* selinux afs domain v 0.2
@ 2003-01-21 1:07 forrest whitcher
2003-01-21 2:01 ` Russell Coker
[not found] ` <20030121094847.A6403@informatik.tu-chemnitz.de>
0 siblings, 2 replies; 4+ messages in thread
From: forrest whitcher @ 2003-01-21 1:07 UTC (permalink / raw)
To: selinux; +Cc: openafs-info
[-- Attachment #1: Type: text/plain, Size: 2316 bytes --]
With thanks to Russell Coker, I've got an improved - doubtless still far
from perfect - policy for afs client operation.
I've attached from /etc/security/selinux/src/policy
domains/program/afsd.te # the bulk of the policy
file_contexts/program/afsd.fc # define the /usr/sbin/afsd type
types/afs.te # provide policy distinctions for /afs
# and local / non-local domains
Additionally, note the following changes:
genfs_contexts # provides labeling to non-PSID filesystems
# afs
genfscon afs / system_u:object_r:afs_t
# local afs files (httpd_t is not allowed outside this)
genfscon afs /afsdomain.org.dom system_u:object_r:afs_loc_t
# (e.g.) a place where trusted binaries might reside
genfscon afs /afsdomain.org.dom/usr/local/bin system_u:object_r:afs_loc_tbin_t
-----
domains/program/mount.te #added:
allow mount_t kernel_t:process { sigkill };
# when /afs is unmounted I assume VFS is providing the magic for the kill to
# be sent to afsd. Would it be better (possible?) to limit this to only killing
# the afsd_t process?
-----
types/file.te: #afsd needs to write /usr/etc/openafs/AFSLog
# usr_etc_log_t is created primarily for afsd which
# wants to keep a log in /usr/etc/openafs
type usr_etc_log_t, file_type, sysadmfile;
------
Fixes vs. prior email.
usr_etc_log_t type removes error allowing afsd write-permission to most of /etc
Having corrected the policy (using every_domain() macro) the incorrect initrc.te
hack is now fixed.
Added exemplar site-specific types and policy enforcements for local and remote
afs data.
Next steps:
1. Running volume location and fileserver under the selinux kernel.
The creation of the .../security directory and the included inode index files
has a fairly high chance of breaking the fileserver volume operation.
Afs volume partitions on linux are in ext2fs but must never be treated
as regular filesystems, and fsck will destroy the volume data.
2. Possible generation of a policy for AFS tokens stored in kernel memory.
Currently all selinux roles will have the same access to the afs tokens. This
is workable but providing a TE policy might be useful.
[-- Attachment #2: afsd.te --]
[-- Type: application/octet-stream, Size: 3454 bytes --]
# Domain for afsd executable
#
# Author: Forrest Whitcher <fw@fwsystems.com>
#
# Copyright 2002, 2003 FW Systems llc
# All Rights Reserved.
#
type afsd_t, domain, privlog;
role system_r types afsd_t;
every_domain(afsd_t)
type afsd_exec_t, file_type, sysadmfile,exec_type;
domain_auto_trans(initrc_t, afsd_exec_t, afsd_t)
allow afsd_t root_t:dir mounton;
allow afsd_t afs_t:filesystem { mount };
allow afsd_t kernel_t:process { sigkill };
allow kernel_t afsd_t:udp_socket { read write };
allow afsd_t afsd_t:capability { sys_admin sys_nice };
allow afsd_t afsd_t:process { fork setsched };
allow afsd_t afsd_t:udp_socket { create ioctl write };
allow afsd_t any_socket_t:udp_socket { sendto };
allow afsd_t etc_runtime_t:file { append getattr read };
allow afsd_t etc_t:dir { search };
allow afsd_t etc_t:file { getattr read };
allow afsd_t usr_etc_log_t:file { getattr read write };
allow afsd_t fs_t:filesystem { getattr };
allow afsd_t ld_so_cache_t:file { getattr read };
allow afsd_t lib_t:dir { search };
allow afsd_t netif_eth0_t:netif { udp_send };
allow afsd_t netmsg_eth0_t:udp_socket { recvfrom };
allow afsd_t newrole_t:fd { use };
allow afsd_t node_t:node { udp_send };
allow afsd_t root_t:dir { search };
allow afsd_t shlib_t:file { execute getattr read };
allow afsd_t shlib_t:lnk_file { read };
allow afsd_t sysadm_tty_device_t:chr_file { getattr ioctl read write };
allow afsd_t sysadm_tmp_t:dir { create setattr getattr read search };
allow afsd_t sysadm_tmp_t:file { create };
allow afsd_t tmp_t:dir { search };
allow afsd_t usr_t:dir { search };
#
# required to give any access to users
#
allow sysadm_t afsd_t:udp_socket { write };
allow user_t afsd_t:udp_socket { write };
allow httpd_t afsd_t:udp_socket { write };
#
# required for full client access
#
allow user_t afs_t:dir { getattr search read write};
allow user_t afs_t:file { read write setattr getattr execute execute_no_trans };
allow user_t afs_t:lnk_file { read write setattr getattr };
allow user_t afs_t:udp_socket { read write };
allow user_t afs_loc_t:dir { getattr search read write};
allow user_t afs_loc_t:file { read write setattr getattr execute execute_no_trans };
allow user_t afs_loc_t:lnk_file { read write setattr getattr };
allow user_t afs_loc_t:udp_socket { read write };
allow user_t afs_loc_tbin_t:dir { getattr search read write};
allow user_t afs_loc_tbin_t:file { read write setattr getattr execute execute_no_trans };
allow user_t afs_loc_tbin_t:lnk_file { read write setattr getattr };
allow user_t afs_loc_tbin_t:udp_socket { read write };
allow httpd_t afs_t:dir { getattr search read };
allow httpd_t afs_t:lnk_file { read write setattr getattr };
allow httpd_t afs_t:udp_socket { read write };
allow httpd_t afs_loc_t:dir { getattr search read write};
allow httpd_t afs_loc_t:file { read write setattr getattr execute execute_no_trans };
allow httpd_t afs_loc_t:lnk_file { read write setattr getattr };
allow httpd_t afs_loc_t:udp_socket { read write };
allow sysadm_t afs_t:dir { getattr search read };
allow sysadm_t afs_t:lnk_file { read write setattr getattr };
allow sysadm_t afs_t:udp_socket { read write };
allow sysadm_t afs_loc_t:dir { getattr search read write};
allow sysadm_t afs_loc_t:file { read write setattr getattr };
allow sysadm_t afs_loc_t:lnk_file { read write setattr getattr };
allow sysadm_t afs_loc_t:udp_socket { read write };
allow sysadm_t afs_loc_tbin_t:file { execute execute_no_trans };
[-- Attachment #3: afsd.fc --]
[-- Type: application/octet-stream, Size: 63 bytes --]
# afsd
/usr/sbin/afsd system_u:object_r:afsd_exec_t
[-- Attachment #4: afs.te --]
[-- Type: application/octet-stream, Size: 462 bytes --]
#
# Author: Forrest Whitcher <fw@fwsystems.com>
#
###########################################
#
# afs types
# copied slavishly from nfs.te
#
type afs_t, fs_type, root_dir_type;
type afs_loc_t, file_type, sysadmfile;
type afs_loc_tbin_t, file_type, sysadmfile;
#
# Allow AFS files to be associated with an AFS file system.
#
allow afs_t afs_t:filesystem associate;
allow afs_loc_t afs_t:filesystem associate;
allow afs_loc_tbin_t afs_t:filesystem associate;
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: selinux afs domain v 0.2
2003-01-21 1:07 selinux afs domain v 0.2 forrest whitcher
@ 2003-01-21 2:01 ` Russell Coker
[not found] ` <20030121094847.A6403@informatik.tu-chemnitz.de>
1 sibling, 0 replies; 4+ messages in thread
From: Russell Coker @ 2003-01-21 2:01 UTC (permalink / raw)
To: forrest whitcher, selinux; +Cc: openafs-info
On Tue, 21 Jan 2003 02:07, forrest whitcher wrote:
> types/file.te: #afsd needs to write
> /usr/etc/openafs/AFSLog
>
> # usr_etc_log_t is created primarily for afsd which
> # wants to keep a log in /usr/etc/openafs
>
> type usr_etc_log_t, file_type, sysadmfile;
This is a really bad name.
Firstly your AFS package is broken. It should not put logs under an "etc"
directory, and even having /usr/etc is bad enough. I suggest recompiling
your AFS to put the logs in /var/log/afs* .
Then just do:
log_domain(afsd)
Also look at the rw_dir_create_file() macro and the use of { type types ... }
for specifying the types of files and directories, using those methods you
can significantly reduce the size of your policy file without changing the
result.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 4+ messages in thread[parent not found: <20030121094847.A6403@informatik.tu-chemnitz.de>]
* Re: [OpenAFS] selinux afs domain v 0.2
[not found] ` <20030121094847.A6403@informatik.tu-chemnitz.de>
@ 2003-03-17 20:41 ` forrest whitcher
2003-03-17 22:05 ` Russell Coker
0 siblings, 1 reply; 4+ messages in thread
From: forrest whitcher @ 2003-03-17 20:41 UTC (permalink / raw)
To: openafs-info; +Cc: tino.schwarze, SELinux
I've run across a problem on an SEL-based filserver that I've not seen or
been able to replicate elsewhere.
kernel 2.4.19 w/ nsa selinux patches
openafs-1.2.8
/vicepb is a software-raid-1 disk / ext2 (9 gb filesystem)
When this volume got to about 90% of capacity I started getting read errors,
indicating 'no space left on device' Interesting, as I was trying to read
the files, not write.
dmesg gives:
Mar 16 23:25:24 thing kernel: attempt to access beyond end of device
Mar 16 23:25:24 thing kernel: 09:01: rw=0, want=9630852, limit=9630848
Mar 16 23:25:24 thing kernel: attempt to access beyond end of device
Mar 16 23:25:24 thing kernel: 09:01: rw=0, want=9630856, limit=9630848
I can't think what would be particular to this instance .. SELinux does
maintain the 'PSID' cache noted below and that is going to have the
following affects:
Uses some indoes .../security contains:
-rw------- 1 root root 76 Jan 24 13:06 contexts
-rw------- 1 root root 36 Jan 24 13:06 index
-rw------- 1 root root 3648524 Mar 17 14:19 inodes
which isn't using a lot of space, so I'm not at all sure why I'm running
out with about a gig of space free in this 9g fs.
I think I'll ad an additional test on an available (raid) fs and
see what happens when it fills.
Questions in ref to the use of NAMEI
1. does this mean I now can fsck? ... that I should fsck?
2. So I could be using ext3 or jfs ... journaled filesystems? and
would there be any advantage in doing so?
forrest
On Tue, 21 Jan 2003 09:48:47 +0100 (unchecked - local sync NTPstrat4)
tino.schwarze@informatik.tu-chemnitz.de (Tino Schwarze) did inscribe thusly:
> On Mon, Jan 20, 2003 at 08:07:18PM -0500, forrest whitcher wrote:
>
> > 1. Running volume location and fileserver under the selinux kernel.
> >
> > The creation of the .../security directory and the included inode index files
> > has a fairly high chance of breaking the fileserver volume operation.
> >
> > Afs volume partitions on linux are in ext2fs but must never be treated
> > as regular filesystems, and fsck will destroy the volume data.
>
> This is not true anymore. The Linux fileserver uses the NAMEI interface
> and does not do any fancy things behind the back with the filesystem
> (apart from creating silly names which doesn't count here). The server
> partitions can in fact use any filesystem when using the NAMEI
> interface.
>
> Bye, Tino.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [OpenAFS] selinux afs domain v 0.2
2003-03-17 20:41 ` [OpenAFS] " forrest whitcher
@ 2003-03-17 22:05 ` Russell Coker
0 siblings, 0 replies; 4+ messages in thread
From: Russell Coker @ 2003-03-17 22:05 UTC (permalink / raw)
To: forrest whitcher, openafs-info; +Cc: tino.schwarze, SELinux
On Mon, 17 Mar 2003 21:41, forrest whitcher wrote:
> I've run across a problem on an SEL-based filserver that I've not seen or
> been able to replicate elsewhere.
>
> dmesg gives:
> Mar 16 23:25:24 thing kernel: attempt to access beyond end of device
> Mar 16 23:25:24 thing kernel: 09:01: rw=0, want=9630852, limit=9630848
> Mar 16 23:25:24 thing kernel: attempt to access beyond end of device
> Mar 16 23:25:24 thing kernel: 09:01: rw=0, want=9630856, limit=9630848
Those errors usually indicate file system corruption. They were reported
regularly during the early days of ReiserFS development, and they are still
reported occasionally.
> I can't think what would be particular to this instance .. SELinux does
> maintain the 'PSID' cache noted below and that is going to have the
> following affects:
SE Linux however uses higher level apis to access that (IE it doesn't do any
of the disk access itself, it merely calls file system functions). This is
why it can operate on Ext2, Ext3, ReiserFS, and JFS without any problems.
Naturally a kernel bug in any module can (in theory at least) corrupt kernel
memory and cause a symptom in any other module. However I doubt that this is
the case here.
I suggest really seriously examining the file system and what it's doing, try
running fsck even if it doesn't seem necessary. Also try
"tar cf - . > /dev/null" on the file system to see if that can cause the error
to re-appear.
I believe that AFS servers run a regular file system such as Ext2 or Ext3 to
store the data. I suggest running the fsck program for that file system to
look for errors.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2003-03-17 22:05 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2003-01-21 1:07 selinux afs domain v 0.2 forrest whitcher
2003-01-21 2:01 ` Russell Coker
[not found] ` <20030121094847.A6403@informatik.tu-chemnitz.de>
2003-03-17 20:41 ` [OpenAFS] " forrest whitcher
2003-03-17 22:05 ` Russell Coker
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.