* local policy changes, /var/lib access, syslogd
@ 2003-06-25 1:49 Colin Walters
2003-06-25 3:54 ` Russell Coker
0 siblings, 1 reply; 7+ messages in thread
From: Colin Walters @ 2003-06-25 1:49 UTC (permalink / raw)
To: selinux
Hi,
I have a few questions. First, where is the best place to keep one's
local policy changes? For example, I wanted to let user_t have general
access to httpd_sys_content_t, since almost all of my users maintain
their own websites. So I just put
# Since most of our users are also web admins, just allow this.
rw_dir_create_file(user_t,httpd_sys_content_t)
allow user_t httpd_sys_content_t:dir create_dir_perms;
in /etc/selinux/domains/misc/local.te. Is there a more "standard" place
for this?
Secondly, I'm getting a lot of programs wanting search access to
/var/lib (var_lib_t). At least sshd_t, user_ssh_t, syslogd_t,
postfix_master_t, etc. I added a bunch of dontaudit rules, but I'm
wondering if anyone knew why these programs were trying to access
/var/lib?
Finally, I also get a number of denials from syslogd attempting to
access /dev/xconsole:
avc: denied { read write } for pid=162 exe=/sbin/syslogd path=/dev/xconsole dev=03:01 ino=2310191 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:device_t tclass=fifo_file
I don't plan to use X on this machine, so I could just add a dontaudit I
suppose, but I'm curious why this isn't the default.
And thanks for SELinux, it's great!
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: local policy changes, /var/lib access, syslogd
@ 2003-06-25 3:54 ` Russell Coker
2003-06-25 4:09 ` Colin Walters
0 siblings, 1 reply; 7+ messages in thread
From: Russell Coker @ 2003-06-25 3:54 UTC (permalink / raw)
To: Colin Walters, selinux
On Wed, 25 Jun 2003 11:49, Colin Walters wrote:
> in /etc/selinux/domains/misc/local.te. Is there a more "standard" place
> for this?
No. I personally use domains/misc/custom.te, but it's a local issue. We probably should document some suggested names to avoid the possibility of conflicts.
> Secondly, I'm getting a lot of programs wanting search access to
> /var/lib (var_lib_t). At least sshd_t, user_ssh_t, syslogd_t,
> postfix_master_t, etc. I added a bunch of dontaudit rules, but I'm
> wondering if anyone knew why these programs were trying to access
> /var/lib?
One way that programs can request search access to a directory is if you do the following:
cd /var/lib ; ssh foo
For ssh this is a very common issue. I guess we could set things up such that a program in a user_whatever_t domain gets allow (or dontaudit) for search access to every type of directory that user_t has access to. But that may permit undesired access.
Is sshd configured to have a privsep directory under /var/lib?
I suspect that postfix_master_t is trying to copy files around to setup a chroot environment. For my machines I configure postfix to not use chroot. Chroot does not restrict postfix as much as SE Linux does and requires that Postfix be given access that I don't want to permit.
I would like to know more about what syslogd is doing.
> Finally, I also get a number of denials from syslogd attempting to
> access /dev/xconsole:
>
> avc: denied { read write } for pid=162 exe=/sbin/syslogd
> path=/dev/xconsole dev=03:01 ino=2310191
> scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:device_t
> tclass=fifo_file
>
> I don't plan to use X on this machine, so I could just add a dontaudit I
> suppose, but I'm curious why this isn't the default.
/dev/xconsole is not inherently related to X. It is a named pipe that syslogd logs to, and it can be used by X or other programs to display the logs. You can use /dev/xconsole without using X, or you can use X without /dev/xconsole (as I do).
If you run SE Linux on an X based workstation then you still probably don't want to permit the users to see the logs. The best thing to do (IMHO) is to configure syslogd to not write anything to /dev/xconsole.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
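Russell's suggestion above is to stop syslogd writing to /dev/xconsole rather than to paper over the denial with a dontaudit rule. Doing that by script has one trap: in the sysklogd configuration shipped with Debian, the xconsole entry is a single logical line spread over several physical lines joined with trailing backslashes, so commenting out only the physical line that contains `/dev/xconsole` leaves a dangling selector list behind and syslogd will complain on the next restart. The following is an added example, not code from the thread or from sysklogd; the syslog.conf text inside it is constructed for the demo, modelled on that Debian default.

```python
"""Comment out the /dev/xconsole entry in a sysklogd syslog.conf.

Added example for this thread, not code from the list or from sysklogd.
Continuation lines (trailing backslash) are joined into one logical entry
first, the entry whose action field is "|/dev/xconsole" is located, and
every physical line of that entry is commented out so the file stays valid.
"""

# Constructed sample, modelled on the sysklogd default shipped with Debian.
SAMPLE_SYSLOG_CONF = (
    "# constructed sample syslog.conf\n"
    "auth,authpriv.*\t\t\t/var/log/auth.log\n"
    "*.*;auth,authpriv.none\t\t-/var/log/syslog\n"
    "mail.*\t\t\t\t-/var/log/mail.log\n"
    "*.emerg\t\t\t\t*\n"
    "daemon.*;mail.*;\\\n"
    "\tnews.err;\\\n"
    "\t*.=debug;*.=info;\\\n"
    "\t*.=notice;*.=warn\t|/dev/xconsole\n"
)


def logical_entries(lines):
    """Yield (physical_lines, joined_text) for each syslog.conf entry.

    A physical line that ends in a backslash continues on the next line,
    so one entry may span several list elements.
    """
    i = 0
    while i < len(lines):
        start = i
        while i < len(lines) - 1 and lines[i].rstrip().endswith("\\"):
            i += 1
        physical = lines[start:i + 1]
        joined = " ".join(p.rstrip().rstrip("\\") for p in physical)
        yield physical, joined
        i += 1


def disable_xconsole(conf_text, target="|/dev/xconsole"):
    """Return (new_text, entries_disabled).

    Every non-comment entry whose last field (the action) equals `target`
    is commented out, one '#' per physical line. Already-commented entries
    are left alone, so running this twice is a no-op the second time.
    """
    out = []
    disabled = 0
    for physical, joined in logical_entries(conf_text.split("\n")):
        fields = joined.split()
        is_rule = bool(fields) and not fields[0].startswith("#")
        if is_rule and fields[-1] == target:
            out.extend("#" + p for p in physical)
            disabled += 1
        else:
            out.extend(physical)
    return "\n".join(out), disabled


if __name__ == "__main__":
    new_conf, count = disable_xconsole(SAMPLE_SYSLOG_CONF)
    print("disabled %d entry(ies)" % count)
    print(new_conf)
```

Against the real file, read `/etc/syslog.conf`, pass its text to `disable_xconsole`, write the result back and restart syslogd; because commented entries are skipped, a second run reports zero changes.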
* Re: local policy changes, /var/lib access, syslogd
@ 2003-06-25 4:09 ` Colin Walters
2003-06-25 4:22 ` Russell Coker
0 siblings, 1 reply; 7+ messages in thread
From: Colin Walters @ 2003-06-25 4:09 UTC (permalink / raw)
To: Russell Coker; +Cc: selinux
(I'm going to CC you because this list is so slow)
On Tue, 2003-06-24 at 23:54, Russell Coker wrote:
> We probably should document some suggested names to avoid the possibility of
> conflicts.
Yeah, it'd be a good idea, but no big deal.
> One way that programs can request search access to a directory is if you do
> the following:
> cd /var/lib ; ssh foo
No, I'm not doing anything like that.
> Is sshd configured to have a privsep directory under /var/lib?
I don't have any privsep stuff in my sshd config, no.
> I suspect that postfix_master_t is trying to copy files around to setup a
> chroot environment. For my machines I configure postfix to not use chroot.
I did that as well on the advice of weasel (from #selinux irc). But I still get that message.
Also, since this occurs for so many programs, I suspect something lower level is doing it, like glibc maybe?
> /dev/xconsole is not inherently related to X.
Right, I understand that.
> The best thing to do (IMHO) is to configure syslogd to not write anything to
> /dev/xconsole.
Good idea, I've done that. Thanks!
* Re: local policy changes, /var/lib access, syslogd
@ 2003-06-25 4:22 ` Russell Coker
2003-06-25 5:16 ` Colin Walters
0 siblings, 1 reply; 7+ messages in thread
From: Russell Coker @ 2003-06-25 4:22 UTC (permalink / raw)
To: Colin Walters; +Cc: selinux
On Wed, 25 Jun 2003 14:09, Colin Walters wrote:
> > Is sshd configured to have a privsep directory under /var/lib?
>
> I don't have any privsep stuff in my sshd config, no.
>
> > I suspect that postfix_master_t is trying to copy files around to setup a
> > chroot environment. For my machines I configure postfix to not use
> > chroot.
>
> I did that as well on the advice of weasel (from #selinux irc). But I
> still get that message.
Please give me the full log details from dmesg, and tell me what operations are necessary to cause it (restart of daemon, make connection, etc).
> Also, since this occurs for so many programs, I suspect something lower
> level is doing it, like glibc maybe?
Maybe libnss_db.
* Re: local policy changes, /var/lib access, syslogd
@ 2003-06-25 5:16 ` Colin Walters
2003-06-25 6:13 ` Russell Coker
0 siblings, 1 reply; 7+ messages in thread
From: Colin Walters @ 2003-06-25 5:16 UTC (permalink / raw)
To: Russell Coker; +Cc: selinux
On Wed, 2003-06-25 at 00:22, Russell Coker wrote:
> On Wed, 25 Jun 2003 14:09, Colin Walters wrote:
> > > Is sshd configured to have a privsep directory under /var/lib?
> > >
> > > I don't have any privsep stuff in my sshd config, no.
> > >
> > > > I suspect that postfix_master_t is trying to copy files around to setup a
> > > > chroot environment. For my machines I configure postfix to not use
> > > > chroot.
> > >
> > > I did that as well on the advice of weasel (from #selinux irc). But I
> > > still get that message.
>
> Please give me the full log details from dmesg,
It just looks like this (for example):
avc: denied { search } for pid=5269 exe=/usr/lib/postfix/tlsmgr path=/lib dev=16:01 ino=32769 scontext=system_u:system_r:postfix_master_t tcontext=system_u:object_r:var_lib_t tclass=dir
avc: denied { search } for pid=5340 exe=/usr/lib/postfix/master path=/lib dev=16:01 ino=32769 scontext=system_u:system_r:postfix_master_t tcontext=system_u:object_r:var_lib_t tclass=dir
> and tell me what operations
> are necessary to cause it (restart of daemon, make connection, etc).
Restarting postfix causes it for me.
> Maybe libnss_db.
Ok, interesting. After I remove the 'db' lines in /etc/nsswitch.conf, the avc denial for /usr/lib/postfix/master goes away, but the one for /usr/lib/postfix/tlsmgr stays! I guess I'm going to have to resort to stracing it here...
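The denials quoted in this thread (syslogd on /dev/xconsole in the first message, master and tlsmgr on var_lib_t just above) are the raw material for the allow and dontaudit rules being discussed. The following is an added example, not code from the thread or from the SE Linux policy tree: a small Python parser for the kernel's `avc: denied { perms } for key=value ...` format of that era, which merges denials sharing (source type, target type, object class) and prints one rule per group, the way audit2allow does. The sample lines are copies of the thread's three denials; the set of "coarse" target types it warns about (var_lib_t, device_t) is an assumption chosen for the demo, reflecting the thread's conclusion that a dedicated type for the path beats wider access to a generic one.

```python
"""Turn SELinux AVC denial lines into candidate policy rules.

Added example for this thread; not code from the list or from the SE Linux
policy tree. Parses "avc: denied { perms } for key=value ..." records,
merges denials that share (source type, target type, class) and renders one
allow (or dontaudit) rule per group, which is what audit2allow automates.
"""
import re
from collections import defaultdict

# Constructed sample input: copies of the denials posted in the thread.
SAMPLE_AVC = """\
avc: denied { read write } for pid=162 exe=/sbin/syslogd path=/dev/xconsole dev=03:01 ino=2310191 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:device_t tclass=fifo_file
avc: denied { search } for pid=5269 exe=/usr/lib/postfix/tlsmgr path=/lib dev=16:01 ino=32769 scontext=system_u:system_r:postfix_master_t tcontext=system_u:object_r:var_lib_t tclass=dir
avc: denied { search } for pid=5340 exe=/usr/lib/postfix/master path=/lib dev=16:01 ino=32769 scontext=system_u:system_r:postfix_master_t tcontext=system_u:object_r:var_lib_t tclass=dir
"""

# Assumption for the demo: generic types where a blanket allow usually means
# the real fix is a dedicated type for the path, not wider access to the
# generic type (the thread reaches that conclusion for /var/lib/postfix).
COARSE_TARGET_TYPES = {"var_lib_t", "device_t"}

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(KV_RE.findall(m.group("rest")))   # pid, exe, path, scontext, ...
    rec["verdict"] = m.group("verdict")
    rec["perms"] = frozenset(m.group("perms").split())
    return rec


def type_of(context):
    """user:role:type[:mls] -> type."""
    return context.split(":")[2]


def group_denials(text):
    """Merge denials by (source type, target type, class); union their perms."""
    groups = defaultdict(lambda: {"perms": set(), "exes": set(), "paths": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        g = groups[key]
        g["perms"] |= rec["perms"]
        g["exes"].add(rec.get("exe", "?"))
        if "path" in rec:
            g["paths"].add(rec["path"])
    return dict(groups)


def render_rules(groups, dontaudit=frozenset()):
    """Emit one rule per group; keys listed in `dontaudit` become dontaudit rules."""
    out = []
    for key in sorted(groups):
        src, tgt, cls = key
        g = groups[key]
        perms = sorted(g["perms"])
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        verb = "dontaudit" if key in dontaudit else "allow"
        out.append("# from exe=%s path=%s"
                   % (",".join(sorted(g["exes"])), ",".join(sorted(g["paths"]))))
        if verb == "allow" and tgt in COARSE_TARGET_TYPES:
            out.append("# NOTE: %s is a coarse type; consider a dedicated type "
                       "for the path(s) above instead of this allow" % tgt)
        out.append("%s %s %s:%s %s;" % (verb, src, tgt, cls, perm_str))
    return "\n".join(out)


if __name__ == "__main__":
    groups = group_denials(SAMPLE_AVC)
    # Silence the var_lib_t search the thread decided not to grant outright.
    print(render_rules(groups, dontaudit={("postfix_master_t", "var_lib_t", "dir")}))
```

Feed it `dmesg` output instead of the sample and the grouping shows at a glance which denials come from one process (several exes sharing a source type, as with master and tlsmgr both running as postfix_master_t) and which targets are generic enough that a new file type, not an allow, is the right fix.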
* Re: local policy changes, /var/lib access, syslogd
@ 2003-06-25 6:13 ` Russell Coker
2003-06-25 8:49 ` Colin Walters
0 siblings, 1 reply; 7+ messages in thread
From: Russell Coker @ 2003-06-25 6:13 UTC (permalink / raw)
To: Colin Walters; +Cc: selinux
On Wed, 25 Jun 2003 15:16, Colin Walters wrote:
> It just looks like this (for example):
>
> avc: denied { search } for pid=5269 exe=/usr/lib/postfix/tlsmgr
> path=/lib dev=16:01 ino=32769 scontext=system_u:system_r:postfix_master_t
> tcontext=system_u:object_r:var_lib_t tclass=dir
tlsmgr apparently caches some information on connections (public keys for TLS I guess) under /var/lib. Policy needs to be adjusted for this. tlsmgr probably needs its own domain.
Something like the following should do it. Try it out and send me whatever variant on it works. NB I've never even compiled this policy snippet so there may be typos etc.
postfix.te:
postfix_server_domain(tlsmgr)
allow postfix_tlsmgr_t var_lib_t:dir search;
type postfix_tlscache_t, file_type, sysadmfile;
rw_dir_create_file(postfix_tlsmgr_t, postfix_tlscache_t)
postfix.fc:
/usr/lib/postfix/tlsmgr system_u:object_r:postfix_tlsmgr_exec_t
/var/lib/whatever(.*)? system_u:object_r:postfix_tlscache_t
> > Maybe libnss_db.
>
> Ok, interesting. After I remove the 'db' lines in /etc/nsswitch.conf,
> the avc denial for /usr/lib/postfix/master goes away, but the one for
> /usr/lib/postfix/tlsmgr stays! I guess I'm going to have to resort to
> stracing it here...
In the case of libnss_db then some "allow domain" rules could be used to grant access to the directories. Steve really doesn't like this, so no such policy will ever get into the NSA tree (I've got some similar things in my nscd policy which he doesn't like).
Also note that libnss_db offers little benefit for information sources with less than 5000 entries. Last time I did some serious benchmarking on this it seemed that about 10,000 entries was when you were forced to use something other than plain text files (but it depends on your use of course).
In Debian libnss-db seems to get installed by default and to get installed on upgrades. This may be a bad idea as it often has issues (if it was half as good as the AIX equivalent then there would be no problems). I'm inclined to believe that libnss-db should be re-written to work in a similar manner to AIX (which is considerably more difficult than you might imagine, otherwise I'd have done it), or deprecated in Debian.
I haven't raised this issue for discussion on debian-devel because I've got more than enough other things to bother with at the moment.
* Re: local policy changes, /var/lib access, syslogd
@ 2003-06-25 8:49 ` Colin Walters
0 siblings, 0 replies; 7+ messages in thread
From: Colin Walters @ 2003-06-25 8:49 UTC (permalink / raw)
To: Russell Coker; +Cc: selinux
On Wed, 2003-06-25 at 02:13, Russell Coker wrote:
> On Wed, 25 Jun 2003 15:16, Colin Walters wrote:
> > It just looks like this (for example):
> >
> > avc: denied { search } for pid=5269 exe=/usr/lib/postfix/tlsmgr
> > path=/lib dev=16:01 ino=32769 scontext=system_u:system_r:postfix_master_t
> > tcontext=system_u:object_r:var_lib_t tclass=dir
>
> tlsmgr apparently caches some information on connections (public keys for TLS
> I guess) under /var/lib. Policy needs to be adjusted for this.
Ah, I have it. This is all actually my fault. I have
tls_random_exchange_name = /var/lib/postfix/prng_exch
This was leftover from a previous postfix configuration. I want to have /etc RO in general, and plus the prng_exch kept showing up in my integrit reports. It really belongs in /var. I'm going to be asking the maintainer to change it upstream.
> tlsmgr
> probably needs its own domain.
Yeah.
> Something like the following should do it. Try it out and send me whatever
> variant on it works.
Ok, I ended up not using the tlscache stuff. My changes to postfix.te and postfix.fc are attached.
> I haven't raised this issue for discussion on debian-devel because I've got
> more than enough other things to bother with at the moment.
Ok. Yeah, I wasn't using the db stuff at all. I agree it probably shouldn't be the default. In the meantime though what do you think about adding some dontaudit rules?
[-- Attachment #2: postfix.te.patch --]
--- /usr/share/selinux/policy/default/domains/program/postfix.te Sat May 24 22:07:24 2003
+++ postfix.te Wed Jun 25 16:47:45 2003
@@ -10,6 +10,7 @@ type postfix_exec_t, file_type, sysadmfile, exec_type; type postfix_public_t, file_type, sysadmfile; type postfix_private_t, file_type, sysadmfile; +type postfix_lib_t, file_type, sysadmfile; type postfix_spool_t, file_type, sysadmfile; type postfix_spool_maildrop_t, file_type, sysadmfile; type postfix_spool_flush_t, file_type, sysadmfile; @@ -39,6 +40,8 @@ allow postfix_$1_t bin_t:lnk_file r_file_perms; allow postfix_$1_t shell_exec_t:file rx_file_perms; allow postfix_$1_t var_spool_t:dir r_dir_perms; +allow postfix_$1_t var_lib_t:dir {search getattr}; +allow postfix_$1_t postfix_lib_t:dir r_dir_perms; allow postfix_$1_t postfix_exec_t:file rx_file_perms; allow postfix_$1_t devtty_t:chr_file rw_file_perms; allow postfix_$1_t etc_runtime_t:file r_file_perms; @@ -91,7 +94,8 @@ allow postfix_master_t etc_aliases_t:file r_file_perms; create_dir_file(postfix_master_t, postfix_spool_flush_t) allow postfix_master_t random_device_t:chr_file { read getattr }; -allow postfix_master_t postfix_prng_t:file rw_file_perms; +allow postfix_master_t postfix_lib_t:dir rw_dir_perms; +allow postfix_master_t postfix_prng_t:file create_file_perms; # allow access to deferred queue and allow removing bogus incoming entries allow postfix_master_t postfix_spool_t:dir create_dir_perms; 
@@ -114,18 +118,21 @@ allow postfix_smtp_t postfix_spool_t:file rw_file_perms; allow postfix_smtp_t { postfix_private_t postfix_public_t }:dir search; allow postfix_smtp_t { postfix_private_t postfix_public_t }:sock_file write; -allow postfix_smtp_t random_device_t:chr_file r_file_perms; allow postfix_smtp_t postfix_master_t:unix_stream_socket connectto; postfix_server_domain(smtpd) -allow postfix_smtpd_t random_device_t:chr_file r_file_perms; allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms; allow postfix_smtpd_t { postfix_private_t postfix_public_t }:dir search; allow postfix_smtpd_t { postfix_private_t postfix_public_t }:sock_file rw_file_perms; allow postfix_smtpd_t postfix_master_t:unix_stream_socket connectto; allow postfix_smtpd_t etc_aliases_t:file r_file_perms; -allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms; +postfix_server_domain(tlsmgr) +allow postfix_tlsmgr_t postfix_master_t:tcp_socket rw_stream_socket_perms; +allow postfix_tlsmgr_t postfix_private_t:fifo_file rw_file_perms; + +allow { postfix_smtp_t postfix_smtpd_t postfix_tlsmgr_t } random_device_t:chr_file r_file_perms; +allow { postfix_smtp_t postfix_smtpd_t postfix_tlsmgr_t } postfix_prng_t:file rw_file_perms; postfix_server_domain(local, `, mta_delivery_agent') ifdef(`procmail.te', ` [-- Attachment #3: postfix.fc.patch --] [-- Type: text/plain, Size: 1149 bytes --] --- /usr/share/selinux/policy/default/file_contexts/program/postfix.fc Sat May 24 22:07:24 2003 +++ ../../file_contexts/program/postfix.fc Wed Jun 25 16:32:47 2003 
@@ -2,6 +2,8 @@ /etc/postfix(/.*)? system_u:object_r:etc_postfix_t /etc/postfix/postfix-script.* system_u:object_r:postfix_exec_t /etc/postfix/prng_exch system_u:object_r:postfix_prng_t +/var/lib/postfix(/.*)? system_u:object_r:postfix_lib_t +/var/lib/postfix/prng_exch system_u:object_r:postfix_prng_t /usr/lib/postfix/.* system_u:object_r:postfix_exec_t /usr/lib/postfix/cleanup system_u:object_r:postfix_cleanup_exec_t /usr/lib/postfix/local system_u:object_r:postfix_local_exec_t @@ -11,6 +13,7 @@ /usr/lib/postfix/showq system_u:object_r:postfix_showq_exec_t /usr/lib/postfix/smtp system_u:object_r:postfix_smtp_exec_t /usr/lib/postfix/smtpd system_u:object_r:postfix_smtpd_exec_t +/usr/lib/postfix/tlsmgr system_u:object_r:postfix_tlsmgr_exec_t /usr/lib/postfix/bounce system_u:object_r:postfix_bounce_exec_t /usr/lib/postfix/pipe system_u:object_r:postfix_pipe_exec_t /usr/sbin/postalias system_u:object_r:postfix_master_exec_t ^ permalink raw reply [flat|nested] 7+ messages in thread
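Review bot: the two rules added in the postfix.te hunk @@ -39,6 +40,8 @@ (`allow postfix_$1_t var_lib_t:dir {search getattr};` and `allow postfix_$1_t postfix_lib_t:dir r_dir_perms;`) sit inside an m4 macro body, so every Postfix domain instantiated from it gains search on all of var_lib_t plus read access to /var/lib/postfix, while the denials posted in this thread came only from master and tlsmgr. Grant them to postfix_master_t and postfix_tlsmgr_t explicitly instead, and drop getattr until a denial shows it is needed; the posted denials ask only for search. Leaving the broad version in also works against the thread's own conclusion that a dedicated type beats wider access to a generic one.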
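Review bot: in the postfix.te hunk @@ -91,7 +94,8 @@, `allow postfix_master_t postfix_prng_t:file create_file_perms;` cannot by itself produce a postfix_prng_t file: a file master creates inside a postfix_lib_t directory inherits postfix_lib_t from its parent, and the new /var/lib/postfix/prng_exch entry in postfix.fc only takes effect at the next relabel. Either add a type transition (file_type_auto_trans(postfix_master_t, postfix_lib_t, postfix_prng_t) in this policy's macro set) or, if the exchange file is maintained by tlsmgr rather than master, keep the old rw_file_perms here and put the create permission on postfix_tlsmgr_t. `allow postfix_master_t postfix_lib_t:dir rw_dir_perms;` is also wider than the search the posted denials show; a comment saying why master needs to write into /var/lib/postfix would justify it.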
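Review bot: `allow postfix_tlsmgr_t postfix_master_t:tcp_socket rw_stream_socket_perms;` in the postfix.te hunk @@ -114,18 +118,21 @@ looks copied from the smtpd rules above it, but tlsmgr is started by master as a fifo service (which is why the next line grants postfix_private_t:fifo_file) and does not serve TCP connections. If the rule exists because tlsmgr inherits master's listening descriptors, a dontaudit on those descriptors states that more honestly than full read/write on the socket; if a real denial motivated it, quote the denial in a comment. Folding the separate smtp and smtpd random_device_t and postfix_prng_t rules into one line that now includes postfix_tlsmgr_t is fine, but a one-line comment above it noting that tlsmgr shares the PRNG exchange file would document the intent for the next reader.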
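Review bot: in the postfix.fc hunk @@ -2,6 +2,8 @@, `/var/lib/postfix(/.*)?` and `/var/lib/postfix/prng_exch` overlap; the order used here (the specific file entry after the directory glob) is the one that makes setfiles label prng_exch as postfix_prng_t, so a comment saying the two lines must stay in that order protects against a later reorder silently relabelling the file as postfix_lib_t. The existing `/etc/postfix/prng_exch system_u:object_r:postfix_prng_t` line remains correct for installations that keep the default location, so leaving it is right, but it means postfix_master_t keeps access to a writable file under /etc; if the goal stated in the message is a read-only /etc, note that the entry is transitional.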
Thread overview: 7+ messages
2003-06-25 1:49 local policy changes, /var/lib access, syslogd Colin Walters
2003-06-25 3:54 ` Russell Coker
2003-06-25 4:09 ` Colin Walters
2003-06-25 4:22 ` Russell Coker
2003-06-25 5:16 ` Colin Walters
2003-06-25 6:13 ` Russell Coker
2003-06-25 8:49 ` Colin Walters