* SELinux Policy patches
From: Erich Schubert @ 2004-07-16  0:22 UTC (permalink / raw)
  To: selinux


Hi,
here's a couple of diffs from my SELinux installation for the policy
files. I'm not sure in every case if this is the correct thing to do.

Some are local installation things (= Debian default usually) where
programs are allowed to read a dir/file, but not a link.

----
# can be a link, too - maybe dontaudit, since this is the "build" link
# in my case, which it does not need to read...
allow initrc_t modules_object_t:lnk_file read;
# spamd going for a link in the perl dirs (5.8 -> 5.8.1 or so)
allow spamd_t usr_t:lnk_file read;
# not sure if this is still needed with the recent path changes:
allow load_policy_t policy_src_t:lnk_file read;

# I also added (don't remember what that was needed for):
can_exec(logrotate_t, logrotate_exec_t)

# Newer versions of pppd can update the utmp file:
allow pppd_t initrc_var_run_t:file rw_file_perms;
----

Then a small change for the file_contexts/program/named.fc
-/etc/bind/rndc\.key    --  system_u:object_r:rndc_conf_t
+/etc/bind/rndc.*   --  system_u:object_r:rndc_conf_t
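Review bot: the replacement pattern "rndc.*" on the "+" line is an unescaped regular expression, so it labels any regular file in /etc/bind whose name merely starts with "rndc" (an rndc-hosts or rndc.bak dropped there would get rndc_conf_t as well). If the aim is to cover rndc.conf next to rndc.key, keep the dot escaped and name the two files: "/etc/bind/rndc\.(key|conf)  --  system_u:object_r:rndc_conf_t".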
(The Debian default installation included rndc.conf, I think.)


Attached is a set of rule files I've written. Please correct the obvious
errors I made, I'm new to SELinux...
It contains: swapon, pptpd and nsupdate
(probably to come: famd, maildrop, dracd)


I have a couple of access violations with applications, of the form
  foo var_lib_t:dir search;
  foo var_lib_t:lnk_file read;
for example syslogd, inetd, postfix_masteri, staff_ssh_t.
Should I allow these or use dontaudit, and should I submit patches for
such? Is there a known reason for such behaviour?


/bin/mountpoint gets access violations for "tmpfs_t", "devpts_t".
Should I add these to fsadm_t or make a new mountpoint_t?


Any idea what this is "good" for? What is modprobe trying to do:
denied  { write } for  pid=281 exe=/sbin/modprobe name=8390.ko
scontext=system_u:system_r:insmod_t
tcontext=system_u:object_r:modules_object_t tclass=file


"amavis.te" is causing two violations (consider dontaudit)
# allow amavis to search clamd socket in /var/run/clamav
allow amavisd_t clamd_var_run_t:dir search;
# cron job trying to search /var/lib/amavis
allow crond_t amavisd_lib_t:dir search;


"spamd.te" similar:
-allow spamd_t { etc_t etc_runtime_t }:file { getattr read };
+allow spamd_t { etc_t etc_runtime_t }:file { getattr read ioctl };
-allow spamd_t usr_t:file { getattr ioctl read };
+allow spamd_t usr_t:{ lnk_file file } { getattr ioctl read };
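Review bot: the first "+" line grows an explicit permission list to "{ getattr read ioctl }"; in the example policy that set (plus lock) is what the r_file_perms macro expands to, so "allow spamd_t { etc_t etc_runtime_t }:file r_file_perms;" expresses the same access in the policy's own idiom and will not need another one-permission patch next time. The second "+" line extends read to every symlink of type usr_t, not only the perl version links that prompted it; a comment stating the reason would help whoever reviews it later.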

"clamav.te" needs log file support here:
+# for log files
+log_domain(clamd)
+rw_dir_file(clamd_t, clamd_log_t)
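Review bot: "rw_dir_file(clamd_t, clamd_log_t)" grants read and write on files and directories that already exist but no create permission, so after a log file has been rotated away the daemon cannot open a fresh one; if /var/log/clamav is meant to be a directory owned by the domain, a log directory macro (logdir_domain) is the usual way to get the directory type together with the rules for creating files in it.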

"clamav.fc" needs the following:
+/var/log/clamav(/.*)? --       system_u:object_r:clamd_log_t
+/var/run/clamav(/.*)?          system_u:object_r:clamd_var_run_t
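Review bot: the first "+" line pairs "(/.*)?" with the "--" regular-file column, so the directory /var/log/clamav itself never matches this entry and only the files inside it get clamd_log_t. Drop the "--", as the /var/run/clamav line already does, so the directory and its contents are labelled together.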

Another question:
I added "nsupdate" support to my local pppd using a small script.
I use dhcpd failover, thus requiring dhcp to bind to additional ports.
I have split logfiles for named.

Should I keep such rules in my local.te file, or should I also publish
them somehow? Some things like the dhcpd-failover or named-log thing
could be of general interest.

Greetings,
Erich Schubert
-- 
    erich@(mucl.de|debian.org)      --      GPG Key ID: 4B3A135C    (o_
     Go away or i'll replace you with a very small shell script.    //\
    Whoever lacks the courage to dream lacks the strength to fight!    V_/_

[-- Attachment #2: nsupdate.fc --]

/usr/bin/nsupdate      	--	system_u:object_r:nsupdate_exec_t

[-- Attachment #3: nsupdate.te --]

#DESC NSUPDATE - dynamic zone updates for bind
#
# Authors:  Erich Schubert
# X-Debian-Packages: bind bind9
# 

user_application_domain(nsupdate)

# to access keys stored there
allow nsupdate_t named_zone_t:dir { search };
allow nsupdate_t named_zone_t:file r_file_perms;

can_network(nsupdate_t)
allow nsupdate_t self:netlink_socket create_socket_perms;
# allow UDP exchange with, and TCP connections to, a named domain
can_udp_send(named_t, nsupdate_t)
can_udp_send(nsupdate_t, named_t)
can_tcp_connect(nsupdate_t, named_t)

read_locale(nsupdate_t)

# read basic config files
allow nsupdate_t etc_t:file { getattr read };

allow nsupdate_t self:process { fork signal };
allow nsupdate_t self:capability { net_admin };
allow nsupdate_t self:fifo_file rw_file_perms;

# allow a _local_ named to write its zone files
# needed for dynamic updates
# a better solution would be to make a new type
# for example for a subdir "dynamic"
ifdef(`named.te',`
rw_dir_create_file(named_t, named_zone_t)
')

[-- Attachment #4: pptp.fc --]

# pptpd
/usr/sbin/pptpd		--	system_u:object_r:pptpd_exec_t
/usr/sbin/pptpctrl	--	system_u:object_r:pptpd_exec_t
/usr/sbin/bcrelay	--	system_u:object_r:pptpd_exec_t
/etc/pptpd.conf		--	system_u:object_r:pptpd_etc_t
/var/run/pptpd.pid	--	system_u:object_r:pptpd_var_run_t

[-- Attachment #5: pptp.te --]

#DESC poptop - PPTP daemon
#
# Author:  Erich Schubert
# X-Debian-Packages: pptp
#

#################################
#
# Rules for the pptpd_t domain, et al.
#
# pptpd_t is the domain for the pptpd program.
# pptpd_exec_t is the type of the pptpd executable.
#
daemon_domain(pptpd)
etc_domain(pptpd)

# can execute own apps (pptpctrl)
can_exec(pptpd_t, pptpd_exec_t)

# Use the network.
can_network(pptpd_t)
allow pptpd_t self:capability { net_raw };
allow pptpd_t pptpd_t:unix_dgram_socket create_socket_perms;
allow pptpd_t { node_t pptpd_t }:rawip_socket { create_socket_perms node_bind };
allow pptpd_t { pptpd_t port_t }:tcp_socket { create_socket_perms name_bind };

can_create_pty(pptpd)

# find and execute pppd
allow pptpd_t sbin_t:dir { search };
can_exec(pptpd_t, pppd_exec_t)
domain_auto_trans(pptpd_t, pppd_exec_t, pppd_t)
allow pptpd_t pppd_t:process signal;

# allow pppd to access the pptp ptys
allow pppd_t pptpd_devpts_t:chr_file rw_file_perms;

# allow to read pppd options file
allow pptpd_t { pppd_etc_rw_t pppd_etc_t }:file { read getattr };
allow pptpd_t pppd_etc_t:dir { search };

# search /var/lib (what for?)
allow pptpd_t var_lib_t:dir { search };

# allow reading of nsswitch.conf etc.
allow pptpd_t etc_t:dir search;
allow pptpd_t etc_t:file r_file_perms;

[-- Attachment #6: swapon.fc --]

# Swapon
/bin/swapon			--	system_u:object_r:swap_exec_t
/bin/swapoff			--	system_u:object_r:swap_exec_t

[-- Attachment #7: swapon.te --]

#DESC Swapon, Swapoff - Swap partition management
#
# Author:  Erich Schubert
# X-Debian-Packages: mount
#
type swap_t, domain, privlog, fs_domain;
type swap_exec_t, file_type, sysadmfile, exec_type;
role sysadm_r types swap_t;
role system_r types swap_t;

allow swap_t { initrc_devpts_t console_device_t }:chr_file { read write };

domain_auto_trans(initrc_t, swap_exec_t, swap_t)
allow swap_t init_t:fd use;
allow swap_t privfd:fd use;

allow swap_t self:capability { ipc_lock dac_override };

allow swap_t file_type:dir search;

# Access disk devices.
allow swap_t fixed_disk_device_t:devfile_class_set rw_file_perms;
allow swap_t removable_device_t:devfile_class_set rw_file_perms;

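As an added illustration (my code, not part of the thread or of the policy sources) of how the named.fc and clamav.fc changes in this message actually label paths: entries are anchored regular expressions, the optional type column restricts which inode types match, and, as setfiles resolved them at the time (an assumption here), the last matching entry wins. The entries in SUGGESTED_FC are my alternative, not Erich's.

```python
"""Resolve file_contexts entries against sample paths, for the .fc changes
proposed in this message (constructed check, not project code)."""
import re
import stat

# File-type column -> predicate on st_mode; an absent column matches any type.
TYPE_TESTS = {
    "--": stat.S_ISREG, "-d": stat.S_ISDIR, "-l": stat.S_ISLNK, "-c": stat.S_ISCHR,
    "-b": stat.S_ISBLK, "-s": stat.S_ISSOCK, "-p": stat.S_ISFIFO,
}
REG, DIR, SOCK = stat.S_IFREG, stat.S_IFDIR, stat.S_IFSOCK  # sample st_mode values

# The entries as posted in the thread (rndc.* from the named.fc change,
# the two clamav.fc additions).
PROPOSED_FC = r"""
/etc/bind/rndc.*          --  system_u:object_r:rndc_conf_t
/var/log/clamav(/.*)?     --  system_u:object_r:clamd_log_t
/var/run/clamav(/.*)?         system_u:object_r:clamd_var_run_t
"""

# My alternative (not from the thread): escape the dot and name the two rndc
# files explicitly; drop "--" so the log directory itself is labelled too.
SUGGESTED_FC = r"""
/etc/bind/rndc\.(key|conf)    --  system_u:object_r:rndc_conf_t
/var/log/clamav(/.*)?             system_u:object_r:clamd_log_t
/var/run/clamav(/.*)?             system_u:object_r:clamd_var_run_t
"""


def parse_fc(text):
    """Parse 'regex [type] context' lines; regexes are anchored at both ends."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, ftype, context = parts
        elif len(parts) == 2:
            regex, context = parts
            ftype = None
        else:
            raise ValueError("malformed file_contexts entry: %r" % raw)
        if ftype is not None and ftype not in TYPE_TESTS:
            raise ValueError("unknown file type column %r in %r" % (ftype, raw))
        entries.append((re.compile("^(?:%s)$" % regex), ftype, context))
    return entries


def label_for(entries, path, mode):
    """Return the context assigned to path, or None if no entry matches.
    Later entries override earlier ones (assumed setfiles rule of the time)."""
    result = None
    for regex, ftype, context in entries:
        if regex.match(path) and (ftype is None or TYPE_TESTS[ftype](mode)):
            result = context
    return result


PROPOSED = parse_fc(PROPOSED_FC)
SUGGESTED = parse_fc(SUGGESTED_FC)

if __name__ == "__main__":
    for path, mode in [("/etc/bind/rndc.key", REG), ("/etc/bind/rndc-hosts", REG),
                       ("/var/log/clamav", DIR), ("/var/log/clamav/clamav.log", REG),
                       ("/var/run/clamav/clamd.ctl", SOCK)]:
        print("%-30s proposed=%-36s suggested=%s" % (
            path, label_for(PROPOSED, path, mode), label_for(SUGGESTED, path, mode)))
```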

* Re: SELinux Policy patches
From: Russell Coker @ 2004-07-16  2:34 UTC (permalink / raw)
  To: Erich Schubert; +Cc: selinux, bam

On Fri, 16 Jul 2004 10:22, Erich Schubert <erich@debian.org> wrote:
> # can be a link, too - maybe dontaudit, since this is the "build" link
> # in my case, which it does not need to read...
> allow initrc_t modules_object_t:lnk_file read;

I think that dontaudit is the correct thing to do.

> # spamd going for a link in the perl dirs (5.8 -> 5.8.1 or so)
> allow spamd_t usr_t:lnk_file read;

OK, I've put it in my tree.

> # not sure if this is still needed with the recent path changes:
> allow load_policy_t policy_src_t:lnk_file read;

Should not be needed.

> # I also added (don't remember what that was needed for):
> can_exec(logrotate_t, logrotate_exec_t)

Can you find out what it is needed for?

> # Newer versions of pppd can update the utmp file:
> allow pppd_t initrc_var_run_t:file rw_file_perms;

Is it really updating the utmp file or just inappropriately opening the file 
read/write for a read operation?  Please tell me where this is documented.

> Then a small change for the file_contexts/program/named.fc
> -/etc/bind/rndc\.key    --  system_u:object_r:rndc_conf_t
> +/etc/bind/rndc.*   --  system_u:object_r:rndc_conf_t
> (debian default installation included rndc.conf i think)

What version of the package is this?

> I have a couple of access violation with applications of
>   foo var_lib_t:dir search;
>   foo var_lib_t:lnk_file read;
> for example syslogd, inetd, postfix_masteri, staff_ssh_t.
> Should i allow these or use dontaudit, and should i submit patches for
> such? Is there a known reason for such behaviour?

What are they trying to access under /var/lib?

> /bin/mountpoint gets access violations for "tmpfs_t", "devpts_t".
> Should i add these to fsadm_t or make a new mountpoint_t?

Add them to fsadm_t.

> Any idea what this is "good" for, what is modprobe trying to do:
> denied  { write } for  pid=281 exe=/sbin/modprobe name=8390.ko
> scontext=system_u:system_r:insmod_t
> tcontext=system_u:object_r:modules_object_t tclass=file

That's a bug in modprobe, there is already a Debian bug report about it.

> "amavis.te" is causing two violations (consider dontaudit)
> # allow amavis to search clamd socket in /var/run/clamav
> allow amavisd_t clamd_var_run_t:dir search;
> # cron job trying to search /var/lib/amavis
> allow crond_t amavisd_lib_t:dir search;

Brian, what do you think?

> "spamd.te" similar:
> -allow spamd_t { etc_t etc_runtime_t }:file { getattr read };
> +allow spamd_t { etc_t etc_runtime_t }:file { getattr read ioctl };
> -allow spamd_t usr_t:file { getattr ioctl read };
> +allow spamd_t usr_t:{ lnk_file file } { getattr ioctl read };

OK, added to my tree.

> "clamav.te" needs log file support here:
> +# for log files
> +log_domain(clamd)
> +rw_dir_file(clamd_t, clamd_log_t)

logdir_domain(clamd) does this.  Added to my tree.

> "clamav.fc" needs the following:
> +/var/log/clamav(/.*)? --       system_u:object_r:clamd_log_t
> +/var/run/clamav(/.*)?          system_u:object_r:clamd_var_run_t

Added to my tree.

> Should i keep such rules in my local.te file, or should i also publish
> them somehow? Some things like the dhcpd-failover or named-log thing
> could be of general interest.

The dhcpd-failover thing sounds useful.

Also for the attached files please send another message describing the changes 
with diffs.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: SELinux Policy patches
From: Luke Kenneth Casson Leighton @ 2004-07-16  8:19 UTC (permalink / raw)
  To: Russell Coker; +Cc: Erich Schubert, selinux, bam

> > I have a couple of access violation with applications of
> >   foo var_lib_t:dir search;
> >   foo var_lib_t:lnk_file read;
> > for example syslogd, inetd, postfix_masteri, staff_ssh_t.
> > Should i allow these or use dontaudit, and should i submit patches for
> > such? Is there a known reason for such behaviour?
> 
> What are they trying to access under /var/lib?
 
 I've seen this too - related to nsswitch, IIRC.




* Re: SELinux Policy patches
From: Russell Coker @ 2004-07-16  8:43 UTC (permalink / raw)
  To: Luke Kenneth Casson Leighton; +Cc: Erich Schubert, selinux

On Fri, 16 Jul 2004 18:19, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> > > I have a couple of access violation with applications of
> > >   foo var_lib_t:dir search;
> > >   foo var_lib_t:lnk_file read;
> > > for example syslogd, inetd, postfix_masteri, staff_ssh_t.
> > > Should i allow these or use dontaudit, and should i submit patches for
> > > such? Is there a known reason for such behaviour?
> >
> > What are they trying to access under /var/lib?
>
>  I've seen this too - related to nsswitch, IIRC.

The db module?

I never bothered writing policy for that because the Linux implementation 
really isn't any good.  If I had a lot of spare time I'd consider 
contributing some code to make it as good as the AIX equivalent which would 
make it usable enough to be useful.

With the Linux db module the db file gets precedence over /etc/passwd.  This 
means that if the db file is out of date (there is no automatic mechanism for 
running /bin/passwd, useradd, etc to automatically update the db so it's 
often out of date) then you get the wrong data.

In AIX the time stamps on the db file and the source file are checked, if they 
are the same then the db is used, if the source file is newer it is used.  
Therefore if the db file creation process gets forgotten (unlikely as all 
the tools know to update it - but it may happen if you wrote your own tool to 
do such things) then the only problem is that performance goes down.  No 
incorrect operation.


* Re: SELinux Policy patches
From: Luke Kenneth Casson Leighton @ 2004-07-16 10:55 UTC (permalink / raw)
  To: Russell Coker, Erich Schubert, selinux, bam

On Fri, Jul 16, 2004 at 09:19:24AM +0100, Luke Kenneth Casson Leighton wrote:
> > > I have a couple of access violation with applications of
> > >   foo var_lib_t:dir search;
> > >   foo var_lib_t:lnk_file read;
> > > for example syslogd, inetd, postfix_masteri, staff_ssh_t.
> > > Should i allow these or use dontaudit, and should i submit patches for
> > > such? Is there a known reason for such behaviour?
> > 
> > What are they trying to access under /var/lib?
>  
>  i've seen this too - related to nsswitch iirc correctly.
 
 strace shows ssh-keygen doing this sort of thing:

	connect(3, {sa_family=AF_UNIX, path="/var/run/.nscd_socket"}, 110) = -1
	ENOENT (No such file or directory)
 
 l.



* Re: SELinux Policy patches
From: Russell Coker @ 2004-07-16 11:28 UTC (permalink / raw)
  To: Luke Kenneth Casson Leighton; +Cc: Erich Schubert, selinux, bam

On Fri, 16 Jul 2004 20:55, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> > > What are they trying to access under /var/lib?
> >
> >  I've seen this too - related to nsswitch, IIRC.
>
>  strace shows ssh-keygen doing this sort of thing:
>
> 	connect(3, {sa_family=AF_UNIX, path="/var/run/.nscd_socket"}, 110) = -1
> 	ENOENT (No such file or directory)

Heaps of programs do that.  Most times that you see a search access on 
var_run_t:dir you can just put in a dontaudit rule.

But var_lib_t is a different issue.


* Re: SELinux Policy patches
From: Erich Schubert @ 2004-07-16 11:48 UTC (permalink / raw)
  To: selinux

Hi,

BTW: can someone tell the listmaster's admins that their network is
misconfigured? The list server is not reachable with ECN enabled.

> > # can be a link, too - maybe dontaudit, since this is the "build" link
> > # in my case, which it does not need to read...
> > allow initrc_t modules_object_t:lnk_file read;
> 
> I think that dontaudit is the correct thing to do.

For me for sure, but maybe someone else has a case where this does make
sense? OTOH: modules are small and should reside on the primary
partition. One should copy them there, not link them.

> > # spamd going for a link in the perl dirs (5.8 -> 5.8.1 or so)
> > allow spamd_t usr_t:lnk_file read;
> 
> OK, I've put it in my tree.

I think there were some more things wrong with spamd, but I can't check
now. I think my spamd was unable to read the /etc/spamassassin/local.cf
config file (and probably other spam filter files stored there).

> > # I also added (don't remember what that was needed for):
> > can_exec(logrotate_t, logrotate_exec_t)
> 
> Can you find out what it is needed for?

I'll check, but maybe this is gone by now, too.

> > # Newer versions of pppd can update the utmp file:
> > allow pppd_t initrc_var_run_t:file rw_file_perms;
> 
> Is it really updating the utmp file or just inappropriately opening the file 
> read/write for a read operation?  Please tell me where this is documented.

Oh, sorry. Actually this belongs to pptpd. It is a pppd plugin included
with pptpd that stores the remote login in wtmp.
pptpd: /usr/lib/pptpd/pptpd-logwtmp.so

Maybe these rules should go into the pptpd.te file then.

> > Then a small change for the file_contexts/program/named.fc
> > -/etc/bind/rndc\.key    --  system_u:object_r:rndc_conf_t
> > +/etc/bind/rndc.*   --  system_u:object_r:rndc_conf_t
> > (debian default installation included rndc.conf i think)
> 
> What version of the package is this?

The config file is not shipped by default; there is only the man page
for it, rndc.conf, and the tool "rndc-confgen" to generate it.
Basically "named.conf" contains the information for named, and
"rndc.conf" contains the remote-control-tool configuration.

> > I have a couple of access violation with applications of
> >   foo var_lib_t:dir search;
> >   foo var_lib_t:lnk_file read;
> > for example syslogd, inetd, postfix_masteri, staff_ssh_t.
> > Should i allow these or use dontaudit, and should i submit patches for
> > such? Is there a known reason for such behaviour?
> 
> What are they trying to access under /var/lib?

I think they just want to scan the directory. I haven't written
additional rules, just the "dir search", and not gotten additional
violations, which surprises me a bit.

> > "amavis.te" is causing two violations (consider dontaudit)
> > # allow amavis to search clamd socket in /var/run/clamav
> > allow amavisd_t clamd_var_run_t:dir search;
> > # cron job trying to search /var/lib/amavis
> > allow crond_t amavisd_lib_t:dir search;
> 
> Brian, what do you think?

Recent versions of clamd in Debian have moved the clamd sockets into a
subdir (see the other changes i submitted). The first is related to
that, amavisd needs to access the new socket location.

I'm not sure what crond_t is doing. I haven't checked if it is the
cron.d/ or the cron.daily/ job, but I think the first.
The inline entry was just checking if the amavis binaries are
executable/existent. (Usual thing to do, in case the package gets
uninstalled but the config files remain.)

> logdir_domain(clamd) does this.  Added to my tree.

Ah, thanks. BTW: is there a good overview for all these macros and the
proper way to use them?

> > Should i keep such rules in my local.te file, or should i also publish
> > them somehow? Some things like the dhcpd-failover or named-log thing
> > could be of general interest.
> 
> The dhcpd-failover thing sounds useful.

It's just two lines; maybe they should be made into something like "examples"
or "snippets". I wouldn't put them in a separate rule file, but I
would also avoid enabling them by default, and I dislike modifying the
"upstream" rule files when unneeded.

Maybe they could be added as comments to the dhcpd.te file, kind of:

# Copy these lines to your local.te file or uncomment them
# to enable DHCPD failover communication
# allow dhcpd_t port_t:tcp_socket { send_msg recv_msg };
# allow dhcpd_t port_t:tcp_socket name_bind;

Note that there is no standard port for DHCP failover. You can choose an
arbitrary port, making the configuration more difficult.
The example configuration could of course include defining which port is
being used for dhcp-failover and employing dhcp_failover_port_t.
Note that two hosts don't have to use the same port here.
I don't know if SELinux rules also apply for outgoing ports, maybe one
would have to allow dhcpd_t to send to an arbitrary port, but bind only
the local listen port.

I'd like to have a "local.te" file, where I can do things like
define(`feature: amavis_uses_ldap')
define(`feature: nss_ldap')
define(`feature: named_dyndns')

to customize rule files without actually changing the files.

> Also for the attached files please send another message describing the
> changes with diffs.

The attached files were new, unless someone submitted the same policies
recently. ;-)

How about adding support for /var/log/named.* ?
It's not enabled by default but I find it very useful, especially if you
have a big amount of logging data such as dynamic DNS updates.
I think it won't do any harm if enabled by default?

Greetings,
Erich
-- 
      erich@(mucl.de|debian.org)      --      GPG Key ID: 4B3A135C     (o_
 A man doesn't know what he knows until he knows what he doesn't know. //\
    When there are two good friends who know each other, sun and moon   V_/_
     meet before they part. --- Clemens von Brentano


* Re: SELinux Policy patches
From: Erich Schubert @ 2004-07-16 11:57 UTC (permalink / raw)
  To: selinux

> allow nsupdate_t self:netlink_socket create_socket_perms;

Maybe due to changes from policy 17 to 18 this could be
"netlink_route_socket" by now. Was this class split?

Regards,
Erich Schubert
-- 
      erich@(mucl.de|debian.org)      --      GPG Key ID: 4B3A135C     (o_
 A man doesn't know what he knows until he knows what he doesn't know. //\
   Whoever does not sometimes feel too much always feels too little.   V_/_


* Re: SELinux Policy patches
From: Stephen Smalley @ 2004-07-16 15:13 UTC (permalink / raw)
  To: Erich Schubert; +Cc: selinux

On Fri, 2004-07-16 at 07:57, Erich Schubert wrote:
> > allow nsupdate_t self:netlink_socket create_socket_perms;
> 
> Maybe due to changes from policy 17 to 18 this could be
> "netlink_route_socket" by now. Was this class split?

Yes.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency



* Re: SELinux Policy patches
From: Russell Coker @ 2004-07-16 21:23 UTC (permalink / raw)
  To: Erich Schubert; +Cc: selinux

On Fri, 16 Jul 2004 21:57, Erich Schubert <erich@debian.org> wrote:
> > allow nsupdate_t self:netlink_socket create_socket_perms;
>
> Maybe due to changes from policy 17 to 18 this could be
> "netlink_route_socket" by now. Was this class split?

Yes.


* Re: SELinux Policy patches
From: Erich Schubert @ 2004-07-19 14:38 UTC (permalink / raw)
  To: Russell Coker; +Cc: selinux, bam

Hi,

> > # I also added (don't remember what that was needed for):
> > can_exec(logrotate_t, logrotate_exec_t)
> 
> Can you find out what it is needed for?

For executing /usr/bin/savelog:

denied  { execute_no_trans } for  pid=21289 exe=/bin/dash
path=/usr/bin/savelog dev=sda3 ino=299540
scontext=system_u:system_r:logrotate_t
tcontext=system_u:object_r:logrotate_exec_t tclass=file

I do have some weird behaviour with logrotate OR logcheck on this box:

denied  { search } for  pid=21251 exe=/usr/sbin/logrotate name=selinux
dev=sda3 ino=274182 scontext=system_u:system_r:logrotate_t
tcontext=system_u:object_r:selinux_config_t tclass=dir

denied  { search } for  pid=21251 exe=/usr/sbin/logrotate name=root
dev=sda3 ino=318865 scontext=system_u:system_r:logrotate_t
tcontext=root:object_r:staff_home_dir_t tclass=dir

Seems like some logrotate cron job is doing a "find"?

Also I do get this error message frequently:

denied  { relabelfrom } for  pid=4768 exe=/bin/cp name=checked dev=md0
ino=160726 scontext=system_u:system_r:logrotate_t
tcontext=system_u:object_r:logrotate_tmp_t tclass=file
denied  { relabelto } for  pid=4768 exe=/bin/cp name=checked dev=md0
ino=160726 scontext=system_u:system_r:logrotate_t
tcontext=system_u:object_r:logrotate_tmp_t tclass=file

What is happening here?
This appears to be logcheck, which currently is running in the
"logrotate" domain. Has someone written a policy for logcheck yet?
OTOH,
/usr/sbin/logcheck      --      system_u:object_r:logrotate_exec_t
appears to be intentional.

Greetings,
Erich Schubert
-- 
    erich@(mucl.de|debian.org)      --      GPG Key ID: 4B3A135C     (o_
           There are only 10 types of people in the world:           //\
           Those who understand binary and those who don't           V_/_
  When there are two good friends who know each other, sun and moon
    meet before they part. --- Clemens von Brentano


* Re: SELinux Policy patches
From: Russell Coker @ 2004-07-20  5:25 UTC (permalink / raw)
  To: Erich Schubert; +Cc: selinux, bam

On Tue, 20 Jul 2004 00:38, Erich Schubert <erich@debian.org> wrote:
> Hi,
>
> > > # I also added (don't remember what that was needed for):
> > > can_exec(logrotate_t, logrotate_exec_t)
> >
> > Can you find out what it is needed for?
>
> For executing /usr/bin/savelog:
>
> denied  { execute_no_trans } for  pid=21289 exe=/bin/dash
> path=/usr/bin/savelog dev=sda3 ino=299540
> scontext=system_u:system_r:logrotate_t
> tcontext=system_u:object_r:logrotate_exec_t tclass=file

OK, I've added that to my tree.

> I do have some weird behaviour with logrotate OR logcheck on this box:
>
> denied  { search } for  pid=21251 exe=/usr/sbin/logrotate name=selinux
> dev=sda3 ino=274182 scontext=system_u:system_r:logrotate_t
> tcontext=system_u:object_r:selinux_config_t tclass=dir

I think that we can dontaudit that one, that would be from SE Linux library 
calls.

> denied  { search } for  pid=21251 exe=/usr/sbin/logrotate name=root
> dev=sda3 ino=318865 scontext=system_u:system_r:logrotate_t
> tcontext=root:object_r:staff_home_dir_t tclass=dir
>
> Seems like some logrotate cron job is doing a "find"?

As discussed on IRC that would be from cron setting the current directory to 
the home directory.

> Also i do get this error message frequently:
>
> denied  { relabelfrom } for  pid=4768 exe=/bin/cp name=checked dev=md0
> ino=160726 scontext=system_u:system_r:logrotate_t
> tcontext=system_u:object_r:logrotate_tmp_t tclass=file
> denied  { relabelto } for  pid=4768 exe=/bin/cp name=checked dev=md0
> ino=160726 scontext=system_u:system_r:logrotate_t
> tcontext=system_u:object_r:logrotate_tmp_t tclass=file
>
> What is happening here?

That's a bug in cp.

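An added example (my code, not from the thread) that parses the syslog-format AVC denials quoted in this exchange and groups them into candidate rules the way audit2allow does, attaching the hints given in the replies: a bare dir search on var_run_t or selinux_config_t becomes a dontaudit, var_lib_t searches and relabel denials are flagged for review, and a domain executing its own exec type is pointed at can_exec. The two staff_ssh_t lines (pids 9001 and 9002) are constructed; the other sample lines are copied from the thread.

```python
"""Turn AVC denials (syslog format, as quoted in this thread) into candidate
policy rules, with the review hints from the replies attached to each."""
import re
from collections import defaultdict

# Constructed sample: the denials posted in the thread, plus two constructed
# lines (pid 9001, 9002) for the var_run_t / var_lib_t distinction Russell draws.
SAMPLE_DENIALS = """\
avc:  denied  { write } for  pid=281 exe=/sbin/modprobe name=8390.ko scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:modules_object_t tclass=file
avc:  denied  { execute_no_trans } for  pid=21289 exe=/bin/dash path=/usr/bin/savelog dev=sda3 ino=299540 scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:logrotate_exec_t tclass=file
avc:  denied  { search } for  pid=21251 exe=/usr/sbin/logrotate name=selinux dev=sda3 ino=274182 scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:selinux_config_t tclass=dir
avc:  denied  { search } for  pid=21251 exe=/usr/sbin/logrotate name=root dev=sda3 ino=318865 scontext=system_u:system_r:logrotate_t tcontext=root:object_r:staff_home_dir_t tclass=dir
avc:  denied  { relabelfrom } for  pid=4768 exe=/bin/cp name=checked dev=md0 ino=160726 scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:logrotate_tmp_t tclass=file
avc:  denied  { relabelto } for  pid=4768 exe=/bin/cp name=checked dev=md0 ino=160726 scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:logrotate_tmp_t tclass=file
avc:  denied  { search } for  pid=9001 exe=/usr/bin/ssh-keygen name=run scontext=staff_u:staff_r:staff_ssh_t tcontext=system_u:object_r:var_run_t tclass=dir
avc:  denied  { search } for  pid=9002 exe=/usr/bin/ssh-keygen name=lib scontext=staff_u:staff_r:staff_ssh_t tcontext=system_u:object_r:var_lib_t tclass=dir
"""

DENIAL_RE = re.compile(r"denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_denial(line):
    """Return the parts of one denial, or None for a line that is not one."""
    m = DENIAL_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": set(m.group("perms").split()),
        "exe": fields.get("exe"),
        "target": fields.get("path") or fields.get("name"),
        # a security context is user:role:type; the type is the third field
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def classify(stype, ttype, tclass, perms):
    """Pick allow/dontaudit plus a review note from the hints given in the
    thread; anything unrecognised is an allow candidate that needs a human."""
    if tclass == "dir" and perms == {"search"}:
        if ttype in ("var_run_t", "selinux_config_t"):
            return "dontaudit", "socket probe or SELinux library call; silence, do not allow"
        if ttype == "var_lib_t":
            return "allow", "REVIEW: find out what the program wants under /var/lib first"
    if perms & {"relabelfrom", "relabelto"}:
        return "allow", "REVIEW: relabel by a non-admin domain is normally an application bug"
    if tclass == "file" and perms == {"execute_no_trans"} and ttype == stype[:-2] + "_exec_t":
        return "allow", "domain runs its own helpers; can_exec(%s, %s) is the macro form" % (stype, ttype)
    return "allow", "no hint; confirm the access is intended before adding it"


def candidate_rules(lines):
    """Aggregate denials per (source type, target type, class) and emit one
    (rule, note) pair per triple, sorted, the way audit2allow groups them."""
    grouped = defaultdict(set)
    for line in lines:
        d = parse_denial(line)
        if d is not None:
            grouped[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        verb, note = classify(stype, ttype, tclass, perms)
        rule = "%s %s %s:%s { %s };" % (verb, stype, ttype, tclass, " ".join(sorted(perms)))
        rules.append((rule, note))
    return rules


if __name__ == "__main__":
    for rule, note in candidate_rules(SAMPLE_DENIALS.splitlines()):
        print("%-70s # %s" % (rule, note))
```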
