* more policy patches
@ 2004-08-24 9:37 Russell Coker
2004-08-27 21:05 ` James Carter
From: Russell Coker @ 2004-08-24 9:37 UTC (permalink / raw)
To: SE Linux
[-- Attachment #1: Type: text/plain, Size: 1004 bytes --]
The attached patch removes some more bogus access to devpts_t:chr_file.
prelink_t is not permitted to create sym-links of type bin_t or lib_t, so it
makes no sense to allow it to unlink them AFAIK. If for some strange reason
this is not a silly thing to do then we need a comment in the policy to
explain it.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=120620
The above URL shows the resolution to the allow procmail_t mqueue_spool_t
issue. The user had stuffed up their procmail configuration. It is quite
fortunate for them that SE Linux revealed this error to them and allowed them
to fix it.
Added a dontaudit in rpcd.te to stop "ls -l /etc" filling the logs with
entries about exports_t.
Removed can_exec_any from xdm.te.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
[-- Attachment #2: diff2 --]
[-- Type: text/x-diff, Size: 9762 bytes --]
diff -ru /usr/src/se/policy/domains/program/unused/ntpd.te ./domains/program/unused/ntpd.te
--- /usr/src/se/policy/domains/program/unused/ntpd.te 2004-08-19 17:10:36.000000000 +1000
+++ ./domains/program/unused/ntpd.te 2004-08-05 13:40:26.000000000 +1000
@@ -66,5 +66,3 @@
can_udp_send(ntpd_t, sysadm_t)
can_udp_send(sysadm_t, ntpd_t)
can_udp_send(ntpd_t, ntpd_t)
-
-dontaudit ntpd_t devpts_t:chr_file { read write };
diff -ru /usr/src/se/policy/domains/program/unused/portmap.te ./domains/program/unused/portmap.te
--- /usr/src/se/policy/domains/program/unused/portmap.te 2004-08-06 19:08:12.000000000 +1000
+++ ./domains/program/unused/portmap.te 2004-02-18 05:36:51.000000000 +1100
@@ -52,5 +52,3 @@
# do not log when it tries to bind to a port belonging to another domain
#dontaudit portmap_t port_type:{ tcp_socket udp_socket } name_bind;
-dontaudit portmap_t devpts_t:chr_file { read write };
-
diff -ru /usr/src/se/policy/domains/program/unused/prelink.te ./domains/program/unused/prelink.te
--- /usr/src/se/policy/domains/program/unused/prelink.te 2004-07-08 13:09:34.000000000 +1000
+++ ./domains/program/unused/prelink.te 2004-06-17 03:07:47.000000000 +1000
@@ -30,8 +30,6 @@
allow prelink_t file_type:lnk_file r_file_perms;
allow prelink_t file_type:file getattr;
allow prelink_t { ifdef(`amanda.te', `amanda_usr_lib_t') admin_passwd_exec_t ifdef(`apache.te', `httpd_modules_t') ifdef(`xserver.te', `var_lib_xkb_t') ld_so_t su_exec_t shlib_t sbin_t bin_t lib_t exec_type }:file { create_file_perms execute relabelto relabelfrom };
-allow prelink_t { bin_t lib_t }:lnk_file { unlink };
-
allow prelink_t ld_so_t:file execute_no_trans;
allow prelink_t self:capability { chown dac_override fowner fsetid };
diff -ru /usr/src/se/policy/domains/program/unused/procmail.te ./domains/program/unused/procmail.te
--- /usr/src/se/policy/domains/program/unused/procmail.te 2004-07-08 13:09:34.000000000 +1000
+++ ./domains/program/unused/procmail.te 2004-05-05 05:07:47.000000000 +1000
@@ -71,4 +71,3 @@
ifdef(`sendmail.te', `
r_dir_file(procmail_t, etc_mail_t)
')
-allow procmail_t mqueue_spool_t:file { getattr read };
diff -ru /usr/src/se/policy/domains/program/unused/rpcd.te ./domains/program/unused/rpcd.te
--- /usr/src/se/policy/domains/program/unused/rpcd.te 2004-08-21 13:19:07.000000000 +1000
+++ ./domains/program/unused/rpcd.te 2004-08-21 13:22:58.000000000 +1000
@@ -24,6 +24,7 @@
')
type exports_t, file_type, sysadmfile;
+dontaudit userdomain exports_t:file getattr;
# rpcd_t is the domain of rpc daemons.
# rpcd_exec_t is the type of rpc daemon programs.
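Review bot: The new `dontaudit userdomain exports_t:file getattr;` carries no comment, so the reason given in the mail (`ls -l /etc` filling the logs) is lost once the patch is merged. A line above it such as `# ls -l /etc stats /etc/exports; silence the getattr rather than allow it, user domains need no access to the exports file` would keep the rationale with the rule. Because the target is the whole userdomain attribute (presumably every user login domain), the rule also hides any deliberate attempt by a user domain to stat that file; that is probably acceptable for a getattr on a non-secret config file, but the comment should say so.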
diff -ru /usr/src/se/policy/domains/program/unused/rpm.te ./domains/program/unused/rpm.te
--- /usr/src/se/policy/domains/program/unused/rpm.te 2004-08-19 17:10:36.000000000 +1000
+++ ./domains/program/unused/rpm.te 2004-08-23 17:32:01.000000000 +1000
@@ -145,7 +144,7 @@
can_exec_any(rpm_script_t)
# Capabilties needed by rpm scripts utils
-allow rpm_script_t self:capability { chown dac_override fowner fsetid setgid setuid ipc_lock sys_chroot mknod };
+allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot mknod };
# ideally we would not need this
allow rpm_script_t { file_type - shadow_t }:dir create_dir_perms;
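Review bot: `dac_read_search` is added to the rpm_script_t capability set on the `+allow rpm_script_t self:capability` line without any note of which scriptlet needed it; the header `# Capabilties needed by rpm scripts utils` is generic (and misspells "Capabilities"). Since `dac_override` is already in the set and, as far as I recall, the kernel's permission check consults it before `dac_read_search`, the new bit may be redundant unless a specific code path asks for `dac_read_search` directly; if a denial prompted this, recording it in a comment such as `# dac_read_search: needed by <scriptlet or denial — fill in>` would let a later reviewer decide whether it can be dropped.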
diff -ru /usr/src/se/policy/domains/program/unused/xdm.te ./domains/program/unused/xdm.te
--- /usr/src/se/policy/domains/program/unused/xdm.te 2004-08-19 17:10:37.000000000 +1000
+++ ./domains/program/unused/xdm.te 2004-07-08 16:05:36.000000000 +1000
@@ -106,7 +104,15 @@
allow xdm_xserver_t xdm_tmp_t:sock_file create_file_perms;
# Run helper programs.
-can_exec_any(xdm_t)
+allow xdm_t etc_t:file { getattr read };
+allow xdm_t bin_t:dir { getattr search };
+# lib_t is for running cpp
+can_exec(xdm_t, { shell_exec_t etc_t bin_t sbin_t lib_t })
+allow xdm_t { bin_t sbin_t }:lnk_file read;
+ifdef(`hostname.te', `can_exec(xdm_t, hostname_exec_t)')
+ifdef(`loadkeys.te', `can_exec(xdm_t, loadkeys_exec_t)')
+allow xdm_t xdm_xserver_t:process sigkill;
+allow xdm_t xdm_xserver_tmp_t:file unlink;
# Access devices.
allow xdm_t device_t:dir { read search };
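Review bot: The replacement of `can_exec_any(xdm_t)` explains only the lib_t entry; `can_exec(xdm_t, { shell_exec_t etc_t bin_t sbin_t lib_t })` also lets xdm_t execute etc_t files, which is the broadest of the new grants and should say what it is for (presumably the Xsetup/Xsession/Xstartup scripts under /etc/X11 — confirm). The last two added lines, `allow xdm_t xdm_xserver_t:process sigkill;` and `allow xdm_t xdm_xserver_tmp_t:file unlink;`, are not about running helpers yet sit under the `# Run helper programs.` comment; placing them under their own comment, e.g. `# Kill the X server and remove its temp files at session end`, keeps the section accurate. A one-line comment per execute target would make this tightening easier to review than the single combined can_exec.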
diff -ru /usr/src/se/policy/domains/program/unused/xprint.te ./domains/program/unused/xprint.te
--- /usr/src/se/policy/domains/program/unused/xprint.te 2004-06-17 15:10:41.000000000 +1000
+++ ./domains/program/unused/xprint.te 2004-08-18 22:38:19.000000000 +1000
@@ -15,6 +15,7 @@
allow initrc_t readable_t:dir r_dir_perms;
allow initrc_t fonts_t:dir r_dir_perms;
+allow xprint_t var_lib_t:dir search;
allow xprint_t fonts_t:dir r_dir_perms;
allow xprint_t fonts_t:file { getattr read };
@@ -22,7 +23,7 @@
can_exec(xprint_t, { bin_t sbin_t ls_exec_t shell_exec_t })
allow xprint_t bin_t:lnk_file { getattr read };
-allow xprint_t tmp_t:dir search;
+allow xprint_t tmp_t:dir { getattr search };
ifdef(`xdm.te', `
allow xprint_t xdm_xserver_tmp_t:dir rw_dir_perms;
allow xprint_t xdm_xserver_tmp_t:sock_file create_file_perms;
diff -ru /usr/src/se/policy/file_contexts/program/fsadm.fc ./file_contexts/program/fsadm.fc
--- /usr/src/se/policy/file_contexts/program/fsadm.fc 2004-03-27 00:46:44.000000000 +1100
+++ ./file_contexts/program/fsadm.fc 2004-08-18 15:36:04.000000000 +1000
@@ -26,6 +26,7 @@
/sbin/blockdev -- system_u:object_r:fsadm_exec_t
/sbin/losetup.* -- system_u:object_r:fsadm_exec_t
/sbin/jfs_.* -- system_u:object_r:fsadm_exec_t
+/sbin/lsraid -- system_u:object_r:fsadm_exec_t
/usr/sbin/smartctl -- system_u:object_r:fsadm_exec_t
/sbin/install-mbr -- system_u:object_r:fsadm_exec_t
/usr/bin/scsi_unique_id -- system_u:object_r:fsadm_exec_t
diff -ru /usr/src/se/policy/file_contexts/program/initrc.fc ./file_contexts/program/initrc.fc
--- /usr/src/se/policy/file_contexts/program/initrc.fc 2004-07-15 10:22:53.000000000 +1000
+++ ./file_contexts/program/initrc.fc 2004-07-08 21:22:51.000000000 +1000
@@ -16,5 +16,3 @@
/usr/sbin/open_init_pty -- system_u:object_r:initrc_exec_t
/etc/nologin.* -- system_u:object_r:etc_runtime_t
/etc/nohotplug -- system_u:object_r:etc_runtime_t
-/halt -- system_u:object_r:etc_runtime_t
-/\.autofsck -- system_u:object_r:etc_runtime_t
diff -ru /usr/src/se/policy/file_contexts/program/mailman.fc ./file_contexts/program/mailman.fc
--- /usr/src/se/policy/file_contexts/program/mailman.fc 2004-08-24 16:01:27.000000000 +1000
+++ ./file_contexts/program/mailman.fc 2004-08-21 13:22:58.000000000 +1000
@@ -4,6 +4,7 @@
/usr/lib/cgi-bin/mailman/.* -- system_u:object_r:mailman_cgi_exec_t
/usr/lib/mailman/cron/.* -- system_u:object_r:mailman_queue_exec_t
/usr/lib/mailman/mail/wrapper -- system_u:object_r:mailman_mail_exec_t
+/usr/lib/mailman/bin/mailmanctl -- system_u:object_r:mailman_mail_exec_t
/usr/mailman/mail/wrapper -- system_u:object_r:mailman_mail_exec_t
/var/lib/mailman(/.*)? system_u:object_r:mailman_data_t
/var/lib/mailman/archives(/.*)? system_u:object_r:mailman_archive_t
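Review bot: `/usr/lib/mailman/bin/mailmanctl` is labelled mailman_mail_exec_t, the type of the mail delivery wrapper, but mailmanctl starts and stops the qrunner daemons, which this file otherwise associates with mailman_queue_exec_t (`/usr/lib/mailman/cron/.*`). Unless the delivery domain is meant to run the daemons, mailman_queue_exec_t looks like the closer match; if mailman_mail_exec_t is deliberate, a comment on the line should say which domain transition it is intended to produce. I can only infer the domain layout from the labels visible here, so this is a question rather than a definite defect.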
@@ -13,6 +14,8 @@
ifdef(`distro_redhat', `
/var/mailman/cgi-bin/.* -- system_u:object_r:mailman_cgi_exec_t
/var/mailman/data(/.*)? system_u:object_r:mailman_data_t
+/var/mailman/pythonlib(/.*)? system_u:object_r:mailman_data_t
+/var/mailman/Mailman(/.*)? system_u:object_r:mailman_data_t
/var/mailman/locks(/.*)? system_u:object_r:mailman_lock_t
/var/mailman/cron -d system_u:object_r:bin_t
/var/mailman/cron/.+ -- system_u:object_r:mailman_queue_exec_t
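Review bot: `/var/mailman/pythonlib(/.*)?` and `/var/mailman/Mailman(/.*)?` hold Mailman's Python code, yet both are labelled mailman_data_t, the same type this file gives to the writable state under `/var/mailman/data`. If the mailman domains can write mailman_data_t (which its use for data directories suggests — confirm against mailman.te), a compromised or misbehaving mailman process could modify its own code, losing the read-only/writable split that the separate `_exec_t` and `_data_t` types otherwise provide. A read-only type (lib_t, as used elsewhere in the policy, or a dedicated library type) would preserve that separation; failing that, a comment next to the two lines such as `# Python code, not state; only read access is needed` would at least record the choice for the Red Hat layout.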
diff -ru /usr/src/se/policy/file_contexts/program/udev.fc ./file_contexts/program/udev.fc
--- /usr/src/se/policy/file_contexts/program/udev.fc 2004-08-19 17:10:44.000000000 +1000
+++ ./file_contexts/program/udev.fc 2004-08-17 13:24:19.000000000 +1000
@@ -5,5 +5,5 @@
/usr/bin/udevinfo -- system_u:object_r:udev_exec_t
-/etc/dev.d(/.*)? system_u:object_r:udev_helper_exec_t
+/etc/dev\.d(/.*)? system_u:object_r:udev_helper_exec_t
/etc/hotplug.d/default/udev.* system_u:object_r:udev_helper_exec_t
/dev/udev\.tbl -- system_u:object_r:udev_tbl_t
/dev/\.udev\.tdb -- system_u:object_r:udev_tbl_t
diff -ru /usr/src/se/policy/file_contexts/types.fc ./file_contexts/types.fc
--- /usr/src/se/policy/file_contexts/types.fc 2004-08-24 16:01:25.000000000 +1000
+++ ./file_contexts/types.fc 2004-08-10 17:40:15.000000000 +1000
@@ -150,7 +150,6 @@
/u?dev/ida/[^/]* -b system_u:object_r:fixed_disk_device_t
/u?dev/dasd[^/]* -b system_u:object_r:fixed_disk_device_t
/u?dev/flash[^/]* -b system_u:object_r:fixed_disk_device_t
-/u?dev/mdsp.* -c system_u:object_r:fixed_disk_device_t
/u?dev/nb[^/]+ -b system_u:object_r:fixed_disk_device_t
/u?dev/ataraid/.* -b system_u:object_r:fixed_disk_device_t
/u?dev/loop.* -b system_u:object_r:fixed_disk_device_t
diff -ru /usr/src/se/policy/genfs_contexts ./genfs_contexts
--- /usr/src/se/policy/genfs_contexts 2004-07-08 13:09:32.000000000 +1000
+++ ./genfs_contexts 2004-07-06 22:52:53.000000000 +1000
@@ -81,8 +82,8 @@
genfscon ntfs / system_u:object_r:dosfs_t
# samba
-genfscon cifs / system_u:object_r:sambafs_t
-genfscon smbfs / system_u:object_r:sambafs_t
+genfscon cifs / system_u:object_r:cifs_t
+genfscon smbfs / system_u:object_r:cifs_t
# nfs
genfscon nfs / system_u:object_r:nfs_t
diff -ru /usr/src/se/policy/macros/base_user_macros.te ./macros/base_user_macros.te
--- /usr/src/se/policy/macros/base_user_macros.te 2004-08-15 15:45:18.000000000 +1000
+++ ./macros/base_user_macros.te 2004-08-20 15:04:59.000000000 +1000
@@ -190,14 +192,9 @@
# Gnome pannel binds to the following
ifdef(`cups.te', `
-allow $1_t ipp_port_t:tcp_socket { name_bind };
allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file { read getattr };
')
-ifdef(`use_pop', `
-allow $1_t pop_port_t:tcp_socket { name_bind };
-')
-
# for perl
dontaudit $1_t net_conf_t:file ioctl;
* Re: more policy patches
2004-08-24 9:37 more policy patches Russell Coker
@ 2004-08-27 21:05 ` James Carter
2004-08-28 2:04 ` Russell Coker
From: James Carter @ 2004-08-27 21:05 UTC (permalink / raw)
To: russell; +Cc: SELinux
Merged.
In policy/types/file.te, I have made sambafs_t an alias for cifs_t
instead of the other way around.
I also didn't merge the following:
diff -ru /usr/src/se/policy/file_contexts/program/initrc.fc
./file_contexts/program/initrc.fc
--- /usr/src/se/policy/file_contexts/program/initrc.fc 2004-07-15
10:22:53.000000000 +1000
+++ ./file_contexts/program/initrc.fc 2004-07-08 21:22:51.000000000
+1000
@@ -16,5 +16,3 @@
/usr/sbin/open_init_pty -- system_u:object_r:initrc_exec_t
/etc/nologin.* -- system_u:object_r:etc_runtime_t
/etc/nohotplug -- system_u:object_r:etc_runtime_t
-/halt -- system_u:object_r:etc_runtime_t
-/\.autofsck -- system_u:object_r:etc_runtime_t
Why remove these?
On Tue, 2004-08-24 at 05:37, Russell Coker wrote:
> The attached patch removes some more bogus access to devpts_t:chr_file.
>
> prelink_t is not permitted to create sym-links of type bin_t or lib_t, so it
> makes no sense to allow it to unlink them AFAIK. If for some strange reason
> this is not a silly thing to do then we need a comment in the policy to
> explain it.
>
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=120620
> The above URL shows the resolution to the allow procmail_t mqueue_spool_t
> issue. The user had stuffed up their procmail configuration. It is quite
> fortunate for them that SE Linux revealed this error to them and allowed them
> to fix it.
>
> Added a dontaudit in rpcd.te to stop "ls -l /etc" filling the logs with
> entries about exports_t.
>
> Removed can_exec_any from xdm.te.
--
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency
* Re: more policy patches
2004-08-27 21:05 ` James Carter
@ 2004-08-28 2:04 ` Russell Coker
2004-08-28 4:45 ` Stephen torri
From: Russell Coker @ 2004-08-28 2:04 UTC (permalink / raw)
To: jwcart2; +Cc: SELinux
On Sat, 28 Aug 2004 07:05, James Carter <jwcart2@epoch.ncsc.mil> wrote:
> I also, didn't merge the following:
>
> diff -ru /usr/src/se/policy/file_contexts/program/initrc.fc
> ./file_contexts/program/initrc.fc
> --- /usr/src/se/policy/file_contexts/program/initrc.fc 2004-07-15
> 10:22:53.000000000 +1000
> +++ ./file_contexts/program/initrc.fc 2004-07-08 21:22:51.000000000
> +1000
> @@ -16,5 +16,3 @@
> /usr/sbin/open_init_pty -- system_u:object_r:initrc_exec_t
> /etc/nologin.* -- system_u:object_r:etc_runtime_t
> /etc/nohotplug -- system_u:object_r:etc_runtime_t
> -/halt -- system_u:object_r:etc_runtime_t
> -/\.autofsck -- system_u:object_r:etc_runtime_t
>
> Why remove these?
I had moved them to rpm.fc. But it would probably be more appropriate to have
ifdef(`distro_redhat' around those two lines and leave them in the same file.
Debian doesn't have such files, and I suspect that Gentoo doesn't either.
Those lines would be either Red Hat specific or Red Hat and SUSE specific.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
* Re: more policy patches
2004-08-28 2:04 ` Russell Coker
@ 2004-08-28 4:45 ` Stephen torri
2004-08-28 13:19 ` Russell Coker
From: Stephen torri @ 2004-08-28 4:45 UTC (permalink / raw)
To: SELinux Mail List
On Fri, 2004-08-27 at 22:04, Russell Coker wrote:
> On Sat, 28 Aug 2004 07:05, James Carter <jwcart2@epoch.ncsc.mil> wrote:
> > I also, didn't merge the following:
> >
> > diff -ru /usr/src/se/policy/file_contexts/program/initrc.fc
> > ./file_contexts/program/initrc.fc
> > --- /usr/src/se/policy/file_contexts/program/initrc.fc 2004-07-15
> > 10:22:53.000000000 +1000
> > +++ ./file_contexts/program/initrc.fc 2004-07-08 21:22:51.000000000
> > +1000
> > @@ -16,5 +16,3 @@
> > /usr/sbin/open_init_pty -- system_u:object_r:initrc_exec_t
> > /etc/nologin.* -- system_u:object_r:etc_runtime_t
> > /etc/nohotplug -- system_u:object_r:etc_runtime_t
> > -/halt -- system_u:object_r:etc_runtime_t
> > -/\.autofsck -- system_u:object_r:etc_runtime_t
> >
> > Why remove these?
>
> I had moved them to rpm.fc. But it would probably be more appropriate to have
> ifdef(`distro_redhat' around those two lines and leave them in the same file.
>
> Debian doesn't have such files, and I suspect that Gentoo doesn't either.
> Those lines would be either Red Hat specific or Red Hat and SUSE specific.
You are right. There is no binary called halt in the root directory /.
There were no files starting with .autofsck either. The only place I
found a binary called halt was in /sbin/halt.
Stephen
--
Email: storri@torri.org
* Re: more policy patches
2004-08-28 4:45 ` Stephen torri
@ 2004-08-28 13:19 ` Russell Coker
From: Russell Coker @ 2004-08-28 13:19 UTC (permalink / raw)
To: Stephen torri; +Cc: SELinux Mail List
On Sat, 28 Aug 2004 14:45, Stephen torri <storri@torri.org> wrote:
> Your are right. There is no binary called halt in the root directory /.
> There were no files starting with .autofsck either. The only place I
> found a binary called halt was in /sbin/halt.
/halt is different from /sbin/halt. /halt is a zero byte flag file created
when the system is being halted.
The policy below, which is surrounded by ifdef(`distro_redhat', permits the
creation of such files.
# for /halt /.autofsck and other flag files
file_type_auto_trans({ initrc_t sysadm_t }, root_t, etc_runtime_t, file)
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page