* screen.te zsh fixes
From: Colin Walters @ 2003-06-28 6:36 UTC (permalink / raw)
To: selinux; +Cc: Russell Coker
Hi,
Similar fixes to screen.te needed for the zsh symlinks. Patch attached.
You know though, I am thinking more and more that we should treat
/etc/alternatives specially for setfiles. We could follow the symlink
and label it with the type of the file it points to. That way we
wouldn't have to add all these special etc_t:{lnk_file} { read }
permissions to various programs that are able to execute bin_t or
whatever.
[-- Attachment #2: screen-te.patch --]
--- /usr/share/selinux/policy/default/macros/program/screen_macros.te Sat May 24 22:07:24 2003
+++ screen_macros.te Sat Jun 28 02:32:23 2003
@@ -63,7 +63,7 @@
allow $1_screen_t proc_t:dir search;
allow $1_screen_t proc_t:lnk_file read;
dontaudit $1_screen_t device_t:chr_file { getattr };
-allow $1_screen_t etc_t:file { read getattr };
+allow $1_screen_t etc_t:{file lnk_file} { read getattr };
allow $1_screen_t self:dir { search read };
allow $1_screen_t self:lnk_file { read };
allow $1_screen_t device_t:dir search;
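Review bot: the new `allow $1_screen_t etc_t:{file lnk_file} { read getattr };` line grants read on every etc_t symlink, not only the /etc/alternatives links the zsh case needs, and nothing in the hunk records why lnk_file was added. Suggest a comment above the line, e.g. `# /etc/alternatives symlinks (zsh) are etc_t lnk_file`, so the rule can be narrowed or dropped once setfiles labels those symlinks by target type as the cover mail proposes.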
@@ -72,6 +72,7 @@
allow $1_screen_t self:unix_stream_socket create_socket_perms;
can_exec($1_screen_t, shell_exec_t)
allow $1_screen_t bin_t:dir search;
+allow $1_screen_t bin_t:lnk_file { read };
dontaudit $1_screen_t file_type:{ chr_file blk_file } getattr;
')
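Review bot: `allow $1_screen_t bin_t:lnk_file { read };` sits right after `can_exec($1_screen_t, shell_exec_t)` and `bin_t:dir search` but is not tied to them; since following the alternatives symlink is a prerequisite of executing the shell, this is the permission the reply suggests folding into the can_exec() macro rather than repeating in every domain that executes bin_t. A comment naming the case (the zsh alternative symlink) would tell a later reader why a read on bin_t symlinks is needed here.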
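Colin's proposal above (label an /etc/alternatives symlink with the type its target would get, instead of etc_t) can be tried out against a file_contexts table before changing setfiles. This is an added Python example, not code from the thread or from the SELinux policy tree; the file_contexts entries, the symlink table and the last-match-wins ordering are assumptions made for the illustration, and only the `\.screenrc` line is taken from the screen.fc patch posted later in the thread.

```python
import posixpath
import re

# Constructed file_contexts excerpt (an assumption, not a real policy); the \.screenrc line is from the screen.fc patch.
FILE_CONTEXTS = r"""
/.*                      system_u:object_r:default_t
/etc(/.*)?               system_u:object_r:etc_t
/bin(/.*)?               system_u:object_r:bin_t
/usr/bin(/.*)?           system_u:object_r:bin_t
/home/[^/]+/\.screenrc   system_u:object_r:user_home_screen_t
"""

# Constructed symlink table standing in for a real /etc/alternatives.
ALTERNATIVES = {
    "/etc/alternatives/zsh": "/bin/zsh",
    "/etc/alternatives/editor": "../../usr/bin/vim",
}

def parse_file_contexts(text):
    """Return (compiled regex, context) pairs in file order."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Whole-path match, as setfiles anchors its regexes.
        specs.append((re.compile("^" + fields[0] + "$"), fields[-1]))
    return specs

def label_for(path, specs):
    """Plain labelling: match the path itself; the last matching spec wins
    (an assumed ordering for this example)."""
    context = None
    for regex, ctx in specs:
        if regex.match(path):
            context = ctx
    return context

def label_following_symlink(path, symlinks, specs):
    """Colin's proposal: an /etc/alternatives symlink takes the context its
    target would get, so a link to /bin/zsh becomes bin_t rather than etc_t."""
    if path.startswith("/etc/alternatives/") and path in symlinks:
        target = symlinks[path]
        if not target.startswith("/"):  # resolve a relative link target
            target = posixpath.join(posixpath.dirname(path), target)
        return label_for(posixpath.normpath(target), specs)
    return label_for(path, specs)
```

With the target's type on the link, a domain that already has `bin_t:lnk_file read` needs no extra `etc_t:lnk_file read` rule to reach the zsh alternative.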
* Re: screen.te zsh fixes
From: Russell Coker @ 2003-06-28 7:41 UTC (permalink / raw)
To: Colin Walters, selinux
On Sat, 28 Jun 2003 16:36, Colin Walters wrote:
> Similar fixes to screen.te needed for the zsh symlinks. Patch attached.
OK, it's in my tree.
> You know though, I am thinking more and more that we should treat
> /etc/alternatives specially for setfiles. We could follow the symlink
> and label it with the type of the file it points to. That way we
> wouldn't have to add all these special etc_t:{lnk_file} { read }
> permissions to various programs that are able to execute bin_t or
> whatever.
So instead of adding "etc_t:lnk_file read" we add "foo_exec_t:lnk_file read"
and "bar_exec_t:lnk_file read" because the domain in question needs to access
executable types foo_exec_t and bar_exec_t.
I guess we could change the can_exec() macro to allow this at the same time.
Another thing I've been thinking about is the handling of /etc/localtime;
it gets regenerated by many scripts with type etc_t. Maybe it would be best
if we use etc_t for /etc/localtime of type symlink and locale_t for a file
type (hard link). Then we can have a macro read_locale() which on Debian
allows reading etc_t:lnk_file (and thus covers /etc/alternatives as a
side effect).
Does Red Hat have something like /etc/alternatives? Or is it only a Debian
thing?
PS This is going to be a bit ugly. Whatever we do to solve this is going to
require a relabel of /etc as part of the upgrade process. But I am coming to
the conclusion that we have got some things wrong in the past and should fix
them.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: screen.te zsh fixes
From: Colin Walters @ 2003-06-28 7:59 UTC (permalink / raw)
To: Russell Coker; +Cc: selinux
On Sat, 2003-06-28 at 03:41, Russell Coker wrote:
> On Sat, 28 Jun 2003 16:36, Colin Walters wrote:
> > Similar fixes to screen.te needed for the zsh symlinks. Patch attached.
>
> OK, it's in my tree.
Cool. Actually I discovered some things in further usage. First of all
I have a ~/.screenrc that I really need to use; the default ^a screen
keybinding sucks for emacs :) So I created a new type $1_home_screen_t
much like $1_home_ssh_t.
Also apparently screen does stuff with pipes and dgram sockets. And
there are the usual locale things.
Updated patch to both macros/program/screen_macros.te and
file_contexts/program/screen.fc attached. This patch supersedes the
previous one.
> So instead of adding "etc_t:lnk_file read" we add "foo_exec_t:lnk_file read"
> and "bar_exec_t:lnk_file read" because the domain in question needs to access
> executable types foo_exec_t and bar_exec_t.
>
> I guess we could change the can_exec() macro to allow this at the same time.
Right.
> Another thing I've been thinking about is the handling of /etc/localtime;
> it gets regenerated by many scripts with type etc_t. Maybe it would be best
> if we use etc_t for /etc/localtime of type symlink and locale_t for a file
> type (hard link). Then we can have a macro read_locale() which on Debian
> allows reading etc_t:lnk_file (and thus covers /etc/alternatives as a
> side effect).
That makes sense to me. I am running into the locale issue a lot.
> Does Red Hat have something like /etc/alternatives? Or is it only a Debian
> thing?
I think I heard that they adopted the idea, although not the specific
Debian implementation. Hopefully a Red Hat person here can speak up.
> PS This is going to be a bit ugly. Whatever we do to solve this is going to
> require a relabel of /etc as part of the upgrade process. But I am coming to
> the conclusion that we have got some things wrong in the past and should fix
> them.
Yeah. But as long as we provide a transition document of some sort, I
think it should be ok...
[-- Attachment #2: screen-te-2.patch --]
--- /usr/share/selinux/policy/default/macros/program/screen_macros.te Sat May 24 22:07:24 2003
+++ screen_macros.te Sat Jun 28 03:48:45 2003
@@ -22,6 +22,7 @@
define(`screen_domain',`
# Derived domain based on the calling user domain and the program.
type $1_screen_t, domain, privlog, auth, privfd;
+type $1_home_screen_t, file_type, sysadmfile;
allow $1_screen_t shadow_t:file { read getattr };
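Review bot: the new `type $1_home_screen_t, file_type, sysadmfile;` declaration carries no comment saying what it labels (the per-user ~/.screenrc, by analogy with $1_home_ssh_t), and because it is parameterised on $1 while the accompanying screen.fc entry only labels user_home_screen_t, a .screenrc belonging to any other user domain gets no matching type. Suggest a one-line comment above the declaration noting both the purpose and that limitation.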
@@ -39,6 +40,10 @@
# Inherit and use descriptors from gnome-pty-helper.
ifdef(`gnome-pty-helper.te', `allow $1_screen_t $1_gph_t:fd use;')
+allow $1_screen_t $1_home_screen_t:{file lnk_file} r_file_perms;
+allow $1_t $1_home_screen_t:{file lnk_file} create_file_perms;
+allow $1_t $1_home_screen_t:{file lnk_file} { relabelfrom relabelto };
+
allow $1_screen_t privfd:fd use;
# Write to utmp.
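Review bot: the three added lines give $1_t create_file_perms plus relabelfrom/relabelto on $1_home_screen_t but add no type transition, so a ~/.screenrc the user writes will keep the home directory's default type until it is relabelled, either by setfiles or by the user under the relabel permissions granted here; a comment stating that the relabel line exists for that reason would stop the next reader from taking it as redundant. Giving the screen domain only r_file_perms on the file is right for a config file screen should not be able to modify.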
@@ -63,15 +68,22 @@
allow $1_screen_t proc_t:dir search;
allow $1_screen_t proc_t:lnk_file read;
dontaudit $1_screen_t device_t:chr_file { getattr };
-allow $1_screen_t etc_t:file { read getattr };
+allow $1_screen_t etc_t:{file lnk_file} { read getattr };
allow $1_screen_t self:dir { search read };
allow $1_screen_t self:lnk_file { read };
allow $1_screen_t device_t:dir search;
allow $1_screen_t { home_root_t $1_home_dir_t }:dir search;
+# Internal screen networking
+allow $1_screen_t self:fd *;
allow $1_screen_t self:unix_stream_socket create_socket_perms;
+allow $1_screen_t self:unix_dgram_socket create_socket_perms;
+
can_exec($1_screen_t, shell_exec_t)
allow $1_screen_t bin_t:dir search;
+allow $1_screen_t bin_t:lnk_file { read };
+allow $1_screen_t locale_t:dir r_dir_perms;
+allow $1_screen_t locale_t:{file lnk_file} r_file_perms;
dontaudit $1_screen_t file_type:{ chr_file blk_file } getattr;
')
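Review bot: `allow $1_screen_t self:fd *;` uses the wildcard even though the fd class has only the `use` permission, so `self:fd use` states the same thing explicitly and will not silently widen if the class ever gains permissions; the `# Internal screen networking` comment also sits above that fd line rather than the unix_dgram_socket rule it describes. The cover mail says screen "does stuff with pipes", yet no pipe (fifo_file) rule appears in this hunk; if the existing policy does not already cover it, that will surface as a denial.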
[-- Attachment #3: screen-fc.patch --]
--- /usr/share/selinux/policy/default/file_contexts/program/screen.fc Sat May 24 22:07:24 2003
+++ screen.fc Sat Jun 28 03:57:39 2003
@@ -1,2 +1,3 @@
-# su
+# screen
/usr/bin/screen system_u:object_r:screen_exec_t
+/home/[^/]+/\.screenrc system_u:object_r:user_home_screen_t
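Review bot: `/home/[^/]+/\.screenrc system_u:object_r:user_home_screen_t` hard-codes both the `user_` prefix and the /home location, while the macro declares $1_home_screen_t per user domain, so only the user domain with a home directory under /home is covered; if this tree has an existing pattern for the per-user ssh files, reusing it here would keep the two consistent. The `# su` to `# screen` correction of the stale header comment is welcome.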
* Re: screen.te zsh fixes
From: Bart Mallio @ 2003-06-28 12:56 UTC (permalink / raw)
To: Colin Walters; +Cc: Russell Coker, selinux
On 28 Jun 2003, Colin Walters wrote:
> > Does Red Hat have something like /etc/alternatives? Or is it only a Debian
> > thing?
>
> I think I heard that they adopted the idea, although not the specific
> Debian implementation. Hopefully a Red Hat person here can speak up.
It does, actually. On my vanilla install of RH 9, it's got 21 links
bridging mta stuff to sendmail, and lp stuff to cups. RH's man pages
claim that their "alternatives" is "a reimplementation of the Debian
alternatives system...primarily to remove the dependency on perl."
Let me know if there's any RH-generic config stuff (copies of man pages,
settings, etc.) I can pass on.
Best,
-Bart
* Re: screen.te zsh fixes
From: Russell Coker @ 2003-06-29 4:38 UTC (permalink / raw)
To: Colin Walters; +Cc: selinux
On Sat, 28 Jun 2003 17:59, Colin Walters wrote:
> Cool. Actually I discovered some things in further usage. First of all
> I have a ~/.screenrc that I really need to use; the default ^a screen
> keybinding sucks for emacs :) So I created a new type $1_home_screen_t
> much like $1_home_ssh_t.
> Also apparently screen does stuff with pipes and dgram sockets. And
> there are the usual locale things.
> Updated patch to both macros/program/screen_macros.te and
> file_contexts/program/screen.fc attached. This patch supersedes the
> previous one.
OK, that's in my tree too.
> > So instead of adding "etc_t:lnk_file read" we add "foo_exec_t:lnk_file
> > read" and "bar_exec_t:lnk_file read" because the domain in question needs
> > to access executable types foo_exec_t and bar_exec_t.
> >
> > I guess we could change the can_exec() macro to allow this at the same
> > time.
>
> Right.
I'm holding off on this one at the moment. I'm not sure that there's enough
benefit to justify the effort right now.
> > Another thing I've been thinking about is the handling of
> > /etc/localtime; it gets regenerated by many scripts with type etc_t.
> > Maybe it would be best if we use etc_t for /etc/localtime of type symlink
> > and locale_t for a file type (hard link). Then we can have a macro
> > read_locale() which on Debian allows reading etc_t:lnk_file (and thus
> > covers /etc/alternatives as a side effect).
>
> That makes sense to me. I am running into the locale issue a lot.
OK, that's in my tree now.