* Re: Progress! .532 boots! -- but dbus/hotplug/udev problems remain? [not found] <4130CF1B.3090909@comcast.net> @ 2004-08-29 7:37 ` Russell Coker 2004-08-29 10:06 ` Luke Kenneth Casson Leighton ` (2 more replies) 0 siblings, 3 replies; 12+ messages in thread From: Russell Coker @ 2004-08-29 7:37 UTC (permalink / raw) To: fedora-selinux-list, SE-Linux; +Cc: Tom London [-- Attachment #1: Type: text/plain, Size: 677 bytes --] On Sun, 29 Aug 2004 04:29, Tom London <selinux@comcast.net> wrote: > Newest Rawhide updates (including udev-030-10, mkinitrd-4.1.8-1, > kernel-2.6.8-1.532, and selinux-policy-strict-1.17.5-2) > now boots in strict/enforcing. I've attached a diff against the CVS policy as well as the .te and .fc files for udev changes which fix this and address some other issues as well. Please try it out and let me know how it goes. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page [-- Attachment #2: udev.diff --] [-- Type: text/x-diff, Size: 3514 bytes --] --- /usr/src/se/policy/domains/program/unused/udev.te 2004-08-28 12:05:05.000000000 +1000 +++ domains/program/unused/udev.te 2004-08-29 17:32:55.000000000 +1000 @@ -16,7 +16,6 @@ etc_domain(udev) typealias udev_etc_t alias etc_udev_t; type udev_helper_exec_t, file_type, sysadmfile, exec_type; -r_dir_file(udev_t, udev_helper_exec_t) can_exec(udev_t, udev_helper_exec_t) # 
@@ -32,19 +31,20 @@ allow udev_t device_t:blk_file create_file_perms; allow udev_t device_t:chr_file create_file_perms; allow udev_t device_t:sock_file create_file_perms; -allow udev_t etc_t:file { getattr read execute }; +allow udev_t device_t:lnk_file create_lnk_perms; +allow udev_t etc_t:file { getattr read }; allow udev_t { bin_t sbin_t }:dir r_dir_perms; allow udev_t { sbin_t bin_t }:lnk_file read; -can_exec(udev_t, { shell_exec_t bin_t sbin_t } ) +allow udev_t bin_t:lnk_file read; +can_exec(udev_t, { shell_exec_t bin_t sbin_t etc_t } ) can_exec(udev_t, udev_exec_t) -can_exec(udev_t, hostname_exec_t) -can_exec(udev_t, iptables_exec_t) r_dir_file(udev_t, sysfs_t) allow udev_t sysadm_tty_device_t:chr_file { read write }; allow udev_t { device_t device_type }:{chr_file blk_file} { relabelfrom relabelto create_file_perms }; -# to read the file_contexts file? -r_dir_file(udev_t, policy_config_t) +# to read the file_contexts file +allow udev_t { selinux_config_t default_context_t }:dir search; +allow udev_t default_context_t:file { getattr read }; allow udev_t policy_config_t:dir { search }; allow udev_t proc_t:file { read }; @@ -52,6 +52,9 @@ # Get security policy decisions. can_getsecurity(udev_t) +# set file system create context +can_setfscreate(udev_t) + allow udev_t kernel_t:fd { use }; allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write }; @@ -61,7 +64,9 @@ domain_auto_trans(initrc_t, udev_exec_t, udev_t) domain_auto_trans(kernel_t, udev_exec_t, udev_t) domain_auto_trans(udev_t, restorecon_exec_t, restorecon_t) -allow restorecon_t udev_t:unix_dgram_socket { read write }; +ifdef(`hide_broken_symptoms', ` +dontaudit restorecon_t udev_t:unix_dgram_socket { read write }; +') allow udev_t devpts_t:dir { search }; allow udev_t etc_runtime_t:file { getattr read }; allow udev_t etc_t:file { ioctl }; 
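Review bot: `can_exec(udev_t, { shell_exec_t bin_t sbin_t etc_t } )` in the @@ -32 hunk lets udev_t execute anything labelled etc_t, which is essentially the whole of /etc, while the same patch adds udev_helper_exec_t labels for /etc/dev.d and /etc/udev/scripts precisely so that the scripts udev runs can be told apart from ordinary configuration; the blanket etc_t grant undercuts that and widens what a misconfigured or compromised udev can run. If one specific file under /etc is still being executed as etc_t, it would be better to give that path a udev_helper_exec_t entry in udev.fc and drop etc_t from the can_exec list, and a comment naming the file that needed it would help the next reader decide. The same line is carried unchanged into the merged @@ -32 hunk in James Carter's reply further down the thread.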
@@ -79,12 +84,11 @@ can_exec(udev_t, consoletype_exec_t) ') domain_auto_trans(udev_t, ifconfig_exec_t, ifconfig_t) -allow ifconfig_t udev_t:unix_dgram_socket { read write }; +ifdef(`hide_broken_symptoms', ` +dontaudit ifconfig_t udev_t:unix_dgram_socket { read write }; +') dontaudit udev_t file_t:dir search; -allow udev_t device_t:lnk_file create_file_perms; -allow udev_t var_lock_t:dir { search }; -allow udev_t var_lock_t:file { getattr read }; ifdef(`dhcpc.te', ` domain_auto_trans(udev_t, dhcpc_exec_t, dhcpc_t) ') --- /usr/src/se/policy/file_contexts/program/udev.fc 2004-08-28 12:05:11.000000000 +1000 +++ file_contexts/program/udev.fc 2004-08-29 17:26:29.000000000 +1000 
@@ -3,7 +3,8 @@ /sbin/udev -- system_u:object_r:udev_exec_t /sbin/udevd -- system_u:object_r:udev_exec_t /usr/bin/udevinfo -- system_u:object_r:udev_exec_t -/etc/dev\.d(/.*)? system_u:object_r:udev_helper_exec_t -/etc/hotplug.d/default/udev.* system_u:object_r:udev_helper_exec_t +/etc/dev\.d/.+ -- system_u:object_r:udev_helper_exec_t +/etc/udev/scripts/.+ -- system_u:object_r:udev_helper_exec_t +/etc/hotplug.d/default/udev.* -- system_u:object_r:udev_helper_exec_t /dev/udev\.tbl -- system_u:object_r:udev_tbl_t /dev/\.udev\.tdb -- system_u:object_r:udev_tbl_t [-- Attachment #3: udev.te --] [-- Type: text/plain, Size: 3044 bytes --] #DESC udev - Linux configurable dynamic device naming support # # Author: Dan Walsh dwalsh@redhat.com # ################################# # # Rules for the udev_t domain. # # udev_exec_t is the type of the udev executable. # daemon_domain(udev, `, privmodule, privmem, fs_domain, privfd, dbus_client_domain') general_domain_access(udev_t) etc_domain(udev) typealias udev_etc_t alias etc_udev_t; type udev_helper_exec_t, file_type, sysadmfile, exec_type; can_exec(udev_t, udev_helper_exec_t) # # Rules used for udev # type udev_tbl_t, file_type, sysadmfile; file_type_auto_trans(udev_t, device_t, udev_tbl_t, file) allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod }; allow udev_t self:file { getattr read }; allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms}; allow udev_t self:unix_dgram_socket create_socket_perms; allow udev_t self:fifo_file rw_file_perms; allow udev_t device_t:blk_file create_file_perms; allow udev_t device_t:chr_file create_file_perms; allow udev_t device_t:sock_file create_file_perms; allow udev_t device_t:lnk_file create_lnk_perms; allow udev_t etc_t:file { getattr read }; allow udev_t { bin_t sbin_t }:dir r_dir_perms; allow udev_t { sbin_t bin_t }:lnk_file read; allow udev_t bin_t:lnk_file read; can_exec(udev_t, { shell_exec_t bin_t sbin_t etc_t } ) 
can_exec(udev_t, udev_exec_t) r_dir_file(udev_t, sysfs_t) allow udev_t sysadm_tty_device_t:chr_file { read write }; allow udev_t { device_t device_type }:{chr_file blk_file} { relabelfrom relabelto create_file_perms }; # to read the file_contexts file allow udev_t { selinux_config_t default_context_t }:dir search; allow udev_t default_context_t:file { getattr read }; allow udev_t policy_config_t:dir { search }; allow udev_t proc_t:file { read }; # Get security policy decisions. can_getsecurity(udev_t) # set file system create context can_setfscreate(udev_t) allow udev_t kernel_t:fd { use }; allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write }; allow udev_t initrc_var_run_t:file r_file_perms; dontaudit udev_t initrc_var_run_t:file write; domain_auto_trans(initrc_t, udev_exec_t, udev_t) domain_auto_trans(kernel_t, udev_exec_t, udev_t) domain_auto_trans(udev_t, restorecon_exec_t, restorecon_t) ifdef(`hide_broken_symptoms', ` dontaudit restorecon_t udev_t:unix_dgram_socket { read write }; ') allow udev_t devpts_t:dir { search }; allow udev_t etc_runtime_t:file { getattr read }; allow udev_t etc_t:file { ioctl }; allow udev_t proc_t:file { getattr }; ifdef(`xdm.te', ` allow udev_t xdm_var_run_t:file { getattr read }; ') ifdef(`hotplug.te', ` r_dir_file(udev_t, hotplug_etc_t) ') allow udev_t var_log_t:dir { search }; ifdef(`consoletype.te', ` can_exec(udev_t, consoletype_exec_t) ') domain_auto_trans(udev_t, ifconfig_exec_t, ifconfig_t) ifdef(`hide_broken_symptoms', ` dontaudit ifconfig_t udev_t:unix_dgram_socket { read write }; ') dontaudit udev_t file_t:dir search; ifdef(`dhcpc.te', ` domain_auto_trans(udev_t, dhcpc_exec_t, dhcpc_t) ') [-- Attachment #4: udev.fc --] [-- Type: text/plain, Size: 477 bytes --] # udev /sbin/udevsend -- system_u:object_r:udev_exec_t /sbin/udev -- system_u:object_r:udev_exec_t /sbin/udevd -- system_u:object_r:udev_exec_t /usr/bin/udevinfo -- system_u:object_r:udev_exec_t /etc/dev\.d/.+ -- system_u:object_r:udev_helper_exec_t 
/etc/udev/scripts/.+ -- system_u:object_r:udev_helper_exec_t /etc/hotplug.d/default/udev.* -- system_u:object_r:udev_helper_exec_t /dev/udev\.tbl -- system_u:object_r:udev_tbl_t /dev/\.udev\.tdb -- system_u:object_r:udev_tbl_t ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Progress! .532 boots! -- but dbus/hotplug/udev problems remain? 2004-08-29 7:37 ` Progress! .532 boots! -- but dbus/hotplug/udev problems remain? Russell Coker @ 2004-08-29 10:06 ` Luke Kenneth Casson Leighton 2004-08-30 18:17 ` Daniel J Walsh 2004-08-29 19:32 ` Tom London 2004-08-29 19:53 ` Tom London 2 siblings, 1 reply; 12+ messages in thread From: Luke Kenneth Casson Leighton @ 2004-08-29 10:06 UTC (permalink / raw) To: Russell Coker; +Cc: fedora-selinux-list, SE-Linux, Tom London btw i didn't see an acknowledgement from the person who sent the last udev patch (dan was it you?) the use of the "mode" argument it is clear has not been used, to call i think it was matchpathcon. instead, because i had three near-identical code portions all of which had different S_IFXXX thingies, dan-i-think-it-was moved the near-identical code into a function with a "mode" argument... ... and forgot to use the "mode" argument such that matchpathcon is called with S_IFDIR. given that i haven't seen an acknowledgement of this issue either in my inbox or on the mailing lists (which i am checking manually) i thought it best to hassle people until i know it's been spotted. this is IMPORTANT because it will impact the contexts on inodes and stuff created in /dev: the "optimising" argument "mode" passed to matchpathcon and setfscreatecon, if wrong, results in relevant (and correct!) file_context entries being skipped! l. On Sun, Aug 29, 2004 at 05:37:17PM +1000, Russell Coker wrote: > On Sun, 29 Aug 2004 04:29, Tom London <selinux@comcast.net> wrote: > > Newest Rawhide updates (including udev-030-10, mkinitrd-4.1.8-1, > > kernel-2.6.8-1.532, and selinux-policy-strict-1.17.5-2) > > now boots in strict/enforcing. > > I've attached a diff against the CVS policy as well as the .te and .fc files > for udev changes which fix this and address some other issues as well. -- This message was distributed to subscribers of the selinux mailing list. 
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Progress! .532 boots! -- but dbus/hotplug/udev problems remain? 2004-08-29 10:06 ` Luke Kenneth Casson Leighton @ 2004-08-30 18:17 ` Daniel J Walsh 0 siblings, 0 replies; 12+ messages in thread 
From: Daniel J Walsh @ 2004-08-30 18:17 UTC (permalink / raw) To: Fedora SELinux support list for users & developers. Cc: Russell Coker, Tom London, SE-Linux [-- Attachment #1: Type: text/plain, Size: 1753 bytes --] Luke Kenneth Casson Leighton wrote: >btw i didn't see an acknowledgement from the person who sent the >last udev patch (dan was it you?) > >the use of the "mode" argument it is clear has not been used, >to call i think it was matchpathcon. > >instead, because i had three near-identical code portions all >of which had different S_IFXXX thingies, dan-i-think-it-was >moved the near-identical code into a function with a "mode" >argument... > >... and forgot to use the "mode" argument such that matchpathcon >is called with S_IFDIR. > >given that i haven't seen an acknowledgement of this issue >either in my inbox or on the mailing lists (which i am checking >manually) i thought it best to hassle people until i know it's >been spotted. > >this is IMPORTANT because it will impact the contexts on >inodes and stuff created in /dev: the "optimising" argument >"mode" passed to matchpathcon and setfscreatecon, if wrong, >results in relevant (and correct!) file_context entries being >skipped! > >l. > >On Sun, Aug 29, 2004 at 05:37:17PM +1000, Russell Coker wrote: > > > >>On Sun, 29 Aug 2004 04:29, Tom London <selinux@comcast.net> wrote: >> >> >>>Newest Rawhide updates (including udev-030-10, mkinitrd-4.1.8-1, >>>kernel-2.6.8-1.532, and selinux-policy-strict-1.17.5-2) >>>now boots in strict/enforcing. >>> >>> >>I've attached a diff against the CVS policy as well as the .te and .fc files >>for udev changes which fix this and address some other issues as well. >> >> >-- >fedora-selinux-list mailing list >fedora-selinux-list@redhat.com >http://www.redhat.com/mailman/listinfo/fedora-selinux-list > > Yes it was me and I modified our udev rpm, but I guess I never responded. Sorry about that. Luke thanks for the fix. 
Dan [-- Attachment #2: udev-030-selinux.patch --] [-- Type: text/plain, Size: 4512 bytes --] --- udev-030/Makefile.selinux 2004-07-09 13:59:09.000000000 -0400 +++ udev-030/Makefile 2004-08-27 09:28:25.000000000 -0400 @@ -25,6 +25,8 @@ # Leave this set to `false' for production use. DEBUG = false +# Set this to compile with Security-Enhanced Linux support. +USE_SELINUX = true ROOT = udev DAEMON = udevd @@ -172,6 +174,11 @@ CFLAGS += -I$(PWD)/libsysfs +ifeq ($(strip $(USE_SELINUX)),true) + CFLAGS += -DUSE_SELINUX + LIB_OBJS += -lselinux +endif + all: $(ROOT) $(SENDER) $(DAEMON) $(INFO) $(TESTER) $(STARTER) @extras="$(EXTRAS)" ; for target in $$extras ; do \ echo $$target ; \ @@ -216,6 +223,7 @@ udevdb.h \ klibc_fixups.h \ logging.h \ + selinux.h \ list.h ifeq ($(strip $(USE_KLIBC)),true) --- udev-030/selinux.h.selinux 2004-08-27 15:27:32.211405217 -0400 +++ udev-030/selinux.h 2004-08-27 15:26:31.620370476 -0400 
@@ -0,0 +1,80 @@
+#ifndef SELINUX_H
+#define SELINUX_H
+
+#ifndef USE_SELINUX
+
+static inline void selinux_setfilecon(char *file, unsigned int mode) { }
+static inline void selinux_setfscreatecon(char *file, unsigned int mode) {}
+static inline void selinux_init(void) {}
+static inline void selinux_restore(void) {}
+
+#else
+
+#include <selinux/selinux.h>
+
+static int selinux_enabled=-1;
+static security_context_t prev_scontext=NULL;
+
+static inline int is_selinux_running(void) {
+ if ( selinux_enabled==-1 )
+ return selinux_enabled=is_selinux_enabled()>0;
+ return selinux_enabled;
+}
+static inline void selinux_setfilecon(char *file, unsigned int mode) {
+ if (is_selinux_running()) {
+ security_context_t scontext=NULL;
+ if (matchpathcon(file, mode, &scontext) < 0) {
+ dbg("matchpathcon(%s) failed\n", file);
+ } else {
+
+ if (setfilecon(file, scontext) < 0)
+ dbg("setfiles %s failed with error '%s'",
+ file, strerror(errno));
+ freecon(scontext);
+ }
+ }
+}
+
+static inline void selinux_setfscreatecon(char *file, unsigned int mode) {
+ int retval = 0;
+ security_context_t scontext=NULL;
+
+ if (is_selinux_running()) {
+ if (matchpathcon(file, mode, &scontext) < 0) {
+ dbg("matchpathcon(%s) failed\n", file);
+ } else {
+ retval=setfscreatecon(scontext);
+ if (retval < 0)
+ dbg("setfiles %s failed with error '%s'",
+ file, strerror(errno));
+ freecon(scontext);
+ }
+ }
+}
+static inline void selinux_init(void) {
+ /* record the present security context, for file-creation
+ * restoration creation purposes.
+ *
+ */
+
+ if (is_selinux_running())
+ {
+ if (getfscreatecon(&prev_scontext) < 0) {
+ dbg("getfscreatecon failed\n");
+ }
+ prev_scontext=NULL;
+ }
+}
+static inline void selinux_restore(void) {
+ if (is_selinux_running()) {
+ /* reset the file create context to its former glory */
+ if ( setfscreatecon(prev_scontext) < 0 )
+ dbg("setfscreatecon failed\n");
+ if (prev_scontext) {
+ freecon(prev_scontext);
+ prev_scontext=NULL;
+ }
+ }
+}
+#endif /* USE_SELINUX */
+#endif /* SELINUX_H */
--- udev-030/udev-add.c.selinux 2004-08-26 13:06:56.000000000 -0400
+++ udev-030/udev-add.c 2004-08-26 14:16:05.000000000 -0400
@@ -50,6 +50,8 @@ #define LOCAL_USER "$local" +#include "selinux.h" + /* * Right now the major/minor of a device is stored in a file called * "dev" in sysfs.
@@ -92,6 +94,7 @@ break; *pos = 0x00; if (stat(p, &stats)) { + selinux_setfscreatecon(p, S_IFDIR); retval = mkdir(p, 0755); if (retval != 0) { dbg("mkdir(%s) failed with error '%s'",
@@ -117,6 +120,7 @@ if (((stats.st_mode & S_IFMT) == S_IFBLK || (stats.st_mode & S_IFMT) == S_IFCHR) && (stats.st_rdev == makedev(major, minor))) { dbg("preserve file '%s', cause it has correct dev_t", file); + selinux_setfilecon(file,stats.st_mode); if (udev_preserve_owner) goto exit; else
@@ -129,6 +133,7 @@ dbg("already present file '%s' unlinked", file); create: + selinux_setfscreatecon(file, mode); retval = mknod(file, mode, makedev(major, minor)); if (retval != 0) { dbg("mknod(%s, %#o, %u, %u) failed with error '%s'",
@@ -307,6 +312,7 @@ dbg("symlink(%s, %s)", linktarget, filename); if (!fake) { + selinux_setfscreatecon(filename, S_IFLNK); unlink(filename); if (symlink(linktarget, filename) != 0) dbg("symlink(%s, %s) failed with error '%s'",
@@ -441,6 +447,7 @@ dbg("name='%s'", dev.name); + selinux_init(); switch (dev.type) { case 'b': case 'c':
@@ -478,6 +485,7 @@ } exit: + selinux_restore(); sysfs_close_class_device(class_dev); return retval; ^ permalink raw reply [flat|nested] 12+ messages in thread
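Review bot: In selinux_init() the line `prev_scontext=NULL;` runs unconditionally right after getfscreatecon() has filled prev_scontext, so the saved context is leaked and selinux_restore() always calls setfscreatecon(NULL) — a reset to the default, not the restoration the comment above it promises; dropping that one line is enough, since selinux_restore() already frees and clears prev_scontext. A second point in selinux_setfscreatecon(): when matchpathcon() fails, the process-wide create context left behind by an earlier call stays in force, so the next mkdir()/mknod()/symlink() inherits a context computed for a different path; the failure branch should clear it, e.g. `setfscreatecon(NULL);` after the dbg(). The `file` parameters are never written through and could be `const char *`, which also matches the type matchpathcon() takes. The header is new and lies entirely within this hunk.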
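Review bot: In the @@ -478 hunk `selinux_restore();` sits under the `exit:` label, so the create context set by selinux_init() and the selinux_setfscreatecon() calls is cleared only on paths that reach that label; any return between `selinux_init();` (@@ -441) and `exit:` — those paths are outside the hunks shown — would leave a per-path create context in force for whatever the process creates afterwards. A short comment at the `selinux_init();` call, e.g. `/* every path from here must leave via exit: so that selinux_restore() runs */`, would make that invariant explicit for the next maintainer. The @@ -92 parent-directory hunk likewise sets a directory context that is only replaced by the next set call or by restore; a reset right after the mkdir() would keep it from leaking into the following creation. Every function touched here starts and ends outside its hunk.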
* Re: Progress! .532 boots! -- but dbus/hotplug/udev problems remain? 2004-08-29 7:37 ` Progress! .532 boots! -- but dbus/hotplug/udev problems remain? Russell Coker 2004-08-29 10:06 ` Luke Kenneth Casson Leighton @ 2004-08-29 19:32 ` Tom London 2004-08-29 20:59 ` Colin Walters 2004-09-01 6:37 ` Russell Coker 2004-08-29 19:53 ` Tom London 2 siblings, 2 replies; 12+ messages in thread From: Tom London @ 2004-08-29 19:32 UTC (permalink / raw) To: russell; +Cc: fedora-selinux-list, SE-Linux Russell, Thanks, but it didn't quite work. The following change to dbusd.te seems to make graphical login work under strict/enforcing. Please correct/improve... :) tom --- /root/src.package/policy/domains/program/dbusd.te 2004-08-29 11:38:27.000000000 -0700 +++ dbusd.te 2004-08-29 12:19:25.000000000 -0700 @@ -32,3 +32,7 @@ # SE-DBus specific permissions allow { dbus_client_domain userdomain } { dbusd_t self }:dbus { send_msg }; + +allow user_t etc_dbusd_t:dir { search }; +allow user_t etc_dbusd_t:file { getattr read }; +allow user_t user_t:netlink_selinux_socket { bind create }; Russell Coker wrote: >On Sun, 29 Aug 2004 04:29, Tom London <selinux@comcast.net> wrote: > > >>Newest Rawhide updates (including udev-030-10, mkinitrd-4.1.8-1, >>kernel-2.6.8-1.532, and selinux-policy-strict-1.17.5-2) >>now boots in strict/enforcing. >> >> > >I've attached a diff against the CVS policy as well as the .te and .fc files >for udev changes which fix this and address some other issues as well. > >Please try it out and let me know how it goes. > > > -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Progress! .532 boots! -- but dbus/hotplug/udev problems remain? 2004-08-29 19:32 ` Tom London @ 2004-08-29 20:59 ` Colin Walters 2004-09-01 6:37 ` Russell Coker 1 sibling, 0 replies; 12+ messages in thread From: Colin Walters @ 2004-08-29 20:59 UTC (permalink / raw) To: Fedora SELinux support list for users & developers.; +Cc: russell, SE-Linux [-- Attachment #1: Type: text/plain, Size: 303 bytes --] On Sun, 2004-08-29 at 12:32 -0700, Tom London wrote: > Russell, > > Thanks, but it didn't quite work. The following change to dbusd.te seems > to make graphical login work under strict/enforcing. I think we need to rework the dbusd.te to break it into dbusd_system_t and dbusd_{user,staff}_t. [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 189 bytes --] ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Progress! .532 boots! -- but dbus/hotplug/udev problems remain? 2004-08-29 19:32 ` Tom London 2004-08-29 20:59 ` Colin Walters @ 2004-09-01 6:37 ` Russell Coker 2004-09-01 11:33 ` Stephen Smalley 1 sibling, 1 reply; 12+ messages in thread From: Russell Coker @ 2004-09-01 6:37 UTC (permalink / raw) To: Tom London; +Cc: fedora-selinux-list, SE-Linux On Mon, 30 Aug 2004 05:32, Tom London <selinux@comcast.net> wrote: > --- /root/src.package/policy/domains/program/dbusd.te 2004-08-29 > 11:38:27.000000000 -0700 > +++ dbusd.te 2004-08-29 12:19:25.000000000 -0700 
> @@ -32,3 +32,7 @@ > > # SE-DBus specific permissions > allow { dbus_client_domain userdomain } { dbusd_t self }:dbus { send_msg > }; + > +allow user_t etc_dbusd_t:dir { search }; > +allow user_t etc_dbusd_t:file { getattr read }; > +allow user_t user_t:netlink_selinux_socket { bind create }; One thing to remember is that any time you see user_t in policy it's a local customisation or a bug. In this case it seems to me that one correct way of writing policy for this is the following: allow { dbus_client_domain userdomain } etc_dbusd_t:dir { search }; allow { dbus_client_domain userdomain } etc_dbusd_t:file { getattr read }; allow { dbus_client_domain userdomain } user_t:netlink_selinux_socket { bind create }; But then we are granting almost every domain that has any significance in the security of the system read access. So why not just label the files as etc_t and remove the etc_dbusd_t type entirely? -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Progress! .532 boots! -- but dbus/hotplug/udev problems remain? 2004-09-01 6:37 ` Russell Coker @ 2004-09-01 11:33 ` Stephen Smalley 2004-09-01 11:52 ` Stephen Smalley 0 siblings, 1 reply; 12+ messages in thread From: Stephen Smalley @ 2004-09-01 11:33 UTC (permalink / raw) To: Russell Coker, Fedora SELinux support list for users & developers. Cc: Tom London, SE-Linux On Wed, 2004-09-01 at 02:37, Russell Coker wrote: > One thing to remember is that any time you see user_t in policy it's a local > customisation or a bug. > > In this case it seems to me that one correct way of writing policy for this is > the following: > allow { dbus_client_domain userdomain } etc_dbusd_t:dir { search }; > allow { dbus_client_domain userdomain } etc_dbusd_t:file { getattr read }; > allow { dbus_client_domain userdomain } user_t:netlink_selinux_socket { bind > create }; > > But then we are granting almost every domain that has any significance in the > security of the system read access. So why not just label the files as etc_t > and remove the etc_dbusd_t type entirely? These permissions shouldn't be granted directly to the user domains. We need per-userdomain dbusd domains defined via a macro for the per-session message bus. -- Stephen Smalley <sds@epoch.ncsc.mil> National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Progress! .532 boots! -- but dbus/hotplug/udev problems remain? 2004-09-01 11:33 ` Stephen Smalley @ 2004-09-01 11:52 ` Stephen Smalley 0 siblings, 0 replies; 12+ messages in thread From: Stephen Smalley @ 2004-09-01 11:52 UTC (permalink / raw) To: Fedora SELinux support list for users & developers. Cc: Russell Coker, Tom London, SE-Linux On Wed, 2004-09-01 at 07:33, Stephen Smalley wrote: > These permissions shouldn't be granted directly to the user domains. We > need per-userdomain dbusd domains defined via a macro for the > per-session message bus. BTW, note that in the rawhide policy, Dan (or someone) has added a domain_auto_trans(userdomain, dbusd_exec_t, dbusd_t) to dbusd.te as a workaround so that the per-session bus daemons also run in dbusd_t, but that isn't truly what we want in the long term. -- Stephen Smalley <sds@epoch.ncsc.mil> National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Progress! .532 boots! -- but dbus/hotplug/udev problems remain? 2004-08-29 7:37 ` Progress! .532 boots! -- but dbus/hotplug/udev problems remain? Russell Coker 2004-08-29 10:06 ` Luke Kenneth Casson Leighton 2004-08-29 19:32 ` Tom London @ 2004-08-29 19:53 ` Tom London 2004-08-30 18:20 ` Daniel J Walsh 2004-08-30 20:42 ` James Carter 2 siblings, 2 replies; 12+ messages in thread From: Tom London @ 2004-08-29 19:53 UTC (permalink / raw) To: russell; +Cc: fedora-selinux-list, SE-Linux Russell, The following changes to udev.te seem needed.... (If udev shouldn't be reading file_contexts, then dontaudit?) Please correct/improve, tom --- /tmp/patches/udev.te 2004-08-29 11:35:48.000000000 -0700 +++ udev.te 2004-08-29 12:40:58.000000000 -0700 @@ -44,7 +44,9 @@ # to read the file_contexts file allow udev_t { selinux_config_t default_context_t }:dir search; -allow udev_t default_context_t:file { getattr read }; +allow udev_t { selinux_config_t default_context_t }:file { getattr read }; +allow udev_t file_context_t:dir { search }; +allow udev_t file_context_t:file { getattr read }; allow udev_t policy_config_t:dir { search }; allow udev_t proc_t:file { read }; Russell Coker wrote: >On Sun, 29 Aug 2004 04:29, Tom London <selinux@comcast.net> wrote: > > >>Newest Rawhide updates (including udev-030-10, mkinitrd-4.1.8-1, >>kernel-2.6.8-1.532, and selinux-policy-strict-1.17.5-2) >>now boots in strict/enforcing. >> >> > >I've attached a diff against the CVS policy as well as the .te and .fc files >for udev changes which fix this and address some other issues as well. > >Please try it out and let me know how it goes. > -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Progress! .532 boots! -- but dbus/hotplug/udev problems remain? 2004-08-29 19:53 ` Tom London @ 2004-08-30 18:20 ` Daniel J Walsh 2004-08-30 20:33 ` Luke Kenneth Casson Leighton 2004-08-30 20:42 ` James Carter 1 sibling, 1 reply; 12+ messages in thread From: Daniel J Walsh @ 2004-08-30 18:20 UTC (permalink / raw) To: Fedora SELinux support list for users & developers.; +Cc: russell, SE-Linux Tom London wrote: > Russell, > > The following changes to udev.te seem needed.... > (If udev shouldn't be reading file_contexts, then dontaudit?) > udev needs to read file_contexts. It is doing a matchpathcon in order to setup the devices with the correct context. > Please correct/improve, > tom > > --- /tmp/patches/udev.te 2004-08-29 11:35:48.000000000 -0700 > +++ udev.te 2004-08-29 12:40:58.000000000 -0700 
> @@ -44,7 +44,9 @@ > > # to read the file_contexts file > allow udev_t { selinux_config_t default_context_t }:dir search; > -allow udev_t default_context_t:file { getattr read }; > +allow udev_t { selinux_config_t default_context_t }:file { getattr > read }; > +allow udev_t file_context_t:dir { search }; > +allow udev_t file_context_t:file { getattr read }; > > allow udev_t policy_config_t:dir { search }; > allow udev_t proc_t:file { read }; > > > Russell Coker wrote: > >> On Sun, 29 Aug 2004 04:29, Tom London <selinux@comcast.net> wrote: >> >> >>> Newest Rawhide updates (including udev-030-10, mkinitrd-4.1.8-1, >>> kernel-2.6.8-1.532, and selinux-policy-strict-1.17.5-2) >>> now boots in strict/enforcing. >>> >> >> >> I've attached a diff against the CVS policy as well as the .te and >> .fc files for udev changes which fix this and address some other >> issues as well. >> >> Please try it out and let me know how it goes. >> > -- > fedora-selinux-list mailing list > fedora-selinux-list@redhat.com > http://www.redhat.com/mailman/listinfo/fedora-selinux-list -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Progress! .532 boots! -- but dbus/hotplug/udev problems remain? 2004-08-30 18:20 ` Daniel J Walsh @ 2004-08-30 20:33 ` Luke Kenneth Casson Leighton 0 siblings, 0 replies; 12+ messages in thread From: Luke Kenneth Casson Leighton @ 2004-08-30 20:33 UTC (permalink / raw) To: Daniel J Walsh Cc: Fedora SELinux support list for users & developers., russell, SE-Linux On Mon, Aug 30, 2004 at 02:20:32PM -0400, Daniel J Walsh wrote: > Tom London wrote: > > >Russell, > > > >The following changes to udev.te seem needed.... > >(If udev shouldn't be reading file_contexts, then dontaudit?) > > > udev needs to read file_contexts. It is doing a matchpathcon in order > to setup the devices with the correct context. dan, dan, you MUST fix the bug in that patch before making changes to the selinux policy files for udev!!! matchpathcon() is being called with S_IFDIR not with the mode argument! l. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Progress! .532 boots! -- but dbus/hotplug/udev problems remain? 2004-08-29 19:53 ` Tom London 2004-08-30 18:20 ` Daniel J Walsh @ 2004-08-30 20:42 ` James Carter 1 sibling, 0 replies; 12+ messages in thread From: James Carter @ 2004-08-30 20:42 UTC (permalink / raw) To: Tom London, russell; +Cc: fedora-selinux-list, SE-Linux Thanks Russell and Tom. Merged into sourceforge policy using r_dir_file() for selinux_config_t, file_context_t, and default_context_t. Showing only the part changed from Russell's patch: --- domains/program/unused/udev.te 27 Aug 2004 13:14:05 -0000 1.17 +++ domains/program/unused/udev.te 30 Aug 2004 19:36:44 -0000 
@@ -32,19 +31,19 @@ allow udev_t device_t:blk_file create_file_perms; allow udev_t device_t:chr_file create_file_perms; allow udev_t device_t:sock_file create_file_perms; -allow udev_t etc_t:file { getattr read execute }; +allow udev_t device_t:lnk_file create_lnk_perms; +allow udev_t etc_t:file { getattr read }; allow udev_t { bin_t sbin_t }:dir r_dir_perms; allow udev_t { sbin_t bin_t }:lnk_file read; -can_exec(udev_t, { shell_exec_t bin_t sbin_t } ) +allow udev_t bin_t:lnk_file read; +can_exec(udev_t, { shell_exec_t bin_t sbin_t etc_t } ) can_exec(udev_t, udev_exec_t) -can_exec(udev_t, hostname_exec_t) -can_exec(udev_t, iptables_exec_t) r_dir_file(udev_t, sysfs_t) allow udev_t sysadm_tty_device_t:chr_file { read write }; allow udev_t { device_t device_type }:{chr_file blk_file} { relabelfrom relabelto create_file_perms }; -# to read the file_contexts file? -r_dir_file(udev_t, policy_config_t) +# to read the file_contexts file +r_dir_file(udev_t, { selinux_config_t file_context_t default_context_t } ) allow udev_t policy_config_t:dir { search }; allow udev_t proc_t:file { read }; On Sun, 2004-08-29 at 15:53, Tom London wrote: > Russell, > > The following changes to udev.te seem needed.... > (If udev shouldn't be reading file_contexts, then dontaudit?) > > Please correct/improve, > tom > > --- /tmp/patches/udev.te 2004-08-29 11:35:48.000000000 -0700 > +++ udev.te 2004-08-29 12:40:58.000000000 -0700 
> @@ -44,7 +44,9 @@ > > # to read the file_contexts file > allow udev_t { selinux_config_t default_context_t }:dir search; > -allow udev_t default_context_t:file { getattr read }; > +allow udev_t { selinux_config_t default_context_t }:file { getattr read }; > +allow udev_t file_context_t:dir { search }; > +allow udev_t file_context_t:file { getattr read }; > > allow udev_t policy_config_t:dir { search }; > allow udev_t proc_t:file { read }; > > > Russell Coker wrote: > > >On Sun, 29 Aug 2004 04:29, Tom London <selinux@comcast.net> wrote: > > > > > >>Newest Rawhide updates (including udev-030-10, mkinitrd-4.1.8-1, > >>kernel-2.6.8-1.532, and selinux-policy-strict-1.17.5-2) > >>now boots in strict/enforcing. > >> > >> > > > >I've attached a diff against the CVS policy as well as the .te and .fc files > >for udev changes which fix this and address some other issues as well. > > > >Please try it out and let me know how it goes. > > > > -- > This message was distributed to subscribers of the selinux mailing list. > If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with > the words "unsubscribe selinux" without quotes as the message. -- James Carter <jwcart2@epoch.ncsc.mil> National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 12+ messages in thread