From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from jazzhorn.ncsc.mil (mummy.ncsc.mil [144.51.88.129]) by tarius.tycho.ncsc.mil (8.13.1/8.13.1) with SMTP id l32DtSfG003728 for ; Mon, 2 Apr 2007 09:55:28 -0400 Received: from exchange.columbia.tresys.com (jazzhorn.ncsc.mil [144.51.5.9]) by jazzhorn.ncsc.mil (8.12.10/8.12.10) with SMTP id l32DtQd2020974 for ; Mon, 2 Apr 2007 13:55:26 GMT Subject: Re: Some disable_trans stuff was missed in selinux-policy update From: "Christopher J. PeBenito" To: Daniel J Walsh Cc: SE Linux In-Reply-To: <4607E8AD.1010304@redhat.com> References: <4607E8AD.1010304@redhat.com> Content-Type: text/plain Date: Mon, 02 Apr 2007 13:56:05 +0000 Message-Id: <1175522165.14681.33.camel@sgc> Mime-Version: 1.0 Sender: owner-selinux@tycho.nsa.gov List-Id: selinux@tycho.nsa.gov On Mon, 2007-03-26 at 11:37 -0400, Daniel J Walsh wrote: > Mainly man pages and http, ppp. Applied man page fixes. The stray disable_trans pieces were fixed by the time you posted the patch. > > > > > > > differences > between files > attachment > (disable_trans.patch), "disable_trans.patch" > > --- nsaserefpolicy/man/man8/ftpd_selinux.8 2006-11-16 17:15:28.000000000 -0500 > +++ serefpolicy-2.5.11/man/man8/ftpd_selinux.8 2007-03-26 11:09:16.000000000 -0400 
> @@ -39,14 +39,10 @@ > ftpd can run either as a standalone daemon or as part of the xinetd domain. If you want to run ftpd as a daemon you must set the ftpd_is_daemon boolean. > .TP > setsebool -P ftpd_is_daemon 1 > -.TP > -You can disable SELinux protection for the ftpd daemon by executing: > -.TP > -setsebool -P ftpd_disable_trans 1 > .br > service vsftpd restart > .TP > -system-config-securitylevel is a GUI tool available to customize SELinux policy settings. > +system-config-selinux is a GUI tool available to customize SELinux policy settings. > .SH AUTHOR > This manual page was written by Dan Walsh . > > --- nsaserefpolicy/man/man8/httpd_selinux.8 2007-02-19 11:32:55.000000000 -0500 > +++ serefpolicy-2.5.11/man/man8/httpd_selinux.8 2007-03-26 11:09:16.000000000 -0400 > @@ -110,22 +110,7 @@ > .EE > > .PP > -You can disable suexec transition, set httpd_suexec_disable_trans deny this > - > -.EX > -setsebool -P httpd_suexec_disable_trans 1 > -.EE > - > -.PP > -You can disable SELinux protection for the httpd daemon by executing: > - > -.EX > -setsebool -P httpd_disable_trans 1 > -service httpd restart > -.EE > - > -.PP > -system-config-securitylevel is a GUI tool available to customize SELinux policy settings. > +system-config-selinux is a GUI tool available to customize SELinux policy settings. > .SH AUTHOR > This manual page was written by Dan Walsh . > > --- nsaserefpolicy/man/man8/kerberos_selinux.8 2007-02-26 14:42:44.000000000 -0500 > +++ serefpolicy-2.5.11/man/man8/kerberos_selinux.8 2007-03-26 11:09:16.000000000 -0400 
> @@ -18,16 +18,9 @@ > You must set the allow_kerberos boolean to allow your system to work properly in a Kerberos environment. > .EX > setsebool -P allow_kerberos 1 > -.EE > -If you are running Kerberos daemons kadmind or krb5kdc you can disable the SELinux protection on these daemons by setting the krb5kdc_disable_trans and kadmind_disable_trans booleans. > -.EX > -setsebool -P krb5kdc_disable_trans 1 > -service krb5kdc restart > -setsebool -P kadmind_disable_trans 1 > -service kadmind restart > .EE > .PP > -system-config-securitylevel is a GUI tool available to customize SELinux policy settings. > +system-config-selinux is a GUI tool available to customize SELinux policy settings. > .SH AUTHOR > This manual page was written by Dan Walsh . > > --- nsaserefpolicy/man/man8/named_selinux.8 2007-02-19 11:32:55.000000000 -0500 > +++ serefpolicy-2.5.11/man/man8/named_selinux.8 2007-03-26 11:09:16.000000000 -0400 > @@ -20,13 +20,7 @@ > setsebool -P named_write_master_zones 1 > .EE > .PP > -You can disable SELinux protection for the named daemon by executing: > -.EX > -setsebool -P named_disable_trans 1 > -service named restart > -.EE > -.PP > -system-config-securitylevel is a GUI tool available to customize SELinux policy settings. > +system-config-selinux is a GUI tool available to customize SELinux policy settings. > .SH AUTHOR > This manual page was written by Dan Walsh . > > --- nsaserefpolicy/man/man8/nfs_selinux.8 2006-11-16 17:15:28.000000000 -0500 > +++ serefpolicy-2.5.11/man/man8/nfs_selinux.8 2007-03-26 11:09:16.000000000 -0400 
> @@ -22,7 +22,7 @@ > .TP > setsebool -P use_nfs_home_dirs 1 > .TP > -system-config-securitylevel is a GUI tool available to customize SELinux policy settings. > +system-config-selinux is a GUI tool available to customize SELinux policy settings. > .SH AUTHOR > This manual page was written by Dan Walsh . > > --- nsaserefpolicy/man/man8/rsync_selinux.8 2007-02-19 11:32:55.000000000 -0500 > +++ serefpolicy-2.5.11/man/man8/rsync_selinux.8 2007-03-26 11:09:16.000000000 -0400 > @@ -36,13 +36,7 @@ > > .SH BOOLEANS > .TP > -You can disable SELinux protection for the rsync daemon by executing: > -.EX > -setsebool -P rsync_disable_trans 1 > -service xinetd restart > -.EE > -.TP > -system-config-securitylevel is a GUI tool available to customize SELinux policy settings. > +system-config-selinux is a GUI tool available to customize SELinux policy settings. > .SH AUTHOR > This manual page was written by Dan Walsh . > > --- nsaserefpolicy/man/man8/samba_selinux.8 2006-11-16 17:15:28.000000000 -0500 > +++ serefpolicy-2.5.11/man/man8/samba_selinux.8 2007-03-26 11:09:16.000000000 -0400 > @@ -41,17 +41,7 @@ > > setsebool -P use_samba_home_dirs 1 > .TP > -You can disable SELinux protection for the samba daemon by executing: > -.br > - > -setsebool -P smbd_disable_trans 1 > -.br > -service smb restart > -.TP > -system-config-securitylevel is a GUI tool available to customize SELinux policy settings. > - > - > - > +system-config-selinux is a GUI tool available to customize SELinux policy settings. > > .SH AUTHOR > This manual page was written by Dan Walsh . > --- nsaserefpolicy/man/man8/ypbind_selinux.8 2006-11-16 17:15:28.000000000 -0500 > +++ serefpolicy-2.5.11/man/man8/ypbind_selinux.8 2007-03-26 11:09:16.000000000 -0400 
> @@ -11,7 +11,7 @@ > .TP > setsebool -P allow_ypbind 1 > .TP > -system-config-securitylevel is a GUI tool available to customize SELinux policy settings. > +system-config-selinux is a GUI tool available to customize SELinux policy settings. > .SH AUTHOR > This manual page was written by Dan Walsh . > > --- nsaserefpolicy/policy/modules/services/apache.fc 2007-02-23 16:50:01.000000000 -0500 > +++ serefpolicy-2.5.11/policy/modules/services/apache.fc 2007-03-26 11:09:17.000000000 -0400 > @@ -1,10 +1,5 @@ > # temporary hack till genhomedircon is fixed > -ifdef(`targeted_policy',` > -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) > -',` > HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0) > -') > - > /etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) > /etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) > /etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) > @@ -21,7 +16,6 @@ > > /usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0) > /usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) > -/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_exec_t,s0) > /usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) > /usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) > /usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) 
> @@ -78,3 +72,11 @@ > /var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) > /var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) > /var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) > + > +#Bugzilla file context > +/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0) > +/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0) > +/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_script_rw_t,s0) > +#viewvc file context > +/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t, s0) > + > --- nsaserefpolicy/policy/modules/services/apache.if 2007-03-26 10:39:04.000000000 -0400 > +++ serefpolicy-2.5.11/policy/modules/services/apache.if 2007-03-26 11:09:17.000000000 -0400 > @@ -268,6 +268,9 @@ > ') > > apache_content_template($1) > + manage_dirs_pattern($1_t,httpd_$1_content_t,httpd_$1_content_t) > + manage_files_pattern($1_t,httpd_$1_content_t,httpd_$1_content_t) > + manage_lnk_files_pattern($1_t,httpd_$1_content_t,httpd_$1_content_t) > > typeattribute httpd_$1_content_t httpd_script_domains; > userdom_user_home_content($1,httpd_$1_content_t) > @@ -434,6 +437,24 @@ > > ######################################## > ## > +## getattr apache.process > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`apache_getattr',` > + gen_require(` > + type httpd_t; > + ') > + > + allow $1 httpd_t:process getattr; > +') > + > +######################################## > +## > ## Inherit and use file descriptors from Apache. > ## > ## > @@ -752,6 +773,7 @@ > ') > > allow $1 httpd_modules_t:dir list_dir_perms; > + read_lnk_files_pattern($1,httpd_modules_t,httpd_modules_t) > ') > > ######################################## 
> @@ -1000,3 +1022,140 @@ > > allow $1 httpd_sys_script_t:dir search_dir_perms; > ') > + > +######################################## > +## > +## Allow the specified domain to manage > +## apache modules. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`apache_manage_modules',` > + gen_require(` > + type httpd_modules_t; > + ') > + > + manage_dirs_pattern($1,httpd_modules_t,httpd_modules_t) > + manage_files_pattern($1,httpd_modules_t,httpd_modules_t) > + manage_lnk_files_pattern($1,httpd_modules_t,httpd_modules_t) > +') > + > +######################################## > +## > +## Allow the specified domain to create > +## apache lock file > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`apache_manage_lock',` > + gen_require(` > + type httpd_lock_t; > + ') > + allow $1 httpd_lock_t:file manage_file_perms; > + files_lock_filetrans($1, httpd_lock_t, file) > +') > + > +######################################## > +## > +## Allow the specified domain to manage > +## apache pid file > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`apache_manage_pid',` > + gen_require(` > + type httpd_var_run_t; > + ') > + manage_files_pattern($1,httpd_var_run_t,httpd_var_run_t) > + files_pid_filetrans($1,httpd_var_run_t, file) > +') > + > +######################################## > +## > +##f Read apache system state > +## > +## > +## > +## Domain to not audit. > +## > +## > +# > +interface(`apache_read_state',` > + gen_require(` > + type httpd_t; > + ') > + kernel_search_proc($1) > + allow $1 httpd_t:dir list_dir_perms; > + read_files_pattern($1,httpd_t,httpd_t) > + read_lnk_files_pattern($1,httpd_t,httpd_t) > + dontaudit $1 httpd_t:process ptrace; > +') > + > +######################################## > +## > +##f allow domain to signal apache > +## > +## > +## > +## Domain to not audit. 
> +## > +## > +# > +interface(`apache_signal',` > + gen_require(` > + type httpd_t; > + ') > + allow $1 httpd_t:process signal; > +') > + > +######################################## > +## > +## allow domain to relabel apache content > +## > +## > +## > +## Domain to not audit. > +## > +## > +# > +interface(`apache_relabel',` > + gen_require(` > + attribute httpdcontent; > + attribute httpd_script_exec_type; > + ') > + > + allow $1 { httpd_script_exec_type httpdcontent}:dir { relabelto relabelfrom }; > + allow $1 { httpd_script_exec_type httpdcontent}:file { relabelto relabelfrom }; > +') > + > +######################################## > +## > +## Allow the specified domain to search > +## apache bugzilla directories. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`apache_search_bugzilla_dirs',` > + gen_require(` > + type httpd_bugzilla_content_t; > + ') > + > + allow $1 httpd_bugzilla_content_t:dir search_dir_perms; > +') > + > --- nsaserefpolicy/policy/modules/services/apache.te 2007-03-26 10:39:04.000000000 -0400 > +++ serefpolicy-2.5.11/policy/modules/services/apache.te 2007-03-26 11:09:54.000000000 -0400 > @@ -507,13 +520,7 @@ > allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; > allow httpd_suexec_t self:netlink_route_socket r_netlink_socket_perms; > > -ifdef(`targeted_policy',` > - gen_tunable(httpd_suexec_disable_trans,false) > - > - tunable_policy(`httpd_suexec_disable_trans',`',` > - domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) > - ') > -') > +domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) > > create_files_pattern(httpd_suexec_t,httpd_log_t,httpd_log_t) > append_files_pattern(httpd_suexec_t,httpd_log_t,httpd_log_t) > --- nsaserefpolicy/policy/modules/services/ppp.te 2007-03-26 10:39:04.000000000 -0400 > +++ serefpolicy-2.5.11/policy/modules/services/ppp.te 2007-03-26 11:09:55.000000000 -0400 
> @@ -173,19 +173,10 @@ > term_dontaudit_use_generic_ptys(pppd_t) > files_dontaudit_read_root_files(pppd_t) > > - optional_policy(` > - gen_require(` > - bool postfix_disable_trans; > - ') > - > - if(!postfix_disable_trans) { > - postfix_domtrans_master(pppd_t) > - } > - ') > -',` > - optional_policy(` > - postfix_domtrans_master(pppd_t) > - ') > +') > + > +optional_policy(` > + postfix_domtrans_master(pppd_t) > ') > > optional_policy(` > -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150 -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
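Review bot: in the httpd_selinux.8 hunk, removing the httpd_suexec_disable_trans paragraph only stays accurate if the apache.te hunk that drops the gen_tunable(httpd_suexec_disable_trans,false) block lands in the same release; the man page and the policy should be committed together so the documented booleans match what `getsebool -a` reports.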
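Review bot: in the first apache.fc hunk, the "# temporary hack till genhomedircon is fixed" comment is kept above a HOME_DIR line that is now unconditional and no longer wrapped in ifdef(`targeted_policy'); either reword the comment to say what is still temporary or drop it, since a reader can no longer tell which part is the hack.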
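Review bot: in the second apache.fc hunk, the /usr/lib/squid/cachemgr\.cgi entry is removed but nothing in the posted patch relabels it, so unless squid.fc already carries that path it falls back to the generic /usr/lib label and the CGI will not run in the httpd domain; please point at the file that takes over the context or add it here.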
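Review bot: in the third apache.fc hunk, `/usr/share/bugzilla(/.*)? --` labels every regular file under that tree as httpd_bugzilla_script_exec_t, so templates, CSS and images become executable by the script domain rather than plain content; a narrower pattern for the CGI scripts with the rest left as httpd_bugzilla_content_t would match the split the `-d` line already makes. The httpd_bugzilla_content_t, httpd_bugzilla_script_exec_t and httpd_bugzilla_script_rw_t types are not declared anywhere in the posted diff (see the apache.te note). Minor: `gen_context(system_u:object_r:httpd_sys_script_rw_t, s0)` has a space after the comma unlike every other entry, and the final `+` line adds a trailing blank line at end of file.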
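Review bot: in the apache.if hunk at @@ -434, the summary of apache_getattr reads "getattr apache.process", which is not a sentence and will look odd in the generated interface documentation; "Get the attributes of the Apache process." matches the wording of the neighbouring interfaces.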
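Review bot: in the apache.if hunk at @@ -1000, the summary lines for apache_read_state and apache_signal are written `##f Read apache system state` and `##f allow domain to signal apache`; the stray `f` breaks the `## <summary>` comment format that the documentation generator parses. In the same hunk apache_read_state, apache_signal and apache_relabel describe their parameter as "Domain to not audit." although each grants allow rules, so it should read "Domain allowed access." as the other new interfaces do. apache_relabel grants relabelfrom/relabelto on every httpdcontent and httpd_script_exec_type type for dir and file, which lets the caller turn any web content into script executables; that is appropriate for an administrative domain, so the summary should say so, and lnk_file is missing from the class list if restorecon over a content tree is the use case. Style: `{ httpd_script_exec_type httpdcontent}` is missing the space before `}`.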
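Review bot: the apache.te hunk header `@@ -507,13 +520,7 @@` shows the new file has 13 more lines before this point, so earlier apache.te changes (most likely the declarations for the httpd_bugzilla_* types that apache.fc and apache_search_bugzilla_dirs rely on) were left out of the posted patch; as sent, the .fc and .if hunks reference undeclared types. Making domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) unconditional is consistent with removing the httpd_suexec_disable_trans documentation above.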
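Review bot: in the ppp.te hunk, the added `+')` closes an ifdef(`targeted_policy' block whose opening is outside the hunk, and the removed `-',\`` was the else branch of that ifdef; please confirm that the lines remaining inside the branch (the term_dontaudit_use_generic_ptys and files_dontaudit_read_root_files context lines, if they are in it) are meant to stay targeted-only now that the only difference between the branches, the postfix_disable_trans check, is gone and optional_policy(postfix_domtrans_master(pppd_t)) applies to every policy type.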