From: Russell Coker <russell@coker.com.au>
To: SE Linux <selinux@tycho.nsa.gov>
Subject: policy patch
Date: Tue, 24 Aug 2004 18:18:40 +1000	[thread overview]
Message-ID: <200408241818.40064.russell@coker.com.au> (raw)


diff1 removes some unnecessary dontaudit lines from syslogd.te: if there is to 
be one single domain accessing devpts_t:chr_file then syslogd_t is not it, 
and if a log file gets type unlabeled_t then it's something we want audited.

httpd_t does not need search access to devpts_t (it is not granted access to 
any device node under /dev/pts).  httpd_suexec_t does not need 
net_bind_service (all it does is call setuid() and execute a script); its 
access attempts on /var/run are the usual nscd stuff that gets a dontaudit 
rule.

It seems that only Red Hat has bootloader_t needing access to 
modules_object_t:lnk_file.

cpucontrol_t sometimes needs getattr access to a sym-link in /dev, no harm in 
granting it.

There should never be a printer_device_t:fifo_file object; there is no 
file_contexts entry assigning printer_device_t to a fifo_file object, so I 
remove the access to this invalid combination.

dovecot_cert_t is used for SSL certificates.  If there are any certificates 
labeled as usr_t then that's a bug in the file_contexts file.  I'll change 
the contexts of the files to use bin_t for sub-binaries on Debian as well as 
Red Hat (as well as putting some conditionals into the .fc file).

I changed ftpd.te to have the domain_auto_trans(inetd, part inside 
if(!ftpd_is_daemon).

Change hald.te to work with the latest version in Fedora.  I didn't want to 
give it read access to hard disks, but it seems that's the way things are 
going.

Changed hotplug.te to allow it to run arping on Red Hat, and to be a hald 
client (maybe we need a hald_client_domain attribute).

Allows lvm_t to create unix_dgram_socket objects.


-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: diff1 --]
[-- Type: text/x-diff, Size: 11250 bytes --]

diff -ru /usr/src/se/policy/domains/program/syslogd.te ./domains/program/syslogd.te
--- /usr/src/se/policy/domains/program/syslogd.te	2004-08-24 16:01:13.000000000 +1000
+++ ./domains/program/syslogd.te	2004-07-08 21:30:48.000000000 +1000
@@ -94,6 +94,3 @@
 #
 dontaudit syslogd_t file_t:dir search;
 allow syslogd_t devpts_t:dir { search };
-dontaudit syslogd_t devpts_t:chr_file { read write };
-
-dontaudit syslogd_t unlabeled_t:file { read };
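Review bot: dropping `dontaudit syslogd_t devpts_t:chr_file { read write };` while the hunk keeps `allow syslogd_t devpts_t:dir { search };` means any attempt by syslogd_t to open a pty for console logging now produces an AVC denial instead of being silently refused; that matches the stated intent, but a one-line comment above the remaining devpts_t rule saying the chr_file access is deliberately left audited would stop the next person from re-adding the dontaudit. The same applies to the removed unlabeled_t:file dontaudit, which is the right call since an unlabeled log file is a labeling bug worth seeing.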
diff -ru /usr/src/se/policy/domains/program/unused/apache.te ./domains/program/unused/apache.te
--- /usr/src/se/policy/domains/program/unused/apache.te	2004-08-15 15:45:15.000000000 +1000
+++ ./domains/program/unused/apache.te	2004-08-24 16:07:09.000000000 +1000
@@ -68,7 +69,6 @@
 
 allow httpd_t { random_device_t urandom_device_t }:chr_file { getattr ioctl read };
 
-allow httpd_t devpts_t:dir { search };
 allow httpd_t sysctl_kernel_t:dir search;
 allow httpd_t sysctl_kernel_t:file read;
 
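Review bot: the hunk header `@@ -68,7 +69,6 @@` already carries a one-line offset in the new file although this is the first hunk for apache.te, so the working copy differs from the reference tree above this point and the hunk may need fuzz to apply; regenerate the diff against a clean tree. Removing `allow httpd_t devpts_t:dir { search };` without replacing it with a dontaudit means any /dev/pts search by httpd_t is now audited, which is the right default for a network-facing daemon.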
@@ -88,11 +88,10 @@
 # Permissions for running child processes and scripts
 ##########################################################
 
-allow httpd_suexec_t self:capability { setuid setgid net_bind_service };
+allow httpd_suexec_t self:capability { setuid setgid };
 
-allow httpd_suexec_t var_run_t:dir { search };
-allow httpd_suexec_t var_t:dir { search };
-allow httpd_suexec_t var_log_t:dir search;
+dontaudit httpd_suexec_t var_run_t:dir search;
+allow httpd_suexec_t { var_t var_log_t }:dir search;
 allow httpd_suexec_t home_root_t:dir search;
 
 allow httpd_suexec_t httpd_log_t:dir search;
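Review bot: `dontaudit httpd_suexec_t var_run_t:dir search;` replaces an allow, so a suexec'd CGI that legitimately needs something under /var/run will now fail with no AVC message to explain why; if the only expected source of these lookups is nscd, say so in a comment next to the rule so the silent denial is documented in the policy and not only in the cover text. Dropping net_bind_service from `httpd_suexec_t self:capability` is a clean least-privilege reduction for a setuid helper that only execs scripts.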
@@ -122,7 +121,10 @@
 
 uses_shlib(httpd_t)
 allow httpd_t { usr_t lib_t }:file { getattr read ioctl };
-allow httpd_t usr_t:lnk_file read;
+allow httpd_t usr_t:lnk_file { getattr read };
+
+# for apache2 memory mapped files
+var_lib_domain(httpd)
 
 # for tomcat
 r_dir_file(httpd_t, var_lib_t)
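Review bot: `var_lib_domain(httpd)` introduces a new type for httpd's /var/lib files, but no file_contexts change accompanies it in diff1; without the matching .fc entry the files keep their current label and the new rules grant nothing. The comment `# for apache2 memory mapped files` should also name the directory involved so the label can be checked with ls -Z after relabeling.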
diff -ru /usr/src/se/policy/domains/program/unused/bootloader.te ./domains/program/unused/bootloader.te
--- /usr/src/se/policy/domains/program/unused/bootloader.te	2004-08-24 16:01:17.000000000 +1000
+++ ./domains/program/unused/bootloader.te	2004-08-24 16:07:33.000000000 +1000
@@ -65,7 +65,9 @@
 
 allow bootloader_t { modules_dep_t modules_object_t modules_conf_t }:file r_file_perms;
 allow bootloader_t modules_object_t:dir r_dir_perms;
+ifdef(`distro_redhat', `
 allow bootloader_t modules_object_t:lnk_file { getattr read };
+')
 
 # for ldd
 ifdef(`fsadm.te', `
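Review bot: the `ifdef(`distro_redhat', ...)` wrapper around `allow bootloader_t modules_object_t:lnk_file { getattr read };` is consistent with the cover text, but the policy file itself gives no reason why only Red Hat needs symlink access in the modules directory; a short comment inside the ifdef would keep that knowledge with the rule.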
diff -ru /usr/src/se/policy/domains/program/unused/cpucontrol.te ./domains/program/unused/cpucontrol.te
--- /usr/src/se/policy/domains/program/unused/cpucontrol.te	2004-08-24 16:01:19.000000000 +1000
+++ ./domains/program/unused/cpucontrol.te	2004-08-22 19:08:10.000000000 +1000
@@ -9,8 +9,8 @@
 
 # Access cpu devices.
 allow cpucontrol_t cpu_device_t:chr_file rw_file_perms;
+allow cpucontrol_t device_t:lnk_file { getattr read };
 allow initrc_t cpu_device_t:chr_file getattr;
-allow cpucontrol_t device_t:lnk_file { read };
 
 allow cpucontrol_t self:capability sys_rawio;
 
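Review bot: moving the `device_t:lnk_file` rule above `allow initrc_t cpu_device_t:chr_file getattr;` turns what is really a one-permission change (adding `getattr`) into a remove/add pair; either keep the line in place or mention the reorder. Since device_t:lnk_file covers every symlink under /dev, a comment stating this is for a symlink in /dev, as the cover text says, would help a later reviewer judge the scope.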
diff -ru /usr/src/se/policy/domains/program/unused/cups.te ./domains/program/unused/cups.te
--- /usr/src/se/policy/domains/program/unused/cups.te	2004-08-02 16:59:48.000000000 +1000
+++ ./domains/program/unused/cups.te	2004-08-24 16:10:02.000000000 +1000
@@ -152,11 +152,10 @@
 allow ptal_t printer_device_t:chr_file { ioctl read write };
 allow ptal_t { etc_t etc_runtime_t }:file { getattr read };
 r_dir_file(ptal_t, usbdevfs_t)
-allow cupsd_t ptal_var_run_t:sock_file { write setattr } ;
+allow cupsd_t ptal_var_run_t:sock_file { write setattr };
 allow cupsd_t ptal_t:unix_stream_socket { connectto };
 allow cupsd_t ptal_var_run_t:dir { search };
 dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
 
-allow cupsd_t printer_device_t:fifo_file rw_file_perms;
 dontaudit cupsd_t selinux_config_t:dir search;
 dontaudit cupsd_t selinux_config_t:file { getattr read };
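Review bot: the whitespace-only change to the `ptal_var_run_t:sock_file` line is mixed into the same hunk as the removal of `allow cupsd_t printer_device_t:fifo_file rw_file_perms;`, so a reviewer looking for semantic changes has to diff those two lines by eye; keep cosmetic fixes in their own hunk. The removal itself is sound given that no file_contexts entry can produce a printer_device_t fifo_file.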
diff -ru /usr/src/se/policy/domains/program/unused/dovecot.te ./domains/program/unused/dovecot.te
--- /usr/src/se/policy/domains/program/unused/dovecot.te	2004-06-30 13:03:13.000000000 +1000
+++ ./domains/program/unused/dovecot.te	2004-08-24 16:19:10.000000000 +1000
@@ -11,20 +11,15 @@
 
 type dovecot_cert_t, file_type, sysadmfile;
 
-allow dovecot_t self:capability { chown net_bind_service setgid setuid sys_chroot dac_override dac_read_search };
+allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
 allow dovecot_t self:process { setrlimit };
 can_network(dovecot_t)
 allow dovecot_t self:unix_dgram_socket create_socket_perms;
 allow dovecot_t self:unix_stream_socket create_stream_socket_perms;
 can_unix_connect(dovecot_t, self)
 
-# For SSL certificates
-allow dovecot_t usr_t:file { getattr read };
-
 allow dovecot_t etc_t:file { getattr read };
 allow dovecot_t initrc_var_run_t:file { getattr };
-# Dovecot sub-binaries are lib_t on Debian and bin_t on Fedora
-allow dovecot_t lib_t:file { execute execute_no_trans };
 allow dovecot_t bin_t:dir { getattr search };
 can_exec(dovecot_t, bin_t)
 
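Review bot: removing `allow dovecot_t lib_t:file { execute execute_no_trans };` depends on the Debian file_contexts change that relabels the sub-binaries to bin_t, and that .fc change is not part of diff1; applying this hunk ahead of it breaks dovecot on Debian. The reordering of the `self:capability` list on the first pair of lines is pure noise that enlarges the diff without changing the compiled policy. No rule granting dovecot_t read access to dovecot_cert_t is visible in this hunk, so confirm one exists elsewhere in dovecot.te now that the usr_t read is gone.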
diff -ru /usr/src/se/policy/domains/program/unused/ftpd.te ./domains/program/unused/ftpd.te
--- /usr/src/se/policy/domains/program/unused/ftpd.te	2004-08-08 22:16:26.000000000 +1000
+++ ./domains/program/unused/ftpd.te	2004-08-24 16:32:22.000000000 +1000
@@ -24,6 +24,7 @@
 
 allow ftpd_t bin_t:dir search;
 can_exec(ftpd_t, bin_t)
+allow ftpd_t bin_t:lnk_file read;
 allow ftpd_t { sysctl_t sysctl_kernel_t }:dir search;
 allow ftpd_t sysctl_kernel_t:file { getattr read };
 
@@ -32,14 +33,11 @@
 ifdef(`crond.te', `
 system_crond_entry(ftpd_exec_t, ftpd_t)
 can_exec(ftpd_t, { sbin_t shell_exec_t })
+allow ftpd_t usr_t:file { getattr read };
 ')
 
 allow ftpd_t ftp_data_port_t:tcp_socket name_bind;
 
-ifdef(`inetd.te', `
-domain_auto_trans(inetd_t, ftpd_exec_t, ftpd_t)
-')
-
 # Allow ftpd to run directly without inetd.
 bool ftpd_is_daemon false;
 if (ftpd_is_daemon) {
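Review bot: `allow ftpd_t usr_t:file { getattr read };` is placed inside `ifdef(`crond.te', ...)`, which ties a general read of usr_t files to whether cron policy happens to be loaded; if the access is needed in normal operation it belongs outside the ifdef, and if it is only needed for the cron-driven case a comment should say so. The removal of the unconditional inetd_t transition here is fine as long as the re-addition under `if (!ftpd_is_daemon)` in the next hunk lands with it.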
@@ -47,10 +45,10 @@
 allow ftpd_t ftp_port_t:tcp_socket name_bind;
 can_tcp_connect(userdomain, ftpd_t)
 }
-
 ifdef(`inetd.te', `
 if (!ftpd_is_daemon) {
 ifdef(`tcpd.te', `domain_auto_trans(tcpd_t, ftpd_exec_t, ftpd_t)')
+domain_auto_trans(inetd_t, ftpd_exec_t, ftpd_t)
 
 # Use sockets inherited from inetd.
 allow ftpd_t inetd_t:fd use;
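Review bot: moving `domain_auto_trans(inetd_t, ftpd_exec_t, ftpd_t)` under `if (!ftpd_is_daemon)` next to the tcpd_t transition is the correct fix; both entry paths into ftpd_t are now governed by the same boolean, and the `allow ftpd_t inetd_t:fd use;` context below already lived in that block. The deleted blank line is cosmetic.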
@@ -87,11 +85,12 @@
 
 dontaudit ftpd_t sysadm_home_dir_t:dir getattr;
 dontaudit ftpd_t krb5_conf_t:file { write };
+dontaudit ftpd_t selinux_config_t:dir search;
 allow ftpd_t krb5_conf_t:file { getattr read };
 ifdef(`automount.te', `
 allow ftpd_t autofs_t:dir { search };
 ')
-allow ftpd_t self:file { read };
+allow ftpd_t self:file { getattr read };
 tmp_domain(ftpd)
 
 # Allow ftp to read/write files in the user home directories.
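Review bot: the new `dontaudit ftpd_t selinux_config_t:dir search;` is inserted between `dontaudit ftpd_t krb5_conf_t:file { write };` and `allow ftpd_t krb5_conf_t:file { getattr read };`, splitting two related rules; move it below the krb5_conf_t pair. The dontaudit itself follows the pattern used for cupsd_t earlier in this patch.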
@@ -101,4 +100,4 @@
 allow ftpd_t nfs_t:dir r_dir_perms;
 allow ftpd_t nfs_t:file r_file_perms;
 }
-')
+')dnl end if nfs_home_dirs
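Review bot: the `dnl end if nfs_home_dirs` trailer is a good addition given how deeply the ifdef and if blocks nest in ftpd.te; the `ifdef(`inetd.te', ...)` block touched in the earlier hunk would benefit from the same trailer for consistency.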
diff -ru /usr/src/se/policy/domains/program/unused/hald.te ./domains/program/unused/hald.te
--- /usr/src/se/policy/domains/program/unused/hald.te	2004-08-18 22:42:50.000000000 +1000
+++ ./domains/program/unused/hald.te	2004-08-23 20:35:07.000000000 +1000
@@ -10,14 +10,15 @@
 #
 # hald_exec_t is the type of the hald executable.
 #
-daemon_domain(hald, `, dbus_client_domain')
+daemon_domain(hald, `, dbus_client_domain, fs_domain')
 
-allow hald_t etc_t:file { getattr read };
+allow hald_t { etc_t etc_runtime_t }:file { getattr read };
 allow hald_t self:unix_stream_socket create_stream_socket_perms;
+allow hald_t self:unix_dgram_socket create_socket_perms;
 
 allow hald_t dbusd_t:dbus { acquire_svc };
 
-allow hald_t self:file { getattr read };
+allow hald_t { self proc_t }:file { getattr read };
 
 allow hald_t { bin_t sbin_t }:dir search;
 allow hald_t hald_t:fifo_file rw_file_perms;
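Review bot: adding `fs_domain` to the daemon_domain() attribute list pulls in every rule written against that attribute, which is considerably more than the explicit lines in this hunk show; a comment naming what hald actually needs from it (the cover text points at disk access) would make the widening reviewable. `allow hald_t { self proc_t }:file { getattr read };` also broadens from self to all of proc_t; if hald reads only a few /proc files, keeping the self rule and adding the specific proc types would be narrower.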
@@ -28,8 +29,14 @@
 allow hald_t self:capability { net_admin sys_admin };
 can_network(hald_t)
 
+allow hald_t fixed_disk_device_t:blk_file { getattr read };
+allow hald_t event_device_t:chr_file { getattr read };
+
 ifdef(`updfstab.te', `domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t)')
-ifdef(`udev.te', `domain_auto_trans(hald_t, udev_exec_t, udev_t)')
+ifdef(`udev.te', `
+domain_auto_trans(hald_t, udev_exec_t, udev_t)
+allow udev_t hald_t:unix_dgram_socket sendto;
+')
 
 allow hald_t usbdevfs_t:dir search;
 allow hald_t usbdevfs_t:file { getattr read };
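Review bot: `allow hald_t fixed_disk_device_t:blk_file { getattr read };` lets hald read raw disk contents, including data belonging to every other domain; the cover text records reluctance about this, and that reluctance belongs in the policy file as a comment so the rule is revisited when hald's probing requirements change. `allow udev_t hald_t:unix_dgram_socket sendto;` here and the hotplug_t equivalent later in this patch are the two cases the proposed hald_client_domain attribute would collapse into one rule.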
diff -ru /usr/src/se/policy/domains/program/unused/hotplug.te ./domains/program/unused/hotplug.te
--- /usr/src/se/policy/domains/program/unused/hotplug.te	2004-08-21 13:19:07.000000000 +1000
+++ ./domains/program/unused/hotplug.te	2004-08-23 16:37:52.000000000 +1000
@@ -17,14 +17,13 @@
 ')
 
 etcdir_domain(hotplug)
-typealias hotplug_etc_t alias etc_hotplug_t;
 
 allow hotplug_t self:fifo_file { read write getattr ioctl };
 allow hotplug_t self:unix_dgram_socket create_socket_perms;
 allow hotplug_t self:unix_stream_socket create_socket_perms;
 allow hotplug_t self:udp_socket create_socket_perms;
 
-allow hotplug_t sysctl_net_t:dir search;
+allow hotplug_t sysctl_net_t:dir r_dir_perms;
 allow hotplug_t sysctl_net_t:file { getattr read };
 
 # get info from /proc
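Review bot: removing `typealias hotplug_etc_t alias etc_hotplug_t;` will break compilation of any policy file or file_contexts entry that still refers to etc_hotplug_t; nothing in this hunk shows the remaining references were checked, so grep the tree before dropping the alias. Widening `sysctl_net_t:dir` from search to r_dir_perms is harmless.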
@@ -43,12 +42,16 @@
 allow hotplug_t { bin_t sbin_t }:dir search;
 allow hotplug_t { bin_t sbin_t }:lnk_file read;
 can_exec(hotplug_t, { hotplug_exec_t bin_t sbin_t ls_exec_t shell_exec_t hotplug_etc_t etc_t })
-ifdef(`hostname.te', `
-can_exec(hotplug_t, hostname_exec_t)
-')
+ifdef(`hostname.te', `can_exec(hotplug_t, hostname_exec_t)')
+ifdef(`netutils.te', `
+ifdef(`distro_redhat', `
+# for arping used for static IP addresses on PCMCIA ethernet
+domain_auto_trans(hotplug_t, netutils_exec_t, netutils_t)
+')dnl end if distro_redhat
+')dnl end if netutils.te
 
 allow initrc_t usbdevfs_t:file { getattr read ioctl };
-allow initrc_t modules_dep_t:file { getattr read };
+allow initrc_t modules_dep_t:file { getattr read ioctl };
 r_dir_file(hotplug_t, usbdevfs_t)
 allow hotplug_t usbfs_t:dir r_dir_perms;
 allow hotplug_t usbfs_t:file { getattr read };
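Review bot: `domain_auto_trans(hotplug_t, netutils_exec_t, netutils_t)` runs arping in netutils_t rather than granting raw-socket access to hotplug_t itself, which is the right shape for this, and the comment explains the PCMCIA case well. The unrelated `allow initrc_t modules_dep_t:file { getattr read ioctl };` change and the one-line collapse of the hostname.te ifdef would be easier to review as separate hunks.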
@@ -64,6 +67,10 @@
 allow hotplug_t var_lock_t:file getattr;
 ')
 
+ifdef(`hald.te', `
+allow hotplug_t hald_t:unix_dgram_socket sendto;
+')
+
 # for killall
 allow hotplug_t self:process { getsession getattr };
 allow hotplug_t self:file getattr;
@@ -129,8 +136,7 @@
 allow hotplug_t sound_device_t:chr_file { setattr };
 
 ifdef(`udev.te', `
-domain_auto_trans(hotplug_t, udev_exec_t, udev_t)
-domain_auto_trans(hotplug_t, udev_helper_exec_t, udev_t)
+domain_auto_trans(hotplug_t, { udev_exec_t udev_helper_exec_t }, udev_t)
 ')
 
 file_type_auto_trans(hotplug_t, etc_t, etc_runtime_t, file)
@@ -143,7 +149,7 @@
 domain_auto_trans(hotplug_t, sendmail_exec_t, system_mail_t) 
 ')
 
-allow restorecon_t hotplug_t:fd { use };
+allow restorecon_t hotplug_t:fd use;
 
 ifdef(`unlimitedUtils', `
 unconfined_domain(hotplug_t) 
diff -ru /usr/src/se/policy/domains/program/unused/lvm.te ./domains/program/unused/lvm.te
--- /usr/src/se/policy/domains/program/unused/lvm.te	2004-08-19 17:10:36.000000000 +1000
+++ ./domains/program/unused/lvm.te	2004-08-18 19:00:03.000000000 +1000
@@ -32,6 +32,7 @@
 allow lvm_t self:process { setsched };
 
 allow lvm_t self:fifo_file rw_file_perms;
+allow lvm_t self:unix_dgram_socket create_socket_perms;
 
 r_dir_file(lvm_t, proc_t)
 allow lvm_t self:file r_file_perms;
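Review bot: `allow lvm_t self:unix_dgram_socket create_socket_perms;` comes with no comment, and the cover text gives no reason either; if this is for syslog(3) from the lvm tools, which is the usual reason a daemon needs a self unix_dgram_socket, say so next to the rule.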
