* policies for DJ Bernstein tools
From: Petre Rodan @ 2003-11-28 16:46 UTC
To: SELinux
Hi,
I have searched for selinux policies for daemontools, ucspi-tcp, publicfile and clockspeed.
Failing to find them meant that I should try to create them. I'm not an expert in these matters, but I'm more than willing to try to become one ;)
I would really like to see these policies in the '{domains/file_contexts}/program/unused' sf.net cvs repo, and if I can help make this true, I would be honored.
An early test version can be found here:
http://team.rav.ro/peter/policy.tar.gz
I'll update this package from time to time.
Feedback is more than welcome.
bye,
peter
* Re: policies for DJ Bernstein tools
From: Russell Coker @ 2003-11-29 10:47 UTC
To: Petre Rodan, SELinux

On Sat, 29 Nov 2003 03:46, Petre Rodan <petre.rodan@ravantivirus.com> wrote:
> I have searched for selinux policies for daemontools, ucspi-tcp, publicfile
> and clockspeed. Failing to find them meant that I should try to create them.
> I'm not an expert in these matters, but I'm more than willing to try to
> become one ;)

I have added your changes to qmail.te and qmail.fc to my tree, it'll be on my
site in a few minutes. I have modified them slightly so you will want to check
that they still do what you require. I removed the user_home_t label for the
qmail alias directory as I don't think that's an appropriate type. Maybe
etc_qmail_t will work.

What is clockspeed?

I don't think that we want mua in its current form. It doesn't support running
a mua from a console login. It allows entering mua_t from staff_t and sysadm_t
and allows writing to a pty from either. This means that if you can exploit the
mua program (changing the $EDITOR variable appropriately should do it) then
someone as staff_r can read/write to the pty of sysadm_t; this permits them to
take over a sysadm_t session by inserting key strokes in the buffer.

Any time you have a single domain that can talk to the ptys from multiple roles
then it could be exploited to do some damage. Currently we only allow this for
newrole_t, system_chkpwd_t, and passwd_t (all of which can break the system
entirely if they are exploited regardless of what we do).

What is publicfile? Some sort of ftp-like service?

For the ucspi-tcp service, why does it have so much access to qmail files and
programs? Why not just domain_auto_trans() to the appropriate qmail domain(s)?

Also isn't ucspi-tcp conceptually another version of inetd? If that is a
correct summary then perhaps the correct solution would be to macroise the
inetd policy to support multiple versions of inetd and consider ucspi-tcp just
another version of inetd (with a different set of ports that it is permitted to
bind to).

What is svc?

Finally it would make things a little easier to manage if you used the macros
more. For example this:

allow svc_t svc_svc_t:dir { add_name read remove_name search getattr write };

Could be changed to this:

allow svc_t svc_svc_t:dir rw_dir_perms;

Using the macro makes it much easier to read the policy. In this example the
macro also adds ioctl and lock access, but I don't think that this does any
harm with all the access that is already granted. Similarly using can_exec()
makes things easier to read.

-- 
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: policies for DJ Bernstein tools
From: Brian Hatch @ 2003-11-29 12:03 UTC
To: Russell Coker; +Cc: Petre Rodan, SELinux

> What is clockspeed?

clock skewer. Think ntpd.

> What is publicfile? Some sort of ftp-like service?

publicfile's ftpd is a chrooted read-only anonymous FTP server. (not
pizza-thief enabled)

publicfile's httpd is a virtual-host-aware read-only (only GET/HEAD supported)
chrooted HTTP server with no bangs or whistles.

> Also isn't ucspi-tcp conceptually another version of inetd?

tcpserver is like a single-port inetd. ucspi-tcp also includes tcpclient,
which connects to a host and runs a program to talk to the peer (reading and
writing on fds 6/7, IIRC). A few other helper programs are in there too, I
think.

> correct summary then perhaps the correct solution would be to macroise the
> inetd policy to support multiple versions of inetd and consider ucspi-tcp
> just another version of inetd (with a different set of ports that it is
> permitted to bind to).
>
> What is svc?

used to start/stop/etc a service being monitored by supervise processes.

And, before you ask: What's supervise? Like a single-process init.
Watches/spawns only one process. Supervise processes are spawned by svscan.
Svscan looks through /service for symlinks that indicate supervise processes
to be run.

IE svscan is akin to /sbin/init (with /service directory instead of
/etc/inittab), supervise is like a single-process-watching init, and svc is
used to start/stop those supervise processes, akin to 'vi /etc/inittab;
kill -HUP 1'

-- 
Brian Hatch                  "You do not make history.
 Systems and                  You can only hope to survive it."
 Security Engineer
http://www.ifokr.org/bri/

Every message PGP signed
* Re: policies for DJ Bernstein tools
From: Petre Rodan @ 2003-11-29 13:21 UTC
To: Russell Coker; +Cc: Petre Rodan, SELinux

thank you for your comments.

On Sat, Nov 29, 2003 at 09:47:58PM +1100, Russell Coker wrote:
> On Sat, 29 Nov 2003 03:46, Petre Rodan <petre.rodan@ravantivirus.com> wrote:
> > I have searched for selinux policies for daemontools, ucspi-tcp, publicfile
> > and clockspeed. Failing to find them meant that I should try to create them.
> > I'm not an expert in these matters, but I'm more than willing to try to
> > become one ;)
>
> I have added your changes to qmail.te and qmail.fc to my tree, it'll be on my
> site in a few minutes. I have modified them slightly so you will want to
> check that they still do what you require. I removed the user_home_t label
> for the qmail alias directory as I don't think that's an appropriate type.
> Maybe etc_qmail_t will work.

according to Dave Sill's 'life with qmail' install guide (the best one out
there) alias is a pseudo-user that gets the mails that did not have a valid
recipient on the server. I gave it a user_home_t so it gets mail without other
modifications done to qmail_local_t.

for details: http://www.lifewithqmail.org/lwq.html#aliases

there is also a list manager, called ezmlm (used on bugtraq for instance) that
creates .qmail files and maildirs by default in ~alias (/var/qmail/alias). Then
it will receive posts in that location.

> What is clockspeed?

it's a SNTP client available here:
http://cr.yp.to/clockspeed.html

the big difference between clockspeed and ntpd is the number of exploits ...

> I don't think that we want mua in its current form. It doesn't support
> running a mua from a console login. It allows entering mua_t from staff_t
> and sysadm_t and allows writing to a pty from either. This means that if you
> can exploit the mua program (changing the $EDITOR variable appropriately
> should do it) then someone as staff_r can read/write to the pty of sysadm_t,
> this permits them to take over a sysadm_t session by inserting key strokes in
> the buffer.

I understand, I will definitely rewrite that part somehow.
The reason I made this context is because I have a lot of scripts (either run
through ssh or by crond_t) that send mail with attachments using mutt. These
scripts run in different contexts and I had to add to each of them a lot of
qmail_inject, qmail_queue related rules. I will check out if a
domain_auto_trans to qmail_inject_t will do the trick.
I will also remove the mua.te and mua.fc from my selinux wishlist ;)

> Any time you have a single domain that can talk to the ptys from multiple
> roles then it could be exploited to do some damage. Currently we only allow
> this for newrole_t, system_chkpwd_t, and passwd_t (all of which can break the
> system entirely if they are exploited regardless of what we do).

thanks for the tip.

> What is publicfile? Some sort of ftp-like service?

it's a simple http and ftp daemon with no known exploits until now. it runs
out of tcpserver or from initrc_t.
URL: http://cr.yp.to/publicfile.html

> For the ucspi-tcp service, why does it have so much access to qmail files and
> programs? Why not just domain_auto_trans() to the appropriate qmail
> domain(s)?

you are perfectly right. I made the change you requested. much cleaner this
way. just download again http://team.rav.ro/peter/policy.tar.gz

> Also isn't ucspi-tcp conceptually another version of inetd? If that is a
> correct summary then perhaps the correct solution would be to macroise the
> inetd policy to support multiple versions of inetd and consider ucspi-tcp
> just another version of inetd (with a different set of ports that it is
> permitted to bind to).

This would be a great idea, but I'm still making my way through Stephen's
documentation and his macros. I don't know if I will be able to make this
macro stuff in the next few days.

> What is svc?

it's a great `service manipulator`. its features are covered in
http://cr.yp.to/daemontools/faq/create.html#why
i use it on 15 servers and all my linux desktops. if one is not using them,
well, he should ;)
it can supervise any daemon you can think of (ssh, apache, proftpd, tcpserver,
squid, etc).

> Finally it would make things a little easier to manage if you used the macros
> more. For example this:
> allow svc_t svc_svc_t:dir { add_name read remove_name search getattr write };
> Could be changed to this:
> allow svc_t svc_svc_t:dir rw_dir_perms;

yes, reading those m4 macros is my number one priority

> Using the macro makes it much easier to read the policy. In this example the
> macro also adds ioctl and lock access, but I don't think that this does any
> harm with all the access that is already granted. Similarly using can_exec()
> makes things easier to read.

this is exactly why i'm somewhat afraid to use them.

also please keep in mind that my fc files reflect the file locations given by
the gentoo distro. if support for other distro (or default file location) is
needed, please inform me, and I'll make the needed additions.

BTW, you use the cvs.sourceforge.net:/cvsroot/selinux repository?
just to make sure we use the same source ...

best regards and happy weekend,
peter

-- 
Petre Rodan
Senior Network Engineer
GeCAD Software - RAV Division
----------------------------------------------------------------------
Tel/Fax: +40-21-321-7803
Hotline: +40-21-321-7859

This message is confidential. It may also be privileged or otherwise protected
by work product immunity or other legal rules. It may contain personal views
which are not the views of the GeCAD unless specifically stated. If you have
received it in error, please delete it from your system. Do not use, copy or
disclose the information in any way nor act in reliance on it and notify the
sender immediately.
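Russell's suggestion to replace hand-written permission sets with the core_macros permission macros, and Peter's worry about what such a macro quietly grants on top of the original set, can both be checked mechanically before a policy is rebuilt. The following is an added example written for this page; it is not code from either poster, nor from the NSA example policy or Russell's tree. It assumes the macro definitions listed in the block: the contents of rw_dir_perms follow from what the thread says (it adds ioctl and lock over Peter's six permissions), while r_dir_perms, r_file_perms and rw_file_perms are reproduced from memory of macros/core_macros.te and should be checked against your own policy tree. The sample rules at the bottom are constructed for the example; the first of them is the rule quoted by Russell.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

# Permission-set macros from macros/core_macros.te in the 2003 NSA example
# policy. rw_dir_perms is confirmed by the thread (it adds ioctl and lock over
# the hand-written set); the other three are reproduced from memory of that
# file and should be verified against your own tree before you rely on them.
PERM_MACROS: Dict[str, Dict[str, Set[str]]] = {
    "dir": {
        "r_dir_perms": {"read", "getattr", "lock", "search", "ioctl"},
        "rw_dir_perms": {"read", "getattr", "lock", "search", "ioctl",
                         "add_name", "remove_name", "write"},
    },
    "file": {
        "r_file_perms": {"read", "getattr", "lock", "ioctl"},
        "rw_file_perms": {"ioctl", "read", "getattr", "lock", "write", "append"},
    },
}

# Matches:  allow <src> <tgt>:<class> { perm perm ... };   or   allow s t:c perm;
ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\S+)\s+"
    r"(?P<perms>\{[^}]*\}|[^\s;]+)\s*;\s*$"
)


class Finding(NamedTuple):
    original: str       # the allow rule as written in the .te file
    rewritten: str      # the same rule expressed with the macro
    macro: str          # macro name, e.g. rw_dir_perms
    extra: List[str]    # permissions the macro grants that the rule did not


def parse_allow(line: str) -> Optional[Tuple[str, str, str, Set[str]]]:
    """Split one allow rule into (src, tgt, class, perms); None for any other line."""
    m = ALLOW_RE.match(line)
    if m is None:
        return None
    perms = set(m.group("perms").strip("{}").split())
    return m.group("src"), m.group("tgt"), m.group("cls"), perms


def suggest_macro(cls: str, perms: Set[str]) -> Optional[Tuple[str, List[str]]]:
    """Pick the macro for this object class that covers perms with the fewest extras."""
    best = None
    for name, macro_perms in PERM_MACROS.get(cls, {}).items():
        if perms <= macro_perms:
            extra = sorted(macro_perms - perms)
            if best is None or len(extra) < len(best[1]):
                best = (name, extra)
    return best


def lint_policy(policy_text: str) -> List[Finding]:
    """One Finding per allow rule that a permission macro could replace.

    Rules already written with a macro, and rules no macro covers (for
    example a set containing rmdir), produce no finding.
    """
    findings: List[Finding] = []
    for line in policy_text.splitlines():
        parsed = parse_allow(line)
        if parsed is None:
            continue
        src, tgt, cls, perms = parsed
        if len(perms) == 1 and next(iter(perms)) in PERM_MACROS.get(cls, {}):
            continue  # already uses a macro
        suggestion = suggest_macro(cls, perms)
        if suggestion is None:
            continue  # no macro is a superset of this permission set
        macro, extra = suggestion
        findings.append(Finding(line.strip(), f"allow {src} {tgt}:{cls} {macro};", macro, extra))
    return findings


# Constructed sample policy fragment: Russell's quoted rule plus four variations.
SAMPLE_TE = """\
type svc_t, domain;
allow svc_t svc_svc_t:dir { add_name read remove_name search getattr write };
allow svc_t svc_svc_t:dir { search getattr };
allow svc_t svc_svc_t:dir { search getattr rmdir };
allow svc_t svc_svc_t:dir rw_dir_perms;
allow svc_t svc_svc_t:file { read getattr };
"""

if __name__ == "__main__":
    for f in lint_policy(SAMPLE_TE):
        print(f"{f.original}\n  -> {f.rewritten}")
        print(f"     macro additionally grants: {' '.join(f.extra) or '(nothing)'}")
```

Run against a real .te file the output is a list of candidate rewrites together with the exact permissions each macro would add, which is the information needed to decide, rule by rule, whether Russell's "does no harm with all the access already granted" holds or whether the hand-written set should stay as it is.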
* Re: policies for DJ Bernstein tools
From: Russell Coker @ 2003-11-29 13:41 UTC
To: Petre Rodan; +Cc: SELinux

On Sun, 30 Nov 2003 00:21, Petre Rodan <petre.rodan@ravantivirus.com> wrote:
> > I have added your changes to qmail.te and qmail.fc to my tree, it'll be
> > on my site in a few minutes. I have modified them slightly so you will
> > want to check that they still do what you require. I removed the
> > user_home_t label for the qmail alias directory as I don't think that's
> > an appropriate type. Maybe etc_qmail_t will work.
>
> according to Dave Sill's 'life with qmail' install guide (the best one out
> there) alias is a pseudo-user that gets the mails that did not have a valid
> recipient on the server. I gave it a user_home_t so it gets mail without
> other modifications done to qmail_local_t.

This will require more investigation. However ~alias is different from a
regular user home directory, and it seems unlikely that you would want user_r
to write to it. So therefore user_home_t seems like the wrong type for it.

We could create a new qmail_home_t type which has attributes home_type and
user_home_type to allow qmail to access it.

> > What is clockspeed?
>
> it's a SNTP client available here:
> http://cr.yp.to/clockspeed.html
>
> the big difference between clockspeed and ntpd is the number of exploits
> ...

So why not have clockspeed run in ntpd_t?

> I understand, I will definitely rewrite that part somehow.
> The reason I made this context is because I have a lot of scripts (either
> run through ssh or by crond_t) that send mail with attachments using mutt.

Doesn't mutt just run "sendmail -t"? If not why not? If so then why doesn't
it get staff_mail_t for the sendmail process?

> you use the cvs.sourceforge.net:/cvsroot/selinux repository?
> just to make sure we use the same source ...

I maintain my own policy tree based on the NSA release plus all patches that
flow through this list and other sources. It often varies significantly from
the CVS, but at the moment there is not much difference.
* Re: policies for DJ Bernstein tools
From: Petre Rodan @ 2003-11-29 14:06 UTC
To: Russell Coker; +Cc: Petre Rodan, SELinux

On Sun, Nov 30, 2003 at 12:41:15AM +1100, Russell Coker wrote:
> On Sun, 30 Nov 2003 00:21, Petre Rodan <petre.rodan@ravantivirus.com> wrote:
> > > I have added your changes to qmail.te and qmail.fc to my tree, it'll be
> > > on my site in a few minutes. I have modified them slightly so you will
> > > want to check that they still do what you require. I removed the
> > > user_home_t label for the qmail alias directory as I don't think that's
> > > an appropriate type. Maybe etc_qmail_t will work.
> >
> > according to Dave Sill's 'life with qmail' install guide (the best one out
> > there) alias is a pseudo-user that gets the mails that did not have a valid
> > recipient on the server. I gave it a user_home_t so it gets mail without
> > other modifications done to qmail_local_t.
>
> This will require more investigation. However ~alias is different from a
> regular user home directory, and it seems unlikely that you would want user_r
> to write to it. So therefore user_home_t seems like the wrong type for it.
>
> We could create a new qmail_home_t type which has attributes home_type and
> user_home_type to allow qmail to access it.

qmail_home_t sounds just perfect to me. my only requirement would be that
sysadm_t should be able to have full access there. ezmlm (http://www.ezmlm.org)
has a lot of binaries that fool around with files in ~alias. the manager of the
list (usually sysadm_t) should be able to do his job inside ~alias without new
policy rules.

maybe it would be even simpler to make ~alias a sysadm_home_t. just a thought.

> > > What is clockspeed?
> >
> > it's a SNTP client available here:
> > http://cr.yp.to/clockspeed.html
> >
> > the big difference between clockspeed and ntpd is the number of exploits
> > ...
>
> So why not have clockspeed run in ntpd_t?

clockspeed uses some files (cs_atto_t, cs_etc_t) and a cs_adjust_t fifo that
kinda makes it unique (or maybe I am wrong?)

anyhow, I'm still investigating the usefulness of some of the rules i wrote.
the locations of some of the files should be also changed in the distro. its
addition should be postponed.

> > I understand, I will definitely rewrite that part somehow.
> > The reason I made this context is because I have a lot of scripts (either
> > run through ssh or by crond_t) that send mail with attachments using mutt.
>
> Doesn't mutt just run "sendmail -t"? If not why not? If so then why doesn't
> it get staff_mail_t for the sendmail process?

i use qmail on all my machines. it comes with a sendmail of its own located in
/var/qmail/bin/sendmail. /usr/sbin/sendmail is a symlink to
/var/qmail/bin/sendmail, and both are labeled as system_u:object_r:bin_t so
there is no domain_auto_trans to staff_mail_t.
maybe we should label them the way sendmail is labeled on your machine and
voila, no more problems.

> > you use the cvs.sourceforge.net:/cvsroot/selinux repository?
> > just to make sure we use the same source ...
>
> I maintain my own policy tree based on the NSA release plus all patches that
> flow through this list and other sources. It often varies significantly from
> the CVS, but at the moment there is not much difference.

ok, got that.

thanks for your help,
peter