* selinux afs domain v 0.2
From: forrest whitcher @ 2003-01-21 1:07 UTC (permalink / raw)
To: selinux; +Cc: openafs-info
With thanks to Russell Coker, I've got an improved - doubtless still far
from perfect - policy for afs client operation.
I've attached from /etc/security/selinux/src/policy:
domains/program/afsd.te         # the bulk of the policy
file_contexts/program/afsd.fc   # define the /usr/sbin/afsd type
types/afs.te                    # provide policy distinctions for /afs
                                # and local / non-local domains
Additionally, note the following changes:
genfs_contexts # provides labeling to non-PSID filesystems
# afs
genfscon afs / system_u:object_r:afs_t
# local afs files (httpd_t is not allowed outside this)
genfscon afs /afsdomain.org.dom system_u:object_r:afs_loc_t
# (e.g.) a place where trusted binaries might reside
genfscon afs /afsdomain.org.dom/usr/local/bin system_u:object_r:afs_loc_tbin_t
-----
domains/program/mount.te #added:
allow mount_t kernel_t:process { sigkill };
# when /afs is unmounted I assume VFS is providing the magic for the kill to
# be sent to afsd. Would it be better (possible?) to limit this to only killing
# the afsd_t process?
-----
types/file.te: # afsd needs to write /usr/etc/openafs/AFSLog
# usr_etc_log_t is created primarily for afsd which
# wants to keep a log in /usr/etc/openafs
type usr_etc_log_t, file_type, sysadmfile;
------
Fixes vs. prior email:
The usr_etc_log_t type removes an error that allowed afsd write permission to
most of /etc.
Having corrected the policy (using the every_domain() macro), the incorrect
initrc.te hack is now fixed.
Added exemplar site-specific types and policy enforcements for local and remote
afs data.
Next steps:
1. Running volume location and fileserver under the selinux kernel.
The creation of the .../security directory and the included inode index files
has a fairly high chance of breaking the fileserver volume operation.
Afs volume partitions on linux are in ext2fs but must never be treated
as regular filesystems, and fsck will destroy the volume data.
2. Possible generation of a policy for AFS tokens stored in kernel memory.
Currently all selinux roles will have the same access to the afs tokens. This
is workable but providing a TE policy might be useful.
[-- Attachment: afsd.te --]
# Domain for afsd executable
#
# Author: Forrest Whitcher <fw@fwsystems.com>
#
# Copyright 2002, 2003 FW Systems llc
# All Rights Reserved.
#
# afsd_t is the domain the AFS cache manager runs in. every_domain() gives
# it the common permissions shared by all domains; privlog lets it log
# through syslogd.
type afsd_t, domain, privlog;
role system_r types afsd_t;
every_domain(afsd_t)
# Entry point type for /usr/sbin/afsd (labeled in afsd.fc); executing it
# from initrc_t transitions into afsd_t.
type afsd_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans(initrc_t, afsd_exec_t, afsd_t)
# Mount the afs filesystem on /afs (a root_t directory), and interaction
# with kernel_t (cf. the mount.te note above).
allow afsd_t root_t:dir mounton;
allow afsd_t afs_t:filesystem { mount };
allow afsd_t kernel_t:process { sigkill };
allow kernel_t afsd_t:udp_socket { read write };
# Process privileges: sys_admin (needed for mount), sys_nice/setsched, fork.
allow afsd_t afsd_t:capability { sys_admin sys_nice };
allow afsd_t afsd_t:process { fork setsched };
# Rx runs over UDP: afsd's own socket, plus send/receive on eth0.
allow afsd_t afsd_t:udp_socket { create ioctl write };
allow afsd_t any_socket_t:udp_socket { sendto };
allow afsd_t netif_eth0_t:netif { udp_send };
allow afsd_t netmsg_eth0_t:udp_socket { recvfrom };
allow afsd_t node_t:node { udp_send };
# Configuration under /etc and the AFSLog file (usr_etc_log_t, see file.te).
allow afsd_t etc_runtime_t:file { append getattr read };
allow afsd_t etc_t:dir { search };
allow afsd_t etc_t:file { getattr read };
allow afsd_t usr_etc_log_t:file { getattr read write };
allow afsd_t fs_t:filesystem { getattr };
# Shared libraries and directory traversal.
allow afsd_t ld_so_cache_t:file { getattr read };
allow afsd_t lib_t:dir { search };
allow afsd_t root_t:dir { search };
allow afsd_t shlib_t:file { execute getattr read };
allow afsd_t shlib_t:lnk_file { read };
allow afsd_t usr_t:dir { search };
# Admin tty, newrole fd and temporary files.
allow afsd_t newrole_t:fd { use };
allow afsd_t sysadm_tty_device_t:chr_file { getattr ioctl read write };
allow afsd_t sysadm_tmp_t:dir { create setattr getattr read search };
allow afsd_t sysadm_tmp_t:file { create };
allow afsd_t tmp_t:dir { search };
#
# required to give any access to users
# (clients reach the cache manager through its UDP socket)
#
allow sysadm_t afsd_t:udp_socket { write };
allow user_t afsd_t:udp_socket { write };
allow httpd_t afsd_t:udp_socket { write };
#
# required for full client access
#
# user_t: read, write and execute on all three AFS types.
allow user_t afs_t:dir { getattr search read write };
allow user_t afs_t:file { read write setattr getattr execute execute_no_trans };
allow user_t afs_t:lnk_file { read write setattr getattr };
allow user_t afs_t:udp_socket { read write };
allow user_t afs_loc_t:dir { getattr search read write };
allow user_t afs_loc_t:file { read write setattr getattr execute execute_no_trans };
allow user_t afs_loc_t:lnk_file { read write setattr getattr };
allow user_t afs_loc_t:udp_socket { read write };
allow user_t afs_loc_tbin_t:dir { getattr search read write };
allow user_t afs_loc_tbin_t:file { read write setattr getattr execute execute_no_trans };
allow user_t afs_loc_tbin_t:lnk_file { read write setattr getattr };
allow user_t afs_loc_tbin_t:udp_socket { read write };
# httpd_t: may traverse afs_t, but file access only under afs_loc_t
# (the local cell; see the genfs_contexts comment).
allow httpd_t afs_t:dir { getattr search read };
allow httpd_t afs_t:lnk_file { read write setattr getattr };
allow httpd_t afs_t:udp_socket { read write };
allow httpd_t afs_loc_t:dir { getattr search read write };
allow httpd_t afs_loc_t:file { read write setattr getattr execute execute_no_trans };
allow httpd_t afs_loc_t:lnk_file { read write setattr getattr };
allow httpd_t afs_loc_t:udp_socket { read write };
# sysadm_t: no file access on afs_t, read/write under afs_loc_t, and
# execute only from afs_loc_tbin_t.
allow sysadm_t afs_t:dir { getattr search read };
allow sysadm_t afs_t:lnk_file { read write setattr getattr };
allow sysadm_t afs_t:udp_socket { read write };
allow sysadm_t afs_loc_t:dir { getattr search read write };
allow sysadm_t afs_loc_t:file { read write setattr getattr };
allow sysadm_t afs_loc_t:lnk_file { read write setattr getattr };
allow sysadm_t afs_loc_t:udp_socket { read write };
allow sysadm_t afs_loc_tbin_t:file { execute execute_no_trans };
[-- Attachment: afsd.fc --]
# afsd
/usr/sbin/afsd system_u:object_r:afsd_exec_t
[-- Attachment: afs.te --]
#
# Author: Forrest Whitcher <fw@fwsystems.com>
#
###########################################
#
# afs types
# copied slavishly from nfs.te
#
# afs_t labels the afs filesystem and everything under /afs that
# genfs_contexts does not label more specifically.
type afs_t, fs_type, root_dir_type;
# afs_loc_t labels the local cell (/afs/afsdomain.org.dom in genfs_contexts);
# afs_loc_tbin_t labels its trusted binaries directory.
type afs_loc_t, file_type, sysadmfile;
type afs_loc_tbin_t, file_type, sysadmfile;
#
# Allow AFS files to be associated with an AFS file system.
# Without these associate rules, files labeled afs_loc_t or afs_loc_tbin_t
# could not live on a filesystem labeled afs_t.
#
allow afs_t afs_t:filesystem associate;
allow afs_loc_t afs_t:filesystem associate;
allow afs_loc_tbin_t afs_t:filesystem associate;
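The genfs_contexts entries in the message above label /afs by path prefix. The following Python, added here as an example and not code from the original post or from the OpenAFS or SELinux policy sources, models the kernel's genfs lookup: the entries for a filesystem type are tried longest path first, and the first entry whose path is a plain string prefix of the file's path wins. The three genfscon lines are copied from the message; the sample paths, including the afsdomain.org.dom-mirror sibling and the usr/local/binaries directory, are constructed to show where the prefix match bites.

```python
# Added example (not part of the original post or the policy it attaches):
# a model of how genfscon entries label paths inside the afs filesystem.
# The kernel keeps the genfs entries of a filesystem type sorted longest
# path first and uses the first entry whose path is a plain string prefix
# of the path being labeled; label_for() does the same.
# The genfscon lines below are copied from the message; every path passed
# to label_for() in the demo is constructed for illustration.
import re

GENFS_CONTEXTS = """
# afs
genfscon afs / system_u:object_r:afs_t
# local afs files (httpd_t is not allowed outside this)
genfscon afs /afsdomain.org.dom system_u:object_r:afs_loc_t
# (e.g.) a place where trusted binaries might reside
genfscon afs /afsdomain.org.dom/usr/local/bin system_u:object_r:afs_loc_tbin_t
"""

GENFSCON_RE = re.compile(r"^\s*genfscon\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_genfscon(text):
    """Return (fstype, path, context) tuples from genfs_contexts text."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop comments
        m = GENFSCON_RE.match(line)
        if m:
            entries.append(m.groups())
    return entries


def label_for(entries, fstype, path):
    """Context for `path` on a filesystem of type `fstype`, or None.

    `path` is relative to the mount point, the way the kernel sees it:
    /afs/afsdomain.org.dom/usr/local/bin/fs is looked up as
    /afsdomain.org.dom/usr/local/bin/fs. Longest matching prefix wins.
    """
    candidates = [e for e in entries if e[0] == fstype]
    candidates.sort(key=lambda e: len(e[1]), reverse=True)
    for _, prefix, context in candidates:
        if path.startswith(prefix):          # string prefix, not path components
            return context
    return None


def type_of(context):
    """The type field of a user:role:type security context."""
    return context.split(":")[2]


def label_table(entries, fstype, paths):
    """Map each path to the type it would get (None when nothing matches)."""
    table = {}
    for p in paths:
        ctx = label_for(entries, fstype, p)
        table[p] = type_of(ctx) if ctx else None
    return table


if __name__ == "__main__":
    # constructed sample paths (relative to /afs)
    demo = [
        "/",
        "/other.org/home/alice",
        "/afsdomain.org.dom/home/alice/www",
        "/afsdomain.org.dom/usr/local/bin/fs",
        "/afsdomain.org.dom/usr/local/binaries/x",   # extends the bin prefix
        "/afsdomain.org.dom-mirror/etc",             # extends the cell prefix
    ]
    for path, t in label_table(parse_genfscon(GENFS_CONTEXTS), "afs", demo).items():
        print("%-45s %s" % (path, t))
```

Two things the table makes visible. First, httpd_t's confinement to the local cell rests entirely on the /afsdomain.org.dom prefix. Second, because the match is a string prefix rather than a path-component match, a sibling such as /afs/afsdomain.org.dom-mirror inherits afs_loc_t and anything under /afs/afsdomain.org.dom/usr/local/binaries is labeled afs_loc_tbin_t; pick prefixes that no other name in the cell extends, or label the extra names explicitly.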
* Re: selinux afs domain v 0.2
From: Russell Coker @ 2003-01-21 2:01 UTC (permalink / raw)
To: forrest whitcher, selinux; +Cc: openafs-info
On Tue, 21 Jan 2003 02:07, forrest whitcher wrote:
> types/file.te: #afsd needs to write
> /usr/etc/openafs/AFSLog
>
> # usr_etc_log_t is created primarily for afsd which
> # wants to keep a log in /usr/etc/openafs
>
> type usr_etc_log_t, file_type, sysadmfile;
This is a really bad name.
Firstly your AFS package is broken. It should not put logs under an "etc"
directory, and even having /usr/etc is bad enough. I suggest recompiling
your AFS to put the logs in /var/log/afs* .
Then just do:
log_domain(afsd)
Also look at the rw_dir_create_file() macro and the use of { type types ... }
for specifying the types of files and directories, using those methods you
can significantly reduce the size of your policy file without changing the
result.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
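To see how much the { type types ... } form suggested above buys, here is a small Python script, added as an example and not part of the thread or of any SELinux tool, that folds literal allow rules the way a policy author would by hand: first union the permissions of rules sharing source, target and class, then collapse rules that differ only in target type into one rule with a type set. The sample rules are copied from the posted afsd.te (the sysadm_t/user_t/httpd_t section); the script knows nothing about the policy macros such as rw_dir_create_file(), which would shrink the file further.

```python
# Added example (not from the original thread or any SELinux tool): fold
# verbose `allow` rules into equivalent rules that use a type set in the
# target position. The sample policy is copied from the afsd.te posted in
# the thread; everything else here is constructed for this example.
# access_vectors() re-expands rules to (source, target, class, permission)
# tuples, so the folding can be checked to grant exactly the same access.
import re
from collections import OrderedDict

SAMPLE_POLICY = """
allow sysadm_t afsd_t:udp_socket { write };
allow user_t afsd_t:udp_socket { write };
allow httpd_t afsd_t:udp_socket { write };
allow user_t afs_t:dir { getattr search read write};
allow user_t afs_t:file { read write setattr getattr execute execute_no_trans };
allow user_t afs_t:lnk_file { read write setattr getattr };
allow user_t afs_t:udp_socket { read write };
allow user_t afs_loc_t:dir { getattr search read write};
allow user_t afs_loc_t:file { read write setattr getattr execute execute_no_trans };
allow user_t afs_loc_t:lnk_file { read write setattr getattr };
allow user_t afs_loc_t:udp_socket { read write };
allow user_t afs_loc_tbin_t:dir { getattr search read write};
allow user_t afs_loc_tbin_t:file { read write setattr getattr execute execute_no_trans };
allow user_t afs_loc_tbin_t:lnk_file { read write setattr getattr };
allow user_t afs_loc_tbin_t:udp_socket { read write };
allow httpd_t afs_t:dir { getattr search read };
allow httpd_t afs_t:lnk_file { read write setattr getattr };
allow httpd_t afs_t:udp_socket { read write };
allow httpd_t afs_loc_t:dir { getattr search read write};
allow httpd_t afs_loc_t:file { read write setattr getattr execute execute_no_trans };
allow httpd_t afs_loc_t:lnk_file { read write setattr getattr };
allow httpd_t afs_loc_t:udp_socket { read write };
"""

# allow SRC TGT:CLASS PERMS ;  where TGT and PERMS may be a single word or { ... }
ALLOW_RE = re.compile(
    r"^allow\s+(\w+)\s+(\{[^}]*\}|\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;$")


def _words(field):
    """'{ a b }' or 'a' -> ['a', 'b'] / ['a']."""
    return field.strip("{} ").split()


def parse_allow_rules(text):
    """Parse allow rules into (source, target, class, perms), one target each."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("allow "):
            continue                    # type/role/macro lines are not handled here
        m = ALLOW_RE.match(line)
        if not m:
            raise ValueError("unrecognised allow rule: " + line)
        src, tgts, cls, perms = m.groups()
        permset = frozenset(_words(perms))
        for tgt in _words(tgts):
            rules.append((src, tgt, cls, permset))
    return rules


def access_vectors(rules):
    """The set of (source, target, class, permission) granted by `rules`."""
    return {(s, t, c, p) for s, t, c, perms in rules for p in perms}


def merge_permissions(rules):
    """Union the permissions of rules that share (source, target, class)."""
    merged = OrderedDict()
    for src, tgt, cls, perms in rules:
        key = (src, tgt, cls)
        merged[key] = merged.get(key, frozenset()) | perms
    return [(s, t, c, p) for (s, t, c), p in merged.items()]


def group_targets(rules):
    """Fold rules differing only in target type into one rule with a type set."""
    groups = OrderedDict()
    for src, tgt, cls, perms in rules:
        groups.setdefault((src, cls, perms), []).append(tgt)
    return [(s, tuple(tgts), c, p) for (s, c, p), tgts in groups.items()]


def format_rule(src, targets, cls, perms):
    """Render a rule in TE syntax; permissions sorted so output is diffable."""
    tgt = targets[0] if len(targets) == 1 else "{ " + " ".join(targets) + " }"
    plist = " ".join(sorted(perms))
    if len(perms) > 1:
        plist = "{ " + plist + " }"
    return "allow %s %s:%s %s;" % (src, tgt, cls, plist)


def compact_policy(text):
    """Return the equivalent, folded allow rules as a list of lines."""
    rules = group_targets(merge_permissions(parse_allow_rules(text)))
    return [format_rule(*r) for r in rules]


if __name__ == "__main__":
    before = parse_allow_rules(SAMPLE_POLICY)
    after = compact_policy(SAMPLE_POLICY)
    same = access_vectors(before) == access_vectors(parse_allow_rules("\n".join(after)))
    print("# %d rules folded into %d, identical access vectors: %s" % (len(before), len(after), same))
    print("\n".join(after))
```

The equality check on access_vectors() is the proof that the folding changed nothing, which is the point of the suggestion: fewer lines to review, same policy. TE also accepts a set in the source position; the script leaves sources alone so the target grouping stays easy to read.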
* Re: [OpenAFS] selinux afs domain v 0.2
From: forrest whitcher @ 2003-03-17 20:41 UTC (permalink / raw)
To: openafs-info; +Cc: tino.schwarze, SELinux
I've run across a problem on an SEL-based fileserver that I've not seen or
been able to replicate elsewhere.
kernel 2.4.19 w/ nsa selinux patches
openafs-1.2.8
/vicepb is a software-raid-1 disk / ext2 (9 gb filesystem)
When this volume got to about 90% of capacity I started getting read errors
indicating 'no space left on device'. Interesting, as I was trying to read
the files, not write.
dmesg gives:
Mar 16 23:25:24 thing kernel: attempt to access beyond end of device
Mar 16 23:25:24 thing kernel: 09:01: rw=0, want=9630852, limit=9630848
Mar 16 23:25:24 thing kernel: attempt to access beyond end of device
Mar 16 23:25:24 thing kernel: 09:01: rw=0, want=9630856, limit=9630848
I can't think what would be particular to this instance .. SELinux does
maintain the 'PSID' cache noted below and that is going to have the
following effects:
Uses some inodes; .../security contains:
-rw------- 1 root root 76 Jan 24 13:06 contexts
-rw------- 1 root root 36 Jan 24 13:06 index
-rw------- 1 root root 3648524 Mar 17 14:19 inodes
which isn't using a lot of space, so I'm not at all sure why I'm running
out with about a gig of space free in this 9g fs.
I think I'll add an additional test on an available (raid) fs and
see what happens when it fills.
Questions in reference to the use of NAMEI:
1. does this mean I now can fsck? ... that I should fsck?
2. So I could be using ext3 or jfs ... journaled filesystems? and
would there be any advantage in doing so?
forrest
On Tue, 21 Jan 2003 09:48:47 +0100 (unchecked - local sync NTPstrat4)
tino.schwarze@informatik.tu-chemnitz.de (Tino Schwarze) did inscribe thusly:
> On Mon, Jan 20, 2003 at 08:07:18PM -0500, forrest whitcher wrote:
>
> > 1. Running volume location and fileserver under the selinux kernel.
> >
> > The creation of the .../security directory and the included inode index files
> > has a fairly high chance of breaking the fileserver volume operation.
> >
> > Afs volume partitions on linux are in ext2fs but must never be treated
> > as regular filesystems, and fsck will destroy the volume data.
>
> This is not true anymore. The Linux fileserver uses the NAMEI interface
> and does not do any fancy things behind the back with the filesystem
> (apart from creating silly names which doesn't count here). The server
> partitions can in fact use any filesystem when using the NAMEI
> interface.
>
> Bye, Tino.
* Re: [OpenAFS] selinux afs domain v 0.2
From: Russell Coker @ 2003-03-17 22:05 UTC (permalink / raw)
To: forrest whitcher, openafs-info; +Cc: tino.schwarze, SELinux
On Mon, 17 Mar 2003 21:41, forrest whitcher wrote:
> I've run across a problem on an SEL-based fileserver that I've not seen or
> been able to replicate elsewhere.
>
> dmesg gives:
> Mar 16 23:25:24 thing kernel: attempt to access beyond end of device
> Mar 16 23:25:24 thing kernel: 09:01: rw=0, want=9630852, limit=9630848
> Mar 16 23:25:24 thing kernel: attempt to access beyond end of device
> Mar 16 23:25:24 thing kernel: 09:01: rw=0, want=9630856, limit=9630848
Those errors usually indicate file system corruption. They were reported
regularly during the early days of ReiserFS development, and they are still
reported occasionally.
> I can't think what would be particular to this instance .. SELinux does
> maintain the 'PSID' cache noted below and that is going to have the
> following affects:
SE Linux however uses higher level APIs to access that (i.e. it doesn't do any
of the disk access itself, it merely calls file system functions). This is
why it can operate on Ext2, Ext3, ReiserFS, and JFS without any problems.
Naturally a kernel bug in any module can (in theory at least) corrupt kernel
memory and cause a symptom in any other module. However I doubt that this is
the case here.
I suggest really seriously examining the file system and what it's doing, try
running fsck even if it doesn't seem necessary. Also try
"tar cf - . > /dev/null" on the file system to see if that can cause the error
to re-appear.
I believe that AFS servers run a regular file system such as Ext2 or Ext3 to
store the data. I suggest running the fsck program for that file system to
look for errors.