* policy to allow upgrade of nfs-utils
From: Russell Coker @ 2004-07-08 3:19 UTC (permalink / raw)
To: SE Linux
The attached policy patch is needed to allow nfs-utils to be upgraded to the
latest version on a rawhide system.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
diff -ru policy/domains/program/unused/rpcd.te ./domains/program/unused/rpcd.te
--- policy/domains/program/unused/rpcd.te 2004-06-17 15:10:40.000000000 +1000
+++ ./domains/program/unused/rpcd.te 2004-07-08 13:15:55.000000000 +1000
@@ -51,6 +51,8 @@
ifdef(`rpm.te', `
allow rpcd_t self:capability { chown dac_override setgid setuid };
+# for /etc/rc.d/init.d/nfs to create /etc/exports
+allow initrc_t etc_t:file rw_file_perms;
')
allow rpcd_t self:file { getattr read };
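Review bot: the added rule "allow initrc_t etc_t:file rw_file_perms;" grants initrc_t read and write on every etc_t file, not only /etc/exports, and it lives inside the ifdef(`rpm.te') block of rpcd.te although the comment justifies it by the nfs init script, not by rpm, so a build without rpm.te silently loses it while a build with it gets far more than the script needs. A dedicated type for /etc/exports with a rule scoped to that type would be the narrower fix; the comment also says the script "creates" the file, but rw_file_perms does not include create, so either the comment or the permission set should be corrected.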
diff -ru policy/domains/program/unused/rpm.te ./domains/program/unused/rpm.te
--- policy/domains/program/unused/rpm.te 2004-07-08 13:09:34.000000000 +1000
+++ ./domains/program/unused/rpm.te 2004-07-08 13:11:32.000000000 +1000
@@ -69,6 +69,9 @@
# for a bug in rm
dontaudit initrc_t pidfile:file write;
+# bash tries to access a block device in the initrd
+dontaudit initrc_t unlabeled_t:blk_file getattr;
+
# bash tries ioctl for some reason
dontaudit initrc_t pidfile:file ioctl;
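Review bot: "dontaudit initrc_t unlabeled_t:blk_file getattr;" suppresses the denial for any unlabeled block device initrc_t stats, not only the initrd case named in the comment, so a genuinely mislabelled device node under initrc_t would no longer appear in the audit log. If the initrd contents can be labelled the denial goes away without hiding anything; if not, the comment should record that the rule is wider than "bash in the initrd".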
@@ -93,7 +96,9 @@
allow rpm_t sysfs_t:filesystem getattr;
allow rpm_t tmpfs_t:filesystem getattr;
dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
-allow rpm_t fs_type:dir getattr;
+# needs rw permission to the directory for an rpm package that includes a mount
+# point
+allow rpm_t fs_type:dir { setattr rw_dir_perms };
allow rpm_t fs_type:filesystem getattr;
# allow compiling and loading new policy
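Review bot: changing "allow rpm_t fs_type:dir getattr;" to "{ setattr rw_dir_perms }" takes rpm_t from stat-only to adding and removing names and changing attributes on directories of every filesystem type carrying the fs_type attribute, including the sysfs_t and tmpfs_t filesystems that the surrounding context only lets it getattr. The comment justifies this with a single package that ships a mount point; record which filesystem type that mount point actually sits on and grant the write permissions on that type rather than on all of fs_type.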
* Re: policy to allow upgrade of nfs-utils
From: Stephen Smalley @ 2004-07-08 13:14 UTC (permalink / raw)
To: Russell Coker; +Cc: SE Linux
On Wed, 2004-07-07 at 23:19, Russell Coker wrote:
> The attached policy patch is needed to allow nfs-utils to be upgraded to the
> latest version on a rawhide system.
Should /etc/exports get its own type?
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: policy to allow upgrade of nfs-utils
From: Russell Coker @ 2004-07-09 12:52 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SE Linux
On Thu, 8 Jul 2004 23:14, Stephen Smalley <sds@epoch.ncsc.mil> wrote:
> On Wed, 2004-07-07 at 23:19, Russell Coker wrote:
> > The attached policy patch is needed to allow nfs-utils to be upgraded to
> > the latest version on a rawhide system.
>
> Should /etc/exports get its own type?
I guess so. nfsd_etc_t or exports_t?
* Re: policy to allow upgrade of nfs-utils
From: Stephen Smalley @ 2004-07-09 16:53 UTC (permalink / raw)
To: Russell Coker; +Cc: SE Linux
On Fri, 2004-07-09 at 08:52, Russell Coker wrote:
> On Thu, 8 Jul 2004 23:14, Stephen Smalley <sds@epoch.ncsc.mil> wrote:
> > On Wed, 2004-07-07 at 23:19, Russell Coker wrote:
> > > The attached policy patch is needed to allow nfs-utils to be upgraded to
> > > the latest version on a rawhide system.
> >
> > Should /etc/exports get its own type?
>
> I guess so. nfsd_etc_t or exports_t?
Doesn't matter to me, but it could be problematic to preserve the type
on the file, given that it is directly edited. But directly allowing
initrc_t to write to etc_t violates an assertion (unless you have
unlimitedServices enabled, which renders the allow rule duplicative
anyway).
* Re: policy to allow upgrade of nfs-utils
From: Russell Coker @ 2004-07-11 9:04 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SE Linux
On Sat, 10 Jul 2004 02:53, Stephen Smalley <sds@epoch.ncsc.mil> wrote:
> On Fri, 2004-07-09 at 08:52, Russell Coker wrote:
> > On Thu, 8 Jul 2004 23:14, Stephen Smalley <sds@epoch.ncsc.mil> wrote:
> > > On Wed, 2004-07-07 at 23:19, Russell Coker wrote:
> > > > The attached policy patch is needed to allow nfs-utils to be upgraded
> > > > to the latest version on a rawhide system.
> > >
> > > Should /etc/exports get its own type?
> >
> > I guess so. nfsd_etc_t or exports_t?
>
> Doesn't matter to me, but it could be problematic to preserve the type
> on the file, given that it is directly edited.
A patched version of vi should solve that. In any case, if the file gets etc_t
then it is just readable to everyone, which isn't so bad. The only potential
problem is if you edit the file with an unpatched editor and delete all
content, so that initrc_t will want to append "#" to it.
What do you think of the attached patch?
diff -ru /usr/src/se/policy/domains/program/unused/rpcd.te ./domains/program/unused/rpcd.te
--- /usr/src/se/policy/domains/program/unused/rpcd.te 2004-07-11 17:37:11.000000000 +1000
+++ ./domains/program/unused/rpcd.te 2004-07-11 17:04:51.000000000 +1000
@@ -23,6 +23,8 @@
allow $1_t var_lib_nfs_t:file create_file_perms;
')
+type exports_t, file_type, sysadmfile;
+
# rpcd_t is the domain of rpc daemons.
# rpcd_exec_t is the type of rpc daemon programs.
#
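Review bot: "type exports_t, file_type, sysadmfile;" declares the new type but nothing in this hunk lets the daemons that consume /etc/exports read it, and moving the file out of etc_t removes whatever read access those domains had through etc_t, so the relabel will break them until a read rule is added. The declaration also sits between the end of an m4 macro body and the rpcd_t comment block; a one-line comment saying what exports_t labels would help the next reader.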
@@ -51,6 +53,8 @@
ifdef(`rpm.te', `
allow rpcd_t self:capability { chown dac_override setgid setuid };
+# for /etc/rc.d/init.d/nfs to create /etc/exports
+allow initrc_t exports_t:file rw_file_perms;
')
allow rpcd_t self:file { getattr read };
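Review bot: the comment says the init script needs to "create /etc/exports", but "rw_file_perms" does not include create, so the rule as written cannot satisfy that description; if the script only appends to an existing file, "append" is the tighter grant and the comment should say so. The rule is also still inside ifdef(`rpm.te'), which ties an init-script permission to whether the rpm policy is built.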
diff -ru /usr/src/se/policy/file_contexts/program/rpcd.fc ./file_contexts/program/rpcd.fc
--- /usr/src/se/policy/file_contexts/program/rpcd.fc 2004-01-24 12:15:53.000000000 +1100
+++ ./file_contexts/program/rpcd.fc 2004-07-11 17:05:33.000000000 +1000
@@ -6,3 +6,4 @@
/usr/sbin/rpc\.mountd -- system_u:object_r:nfsd_exec_t
/var/run/rpc.statd.pid -- system_u:object_r:rpcd_var_run_t
/var/run/rpc.statd(/.*)? system_u:object_r:rpcd_var_run_t
+/etc/exports -- system_u:object_r:exports_t
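Review bot: the new "/etc/exports -- system_u:object_r:exports_t" entry only labels the file once it is relabelled (setfiles or restorecon); an existing /etc/exports keeps etc_t until then, and a file rewritten by an editor that replaces rather than edits in place gets the default label of its parent directory, which is the type-preservation problem raised earlier in the thread. The "--" field correctly limits the entry to regular files; a note in the commit or the .fc file that /etc/exports must be relabelled after such edits would save an unexplained denial later.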
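The rpcd.fc hunk above adds an entry in the file_contexts format: a path regex, an optional inode-type field ("--" for regular files only) and a security context, with later entries overriding earlier ones. The following is an added example, not code from the thread or from the SELinux reference policy: a small matcher that parses those entries and resolves a path plus inode type to a context, so the effect of the "--" field and of the "(/.*)?" suffix can be checked offline. The sample entries are the three quoted in the hunk plus the new /etc/exports line; the "/etc(/.*)?" catch-all is an assumption standing in for the generic /etc entry that lives elsewhere in the real policy. The matcher applies plain last-match-wins; libselinux additionally orders entries by stem specificity, which this simplification does not reproduce.

```python
"""Resolve SELinux file_contexts entries for a path (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the file_contexts format used by rpcd.fc.
# The /etc(/.*)? line is an ASSUMED catch-all so lookups can fall
# through to etc_t; the other four lines mirror the patch context.
SAMPLE_FC = """\
# path regex             type   context
/etc(/.*)?                      system_u:object_r:etc_t
/usr/sbin/rpc\\.mountd   --     system_u:object_r:nfsd_exec_t
/var/run/rpc.statd.pid  --     system_u:object_r:rpcd_var_run_t
/var/run/rpc.statd(/.*)?       system_u:object_r:rpcd_var_run_t
/etc/exports            --     system_u:object_r:exports_t
"""

# The optional second field restricts an entry to one kind of inode.
FILE_TYPE_CODES = {
    "--": "file", "-d": "dir", "-l": "symlink", "-c": "chr_file",
    "-b": "blk_file", "-s": "sock_file", "-p": "fifo_file",
}


@dataclass
class FcSpec:
    regex: re.Pattern
    file_type: Optional[str]   # None means the entry applies to any inode type
    context: str


def parse_file_contexts(text: str) -> List[FcSpec]:
    """Parse file_contexts lines into anchored regex specs, in file order."""
    specs: List[FcSpec] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:
            path_re, code, ctx = fields
            ftype = FILE_TYPE_CODES[code]        # KeyError on an unknown code
        elif len(fields) == 2:
            path_re, ctx = fields
            ftype = None
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        # Entries are implicitly anchored to the whole path.
        specs.append(FcSpec(re.compile(f"^(?:{path_re})$"), ftype, ctx))
    return specs


def lookup_context(specs: List[FcSpec], path: str, inode_type: str) -> Optional[str]:
    """Return the context of the last matching entry, honouring the type field."""
    for spec in reversed(specs):
        if spec.file_type is not None and spec.file_type != inode_type:
            continue                             # "--" entries skip non-files
        if spec.regex.match(path):
            return spec.context
    return None                                  # no entry covers this path


if __name__ == "__main__":
    specs = parse_file_contexts(SAMPLE_FC)
    for path, kind in [("/etc/exports", "file"), ("/etc/exports", "dir"),
                       ("/var/run/rpc.statd/sm/host", "file")]:
        print(f"{path:30} {kind:5} -> {lookup_context(specs, path, kind)}")
```

Resolving /etc/exports as a regular file yields exports_t, but the same path as a directory falls through to the etc_t catch-all because of the "--" field; a file under /var/run/rpc.statd/ is caught by the "(/.*)?" entry, which has no type field and so applies to any inode type.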
* Re: policy to allow upgrade of nfs-utils
From: Stephen Smalley @ 2004-07-12 12:58 UTC (permalink / raw)
To: Russell Coker; +Cc: SE Linux
On Sun, 2004-07-11 at 05:04, Russell Coker wrote:
> A patched version of vi should solve that. In any case if the file gets etc_t
> then it is just readable to everyone which isn't so bad. The only potential
> problem is if you edit the file with an unpatched editor and delete all
> content so that initrc_t will want to append "#" to it.
>
> What do you think of the attached patch?
Looks ok, but is it sufficient, i.e. does it only require permission to
write to the existing /etc/exports, or does it need to be able to unlink
and re-create the file?
* Re: policy to allow upgrade of nfs-utils
From: Russell Coker @ 2004-07-12 13:02 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SE Linux
On Mon, 12 Jul 2004 22:58, Stephen Smalley <sds@epoch.ncsc.mil> wrote:
> On Sun, 2004-07-11 at 05:04, Russell Coker wrote:
> > A patched version of vi should solve that. In any case if the file gets
> > etc_t then it is just readable to everyone which isn't so bad. The only
> > potential problem is if you edit the file with an unpatched editor and
> > delete all content so that initrc_t will want to append "#" to it.
> >
> > What do you think of the attached patch?
>
> Looks ok, but is it sufficient, i.e. does it only require permission to
> write to the existing /etc/exports, or does it need to be able to unlink
> and re-create the file?
The init script only requires append permission. Of course other programs
need read access which my patch didn't grant, so it's not complete in that
regard.
* Re: policy to allow upgrade of nfs-utils
From: Stephen Smalley @ 2004-07-12 13:32 UTC (permalink / raw)
To: Russell Coker; +Cc: SE Linux
On Sun, 2004-07-11 at 05:04, Russell Coker wrote:
> A patched version of vi should solve that. In any case if the file gets etc_t
> then it is just readable to everyone which isn't so bad. The only potential
> problem is if you edit the file with an unpatched editor and delete all
> content so that initrc_t will want to append "#" to it.
>
> What do you think of the attached patch?
Ok, merged.