Received: from jazzband.ncsc.mil (jazzband.ncsc.mil [144.51.5.4]) by tycho.ncsc.mil (8.12.8/8.12.8) with ESMTP id h5S7xk0S017954 for ; Sat, 28 Jun 2003 03:59:46 -0400 (EDT)
Received: from jazzband.ncsc.mil (localhost [127.0.0.1]) by jazzband.ncsc.mil with ESMTP id h5S7xj5e021741 for ; Sat, 28 Jun 2003 07:59:45 GMT
Received: from monk.verbum.org (monk.debian.net [216.226.142.128]) by jazzband.ncsc.mil with ESMTP id h5S7xj92021738 for ; Sat, 28 Jun 2003 07:59:45 GMT
Subject: Re: screen.te zsh fixes
From: Colin Walters
To: Russell Coker
Cc: selinux@tycho.nsa.gov
In-Reply-To: <200306281741.05471.russell@coker.com.au>
References: <1056782197.14920.85.camel@columbia> <200306281741.05471.russell@coker.com.au>
Message-Id: <1056787174.14920.94.camel@columbia>
Date: 28 Jun 2003 03:59:34 -0400
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

On Sat, 2003-06-28 at 03:41, Russell Coker wrote:
> On Sat, 28 Jun 2003 16:36, Colin Walters wrote:
> > Similar fixes to screen.te needed for the zsh symlinks. Patch attached.
>
> OK, it's in my tree.

Cool. Actually I discovered some things in further usage. First of all I have a ~/.screenrc that I really need to use; the default ^a screen keybinding sucks for emacs :) So I created a new type $1_home_screen_t much like $1_home_ssh_t.

Also apparently screen does stuff with pipes and dgram sockets. And there are the usual locale things.

Updated patch to both macros/program/screen_macros.te and file_contexts/program/screen.fc attached. This patch supersedes the previous one.

> So instead of adding "etc_t:lnk_file read" we add "foo_exec_t:lnk_file read"
> and "bar_exec_t:lnk_file read" because the domain in question needs to access
> executable types foo_exec_t and bar_exec_t.
>
> I guess we could change the can_exec() macro to allow this at the same time.

Right.

> Another thing I've been thinking about is the handling of the /etc/localtime,
> it gets regenerated by many scripts with type etc_t. Maybe it would be best
> if we use etc_t for /etc/localtime of type symlink and locale_t for a file
> type (hard link). Then we can have a macro read_locale() which on Debian
> allows reading etc_t:lnk_file (and thus covers /etc/alternatives as a
> side-effect).

That makes sense to me. I am running into the locale issue a lot.
> Does Red Hat have something like /etc/alternatives? Or is it only a Debian
> thing?

I think I heard that they adopted the idea, although not the specific Debian implementation. Hopefully a Red Hat person here can speak up.

> PS This is going to be a bit ugly. Whatever we do to solve this is going to
> require a relabel of /etc as part of the upgrade process. But I am coming to
> the conclusion that we have got some things wrong in the past and should fix
> them.

Yeah. But as long as we provide a transition document of some sort, I think it should be ok...

Content-Disposition: attachment; filename=screen-te-2.patch

--- /usr/share/selinux/policy/default/macros/program/screen_macros.te Sat May 24 22:07:24 2003
+++ screen_macros.te Sat Jun 28 03:48:45 2003
@@ -22,6 +22,7 @@
 define(`screen_domain',`
 # Derived domain based on the calling user domain and the program.
 type $1_screen_t, domain, privlog, auth, privfd;
+type $1_home_screen_t, file_type, sysadmfile;
 
 allow $1_screen_t shadow_t:file { read getattr };
 
@@ -39,6 +40,10 @@
 # Inherit and use descriptors from gnome-pty-helper.
 ifdef(`gnome-pty-helper.te', `allow $1_screen_t $1_gph_t:fd use;')
 
+allow $1_screen_t $1_home_screen_t:{file lnk_file} r_file_perms;
+allow $1_t $1_home_screen_t:{file lnk_file} create_file_perms;
+allow $1_t $1_home_screen_t:{file lnk_file} { relabelfrom relabelto };
+
 allow $1_screen_t privfd:fd use;
 
 # Write to utmp.
@@ -63,15 +68,22 @@
 allow $1_screen_t proc_t:dir search;
 allow $1_screen_t proc_t:lnk_file read;
 dontaudit $1_screen_t device_t:chr_file { getattr };
-allow $1_screen_t etc_t:file { read getattr };
+allow $1_screen_t etc_t:{file lnk_file} { read getattr };
 allow $1_screen_t self:dir { search read };
 allow $1_screen_t self:lnk_file { read };
 allow $1_screen_t device_t:dir search;
 allow $1_screen_t { home_root_t $1_home_dir_t }:dir search;
 
+# Internal screen networking
+allow $1_screen_t self:fd *;
 allow $1_screen_t self:unix_stream_socket create_socket_perms;
+allow $1_screen_t self:unix_dgram_socket create_socket_perms;
+
 can_exec($1_screen_t, shell_exec_t)
 allow $1_screen_t bin_t:dir search;
+allow $1_screen_t bin_t:lnk_file { read };
+allow $1_screen_t locale_t:dir r_dir_perms;
+allow $1_screen_t locale_t:{file lnk_file} r_file_perms;
 
 dontaudit $1_screen_t file_type:{ chr_file blk_file } getattr;
 ')

Content-Disposition: attachment; filename=screen-fc.patch

--- /usr/share/selinux/policy/default/file_contexts/program/screen.fc Sat May 24 22:07:24 2003
+++ screen.fc Sat Jun 28 03:57:39 2003
@@ -1,2 +1,3 @@
-# su
+# screen
 /usr/bin/screen system_u:object_r:screen_exec_t
+/home/[^/]+/\.screenrc system_u:object_r:user_home_screen_t
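Review bot: in the first screen_macros.te hunk the new line "type $1_home_screen_t, file_type, sysadmfile;" carries no comment saying what it labels, unlike the $1_screen_t declaration just above it; add a one-liner such as "# Type for the user's ~/.screenrc (modelled on $1_home_ssh_t)." so readers of the macro do not have to find this mail. Also worth a comment: because the type is declared inside screen_domain, every invocation (user, staff, sysadm) creates its own variant, which the file_contexts entry has to match.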
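Review bot: in the second screen_macros.te hunk, granting $1_t relabelfrom and relabelto on $1_home_screen_t is not sufficient on its own for the user to relabel a freshly created ~/.screenrc: no type_transition is added, so the file is created with the home directory's default type, and $1_t also needs relabelfrom on that source type before chcon to $1_home_screen_t can succeed. Confirm the user macro already grants this (as it must for $1_home_ssh_t) or state the dependency in a comment next to these three lines.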
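Review bot: the third screen_macros.te hunk adds "allow $1_screen_t etc_t:{file lnk_file} { read getattr };" unconditionally, while the discussion quoted in this mail argues for putting etc_t:lnk_file read behind a read_locale() macro (or per-exec-type lnk_file rules) instead of granting it domain by domain; if that route is taken, this line should become a read_locale($1_screen_t) call so it need not be revisited during the /etc relabel. Separately, "allow $1_screen_t self:fd *;" should name the permission (use), matching the "privfd:fd use" line below it, and the "# Internal screen networking" comment now sits above the fd rule rather than the unix_stream_socket and unix_dgram_socket rules it describes.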
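Review bot: the screen.fc hunk hardcodes user_home_screen_t for every /home/[^/]+/\.screenrc, but screen_macros.te declares the type per user domain as $1_home_screen_t; a staff or sysadm user's ~/.screenrc therefore receives a label that their own screen domain has no read rule for, and the relabel permissions from the second hunk do not cover it either. Either follow whatever the policy already does for the $1_home_ssh_t file_contexts entry, or comment that only the user_t domain is expected to use this path. The "# su" to "# screen" comment fix is correct.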