From: Petre Rodan <petre.rodan@ravantivirus.com>
To: Russell Coker <russell@coker.com.au>
Cc: Petre Rodan <petre.rodan@ravantivirus.com>,
	SELinux <selinux@tycho.nsa.gov>
Subject: Re: policies for DJ Bernstein tools
Date: Sat, 29 Nov 2003 15:21:11 +0200
Message-ID: <20031129132111.GA22741@peter.rav.local>
In-Reply-To: <200311292147.58963.russell@coker.com.au>

Thank you for your comments.

On Sat, Nov 29, 2003 at 09:47:58PM +1100, Russell Coker wrote:
> On Sat, 29 Nov 2003 03:46, Petre Rodan <petre.rodan@ravantivirus.com> wrote:
> > I have searched for selinux policies for daemontools, ucspi-tcp, publicfile
> > and clockspeed. Failing to find them meant that I should try to create them.
> > I'm not an expert in these matters, but I'm more than willing to try to
> > become one ;)
> 
> I have added your changes to qmail.te and qmail.fc to my tree, it'll be on my 
> site in a few minutes.  I have modified them slightly so you will want to 
> check that they still do what you require.  I removed the user_home_t label 
> for the qmail alias directory as I don't think that's an appropriate type.  
> Maybe etc_qmail_t will work.

According to Dave Sill's 'Life with qmail' install guide (the best one out there),
alias is a pseudo-user that gets the mails that did not have a valid recipient on the server.
I gave him user_home_t so he gets mail without other modifications done to qmail_local_t.

For details:
http://www.lifewithqmail.org/lwq.html#aliases

There is also a list manager called ezmlm (used on bugtraq, for instance) that creates
.qmail files and maildirs by default in ~alias (/var/qmail/alias). It then receives posts
in that location.

> What is clockspeed?

It's an SNTP client available here:
http://cr.yp.to/clockspeed.html

The big difference between clockspeed and ntpd is the number of exploits ...

> I don't think that we want mua in its current form.  It doesn't support 
> running a mua from a console login.  It allows entering mua_t from staff_t 
> and sysadm_t and allows writing to a pty from either.  This means that if you 
> can exploit the mua program (changing the $EDITOR variable appropriately 
> should do it) then someone as staff_r can read/write to the pty of sysadm_t, 
> this permits them to take over a sysadm_t session by inserting key strokes in 
> the buffer.

I understand, I will definitely rewrite that part somehow.
The reason I made this context is because I have a lot of scripts (either run 
through ssh or by crond_t) that send mail with attachments using mutt.

These scripts run in different contexts and I had to add to each of them a lot of 
qmail_inject- and qmail_queue-related rules.

I will check out if a domain_auto_trans to qmail_inject_t will do the trick.
I will also remove the mua.te and mua.fc from my selinux wishlist ;)

> Any time you have a single domain that can talk to the pty's from multiple 
> roles then it could be exploited to do some damage.  Currently we only allow 
> this for newrole_t, system_chkpwd_t, and passwd_t (all of which can break the 
> system entirely if they are exploited regardless of what we do).

Thanks for the tip.

> What is publicfile?  Some sort of ftp-like service?

It's a simple HTTP and FTP daemon with no known exploits until now.
It runs out of tcpserver or from initrc_t.

URL:
http://cr.yp.to/publicfile.html

> For the ucspi-tcp service, why does it have so much access to qmail files and 
> programs?  Why not just domain_auto_trans() to the appropriate qmail 
> domain(s)?

You are perfectly right. I made the change you requested; it is much cleaner this way.
Just download again http://team.rav.ro/peter/policy.tar.gz


> Also isn't ucspi-tcp conceptually another version of inetd?  If that is a 
> correct summary then perhaps the correct solution would be to macroise the 
> inetd policy to support multiple versions of inetd and consider ucspi-tcp 
> just another version of inetd (with a different set of ports that it is 
> permitted to bind to).

This would be a great idea, but I'm still making my way through Stephen's documentation
and his macros. I don't know if I will be able to make this macro stuff in the next 
few days.

> What is svc?

It's a great `service manipulator`; its features are covered in
http://cr.yp.to/daemontools/faq/create.html#why

I use it on 15 servers and all my Linux desktops. If one is not using them, well, he should ;)

It can supervise any daemon you can think of (ssh, apache, proftpd, tcpserver, squid, etc.).

> Finally it would make things a little easier to manage if you used the macros 
> more.  For example this:
> allow svc_t svc_svc_t:dir { add_name read remove_name search getattr write };
> Could be changed to this:
> allow svc_t svc_svc_t:dir rw_dir_perms;

Yes, reading those m4 macros is my number one priority.

> Using the macro makes it much easier to read the policy.  In this example the 
> macro also adds ioctl and lock access, but I don't think that this does any 
> harm with all the access that is already granted.  Similarly using can_exec() 
> makes things easier to read.

This is exactly why I'm somewhat afraid to use them.

Also please keep in mind that my fc files reflect the file locations given by
the Gentoo distro. If support for other distros (or the default file locations) is needed, 
please inform me, and I'll make the needed additions.

BTW,
do you use the cvs.sourceforge.net:/cvsroot/selinux repository?
Just to make sure we use the same source ...

Best regards and happy weekend,
peter


> -- 
> http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
> http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
> http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
> http://www.coker.com.au/~russell/  My home page
> 

-- 

Petre Rodan
Senior Network Engineer
GeCAD Software - RAV Division

----------------------------------------------------------------------
Tel/Fax: +40-21-321-7803
Hotline:  +40-21-321-7859

This message is confidential. It may also be privileged or otherwise 
protected by work product immunity or other legal rules. It may contain
personal views which are not the views of the GeCAD unless specifically
stated. 
If you have received it in error, please delete it from your system. 
Do not use, copy or disclose the information in any way nor act in 
reliance on it and notify the sender immediately.
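The point raised in the thread about permission macros (rewriting the literal svc_t rule as `rw_dir_perms` also grants ioctl and lock) is easy to check mechanically before committing to the macro. The following is an added example, not code from the thread or from the SELinux policy tree: it parses m4 `define()` permission macros and single-class `allow` rules, then reports what a macro-based rewrite adds or drops relative to the literal rule, and which macros cover a literal permission set with the fewest extras. The macro bodies in `CORE_MACROS` are a constructed sample in the shape of the example policy's macros/core_macros.te of that era; the exact sets are an assumption and should be checked against your own tree.

```python
import re

# Constructed sample: m4 permission macros in the shape of the SELinux
# example policy's macros/core_macros.te. The exact permission sets are
# an assumption here; compare them with the definitions in your own tree.
CORE_MACROS = """
define(`r_dir_perms', `{ read getattr lock search ioctl }')
define(`rw_dir_perms', `{ read getattr lock search ioctl add_name remove_name write }')
define(`r_file_perms', `{ read getattr lock ioctl }')
define(`rw_file_perms', `{ ioctl read getattr lock write append }')
"""

# define(`name', `{ perm perm ... }')
DEFINE_RE = re.compile(r"define\(`(\w+)',\s*`\{([^}]*)\}'\)")
# allow src tgt:class { perms } ;   or   allow src tgt:class macro ;
ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;\s*$")


def parse_macros(text):
    """Return {macro_name: frozenset(permissions)} from m4 define() lines."""
    return {name: frozenset(body.split()) for name, body in DEFINE_RE.findall(text)}


def parse_allow(rule, macros):
    """Split one allow rule into (source, target, class, frozenset(perms)),
    expanding a permission macro if one is used instead of a literal set."""
    m = ALLOW_RE.match(rule)
    if not m:
        raise ValueError("not a single-class allow rule: %r" % rule)
    src, tgt, cls, perms = m.groups()
    if perms.startswith("{"):
        pset = frozenset(perms.strip("{} ").split())
    elif perms in macros:
        pset = macros[perms]
    else:
        raise KeyError("unknown permission macro %r" % perms)
    return src, tgt, cls, pset


def macro_delta(explicit_rule, macro_rule, macros):
    """Compare a literal rule with its macro-based rewrite and report the
    permissions the macro silently adds or drops."""
    a = parse_allow(explicit_rule, macros)
    b = parse_allow(macro_rule, macros)
    if a[:3] != b[:3]:
        raise ValueError("rules differ in source, target or class")
    return {"added": sorted(b[3] - a[3]), "dropped": sorted(a[3] - b[3])}


def candidate_macros(perm_set, macros):
    """Macros that cover perm_set, tightest first, each paired with the
    extra permissions it would grant beyond the literal rule."""
    hits = [(name, sorted(body - perm_set))
            for name, body in macros.items() if perm_set <= body]
    return sorted(hits, key=lambda h: (len(h[1]), h[0]))


if __name__ == "__main__":
    macros = parse_macros(CORE_MACROS)
    literal = "allow svc_t svc_svc_t:dir { add_name read remove_name search getattr write };"
    rewritten = "allow svc_t svc_svc_t:dir rw_dir_perms;"
    print(macro_delta(literal, rewritten, macros))
    print(candidate_macros(parse_allow(literal, macros)[3], macros))
```

Running it on the svc_t rule from the thread reports `ioctl` and `lock` as the only additions and nothing dropped, which is the trade-off the reviewer describes; pointing `parse_macros` at the real core_macros.te instead of the constructed sample turns it into a quick audit of any literal-to-macro rewrite in a .te file.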
