SELinux Mailing List
Subject: screen.te zsh fixes
Date: 28 Jun 2003 02:36:37 -0400
Similar fixes to screen.te needed for the zsh symlinks. Patch attached. You know though, I am thinking more and more that we should treat /etc/alternatives specially for setfiles. We could follow the symlink and label it with the type of the file it points to. That way we wouldn't have to add all these special etc_t:{lnk_file} { read } permissions to various programs that are able to execute bin_t or whatever.
dontaudit $1_screen_t file_type:{ chr_file blk_file } getattr; ')

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

From: Russell Coker <russell_at_coker.com.au>
Subject: Re: screen.te zsh fixes
Date: Sat, 28 Jun 2003 17:41:05 +1000
OK, it's in my tree.
> You know though, I am thinking more and more that we should treat

So instead of adding "etc_t:lnk_file read" we add "foo_exec_t:lnk_file read" and "bar_exec_t:lnk_file read" because the domain in question needs to access executable types foo_exec_t and bar_exec_t. I guess we could change the can_exec() macro to allow this at the same time.

Another thing I've been thinking about is the handling of /etc/localtime; it gets regenerated by many scripts with type etc_t. Maybe it would be best if we use etc_t for /etc/localtime of type symlink and locale_t for a file type (hard link). Then we can have a macro read_locale() which on Debian allows reading etc_t:lnk_file (and thus covers /etc/alternatives as a side-effect).

Does Red Hat have something like /etc/alternatives? Or is it only a Debian thing?

PS This is going to be a bit ugly. Whatever we do to solve this is going to require a relabel of /etc as part of the upgrade process. But I am coming to the conclusion that we have got some things wrong in the past and should fix them.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page

From: Colin Walters <walters_at_verbum.org>
Subject: Re: screen.te zsh fixes
Date: 28 Jun 2003 03:59:34 -0400
Cool. Actually I discovered some things in further usage. First of all
I have a ~/.screenrc that I really need to use; the default ^a screen
keybinding sucks for emacs :) So I created a new type $1_home_screen_t
much like $1_home_ssh_t.
> So instead of adding "etc_t:lnk_file read" we add "foo_exec_t:lnk_file read"

Right.

> Another thing I've been thinking about is the handling of the /etc/localtime,

That makes sense to me. I am running into the locale issue a lot.

> Does Red Hat have something like /etc/alternatives? Or is it only a Debian

I think I heard that they adopted the idea, although not the specific Debian implementation. Hopefully a Red Hat person here can speak up.

> PS This is going to be a bit ugly. Whatever we do to solve this is going to

Yeah. But as long as we provide a transition document of some sort, I think it should be ok...
allow $1_screen_t shadow_t:file { read getattr };
@@ -39,6 +40,10 @@
+allow $1_screen_t $1_home_screen_t:{file lnk_file} r_file_perms; +allow $1_t $1_home_screen_t:{file lnk_file} create_file_perms; +allow $1_t $1_home_screen_t:{file lnk_file} { relabelfrom relabelto }; + allow $1_screen_t privfd:fd use;
# Write to utmp.
-allow $1_screen_t etc_t:file { read getattr }; +allow $1_screen_t etc_t:{file lnk_file} { read getattr }; allow $1_screen_t self:dir { search read }; allow $1_screen_t self:lnk_file { read }; allow $1_screen_t device_t:dir search; allow $1_screen_t { home_root_t $1_home_dir_t }:dir search; +# Internal screen networking +allow $1_screen_t self:fd *; allow $1_screen_t self:unix_stream_socket create_socket_perms; +allow $1_screen_t self:unix_dgram_socket create_socket_perms;+ can_exec($1_screen_t, shell_exec_t) allow $1_screen_t bin_t:dir search; +allow $1_screen_t bin_t:lnk_file { read }; +allow $1_screen_t locale_t:dir r_dir_perms; +allow $1_screen_t locale_t:{file lnk_file} r_file_perms; dontaudit $1_screen_t file_type:{ chr_file blk_file } getattr; ')
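Review bot: the hunk grants $1_screen_t and $1_t access to $1_home_screen_t, but the `type $1_home_screen_t, ...` declaration and the file_contexts entry that labels ~/.screenrc with it are not in the visible diff; they need to ship in the same patch (the message says the type was created "much like $1_home_ssh_t"), otherwise checkpolicy rejects the undeclared type. Two smaller points: `-allow $1_screen_t etc_t:file { read getattr }; +allow $1_screen_t etc_t:{file lnk_file} { read getattr };` is exactly the blanket etc_t:lnk_file grant the rest of the thread is trying to get rid of, so it deserves a comment marking it as a stopgap for /etc/alternatives until the labeling question is settled; and `+allow $1_screen_t self:fd *;` spells a wildcard where the neighbouring line writes `privfd:fd use`, and since `use` is the only permission in the fd class, writing `use` keeps the two rules consistent and makes the intent explicit.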
From: Bart Mallio <bmallio_at_theworld.com>
Subject: Re: screen.te zsh fixes
Date: Sat, 28 Jun 2003 08:56:15 -0400
On 28 Jun 2003, Colin Walters wrote:
> > Does Red Hat have something like /etc/alternatives? Or is it only a Debian

It does, actually. On my vanilla install of RH 9, it's got 21 links bridging mta stuff to sendmail, and lp stuff to cups. RH's man pages claim that their "alternatives" is "a reimplementation of the Debian alternatives system...primarily to remove the dependency on perl." Let me know if there's any RH-generic config stuff (copies of man pages, settings, etc.) I can pass on.
Best,
From: Russell Coker <russell_at_coker.com.au>
Subject: Re: screen.te zsh fixes
Date: Sun, 29 Jun 2003 14:38:15 +1000
OK, that's in my tree too.
> > So instead of adding "etc_t:lnk_file read" we add "foo_exec_t:lnk_file

I'm holding off on this one at the moment. I'm not sure that there's enough benefit to justify the effort right now.

> > Another thing I've been thinking about is the handling of the

OK, that's in my tree now.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
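The two labeling strategies argued over in this thread, as an added example that is not part of the original posts or of any SELinux policy: a small Python model of how setfiles assigns types from a file_contexts table (last matching entry wins) over a constructed tree containing a Debian-style /bin/zsh -> /etc/alternatives/zsh -> /bin/zsh4 chain and an /etc/localtime symlink. `label()` with `follow_symlinks=False` is the existing behaviour (the symlink under /etc/alternatives gets etc_t from its own path); with `follow_symlinks=True` it implements Colin's proposal of labeling the symlink with the type of the file it points to, falling back to the literal label on a loop or dangling link so nothing is left unlabeled. `lnk_read_rules()` then lists the lnk_file read rules a domain needs to reach the executable under each strategy, which is the per-domain cost Russell's per-exec-type rules are meant to contain. The file_contexts entries, the tree, the domain name user_screen_t and all function names are assumptions made for this example.

```python
import re

# Constructed file_contexts-style entries (assumed; not from any real policy).
# As with setfiles, the LAST matching entry wins, so generic entries come first.
FILE_CONTEXTS = [
    (r"^/etc/.*", "etc_t"),
    (r"^/bin/.*", "bin_t"),
    (r"^/usr/bin/.*", "bin_t"),
    (r"^/bin/zsh.*", "shell_exec_t"),
    (r"^/usr/share/zoneinfo/.*", "locale_t"),
]

# Constructed filesystem: path -> symlink target, or None for a regular file.
TREE = {
    "/bin/zsh": "/etc/alternatives/zsh",        # Debian-style alternatives chain
    "/etc/alternatives/zsh": "/bin/zsh4",
    "/bin/zsh4": None,
    "/etc/localtime": "/usr/share/zoneinfo/UTC",
    "/usr/share/zoneinfo/UTC": None,
    "/etc/broken": "/etc/loop",                 # symlink loop: the failure mode
    "/etc/loop": "/etc/broken",
}


def spec_type(path, specs=FILE_CONTEXTS):
    """Type of the last file_contexts entry matching the path (setfiles rule)."""
    found = None
    for pattern, t in specs:
        if re.match(pattern, path):
            found = t
    return found


def is_symlink(path, tree=TREE):
    return tree.get(path) is not None


def resolve(path, tree=TREE, max_hops=16):
    """Follow a chain of symlinks to its final regular file.
    Returns None for a loop, a dangling link, or a chain longer than max_hops."""
    seen = set()
    while is_symlink(path, tree):
        if path in seen or len(seen) >= max_hops:
            return None
        seen.add(path)
        path = tree[path]
    return path if path in tree else None


def label(path, follow_symlinks=False, tree=TREE):
    """Literal labeling (today's setfiles) types a symlink by its own path.
    With follow_symlinks=True the symlink takes the type of its final target,
    which is the /etc/alternatives proposal; an unresolvable link keeps the
    literal label so a loop or dangling link never leaves a path unlabeled."""
    if follow_symlinks and is_symlink(path, tree):
        target = resolve(path, tree)
        if target is not None:
            return spec_type(target)
    return spec_type(path)


def lnk_read_rules(domain, exec_path, follow_symlinks=False, tree=TREE):
    """Allow rules the domain needs to walk from exec_path to the binary it
    finally executes: lnk_file read on every hop's label, execute on the target."""
    rules = set()
    path, seen = exec_path, set()
    while is_symlink(path, tree) and path not in seen:
        seen.add(path)
        t = label(path, follow_symlinks, tree)
        rules.add(f"allow {domain} {t}:lnk_file read;")
        path = tree[path]
    rules.add(f"allow {domain} {spec_type(path)}:file execute;")
    return rules


if __name__ == "__main__":
    for follow in (False, True):
        print(f"follow_symlinks={follow}")
        for p in ("/etc/alternatives/zsh", "/etc/localtime", "/etc/broken"):
            print(f"  {p:25} -> {label(p, follow)}")
        for r in sorted(lnk_read_rules("user_screen_t", "/bin/zsh", follow)):
            print("  " + r)
```

With literal labeling the walk from /bin/zsh needs both shell_exec_t:lnk_file read and etc_t:lnk_file read; with target-following labeling the etc_t rule disappears, which is the point of the proposal, at the price Russell notes: every existing /etc/alternatives link changes type, so the switch requires a relabel of /etc.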
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009