* init.te
@ 2004-07-11 7:45 Russell Coker
2004-07-12 13:28 ` init.te Stephen Smalley
0 siblings, 1 reply; 2+ messages in thread
From: Russell Coker @ 2004-07-11 7:45 UTC (permalink / raw)
To: SE Linux
[-- Attachment #1: Type: text/plain, Size: 770 bytes --]
There should never be a sock_file or fifo_file object labelled as sbin_t or
bin_t, so there is no benefit in granting init_t such access.
I can't think of any reason for granting init_t access to exec_type (except
possibly a gross error in some other part of policy), and booting a rawhide
machine without such access does not give any audit messages.
I have drastically reduced the access of init_t to sbin_t, bin_t, and removed
access to exec_type, the patch is attached.
Steve, please put this in the CVS.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
[-- Attachment #2: init.diff --]
[-- Type: text/x-diff, Size: 1029 bytes --]
diff -ru /usr/src/se/policy/domains/program/init.te ./domains/program/init.te
--- /usr/src/se/policy/domains/program/init.te 2004-06-17 15:10:38.000000000 +1000
+++ ./domains/program/init.te 2004-07-11 17:37:09.000000000 +1000
@@ -70,11 +70,8 @@
allow init_t self:fifo_file rw_file_perms;
# Permissions required for system startup
-allow init_t bin_t:dir { read getattr lock search ioctl };
-allow init_t bin_t:{ file lnk_file sock_file fifo_file } { read getattr lock ioctl };
-allow init_t exec_type:{ file lnk_file } { read getattr lock ioctl };
-allow init_t sbin_t:dir { read getattr lock search ioctl };
-allow init_t sbin_t:{ file lnk_file sock_file fifo_file } { read getattr lock ioctl };
+allow init_t { bin_t sbin_t }:dir r_dir_perms;
+allow init_t { bin_t sbin_t }:{ file lnk_file } { read getattr lock ioctl };
# allow init to fork
allow init_t self:process { fork sigchld };
@@ -136,4 +133,4 @@
')
r_dir_file(init_t, sysfs_t)
-r_dir_file( init_t, selinux_config_t)
+r_dir_file(init_t, selinux_config_t)
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: init.te
2004-07-11 7:45 init.te Russell Coker
@ 2004-07-12 13:28 ` Stephen Smalley
0 siblings, 0 replies; 2+ messages in thread
From: Stephen Smalley @ 2004-07-12 13:28 UTC (permalink / raw)
To: Russell Coker; +Cc: SE Linux
On Sun, 2004-07-11 at 03:45, Russell Coker wrote:
> There should never be a sock_file or fifo_file object labelled as sbin_t or
> bin_t, so there is no benefit in granting init_t such access.
>
> I can't think of any reason for granting init_t access to exec_type (except
> possibly a gross error in some other part of policy), and booting a rawhide
> machine without such access does not give any audit messages.
>
> I have drastically reduced the access of init_t to sbin_t, bin_t, and removed
> access to exec_type, the patch is attached.
>
> Steve, please put this in the CVS.
Thanks, merged.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2004-07-12 13:28 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-07-11 7:45 init.te Russell Coker
2004-07-12 13:28 ` init.te Stephen Smalley
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.