapolicy/domains/program/restorecon.te
> > > policy-1.23.14/domains/program/restorecon.te ---
> > > nsapolicy/domains/program/restorecon.te 2005-04-27 10:28:49.000000000
> > > -0400 +++ policy-1.23.14/domains/program/restorecon.te 2005-05-05
> > > 15:11:06.000000000 -0400 @@ -20,7 +20,7 @@
> > > role secadm_r types restorecon_t;
> > >
> > > allow restorecon_t initrc_devpts_t:chr_file { read write ioctl };
> > > -allow restorecon_t { tty_device_t admin_tty_type }:chr_file { read
> > > write ioctl }; +allow restorecon_t { tty_device_t admin_tty_type
> > > devtty_t }:chr_file { read write ioctl };
>
> Perhaps (?):
>
> allow restorecon_t tty_device_t:chr_file { read write ioctl};
> access_terminal(restorecon_t, $2)
You mean:
access_terminal(restorecon_t, sysadm)
> access_terminal(restorecon_t, initrc)
There is no initrc_tty_device_t defined (and we are not going to define one).
> > > diff --exclude-from=exclude -N -u -r
> > > nsapolicy/domains/program/unused/auditd.te
> > > policy-1.23.14/domains/program/unused/auditd.te ---
> > > nsapolicy/domains/program/unused/auditd.te 2005-05-02
> > > 14:06:54.000000000 -0400 +++
> > > policy-1.23.14/domains/program/unused/auditd.te 2005-05-02
> > > 14:57:26.000000000 -0400 @@ -56,3 +56,4 @@
> > > allow auditctl_t sysctl_kernel_t:file read;
> > > allow auditd_t self:process setsched;
> > > dontaudit auditctl_t init_t:fd use;
> > > +allow auditctl_t initrc_devpts_t:chr_file { read write };
>
> Perhaps (?):
>
> access_terminal(auditctl_t, initrc)
Again, it's not going to work.
> > > allow consoletype_t crond_t:fifo_file { read getattr ioctl };
> > > diff --exclude-from=exclude -N -u -r
> > > nsapolicy/domains/program/unused/cups.te
> > > policy-1.23.14/domains/program/unused/cups.te ---
> > > nsapolicy/domains/program/unused/cups.te 2005-05-02 14:06:54.000000000
> > > -0400 +++ policy-1.23.14/domains/program/unused/cups.te 2005-05-02
> > > 14:57:26.000000000 -0400 @@ -22,6 +22,7 @@
> > > logdir_domain(cupsd)
> > >
> > > tmp_domain(cupsd)
> > > +file_type_auto_trans(cupsd_t, tmp_t, cupsd_tmp_t, fifo_file)
>
> tmp_domain(cupsd, `', { file dir fifo_file })
Yes.
> > > @@ -47,6 +47,7 @@
> > > allow hald_t printer_device_t:chr_file rw_file_perms;
> > > allow hald_t urandom_device_t:chr_file read;
> > > allow hald_t mouse_device_t:chr_file r_file_perms;
> > > +allow hald_t memory_device_t:chr_file r_file_perms;
>
> ?? That no longer triggers an assertion violation?
> I specifically had to allow it in the assertion list when
> it was necessary for dmidecode. Why is it still necessary?
I agree, this shouldn't be needed.
> > > diff --exclude-from=exclude -N -u -r
> > > nsapolicy/macros/program/games_domain.te
> > > policy-1.23.14/macros/program/games_domain.te ---
> > > nsapolicy/macros/program/games_domain.te 2005-04-27 10:28:54.000000000
> > > -0400 +++ policy-1.23.14/macros/program/games_domain.te 2005-05-05
> > > 15:10:05.000000000 -0400 @@ -17,11 +17,14 @@
> > > if (! disable_games_trans) {
> > > domain_auto_trans($1_t, games_exec_t, $1_games_t)
> > > }
> > > +can_exec($1_games_t, games_exec_t)
>
> It needs to re-execute itself??
Absolutely.
> Is it better to create orbit-$USER in a startup script, or
> to include selinux support in libORBit2 in order to
> properly set the context of /tmp/orbit-$USER to ROLE_orbit_tmp_t
> when it's created?
What does orbit do exactly? What needs to access it?
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
> > Is it better to create orbit-$USER in a startup script, or
> > to include selinux support in libORBit2 in order to
> > properly set the context of /tmp/orbit-$USER to ROLE_orbit_tmp_t
> > when it's created?
>
> What does orbit do exactly? What needs to access it?
ORBit is an implementation of CORBA - it has to do with
inter-process communication. All GNOME programs use
it to talk to each other. For example, mozilla (with gnome support)
uses it to talk to GConf and the gnome vfs daemon
(and other things that I haven't figured out yet, which
need to be constrained).
Apps create sockets in /tmp/orbit-$USER, and read/write to other apps'
sockets to talk to them.
The current orbit rules in mozilla/gift are a mess, because they allow
interaction w/ ROLE_tmp_t, which seems to me like a bad idea.
I have a better suggestion (I think), included as part of my patch here:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=155800
It's the patch you were looking at earlier, but I've added a lot more
stuff, and fixed bugs. It can't be merged at this point, but parts of
it probably can..
...but orbit-$USER needs to be labeled properly, and it can be created
by anything that interfaces w/ libORBit-2, I think...which means
that either it has to be created by a startup script, or
the library should be modified to use matchpathcon()
when it creates the folder. I don't know which.
I also thought perhaps there should be a skeleton for /tmp
(https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=156452)
but I'm now starting to think that may be a bad idea, and I should
close the bug.
> ...but orbit-$USER needs to be labeled properly, and it can be created
> by anything that interfaces w/ libORBit-2, I think...which means
> that either it has to be created by a startup script, or
> the library should be modified to use matchpathcon()
> when it creates the folder. I don't know which.
> I also thought perhaps there should be a skeleton for /tmp
> (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=156452)
> but I'm now starting to think that's may be a bad idea, and I should
> close the bug.
...and does tmpwatch need to be allowed to erase those folders?
If so, startup script is not an option... because right now tmpwatch
goes and tries to erase all of this..
--
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University
On Saturday 07 May 2005 01:39, Ivan Gyurdiev <ivg2@cornell.edu> wrote:
> > ...but orbit-$USER needs to be labeled properly, and it can be created
> > by anything that interfaces w/ libORBit-2, I think...which means
> > that either it has to be created by a startup script, or
> > the library should be modified to use matchpathcon()
> > when it creates the folder. I don't know which.
> > I also thought perhaps there should be a skeleton for /tmp
> > (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=156452)
> > but I'm now starting to think that's may be a bad idea, and I should
> > close the bug.
>
> ...and does tmpwatch need to be allowed to erase those folders?
> If so, startup script is not an option... because right now tmpwatch
> goes and tries to erase all of this..
Every type that is used by default for objects created under /tmp should be
removable by tmpwatch. Types such as user_home_t should not be removable by
tmpwatch as this is the entire aim of the tmpwatch policy.
This means of course that a user who desires it can avoid having their files
removed by giving them a type that tmpwatch can't remove. This is not such a
bad thing IMHO, tmpwatch is not designed as part of the security system, and
SE Linux is not designed to deal with resource allocation issues.
One possibility would be to allow tmpwatch to go through user (not sysadm)
home directories but not have search access to home_root_t. But this makes
the protection of user home directories from tmpwatch dependent on the label
of home_root_t, I'm not certain that in all cases of automounting and strange
configuration of home directories we can rely on the label of home_root_t
being assigned to /home to protect sub-directories.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
> One possibility would be to allow tmpwatch to go through user (not sysadm)
> home directories but not have search access to home_root_t. But this makes
> the protection of user home directories from tmpwatch dependent on the label
> of home_root_t, I'm not certain that in all cases of automounting and strange
> configuration of home directories we can rely on the label of home_root_t
> being assigned to /home to protect sub-directories.
I am a bit confused - /tmp/orbit-$USER is not in /home...
I was just wondering whether the orbit folder should be allowed to
be erased by tmpwatch due to inactivity... If so, it will need to
be recreated (without rebooting), and that's why I was saying that
in that case, libORBit probably needs to set the correct context itself,
as opposed to a startup script solution that creates this folder.
There is no problem as far as tmpwatch goes - I can just mark the type
tmpfile, I guess.
--
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University
On Sat, 2005-05-07 at 13:04 -0400, Ivan Gyurdiev wrote:
> > One possibility would be to allow tmpwatch to go through user (not sysadm)
> > home directories but not have search access to home_root_t. But this makes
> > the protection of user home directories from tmpwatch dependant on the label
> > of home_root_t, I'm not certain that in all cases of automounting and strange
> > configuration of home directories we can rely on the label of home_root_t
> > being assigned to /home to protect sub-directories.
>
> I am a bit confused - /tmp/orbit-$USER is not in /home...
> I was just wondering whether the orbit folder should be allowed to
> be erased by tmpwatch due to inactivity... If so, it will need to
> be recreated (without rebooting), and that's why I was saying that
> in that case, libORBit probably needs to set the correct context itself,
> as opposed to a startup script solution that creates this folder.
>
> There is no problem as far as tmpwatch goes - I can just mark the type
> tmpfile, I guess.
Patch for ORBit2 here - see the last attachment:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=155800
I think I should submit the ORBit part of this patch for inclusion...
--
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University
Ivan Gyurdiev wrote:
>On Sat, 2005-05-07 at 13:04 -0400, Ivan Gyurdiev wrote:
>
>
>>>One possibility would be to allow tmpwatch to go through user (not sysadm)
>>>home directories but not have search access to home_root_t. But this makes
>>>the protection of user home directories from tmpwatch dependant on the label
>>>of home_root_t, I'm not certain that in all cases of automounting and strange
>>>configuration of home directories we can rely on the label of home_root_t
>>>being assigned to /home to protect sub-directories.
>>>
>>>
>>I am a bit confused - /tmp/orbit-$USER is not in /home...
>>I was just wondering whether the orbit folder should be allowed to
>>be erased by tmpwatch due to inactivity... If so, it will need to
>>be recreated (without rebooting), and that's why I was saying that
>>in that case, libORBit probably needs to set the correct context itself,
>>as opposed to a startup script solution that creates this folder.
>>
>>There is no problem as far as tmpwatch goes - I can just mark the type
>>tmpfile, I guess.
>>
>>
>
>Patch for ORBit2 here - see the last attachment:
>https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=155800
>
>I think I should submit the ORBit part of this patch for inclusion...
>
>
>
I am not crazy about this patch, since I don't think we need to run a
privileged orbit.
If we have the init scripts create a /tmp/orbit directory and the login
creates orbit-$USER
under there we can get all the transitions correct. Can't we?
Dan
--
> I am not crazy about this patch, since I don't think we need to run a
> privileged orbit.
orbit is not privileged - there will be no orbit domain -
it's just a file type with some macros to mark the appropriate sockets,
and allow connections between them.
The benefit of this is that:
(1) Applications no longer access ROLE_tmp_t,
they access ROLE_orbit_tmp_t instead, which is a more
specific type for this operation, separate from the type
that would be used for other things.
(2) Once things are properly confined they will not need
to access ROLE_orbit_tmp_t either, which is really the point of
this patch - proper labeling of orbit sockets for each
application. Already gift is disallowed access to anything but
gconf orbit sockets. This doesn't work for mozilla yet, because
it talks to gnome-vfs-daemon, and other things, but eventually
all of them should be confined.
(3) This removes generic types, and adds more specific ones.
I see this as a step forward.
See the patches I sent for the implementation.
> If we have the init scripts create a /tmp/orbit directory and the login
> creates orbit-$USER
> under there we can get all the transitions correct. Can't we?
So, do you oppose the whole patch, or just the part the makes
orbit depend on libselinux?
I'm not sure about a startup script - that's a possible solution,
but Bill Nottingham didn't like my /tmp skeleton idea, and after
a while I thought it would be better to do this in the application
as well.
With a startup script, we have to create the folder for all users,
regardless of whether they need it. Also, orbit
creates /tmp/orbit-$USER-(random hex number) for some reason,
and I haven't figured out why it does that yet. Also, tmpwatch
might erase that folder due to inactivity (and maybe it should
be able to). If that happens, we don't want to have to reboot
to recreate it.
--
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University
Ivan Gyurdiev wrote:
>>I am not crazy about this patch. Since I don't think we need to run a
>>priveledged orbit.
>>
>>
>
>orbit is not privileged - there will be no orbit domain -
>it's just a file type with some macros to mark the appropriate sockets,
>and allow connections between them.
>
>The benefit of this is that:
>
>(1) Applications no longer access ROLE_tmp_t,
>they access ROLE_orbit_tmp_t instead, which is a more
>specific type for this operation, separate from the type
>that would be used for other things.
>
>(2) Once things are properly confined they will not need
>to access ROLE_orbit_tmp_t either, which is really the point of
>this patch - proper labeling of orbit sockets for each
>application. Already gift is disallowed access to anything but
>gconf orbit sockets. This doesn't work for mozilla yet, because
>it talks to gnome-vfs-daemon, and other things, but eventually
>all of them should be confined.
>
>(3) This removes generic types, and adds more specific ones.
>I see this as a step forward.
>
>See the patches I sent for the implementation.
>
>
>
>>If we have the init scripts create a /tmp/orbit directory and the login
>>creates orbit-$USER
>>under there we can get all the transitions correct. Can't we?
>>
>>
>
>So, do you oppose the whole patch, or just the part the makes
>orbit depend on libselinux?
>
>I'm not sure about a startup script - that's a possible solution,
>but Bill Nottingham didn't like my /tmp skeleton idea, and after
>a while I thought it would be better to do this in the application
>as well.
>
>With a startup script, we have to create the folder for all users,
>regardless of whether they need it. Also, orbit
>creates /tmp/orbit-$USER-(random hex number) for some reason,
>and I haven't figured out why it does that yet. Also, tmpwatch
>might erase that folder due to inactivity (and maybe it should
>be able to). If that happens, we don't want to have to reboot
>to recreate it.
>
>
>
Doesn't your patch mean that every app that links with ORBit needs to be
able to read the file-context configuration
and to call setfscreatecon()?
Dan
--
> Doesn't your patch mean that every app that links with ORBit needs to be
> able to read the file-context configuration
> and to call setfscreatecon()?
>
Oh - I thought you meant something else.
Yes, it does. Is this a bad thing?
The setfscreatecon is limited to self -
##################################
#
# can_setfscreate(domain)
#
# Authorize a domain to set its fscreate context
# (via /proc/pid/attr/fscreate).
#
define(`can_setfscreate',`
allow $1 self:process setfscreate;
allow $1 proc_t:dir search;
allow $1 proc_t:{ file lnk_file } read;
allow $1 self:dir search;
allow $1 self:file { getattr read write };
')
Here's the full list of selinux privileges needed:
# Set its type - libselinux integration
can_setfscreate($1_t)
can_getsecurity($1_t)
r_dir_file($1_t, selinux_config_t)
r_dir_file($1_t, file_context_t)
allow $1_t default_context_t:dir search;
--
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University
Ivan Gyurdiev wrote:
>>Doesn't you patch mean that every app that links with orbit needs to
>>able to read context files
>>and able to setfscreatecon?
>>
>>
>>
>
>Oh - I thought you meant something else.
>Yes, it does. Is this a bad thing?
>
>The setfscreatecon is limited to self -
>
>##################################
>#
># can_setfscreate(domain)
>#
># Authorize a domain to set its fscreate context
># (via /proc/pid/attr/fscreate).
>#
>define(`can_setfscreate',`
>allow $1 self:process setfscreate;
>allow $1 proc_t:dir search;
>allow $1 proc_t:{ file lnk_file } read;
>allow $1 self:dir search;
>allow $1 self:file { getattr read write };
>')
>
>Here's the full list of selinux privileges needed:
>
>
># Set its type - libselinux integration
>can_setfscreate($1_t)
>can_getsecurity($1_t)
>r_dir_file($1_t, selinux_config_t)
>r_dir_file($1_t, file_context_t)
>allow $1_t default_context_t:dir search;
>
>
>
I think I can create a file with context of passwd_t via those privs?
--
On Mon, 2005-05-09 at 14:27 -0400, Daniel J Walsh wrote:
> Ivan Gyurdiev wrote:
>
> >>Doesn't you patch mean that every app that links with orbit needs to
> >>able to read context files
> >>and able to setfscreatecon?
> >>
...
> >
> >Here's the full list of selinux privileges needed:
> >
> >
> ># Set its type - libselinux integration
> >can_setfscreate($1_t)
> >can_getsecurity($1_t)
> >r_dir_file($1_t, selinux_config_t)
> >r_dir_file($1_t, file_context_t)
> >allow $1_t default_context_t:dir search;
> >
> >
> >
> I think I can create a file with context of passwd_t via those privs?
Is this true? Doesn't SELinux still check create/write/getattr/read
on passwd_t objects, or does setting the fscreate context to passwd_t bypass all of that?
If that's true, then it's definitely not what I intended to do.
--
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University
On Mon, 2005-05-09 at 14:37 -0400, Ivan Gyurdiev wrote:
> On Mon, 2005-05-09 at 14:27 -0400, Daniel J Walsh wrote:
> > I think I can create a file with context of passwd_t via those privs?
>
> Is this true? Doesn't selinux audit calls to create/write/getattr/read..
> for passwd_t.. or does setfscreate(passwd_t) allow all of this.
>
> If that's true, then it's definitely not what I intended to do.
can_setfscreate() just allows a process (domain) to request a specific
security context for newly created files other than the default. The
ability to create specific file types is then mediated by the ordinary file
create permission check: the domain must be allowed `create` on the
requested type for that object class (and the type must be allowed to
`associate` with the filesystem). Hence, can_setfscreate(X) does not allow a
domain to create files in arbitrary types; it still has to pass the file
create check as well.
--
Stephen Smalley
National Security Agency
On Sunday 08 May 2005 03:04, Ivan Gyurdiev <ivg2@cornell.edu> wrote:
> > One possibility would be to allow tmpwatch to go through user (not
> > sysadm) home directories but not have search access to home_root_t. But
> > this makes the protection of user home directories from tmpwatch
> > dependant on the label of home_root_t, I'm not certain that in all cases
> > of automounting and strange configuration of home directories we can rely
> > on the label of home_root_t being assigned to /home to protect
> > sub-directories.
>
> I am a bit confused - /tmp/orbit-$USER is not in /home...
> I was just wondering whether the orbit folder should be allowed to
> be erased by tmpwatch due to inactivity... If so, it will need to
> be recreated (without rebooting), and that's why I was saying that
> in that case, libORBit probably needs to set the correct context itself,
> as opposed to a startup script solution that creates this folder.
Tmpwatch should be allowed to erase it along with every other type that is
used by default for object creation under /tmp.
Users can create files with type user_home_t under /tmp by setting their
fscreate context.
Files of type user_home_t under /tmp cannot be removed by tmpwatch.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
Ivan Gyurdiev wrote:
>>>diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/restorecon.te policy-1.23.14/domains/program/restorecon.te
>>>--- nsapolicy/domains/program/restorecon.te 2005-04-27 10:28:49.000000000 -0400
>>>+++ policy-1.23.14/domains/program/restorecon.te 2005-05-05 15:11:06.000000000 -0400
>>>@@ -20,7 +20,7 @@
>>> role secadm_r types restorecon_t;
>>>
>>> allow restorecon_t initrc_devpts_t:chr_file { read write ioctl };
>>>-allow restorecon_t { tty_device_t admin_tty_type }:chr_file { read write ioctl };
>>>+allow restorecon_t { tty_device_t admin_tty_type devtty_t }:chr_file { read write ioctl };
>>>
>>>
>
>Perhaps (?):
>
>allow restorecon_t tty_device_t:chr_file { read write ioctl};
>access_terminal(restorecon_t, $2)
>access_terminal(restorecon_t, initrc)
>
>
>
>>>diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/auditd.te policy-1.23.14/domains/program/unused/auditd.te
>>>--- nsapolicy/domains/program/unused/auditd.te 2005-05-02 14:06:54.000000000 -0400
>>>+++ policy-1.23.14/domains/program/unused/auditd.te 2005-05-02 14:57:26.000000000 -0400
>>>@@ -56,3 +56,4 @@
>>> allow auditctl_t sysctl_kernel_t:file read;
>>> allow auditd_t self:process setsched;
>>> dontaudit auditctl_t init_t:fd use;
>>>+allow auditctl_t initrc_devpts_t:chr_file { read write };
>>>
>>>
>
>Perhaps (?):
>
>access_terminal(auditctl_t, initrc)
>
>
>
>>> allow consoletype_t crond_t:fifo_file { read getattr ioctl };
>>>diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.23.14/domains/program/unused/cups.te
>>>--- nsapolicy/domains/program/unused/cups.te 2005-05-02 14:06:54.000000000 -0400
>>>+++ policy-1.23.14/domains/program/unused/cups.te 2005-05-02 14:57:26.000000000 -0400
>>>@@ -22,6 +22,7 @@
>>> logdir_domain(cupsd)
>>>
>>> tmp_domain(cupsd)
>>>+file_type_auto_trans(cupsd_t, tmp_t, cupsd_tmp_t, fifo_file)
>>>
>>>
>
>tmp_domain(cupsd, `', { file dir fifo_file })
>
>
>
ok
>>>@@ -47,6 +47,7 @@
>>> allow hald_t printer_device_t:chr_file rw_file_perms;
>>> allow hald_t urandom_device_t:chr_file read;
>>> allow hald_t mouse_device_t:chr_file r_file_perms;
>>>+allow hald_t memory_device_t:chr_file r_file_perms;
>>>
>>>
>
>?? That no longer triggers an assertion violation?
>
>
privmem attribute allows this.
>I specifically had to allow it in the assertion list when
>it was necessary for dmidecode. Why is it still necessary?
>
>
>
>>>diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/games_domain.te policy-1.23.14/macros/program/games_domain.te
>>>--- nsapolicy/macros/program/games_domain.te 2005-04-27 10:28:54.000000000 -0400
>>>+++ policy-1.23.14/macros/program/games_domain.te 2005-05-05 15:10:05.000000000 -0400
>>>@@ -17,11 +17,14 @@
>>> if (! disable_games_trans) {
>>> domain_auto_trans($1_t, games_exec_t, $1_games_t)
>>> }
>>>+can_exec($1_games_t, games_exec_t)
>>>
>>>
>
>It needs to re-execute itself??
>
>===============
>
>Question:
>
>Is it better to create orbit-$USER in a startup script, or
>to include selinux support in libORBit2 in order to
>properly set the context of /tmp/orbit-$USER to ROLE_orbit_tmp_t
>when it's created?
>
>
>
--
On Friday 06 May 2005 05:35, Daniel J Walsh <dwalsh@redhat.com> wrote:
> +allow cupsd_t crond_t:fd use;
Something is wrong here. crond_t has attribute privfd, and from
daemon_base_domain() cupsd_t gets the following:
allow cupsd_t privfd:fd use;
-daemon_domain(hald, `, fs_domain, nscd_client_domain')
+daemon_domain(hald, `, fs_domain, nscd_client_domain, privmem')
-allow hald_t self:capability { net_admin sys_admin dac_override
dac_read_search mknod };
+allow hald_t self:capability { net_admin sys_admin dac_override
dac_read_search mknod sys_rawio };
+allow hald_t memory_device_t:chr_file r_file_perms;
The dmidecode_t domain removes the need for those changes.
+can_unix_connect(i18n_input_t, initrc_t)
What's happening here? Looks like a daemon running in the wrong domain.
+allow kudzu_t proc_t:lnk_file getattr;
We already have the following:
allow kudzu_t { self proc_t }:lnk_file read;
We should probably change it to:
allow kudzu_t { self proc_t }:lnk_file { getattr read };
-dontaudit lvm_t var_run_t:dir getattr;
+var_run_domain(lvm)
What is this for? CLVM?
-allow udev_t tmpfs_t:dir rw_dir_perms;
-allow udev_t tmpfs_t:sock_file create_file_perms;
+allow udev_t tmpfs_t:dir create_dir_perms;
+allow udev_t tmpfs_t:{ sock_file file } create_file_perms;
In what situations is this required? When udev is working correctly it will
never try to create files or directories of type tmpfs_t.
+/etc/rhgb(/.*)? -d system_u:object_r:mnt_t
Why move this from rhgb.fc to distros.fc? Surely it's more of a RHGB specific
thing than a distribution specific thing. Not that there are any other
distributions using RHGB at the moment.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
--
Russell Coker wrote:
>On Friday 06 May 2005 05:35, Daniel J Walsh <dwalsh@redhat.com> wrote:
>
>
>>+allow cupsd_t crond_t:fd use;
>>
>>
>
>Something is wrong here. crond_t has attribute privfd, and from
>daemon_base_domain() cupsd_t gets the following:
>allow cupsd_t privfd:fd use;
>
>-daemon_domain(hald, `, fs_domain, nscd_client_domain')
>+daemon_domain(hald, `, fs_domain, nscd_client_domain, privmem')
>
>-allow hald_t self:capability { net_admin sys_admin dac_override
>dac_read_search mknod };
>+allow hald_t self:capability { net_admin sys_admin dac_override
>dac_read_search mknod sys_rawio };
>
>+allow hald_t memory_device_t:chr_file r_file_perms;
>
>The dmidecode_t domain removes the need for those changes.
>
>
>
Ok Removed
>+can_unix_connect(i18n_input_t, initrc_t)
>
>What's happening here? Looks like a daemon running in the wrong domain.
>
>+allow kudzu_t proc_t:lnk_file getattr;
>
>We already have the following:
>allow kudzu_t { self proc_t }:lnk_file read;
>
>We should probably change it to:
>allow kudzu_t { self proc_t }:lnk_file { getattr read };
>
>
>
I don't see this.
>-dontaudit lvm_t var_run_t:dir getattr;
>+var_run_domain(lvm)
>
>What is this for? CLVM?
>
>
>
I don't recall but it was trying to write a pid file.
>-allow udev_t tmpfs_t:dir rw_dir_perms;
>-allow udev_t tmpfs_t:sock_file create_file_perms;
>+allow udev_t tmpfs_t:dir create_dir_perms;
>+allow udev_t tmpfs_t:{ sock_file file } create_file_perms;
>
>In what situations is this required? When udev is working correctly it will
>never try to create files or directories of type tmpfs_t.
>
>
>
This is happening before the /dev is relabeled.
>+/etc/rhgb(/.*)? -d system_u:object_r:mnt_t
>
>Why move this from rhgb.fc to distros.fc? Surely it's more of a RHGB specific
>thing than a distribution specific thing. Not that there are any other
>distributions using RHGB at the moment.
>
>
>
Because we do not support rhgb in targeted policy, but we still need to be able
to mount on it.
--
--
On Friday 06 May 2005 22:43, Daniel J Walsh <dwalsh@redhat.com> wrote:
> >+allow kudzu_t proc_t:lnk_file getattr;
> >
> >We already have the following:
> >allow kudzu_t { self proc_t }:lnk_file read;
> >
> >We should probably change it to:
> >allow kudzu_t { self proc_t }:lnk_file { getattr read };
>
> I don't see this.
My mistake, it's in daemon_core_rules().
We should probably change daemon_core_rules() on line 256 of
macros/global_macros.te from:
allow $1_t { self proc_t }:lnk_file read;
to:
allow $1_t { self proc_t }:lnk_file { getattr read };
> >-dontaudit lvm_t var_run_t:dir getattr;
> >+var_run_domain(lvm)
> >
> >What is this for? CLVM?
>
> I don't recall but it was trying to write a pid file.
What was the name of the file? If nothing else we will need a .fc entry for
it.
> >-allow udev_t tmpfs_t:dir rw_dir_perms;
> >-allow udev_t tmpfs_t:sock_file create_file_perms;
> >+allow udev_t tmpfs_t:dir create_dir_perms;
> >+allow udev_t tmpfs_t:{ sock_file file } create_file_perms;
> >
> >In what situations is this required? When udev is working correctly it
> > will never try to create files or directories of type tmpfs_t.
>
> This is happening before the /dev is relabeled.
/dev is populated initially before SE Linux is enabled (from the initrd). It
is relabeled on line 42 of /etc/rc.sysinit. How is udev being started in
between the SE Linux load (start of init) and line 42 of rc.sysinit?
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
--