From: Colin Walters <walters@verbum.org>
To: Russell Coker <russell@coker.com.au>
Cc: selinux@tycho.nsa.gov
Subject: Re: screen.te zsh fixes
Date: 28 Jun 2003 03:59:34 -0400
Message-ID: <1056787174.14920.94.camel@columbia>
In-Reply-To: <200306281741.05471.russell@coker.com.au>

[-- Attachment #1: Type: text/plain, Size: 2039 bytes --]

On Sat, 2003-06-28 at 03:41, Russell Coker wrote:
> On Sat, 28 Jun 2003 16:36, Colin Walters wrote:
> > Similar fixes to screen.te needed for the zsh symlinks.  Patch attached.
> 
> OK, it's in my tree.

Cool.  Actually I discovered some things in further usage.  First of all
I have a ~/.screenrc that I really need to use; the default ^a screen
keybinding sucks for emacs :)  So I created a new type $1_home_screen_t
much like $1_home_ssh_t.
Also apparently screen does stuff with pipes and dgram sockets.  And
there are the usual locale things.
Updated patch to both macros/program/screen_macros.te and
file_contexts/program/screen.fc attached.  This patch supersedes the
previous one.

> So instead of adding "etc_t:lnk_file read" we add "foo_exec_t:lnk_file read" 
> and "bar_exec_t:lnk_file read" because the domain in question needs to access 
> executable types foo_exec_t and bar_exec_t.
> 
> I guess we could change the can_exec() macro to allow this at the same time.

Right.

> Another thing I've been thinking about is the handling of the /etc/localtime, 
> it gets regenerated by many scripts with type etc_t.  Maybe it would be best 
> if we use etc_t for /etc/localtime of type symlink and locale_t for a file 
> type (hard link).  Then we can have a macro read_locale() which on Debian 
> allows reading etc_t:lnk_file (and thus covers /etc/alternatives as a 
> side-effect).

That makes sense to me.  I am running into the locale issue a lot.

> Does Red Hat have something like /etc/alternatives?  Or is it only a Debian 
> thing?

I think I heard that they adopted the idea, although not the specific
Debian implementation.  Hopefully a Red Hat person here can speak up.

> PS  This is going to be a bit ugly.  Whatever we do to solve this is going to 
> require a relabel of /etc as part of the upgrade process.  But I am coming to 
> the conclusion that we have got some things wrong in the past and should fix 
> them.

Yeah.  But as long as we provide a transition document of some sort, I
think it should be ok...

[-- Attachment #2: screen-te-2.patch --]
[-- Type: text/plain, Size: 1782 bytes --]

--- /usr/share/selinux/policy/default/macros/program/screen_macros.te	Sat May 24 22:07:24 2003
+++ screen_macros.te	Sat Jun 28 03:48:45 2003
@@ -22,6 +22,7 @@
 define(`screen_domain',`
 # Derived domain based on the calling user domain and the program.
 type $1_screen_t, domain, privlog, auth, privfd;
+type $1_home_screen_t, file_type, sysadmfile;
 
 allow $1_screen_t shadow_t:file { read getattr };
 
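Review bot: the new `type $1_home_screen_t, file_type, sysadmfile;` line has no comment saying what it labels, while the comment two lines up describes only `$1_screen_t`; add a one-line comment next to it (for example `# Type for the caller's ~/.screenrc.`) so a reader of screen_macros.te does not have to consult the .fc file. The cover text says the type is modelled on `$1_home_ssh_t`; if that declaration in this tree carries any attribute beyond `file_type, sysadmfile` (the hunk does not show it), match it, so that whatever the policy does for other home-directory file types (sysadm relabelling, backup) covers .screenrc the same way.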
@@ -39,6 +40,10 @@
 # Inherit and use descriptors from gnome-pty-helper.
 ifdef(`gnome-pty-helper.te', `allow $1_screen_t $1_gph_t:fd use;')
 
+allow $1_screen_t $1_home_screen_t:{file lnk_file} r_file_perms;
+allow $1_t $1_home_screen_t:{file lnk_file} create_file_perms;
+allow $1_t $1_home_screen_t:{file lnk_file} { relabelfrom relabelto };
+
 allow $1_screen_t privfd:fd use;
 
 # Write to utmp.
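Review bot: nothing in this hunk makes a freshly written ~/.screenrc get the `$1_home_screen_t` label. `$1_t` is granted `create_file_perms` and `{ relabelfrom relabelto }` on the new type, but a file the user creates in the home directory inherits the home directory's type, and `$1_screen_t` is given no rule to read that type, so screen cannot read the config the cover text says it needs until the file is relabelled by hand (chcon, or setfiles with the new screen.fc entry). State that relabel step in the commit text or the transition notes. Minor: `relabelfrom` on `$1_home_screen_t` only does anything if `$1_t` also has `relabelto` on the type it relabels back to, which this hunk assumes is granted elsewhere for the user's own home types; worth confirming.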
@@ -63,15 +68,22 @@
 allow $1_screen_t proc_t:dir search;
 allow $1_screen_t proc_t:lnk_file read;
 dontaudit $1_screen_t device_t:chr_file { getattr };
-allow $1_screen_t etc_t:file { read getattr };
+allow $1_screen_t etc_t:{file lnk_file} { read getattr };
 allow $1_screen_t self:dir { search read };
 allow $1_screen_t self:lnk_file { read };
 allow $1_screen_t device_t:dir search;
 allow $1_screen_t { home_root_t $1_home_dir_t }:dir search;
 
+# Internal screen networking
+allow $1_screen_t self:fd *;
 allow $1_screen_t self:unix_stream_socket create_socket_perms;
+allow $1_screen_t self:unix_dgram_socket create_socket_perms;
+
 can_exec($1_screen_t, shell_exec_t)
 allow $1_screen_t bin_t:dir search;
+allow $1_screen_t bin_t:lnk_file { read };
+allow $1_screen_t locale_t:dir r_dir_perms;
+allow $1_screen_t locale_t:{file lnk_file} r_file_perms;
 
 dontaudit $1_screen_t file_type:{ chr_file blk_file } getattr;
 ')
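Review bot: the `-allow $1_screen_t etc_t:file { read getattr };` / `+allow $1_screen_t etc_t:{file lnk_file} { read getattr };` change is exactly the rule the quoted discussion above argues against: Russell proposes `foo_exec_t:lnk_file read` on the specific executable types (or a shared `read_locale()` macro for /etc/localtime and the /etc/alternatives links) instead of `etc_t:lnk_file read` in each domain, and the reply agrees with "Right.", yet the hunk still grants lnk_file read on all of etc_t. If the symlink screen follows is /etc/localtime or an alternatives link, this should wait for the macro, or be narrowed to the type actually needed. Two smaller points: `allow $1_screen_t self:fd *;` grants every permission in the fd class where the rest of the file spells out `fd use`, so write `self:fd use` for consistency; and the `# Internal screen networking` comment sits above that fd rule although it describes the two `unix_*_socket` rules after it.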

[-- Attachment #3: screen-fc.patch --]
[-- Type: text/plain, Size: 286 bytes --]

--- /usr/share/selinux/policy/default/file_contexts/program/screen.fc	Sat May 24 22:07:24 2003
+++ screen.fc	Sat Jun 28 03:57:39 2003
@@ -1,2 +1,3 @@
-# su
+# screen
 /usr/bin/screen			system_u:object_r:screen_exec_t
+/home/[^/]+/\.screenrc		system_u:object_r:user_home_screen_t
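Review bot: the new entry hard-codes `user_home_screen_t`, but the type is declared inside `screen_domain()` as `$1_home_screen_t`, so only the `user` instantiation is ever matched; a ~/.screenrc belonging to a login that runs in any other user domain this macro is instantiated for is labelled with a type that domain cannot read. Follow whatever convention the existing home-directory entries (the `$1_home_ssh_t` ones the cover text cites) use for the role prefix. The regexp also only covers /home/<name>/, so a ~/.screenrc under /root is left unlabelled; if that case matters, add a second entry. The `# su` to `# screen` header fix is correct.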

Thread overview:
2003-06-28  6:36 screen.te zsh fixes Colin Walters
2003-06-28  7:41 ` Russell Coker
2003-06-28  7:59   ` Colin Walters [this message]
2003-06-28 12:56     ` Bart Mallio
2003-06-29  4:38     ` Russell Coker
