From: Russell Coker <russell@coker.com.au>
To: Erich Schubert <erich@debian.org>
Cc: selinux@tycho.nsa.gov, bam@snoopy.apana.org.au
Subject: Re: SELinux Policy patches
Date: Fri, 16 Jul 2004 12:34:03 +1000
Message-ID: <200407161234.03434.russell@coker.com.au>
In-Reply-To: <20040716002210.GA1081@wintermute.xmldesign.de>
On Fri, 16 Jul 2004 10:22, Erich Schubert <erich@debian.org> wrote:
> # can be a link, too - maybe dontaudit, since this is the "build" link
> # in my case, which it does not need to read...
> allow initrc_t modules_object_t:lnk_file read;
I think that dontaudit is the correct thing to do.
> # spamd going for a link in the perl dirs (5.8 -> 5.8.1 or so)
> allow spamd_t usr_t:lnk_file read;
OK, I've put it in my tree.
> # not sure if this is still needed with the recent path changes:
> allow load_policy_t policy_src_t:lnk_file read;
Should not be needed.
> # I also added (don't remember what that was needed for):
> can_exec(logrotate_t, logrotate_exec_t)
Can you find out what it is needed for?
> # Newer versions of pppd can update the utmp file:
> allow pppd_t initrc_var_run_t:file rw_file_perms;
Is it really updating the utmp file or just inappropriately opening the file
read/write for a read operation? Please tell me where this is documented.
> Then a small change for the file_contexts/program/named.fc
> -/etc/bind/rndc\.key -- system_u:object_r:rndc_conf_t
> +/etc/bind/rndc.* -- system_u:object_r:rndc_conf_t
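Review bot: the replacement pattern on the `+` line drops the escape on the dot, so `/etc/bind/rndc.*` matches any path that merely begins with `/etc/bind/rndc` (for example `/etc/bind/rndc-backup`), not only `rndc.key` and `rndc.conf`. If the intent is to cover both dotted files, `/etc/bind/rndc\..*` keeps the original `\.` from the `-` line and still matches `rndc.conf`. The `--` specifier is unchanged and correctly limits this to regular files.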
> (Debian default installation included rndc.conf, I think)
What version of the package is this?
> I have a couple of access violations with applications of
> foo var_lib_t:dir search;
> foo var_lib_t:lnk_file read;
> for example syslogd, inetd, postfix_masteri, staff_ssh_t.
> Should I allow these or use dontaudit, and should I submit patches for
> such? Is there a known reason for such behaviour?
What are they trying to access under /var/lib?
> /bin/mountpoint gets access violations for "tmpfs_t", "devpts_t".
> Should I add these to fsadm_t or make a new mountpoint_t?
Add them to fsadm_t.
> Any idea what this is "good" for, what is modprobe trying to do:
> denied { write } for pid=281 exe=/sbin/modprobe name=8390.ko
> scontext=system_u:system_r:insmod_t
> tcontext=system_u:object_r:modules_object_t tclass=file
That's a bug in modprobe, there is already a Debian bug report about it.
> "amavis.te" is causing two violations (consider dontaudit)
> # allow amavis to search clamd socket in /var/run/clamav
> allow amavisd_t clamd_var_run_t:dir search;
> # cron job trying to search /var/lib/amavis
> allow crond_t amavisd_lib_t:dir search;
Brian, what do you think?
> "spamd.te" similar:
> -allow spamd_t { etc_t etc_runtime_t }:file { getattr read };
> +allow spamd_t { etc_t etc_runtime_t }:file { getattr read ioctl };
> -allow spamd_t usr_t:file { getattr ioctl read };
> +allow spamd_t usr_t:{ lnk_file file } { getattr ioctl read };
OK, added to my tree.
> "clamav.te" needs log file support here:
> +# for log files
> +log_domain(clamd)
> +rw_dir_file(clamd_t, clamd_log_t)
logdir_domain(clamd) does this. Added to my tree.
> "clamav.fc" needs the following:
> +/var/log/clamav(/.*)? -- system_u:object_r:clamd_log_t
> +/var/run/clamav(/.*)? system_u:object_r:clamd_var_run_t
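Review bot: the two added file_contexts lines are inconsistent about the type specifier. The `/var/log/clamav(/.*)? --` line carries `--`, which restricts the match to regular files, so the `/var/log/clamav` directory itself (and any subdirectory) would not receive `clamd_log_t` from this entry, while the `/var/run/clamav(/.*)?` line has no specifier and labels the directory and everything under it. Unless the log directory is meant to keep a different type, drop the `--` on the log line so both entries label directory and contents alike.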
Added to my tree.
> Should I keep such rules in my local.te file, or should I also publish
> them somehow? Some things like the dhcpd-failover or named-log thing
> could be of general interest.
The dhcpd-failover thing sounds useful.
Also for the attached files please send another message describing the changes
with diffs.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
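The thread above turns on reading kernel AVC denial lines and deciding, per denial, whether to add an allow rule, a dontaudit rule, or no policy change at all (as with the modprobe write denial, which Russell attributes to an application bug). The following script is an added example and is not code from Russell Coker, Erich Schubert or any SELinux policy tree; it assumes the 2004-era single-line AVC format quoted in the thread, and the sample denials are constructed (the first reproduces the modprobe line from the message, the others are invented to mirror the rules discussed). It generalizes the discussion by grouping many denials by (source type, target type, object class) and letting the caller mark which triples should be silenced with dontaudit and which source domains are known-buggy and should not get an allow rule.

```python
import re
from collections import defaultdict

# Constructed sample AVC denials in the old single-line kernel format seen in the thread.
# Line 1 is the modprobe denial quoted in the message; the rest are made-up illustrations.
SAMPLE_AVC_LINES = [
    "avc: denied { write } for pid=281 exe=/sbin/modprobe name=8390.ko "
    "scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:modules_object_t tclass=file",
    "avc: denied { read } for pid=300 exe=/etc/init.d/rc name=build "
    "scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:modules_object_t tclass=lnk_file",
    "avc: denied { search } for pid=412 exe=/usr/sbin/cron name=amavis "
    "scontext=system_u:system_r:crond_t tcontext=system_u:object_r:amavisd_lib_t tclass=dir",
    "avc: denied { getattr read } for pid=413 exe=/usr/sbin/spamd name=5.8 "
    "scontext=system_u:system_r:spamd_t tcontext=system_u:object_r:usr_t tclass=lnk_file",
]

# "denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(r"denied\s*\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return the key=value fields of one AVC denial plus a 'perms' set,
    or None when the line is not an AVC denial at all."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    fields["perms"] = set(m.group("perms").split())
    return fields


def type_of(context):
    """Pull the type component out of a user:role:type security context."""
    return context.split(":")[2]


def format_perms(perms):
    """Render a permission set the way a .te file writes it: bare if single, braced if several."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def suggest_rules(lines, dontaudit=frozenset(), known_bugs=frozenset()):
    """Aggregate denials by (source type, target type, class) and emit one policy line each.

    dontaudit  - set of (source_type, target_type, tclass) triples to silence rather than allow,
                 e.g. the initrc_t read of the modules 'build' symlink discussed in the thread.
    known_bugs - set of source types whose denials come from an application bug; these get a
                 comment instead of an allow rule so the bug is fixed where it lives."""
    grouped = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        key = (type_of(d["scontext"]), type_of(d["tcontext"]), d["tclass"])
        grouped[key] |= d["perms"]

    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        perm_str = format_perms(perms)
        if src in known_bugs:
            rules.append(f"# {src} {tgt}:{cls} {perm_str}: application bug, do not add an allow rule")
        elif (src, tgt, cls) in dontaudit:
            rules.append(f"dontaudit {src} {tgt}:{cls} {perm_str};")
        else:
            rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


if __name__ == "__main__":
    # Decisions taken from the thread: silence the build-link read, treat insmod_t as a modprobe bug.
    for rule in suggest_rules(
        SAMPLE_AVC_LINES,
        dontaudit={("initrc_t", "modules_object_t", "lnk_file")},
        known_bugs={"insmod_t"},
    ):
        print(rule)
```

The grouping step matters in practice: a single spamd run can produce separate getattr and read denials on the same symlink, and merging them yields one `{ getattr read }` rule instead of two half-rules that each need review. The known_bugs branch encodes Russell's point about modprobe: a denial is evidence of a mismatch, not automatically a policy gap, and an allow rule written to quiet it would only hide the application bug.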