* policies for DJ Bernstein tools
@ 2003-11-28 16:46 Petre Rodan
  2003-11-29 10:47 ` Russell Coker
  0 siblings, 1 reply; 6+ messages in thread
From: Petre Rodan @ 2003-11-28 16:46 UTC (permalink / raw)
  To: SELinux

Hi,

I have searched for selinux policies for daemontools, ucspi-tcp, publicfile and clockspeed.
Failing to find them meant that I should try to create them. I'm not an expert in these matters, but I'm more than willing to try to become one ;)

I would really like to see these policies in the '{domains/file_contexts}/program/unused' sf.net cvs repo, and if I can help make this true, I would be honored.

An early test version can be found here:

http://team.rav.ro/peter/policy.tar.gz

I'll update this package from time to time.

Feedback is more than welcome.

bye,
peter



* Re: policies for DJ Bernstein tools
  2003-11-28 16:46 policies for DJ Bernstein tools Petre Rodan
@ 2003-11-29 10:47 ` Russell Coker
  2003-11-29 12:03   ` Brian Hatch
  2003-11-29 13:21   ` Petre Rodan
  0 siblings, 2 replies; 6+ messages in thread
From: Russell Coker @ 2003-11-29 10:47 UTC (permalink / raw)
  To: Petre Rodan, SELinux

On Sat, 29 Nov 2003 03:46, Petre Rodan <petre.rodan@ravantivirus.com> wrote:
> I have searched for selinux policies for daemontools, ucspi-tcp, publicfile
> and clockspeed. Failing to find them meant that I should try to create them.
> I'm not an expert in these matters, but I'm more than willing to try to
> become one ;)

I have added your changes to qmail.te and qmail.fc to my tree, it'll be on my 
site in a few minutes.  I have modified them slightly so you will want to 
check that they still do what you require.  I removed the user_home_t label 
for the qmail alias directory as I don't think that's an appropriate type.  
Maybe etc_qmail_t will work.

What is clockspeed?

I don't think that we want mua in its current form.  It doesn't support 
running a mua from a console login.  It allows entering mua_t from staff_t 
and sysadm_t and allows writing to a pty from either.  This means that if you 
can exploit the mua program (changing the $EDITOR variable appropriately 
should do it) then someone as staff_r can read/write to the pty of sysadm_t, 
this permits them to take over a sysadm_t session by inserting key strokes in 
the buffer.

Any time you have a single domain that can talk to the ptys from multiple 
roles then it could be exploited to do some damage.  Currently we only allow 
this for newrole_t, system_chkpwd_t, and passwd_t (all of which can break the 
system entirely if they are exploited regardless of what we do).

What is publicfile?  Some sort of ftp-like service?

For the ucspi-tcp service, why does it have so much access to qmail files and 
programs?  Why not just domain_auto_trans() to the appropriate qmail 
domain(s)?

Also isn't ucspi-tcp conceptually another version of inetd?  If that is a 
correct summary then perhaps the correct solution would be to macroise the 
inetd policy to support multiple versions of inetd and consider ucspi-tcp 
just another version of inetd (with a different set of ports that it is 
permitted to bind to).

What is svc?


Finally it would make things a little easier to manage if you used the macros 
more.  For example this:
allow svc_t svc_svc_t:dir { add_name read remove_name search getattr write };
Could be changed to this:
allow svc_t svc_svc_t:dir rw_dir_perms;

Using the macro makes it much easier to read the policy.  In this example the 
macro also adds ioctl and lock access, but I don't think that this does any 
harm with all the access that is already granted.  Similarly using can_exec() 
makes things easier to read.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

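Added example, not part of the thread: a small Python checker that takes an explicit allow rule and its macro-based rewrite (the svc_t pair Russell quotes) and reports which permissions the macro grants beyond the explicit list, and which it would drop. The rw_dir_perms and r_dir_perms definitions below are constructed from memory of the old example policy and are an assumption, not copied from the page.

```python
import re

# Constructed macro table (assumption: modelled on the 2003-era example
# policy's core_macros.te; edit it to match the tree you are reviewing).
MACROS = {
    "rw_dir_perms": "{ read getattr lock search ioctl add_name remove_name write }",
    "r_dir_perms": "{ read getattr lock search ioctl }",
}

# allow <source> <target>:<class> <{ perm list } | single perm | macro name>;
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;\s*$"
)


def parse_perms(field, macros=MACROS):
    """Expand a permission field into the set of permission names it grants."""
    field = field.strip()
    if field in macros:          # bare macro name: substitute its definition
        field = macros[field]
    if field.startswith("{"):    # brace-delimited list
        return set(field.strip("{}").split())
    return {field}               # single permission


def parse_allow(line, macros=MACROS):
    """Parse one allow rule into its source, target, class and permission set."""
    m = ALLOW_RE.match(line)
    if not m:
        raise ValueError(f"not an allow rule: {line!r}")
    src, tgt, cls, perms = m.groups()
    return {"source": src, "target": tgt, "class": cls,
            "perms": parse_perms(perms, macros)}


def macro_diff(explicit_rule, macro_rule, macros=MACROS):
    """Compare an explicit rule with its macro rewrite.

    Returns (added, dropped): permissions the macro grants that the explicit
    rule did not (extra access to justify in review), and permissions the
    explicit rule had that the macro lacks (a regression, not a cleanup)."""
    a = parse_allow(explicit_rule, macros)
    b = parse_allow(macro_rule, macros)
    key = ("source", "target", "class")
    if tuple(a[k] for k in key) != tuple(b[k] for k in key):
        raise ValueError("rules do not describe the same source/target/class")
    return sorted(b["perms"] - a["perms"]), sorted(a["perms"] - b["perms"])


# The two rules from the mail.
EXPLICIT = "allow svc_t svc_svc_t:dir { add_name read remove_name search getattr write };"
MACRO = "allow svc_t svc_svc_t:dir rw_dir_perms;"

if __name__ == "__main__":
    added, dropped = macro_diff(EXPLICIT, MACRO)
    print("extra access granted by the macro:", added)    # ['ioctl', 'lock']
    print("access lost by switching to the macro:", dropped)  # []
```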

* Re: policies for DJ Bernstein tools
  2003-11-29 10:47 ` Russell Coker
@ 2003-11-29 12:03   ` Brian Hatch
  2003-11-29 13:21   ` Petre Rodan
  1 sibling, 0 replies; 6+ messages in thread
From: Brian Hatch @ 2003-11-29 12:03 UTC (permalink / raw)
  To: Russell Coker; +Cc: Petre Rodan, SELinux

> What is clockspeed?

clock skewer.  Think ntpd.

> What is publicfile?  Some sort of ftp-like service?

publicfile's ftpd is a chrooted read-only anonymous FTP server.
  (not pizza-thief enabled)

publicfile's httpd is a virtual-host-aware read-only
  (only GET/HEAD supported) chrooted HTTP server with
  no bangs or whistles.

> Also isn't ucspi-tcp conceptually another version of inetd?

tcpserver is like a single-port inetd.  ucspi-tcp also
includes tcpclient, which connects to a host and runs a
program to talk to the peer (reading/writing on fds 6/7, IIRC).
A few other helper programs are in there too, I think.

> correct summary then perhaps the correct solution would be to macroise the 
> inetd policy to support multiple versions of inetd and consider ucspi-tcp 
> just another version of inetd (with a different set of ports that it is 
> permitted to bind to).
> 
> What is svc?

used to start/stop/etc a service being monitored by supervise processes.

And, before you ask:

What's supervise?  Like a single-process init.  Watches/spawns only
one process.

Supervise processes are spawned by svscan. Svscan looks through /service
for symlinks that indicate supervise processes to be run.

IE svscan is akin to /sbin/init (with /service directory instead of
/etc/inittab), supervise is like a single-process-watching init,
and svc is used to start/stop those supervise processes, akin to
'vi /etc/inittab; kill -HUP 1'




--
Brian Hatch                  "You do not make history.
   Systems and                You can only hope to survive it."
   Security Engineer
http://www.ifokr.org/bri/

Every message PGP signed


* Re: policies for DJ Bernstein tools
  2003-11-29 10:47 ` Russell Coker
  2003-11-29 12:03   ` Brian Hatch
@ 2003-11-29 13:21   ` Petre Rodan
  2003-11-29 13:41     ` Russell Coker
  1 sibling, 1 reply; 6+ messages in thread
From: Petre Rodan @ 2003-11-29 13:21 UTC (permalink / raw)
  To: Russell Coker; +Cc: Petre Rodan, SELinux



thank you for your comments.

On Sat, Nov 29, 2003 at 09:47:58PM +1100, Russell Coker wrote:
> On Sat, 29 Nov 2003 03:46, Petre Rodan <petre.rodan@ravantivirus.com> wrote:
> > I have searched for selinux policies for daemontools, ucspi-tcp, publicfile
> > and clockspeed. Failing to find them meant that I should try to create them.
> > I'm not an expert in these matters, but I'm more than willing to try to
> > become one ;)
> 
> I have added your changes to qmail.te and qmail.fc to my tree, it'll be on my 
> site in a few minutes.  I have modified them slightly so you will want to 
> check that they still do what you require.  I removed the user_home_t label 
> for the qmail alias directory as I don't think that's an appropriate type.  
> Maybe etc_qmail_t will work.

according to Dave Sill's 'life with qmail' install guide (the best one out there)
alias is a pseudo-user that gets the mails that did not have a valid recipient on the server.
I gave it a user_home_t so it gets mail without other modifications done to qmail_local_t.

for details:
http://www.lifewithqmail.org/lwq.html#aliases

there is also a list manager, called ezmlm (used on bugtraq for instance) that creates
.qmail files and maildirs by default in ~alias (/var/qmail/alias). Then it will receive posts 
in that location.

> What is clockspeed?

it's a SNTP client available here:
http://cr.yp.to/clockspeed.html

the big difference between clockspeed and ntpd is the number of exploits ...

> I don't think that we want mua in its current form.  It doesn't support 
> running a mua from a console login.  It allows entering mua_t from staff_t 
> and sysadm_t and allows writing to a pty from either.  This means that if you 
> can exploit the mua program (changing the $EDITOR variable appropriately 
> should do it) then someone as staff_r can read/write to the pty of sysadm_t, 
> this permits them to take over a sysadm_t session by inserting key strokes in 
> the buffer.

I understand, I will definitely rewrite that part somehow.
The reason I made this context is because I have a lot of scripts (either run 
through ssh or by crond_t) that send mail with attachments using mutt.

These scripts run in different contexts and I had to add to each of them a lot of 
qmail_inject, qmail_queue related rules.

I will check out if a domain_auto_trans to qmail_inject_t will do the trick.
I will also remove the mua.te and mua.fc from my selinux wishlist ;)

> Any time you have a single domain that can talk to the pty's from multiple 
> roles then it could be exploited to do some damage.  Currently we only allow 
> this for newrole_t, system_chkpwd_t, and passwd_t (all of which can break the 
> system entirely if they are exploited regardless of what we do).

thanks for the tip.

> What is publicfile?  Some sort of ftp-like service?

it's a simple http and ftp daemon with no known exploits until now.
it runs out of tcpserver or from initrc_t.

URL:
http://cr.yp.to/publicfile.html

> For the ucspi-tcp service, why does it have so much access to qmail files and 
> programs?  Why not just domain_auto_trans() to the appropriate qmail 
> domain(s)?

you are perfectly right. I made the change you requested. much cleaner this way.
just download again http://team.rav.ro/peter/policy.tar.gz


> Also isn't ucspi-tcp conceptually another version of inetd?  If that is a 
> correct summary then perhaps the correct solution would be to macroise the 
> inetd policy to support multiple versions of inetd and consider ucspi-tcp 
> just another version of inetd (with a different set of ports that it is 
> permitted to bind to).

This would be a great idea, but I'm still making my way through Stephen's documentation
and his macros. I don't know if I will be able to make this macro stuff in the next 
few days.

> What is svc?

it's a great `service manipulator`. its features are covered in
http://cr.yp.to/daemontools/faq/create.html#why

I use it on 15 servers and all my linux desktops. if one is not using them, well, he should ;)

it can supervise any daemon you can think of (ssh, apache, proftpd, tcpserver, squid, etc).

> Finally it would make things a little easier to manage if you used the macros 
> more.  For example this:
> allow svc_t svc_svc_t:dir { add_name read remove_name search getattr write };
> Could be changed to this:
> allow svc_t svc_svc_t:dir rw_dir_perms;

yes, reading those m4 macros is my number one priority

> Using the macro makes it much easier to read the policy.  In this example the 
> macro also adds ioctl and lock access, but I don't think that this does any 
> harm with all the access that is already granted.  Similarly using can_exec() 
> makes things easier to read.

this is exactly why I'm somewhat afraid to use them.

also please keep in mind that my fc files reflect the file locations given by
the gentoo distro. if support for other distros (or default file locations) is needed, 
please inform me, and I'll make the needed additions.

BTW,
you use the cvs.sourceforge.net:/cvsroot/selinux repository?
just to make sure we use the same source ...

best regards and happy weekend,
peter



-- 

Petre Rodan
Senior Network Engineer
GeCAD Software - RAV Division

----------------------------------------------------------------------
Tel/Fax: +40-21-321-7803
Hotline:  +40-21-321-7859

This message is confidential. It may also be privileged or otherwise 
protected by work product immunity or other legal rules. It may contain
personal views which are not the views of the GeCAD unless specifically
stated. 
If you have received it in error, please delete it from your system. 
Do not use, copy or disclose the information in any way nor act in 
reliance on it and notify the sender immediately.


* Re: policies for DJ Bernstein tools
  2003-11-29 13:21   ` Petre Rodan
@ 2003-11-29 13:41     ` Russell Coker
  2003-11-29 14:06       ` Petre Rodan
  0 siblings, 1 reply; 6+ messages in thread
From: Russell Coker @ 2003-11-29 13:41 UTC (permalink / raw)
  To: Petre Rodan; +Cc: SELinux

On Sun, 30 Nov 2003 00:21, Petre Rodan <petre.rodan@ravantivirus.com> wrote:
> > I have added your changes to qmail.te and qmail.fc to my tree, it'll be
> > on my site in a few minutes.  I have modified them slightly so you will
> > want to check that they still do what you require.  I removed the
> > user_home_t label for the qmail alias directory as I don't think that's
> > an appropriate type. Maybe etc_qmail_t will work.
>
> according to Dave Sill's 'life with qmail' install guide (the best one out
> there) alias is a pseudo-user that gets the mails that did not have a valid
> recipient on the server. I gave it a user_home_t so it gets mail without
> other modifications done to qmail_local_t.

This will require more investigation.  However ~alias is different from a 
regular user home directory, and it seems unlikely that you would want user_r 
to write to it.  So therefore user_home_t seems like the wrong type for it.

We could create a new qmail_home_t type which has attributes home_type and 
user_home_type to allow qmail to access it.

> > What is clockspeed?
>
> it's a SNTP client available here:
> http://cr.yp.to/clockspeed.html
>
> the big difference between clockspeed and ntpd is the number of exploits
> ...

So why not have clockspeed run in ntpd_t?

> I understand, I will definitely rewrite that part somehow.
> The reason I made this context is because I have a lot of scripts (either
> run through ssh or by crond_t) that send mail with attachments using mutt.

Doesn't mutt just run "sendmail -t"?  If not why not?  If so then why doesn't 
it get staff_mail_t for the sendmail process?

> you use the cvs.sourceforge.net:/cvsroot/selinux repository?
> just to make sure we use the same source ...

I maintain my own policy tree based on the NSA release plus all patches that 
flow through this list and other sources.  It often varies significantly from 
the CVS, but at the moment there is not much difference.


* Re: policies for DJ Bernstein tools
  2003-11-29 13:41     ` Russell Coker
@ 2003-11-29 14:06       ` Petre Rodan
  0 siblings, 0 replies; 6+ messages in thread
From: Petre Rodan @ 2003-11-29 14:06 UTC (permalink / raw)
  To: Russell Coker; +Cc: Petre Rodan, SELinux


On Sun, Nov 30, 2003 at 12:41:15AM +1100, Russell Coker wrote:
> On Sun, 30 Nov 2003 00:21, Petre Rodan <petre.rodan@ravantivirus.com> wrote:
> > > I have added your changes to qmail.te and qmail.fc to my tree, it'll be
> > > on my site in a few minutes.  I have modified them slightly so you will
> > > want to check that they still do what you require.  I removed the
> > > user_home_t label for the qmail alias directory as I don't think that's
> > > an appropriate type. Maybe etc_qmail_t will work.
> >
> > according to Dave Sill's 'life with qmail' install guide (the best one out
> > there) alias is a pseudo-user that gets the mails that did not have a valid
> > recipient on the server. I gave it a user_home_t so it gets mail without
> > other modifications done to qmail_local_t.
> 
> This will require more investigation.  However ~alias is different from a 
> regular user home directory, and it seems unlikely that you would want user_r 
> to write to it.  So therefore user_home_t seems like the wrong type for it.
> 
> We could create a new qmail_home_t type which has attributes home_type and 
> user_home_type to allow qmail to access it.

qmail_home_t sounds just perfect to me.

my only requirement would be that sysadm_t should be able to have full access there.
ezmlm (http://www.ezmlm.org) has a lot of binaries that fool around with files in ~alias.
the manager of the list (usually sysadm_t) should be able to do his job inside
~alias without new policy rules. maybe it would be even simpler to make ~alias a
sysadm_home_t. just a thought.

> > > What is clockspeed?
> >
> > it's a SNTP client available here:
> > http://cr.yp.to/clockspeed.html
> >
> > the big difference between clockspeed and ntpd is the number of exploits
> > ...
> 
> So why not have clockspeed run in ntpd_t?

clockspeed uses some files (cs_atto_t, cs_etc_t) and a cs_adjust_t fifo that kinda 
make it unique (or maybe I am wrong?)

anyhow, I'm still investigating the usefulness of some of the rules I wrote.
the locations of some of the files should also be changed in the distro.
its addition should be postponed.

> > I understand, I will definitely rewrite that part somehow.
> > The reason I made this context is because I have a lot of scripts (either
> > run through ssh or by crond_t) that send mail with attachments using mutt.
> 
> Doesn't mutt just run "sendmail -t"?  If not why not?  If so then why doesn't 
> it get staff_mail_t for the sendmail process?

I use qmail on all my machines. it comes with a sendmail of its own located in 
/var/qmail/bin/sendmail. 
/usr/sbin/sendmail is a symlink to /var/qmail/bin/sendmail, and both are labeled as
system_u:object_r:bin_t
so there is no domain_auto_trans to staff_mail_t.

maybe we should label them the way sendmail is labeled on your machine and 
voila, no more problems.

> > you use the cvs.sourceforge.net:/cvsroot/selinux repository?
> > just to make sure we use the same source ...
> 
> I maintain my own policy tree based on the NSA release plus all patches that 
> flow through this list and other sources.  It often varies significantly from 
> the CVS, but at the moment there is not much difference.

ok, got that.

thanks for your help,
peter

