From: forrest whitcher <fw@fwsystems.com>
To: selinux@tycho.nsa.gov
Cc: openafs-info@openafs.org
Subject: selinux afs domain v 0.2
Date: Mon, 20 Jan 2003 20:07:18 -0500
Message-ID: <20030120200718.57f30b5f.fw@fwsystems.com>
With thanks to Russell Coker, I've got an improved - doubtless still far
from perfect - policy for afs client operation.
I've attached from /etc/security/selinux/src/policy:
domains/program/afsd.te        # the bulk of the policy
file_contexts/program/afsd.fc  # define the /usr/sbin/afsd type
types/afs.te                   # provide policy distinctions for /afs
                               # and local / non-local domains
Additionally, note the following changes:
genfs_contexts # provides labeling to non-PSID filesystems
# afs
genfscon afs / system_u:object_r:afs_t
# local afs files (httpd_t is not allowed outside this)
genfscon afs /afsdomain.org.dom system_u:object_r:afs_loc_t
# (e.g.) a place where trusted binaries might reside
genfscon afs /afsdomain.org.dom/usr/local/bin system_u:object_r:afs_loc_tbin_t
-----
domains/program/mount.te # added:
allow mount_t kernel_t:process { sigkill };
# when /afs is unmounted I assume VFS is providing the magic for the kill to
# be sent to afsd. Would it be better (possible?) to limit this to only killing
# the afsd_t process?
-----
types/file.te: # afsd needs to write /usr/etc/openafs/AFSLog
# usr_etc_log_t is created primarily for afsd which
# wants to keep a log in /usr/etc/openafs
type usr_etc_log_t, file_type, sysadmfile;
------
Fixes vs. prior email.
The usr_etc_log_t type removes the error that allowed afsd write permission to most of /etc.
Having corrected the policy (using the every_domain() macro), the incorrect initrc.te
hack is now fixed.
Added exemplar site-specific types and policy enforcements for local and remote
afs data.
Next steps:
1. Running volume location and fileserver under the selinux kernel.
The creation of the .../security directory and the included inode index files
has a fairly high chance of breaking the fileserver volume operation.
AFS volume partitions on Linux are in ext2fs but must never be treated
as regular filesystems, and fsck will destroy the volume data.
2. Possible generation of a policy for AFS tokens stored in kernel memory.
Currently all selinux roles will have the same access to the afs tokens. This
is workable but providing a TE policy might be useful.
[-- Attachment #2: afsd.te --]
# Domain for afsd executable
#
# Author: Forrest Whitcher <fw@fwsystems.com>
#
# Copyright 2002, 2003 FW Systems llc
# All Rights Reserved.
#
type afsd_t, domain, privlog;
role system_r types afsd_t;
every_domain(afsd_t)
type afsd_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans(initrc_t, afsd_exec_t, afsd_t)
allow afsd_t root_t:dir mounton;
allow afsd_t afs_t:filesystem { mount };
allow afsd_t kernel_t:process { sigkill };
allow kernel_t afsd_t:udp_socket { read write };
allow afsd_t afsd_t:capability { sys_admin sys_nice };
allow afsd_t afsd_t:process { fork setsched };
allow afsd_t afsd_t:udp_socket { create ioctl write };
allow afsd_t any_socket_t:udp_socket { sendto };
allow afsd_t etc_runtime_t:file { append getattr read };
allow afsd_t etc_t:dir { search };
allow afsd_t etc_t:file { getattr read };
allow afsd_t usr_etc_log_t:file { getattr read write };
allow afsd_t fs_t:filesystem { getattr };
allow afsd_t ld_so_cache_t:file { getattr read };
allow afsd_t lib_t:dir { search };
allow afsd_t netif_eth0_t:netif { udp_send };
allow afsd_t netmsg_eth0_t:udp_socket { recvfrom };
allow afsd_t newrole_t:fd { use };
allow afsd_t node_t:node { udp_send };
allow afsd_t root_t:dir { search };
allow afsd_t shlib_t:file { execute getattr read };
allow afsd_t shlib_t:lnk_file { read };
allow afsd_t sysadm_tty_device_t:chr_file { getattr ioctl read write };
allow afsd_t sysadm_tmp_t:dir { create setattr getattr read search };
allow afsd_t sysadm_tmp_t:file { create };
allow afsd_t tmp_t:dir { search };
allow afsd_t usr_t:dir { search };
#
# required to give any access to users
#
allow sysadm_t afsd_t:udp_socket { write };
allow user_t afsd_t:udp_socket { write };
allow httpd_t afsd_t:udp_socket { write };
#
# required for full client access
#
allow user_t afs_t:dir { getattr search read write };
allow user_t afs_t:file { read write setattr getattr execute execute_no_trans };
allow user_t afs_t:lnk_file { read write setattr getattr };
allow user_t afs_t:udp_socket { read write };
allow user_t afs_loc_t:dir { getattr search read write };
allow user_t afs_loc_t:file { read write setattr getattr execute execute_no_trans };
allow user_t afs_loc_t:lnk_file { read write setattr getattr };
allow user_t afs_loc_t:udp_socket { read write };
allow user_t afs_loc_tbin_t:dir { getattr search read write };
allow user_t afs_loc_tbin_t:file { read write setattr getattr execute execute_no_trans };
allow user_t afs_loc_tbin_t:lnk_file { read write setattr getattr };
allow user_t afs_loc_tbin_t:udp_socket { read write };
allow httpd_t afs_t:dir { getattr search read };
allow httpd_t afs_t:lnk_file { read write setattr getattr };
allow httpd_t afs_t:udp_socket { read write };
allow httpd_t afs_loc_t:dir { getattr search read write };
allow httpd_t afs_loc_t:file { read write setattr getattr execute execute_no_trans };
allow httpd_t afs_loc_t:lnk_file { read write setattr getattr };
allow httpd_t afs_loc_t:udp_socket { read write };
allow sysadm_t afs_t:dir { getattr search read };
allow sysadm_t afs_t:lnk_file { read write setattr getattr };
allow sysadm_t afs_t:udp_socket { read write };
allow sysadm_t afs_loc_t:dir { getattr search read write };
allow sysadm_t afs_loc_t:file { read write setattr getattr };
allow sysadm_t afs_loc_t:lnk_file { read write setattr getattr };
allow sysadm_t afs_loc_t:udp_socket { read write };
allow sysadm_t afs_loc_tbin_t:file { execute execute_no_trans };
[-- Attachment #3: afsd.fc --]
# afsd
/usr/sbin/afsd system_u:object_r:afsd_exec_t
[-- Attachment #4: afs.te --]
#
# Author: Forrest Whitcher <fw@fwsystems.com>
#
###########################################
#
# afs types
# copied slavishly from nfs.te
#
type afs_t, fs_type, root_dir_type;
type afs_loc_t, file_type, sysadmfile;
type afs_loc_tbin_t, file_type, sysadmfile;
#
# Allow AFS files to be associated with an AFS file system.
#
allow afs_t afs_t:filesystem associate;
allow afs_loc_t afs_t:filesystem associate;
allow afs_loc_tbin_t afs_t:filesystem associate;
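As an added illustration (not part of the original mail, nor of the OpenAFS or SELinux policy sources), the following Python script applies the longest-prefix labeling that genfscon gives to paths below the /afs mount point and then looks the resulting type up in a copied excerpt of the allow rules above, so one can check statements such as "httpd_t is not allowed outside afsdomain.org.dom". Paths are given relative to the mount point (/afs/X as /X); the genfscon lines and allow rules are constructed from the text of this mail.

```python
import re

# Constructed excerpt: the genfscon lines and a few allow rules from the mail.
GENFSCON = """
genfscon afs / system_u:object_r:afs_t
genfscon afs /afsdomain.org.dom system_u:object_r:afs_loc_t
genfscon afs /afsdomain.org.dom/usr/local/bin system_u:object_r:afs_loc_tbin_t
"""
ALLOW_RULES = """
allow httpd_t afs_t:dir { getattr search read };
allow httpd_t afs_loc_t:file { read write setattr getattr execute execute_no_trans };
allow user_t afs_loc_tbin_t:file { read write setattr getattr execute execute_no_trans };
allow sysadm_t afs_loc_t:file { read write setattr getattr };
allow sysadm_t afs_loc_tbin_t:file { execute execute_no_trans };
"""

GENFS_RE = re.compile(r"^genfscon\s+(\S+)\s+(\S+)\s+\S+:\S+:(\S+)$")
ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{([^}]*)\}|(\S+))\s*;$")

def parse_genfscon(text, fstype="afs"):
    """Return [(path_prefix, type)] for one filesystem type."""
    out = []
    for line in text.splitlines():
        m = GENFS_RE.match(line.strip())
        if m and m.group(1) == fstype:
            out.append((m.group(2), m.group(3)))
    return out

def label_for(path, entries):
    """genfscon semantics: the longest prefix on a path-component boundary wins."""
    best = None
    for prefix, ty in entries:
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, ty)
    return best[1] if best else None

def parse_allow(text):
    """Return {(source, target, class): set(perms)}, merging duplicate rules."""
    rules = {}
    for line in text.splitlines():
        m = ALLOW_RE.match(line.strip())
        if m:
            src, tgt, cls, braced, single = m.groups()
            rules.setdefault((src, tgt, cls), set()).update((braced or single).split())
    return rules

def may_access(domain, path, cls, perm, entries, rules):
    """True if the TE rules grant `perm` on the object's type. Note that `search`
    on every parent directory is also required at runtime and is not checked here."""
    return perm in rules.get((domain, label_for(path, entries), cls), set())
```

Running may_access("httpd_t", "/other.org/index.html", "file", "read", ...) against the excerpt returns False because the only httpd_t rule on afs_t covers directories, while the same call for a file under /afsdomain.org.dom returns True.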