policy patch

policy patch

[Russell Coker]

[-- Attachment #1: Type: text/plain, Size: 1898 bytes --]

diff1 removes some unnecessary dontaudit lines from syslogd.te, if there is to 
be one single domain accessing devpts_t:chr_file then syslogd_t is not it, 
and if a log file gets type unlabeled_t then it's something we want audited.

httpd_t does not need search access to devpts_t (it is not granted access to 
any device node under /dev/pts).  httpd_suexec_t does not need 
net_bind_service (all it does it call setuid() and execute a script), it's 
access attempts of /var/run are the usual nscd stuff that gets a dontaudit 
rule.

It seems that only Red Hat has bootloader_t needing access to 
modules_object_t:lnk_file.

cpucontrol_t sometimes needs getattr access to a sym-link in /dev, no harm in 
granting it.

There should never be a printer_device_t:fifo_file object, there is no 
file_contexts entry assigning printer_device_t to a fifo_file object, so I 
remove the access to this invalid combination.

dovecot_cert_t is used for SSL certificates.  If there are any certificates 
labeled as usr_t then that's a bug in the file_contexts file.  I'll change 
the contexts of the files to use bin_t for sub-binaries on Debian as well as 
Red Hat (as well as putting some conditionals into the .fc file).

I changed ftpd.te to have the domain_auto_trans(inetd, part inside 
if(!ftpd_is_daemon).

Change hald.te to work with the latest version in Fedora.  I didn't want to 
give it read access to hard disks, but it seems that's he way things are 
going.

Changed hotplug.te to allow it to run arping on Red Hat, and to be a hald 
client (maybe we need a hald_client_domain attribute).

Allows lvm_t to create unix_dgram_socket objects.


-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: diff1 --]
[-- Type: text/x-diff, Size: 11250 bytes --]

diff -ru /usr/src/se/policy/domains/program/syslogd.te ./domains/program/syslogd.te
--- /usr/src/se/policy/domains/program/syslogd.te	2004-08-24 16:01:13.000000000 +1000
+++ ./domains/program/syslogd.te	2004-07-08 21:30:48.000000000 +1000
@@ -94,6 +94,3 @@
 #
 dontaudit syslogd_t file_t:dir search;
 allow syslogd_t devpts_t:dir { search };
-dontaudit syslogd_t devpts_t:chr_file { read write };
-
-dontaudit syslogd_t unlabeled_t:file { read };
diff -ru /usr/src/se/policy/domains/program/unused/apache.te ./domains/program/unused/apache.te
--- /usr/src/se/policy/domains/program/unused/apache.te	2004-08-15 15:45:15.000000000 +1000
+++ ./domains/program/unused/apache.te	2004-08-24 16:07:09.000000000 +1000
@@ -68,7 +69,6 @@
 
 allow httpd_t { random_device_t urandom_device_t }:chr_file { getattr ioctl read };
 
-allow httpd_t devpts_t:dir { search };
 allow httpd_t sysctl_kernel_t:dir search;
 allow httpd_t sysctl_kernel_t:file read;
 
@@ -88,11 +88,10 @@
 # Permissions for running child processes and scripts
 ##########################################################
 
-allow httpd_suexec_t self:capability { setuid setgid net_bind_service };
+allow httpd_suexec_t self:capability { setuid setgid };
 
-allow httpd_suexec_t var_run_t:dir { search };
-allow httpd_suexec_t var_t:dir { search };
-allow httpd_suexec_t var_log_t:dir search;
+dontaudit httpd_suexec_t var_run_t:dir search;
+allow httpd_suexec_t { var_t var_log_t }:dir search;
 allow httpd_suexec_t home_root_t:dir search;
 
 allow httpd_suexec_t httpd_log_t:dir search;
@@ -122,7 +121,10 @@
 
 uses_shlib(httpd_t)
 allow httpd_t { usr_t lib_t }:file { getattr read ioctl };
-allow httpd_t usr_t:lnk_file read;
+allow httpd_t usr_t:lnk_file { getattr read };
+
+# for apache2 memory mapped files
+var_lib_domain(httpd)
 
 # for tomcat
 r_dir_file(httpd_t, var_lib_t)
diff -ru /usr/src/se/policy/domains/program/unused/bootloader.te ./domains/program/unused/bootloader.te
--- /usr/src/se/policy/domains/program/unused/bootloader.te	2004-08-24 16:01:17.000000000 +1000
+++ ./domains/program/unused/bootloader.te	2004-08-24 16:07:33.000000000 +1000
@@ -65,7 +65,9 @@
 
 allow bootloader_t { modules_dep_t modules_object_t modules_conf_t }:file r_file_perms;
 allow bootloader_t modules_object_t:dir r_dir_perms;
+ifdef(`distro_redhat', `
 allow bootloader_t modules_object_t:lnk_file { getattr read };
+')
 
 # for ldd
 ifdef(`fsadm.te', `
diff -ru /usr/src/se/policy/domains/program/unused/cpucontrol.te ./domains/program/unused/cpucontrol.te
--- /usr/src/se/policy/domains/program/unused/cpucontrol.te	2004-08-24 16:01:19.000000000 +1000
+++ ./domains/program/unused/cpucontrol.te	2004-08-22 19:08:10.000000000 +1000
@@ -9,8 +9,8 @@
 
 # Access cpu devices.
 allow cpucontrol_t cpu_device_t:chr_file rw_file_perms;
+allow cpucontrol_t device_t:lnk_file { getattr read };
 allow initrc_t cpu_device_t:chr_file getattr;
-allow cpucontrol_t device_t:lnk_file { read };
 
 allow cpucontrol_t self:capability sys_rawio;
 
diff -ru /usr/src/se/policy/domains/program/unused/cups.te ./domains/program/unused/cups.te
--- /usr/src/se/policy/domains/program/unused/cups.te	2004-08-02 16:59:48.000000000 +1000
+++ ./domains/program/unused/cups.te	2004-08-24 16:10:02.000000000 +1000
@@ -152,11 +152,10 @@
 allow ptal_t printer_device_t:chr_file { ioctl read write };
 allow ptal_t { etc_t etc_runtime_t }:file { getattr read };
 r_dir_file(ptal_t, usbdevfs_t)
-allow cupsd_t ptal_var_run_t:sock_file { write setattr } ;
+allow cupsd_t ptal_var_run_t:sock_file { write setattr };
 allow cupsd_t ptal_t:unix_stream_socket { connectto };
 allow cupsd_t ptal_var_run_t:dir { search };
 dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
 
-allow cupsd_t printer_device_t:fifo_file rw_file_perms;
 dontaudit cupsd_t selinux_config_t:dir search;
 dontaudit cupsd_t selinux_config_t:file { getattr read };
diff -ru /usr/src/se/policy/domains/program/unused/dovecot.te ./domains/program/unused/dovecot.te
--- /usr/src/se/policy/domains/program/unused/dovecot.te	2004-06-30 13:03:13.000000000 +1000
+++ ./domains/program/unused/dovecot.te	2004-08-24 16:19:10.000000000 +1000
@@ -11,20 +11,15 @@
 
 type dovecot_cert_t, file_type, sysadmfile;
 
-allow dovecot_t self:capability { chown net_bind_service setgid setuid sys_chroot dac_override dac_read_search };
+allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
 allow dovecot_t self:process { setrlimit };
 can_network(dovecot_t)
 allow dovecot_t self:unix_dgram_socket create_socket_perms;
 allow dovecot_t self:unix_stream_socket create_stream_socket_perms;
 can_unix_connect(dovecot_t, self)
 
-# For SSL certificates
-allow dovecot_t usr_t:file { getattr read };
-
 allow dovecot_t etc_t:file { getattr read };
 allow dovecot_t initrc_var_run_t:file { getattr };
-# Dovecot sub-binaries are lib_t on Debian and bin_t on Fedora
-allow dovecot_t lib_t:file { execute execute_no_trans };
 allow dovecot_t bin_t:dir { getattr search };
 can_exec(dovecot_t, bin_t)
 
diff -ru /usr/src/se/policy/domains/program/unused/ftpd.te ./domains/program/unused/ftpd.te
--- /usr/src/se/policy/domains/program/unused/ftpd.te	2004-08-08 22:16:26.000000000 +1000
+++ ./domains/program/unused/ftpd.te	2004-08-24 16:32:22.000000000 +1000
@@ -24,6 +24,7 @@
 
 allow ftpd_t bin_t:dir search;
 can_exec(ftpd_t, bin_t)
+allow ftpd_t bin_t:lnk_file read;
 allow ftpd_t { sysctl_t sysctl_kernel_t }:dir search;
 allow ftpd_t sysctl_kernel_t:file { getattr read };
 
@@ -32,14 +33,11 @@
 ifdef(`crond.te', `
 system_crond_entry(ftpd_exec_t, ftpd_t)
 can_exec(ftpd_t, { sbin_t shell_exec_t })
+allow ftpd_t usr_t:file { getattr read };
 ')
 
 allow ftpd_t ftp_data_port_t:tcp_socket name_bind;
 
-ifdef(`inetd.te', `
-domain_auto_trans(inetd_t, ftpd_exec_t, ftpd_t)
-')
-
 # Allow ftpd to run directly without inetd.
 bool ftpd_is_daemon false;
 if (ftpd_is_daemon) {
@@ -47,10 +45,10 @@
 allow ftpd_t ftp_port_t:tcp_socket name_bind;
 can_tcp_connect(userdomain, ftpd_t)
 }
-
 ifdef(`inetd.te', `
 if (!ftpd_is_daemon) {
 ifdef(`tcpd.te', `domain_auto_trans(tcpd_t, ftpd_exec_t, ftpd_t)')
+domain_auto_trans(inetd_t, ftpd_exec_t, ftpd_t)
 
 # Use sockets inherited from inetd.
 allow ftpd_t inetd_t:fd use;
@@ -87,11 +85,12 @@
 
 dontaudit ftpd_t sysadm_home_dir_t:dir getattr;
 dontaudit ftpd_t krb5_conf_t:file { write };
+dontaudit ftpd_t selinux_config_t:dir search;
 allow ftpd_t krb5_conf_t:file { getattr read };
 ifdef(`automount.te', `
 allow ftpd_t autofs_t:dir { search };
 ')
-allow ftpd_t self:file { read };
+allow ftpd_t self:file { getattr read };
 tmp_domain(ftpd)
 
 # Allow ftp to read/write files in the user home directories.
@@ -101,4 +100,4 @@
 allow ftpd_t nfs_t:dir r_dir_perms;
 allow ftpd_t nfs_t:file r_file_perms;
 }
-')
+')dnl end if nfs_home_dirs
diff -ru /usr/src/se/policy/domains/program/unused/hald.te ./domains/program/unused/hald.te
--- /usr/src/se/policy/domains/program/unused/hald.te	2004-08-18 22:42:50.000000000 +1000
+++ ./domains/program/unused/hald.te	2004-08-23 20:35:07.000000000 +1000
@@ -10,14 +10,15 @@
 #
 # hald_exec_t is the type of the hald executable.
 #
-daemon_domain(hald, `, dbus_client_domain')
+daemon_domain(hald, `, dbus_client_domain, fs_domain')
 
-allow hald_t etc_t:file { getattr read };
+allow hald_t { etc_t etc_runtime_t }:file { getattr read };
 allow hald_t self:unix_stream_socket create_stream_socket_perms;
+allow hald_t self:unix_dgram_socket create_socket_perms;
 
 allow hald_t dbusd_t:dbus { acquire_svc };
 
-allow hald_t self:file { getattr read };
+allow hald_t { self proc_t }:file { getattr read };
 
 allow hald_t { bin_t sbin_t }:dir search;
 allow hald_t hald_t:fifo_file rw_file_perms;
@@ -28,8 +29,14 @@
 allow hald_t self:capability { net_admin sys_admin };
 can_network(hald_t)
 
+allow hald_t fixed_disk_device_t:blk_file { getattr read };
+allow hald_t event_device_t:chr_file { getattr read };
+
 ifdef(`updfstab.te', `domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t)')
-ifdef(`udev.te', `domain_auto_trans(hald_t, udev_exec_t, udev_t)')
+ifdef(`udev.te', `
+domain_auto_trans(hald_t, udev_exec_t, udev_t)
+allow udev_t hald_t:unix_dgram_socket sendto;
+')
 
 allow hald_t usbdevfs_t:dir search;
 allow hald_t usbdevfs_t:file { getattr read };
diff -ru /usr/src/se/policy/domains/program/unused/hotplug.te ./domains/program/unused/hotplug.te
--- /usr/src/se/policy/domains/program/unused/hotplug.te	2004-08-21 13:19:07.000000000 +1000
+++ ./domains/program/unused/hotplug.te	2004-08-23 16:37:52.000000000 +1000
@@ -17,14 +17,13 @@
 ')
 
 etcdir_domain(hotplug)
-typealias hotplug_etc_t alias etc_hotplug_t;
 
 allow hotplug_t self:fifo_file { read write getattr ioctl };
 allow hotplug_t self:unix_dgram_socket create_socket_perms;
 allow hotplug_t self:unix_stream_socket create_socket_perms;
 allow hotplug_t self:udp_socket create_socket_perms;
 
-allow hotplug_t sysctl_net_t:dir search;
+allow hotplug_t sysctl_net_t:dir r_dir_perms;
 allow hotplug_t sysctl_net_t:file { getattr read };
 
 # get info from /proc
@@ -43,12 +42,16 @@
 allow hotplug_t { bin_t sbin_t }:dir search;
 allow hotplug_t { bin_t sbin_t }:lnk_file read;
 can_exec(hotplug_t, { hotplug_exec_t bin_t sbin_t ls_exec_t shell_exec_t hotplug_etc_t etc_t })
-ifdef(`hostname.te', `
-can_exec(hotplug_t, hostname_exec_t)
-')
+ifdef(`hostname.te', `can_exec(hotplug_t, hostname_exec_t)')
+ifdef(`netutils.te', `
+ifdef(`distro_redhat', `
+# for arping used for static IP addresses on PCMCIA ethernet
+domain_auto_trans(hotplug_t, netutils_exec_t, netutils_t)
+')dnl end if distro_redhat
+')dnl end if netutils.te
 
 allow initrc_t usbdevfs_t:file { getattr read ioctl };
-allow initrc_t modules_dep_t:file { getattr read };
+allow initrc_t modules_dep_t:file { getattr read ioctl };
 r_dir_file(hotplug_t, usbdevfs_t)
 allow hotplug_t usbfs_t:dir r_dir_perms;
 allow hotplug_t usbfs_t:file { getattr read };
@@ -64,6 +67,10 @@
 allow hotplug_t var_lock_t:file getattr;
 ')
 
+ifdef(`hald.te', `
+allow hotplug_t hald_t:unix_dgram_socket sendto;
+')
+
 # for killall
 allow hotplug_t self:process { getsession getattr };
 allow hotplug_t self:file getattr;
@@ -129,8 +136,7 @@
 allow hotplug_t sound_device_t:chr_file { setattr };
 
 ifdef(`udev.te', `
-domain_auto_trans(hotplug_t, udev_exec_t, udev_t)
-domain_auto_trans(hotplug_t, udev_helper_exec_t, udev_t)
+domain_auto_trans(hotplug_t, { udev_exec_t udev_helper_exec_t }, udev_t)
 ')
 
 file_type_auto_trans(hotplug_t, etc_t, etc_runtime_t, file)
@@ -143,7 +149,7 @@
 domain_auto_trans(hotplug_t, sendmail_exec_t, system_mail_t) 
 ')
 
-allow restorecon_t hotplug_t:fd { use };
+allow restorecon_t hotplug_t:fd use;
 
 ifdef(`unlimitedUtils', `
 unconfined_domain(hotplug_t) 
diff -ru /usr/src/se/policy/domains/program/unused/lvm.te ./domains/program/unused/lvm.te
--- /usr/src/se/policy/domains/program/unused/lvm.te	2004-08-19 17:10:36.000000000 +1000
+++ ./domains/program/unused/lvm.te	2004-08-18 19:00:03.000000000 +1000
@@ -32,6 +32,7 @@
 allow lvm_t self:process { setsched };
 
 allow lvm_t self:fifo_file rw_file_perms;
+allow lvm_t self:unix_dgram_socket create_socket_perms;
 
 r_dir_file(lvm_t, proc_t)
 allow lvm_t self:file r_file_perms;

Re: policy patch

[Stephen Smalley]

On Tue, 2004-08-24 at 04:18, Russell Coker wrote:
> diff1 removes some unnecessary dontaudit lines from syslogd.te, if there is to 
> be one single domain accessing devpts_t:chr_file then syslogd_t is not it, 
> and if a log file gets type unlabeled_t then it's something we want audited.

Both rules were added by Dan, so please coordinate such changes with
him.  The dontaudit rules for devpts_t:chr_file are for the targeted
policy, which has no derived types for ptys or ttys; daemon restart will
trigger such denials.  I think that the dontaudit rule for unlabeled_t
is for the kernel bug that is leaking descriptors to the rootfs to init
and its descendants.  However, SELinux should be closing those
descriptors and re-opening them to the null device anyway.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: policy patch

[Russell Coker]

[-- Attachment #1: Type: text/plain, Size: 973 bytes --]

On Tue, 24 Aug 2004 22:23, Stephen Smalley <sds@epoch.ncsc.mil> wrote:
> On Tue, 2004-08-24 at 04:18, Russell Coker wrote:
> > diff1 removes some unnecessary dontaudit lines from syslogd.te, if there
> > is to be one single domain accessing devpts_t:chr_file then syslogd_t is
> > not it, and if a log file gets type unlabeled_t then it's something we
> > want audited.
>
> Both rules were added by Dan, so please coordinate such changes with
> him.  The dontaudit rules for devpts_t:chr_file are for the targeted
> policy, which has no derived types for ptys or ttys; daemon restart will

In that case we should modify the daemon_core_rules() macro to solve it 
properly.  I've attached a patch which should fix this.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: diff --]
[-- Type: text/x-diff, Size: 411 bytes --]

--- /usr/src/se/policy/macros/global_macros.te	2004-08-24 16:01:30.000000000 +1000
+++ macros/global_macros.te	2004-08-25 02:52:43.000000000 +1000
@@ -292,6 +292,9 @@
 ifdef(`automount.te', `
 allow $1_t autofs_t:dir { search getattr };
 ')dnl end if automount.te
+ifdef(`targeted_policy', `
+dontaudit $1_t devpts_t:chr_file { read write };
+')dnl end if targeted_policy
 
 ')dnl end macro daemon_core_rules
 

Re: policy patch

[James Carter]

Merged.

Also added:
	allow hotplug_t udev_helper_exec_t:lnk_file read;
It seems reasonable and I was seeing a lot of denials, but it might be
possible to use a dontaudit.

On Tue, 2004-08-24 at 04:18, Russell Coker wrote:
> diff1 removes some unnecessary dontaudit lines from syslogd.te, if there is to 
> be one single domain accessing devpts_t:chr_file then syslogd_t is not it, 
> and if a log file gets type unlabeled_t then it's something we want audited.
> 
> httpd_t does not need search access to devpts_t (it is not granted access to 
> any device node under /dev/pts).  httpd_suexec_t does not need 
> net_bind_service (all it does it call setuid() and execute a script), it's 
> access attempts of /var/run are the usual nscd stuff that gets a dontaudit 
> rule.
> 
> It seems that only Red Hat has bootloader_t needing access to 
> modules_object_t:lnk_file.
> 
> cpucontrol_t sometimes needs getattr access to a sym-link in /dev, no harm in 
> granting it.
> 
> There should never be a printer_device_t:fifo_file object, there is no 
> file_contexts entry assigning printer_device_t to a fifo_file object, so I 
> remove the access to this invalid combination.
> 
> dovecot_cert_t is used for SSL certificates.  If there are any certificates 
> labeled as usr_t then that's a bug in the file_contexts file.  I'll change 
> the contexts of the files to use bin_t for sub-binaries on Debian as well as 
> Red Hat (as well as putting some conditionals into the .fc file).
> 
> I changed ftpd.te to have the domain_auto_trans(inetd, part inside 
> if(!ftpd_is_daemon).
> 
> Change hald.te to work with the latest version in Fedora.  I didn't want to 
> give it read access to hard disks, but it seems that's he way things are 
> going.
> 
> Changed hotplug.te to allow it to run arping on Red Hat, and to be a hald 
> client (maybe we need a hald_client_domain attribute).
> 
> Allows lvm_t to create unix_dgram_socket objects.
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: policy patch

[Russell Coker]

[-- Attachment #1: Type: text/plain, Size: 1122 bytes --]

On Sat, 28 Aug 2004 06:58, James Carter <jwcart2@epoch.ncsc.mil> wrote:
> Also added:
>  allow hotplug_t udev_helper_exec_t:lnk_file read;
> It seems reasonable and I was seeing a lot of denials, but it might be
> possible to use a dontaudit.

I think that a better thing to do is to use "--" on the file_contexts entry 
for an executable file and have any sym-links with similar named get bin_t or 
sbin_t.  The contents of a sym-link are almost never of any relevance to the 
security of the system, but adding more rules increases the size of the 
policy and the work for all of us.  Also as a side-affect specifying the 
class of the object to be labelled makes setfiles run faster.

I have attached a patch which adds -- to all types ending in _exec_t.  It also 
fixes some bugs in the spamassasin policy and adds a couple of other file 
contexts things as well.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: fc.diff --]
[-- Type: text/x-diff, Size: 9876 bytes --]

diff -ru /usr/src/se/policy/file_contexts/program/distcc.fc file_contexts/program/distcc.fc
--- /usr/src/se/policy/file_contexts/program/distcc.fc	2004-07-29 06:04:18.000000000 +1000
+++ file_contexts/program/distcc.fc	2004-08-28 23:28:02.000000000 +1000
@@ -1,2 +1,2 @@
 # distcc
-/usr/bin/distccd		system_u:object_r:distccd_exec_t
+/usr/bin/distccd	--	system_u:object_r:distccd_exec_t
diff -ru /usr/src/se/policy/file_contexts/program/dovecot.fc file_contexts/program/dovecot.fc
--- /usr/src/se/policy/file_contexts/program/dovecot.fc	2004-07-13 09:08:03.000000000 +1000
+++ file_contexts/program/dovecot.fc	2004-08-24 18:08:10.000000000 +1000
@@ -1,6 +1,12 @@
 # for Dovecot POP and IMAP server
 /usr/sbin/dovecot		--	system_u:object_r:dovecot_exec_t
+ifdef(`distro_redhat', `
 /usr/libexec/dovecot/dovecot-auth --	system_u:object_r:dovecot_auth_exec_t
+')
+ifdef(`distro_debian', `
+/usr/lib/dovecot/dovecot-auth	--	system_u:object_r:dovecot_auth_exec_t
+/usr/lib/dovecot/.+		--	system_u:object_r:bin_t
+')
 /usr/share/ssl/certs/dovecot.pem --	system_u:object_r:dovecot_cert_t
 /usr/share/ssl/private/dovecot.pem --	system_u:object_r:dovecot_cert_t
 /var/run/dovecot(-login)?(/.*)?		system_u:object_r:dovecot_var_run_t
diff -ru /usr/src/se/policy/file_contexts/program/dpkg.fc file_contexts/program/dpkg.fc
--- /usr/src/se/policy/file_contexts/program/dpkg.fc	2004-08-19 17:10:38.000000000 +1000
+++ file_contexts/program/dpkg.fc	2004-08-28 23:25:01.000000000 +1000
@@ -15,7 +15,7 @@
 /usr/sbin/dpkg-preconfigure --	system_u:object_r:dpkg_exec_t
 /usr/sbin/install-menu	--	system_u:object_r:install_menu_exec_t
 /usr/share/applnk(/.*)?		system_u:object_r:debian_menu_t
-/usr/share/debconf(/.*)?	system_u:object_r:dpkg_exec_t
+/usr/share/debconf/.+	--	system_u:object_r:dpkg_exec_t
 /usr/share/debiandoc-sgml/saspconvert -- system_u:object_r:bin_t
 /usr/share/lintian/.+	--	system_u:object_r:bin_t
 /usr/share/kernel-package/.+ -- system_u:object_r:bin_t
diff -ru /usr/src/se/policy/file_contexts/program/firstboot.fc file_contexts/program/firstboot.fc
--- /usr/src/se/policy/file_contexts/program/firstboot.fc	2004-04-03 21:37:23.000000000 +1000
+++ file_contexts/program/firstboot.fc	2004-08-28 23:25:18.000000000 +1000
@@ -1,4 +1,4 @@
 # firstboot
 /usr/sbin/firstboot	-- system_u:object_r:firstboot_exec_t
 /usr/share/firstboot	system_u:object_r:firstboot_rw_t
-/usr/share/firstboot/firstboot.py	system_u:object_r:firstboot_exec_t
+/usr/share/firstboot/firstboot.py --	system_u:object_r:firstboot_exec_t
diff -ru /usr/src/se/policy/file_contexts/program/initrc.fc file_contexts/program/initrc.fc
--- /usr/src/se/policy/file_contexts/program/initrc.fc	2004-08-28 12:05:09.000000000 +1000
+++ file_contexts/program/initrc.fc	2004-08-28 23:29:40.000000000 +1000
@@ -13,8 +13,12 @@
 /var/run/setmixer_flag	--	system_u:object_r:initrc_var_run_t
 # run_init
 /usr/sbin/run_init	--	system_u:object_r:run_init_exec_t
+ifdef(`distro_debian', `
 /usr/sbin/open_init_pty	--	system_u:object_r:initrc_exec_t
+')
 /etc/nologin.*		--	system_u:object_r:etc_runtime_t
 /etc/nohotplug		--	system_u:object_r:etc_runtime_t
+ifdef(`distro_redhat', `
 /halt                   --      system_u:object_r:etc_runtime_t
 /\.autofsck             --      system_u:object_r:etc_runtime_t
+')
diff -ru /usr/src/se/policy/file_contexts/program/jabberd.fc file_contexts/program/jabberd.fc
--- /usr/src/se/policy/file_contexts/program/jabberd.fc	2004-06-17 15:10:43.000000000 +1000
+++ file_contexts/program/jabberd.fc	2004-08-28 23:25:26.000000000 +1000
@@ -1,3 +1,3 @@
 # jabberd
-/usr/sbin/jabberd		system_u:object_r:jabberd_exec_t
+/usr/sbin/jabberd	--	system_u:object_r:jabberd_exec_t
 /var/lib/jabber(/.*)?		system_u:object_r:jabberd_var_lib_t
diff -ru /usr/src/se/policy/file_contexts/program/kerberos.fc file_contexts/program/kerberos.fc
--- /usr/src/se/policy/file_contexts/program/kerberos.fc	2004-06-24 22:50:07.000000000 +1000
+++ file_contexts/program/kerberos.fc	2004-08-28 23:25:48.000000000 +1000
@@ -1,11 +1,11 @@
 # MIT Kerberos krbkdc, kadmind
 /etc/krb5\.keytab       		system_u:object_r:krb5_keytab_t
-/usr(/local)?(/kerberos)?/sbin/krb5kdc 	system_u:object_r:krb5kdc_exec_t
-/usr(/local)?(/kerberos)?/sbin/kadmind	system_u:object_r:kadmind_exec_t
+/usr(/local)?(/kerberos)?/sbin/krb5kdc --	system_u:object_r:krb5kdc_exec_t
+/usr(/local)?(/kerberos)?/sbin/kadmind --	system_u:object_r:kadmind_exec_t
 /var/kerberos/krb5kdc(/.*)?		system_u:object_r:krb5kdc_conf_t
 /usr/local/var/krb5kdc(/.*)?		system_u:object_r:krb5kdc_conf_t
 /var/kerberos/krb5kdc/principal.*	system_u:object_r:krb5kdc_principal_t
 /usr/local/var/krb5kdc/principal.*	system_u:object_r:krb5kdc_principal_t
 /var/log/krb5kdc.log			system_u:object_r:krb5kdc_log_t
 /var/log/kadmind.log			system_u:object_r:kadmind_log_t
-/usr(/local)?/bin/ksu			system_u:object_r:su_exec_t
+/usr(/local)?/bin/ksu		--	system_u:object_r:su_exec_t
diff -ru /usr/src/se/policy/file_contexts/program/named.fc file_contexts/program/named.fc
--- /usr/src/se/policy/file_contexts/program/named.fc	2004-08-28 12:05:10.000000000 +1000
+++ file_contexts/program/named.fc	2004-08-28 22:53:56.000000000 +1000
@@ -1,8 +1,10 @@
 # named
+ifdef(`distro_redhat', `
 /var/named(/.*)?		system_u:object_r:named_zone_t
 /var/named/slaves(/.*)?		system_u:object_r:named_cache_t
 /var/named/data(/.*)?		system_u:object_r:named_cache_t
 /etc/named\.conf	--	system_u:object_r:named_conf_t
+') dnl end distro_redhat
 
 ifdef(`distro_debian', `
 /etc/bind(/.*)?			system_u:object_r:named_zone_t
diff -ru /usr/src/se/policy/file_contexts/program/openca-ca.fc file_contexts/program/openca-ca.fc
--- /usr/src/se/policy/file_contexts/program/openca-ca.fc	2004-06-17 15:10:43.000000000 +1000
+++ file_contexts/program/openca-ca.fc	2004-08-28 23:26:09.000000000 +1000
@@ -5,4 +5,4 @@
 /var/lib/openca/crypto/keys(/.*)?	system_u:object_r:openca_var_lib_keys_t
 /usr/share/openca(/.*)?		system_u:object_r:openca_usr_share_t
 /usr/share/openca/htdocs(/.*)?	system_u:object_r:httpd_sys_content_t
-/usr/share/openca/cgi-bin/ca(/.*)?	system_u:object_r:openca_ca_exec_t
+/usr/share/openca/cgi-bin/ca/.+ --	system_u:object_r:openca_ca_exec_t
diff -ru /usr/src/se/policy/file_contexts/program/prelink.fc file_contexts/program/prelink.fc
--- /usr/src/se/policy/file_contexts/program/prelink.fc	2004-02-25 17:05:05.000000000 +1100
+++ file_contexts/program/prelink.fc	2004-08-25 21:42:00.000000000 +1000
@@ -1,5 +1,8 @@
 # prelink - prelink ELF shared libraries and binaries to speed up startup time
 /usr/sbin/prelink		--	system_u:object_r:prelink_exec_t
+ifdef(`distro_debian', `
+/usr/sbin/prelink\.bin		--	system_u:object_r:prelink_exec_t
+')
 /etc/prelink.conf		--	system_u:object_r:etc_prelink_t
 /var/log/prelink.log		--	system_u:object_r:prelink_log_t
 /etc/prelink.cache		--	system_u:object_r:prelink_cache_t
diff -ru /usr/src/se/policy/file_contexts/program/rssh.fc file_contexts/program/rssh.fc
--- /usr/src/se/policy/file_contexts/program/rssh.fc	2004-08-24 05:46:54.000000000 +1000
+++ file_contexts/program/rssh.fc	2004-08-28 23:28:07.000000000 +1000
@@ -1,2 +1,2 @@
 # rssh
-/usr/bin/rssh			system_u:object_r:rssh_exec_t
+/usr/bin/rssh		--	system_u:object_r:rssh_exec_t
diff -ru /usr/src/se/policy/file_contexts/program/seuser.fc file_contexts/program/seuser.fc
--- /usr/src/se/policy/file_contexts/program/seuser.fc	2003-11-27 05:04:46.000000000 +1100
+++ file_contexts/program/seuser.fc	2004-08-28 23:26:21.000000000 +1000
@@ -1,4 +1,4 @@
 # seuser
-/usr/bin/seuser	system_u:object_r:seuser_exec_t
+/usr/bin/seuser	--	system_u:object_r:seuser_exec_t
 /usr/apol/seuser.conf system_u:object_r:seuser_conf_t
 
diff -ru /usr/src/se/policy/file_contexts/program/spamassassin.fc file_contexts/program/spamassassin.fc
--- /usr/src/se/policy/file_contexts/program/spamassassin.fc	2004-05-05 05:35:53.000000000 +1000
+++ file_contexts/program/spamassassin.fc	2004-08-28 23:27:21.000000000 +1000
@@ -1,3 +1,3 @@
-/usr/bin/spamassassin		system_u:object_r:spamassassin_exec_t
-/root/\.spamassassin(/.*)?	system_u:object_r:staff_home_spamassassin_t
-/home/[^/]+/\.spamassassin(/.*)?	system_u:object_r:user_home_spamassassin_t
+# spamassasin
+/usr/bin/spamassassin	--	system_u:object_r:spamassassin_exec_t
+HOME_DIR/\.spamassassin(/.*)?	system_u:object_r:ROLE_home_spamassassin_t
diff -ru /usr/src/se/policy/file_contexts/program/spamc.fc file_contexts/program/spamc.fc
--- /usr/src/se/policy/file_contexts/program/spamc.fc	2004-05-05 05:35:53.000000000 +1000
+++ file_contexts/program/spamc.fc	2004-08-28 23:27:27.000000000 +1000
@@ -1 +1 @@
-/usr/bin/spamc		system_u:object_r:spamc_exec_t
+/usr/bin/spamc	--	system_u:object_r:spamc_exec_t
diff -ru /usr/src/se/policy/file_contexts/program/udev.fc file_contexts/program/udev.fc
--- /usr/src/se/policy/file_contexts/program/udev.fc	2004-08-28 12:05:11.000000000 +1000
+++ file_contexts/program/udev.fc	2004-08-28 23:27:56.000000000 +1000
@@ -3,7 +3,7 @@
 /sbin/udev	--	system_u:object_r:udev_exec_t
 /sbin/udevd	--	system_u:object_r:udev_exec_t
 /usr/bin/udevinfo --	system_u:object_r:udev_exec_t
-/etc/dev\.d(/.*)? 	system_u:object_r:udev_helper_exec_t
-/etc/hotplug.d/default/udev.* system_u:object_r:udev_helper_exec_t
+/etc/dev\.d/.+	--	system_u:object_r:udev_helper_exec_t
+/etc/hotplug.d/default/udev.* -- system_u:object_r:udev_helper_exec_t
 /dev/udev\.tbl	--	system_u:object_r:udev_tbl_t
 /dev/\.udev\.tdb --	system_u:object_r:udev_tbl_t
diff -ru /usr/src/se/policy/file_contexts/program/xfs.fc file_contexts/program/xfs.fc
--- /usr/src/se/policy/file_contexts/program/xfs.fc	2004-01-24 12:15:54.000000000 +1100
+++ file_contexts/program/xfs.fc	2004-08-26 00:11:03.000000000 +1000
@@ -1,3 +1,5 @@
 # xfs
 /tmp/\.font-unix(/.*)?		system_u:object_r:xfs_tmp_t
 /usr/X11R6/bin/xfs	--	system_u:object_r:xfs_exec_t
+/usr/X11R6/bin/xfs-xtt	--	system_u:object_r:xfs_exec_t
+/usr/bin/xfstt		--	system_u:object_r:xfs_exec_t

Re: policy patch

[James Carter]

Thanks.  Merged.

On Sat, 2004-08-28 at 09:46, Russell Coker wrote:
> On Sat, 28 Aug 2004 06:58, James Carter <jwcart2@epoch.ncsc.mil> wrote:
> > Also added:
> >  allow hotplug_t udev_helper_exec_t:lnk_file read;
> > It seems reasonable and I was seeing a lot of denials, but it might be
> > possible to use a dontaudit.
> 
> I think that a better thing to do is to use "--" on the file_contexts entry 
> for an executable file and have any sym-links with similar named get bin_t or 
> sbin_t.  The contents of a sym-link are almost never of any relevance to the 
> security of the system, but adding more rules increases the size of the 
> policy and the work for all of us.  Also as a side-affect specifying the 
> class of the object to be labelled makes setfiles run faster.
> 
> I have attached a patch which adds -- to all types ending in _exec_t.  It also 
> fixes some bugs in the spamassasin policy and adds a couple of other file 
> contexts things as well.
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Latest Patches

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 207 bytes --]

Include some stuff from Russell,
Critical patch for tmpfs to get udev on tmpfs working

You sent me a note saying some patches conflict with other changes, 
please point those out so I can remove them.

Dan

[-- Attachment #2: policy-20040902.patch --]
[-- Type: text/plain, Size: 30068 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.17.9/domains/program/fsadm.te
--- nsapolicy/domains/program/fsadm.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.9/domains/program/fsadm.te	2004-09-02 08:15:02.734588923 -0400
@@ -29,6 +29,9 @@
 allow fsadm_t sysctl_kernel_t:file r_file_perms;
 allow fsadm_t sysctl_kernel_t:dir r_dir_perms;
 
+# for /dev/shm
+allow fsadm_t tmpfs_t:dir { getattr search };
+
 base_file_read_access(fsadm_t)
 
 # Read /etc.
@@ -81,6 +84,7 @@
 # Access disk devices.
 allow fsadm_t fixed_disk_device_t:devfile_class_set rw_file_perms;
 allow fsadm_t removable_device_t:devfile_class_set rw_file_perms;
+allow fsadm_t scsi_generic_device_t:chr_file r_file_perms;
 
 # Access lost+found.
 allow fsadm_t lost_found_t:dir create_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.17.9/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te	2004-08-30 09:49:15.000000000 -0400
+++ policy-1.17.9/domains/program/initrc.te	2004-09-02 08:15:02.734588923 -0400
@@ -12,12 +12,14 @@
 # initrc_exec_t is the type of the init program.
 #
 # do not use privmail for sendmail as it creates a type transition conflict
-type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, unrestricted, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') sysctl_kernel_writer;
 ifdef(`sendmail.te', `
+# do not use privmail for sendmail as it creates a type transition conflict
+type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, unrestricted, ') domain, privlog, privowner, privmodule, sysctl_kernel_writer;
 allow system_mail_t initrc_t:fd use;
 allow system_mail_t initrc_t:fifo_file write;
+', `
+type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem,auth_write, unrestricted, ') domain, privlog, privowner, privmodule, sysctl_kernel_writer, privmail;
 ')
-
 role system_r types initrc_t;
 uses_shlib(initrc_t);
 can_ypbind(initrc_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/logrotate.te policy-1.17.9/domains/program/logrotate.te
--- nsapolicy/domains/program/logrotate.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.9/domains/program/logrotate.te	2004-09-02 08:15:02.735588811 -0400
@@ -41,7 +41,8 @@
 allow logrotate_t etc_runtime_t:file r_file_perms;
 
 # it should not require this
-dontaudit logrotate_t {staff_home_dir_t sysadm_home_dir_t}:dir { read getattr search };
+allow logrotate_t {staff_home_dir_t sysadm_home_dir_t}:dir { getattr search };
+dontaudit logrotate_t {staff_home_dir_t sysadm_home_dir_t}:dir { read };
 
 # create lock files
 rw_dir_create_file(logrotate_t, var_lock_t)
@@ -140,10 +141,5 @@
 
 domain_auto_trans(logrotate_t, initrc_exec_t, initrc_t)
 
-r_dir_file(logrotate_t, selinux_config_t)
+dontaudit logrotate_t selinux_config_t:dir search;
 
-#from " logrotate -f /etc/logrotate.conf" while root(sysadm_r)
-allow logrotate_t devpts_t:dir { search };
-allow logrotate_t initrc_t:process { transition };
-dontaudit logrotate_t {sysadm_home_dir_t staff_home_dir_t}:dir { read search };
-allow logrotate_t var_t:file { getattr  read }; 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/setfiles.te policy-1.17.9/domains/program/setfiles.te
--- nsapolicy/domains/program/setfiles.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.9/domains/program/setfiles.te	2004-09-02 08:15:02.736588699 -0400
@@ -40,8 +44,7 @@
 allow setfiles_t { file_type unlabeled_t device_type }:dir_file_class_set { getattr relabelfrom };
 allow setfiles_t file_type:{ dir file lnk_file sock_file fifo_file } relabelto;
 allow setfiles_t unlabeled_t:dir read;
-allow setfiles_t device_type:{ chr_file blk_file } relabelto;
-allow setfiles_t device_t:{ chr_file blk_file } { getattr relabelfrom read };
+allow setfiles_t { device_type device_t }:{ chr_file blk_file } { getattr relabelfrom relabelto };
 allow setfiles_t { ttyfile ptyfile }:chr_file getattr;
 
 allow setfiles_t fs_t:filesystem getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.17.9/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2004-08-30 09:49:15.000000000 -0400
+++ policy-1.17.9/domains/program/unused/apache.te	2004-09-02 08:15:02.737588587 -0400
@@ -41,6 +41,7 @@
 append_logdir_domain(httpd)
 #can read /etc/httpd/logs
 allow httpd_t httpd_log_t:lnk_file { read };
+allow httpd_t httpd_log_t:dir { remove_name };
 
 # For /etc/init.d/apache2 reload
 can_tcp_connect(httpd_t, httpd_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.17.9/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2004-08-30 09:49:15.000000000 -0400
+++ policy-1.17.9/domains/program/unused/cups.te	2004-09-02 08:15:02.737588587 -0400
@@ -157,5 +157,6 @@
 allow cupsd_t ptal_var_run_t:dir { search };
 dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
 
+allow cupsd_t printer_device_t:fifo_file rw_file_perms;
 dontaudit cupsd_t selinux_config_t:dir search;
 dontaudit cupsd_t selinux_config_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dovecot.te policy-1.17.9/domains/program/unused/dovecot.te
--- nsapolicy/domains/program/unused/dovecot.te	2004-09-01 14:00:02.000000000 -0400
+++ policy-1.17.9/domains/program/unused/dovecot.te	2004-09-02 08:15:02.738588475 -0400
@@ -11,7 +11,7 @@
 
 type dovecot_cert_t, file_type, sysadmfile;
 
-allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
+allow dovecot_t self:capability { chown net_bind_service setgid setuid sys_chroot dac_override dac_read_search };
 allow dovecot_t self:process { setrlimit };
 can_network(dovecot_t)
 can_ypbind(dovecot_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ipsec.te policy-1.17.9/domains/program/unused/ipsec.te
--- nsapolicy/domains/program/unused/ipsec.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.9/domains/program/unused/ipsec.te	2004-09-02 08:15:02.739588362 -0400
@@ -127,7 +127,7 @@
 ########## The following rules were added by cvance@tislabs.com ##########
 
 # allow pluto and startup scripts to access /dev/urandom
-allow { ipsec_t ipsec_mgmt_t } random_device_t:chr_file r_file_perms;
+allow { ipsec_t ipsec_mgmt_t } { urandom_device_t random_device_t }:chr_file r_file_perms;
 
 # allow pluto to access /proc/net/ipsec_eroute;
 general_proc_read_access(ipsec_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/named.te policy-1.17.9/domains/program/unused/named.te
--- nsapolicy/domains/program/unused/named.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.9/domains/program/unused/named.te	2004-09-02 08:15:02.739588362 -0400
@@ -113,7 +113,6 @@
 allow ndc_t self:unix_stream_socket create_stream_socket_perms;
 allow ndc_t self:unix_stream_socket connect;
 allow ndc_t self:capability { dac_override net_admin };
-allow ndc_t var_t:dir search;
 allow ndc_t var_run_t:dir search;
 allow ndc_t named_var_run_t:sock_file rw_file_perms;
 allow ndc_t named_t:unix_stream_socket connectto;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rhgb.te policy-1.17.9/domains/program/unused/rhgb.te
--- nsapolicy/domains/program/unused/rhgb.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.9/domains/program/unused/rhgb.te	2004-09-02 08:15:02.740588250 -0400
@@ -33,11 +33,6 @@
 allow insmod_t ramfs_t:file write;
 allow insmod_t rhgb_t:fd use;
 
-allow rhgb_t ramfs_t:filesystem { mount unmount };
-allow rhgb_t root_t:dir { mounton };
-allow rhgb_t rhgb_t:capability { sys_admin };
-dontaudit rhgb_t var_run_t:dir { search };
-
 can_network(rhgb_t)
 can_ypbind(rhgb_t)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpm.te policy-1.17.9/domains/program/unused/rpm.te
--- nsapolicy/domains/program/unused/rpm.te	2004-09-01 14:00:02.000000000 -0400
+++ policy-1.17.9/domains/program/unused/rpm.te	2004-09-02 08:15:02.740588250 -0400
@@ -19,10 +19,6 @@
 system_crond_entry(rpm_exec_t, rpm_t)
 role sysadm_r types rpm_t;
 domain_auto_trans(sysadm_t, rpm_exec_t, rpm_t)
-ifdef(`unlimitedUsers', `
-role staff_r types rpm_t;
-domain_auto_trans(staff_t, rpm_exec_t, rpm_t)
-')
 
 type rpm_file_t, file_type, sysadmfile;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/spamassassin.te policy-1.17.9/domains/program/unused/spamassassin.te
--- nsapolicy/domains/program/unused/spamassassin.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.9/domains/program/unused/spamassassin.te	2004-09-02 08:15:02.741588138 -0400
@@ -6,4 +6,6 @@
 
 type spamassassin_exec_t, file_type, sysadmfile, exec_type;
 
+bool spamassasin_can_network false;
+
 # Everything else is in spamassassin_macros.te.
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.17.9/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te	2004-09-01 14:00:02.000000000 -0400
+++ policy-1.17.9/domains/program/unused/udev.te	2004-09-02 08:15:02.742588026 -0400
@@ -43,7 +43,8 @@
 allow udev_t { device_t device_type }:{chr_file blk_file} { relabelfrom relabelto create_file_perms };
 	
 # to read the file_contexts file
-r_dir_file(udev_t, { selinux_config_t file_context_t default_context_t } )
+allow udev_t { selinux_config_t default_context_t }:dir search;
+allow udev_t file_context_t:file { getattr read };
 
 allow udev_t policy_config_t:dir { search };
 allow udev_t proc_t:file { read };
@@ -82,11 +83,6 @@
 ifdef(`consoletype.te', `
 can_exec(udev_t, consoletype_exec_t)
 ')
-ifdef(`pamconsole.te', `
-allow udev_t pam_var_console_t:dir search;
-')
-allow udev_t var_lock_t:dir search;
-allow udev_t var_lock_t:file getattr;
 domain_auto_trans(udev_t, ifconfig_exec_t, ifconfig_t)
 ifdef(`hide_broken_symptoms', `
 dontaudit ifconfig_t udev_t:unix_dgram_socket { read write };
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ipsec.fc policy-1.17.9/file_contexts/program/ipsec.fc
--- nsapolicy/file_contexts/program/ipsec.fc	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.9/file_contexts/program/ipsec.fc	2004-09-02 08:15:02.743587913 -0400
@@ -5,12 +5,16 @@
 /etc/ipsec\.d(/.*)?		system_u:object_r:ipsec_key_file_t
 /usr/lib(64)?/ipsec/.*	--	system_u:object_r:ipsec_mgmt_exec_t
 /usr/local/lib(64)?/ipsec/.*	--	system_u:object_r:ipsec_mgmt_exec_t
+/usr/libexec/ipsec/eroute	--	system_u:object_r:ipsec_exec_t
 /usr/lib(64)?/ipsec/eroute	--	system_u:object_r:ipsec_exec_t
 /usr/local/lib(64)?/ipsec/eroute --	system_u:object_r:ipsec_exec_t
+/usr/libexec/ipsec/klipsdebug	--	system_u:object_r:ipsec_exec_t
 /usr/lib(64)?/ipsec/klipsdebug --	system_u:object_r:ipsec_exec_t
 /usr/local/lib(64)?/ipsec/klipsdebug -- system_u:object_r:ipsec_exec_t
+/usr/libexec/ipsec/pluto	--	system_u:object_r:ipsec_exec_t
 /usr/lib(64)?/ipsec/pluto	--	system_u:object_r:ipsec_exec_t
 /usr/local/lib(64)?/ipsec/pluto --	system_u:object_r:ipsec_exec_t
+/usr/libexec/ipsec/spi	--	system_u:object_r:ipsec_exec_t
 /usr/lib(64)?/ipsec/spi	--	system_u:object_r:ipsec_exec_t
 /usr/local/lib(64)?/ipsec/spi --	system_u:object_r:ipsec_exec_t
 /usr/sbin/ipsec		--	system_u:object_r:ipsec_mgmt_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/fs_use policy-1.17.9/fs_use
--- nsapolicy/fs_use	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.9/fs_use	2004-09-02 08:15:02.743587913 -0400
@@ -8,6 +8,7 @@
 fs_use_xattr ext3 system_u:object_r:fs_t;
 fs_use_xattr xfs system_u:object_r:fs_t;
 fs_use_xattr reiserfs system_u:object_r:fs_t;
+fs_use_xattr tmpfs system_u:object_r:fs_t;
 
 # Use the allocating task SID to label inodes in the following filesystem
 # types, and label the filesystem itself with the specified context.
@@ -23,7 +24,6 @@
 # This is appropriate for pseudo filesystems like devpts and tmpfs
 # where we want to label objects with a derived type.
 fs_use_trans devpts system_u:object_r:devpts_t;
-fs_use_trans tmpfs system_u:object_r:tmpfs_t;
 fs_use_trans shm system_u:object_r:tmpfs_t;
 
 # The separate genfs_contexts configuration can be used for filesystem 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/admin_macros.te policy-1.17.9/macros/admin_macros.te
--- nsapolicy/macros/admin_macros.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.9/macros/admin_macros.te	2004-09-02 08:15:02.744587801 -0400
@@ -73,7 +73,8 @@
 can_sysctl($1_t)
 
 # Create and use all files that have the sysadmfile attribute.
-allow $1_t sysadmfile:notdevfile_class_set create_file_perms;
+allow $1_t sysadmfile:{ file sock_file fifo_file } create_file_perms;
+allow $1_t sysadmfile:lnk_file create_lnk_perms;
 allow $1_t sysadmfile:dir create_dir_perms;
 
 # Set an exec context, e.g. for runcon.
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.17.9/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2004-08-30 09:49:16.000000000 -0400
+++ policy-1.17.9/macros/base_user_macros.te	2004-09-02 08:15:02.745587689 -0400
@@ -223,6 +223,11 @@
 dontaudit $1_t domain:notdevfile_class_set r_file_perms;
 dontaudit $1_t domain:process { getattr getsession };
 
+ifdef(`xserver.te', `
+# for /tmp/.ICE-unix
+file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file)
+')
+
 ifdef(`xdm.te', `
 # Connect to the X server run by the X Display Manager.
 can_unix_connect($1_t, xdm_t)
@@ -287,11 +292,6 @@
 allow $1_t default_t:notdevfile_class_set r_file_perms;
 }
 
-ifdef(`unlimitedUsers', `
-allow $1_t unlabeled_t:dir r_dir_perms;
-allow $1_t unlabeled_t:notdevfile_class_set r_file_perms;
-')
-
 allow $1_t sysctl_kernel_t:dir search;
 allow $1_t sysctl_kernel_t:file { getattr read };
 allow $1_t sysctl_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.17.9/macros/program/apache_macros.te
--- nsapolicy/macros/program/apache_macros.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.9/macros/program/apache_macros.te	2004-09-02 08:15:02.746587577 -0400
@@ -21,6 +21,9 @@
 #This type is for webpages
 #
 type httpd_$1_content_t, file_type, homedirfile, sysadmfile;
+ifelse($1, sys, `
+typealias httpd_sys_content_t alias httpd_sysadm_content_t;
+')
 
 # This type is used for .htaccess files
 #
@@ -43,11 +46,13 @@
 uses_shlib(httpd_$1_script_t)
 can_network(httpd_$1_script_t)
 can_ypbind(httpd_$1_script_t)
-allow httpd_$1_script_t { usr_t lib_t }:file { getattr read };
+allow httpd_$1_script_t { usr_t lib_t }:file { getattr read ioctl };
+allow httpd_$1_script_t usr_t:lnk_file { getattr read };
 
 allow httpd_$1_script_t self:process { fork signal_perms };
 
 allow httpd_$1_script_t devtty_t:chr_file { getattr read write };
+allow httpd_$1_script_t urandom_device_t:chr_file { getattr read };
 allow httpd_$1_script_t etc_runtime_t:file { getattr read };
 read_locale(httpd_$1_script_t)
 allow httpd_$1_script_t fs_t:filesystem getattr;
@@ -59,7 +64,6 @@
 
 allow httpd_$1_script_t device_t:dir { getattr search };
 allow httpd_$1_script_t null_device_t:chr_file rw_file_perms;
-
 }
 
 # The following are the only areas that 
@@ -90,11 +94,8 @@
 
 allow httpd_$1_script_t { urandom_device_t random_device_t }:chr_file r_file_perms;
 
-dontaudit httpd_$1_script_t sysctl_kernel_t:dir search;
-dontaudit httpd_$1_script_t sysctl_kernel_t:file read;
-dontaudit httpd_$1_script_t sysctl_t:dir search;
-dontaudit httpd_$1_script_t var_run_t:dir search;
-allow httpd_$1_script_t var_t:dir { search };
+# for nscd
+dontaudit httpd_$1_script_t var_t:dir search;
 
 ###########################################################################
 # Allow the script interpreters to run the scripts.  So
@@ -111,7 +112,6 @@
 allow httpd_$1_script_t httpd_$1_script_exec_t:dir { search getattr };
 allow httpd_$1_script_t home_root_t:dir { getattr search };
 allow httpd_$1_script_t httpd_$1_content_t:dir { getattr search };
-allow httpd_$1_script_t httpd_$1_content_t:file r_file_perms;
 
 #############################################################################
 # Allow the scripts to read, read/write, append to the specified directories
@@ -149,7 +149,7 @@
 # Allow the user to create htaccess files
 #####################################################################
 
-allow $1_t httpd_$1_htaccess_t:{ file lnk_file } { create_file_perms relabelto relabelfrom };
+allow $1_t httpd_$1_htaccess_t:file { create_file_perms relabelto relabelfrom };
 
 #########################################################################
 # Allow user to create files or directories 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/crond_macros.te policy-1.17.9/macros/program/crond_macros.te
--- nsapolicy/macros/program/crond_macros.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.9/macros/program/crond_macros.te	2004-09-02 08:15:02.746587577 -0400
@@ -75,7 +75,7 @@
 allow $1_crond_t etc_runtime_t:file { getattr read };
 allow $1_crond_t self:process { fork signal_perms setsched };
 allow $1_crond_t proc_t:dir r_dir_perms;
-allow $1_crond_t proc_t:file { getattr read };
+allow $1_crond_t proc_t:file { getattr read ioctl };
 read_locale($1_crond_t)
 allow $1_crond_t { sysctl_t sysctl_kernel_t }:dir search;
 allow $1_crond_t sysctl_kernel_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.17.9/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.9/macros/program/mozilla_macros.te	2004-09-02 08:27:27.514998489 -0400
@@ -78,7 +78,6 @@
 #
 if (mozilla_readhome || mozilla_writehome) {
 r_dir_file($1_mozilla_t, $1_home_t)
-r_dir_file($1_mozilla_t, $1_home_dir_t)
 
 ifdef(`gpg.te', `
 dontaudit $1_mozilla_t $1_gpg_secret_t:dir { getattr };
@@ -99,15 +98,7 @@
 file_type_auto_trans($1_mozilla_t, $1_home_t, $1_mozilla_rw_t)
 allow $1_mozilla_t $1_home_t:dir setattr;
 allow $1_mozilla_t $1_home_t:{ file lnk_file } rw_file_perms;
-}
-
-#
-# Reading /usr/tmp
-#
-allow $1_mozilla_t tmp_t:lnk_file { read };
-#
-# Unlinking .fonts.cache-1
-dontaudit $1_mozilla_t $1_home_t:file { unlink };
+} 
 
 allow $1_mozilla_t $1_t:unix_stream_socket { connectto };
 allow $1_mozilla_t sysctl_net_t:dir { search };
@@ -119,7 +110,6 @@
 allow $1_mozilla_t $1_t:tcp_socket { read write };
 
 dontaudit $1_mozilla_t port_type:tcp_socket { name_bind };
-dontaudit $1_mozilla_t device_t:dir r_dir_perms;
 dontaudit $1_mozilla_t dri_device_t:chr_file rw_file_perms;
 
 ifdef(`xdm.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/slocate_macros.te policy-1.17.9/macros/program/slocate_macros.te
--- nsapolicy/macros/program/slocate_macros.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.9/macros/program/slocate_macros.te	2004-09-02 08:15:02.748587352 -0400
@@ -57,12 +57,7 @@
 
 base_file_read_access($1_locate_t)
 r_dir_file($1_locate_t, { etc_t lib_t var_t })
-ifdef(`unlimitedUsers', `
-allow $1_locate_t { root_dir_type file_type }:dir r_dir_perms;
-allow $1_locate_t { root_dir_type file_type -shadow_t}:file { getattr };
-', `
 dontaudit $1_locate_t { root_dir_type file_type }:dir r_dir_perms;
-')
 dontaudit $1_locate_t { root_dir_type file_type -shadow_t}:file { getattr read };
 ')
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/spamassassin_macros.te policy-1.17.9/macros/program/spamassassin_macros.te
--- nsapolicy/macros/program/spamassassin_macros.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.9/macros/program/spamassassin_macros.te	2004-09-02 08:15:02.748587352 -0400
@@ -88,10 +88,10 @@
 spamassassin_agent_privs($1_spamassassin_t, $1)
 
 # set tunable if you have spamassassin do DNS lookups
-ifdef(`spamassasin_can_network', `
+if (spamassasin_can_network) {
 can_network($1_spamassassin_t)
 can_ypbind($1_spamassassin_t)
-')
+}
 
 ###
 # Define the domain for /usr/bin/spamc
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_agent_macros.te policy-1.17.9/macros/program/ssh_agent_macros.te
--- nsapolicy/macros/program/ssh_agent_macros.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.9/macros/program/ssh_agent_macros.te	2004-09-02 08:15:02.749587240 -0400
@@ -86,7 +86,10 @@
 
 ifdef(`xdm.te', `
 allow $1_ssh_agent_t xdm_t:fd { use };
-allow $1_ssh_agent_t xdm_t:fifo_file { write };
+allow $1_ssh_agent_t xdm_t:fifo_file { read write };
+
+# kdm: sigchld
+allow $1_ssh_agent_t xdm_t:process sigchld;
 ')
 
 #
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.17.9/macros/program/ssh_macros.te
--- nsapolicy/macros/program/ssh_macros.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.9/macros/program/ssh_macros.te	2004-09-02 08:22:53.013807132 -0400
@@ -89,6 +89,14 @@
 can_network($1_ssh_t)
 can_ypbind($1_ssh_t)
 
+if (user_tcp_server) {
+# for sshing to a ssh tunnel
+can_tcp_connect($1_ssh_t, $1_ssh_t)
+
+# for other connections to a ssh tunnel
+can_tcp_connect($1_t, $1_ssh_t)
+}
+
 # Use capabilities.
 allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search };
 
@@ -118,10 +126,21 @@
 # for /bin/sh used to execute xauth
 dontaudit $1_ssh_t proc_t:dir search;
 dontaudit $1_ssh_t proc_t:file { getattr read };
+can_exec($1_ssh_t, shell_exec_t)
 
 # Inherit and use descriptors from gnome-pty-helper.
 ifdef(`gnome-pty-helper.te', `allow $1_ssh_t $1_gph_t:fd use;')
 
+# Connect to sshd.
+ifdef(`inetd.te', `
+ifdef(`run_ssh_inetd', `
+can_tcp_connect($1_ssh_t, inetd_t)
+', `
+can_tcp_connect($1_ssh_t, sshd_t)
+')', `
+can_tcp_connect($1_ssh_t, sshd_t)
+')
+
 # Write to the user domain tty.
 allow $1_ssh_t $1_tty_device_t:chr_file rw_file_perms;
 allow $1_ssh_t $1_devpts_t:chr_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/su_macros.te policy-1.17.9/macros/program/su_macros.te
--- nsapolicy/macros/program/su_macros.te	2004-09-01 14:00:03.000000000 -0400
+++ policy-1.17.9/macros/program/su_macros.te	2004-09-02 08:15:02.750587128 -0400
@@ -45,7 +45,7 @@
 allow $1_su_t proc_t:lnk_file read;
 r_dir_file($1_su_t, self)
 allow $1_su_t proc_t:file read;
-allow $1_su_t self:process setsched;
+allow $1_su_t self:process { setsched setrlimit };
 allow $1_su_t device_t:dir search;
 allow $1_su_t self:process { fork sigchld };
 can_ypbind($1_su_t)
@@ -102,7 +102,6 @@
 # Relabel ttys and ptys.
 allow $1_su_t { device_t devpts_t }:dir { getattr read search };
 allow $1_su_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto };
-allow $1_su_t console_device_t:chr_file { relabelfrom relabelto };
 
 # Close and re-open ttys and ptys to get the fd into the correct domain.
 allow $1_su_t { ttyfile ptyfile }:chr_file { read write };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/userhelper_macros.te policy-1.17.9/macros/program/userhelper_macros.te
--- nsapolicy/macros/program/userhelper_macros.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.9/macros/program/userhelper_macros.te	2004-09-02 08:15:02.751587016 -0400
@@ -17,7 +17,7 @@
 ifdef(`single_userdomain', `
 typealias $1_t alias $1_userhelper_t;
 ', `
-type $1_userhelper_t, domain, userhelperdomain, privlog, privrole, privowner, auth_chkpwd, privfd, privuser;
+type $1_userhelper_t, domain, userhelperdomain, privlog, privrole, privowner, auth_chkpwd, privfd ifdef(`user_canbe_sysadm', `, privuser');
 
 in_user_role($1_userhelper_t)
 role sysadm_r types $1_userhelper_t;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/x_client_macros.te policy-1.17.9/macros/program/x_client_macros.te
--- nsapolicy/macros/program/x_client_macros.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.9/macros/program/x_client_macros.te	2004-09-02 08:15:02.752586903 -0400
@@ -72,7 +72,8 @@
 # allow $1_t to create dirs and files in the rw type (the auto_trans rule above
 # does it for $1_$2_t)
 allow $1_t $1_$2_rw_t:dir create_dir_perms;
-allow $1_t $1_$2_rw_t:{ file lnk_file } create_file_perms;
+allow $1_t $1_$2_rw_t:file create_file_perms;
+allow $1_t $1_$2_rw_t:lnk_file create_lnk_perms;
 
 r_dir_file($1_$2_t, $1_$2_ro_t)
 allow $1_$2_t $1_$2_ro_t:fifo_file { read write };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xserver_macros.te policy-1.17.9/macros/program/xserver_macros.te
--- nsapolicy/macros/program/xserver_macros.te	2004-09-02 08:03:27.267644661 -0400
+++ policy-1.17.9/macros/program/xserver_macros.te	2004-09-02 08:16:31.894582051 -0400
@@ -47,6 +47,7 @@
 ', `
 domain_auto_trans($1_t, xserver_exec_t, $1_xserver_t)
 ')dnl end ifelse xdm
+can_exec($1_xserver_t, xserver_exec_t)
 
 uses_shlib($1_xserver_t)
 can_network($1_xserver_t)
@@ -95,6 +96,8 @@
 ')dnl end ifdef userhelper
 ')dnl end ifelse xdm
 
+allow $1_xserver_t self:process setsched;
+
 allow $1_xserver_t fs_t:filesystem getattr;
 
 # Xorg wants to check if kernel is tainted
@@ -127,7 +130,9 @@
 allow $1_xserver_t mtrr_device_t:file rw_file_perms;
 allow $1_xserver_t apm_bios_t:chr_file rw_file_perms;
 allow $1_xserver_t framebuf_device_t:chr_file rw_file_perms;
+ifdef(`redhat', `
 allow $1_xserver_t device_t:lnk_file { getattr read };
+')
 allow $1_xserver_t devtty_t:chr_file rw_file_perms;
 allow $1_xserver_t devtty_t:lnk_file read;
 
@@ -205,7 +210,7 @@
 
 # Run helper programs in $1_xserver_t.
 allow $1_xserver_t { bin_t sbin_t }:dir search;
-allow $1_xserver_t etc_t:file { getattr read };
+allow $1_xserver_t etc_t:{ file lnk_file } { getattr read };
 allow $1_xserver_t bin_t:lnk_file read;
 can_exec($1_xserver_t, { bin_t shell_exec_t })
 
@@ -226,7 +231,7 @@
 ifelse($1, xdm, `
 ifdef(`xdm.te', `
 allow xdm_xserver_t xdm_t:shm rw_shm_perms;
-rw_dir_file(xdm_xserver_t, xdm_tmpfs_t)
+allow xdm_xserver_t xdm_tmpfs_t:file rw_file_perms;
 ')
 ', `
 allow $1_xserver_t $1_t:shm rw_shm_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.17.9/macros/user_macros.te
--- nsapolicy/macros/user_macros.te	2004-09-01 14:00:03.000000000 -0400
+++ policy-1.17.9/macros/user_macros.te	2004-09-02 08:15:02.753586791 -0400
@@ -28,7 +28,7 @@
 allow $1_t device_t:dir { getattr };
 
 # Type for home directory.
-type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type, user_home_type;
+type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type;
 type $1_home_t, file_type, sysadmfile, home_type, user_home_type;
 
 tmp_domain($1, `, user_tmpfile')
@@ -145,9 +145,7 @@
 define(`full_user_role', `
 
 # user_t/$1_t is an unprivileged users domain.
-type $1_t, domain, userdomain, unpriv_userdomain, web_client_domain, privfd, nscd_client_domain
-ifdef(`unlimitedUsers', `,privhome, etc_writer, privmodule, privlog, privowner, admin, fs_domain, privmem, privowner, sysctl_kernel_writer, auth, auth_write')
-;
+type $1_t, domain, userdomain, unpriv_userdomain, web_client_domain, nscd_client_domain;
 
 # Grant read/search permissions to some of /proc.
 allow $1_t proc_t:dir r_dir_perms;
@@ -251,9 +249,6 @@
 #
 allow $1_home_t $1_home_t:filesystem associate;
 allow homedirfile $1_home_t:filesystem associate;
-ifdef(`unlimitedUsers', `
-unconfined_domain($1_t) 
-')
 ')
 
 undefine(`in_user_role')
diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.17.9/Makefile
--- nsapolicy/Makefile	2004-09-02 08:03:26.130772258 -0400
+++ policy-1.17.9/Makefile	2004-09-02 08:15:02.754586679 -0400
@@ -147,6 +147,7 @@
 	@grep -v "^/root" $@.tmp > $@.root
 	@/usr/sbin/genhomedircon . $@.root  > $@
 	@grep "^/root" $@.tmp >> $@
+	@for i in /proc/ide/hd*/media; do grep -q cdrom $$i && echo $$i | awk -F / '{ print "/dev/"$$4"\t-b\tsystem_u:object_r:removable_device_t"}' >> $@ || true; done 
 	@-rm $@.tmp $@.root
 
 clean:
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.17.9/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.9/tunables/distro.tun	2004-09-02 08:15:02.755586567 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.17.9/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.9/tunables/tunable.tun	2004-09-02 08:15:02.755586567 -0400
@@ -5,50 +5,47 @@
 dnl define(`user_net_control')
 
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Support NFS home directories
-dnl define(`nfs_home_dirs')
+define(`nfs_home_dirs')
 
 # Allow users to run games
-dnl define(`use_games')
+define(`use_games')
 
 # Allow ypbind to run with NIS
-dnl define(`allow_ypbind')
+define(`allow_ypbind')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow sysadm_t to do almost everything
 dnl define(`unrestricted_admin')
 
 # Allow the read/write/create on any NFS file system
-dnl define(`nfs_export_all_rw')
-
-# Allow users to unrestricted access
-dnl define(`unlimitedUsers')
+define(`nfs_export_all_rw')
 
 # Allow the reading on any NFS file system
 dnl define(`nfs_export_all_ro')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.

Re: Latest Patches

[Stephen Smalley]

On Thu, 2004-09-02 at 08:46, Daniel J Walsh wrote:
> Include some stuff from Russell,
> Critical patch for tmpfs to get udev on tmpfs working

You can't change fs_use in that manner; it will break the kernel's
internal usage of tmpfs for shared memory.  The situation is similar to
devpts; fs_use_trans will govern the initial setting of the inode
context, then programs can explicitly set and get the context.  

________________________________________________________________________
-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Latest Patches

[Daniel J Walsh]

Stephen Smalley wrote:

>On Thu, 2004-09-02 at 08:46, Daniel J Walsh wrote:
>  
>
>>Include some stuff from Russell,
>>Critical patch for tmpfs to get udev on tmpfs working
>>    
>>
>
>You can't change fs_use in that manner; it will break the kernel's
>internal usage of tmpfs for shared memory.  The situation is similar to
>devpts; fs_use_trans will govern the initial setting of the inode
>context, then programs can explicitly set and get the context.  
>
>________________________________________________________________________
>  
>
We get a discretionary Access control error "Permission Denied" message 
on on a restorecon /dev without making this change
on bootup.  Everything seemed to be working ok Well at least to the 
point of booting the machine and logging in.

Dan

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Latest Patches

[Stephen Smalley]

On Thu, 2004-09-02 at 11:23, Daniel J Walsh wrote:
> Stephen Smalley wrote:
> >You can't change fs_use in that manner; it will break the kernel's
> >internal usage of tmpfs for shared memory.  The situation is similar to
> >devpts; fs_use_trans will govern the initial setting of the inode
> >context, then programs can explicitly set and get the context.  
>
> We get a discretionary Access control error "Permission Denied" message 
> on on a restorecon /dev without making this change
> on bootup.  Everything seemed to be working ok Well at least to the 
> point of booting the machine and logging in.

That doesn't make it correct.  You can't just change the existing
labeling behavior and superblock type for the tmpfs internal mount for
shmem.  As per prior discussions on this list with Luke, you want to:
- mount tmpfs on /dev with fscontext=system_u:object_r:device_t (James
sent Arjan the necessary patch for that along with the xattr handler
based on the earlier patches by Luke)
- adjust the policy accordingly, including the necessary filesystem
associate permissions between device_type and device_t:filesystem.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Latest Patches

[Daniel J Walsh]

Stephen Smalley wrote:

>On Thu, 2004-09-02 at 11:23, Daniel J Walsh wrote:
>  
>
>>Stephen Smalley wrote:
>>    
>>
>>>You can't change fs_use in that manner; it will break the kernel's
>>>internal usage of tmpfs for shared memory.  The situation is similar to
>>>devpts; fs_use_trans will govern the initial setting of the inode
>>>context, then programs can explicitly set and get the context.  
>>>      
>>>
>>We get a discretionary Access control error "Permission Denied" message 
>>on on a restorecon /dev without making this change
>>on bootup.  Everything seemed to be working ok Well at least to the 
>>point of booting the machine and logging in.
>>    
>>
>
>That doesn't make it correct.  You can't just change the existing
>labeling behavior and superblock type for the tmpfs internal mount for
>shmem.  As per prior discussions on this list with Luke, you want to:
>- mount tmpfs on /dev with fscontext=system_u:object_r:device_t (James
>sent Arjan the necessary patch for that along with the xattr handler
>based on the earlier patches by Luke)
>  
>
We can't do that because the file system is mounted in the initrd before 
context is loaded
We tried to do a remount with the correct context but that is not allowed.

>- adjust the policy accordingly, including the necessary filesystem
>associate permissions between device_type and device_t:filesystem.
>
>  
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Latest Patches

[Stephen Smalley]

On Thu, 2004-09-02 at 11:53, Daniel J Walsh wrote:
> We can't do that because the file system is mounted in the initrd before 
> context is loaded
> We tried to do a remount with the correct context but that is not allowed.

Pity.  Ok, then you have to make the policy work with tmpfs_t as the
initial type on /dev.  You _cannot_ change the fs_use rule for tmpfs; it
will break all users of shared anonymous mappings and System V shared
memory (leaves their inodes as unlabeled_t rather than computing them
based on type_transition rules).

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Latest Patches

[Stephen Smalley]

On Thu, 2004-09-02 at 12:48, Stephen Smalley wrote:
> On Thu, 2004-09-02 at 11:53, Daniel J Walsh wrote:
> > We can't do that because the file system is mounted in the initrd before 
> > context is loaded
> > We tried to do a remount with the correct context but that is not allowed.
> 
> Pity.  Ok, then you have to make the policy work with tmpfs_t as the
> initial type on /dev.  You _cannot_ change the fs_use rule for tmpfs; it
> will break all users of shared anonymous mappings and System V shared
> memory (leaves their inodes as unlabeled_t rather than computing them
> based on type_transition rules).

Also requires allowing associate between device_type (and any other
types you want under /dev) and tmpfs_t:filesystem.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Latest Patches

[Luke Kenneth Casson Leighton]

On Thu, Sep 02, 2004 at 11:53:36AM -0400, Daniel J Walsh wrote:

> >That doesn't make it correct.  You can't just change the existing
> >labeling behavior and superblock type for the tmpfs internal mount for
> >shmem.  As per prior discussions on this list with Luke, you want to:
> >- mount tmpfs on /dev with fscontext=system_u:object_r:device_t (James
> >sent Arjan the necessary patch for that along with the xattr handler
> >based on the earlier patches by Luke)
> > 
> >
> We can't do that because the file system is mounted in the initrd before 
> context is loaded

 um.  why?  *curious*.

 i mean, why mount the /dev filesystem in the initrd ?

 and, also, why before running /sbin/init? [hope i'm right about that]
 
 l.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Latest Patches

[Daniel J Walsh]

Luke Kenneth Casson Leighton wrote:

>On Thu, Sep 02, 2004 at 11:53:36AM -0400, Daniel J Walsh wrote:
>
>  
>
>>>That doesn't make it correct.  You can't just change the existing
>>>labeling behavior and superblock type for the tmpfs internal mount for
>>>shmem.  As per prior discussions on this list with Luke, you want to:
>>>- mount tmpfs on /dev with fscontext=system_u:object_r:device_t (James
>>>sent Arjan the necessary patch for that along with the xattr handler
>>>based on the earlier patches by Luke)
>>>
>>>
>>>      
>>>
>>We can't do that because the file system is mounted in the initrd before 
>>context is loaded
>>    
>>
>
> um.  why?  *curious*.
>
> i mean, why mount the /dev filesystem in the initrd ?
>
> and, also, why before running /sbin/init? [hope i'm right about that]
> 
> l.
>
>  
>
I am guessing certain devices are required before /sbin/init is started.
Devices required to mount the / file system?

Dan

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Latest Patches

[Luke Kenneth Casson Leighton]

On Thu, Sep 02, 2004 at 03:42:43PM -0400, Daniel J Walsh wrote:
> Luke Kenneth Casson Leighton wrote:
> 
> >On Thu, Sep 02, 2004 at 11:53:36AM -0400, Daniel J Walsh wrote:
> >
> > 
> >
> >>>That doesn't make it correct.  You can't just change the existing
> >>>labeling behavior and superblock type for the tmpfs internal mount for
> >>>shmem.  As per prior discussions on this list with Luke, you want to:
> >>>- mount tmpfs on /dev with fscontext=system_u:object_r:device_t (James
> >>>sent Arjan the necessary patch for that along with the xattr handler
> >>>based on the earlier patches by Luke)
> >>>
> >>>
> >>>     
> >>>
> >>We can't do that because the file system is mounted in the initrd before 
> >>context is loaded
> >>   
> >>
> >
> >um.  why?  *curious*.
> >
> >i mean, why mount the /dev filesystem in the initrd ?
> >
> >and, also, why before running /sbin/init? [hope i'm right about that]
> >
> >l.
> >
> > 
> >
> I am guessing certain devices are required before /sbin/init is started.
> Devices required to mount the / file system?
 
 i'm sure debian's initrd doesn't do that.

 i mean, it _does_ mount /dev, detects what the rootfs _is_, and
 then unmounts /dev.

 yeh.  and it mounts and then unmounts /proc.

 the script linuxrc communicates where the real root device is
 by reading /proc/sys/kernel/real-root-dev.

 it's all quite hairy but it looks like herbert's initrd init script
 mounts devfs twice - _and_ unmounts it twice:

mount_root() {
	mount -nt proc proc proc
	mount -nt ramfs ramfs dev2
	mount -nt devfs devfs devfs
	get_device
	mount_device
	umount -n devfs
	umount -n dev2
	umount -n proc
}


i must be missing something here.

two people (myself and mr lbsd) both have selinux working under debian
with zero modifications to initrd, a few modifications to udev.te and
init.te ...

?

l.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Latest Patches

[Stephen Smalley]

On Thu, 2004-09-02 at 08:46, Daniel J Walsh wrote:
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.17.9/domains/program/initrc.te
> --- nsapolicy/domains/program/initrc.te	2004-08-30 09:49:15.000000000 -0400
> +++ policy-1.17.9/domains/program/initrc.te	2004-09-02 08:15:02.734588923 -0400
> @@ -12,12 +12,14 @@
>  # initrc_exec_t is the type of the init program.
>  #
>  # do not use privmail for sendmail as it creates a type transition conflict
> -type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, unrestricted, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') sysctl_kernel_writer;
>  ifdef(`sendmail.te', `
> +# do not use privmail for sendmail as it creates a type transition conflict
> +type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, unrestricted, ') domain, privlog, privowner, privmodule, sysctl_kernel_writer;
>  allow system_mail_t initrc_t:fd use;
>  allow system_mail_t initrc_t:fifo_file write;
> +', `
> +type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem,auth_write, unrestricted, ') domain, privlog, privowner, privmodule, sysctl_kernel_writer, privmail;
>  ')
> -

This reverts a patch from Russell to merge the two initrc_t type
declarations together (using an ifdef embedded in the attribute list for
the sendmail issue) to ease maintenance.

> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.17.9/domains/program/unused/apache.te
> --- nsapolicy/domains/program/unused/apache.te	2004-08-30 09:49:15.000000000 -0400
> +++ policy-1.17.9/domains/program/unused/apache.te	2004-09-02 08:15:02.737588587 -0400
> @@ -41,6 +41,7 @@
>  append_logdir_domain(httpd)
>  #can read /etc/httpd/logs
>  allow httpd_t httpd_log_t:lnk_file { read };
> +allow httpd_t httpd_log_t:dir { remove_name };
>  
>  # For /etc/init.d/apache2 reload
>  can_tcp_connect(httpd_t, httpd_t)

As before, do you want apache removing log files?

> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.17.9/domains/program/unused/cups.te
> --- nsapolicy/domains/program/unused/cups.te	2004-08-30 09:49:15.000000000 -0400
> +++ policy-1.17.9/domains/program/unused/cups.te	2004-09-02 08:15:02.737588587 -0400
> @@ -157,5 +157,6 @@
>  allow cupsd_t ptal_var_run_t:dir { search };
>  dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
>  
> +allow cupsd_t printer_device_t:fifo_file rw_file_perms;
>  dontaudit cupsd_t selinux_config_t:dir search;
>  dontaudit cupsd_t selinux_config_t:file { getattr read };

Does this fifo still exist?  Russell removed this rule earlier.

> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/named.te policy-1.17.9/domains/program/unused/named.te
> --- nsapolicy/domains/program/unused/named.te	2004-08-27 14:44:11.000000000 -0400
> +++ policy-1.17.9/domains/program/unused/named.te	2004-09-02 08:15:02.739588362 -0400
> @@ -113,7 +113,6 @@
>  allow ndc_t self:unix_stream_socket create_stream_socket_perms;
>  allow ndc_t self:unix_stream_socket connect;
>  allow ndc_t self:capability { dac_override net_admin };
> -allow ndc_t var_t:dir search;
>  allow ndc_t var_run_t:dir search;
>  allow ndc_t named_var_run_t:sock_file rw_file_perms;
>  allow ndc_t named_t:unix_stream_socket connectto;

You can't reach /var/run if you can't search /var.

> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rhgb.te policy-1.17.9/domains/program/unused/rhgb.te
> --- nsapolicy/domains/program/unused/rhgb.te	2004-08-27 14:44:11.000000000 -0400
> +++ policy-1.17.9/domains/program/unused/rhgb.te	2004-09-02 08:15:02.740588250 -0400
> @@ -33,11 +33,6 @@
>  allow insmod_t ramfs_t:file write;
>  allow insmod_t rhgb_t:fd use;
>  
> -allow rhgb_t ramfs_t:filesystem { mount unmount };
> -allow rhgb_t root_t:dir { mounton };
> -allow rhgb_t rhgb_t:capability { sys_admin };
> -dontaudit rhgb_t var_run_t:dir { search };
> -
>  can_network(rhgb_t)
>  can_ypbind(rhgb_t)

Why is it safe to remove these rules?  Change in mkinitrd?  Does rhgb
still work as expected with strict/enforcing?

> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.17.9/domains/program/unused/udev.te
> --- nsapolicy/domains/program/unused/udev.te	2004-09-01 14:00:02.000000000 -0400
> +++ policy-1.17.9/domains/program/unused/udev.te	2004-09-02 08:15:02.742588026 -0400
> @@ -43,7 +43,8 @@
>  allow udev_t { device_t device_type }:{chr_file blk_file} { relabelfrom relabelto create_file_perms };
>  	
>  # to read the file_contexts file
> -r_dir_file(udev_t, { selinux_config_t file_context_t default_context_t } )
> +allow udev_t { selinux_config_t default_context_t }:dir search;
> +allow udev_t file_context_t:file { getattr read };

To access the file_contexts file, udev must be able to read
/etc/selinux/config (requires search to selinux_config_t:dir and read to
selinux_config_t:file) and
/etc/selinux/$SELINUXTYPE/contexts/files/file_contexts (requires search
to default_context_t:dir and file_context_t:dir and read to
file_context_t:file).  Simpler to just express this using the single
r_dir_file() line that is in our policy, even it is a bit more
permissive than strictly necessary (your rules aren't sufficient).

> @@ -82,11 +83,6 @@
>  ifdef(`consoletype.te', `
>  can_exec(udev_t, consoletype_exec_t)
>  ')
> -ifdef(`pamconsole.te', `
> -allow udev_t pam_var_console_t:dir search;
> -')
> -allow udev_t var_lock_t:dir search;
> -allow udev_t var_lock_t:file getattr;
>  domain_auto_trans(udev_t, ifconfig_exec_t, ifconfig_t)
>  ifdef(`hide_broken_symptoms', `
>  dontaudit ifconfig_t udev_t:unix_dgram_socket { read write };

These were just added by Russell, I think.

> diff --exclude-from=exclude -N -u -r nsapolicy/fs_use policy-1.17.9/fs_use
> --- nsapolicy/fs_use	2004-08-27 14:44:11.000000000 -0400
> +++ policy-1.17.9/fs_use	2004-09-02 08:15:02.743587913 -0400
> @@ -8,6 +8,7 @@
>  fs_use_xattr ext3 system_u:object_r:fs_t;
>  fs_use_xattr xfs system_u:object_r:fs_t;
>  fs_use_xattr reiserfs system_u:object_r:fs_t;
> +fs_use_xattr tmpfs system_u:object_r:fs_t;
>  
>  # Use the allocating task SID to label inodes in the following filesystem
>  # types, and label the filesystem itself with the specified context.
> @@ -23,7 +24,6 @@
>  # This is appropriate for pseudo filesystems like devpts and tmpfs
>  # where we want to label objects with a derived type.
>  fs_use_trans devpts system_u:object_r:devpts_t;
> -fs_use_trans tmpfs system_u:object_r:tmpfs_t;
>  fs_use_trans shm system_u:object_r:tmpfs_t;
>  
>  # The separate genfs_contexts configuration can be used for filesystem 

Definitely wrong.  tmpfs needs to stay fs_use_trans even with the xattr
handlers, like devpts.


> diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.17.9/macros/program/ssh_macros.te
> --- nsapolicy/macros/program/ssh_macros.te	2004-08-27 14:44:11.000000000 -0400
> +++ policy-1.17.9/macros/program/ssh_macros.te	2004-09-02 08:22:53.013807132 -0400
> @@ -89,6 +89,14 @@
>  can_network($1_ssh_t)
>  can_ypbind($1_ssh_t)
>  
> +if (user_tcp_server) {
> +# for sshing to a ssh tunnel
> +can_tcp_connect($1_ssh_t, $1_ssh_t)
> +
> +# for other connections to a ssh tunnel
> +can_tcp_connect($1_t, $1_ssh_t)
> +}
> +
>  # Use capabilities.
>  allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search };

Where is this diff coming from?  can_tcp_connect expands to _nothing_ in
the present policy; it was only applicable to the pre-2.6 SELinux with
labeled network buffers.

> +# Connect to sshd.
> +ifdef(`inetd.te', `
> +ifdef(`run_ssh_inetd', `
> +can_tcp_connect($1_ssh_t, inetd_t)
> +', `
> +can_tcp_connect($1_ssh_t, sshd_t)
> +')', `
> +can_tcp_connect($1_ssh_t, sshd_t)
> +')
> +

Ditto, and run_ssh_inetd is no longer a tunable; it is a boolean.

> diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/userhelper_macros.te policy-1.17.9/macros/program/userhelper_macros.te
> --- nsapolicy/macros/program/userhelper_macros.te	2004-08-27 14:44:11.000000000 -0400
> +++ policy-1.17.9/macros/program/userhelper_macros.te	2004-09-02 08:15:02.751587016 -0400
> @@ -17,7 +17,7 @@
>  ifdef(`single_userdomain', `
>  typealias $1_t alias $1_userhelper_t;
>  ', `
> -type $1_userhelper_t, domain, userhelperdomain, privlog, privrole, privowner, auth_chkpwd, privfd, privuser;
> +type $1_userhelper_t, domain, userhelperdomain, privlog, privrole, privowner, auth_chkpwd, privfd ifdef(`user_canbe_sysadm', `, privuser');
>  
>  in_user_role($1_userhelper_t)
>  role sysadm_r types $1_userhelper_t;

No, this is a reversion (where are these diffs coming from?).  privuser
is always needed by userhelper with the current code (always switches to
"root").

> @@ -127,7 +130,9 @@
>  allow $1_xserver_t mtrr_device_t:file rw_file_perms;
>  allow $1_xserver_t apm_bios_t:chr_file rw_file_perms;
>  allow $1_xserver_t framebuf_device_t:chr_file rw_file_perms;
> +ifdef(`redhat', `
>  allow $1_xserver_t device_t:lnk_file { getattr read };
> +')
>  allow $1_xserver_t devtty_t:chr_file rw_file_perms;
>  allow $1_xserver_t devtty_t:lnk_file read;
>  

Wrapping such a trivial rule with a distro-specific ifdef is pointless,
IMHO, and makes maintenance a pain.

> diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.17.9/Makefile
> --- nsapolicy/Makefile	2004-09-02 08:03:26.130772258 -0400
> +++ policy-1.17.9/Makefile	2004-09-02 08:15:02.754586679 -0400
> @@ -147,6 +147,7 @@
>  	@grep -v "^/root" $@.tmp > $@.root
>  	@/usr/sbin/genhomedircon . $@.root  > $@
>  	@grep "^/root" $@.tmp >> $@
> +	@for i in /proc/ide/hd*/media; do grep -q cdrom $$i && echo $$i | awk -F / '{ print "/dev/"$$4"\t-b\tsystem_u:object_r:removable_device_t"}' >> $@ || true; done 
>  	@-rm $@.tmp $@.root
>  
>  clean:

Requires that the policy be rebuilt on every machine, as it depends on
local /proc information.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Latest Patches

[Russell Coker]

On Thu, 2 Sep 2004 23:10, Stephen Smalley <sds@epoch.ncsc.mil> wrote:
> > diff --exclude-from=exclude -N -u -r
> > nsapolicy/domains/program/unused/named.te
> > policy-1.17.9/domains/program/unused/named.te ---
> > nsapolicy/domains/program/unused/named.te 2004-08-27 14:44:11.000000000
> > -0400 +++ policy-1.17.9/domains/program/unused/named.te 2004-09-02
> > 08:15:02.739588362 -0400 @@ -113,7 +113,6 @@
> >  allow ndc_t self:unix_stream_socket create_stream_socket_perms;
> >  allow ndc_t self:unix_stream_socket connect;
> >  allow ndc_t self:capability { dac_override net_admin };
> > -allow ndc_t var_t:dir search;
> >  allow ndc_t var_run_t:dir search;
> >  allow ndc_t named_var_run_t:sock_file rw_file_perms;
> >  allow ndc_t named_t:unix_stream_socket connectto;
>
> You can't reach /var/run if you can't search /var.

The mistake here was removing the occurrence of that rule at line 116 instead 
of at line 145.  The rule is included twice if you enable ndc_shell_script.

> > diff --exclude-from=exclude -N -u -r
> > nsapolicy/domains/program/unused/udev.te
> > policy-1.17.9/domains/program/unused/udev.te ---
> > nsapolicy/domains/program/unused/udev.te 2004-09-01 14:00:02.000000000
> > -0400 +++ policy-1.17.9/domains/program/unused/udev.te 2004-09-02
> > 08:15:02.742588026 -0400 @@ -43,7 +43,8 @@
> >  allow udev_t { device_t device_type }:{chr_file blk_file} { relabelfrom
> > relabelto create_file_perms };
> >
> >  # to read the file_contexts file
> > -r_dir_file(udev_t, { selinux_config_t file_context_t default_context_t }
> > ) +allow udev_t { selinux_config_t default_context_t }:dir search; +allow
> > udev_t file_context_t:file { getattr read };
>
> To access the file_contexts file, udev must be able to read
> /etc/selinux/config (requires search to selinux_config_t:dir and read to
> selinux_config_t:file) and
> /etc/selinux/$SELINUXTYPE/contexts/files/file_contexts (requires search
> to default_context_t:dir and file_context_t:dir and read to
> file_context_t:file).  Simpler to just express this using the single
> r_dir_file() line that is in our policy, even it is a bit more
> permissive than strictly necessary (your rules aren't sufficient).

My most recent patch for this is sufficient.  It seems that Dan merged in an 
earlier patch that was in a development stage.

> > diff --exclude-from=exclude -N -u -r
> > nsapolicy/macros/program/ssh_macros.te
> > policy-1.17.9/macros/program/ssh_macros.te ---
> > nsapolicy/macros/program/ssh_macros.te 2004-08-27 14:44:11.000000000
> > -0400 +++ policy-1.17.9/macros/program/ssh_macros.te 2004-09-02
> > 08:22:53.013807132 -0400 @@ -89,6 +89,14 @@
> >  can_network($1_ssh_t)
> >  can_ypbind($1_ssh_t)
> >
> > +if (user_tcp_server) {
> > +# for sshing to a ssh tunnel
> > +can_tcp_connect($1_ssh_t, $1_ssh_t)
> > +
> > +# for other connections to a ssh tunnel
> > +can_tcp_connect($1_t, $1_ssh_t)
> > +}
> > +
> >  # Use capabilities.
> >  allow $1_ssh_t self:capability { setuid setgid dac_override
> > dac_read_search };
>
> Where is this diff coming from?  can_tcp_connect expands to _nothing_ in
> the present policy; it was only applicable to the pre-2.6 SELinux with
> labeled network buffers.

It was in my tree.  When the tunables were converted to booleans I just made 
equivalent changes to the policy in my tree.

> > +# Connect to sshd.
> > +ifdef(`inetd.te', `
> > +ifdef(`run_ssh_inetd', `
> > +can_tcp_connect($1_ssh_t, inetd_t)
> > +', `
> > +can_tcp_connect($1_ssh_t, sshd_t)
> > +')', `
> > +can_tcp_connect($1_ssh_t, sshd_t)
> > +')
> > +
>
> Ditto, and run_ssh_inetd is no longer a tunable; it is a boolean.

I've removed both of them from my tree to avoid further confusion.

 > diff --exclude-from=exclude -N -u -r
> > nsapolicy/macros/program/userhelper_macros.te
> > policy-1.17.9/macros/program/userhelper_macros.te ---
> > nsapolicy/macros/program/userhelper_macros.te 2004-08-27
> > 14:44:11.000000000 -0400 +++
> > policy-1.17.9/macros/program/userhelper_macros.te 2004-09-02
> > 08:15:02.751587016 -0400 @@ -17,7 +17,7 @@
> >  ifdef(`single_userdomain', `
> >  typealias $1_t alias $1_userhelper_t;
> >  ', `
> > -type $1_userhelper_t, domain, userhelperdomain, privlog, privrole,
> > privowner, auth_chkpwd, privfd, privuser; +type $1_userhelper_t, domain,
> > userhelperdomain, privlog, privrole, privowner, auth_chkpwd, privfd
> > ifdef(`user_canbe_sysadm', `, privuser');
> >
> >  in_user_role($1_userhelper_t)
> >  role sysadm_r types $1_userhelper_t;
>
> No, this is a reversion (where are these diffs coming from?).  privuser
> is always needed by userhelper with the current code (always switches to
> "root").

Probably from my tree.  There's a bunch of differences between my tree and the 
CVS which are because of my tree being outdated.  I am fairly careful about 
what I push, and also about what I accept for my tree.

There are some things in the CVS that I have not yet put in my tree because I 
suspect that there is a better way of achieving the same goal.  There are 
other things in the CVS that aren't in my tree because I haven't had time to 
consider the policy in question.

> > @@ -127,7 +130,9 @@
> >  allow $1_xserver_t mtrr_device_t:file rw_file_perms;
> >  allow $1_xserver_t apm_bios_t:chr_file rw_file_perms;
> >  allow $1_xserver_t framebuf_device_t:chr_file rw_file_perms;
> > +ifdef(`redhat', `
> >  allow $1_xserver_t device_t:lnk_file { getattr read };
> > +')
> >  allow $1_xserver_t devtty_t:chr_file rw_file_perms;
> >  allow $1_xserver_t devtty_t:lnk_file read;
>
> Wrapping such a trivial rule with a distro-specific ifdef is pointless,
> IMHO, and makes maintenance a pain.

OK, I'll remove that from my tree.

> > diff --exclude-from=exclude -N -u -r nsapolicy/Makefile
> > policy-1.17.9/Makefile --- nsapolicy/Makefile 2004-09-02
> > 08:03:26.130772258 -0400
> > +++ policy-1.17.9/Makefile 2004-09-02 08:15:02.754586679 -0400
> > @@ -147,6 +147,7 @@
> >   @grep -v "^/root" $@.tmp > $@.root
> >   @/usr/sbin/genhomedircon . $@.root  > $@
> >   @grep "^/root" $@.tmp >> $@
> > + @for i in /proc/ide/hd*/media; do grep -q cdrom $$i && echo $$i | awk
> > -F / '{ print "/dev/"$$4"\t-b\tsystem_u:object_r:removable_device_t"}' >>
> > $@ || true; done @-rm $@.tmp $@.root
> >
> >  clean:
>
> Requires that the policy be rebuilt on every machine, as it depends on
> local /proc information.

True.  The general consensus seems to be that Colin Walters has the best idea 
of how to solve this.  But until his solution gets implemented this seems 
like a good work-around.

Also something to note is that we really don't want to use this when producing 
a file_contexts file for distributing to other machines.  It would be likely 
to grant inappropriate access to block devices.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Latest Patches

[Stephen Smalley]

On Thu, 2004-09-02 at 09:38, Russell Coker wrote:
> Also something to note is that we really don't want to use this when producing 
> a file_contexts file for distributing to other machines.  It would be likely 
> to grant inappropriate access to block devices.

But with the current Makefile patch, this is precisely what will happen
for anyone who does not have policy sources installed, right?  And last
I checked, policy sources are only installed by explicit request, not by
default.  Seems to require separate Makefile targets for local build vs.
rpm build.
  
-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Proposed Hardware File Context file.

[Daniel J Walsh]

Collin and I were discussing a way to label hardware devices correctly.

One proposal would be to come up with a new file_contexts file based off 
of path and hardware type.

So we could have a file with

/dev/h

/u?dev/[shmx]d[^/]*    -b    system_u:object_r:fixed_disk_device_t
/u?dev/[shmx]d[^/]*    -b    system_u:object_r:removable_disk_device_t cdrom

Then either add a param to matchpathcon or a new function that would 
pass in the hardware type
and get the correct context.

Then tools like udev could use this to create the device with the 
correct context.

ideas??



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Proposed Hardware File Context file.

[Stephen Smalley]

On Thu, 2004-09-02 at 11:52, Daniel J Walsh wrote:
> Collin and I were discussing a way to label hardware devices correctly.
> 
> One proposal would be to come up with a new file_contexts file based off 
> of path and hardware type.
> 
> So we could have a file with
> 
> /dev/h
> 
> /u?dev/[shmx]d[^/]*    -b    system_u:object_r:fixed_disk_device_t
> /u?dev/[shmx]d[^/]*    -b    system_u:object_r:removable_disk_device_t cdrom
> 
> Then either add a param to matchpathcon or a new function that would 
> pass in the hardware type
> and get the correct context.
> 
> Then tools like udev could use this to create the device with the 
> correct context.
> 
> ideas??

This is separate from the main file_contexts configuration used by
setfiles, restorecon, and rpm?  If so, what prevents the device from
being relabeled back to the wrong type by them?  If not, how do they
determine the hardware type to pass in?  

It also isn't clear that you care about the pathname regex or file type
if you know that you are dealing with a particular hardware type (and
unit); you can just map those directly to a context.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Proposed Hardware File Context file.

[Daniel J Walsh]

Stephen Smalley wrote:

>On Thu, 2004-09-02 at 11:52, Daniel J Walsh wrote:
>  
>
>>Collin and I were discussing a way to label hardware devices correctly.
>>
>>One proposal would be to come up with a new file_contexts file based off 
>>of path and hardware type.
>>
>>So we could have a file with
>>
>>/dev/h
>>
>>/u?dev/[shmx]d[^/]*    -b    system_u:object_r:fixed_disk_device_t
>>/u?dev/[shmx]d[^/]*    -b    system_u:object_r:removable_disk_device_t cdrom
>>
>>Then either add a param to matchpathcon or a new function that would 
>>pass in the hardware type
>>and get the correct context.
>>
>>Then tools like udev could use this to create the device with the 
>>correct context.
>>
>>ideas??
>>    
>>
>
>This is separate from the main file_contexts configuration used by
>setfiles, restorecon, and rpm?  If so, what prevents the device from
>being relabeled back to the wrong type by them?  If not, how do they
>determine the hardware type to pass in?  
>  
>
Yes we talked about that but did not have a good answer.  I am not sure 
that it would need to be a separate file from the file_contexts file,
if it was the same then the tools would need to be modified to handle 
it.  IE use the one without the fourth parameter.
The other thought would be to use a separate file that would map device 
type to policy
cat hardware_contexts

cdrom system_u:object_r:removable_disk_device_t 

disk system_u:object_r:fixed_disk_device_t

...

But this would still fail the restorecon, rpm and setfiles.

One idea would be to not include /dev in the setfiles stuff.  ( I guess it wouldn't now that it is a tmpfs file system)

>It also isn't clear that you care about the pathname regex or file type
>if you know that you are dealing with a particular hardware type (and
>unit); you can just map those directly to a context.
>
>  
>
We still need a mapping in policy and a libselinux function to give us 
that mapping.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Proposed Hardware File Context file.

[Stephen Smalley]

On Thu, 2004-09-02 at 15:48, Daniel J Walsh wrote:
> The other thought would be to use a separate file that would map device 
> type to policy
> cat hardware_contexts
> 
> cdrom system_u:object_r:removable_disk_device_t 
> 
> disk system_u:object_r:fixed_disk_device_t

I think I like this better.  But let them also specify unit number or
similar so that multiple devices of the same type can be mapped to
different contexts, please.

> But this would still fail the restorecon, rpm and setfiles.
> 
> One idea would be to not include /dev in the setfiles stuff.  ( I guess it wouldn't now that it is a tmpfs file system)

True, relabel won't include tmpfs mounts.   Not sure about rpm and /dev
nodes, e.g. is dev package obsoleted by udev, and are there other /dev
nodes that are part of other packages?

> We still need a mapping in policy and a libselinux function to give us 
> that mapping.

True.  But much simpler than matchpathcon.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Proposed Hardware File Context file.

[Daniel J Walsh]

Stephen Smalley wrote:

>On Thu, 2004-09-02 at 15:48, Daniel J Walsh wrote:
>  
>
>>The other thought would be to use a separate file that would map device 
>>type to policy
>>cat hardware_contexts
>>
>>cdrom system_u:object_r:removable_disk_device_t 
>>
>>disk system_u:object_r:fixed_disk_device_t
>>    
>>
>
>I think I like this better.  But let them also specify unit number or
>similar so that multiple devices of the same type can be mapped to
>different contexts, please.
>
>  
>
Ok so the original context as specified in the file context file with 
hardware type.   IE
PATH  MODETYPE CONTEXT HARDWARE
/dev/hd.* -b  system_u:object_r:removable_disk_device_t     cdrom
/dev/hd.* -b  system_u:object_r:fixed_disk_device_t              disk

>>But this would still fail the restorecon, rpm and setfiles.
>>
>>One idea would be to not include /dev in the setfiles stuff.  ( I guess it wouldn't now that it is a tmpfs file system)
>>    
>>
>
>True, relabel won't include tmpfs mounts.   Not sure about rpm and /dev
>nodes, e.g. is dev package obsoleted by udev, and are there other /dev
>nodes that are part of other packages?
>
>  
>
>>We still need a mapping in policy and a libselinux function to give us 
>>that mapping.
>>    
>>
>
>True.  But much simpler than matchpathcon.
>
>  
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Proposed Hardware File Context file.

[Stephen Smalley]

On Thu, 2004-09-02 at 16:08, Daniel J Walsh wrote:
> Ok so the original context as specified in the file context file with 
> hardware type.   IE
> PATH  MODETYPE CONTEXT HARDWARE
> /dev/hd.* -b  system_u:object_r:removable_disk_device_t     cdrom
> /dev/hd.* -b  system_u:object_r:fixed_disk_device_t              disk

No, I meant just a separate config with 'hardware unit context' or
similar.  No pathname regexes or modes.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Proposed Hardware File Context file.

[Daniel J Walsh]

Stephen Smalley wrote:

>On Thu, 2004-09-02 at 16:08, Daniel J Walsh wrote:
>  
>
>>Ok so the original context as specified in the file context file with 
>>hardware type.   IE
>>PATH  MODETYPE CONTEXT HARDWARE
>>/dev/hd.* -b  system_u:object_r:removable_disk_device_t     cdrom
>>/dev/hd.* -b  system_u:object_r:fixed_disk_device_t              disk
>>    
>>
>
>No, I meant just a separate config with 'hardware unit context' or
>similar.  No pathname regexes or modes.
>
>  
>
Ok I don't know what you mean by unit then.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Proposed Hardware File Context file.

[Colin Walters]

[-- Attachment #1: Type: text/plain, Size: 990 bytes --]

On Thu, 2004-09-02 at 16:15 -0400, Daniel J Walsh wrote:
> Stephen Smalley wrote:
> 
> >On Thu, 2004-09-02 at 16:08, Daniel J Walsh wrote:
> >  
> >
> >>Ok so the original context as specified in the file context file with 
> >>hardware type.   IE
> >>PATH  MODETYPE CONTEXT HARDWARE
> >>/dev/hd.* -b  system_u:object_r:removable_disk_device_t     cdrom
> >>/dev/hd.* -b  system_u:object_r:fixed_disk_device_t              disk
> >>    
> >>
> >
> >No, I meant just a separate config with 'hardware unit context' or
> >similar.  No pathname regexes or modes.
> >
> >  
> >
> Ok I don't know what you mean by unit then.

I think "unit" in this context should be a regular expression which can
match an arbitrary identification string.  udev would extract the e.g.
the USB model number for this purpose.  This wouldn't actually be
supplied in the sample policy, but system administrators could use it to
customize the policy at a more granular level than "cdrom".


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: Proposed Hardware File Context file.

[Stephen Smalley]

On Thu, 2004-09-02 at 19:30, Colin Walters wrote:
> I think "unit" in this context should be a regular expression which can
> match an arbitrary identification string.  udev would extract the e.g.
> the USB model number for this purpose.  This wouldn't actually be
> supplied in the sample policy, but system administrators could use it to
> customize the policy at a more granular level than "cdrom".

What granularity does udev currently support for specifying
ownership/mode on device nodes?  We want to at least be equivalent to
that.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Proposed Hardware File Context file.

[Luke Kenneth Casson Leighton]

On Fri, Sep 03, 2004 at 07:28:03AM -0400, Stephen Smalley wrote:
> On Thu, 2004-09-02 at 19:30, Colin Walters wrote:
> > I think "unit" in this context should be a regular expression which can
> > match an arbitrary identification string.  udev would extract the e.g.
> > the USB model number for this purpose.  This wouldn't actually be
> > supplied in the sample policy, but system administrators could use it to
> > customize the policy at a more granular level than "cdrom".
> 
> What granularity does udev currently support for specifying
> ownership/mode on device nodes?  

 ironically, it's scripted - with regexps matching nodes :)

 and then the owner, group and permissions are specified.

 there's also a system for dealing with classes of devices.

 so ide and scsi and also cd symbolic links are dealt with separately,
 with scripts.

 l.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Proposed Hardware File Context file.

[Stephen Smalley]

On Fri, 2004-09-03 at 09:17, Luke Kenneth Casson Leighton wrote:
>  ironically, it's scripted - with regexps matching nodes :)
> 
>  and then the owner, group and permissions are specified.
> 
>  there's also a system for dealing with classes of devices.
> 
>  so ide and scsi and also cd symbolic links are dealt with separately,
>  with scripts.

It seems desirable to keep the SELinux context mapping approach for udev
consistent with the base udev permissions approach.  Using a separate
config file is reasonable (and allows us to keep it as part of the
policy package), but the syntax should mirror the existing udev
permission syntax as much as possible, I think, and we may even want
udev itself to directly interpret it, just as dbusd is handling its
service->context mapping (iirc).  How does that sound?  Not sure how to
integrate SELinux labeling with the scripts.
 
-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Proposed Hardware File Context file.

[Luke Kenneth Casson Leighton]

On Fri, Sep 03, 2004 at 09:33:36AM -0400, Stephen Smalley wrote:
> On Fri, 2004-09-03 at 09:17, Luke Kenneth Casson Leighton wrote:
> >  ironically, it's scripted - with regexps matching nodes :)
> > 
> >  and then the owner, group and permissions are specified.
> > 
> >  there's also a system for dealing with classes of devices.
> > 
> >  so ide and scsi and also cd symbolic links are dealt with separately,
> >  with scripts.
> 
> It seems desirable to keep the SELinux context mapping approach for udev
> consistent with the base udev permissions approach.  Using a separate
> config file is reasonable (and allows us to keep it as part of the
> policy package), but the syntax should mirror the existing udev
> permission syntax as much as possible, I think, and we may even want
> udev itself to directly interpret it, just as dbusd is handling its
> service->context mapping (iirc).  How does that sound?  Not sure how to
> integrate SELinux labeling with the scripts.
  
  what do you think of the idea of
  "run-time enabling of alternative file contexts"?

  because i still think that extending the existing
  file_contexts syntax to have an optional keyword at the
  end, and then providing extended versions of the existing
  libselinux file context related functions, would provide
  the simplest from-here-to-there approach.

  it's a cut/paste job in libselinux.

  it's generic enough to be used by programs other than udev should
  it prove necessary.

  udev can determine what the type of the device is and can simply
  pass the keyword representing that device type to the extended-syntax
  versions of the libselinux fscontext functions.

  for simplicity of coding (in udev), the behaviour of the
  extended-libselinux-fscontext could be that if there doesn't
  happen to _be_ a line matching the keyword, the keyword is ignored
  [and the filecontext matching the regexp, mode_t are used as is
   presently normal].

  alternatively if that could result in undesirable side-effects,
  return an error code if the keyword is not available.

  for example... oh, i dunno... you could set the "default" keyword
  to something different.

  what about postfix's chroot-labelled files: you don't want those
  to be in there under certain circumstances: you certainly don't
  want them activated if the admin decides they don't want to chroot
  postfix.

  ... but they have to _be_ there because at present there's no
  flexibility to disable them - without editing
  file_contexts/programs/postfix.te.

  if you had a keyword "postfix" on the end of the chroot lines
  in file_contexts, you could enable those as required
  (setfiles --keyword "postfix" /etc/selinux/contexts/file_contexts
   /var/lib/postfix/chroot/)

  more if i think of it.

  if you add the keyword argument to setfiles and restorecon, it's
  possible to entirely change, at runtime, all or any part of the
  filesystem to a different configuration - without recompiling the
  policy.

  l.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Proposed Hardware File Context file.

[Stephen Smalley]

On Fri, 2004-09-03 at 10:38, Luke Kenneth Casson Leighton wrote:
>   what do you think of the idea of
>   "run-time enabling of alternative file contexts"?
> 
>   because i still think that extending the existing
>   file_contexts syntax to have an optional keyword at the
>   end, and then providing extended versions of the existing
>   libselinux file context related functions, would provide
>   the simplest from-here-to-there approach.

I don't like it.  Rationale:
- programs that don't have device information (or whatever the keyword
is based on) available to them can't provide useful input to the
libselinux function, so they will end up matching the wrong entry. 
Better to completely move device info out of the main file_contexts (and
mark /dev(/.*)? with <<none>>) and maintain it elsewhere for udev and
other potential users that have device information available.
- pathnames are a poor man's way of identifying devices anyway.  Far
better to map actual device ids if we can.

Essentially, udev is an object manager for /dev, and I'd be glad to push
management of the device node contexts into it.  And the closer it
parallels the existing support for ownership/permissions, the better, as
that increases the likelihood of the SELinux support being understood
and maintained properly.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Proposed Hardware File Context file.

[Luke Kenneth Casson Leighton]

On Fri, Sep 03, 2004 at 12:28:41PM -0400, Stephen Smalley wrote:
> On Fri, 2004-09-03 at 10:38, Luke Kenneth Casson Leighton wrote:
> >   what do you think of the idea of
> >   "run-time enabling of alternative file contexts"?
> > 
> >   because i still think that extending the existing
> >   file_contexts syntax to have an optional keyword at the
> >   end, and then providing extended versions of the existing
> >   libselinux file context related functions, would provide
> >   the simplest from-here-to-there approach.
> 
> I don't like it.  Rationale:
> - programs that don't have device information (or whatever the keyword
> is based on) available to them can't provide useful input to the
> libselinux function, so they will end up matching the wrong entry. 

 it's the sort of thing that is only going to be used by programs
 that understand it.

 e.g. the "postfix" keyword to activate the chroot-specific
 file_contexts is specific to postfix.

 the "mozilla download helper" keyword is specific to the mozilla
 download helper.

 as for udev, once udev is written i do not believe that someone would
 wish to write an alternative, but should they choose to do so, the
 keywords could be extended to say udev_cdrom, udev_disk, such that
 another program could do "myotherdevmanagementprogram_cdrom" etc. etc.


> Essentially, udev is an object manager for /dev, and I'd be glad to push
> management of the device node contexts into it.  And the closer it
> parallels the existing support for ownership/permissions, the better, as
> that increases the likelihood of the SELinux support being understood
> and maintained properly.

 understood.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Proposed Hardware File Context file.

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 304 bytes --]

First pass at patches.

libselinux-mediacon.patch adds matchmediapath function to libselinux.
udev-selinux.patch adds selinux support including matchmediapath to udev.

cat /etc/selinux/strict/contexts/files/media
cdrom system_u:object_r:removable_device_t
floppy system_u:object_r:removable_device_t




[-- Attachment #2: libselinux-mediacon.patch --]
[-- Type: text/plain, Size: 5453 bytes --]

diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/selinux.h libselinux-1.17.9/include/selinux/selinux.h
--- nsalibselinux/include/selinux/selinux.h	2004-09-02 08:48:12.000000000 -0400
+++ libselinux-1.17.9/include/selinux/selinux.h	2004-09-09 11:56:46.282856298 -0400
@@ -173,6 +173,13 @@
 		 mode_t mode,
 		 security_context_t *con);
 
+/* Match the specified media and against the media contexts 
+   /proc/ide/hdc/media
+   configuration and set *con to refer to the resulting context.
+   Caller must free con via freecon. */
+extern int matchmediacon(const char *path,
+		 security_context_t *con);
+
 /*
   selinux_getenforcemode reads the /etc/selinux/config file and determines 
   whether the machine should be started in enforcing (1), permissive (0) or 
@@ -194,6 +201,7 @@
 extern const char *selinux_default_context_path(void);
 extern const char *selinux_user_contexts_path(void);
 extern const char *selinux_file_context_path(void);
+extern const char *selinux_media_context_path(void);
 extern const char *selinux_contexts_path(void);
 extern const char *selinux_booleans_path(void);
 
diff --exclude-from=exclude -N -u -r nsalibselinux/src/compat_file_path.h libselinux-1.17.9/src/compat_file_path.h
--- nsalibselinux/src/compat_file_path.h	2004-08-30 11:46:49.000000000 -0400
+++ libselinux-1.17.9/src/compat_file_path.h	2004-09-09 11:50:20.280015702 -0400
@@ -7,3 +7,4 @@
 S_(FAILSAFE_CONTEXT, SECURITYDIR "/failsafe_context")
 S_(DEFAULT_TYPE, SECURITYDIR "/default_type")
 S_(BOOLEANS, SECURITYDIR "/booleans")
+S_(MEDIA_CONTEXTS, SECURITYDIR "/default_media")
diff --exclude-from=exclude -N -u -r nsalibselinux/src/file_path_suffixes.h libselinux-1.17.9/src/file_path_suffixes.h
--- nsalibselinux/src/file_path_suffixes.h	2004-08-30 11:46:50.000000000 -0400
+++ libselinux-1.17.9/src/file_path_suffixes.h	2004-09-09 12:07:15.500872651 -0400
@@ -7,3 +7,4 @@
 S_(FAILSAFE_CONTEXT, "/contexts/failsafe_context")
 S_(DEFAULT_TYPE, "/contexts/default_type")
 S_(BOOLEANS, "/booleans")
+S_(MEDIA_CONTEXTS, "/contexts/files/media")
Binary files nsalibselinux/src/matchmediacon and libselinux-1.17.9/src/matchmediacon differ
diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchmediacon.c libselinux-1.17.9/src/matchmediacon.c
--- nsalibselinux/src/matchmediacon.c	1969-12-31 19:00:00.000000000 -0500
+++ libselinux-1.17.9/src/matchmediacon.c	2004-09-09 12:15:34.782753926 -0400
@@ -0,0 +1,65 @@
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <string.h>
+#include "selinux_internal.h"
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+#include <errno.h>
+#include <limits.h>
+#include <regex.h>
+#include <stdarg.h>
+
+int matchmediacon(const char *media, 
+		 security_context_t *con)
+{
+	const char *path = selinux_media_context_path();
+	FILE *infile;
+	char *ptr, *ptr2;
+	char *target;
+	int found=-1;
+	char current_line[PATH_MAX];
+	if ((infile = fopen(path, "r")) == NULL)
+		return -1;
+	while (!feof_unlocked (infile)) {
+		if (!fgets_unlocked(current_line, sizeof(current_line), infile)) {
+			return -1;
+		}
+		if (current_line[strlen(current_line) - 1])
+			current_line[strlen(current_line) - 1] = 0;
+		/* Skip leading whitespace before the partial context. */
+		ptr = current_line;
+		while (*ptr && isspace(*ptr))
+			ptr++;
+		
+		if (!(*ptr))
+			continue;
+
+
+		/* Find the end of the media context. */
+		ptr2 = ptr;
+		while (*ptr2 && !isspace(*ptr2))
+			ptr2++;
+		if (!(*ptr2))
+			continue;
+		
+		*ptr2++=NULL;
+		if (strcmp (media, ptr) == 0) {
+			found = 1;
+			break;
+		}
+	}
+	if (!found) 
+		return -1;
+
+	/* Skip whitespace. */
+	while (*ptr2 && isspace(*ptr2))
+		ptr2++;
+	if (!(*ptr2)) {
+		return -1;
+	}
+	
+	*con = strdup(ptr2);
+	return 0;
+}
diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinux_config.c libselinux-1.17.9/src/selinux_config.c
--- nsalibselinux/src/selinux_config.c	2004-09-01 09:20:42.000000000 -0400
+++ libselinux-1.17.9/src/selinux_config.c	2004-09-09 11:51:09.481386978 -0400
@@ -24,7 +24,8 @@
 #define FAILSAFE_CONTEXT  5
 #define DEFAULT_TYPE      6
 #define BOOLEANS          7
-#define NEL               8
+#define MEDIA_CONTEXTS    8
+#define NEL               9
 
 /* New layout is relative to SELINUXDIR/policytype. */
 static char *file_paths[NEL];
@@ -200,6 +201,10 @@
 }
 hidden_def(selinux_file_context_path)
 
+const char *selinux_media_context_path() {
+  return get_path(MEDIA_CONTEXTS);
+}
+
 const char *selinux_contexts_path() {
   return get_path(CONTEXTS_DIR);
 }
Binary files nsalibselinux/utils/a.out and libselinux-1.17.9/utils/a.out differ
diff --exclude-from=exclude -N -u -r nsalibselinux/utils/matchmediacon.c libselinux-1.17.9/utils/matchmediacon.c
--- nsalibselinux/utils/matchmediacon.c	1969-12-31 19:00:00.000000000 -0500
+++ libselinux-1.17.9/utils/matchmediacon.c	2004-09-09 12:16:05.921191634 -0400
@@ -0,0 +1,28 @@
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <selinux/selinux.h>
+#include <errno.h>
+#include <string.h>
+
+int main(int argc, char **argv) 
+{
+	char *buf;
+	int rc, i;
+
+	if (argc < 2) {
+		fprintf(stderr, "usage:  %s media...\n", argv[0]);
+		exit(1);
+	}
+
+	for (i = 1; i < argc; i++) {
+		rc = matchmediacon(argv[i], &buf);
+		if (rc < 0) {
+			fprintf(stderr, "%s:dan  matchmediacon(%s) failed: %s\n", argv[0], argv[i]);
+			exit(2);
+		}
+		printf("%s\t%s\n", argv[i], buf);
+		freecon(buf);
+	}
+	exit(0);
+}

[-- Attachment #3: udev-selinux.patch --]
[-- Type: text/plain, Size: 5478 bytes --]

--- udev-030/Makefile.selinux	2004-07-09 13:59:09.000000000 -0400
+++ udev-030/Makefile	2004-09-09 10:04:38.768495769 -0400
@@ -25,6 +25,8 @@
 # Leave this set to `false' for production use.
 DEBUG = false
 
+# Set this to compile with Security-Enhanced Linux support.
+USE_SELINUX = true
 
 ROOT =		udev
 DAEMON =	udevd
@@ -172,6 +174,11 @@
 
 CFLAGS += -I$(PWD)/libsysfs
 
+ifeq ($(strip $(USE_SELINUX)),true)
+	CFLAGS += -DUSE_SELINUX
+	LIB_OBJS += -lselinux
+endif
+
 all: $(ROOT) $(SENDER) $(DAEMON) $(INFO) $(TESTER) $(STARTER)
 	@extras="$(EXTRAS)" ; for target in $$extras ; do \
 		echo $$target ; \
@@ -216,6 +223,7 @@
 		udevdb.h	\
 		klibc_fixups.h	\
 		logging.h	\
+		selinux.h	\
 		list.h
 
 ifeq ($(strip $(USE_KLIBC)),true)
--- /dev/null	2004-09-08 12:05:11.032823824 -0400
+++ udev-030/selinux.h	2004-09-09 12:50:53.526365931 -0400
@@ -0,0 +1,119 @@
+#ifndef SELINUX_H
+#define SELINUX_H
+
+#ifndef USE_SELINUX
+
+static inline void selinux_setfilecon(char *file, unsigned int mode) { }
+static inline void selinux_setfscreatecon(char *file, unsigned int mode) {}
+static inline void selinux_init(void) {}
+static inline void selinux_restore(void) {}
+
+#else
+
+#include <selinux/selinux.h>
+#include <stdio.h>
+#include <limits.h>
+
+
+static int selinux_enabled=-1;
+static security_context_t prev_scontext=NULL;
+
+static inline int is_selinux_running(void) {
+	if ( selinux_enabled==-1 ) 
+		return selinux_enabled=is_selinux_enabled()>0;
+	return selinux_enabled;
+}
+
+static inline int selinux_get_media(char *path, int mode, char **media)
+{
+  FILE *fp;
+  char buf[PATH_MAX];
+  char mediabuf[PATH_MAX];
+  *media=NULL;
+  if (!( mode && S_IFBLK )) {
+	  return -1;
+  }
+  snprintf(buf,sizeof(buf), "/proc/ide/%s/media", basename(path));
+  fp=fopen(buf,"r");
+  if (fp) {
+    if (fgets(mediabuf,sizeof(mediabuf), fp)) 
+      *media=strdup(mediabuf);
+    fclose(fp);
+    return 0;
+  } else {
+    return -1;
+  }
+}
+
+static inline void selinux_setfilecon(char *file, unsigned int mode) { 
+	if (is_selinux_running()) {
+		security_context_t scontext=NULL;
+		char *media;
+		int ret=-1;
+		if (selinux_get_media(file, mode, &media) == 0) {
+			ret = matchmediacon(media, &scontext);
+			free(media);
+		} 
+		if (ret==-1) 
+			if (matchpathcon(file, mode, &scontext) < 0) {
+				dbg("matchpathcon(%s) failed\n", file);
+				return;
+			} 
+		if (setfilecon(file, scontext) < 0)
+			dbg("setfiles %s failed with error '%s'",
+			    file, strerror(errno));
+		freecon(scontext);
+	}
+}
+
+static inline void selinux_setfscreatecon(char *file, unsigned int mode) {
+	int retval = 0;
+	security_context_t scontext=NULL;
+
+	if (is_selinux_running()) {
+		char *media;
+		int ret=-1;
+		if (selinux_get_media(file, mode, &media) == 0) {
+			ret = matchmediacon(media, &scontext);
+			free(media);
+		} 
+		if (ret==-1) 
+			if (matchpathcon(file, mode, &scontext) < 0) {
+				dbg("matchpathcon(%s) failed\n", file);
+				return;
+			} 
+
+		retval=setfscreatecon(scontext);
+		if (retval < 0)
+			dbg("setfiles %s failed with error '%s'",
+			    file, strerror(errno));
+		freecon(scontext);
+	}
+}
+static inline void selinux_init(void) {
+	/* record the present security context, for file-creation
+	 * restoration creation purposes.
+	 *
+	 */
+
+	if (is_selinux_running())
+	{
+		if (getfscreatecon(&prev_scontext) < 0) {
+			dbg("getfscreatecon failed\n");
+		}
+		prev_scontext=NULL;
+	}
+}
+static inline void selinux_restore(void) {
+	if (is_selinux_running()) {
+		/* reset the file create context to its former glory */
+		if ( setfscreatecon(prev_scontext) < 0 )
+			dbg("setfscreatecon failed\n");
+		if (prev_scontext) {
+			freecon(prev_scontext);
+			prev_scontext=NULL;
+		}
+	}
+}
+#endif /* USE_SELINUX */
+#endif /* SELINUX_H */
--- udev-030/udev-add.c.selinux	2004-09-09 10:04:38.000000000 -0400
+++ udev-030/udev-add.c	2004-09-09 10:04:38.771495426 -0400
@@ -50,6 +50,8 @@
 
 #define LOCAL_USER "$local"
 
+#include "selinux.h"
+
 /* 
  * Right now the major/minor of a device is stored in a file called
  * "dev" in sysfs.
@@ -92,6 +94,7 @@
 			break;
 		*pos = 0x00;
 		if (stat(p, &stats)) {
+			selinux_setfscreatecon(p, S_IFDIR);
 			retval = mkdir(p, 0755);
 			if (retval != 0) {
 				dbg("mkdir(%s) failed with error '%s'",
@@ -99,6 +102,8 @@
 				return retval;
 			}
 			dbg("created '%s'", p);
+		} else {
+			selinux_setfilecon(p, S_IFDIR);
 		}
 		*pos = '/';
 	}
@@ -117,6 +122,7 @@
 	if (((stats.st_mode & S_IFMT) == S_IFBLK || (stats.st_mode & S_IFMT) == S_IFCHR) &&
 	    (stats.st_rdev == makedev(major, minor))) {
 		dbg("preserve file '%s', cause it has correct dev_t", file);
+		selinux_setfilecon(file,stats.st_mode);
 		if (udev_preserve_owner)
 		  goto exit;
 		else
@@ -129,6 +135,7 @@
 		dbg("already present file '%s' unlinked", file);
 
 create:
+	selinux_setfscreatecon(file, mode);
 	retval = mknod(file, mode, makedev(major, minor));
 	if (retval != 0) {
 		dbg("mknod(%s, %#o, %u, %u) failed with error '%s'",
@@ -307,6 +314,7 @@
 
 		dbg("symlink(%s, %s)", linktarget, filename);
 		if (!fake) {
+			selinux_setfscreatecon(filename, S_IFLNK);
 			unlink(filename);
 			if (symlink(linktarget, filename) != 0)
 				dbg("symlink(%s, %s) failed with error '%s'",
@@ -441,6 +449,7 @@
 
 	dbg("name='%s'", dev.name);
 
+	selinux_init();
 	switch (dev.type) {
 	case 'b':
 	case 'c':
@@ -478,6 +487,7 @@
 	}
 
 exit:
+	selinux_restore();
 	sysfs_close_class_device(class_dev);
 
 	return retval;

Re: Proposed Hardware File Context file.

[Luke Kenneth Casson Leighton]

On Thu, Sep 02, 2004 at 04:08:53PM -0400, Daniel J Walsh wrote:

> >>The other thought would be to use a separate file that would map device 
> >>type to policy
> >>cat hardware_contexts
> >>
> >>cdrom system_u:object_r:removable_disk_device_t 
> >>
> >>disk system_u:object_r:fixed_disk_device_t
> >>   
> >>
> >
> >I think I like this better.  But let them also specify unit number or
> >similar so that multiple devices of the same type can be mapped to
> >different contexts, please.

 the major and minor numbers?

> >
> > 
> >
> Ok so the original context as specified in the file context file with 
> hardware type.   IE
> PATH  MODETYPE CONTEXT HARDWARE
> /dev/hd.* -b  system_u:object_r:removable_disk_device_t     cdrom
> /dev/hd.* -b  system_u:object_r:fixed_disk_device_t              disk
> 
> >>But this would still fail the restorecon, rpm and setfiles.
> >>
> >>One idea would be to not include /dev in the setfiles stuff.  ( I guess 
> >>it wouldn't now that it is a tmpfs file system)
> >>   
> >>
> >
> >True, relabel won't include tmpfs mounts.   Not sure about rpm and /dev
> >nodes, e.g. is dev package obsoleted by udev, and are there other /dev
> >nodes that are part of other packages?
> >
> > 
> >
> >>We still need a mapping in policy and a libselinux function to give us 
> >>that mapping.
> >>   
> >>
> >
> >True.  But much simpler than matchpathcon.

well as an API, you'd have something like

	int matchdevcon(char *devicename, char *devicetype, mode_t mode,
					scontext *scontext);

or:

	int matchdevcon(int major, int minor, char *devicetype, mode_t mode,
					scontext *scontext);

in using something like that, would you _care_ if underneath it did
regexps like matchpathcon does?

l.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Please review openssh patch for selinux

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 176 bytes --]

New SSH patch.

Provides the capability of doing

ssh hostname -l root/sysadm_r

suggested by Collin. 

I used the / instead of : to preserve the BSD syntax.

Comments?


Dan


[-- Attachment #2: openssh-selinux.patch --]
[-- Type: text/plain, Size: 13155 bytes --]

--- openssh-3.9p1/monitor_wrap.h.selinux	2004-06-21 22:56:02.000000000 -0400
+++ openssh-3.9p1/monitor_wrap.h	2004-09-02 16:01:12.361473922 -0400
@@ -44,6 +44,7 @@
 DH *mm_choose_dh(int, int, int);
 int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
 void mm_inform_authserv(char *, char *);
+void mm_inform_authrole(char *);
 struct passwd *mm_getpwnamallow(const char *);
 char *mm_auth2_read_banner(void);
 int mm_auth_password(struct Authctxt *, char *);
--- openssh-3.9p1/contrib/redhat/sshd.init.selinux	2002-05-09 22:19:23.000000000 -0400
+++ openssh-3.9p1/contrib/redhat/sshd.init	2004-09-02 16:01:12.363473687 -0400
@@ -35,6 +35,9 @@
 		if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
 			chmod 600 $RSA1_KEY
 			chmod 644 $RSA1_KEY.pub
+			if [ -x /sbin/restorecon ]; then
+			    /sbin/restorecon $RSA1_KEY.pub
+			fi
 			success $"RSA1 key generation"
 			echo
 		else
@@ -51,6 +54,9 @@
 		if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
 			chmod 600 $RSA_KEY
 			chmod 644 $RSA_KEY.pub
+			if [ -x /sbin/restorecon ]; then
+			    /sbin/restorecon $RSA_KEY.pub
+			fi
 			success $"RSA key generation"
 			echo
 		else
@@ -67,6 +73,9 @@
 		if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
 			chmod 600 $DSA_KEY
 			chmod 644 $DSA_KEY.pub
+			if [ -x /sbin/restorecon ]; then
+			    /sbin/restorecon $DSA_KEY.pub
+			fi
 			success $"DSA key generation"
 			echo
 		else
--- openssh-3.9p1/auth1.c.selinux	2004-09-02 16:01:12.290482263 -0400
+++ openssh-3.9p1/auth1.c	2004-09-02 16:02:18.505704965 -0400
@@ -283,7 +283,7 @@
 do_authentication(Authctxt *authctxt)
 {
 	u_int ulen;
-	char *user, *style = NULL;
+	char *user, *style = NULL, *role=NULL;
 
 	/* Get the name of the user that we wish to log in as. */
 	packet_read_expect(SSH_CMSG_USER);
@@ -292,11 +292,15 @@
 	user = packet_get_string(&ulen);
 	packet_check_eom();
 
+	if ((role = strchr(user, '/')) != NULL)
+		*role++ = '\0';
+
 	if ((style = strchr(user, ':')) != NULL)
 		*style++ = '\0';
 
 	authctxt->user = user;
 	authctxt->style = style;
+	authctxt->role = role;
 
 	/* Verify that the user is a valid user. */
 	if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
--- openssh-3.9p1/monitor.h.selinux	2003-11-17 06:18:22.000000000 -0500
+++ openssh-3.9p1/monitor.h	2004-09-02 16:01:12.366473335 -0400
@@ -30,7 +30,7 @@
 
 enum monitor_reqtype {
 	MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
-	MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
+	MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,MONITOR_REQ_AUTHROLE,
 	MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
 	MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
 	MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
--- openssh-3.9p1/monitor.c.selinux	2004-07-17 03:05:14.000000000 -0400
+++ openssh-3.9p1/monitor.c	2004-09-02 16:01:12.369472982 -0400
@@ -111,6 +111,7 @@
 int mm_answer_pwnamallow(int, Buffer *);
 int mm_answer_auth2_read_banner(int, Buffer *);
 int mm_answer_authserv(int, Buffer *);
+int mm_answer_authrole(int, Buffer *);
 int mm_answer_authpassword(int, Buffer *);
 int mm_answer_bsdauthquery(int, Buffer *);
 int mm_answer_bsdauthrespond(int, Buffer *);
@@ -176,6 +177,7 @@
     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
+    {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
     {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
 #ifdef USE_PAM
@@ -602,6 +604,7 @@
 	else {
 		/* Allow service/style information on the auth context */
 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
 	}
 
@@ -647,6 +650,23 @@
 }
 
 int
+mm_answer_authrole(int sock, Buffer *m)
+{
+	monitor_permit_authentications(1);
+
+	authctxt->role = buffer_get_string(m, NULL);
+	debug3("%s: style=%s",
+	    __func__, authctxt->role);
+
+	if (strlen(authctxt->role) == 0) {
+		xfree(authctxt->role);
+		authctxt->role = NULL;
+	}
+
+	return (0);
+}
+
+int
 mm_answer_authpassword(int sock, Buffer *m)
 {
 	static int call_count;
--- openssh-3.9p1/config.h.in.selinux	2004-08-17 08:54:51.000000000 -0400
+++ openssh-3.9p1/config.h.in	2004-09-02 16:01:12.371472747 -0400
@@ -265,6 +265,9 @@
 /* Define if you want Kerberos 5 support */
 #undef KRB5
 
+/* Define if have want SELinux support */
+#undef WITH_SELINUX
+
 /* Define this if you are using the Heimdal version of Kerberos V5 */
 #undef HEIMDAL
 
--- /dev/null	2004-08-26 15:03:20.000000000 -0400
+++ openssh-3.9p1/selinux.c	2004-09-02 16:01:12.375472277 -0400
@@ -0,0 +1,101 @@
+#include "includes.h"
+#include "auth.h"
+#include "log.h"
+
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/flask.h>
+#include <selinux/context.h>
+#include <selinux/get_context_list.h>
+#include <selinux/get_default_type.h>
+extern Authctxt *the_authctxt;
+
+static const security_context_t selinux_get_user_context(const char *name) {
+	security_context_t user_context=NULL;
+	if (get_default_context(name,NULL,&user_context)) {
+		if (security_getenforce() > 0) 
+			fatal("Failed to get default security context for %s.", name);
+		else 
+			error("Failed to get default security context for %s. Continuing in permissve mode", name);
+	} else {
+		if (the_authctxt) {
+			char *role=the_authctxt->role;
+			if (role != NULL && role[0]) {
+				char *type;
+				if (get_default_type(role, &type) < 0) {
+					if (security_getenforce() > 0) 
+						fatal("Failed to get default type for role %s, user %s.", role, name);
+					else 
+						error("Failed to get default type for role %s, user %s. Continuing in permissive mode", role, name);
+				} else {
+					context_t newcon=context_new(user_context);
+					if (context_role_set(newcon, role) != 0) {
+						context_free(newcon);
+						if (security_getenforce() > 0) 
+							fatal("Failed to set role %s for %s.", role, name);
+						else 
+							error("Failed to set role %s for %s. Continuing in permissive mode", role, name);
+					} else if (context_type_set(newcon, type) != 0) {
+						context_free(newcon);
+						if (security_getenforce() > 0) 
+							fatal("Failed to set type %s for %s.", role, name);
+						else 
+							error("Failed to set type %s for %s. Continuing in permissive mode", role, name);
+					} else {
+						freecon(user_context);
+						user_context = strdup(context_str(newcon));
+						context_free(newcon);
+					}
+				}
+			}
+		}
+	}
+	return user_context;
+}
+
+void setup_selinux_pty(const char *name, const char *tty) {
+	if (is_selinux_enabled() > 0) {
+		security_context_t new_tty_context=NULL, user_context=NULL, old_tty_context=NULL; 
+
+		user_context=selinux_get_user_context(name);
+
+		if (getfilecon(tty, &old_tty_context) < 0) {
+			error("getfilecon(%.100s) failed: %.100s", tty, strerror(errno));
+		} else {
+			if (security_compute_relabel(user_context,old_tty_context,
+						     SECCLASS_CHR_FILE,
+						     &new_tty_context) != 0) {
+				error("security_compute_relabel(%.100s) failed: %.100s", tty,
+				      strerror(errno));
+			} else {
+				if (setfilecon (tty, new_tty_context) != 0) 
+					error("setfilecon(%.100s, %s) failed: %.100s",
+					      tty, new_tty_context, 
+					      strerror(errno));
+				freecon(new_tty_context);
+			}
+			freecon(old_tty_context);
+		}
+		if (user_context) {
+			freecon(user_context);
+		}
+	}
+}
+
+void setup_selinux_exec_context(char *name) {
+
+	if (is_selinux_enabled() > 0) {
+		security_context_t user_context=selinux_get_user_context(name);
+		if (setexeccon(user_context)) {
+			if (security_getenforce() > 0) 
+				fatal("Failed to set exec security context %s for %s.", user_context, name);
+			else 
+				error("Failed to set exec security context %s for %s. Continuing in permissive mode", user_context, name);
+		}
+		if (user_context) {
+			freecon(user_context);
+		}
+	}
+}
+
+#endif /* WITH_SELINUX */
--- openssh-3.9p1/auth.h.selinux	2004-05-23 20:36:23.000000000 -0400
+++ openssh-3.9p1/auth.h	2004-09-02 16:01:12.377472042 -0400
@@ -57,6 +57,7 @@
 	char		*service;
 	struct passwd	*pw;		/* set if 'valid' */
 	char		*style;
+	char		*role;
 	void		*kbdintctxt;
 #ifdef BSD_AUTH
 	auth_session_t	*as;
--- openssh-3.9p1/sshpty.c.selinux	2004-06-21 22:56:02.000000000 -0400
+++ openssh-3.9p1/sshpty.c	2004-09-02 16:01:12.378471925 -0400
@@ -22,6 +22,8 @@
 #include "log.h"
 #include "misc.h"
 
+#include "selinux.h"
+
 #ifdef HAVE_PTY_H
 # include <pty.h>
 #endif
@@ -200,6 +202,8 @@
 		fatal("stat(%.100s) failed: %.100s", tty,
 		    strerror(errno));
 
+	setup_selinux_pty(pw->pw_name, tty);
+
 	if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
 		if (chown(tty, pw->pw_uid, gid) < 0) {
 			if (errno == EROFS &&
--- openssh-3.9p1/configure.ac.selinux	2004-09-02 16:01:12.327477916 -0400
+++ openssh-3.9p1/configure.ac	2004-09-02 16:01:12.382471455 -0400
@@ -2218,6 +2218,18 @@
 			[#include <arpa/nameser.h>])
 	])
 
+# Check whether user wants SELinux support
+SELINUX_MSG="no"
+AC_ARG_WITH(selinux,
+	[  --with-selinux   Enable SELinux support],
+	[ if test "x$withval" != "xno" ; then
+		AC_DEFINE(WITH_SELINUX)
+		SELINUX_MSG="yes"
+		AC_CHECK_HEADERS(selinux.h)
+		LIBS="$LIBS -lselinux"
+	fi
+	])
+
 # Check whether user wants Kerberos 5 support
 KRB5_MSG="no"
 AC_ARG_WITH(kerberos5,
@@ -2975,6 +2987,7 @@
 echo "                    Manpage format: $MANTYPE"
 echo "                       PAM support: $PAM_MSG"
 echo "                 KerberosV support: $KRB5_MSG"
+echo "                   SELinux support: $SELINUX_MSG"
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
 echo "              TCP Wrappers support: $TCPW_MSG"
--- openssh-3.9p1/Makefile.in.selinux	2004-08-15 07:01:37.000000000 -0400
+++ openssh-3.9p1/Makefile.in	2004-09-02 16:01:12.385471103 -0400
@@ -76,7 +76,7 @@
 	sshconnect.o sshconnect1.o sshconnect2.o
 
 SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
-	sshpty.o sshlogin.o servconf.o serverloop.o \
+	sshpty.o sshlogin.o servconf.o serverloop.o selinux.o \
 	auth.o auth1.o auth2.o auth-options.o session.o \
 	auth-chall.o auth2-chall.o groupaccess.o \
 	auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
--- /dev/null	2004-08-26 15:03:20.000000000 -0400
+++ openssh-3.9p1/selinux.h	2004-09-02 16:01:12.386470985 -0400
@@ -0,0 +1,10 @@
+#ifndef __SELINUX_H_
+#define __SELINUX_H_
+#ifdef WITH_SELINUX
+extern void setup_selinux_pty(const char *name, const char *tty);
+extern void setup_selinux_exec_context(const char *name);
+#else
+inline void setup_selinux_pty(const char *name, const char *tty) {}
+inline void setup_selinux_exec_context(const char *name) {} 
+#endif /* WITH_SELINUX */
+#endif /* __SELINUX_H_ */
--- openssh-3.9p1/auth2.c.selinux	2004-08-12 08:40:25.000000000 -0400
+++ openssh-3.9p1/auth2.c	2004-09-02 16:01:12.389470633 -0400
@@ -132,7 +132,7 @@
 {
 	Authctxt *authctxt = ctxt;
 	Authmethod *m = NULL;
-	char *user, *service, *method, *style = NULL;
+	char *user, *service, *method, *style = NULL, *role = NULL;
 	int authenticated = 0;
 
 	if (authctxt == NULL)
@@ -144,6 +144,9 @@
 	debug("userauth-request for user %s service %s method %s", user, service, method);
 	debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
 
+	if ((role = strchr(user, '/')) != NULL)
+		*role++ = 0;
+
 	if ((style = strchr(user, ':')) != NULL)
 		*style++ = 0;
 
@@ -170,8 +173,11 @@
 		    use_privsep ? " [net]" : "");
 		authctxt->service = xstrdup(service);
 		authctxt->style = style ? xstrdup(style) : NULL;
-		if (use_privsep)
+		authctxt->role = role ? xstrdup(role) : NULL;
+		if (use_privsep) {
 			mm_inform_authserv(service, style);
+			mm_inform_authrole(role);
+		}
 	} else if (strcmp(user, authctxt->user) != 0 ||
 	    strcmp(service, authctxt->service) != 0) {
 		packet_disconnect("Change of username or service not allowed: "
--- openssh-3.9p1/monitor_wrap.c.selinux	2004-07-17 03:05:14.000000000 -0400
+++ openssh-3.9p1/monitor_wrap.c	2004-09-02 16:01:12.391470398 -0400
@@ -274,6 +274,23 @@
 	buffer_free(&m);
 }
 
+/* Inform the privileged process about role */
+
+void
+mm_inform_authrole(char *role)
+{
+	Buffer m;
+
+	debug3("%s entering", __func__);
+
+	buffer_init(&m);
+	buffer_put_cstring(&m, role ? role : "");
+
+	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
+
+	buffer_free(&m);
+}
+
 /* Do the password authentication */
 int
 mm_auth_password(Authctxt *authctxt, char *password)
--- openssh-3.9p1/session.c.selinux	2004-08-12 08:40:25.000000000 -0400
+++ openssh-3.9p1/session.c	2004-09-02 16:01:12.395469928 -0400
@@ -58,6 +58,8 @@
 #include "session.h"
 #include "monitor_wrap.h"
 
+#include "selinux.h"
+
 #if defined(KRB5) && defined(USE_AFS)
 #include <kafs.h>
 #endif
@@ -1304,6 +1306,8 @@
 #endif
 	if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
 		fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
+
+	setup_selinux_exec_context(pw->pw_name);
 }
 
 static void

Re: Please review openssh patch for selinux

[Stephen Smalley]

On Thu, 2004-09-02 at 16:11, Daniel J Walsh wrote:
> New SSH patch.
> 
> Provides the capability of doing
> 
> ssh hostname -l root/sysadm_r
> 
> suggested by Collin. 
> 
> I used the / instead of : to preserve the BSD syntax.

As per the earlier discussion on the list, I think we want a new
libselinux function similar to get_default_context() that also takes the
optional role, and rather than simply substituting the role (if
specified) and its default type, it would check the array returned by
get_ordered_context_list for the first entry that matches the role and
return the entry or fail if no such entry exists.  That would ensure
that we immediately abort if the role is not reachable by sshd, and also
allow an admin to prevent use of this feature for a given role simply by
not listing it in the sshd entry in defualt_contexts.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Please review openssh patch for selinux

[Daniel J Walsh]

Stephen Smalley wrote:

>On Thu, 2004-09-02 at 16:11, Daniel J Walsh wrote:
>  
>
>>New SSH patch.
>>
>>Provides the capability of doing
>>
>>ssh hostname -l root/sysadm_r
>>
>>suggested by Collin. 
>>
>>I used the / instead of : to preserve the BSD syntax.
>>    
>>
>
>As per the earlier discussion on the list, I think we want a new
>libselinux function similar to get_default_context() that also takes the
>optional role, and rather than simply substituting the role (if
>specified) and its default type, it would check the array returned by
>get_ordered_context_list for the first entry that matches the role and
>return the entry or fail if no such entry exists.  That would ensure
>that we immediately abort if the role is not reachable by sshd, and also
>allow an admin to prevent use of this feature for a given role simply by
>not listing it in the sshd entry in defualt_contexts.
>
>  
>
Ok, can you create the function?

Dan

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Please review openssh patch for selinux

[Stephen Smalley]

On Sat, 2004-09-04 at 07:21, Daniel J Walsh wrote:
> Stephen Smalley wrote:
> >As per the earlier discussion on the list, I think we want a new
> >libselinux function similar to get_default_context() that also takes the
> >optional role, and rather than simply substituting the role (if
> >specified) and its default type, it would check the array returned by
> >get_ordered_context_list for the first entry that matches the role and
> >return the entry or fail if no such entry exists.  That would ensure
> >that we immediately abort if the role is not reachable by sshd, and also
> >allow an admin to prevent use of this feature for a given role simply by
> >not listing it in the sshd entry in defualt_contexts.
> >
> >  
> >
> Ok, can you create the function?

Ok, done.  Function prototype is:

int get_default_context_with_role(const char* user, 
				  const char *role,
				  security_context_t fromcon,
				  security_context_t *newcon);

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Please review openssh patch for selinux

[Nigel Kukard]

[-- Attachment #1: Type: text/plain, Size: 17462 bytes --]

I Tried to apply the below patch to vanilla 3.9p1 and get the following
error...

<snip>
gcc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o sshpty.o sshlogin.o servconf.o serverloop.o selinux.o auth.o auth1.o auth2.o auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o monitor_mm.omonitor.o monitor_wrap.o kexdhs.o kexgexs.o auth-krb5.o auth2-gss.o gss-serv.o gss-serv-krb5.o loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o -L. -Lopenbsd-compat/  -lssh -lopenbsd-compat -lwrap -lpam -ldl -lresolv -lcrypto -lutil -lz -lnsl -lcrypt
session.o(.text+0x0): In function `setup_selinux_pty':
/var/tmp/nkukard-openssh-build/openssh-3.9p1/selinux.h:7: multiple
definition of `setup_selinux_pty'
sshpty.o(.text+0x480)://selinux.h:7: first defined here
session.o(.text+0x10): In function `setup_selinux_exec_context':
/var/tmp/nkukard-openssh-build/openssh-3.9p1/selinux.h:8: multiple
definition of `setup_selinux_exec_context'
sshpty.o(.text+0x490)://selinux.h:8: first defined here
collect2: ld returned 1 exit status
</snip>

this is using kernel 2.6.8.1 + latest selinux patch (kernel side)


-Nigel


On Thu, Sep 02, 2004 at 04:11:54PM -0400, Daniel J Walsh wrote:
> New SSH patch.
> 
> Provides the capability of doing
> 
> ssh hostname -l root/sysadm_r
> 
> suggested by Collin. 
> 
> I used the / instead of : to preserve the BSD syntax.
> 
> Comments?
> 
> 
> Dan
> 

> --- openssh-3.9p1/monitor_wrap.h.selinux	2004-06-21 22:56:02.000000000 -0400
> +++ openssh-3.9p1/monitor_wrap.h	2004-09-02 16:01:12.361473922 -0400
> @@ -44,6 +44,7 @@
>  DH *mm_choose_dh(int, int, int);
>  int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
>  void mm_inform_authserv(char *, char *);
> +void mm_inform_authrole(char *);
>  struct passwd *mm_getpwnamallow(const char *);
>  char *mm_auth2_read_banner(void);
>  int mm_auth_password(struct Authctxt *, char *);
> --- openssh-3.9p1/contrib/redhat/sshd.init.selinux	2002-05-09 22:19:23.000000000 -0400
> +++ openssh-3.9p1/contrib/redhat/sshd.init	2004-09-02 16:01:12.363473687 -0400
> @@ -35,6 +35,9 @@
>  		if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
>  			chmod 600 $RSA1_KEY
>  			chmod 644 $RSA1_KEY.pub
> +			if [ -x /sbin/restorecon ]; then
> +			    /sbin/restorecon $RSA1_KEY.pub
> +			fi
>  			success $"RSA1 key generation"
>  			echo
>  		else
> @@ -51,6 +54,9 @@
>  		if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
>  			chmod 600 $RSA_KEY
>  			chmod 644 $RSA_KEY.pub
> +			if [ -x /sbin/restorecon ]; then
> +			    /sbin/restorecon $RSA_KEY.pub
> +			fi
>  			success $"RSA key generation"
>  			echo
>  		else
> @@ -67,6 +73,9 @@
>  		if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
>  			chmod 600 $DSA_KEY
>  			chmod 644 $DSA_KEY.pub
> +			if [ -x /sbin/restorecon ]; then
> +			    /sbin/restorecon $DSA_KEY.pub
> +			fi
>  			success $"DSA key generation"
>  			echo
>  		else
> --- openssh-3.9p1/auth1.c.selinux	2004-09-02 16:01:12.290482263 -0400
> +++ openssh-3.9p1/auth1.c	2004-09-02 16:02:18.505704965 -0400
> @@ -283,7 +283,7 @@
>  do_authentication(Authctxt *authctxt)
>  {
>  	u_int ulen;
> -	char *user, *style = NULL;
> +	char *user, *style = NULL, *role=NULL;
>  
>  	/* Get the name of the user that we wish to log in as. */
>  	packet_read_expect(SSH_CMSG_USER);
> @@ -292,11 +292,15 @@
>  	user = packet_get_string(&ulen);
>  	packet_check_eom();
>  
> +	if ((role = strchr(user, '/')) != NULL)
> +		*role++ = '\0';
> +
>  	if ((style = strchr(user, ':')) != NULL)
>  		*style++ = '\0';
>  
>  	authctxt->user = user;
>  	authctxt->style = style;
> +	authctxt->role = role;
>  
>  	/* Verify that the user is a valid user. */
>  	if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
> --- openssh-3.9p1/monitor.h.selinux	2003-11-17 06:18:22.000000000 -0500
> +++ openssh-3.9p1/monitor.h	2004-09-02 16:01:12.366473335 -0400
> @@ -30,7 +30,7 @@
>  
>  enum monitor_reqtype {
>  	MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
> -	MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
> +	MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,MONITOR_REQ_AUTHROLE,
>  	MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
>  	MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
>  	MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
> --- openssh-3.9p1/monitor.c.selinux	2004-07-17 03:05:14.000000000 -0400
> +++ openssh-3.9p1/monitor.c	2004-09-02 16:01:12.369472982 -0400
> @@ -111,6 +111,7 @@
>  int mm_answer_pwnamallow(int, Buffer *);
>  int mm_answer_auth2_read_banner(int, Buffer *);
>  int mm_answer_authserv(int, Buffer *);
> +int mm_answer_authrole(int, Buffer *);
>  int mm_answer_authpassword(int, Buffer *);
>  int mm_answer_bsdauthquery(int, Buffer *);
>  int mm_answer_bsdauthrespond(int, Buffer *);
> @@ -176,6 +177,7 @@
>      {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
>      {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
>      {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
> +    {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
>      {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
>      {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
>  #ifdef USE_PAM
> @@ -602,6 +604,7 @@
>  	else {
>  		/* Allow service/style information on the auth context */
>  		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
> +		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
>  		monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
>  	}
>  
> @@ -647,6 +650,23 @@
>  }
>  
>  int
> +mm_answer_authrole(int sock, Buffer *m)
> +{
> +	monitor_permit_authentications(1);
> +
> +	authctxt->role = buffer_get_string(m, NULL);
> +	debug3("%s: style=%s",
> +	    __func__, authctxt->role);
> +
> +	if (strlen(authctxt->role) == 0) {
> +		xfree(authctxt->role);
> +		authctxt->role = NULL;
> +	}
> +
> +	return (0);
> +}
> +
> +int
>  mm_answer_authpassword(int sock, Buffer *m)
>  {
>  	static int call_count;
> --- openssh-3.9p1/config.h.in.selinux	2004-08-17 08:54:51.000000000 -0400
> +++ openssh-3.9p1/config.h.in	2004-09-02 16:01:12.371472747 -0400
> @@ -265,6 +265,9 @@
>  /* Define if you want Kerberos 5 support */
>  #undef KRB5
>  
> +/* Define if have want SELinux support */
> +#undef WITH_SELINUX
> +
>  /* Define this if you are using the Heimdal version of Kerberos V5 */
>  #undef HEIMDAL
>  
> --- /dev/null	2004-08-26 15:03:20.000000000 -0400
> +++ openssh-3.9p1/selinux.c	2004-09-02 16:01:12.375472277 -0400
> @@ -0,0 +1,101 @@
> +#include "includes.h"
> +#include "auth.h"
> +#include "log.h"
> +
> +#ifdef WITH_SELINUX
> +#include <selinux/selinux.h>
> +#include <selinux/flask.h>
> +#include <selinux/context.h>
> +#include <selinux/get_context_list.h>
> +#include <selinux/get_default_type.h>
> +extern Authctxt *the_authctxt;
> +
> +static const security_context_t selinux_get_user_context(const char *name) {
> +	security_context_t user_context=NULL;
> +	if (get_default_context(name,NULL,&user_context)) {
> +		if (security_getenforce() > 0) 
> +			fatal("Failed to get default security context for %s.", name);
> +		else 
> +			error("Failed to get default security context for %s. Continuing in permissve mode", name);
> +	} else {
> +		if (the_authctxt) {
> +			char *role=the_authctxt->role;
> +			if (role != NULL && role[0]) {
> +				char *type;
> +				if (get_default_type(role, &type) < 0) {
> +					if (security_getenforce() > 0) 
> +						fatal("Failed to get default type for role %s, user %s.", role, name);
> +					else 
> +						error("Failed to get default type for role %s, user %s. Continuing in permissive mode", role, name);
> +				} else {
> +					context_t newcon=context_new(user_context);
> +					if (context_role_set(newcon, role) != 0) {
> +						context_free(newcon);
> +						if (security_getenforce() > 0) 
> +							fatal("Failed to set role %s for %s.", role, name);
> +						else 
> +							error("Failed to set role %s for %s. Continuing in permissive mode", role, name);
> +					} else if (context_type_set(newcon, type) != 0) {
> +						context_free(newcon);
> +						if (security_getenforce() > 0) 
> +							fatal("Failed to set type %s for %s.", role, name);
> +						else 
> +							error("Failed to set type %s for %s. Continuing in permissive mode", role, name);
> +					} else {
> +						freecon(user_context);
> +						user_context = strdup(context_str(newcon));
> +						context_free(newcon);
> +					}
> +				}
> +			}
> +		}
> +	}
> +	return user_context;
> +}
> +
> +void setup_selinux_pty(const char *name, const char *tty) {
> +	if (is_selinux_enabled() > 0) {
> +		security_context_t new_tty_context=NULL, user_context=NULL, old_tty_context=NULL; 
> +
> +		user_context=selinux_get_user_context(name);
> +
> +		if (getfilecon(tty, &old_tty_context) < 0) {
> +			error("getfilecon(%.100s) failed: %.100s", tty, strerror(errno));
> +		} else {
> +			if (security_compute_relabel(user_context,old_tty_context,
> +						     SECCLASS_CHR_FILE,
> +						     &new_tty_context) != 0) {
> +				error("security_compute_relabel(%.100s) failed: %.100s", tty,
> +				      strerror(errno));
> +			} else {
> +				if (setfilecon (tty, new_tty_context) != 0) 
> +					error("setfilecon(%.100s, %s) failed: %.100s",
> +					      tty, new_tty_context, 
> +					      strerror(errno));
> +				freecon(new_tty_context);
> +			}
> +			freecon(old_tty_context);
> +		}
> +		if (user_context) {
> +			freecon(user_context);
> +		}
> +	}
> +}
> +
> +void setup_selinux_exec_context(char *name) {
> +
> +	if (is_selinux_enabled() > 0) {
> +		security_context_t user_context=selinux_get_user_context(name);
> +		if (setexeccon(user_context)) {
> +			if (security_getenforce() > 0) 
> +				fatal("Failed to set exec security context %s for %s.", user_context, name);
> +			else 
> +				error("Failed to set exec security context %s for %s. Continuing in permissive mode", user_context, name);
> +		}
> +		if (user_context) {
> +			freecon(user_context);
> +		}
> +	}
> +}
> +
> +#endif /* WITH_SELINUX */
> --- openssh-3.9p1/auth.h.selinux	2004-05-23 20:36:23.000000000 -0400
> +++ openssh-3.9p1/auth.h	2004-09-02 16:01:12.377472042 -0400
> @@ -57,6 +57,7 @@
>  	char		*service;
>  	struct passwd	*pw;		/* set if 'valid' */
>  	char		*style;
> +	char		*role;
>  	void		*kbdintctxt;
>  #ifdef BSD_AUTH
>  	auth_session_t	*as;
> --- openssh-3.9p1/sshpty.c.selinux	2004-06-21 22:56:02.000000000 -0400
> +++ openssh-3.9p1/sshpty.c	2004-09-02 16:01:12.378471925 -0400
> @@ -22,6 +22,8 @@
>  #include "log.h"
>  #include "misc.h"
>  
> +#include "selinux.h"
> +
>  #ifdef HAVE_PTY_H
>  # include <pty.h>
>  #endif
> @@ -200,6 +202,8 @@
>  		fatal("stat(%.100s) failed: %.100s", tty,
>  		    strerror(errno));
>  
> +	setup_selinux_pty(pw->pw_name, tty);
> +
>  	if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
>  		if (chown(tty, pw->pw_uid, gid) < 0) {
>  			if (errno == EROFS &&
> --- openssh-3.9p1/configure.ac.selinux	2004-09-02 16:01:12.327477916 -0400
> +++ openssh-3.9p1/configure.ac	2004-09-02 16:01:12.382471455 -0400
> @@ -2218,6 +2218,18 @@
>  			[#include <arpa/nameser.h>])
>  	])
>  
> +# Check whether user wants SELinux support
> +SELINUX_MSG="no"
> +AC_ARG_WITH(selinux,
> +	[  --with-selinux   Enable SELinux support],
> +	[ if test "x$withval" != "xno" ; then
> +		AC_DEFINE(WITH_SELINUX)
> +		SELINUX_MSG="yes"
> +		AC_CHECK_HEADERS(selinux.h)
> +		LIBS="$LIBS -lselinux"
> +	fi
> +	])
> +
>  # Check whether user wants Kerberos 5 support
>  KRB5_MSG="no"
>  AC_ARG_WITH(kerberos5,
> @@ -2975,6 +2987,7 @@
>  echo "                    Manpage format: $MANTYPE"
>  echo "                       PAM support: $PAM_MSG"
>  echo "                 KerberosV support: $KRB5_MSG"
> +echo "                   SELinux support: $SELINUX_MSG"
>  echo "                 Smartcard support: $SCARD_MSG"
>  echo "                     S/KEY support: $SKEY_MSG"
>  echo "              TCP Wrappers support: $TCPW_MSG"
> --- openssh-3.9p1/Makefile.in.selinux	2004-08-15 07:01:37.000000000 -0400
> +++ openssh-3.9p1/Makefile.in	2004-09-02 16:01:12.385471103 -0400
> @@ -76,7 +76,7 @@
>  	sshconnect.o sshconnect1.o sshconnect2.o
>  
>  SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
> -	sshpty.o sshlogin.o servconf.o serverloop.o \
> +	sshpty.o sshlogin.o servconf.o serverloop.o selinux.o \
>  	auth.o auth1.o auth2.o auth-options.o session.o \
>  	auth-chall.o auth2-chall.o groupaccess.o \
>  	auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
> --- /dev/null	2004-08-26 15:03:20.000000000 -0400
> +++ openssh-3.9p1/selinux.h	2004-09-02 16:01:12.386470985 -0400
> @@ -0,0 +1,10 @@
> +#ifndef __SELINUX_H_
> +#define __SELINUX_H_
> +#ifdef WITH_SELINUX
> +extern void setup_selinux_pty(const char *name, const char *tty);
> +extern void setup_selinux_exec_context(const char *name);
> +#else
> +inline void setup_selinux_pty(const char *name, const char *tty) {}
> +inline void setup_selinux_exec_context(const char *name) {} 
> +#endif /* WITH_SELINUX */
> +#endif /* __SELINUX_H_ */
> --- openssh-3.9p1/auth2.c.selinux	2004-08-12 08:40:25.000000000 -0400
> +++ openssh-3.9p1/auth2.c	2004-09-02 16:01:12.389470633 -0400
> @@ -132,7 +132,7 @@
>  {
>  	Authctxt *authctxt = ctxt;
>  	Authmethod *m = NULL;
> -	char *user, *service, *method, *style = NULL;
> +	char *user, *service, *method, *style = NULL, *role = NULL;
>  	int authenticated = 0;
>  
>  	if (authctxt == NULL)
> @@ -144,6 +144,9 @@
>  	debug("userauth-request for user %s service %s method %s", user, service, method);
>  	debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
>  
> +	if ((role = strchr(user, '/')) != NULL)
> +		*role++ = 0;
> +
>  	if ((style = strchr(user, ':')) != NULL)
>  		*style++ = 0;
>  
> @@ -170,8 +173,11 @@
>  		    use_privsep ? " [net]" : "");
>  		authctxt->service = xstrdup(service);
>  		authctxt->style = style ? xstrdup(style) : NULL;
> -		if (use_privsep)
> +		authctxt->role = role ? xstrdup(role) : NULL;
> +		if (use_privsep) {
>  			mm_inform_authserv(service, style);
> +			mm_inform_authrole(role);
> +		}
>  	} else if (strcmp(user, authctxt->user) != 0 ||
>  	    strcmp(service, authctxt->service) != 0) {
>  		packet_disconnect("Change of username or service not allowed: "
> --- openssh-3.9p1/monitor_wrap.c.selinux	2004-07-17 03:05:14.000000000 -0400
> +++ openssh-3.9p1/monitor_wrap.c	2004-09-02 16:01:12.391470398 -0400
> @@ -274,6 +274,23 @@
>  	buffer_free(&m);
>  }
>  
> +/* Inform the privileged process about role */
> +
> +void
> +mm_inform_authrole(char *role)
> +{
> +	Buffer m;
> +
> +	debug3("%s entering", __func__);
> +
> +	buffer_init(&m);
> +	buffer_put_cstring(&m, role ? role : "");
> +
> +	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
> +
> +	buffer_free(&m);
> +}
> +
>  /* Do the password authentication */
>  int
>  mm_auth_password(Authctxt *authctxt, char *password)
> --- openssh-3.9p1/session.c.selinux	2004-08-12 08:40:25.000000000 -0400
> +++ openssh-3.9p1/session.c	2004-09-02 16:01:12.395469928 -0400
> @@ -58,6 +58,8 @@
>  #include "session.h"
>  #include "monitor_wrap.h"
>  
> +#include "selinux.h"
> +
>  #if defined(KRB5) && defined(USE_AFS)
>  #include <kafs.h>
>  #endif
> @@ -1304,6 +1306,8 @@
>  #endif
>  	if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
>  		fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
> +
> +	setup_selinux_exec_context(pw->pw_name);
>  }
>  
>  static void


-- 
Nigel Kukard, PhD CompSc
(Chief Executive Officer)
Linux Based Systems Design (Non-Profit)
Web: www.lbsd.net          Email: nkukard@lbsd.net
Tel: (+27) 023 349 8000     Cell: (+27) 082 333 3723
Fax: (+27) 023 349 1395  Support: 086 747 7600
Address: LIGT House, 2 Klipdrift Rd, Rawsonville
Linux Systems Design & Technology Solutions


   The best language to use is the language that was designed for
                  what you want to use it for.


=====================================================================

Disclaimer
----------
The contents of this message and any attachments are intended 
solely for the addressee's use and may be legally privileged and/or 
confidential information. This message may not be retained, 
distributed, copied or used if you are not he addressee of this 
message. If this message was sent to you in error, please notify 
the sender immediately by reply e-mail and then destroy the message 
and any copies thereof.

Opinions, conclusions and other information in this message may be 
personal to the sender and is not that of Linux Based Systems Design,
LinuxRulz or any of it's subsideries, associated companies or 
principals and is therefore not endorsed by Linux Based Systems 
Design or LinuxRulz. Due to e-maill communication being insecure, 
Linux Based Systems Design and LinuxRulz do not guarantee 
confidentiality, security, accuracy or performance of the e-mail. 
Any liability for viruses is excluded to the fullest extent.

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: Please review openssh patch for selinux

[Nigel Kukard]

[-- Attachment #1.1: Type: text/plain, Size: 609 bytes --]

As posted, here is an updated patch which allows openssh to be built
with non-selinux config.

(Hi openssh guys, forwarding this to you incase you interested including
it into the devel version of openssh. Please let us know if you have any
suggestions or changes that need to be made)


Regards
Nigel Kukard


On Thu, Sep 02, 2004 at 04:11:54PM -0400, Daniel J Walsh wrote:
> New SSH patch.
> 
> Provides the capability of doing
> 
> ssh hostname -l root/sysadm_r
> 
> suggested by Collin. 
> 
> I used the / instead of : to preserve the BSD syntax.
> 
> Comments?
> 
> 
> Dan
> 

[-- Attachment #1.2: openssh-3.9p1_selinux.patch --]
[-- Type: text/plain, Size: 16520 bytes --]

Author: Daniel J Walsh <dwalsh@redhat.com>
Date:   02/09/2004
Source: selinux@tycho.nsa.gov mailing list


ChangeLog:

	07/09/2004 - Nigel Kukard  <nkukard@lbsd.net>
		o Fixed patch to work with non-selinux configuration


Changes:

 Makefile.in              |    2 
 auth.h                   |    3 +
 auth1.c                  |   11 +++++
 auth2.c                  |   17 +++++++
 config.h.in              |    3 +
 configure.ac             |   13 ++++++
 contrib/redhat/sshd.init |    9 ++++
 monitor.c                |   29 +++++++++++++
 monitor.h                |    2 
 monitor_wrap.c           |   18 ++++++++
 monitor_wrap.h           |    3 +
 selinux.c                |  101 +++++++++++++++++++++++++++++++++++++++++++++++
 selinux.h                |   10 ++++
 session.c                |    8 +++
 sshpty.c                 |    8 +++
 15 files changed, 234 insertions(+), 3 deletions(-)


diff -u --new-file --recursive openssh-3.9p1_vanilla/Makefile.in openssh-3.9p1_selinux/Makefile.in
--- openssh-3.9p1_vanilla/Makefile.in	2004-08-15 13:01:37.000000000 +0200
+++ openssh-3.9p1_selinux/Makefile.in	2004-09-07 17:41:15.000000000 +0200
@@ -76,7 +76,7 @@
 	sshconnect.o sshconnect1.o sshconnect2.o
 
 SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
-	sshpty.o sshlogin.o servconf.o serverloop.o \
+	sshpty.o sshlogin.o servconf.o serverloop.o selinux.o \
 	auth.o auth1.o auth2.o auth-options.o session.o \
 	auth-chall.o auth2-chall.o groupaccess.o \
 	auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
diff -u --new-file --recursive openssh-3.9p1_vanilla/auth.h openssh-3.9p1_selinux/auth.h
--- openssh-3.9p1_vanilla/auth.h	2004-05-24 02:36:23.000000000 +0200
+++ openssh-3.9p1_selinux/auth.h	2004-09-07 18:03:09.000000000 +0200
@@ -57,6 +57,9 @@
 	char		*service;
 	struct passwd	*pw;		/* set if 'valid' */
 	char		*style;
+#ifdef WITH_SELINUX
+	char		*role;
+#endif
 	void		*kbdintctxt;
 #ifdef BSD_AUTH
 	auth_session_t	*as;
diff -u --new-file --recursive openssh-3.9p1_vanilla/auth1.c openssh-3.9p1_selinux/auth1.c
--- openssh-3.9p1_vanilla/auth1.c	2004-08-12 14:40:25.000000000 +0200
+++ openssh-3.9p1_selinux/auth1.c	2004-09-07 18:04:03.000000000 +0200
@@ -284,6 +284,9 @@
 {
 	u_int ulen;
 	char *user, *style = NULL;
+#ifdef WITH_SELINUX
+	char *role=NULL;
+#endif
 
 	/* Get the name of the user that we wish to log in as. */
 	packet_read_expect(SSH_CMSG_USER);
@@ -292,11 +295,19 @@
 	user = packet_get_string(&ulen);
 	packet_check_eom();
 
+#ifdef WITH_SELINUX
+	if ((role = strchr(user, '/')) != NULL)
+		*role++ = '\0';
+#endif
+
 	if ((style = strchr(user, ':')) != NULL)
 		*style++ = '\0';
 
 	authctxt->user = user;
 	authctxt->style = style;
+#ifdef WITH_SELINUX
+	authctxt->role = role;
+#endif
 
 	/* Verify that the user is a valid user. */
 	if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
diff -u --new-file --recursive openssh-3.9p1_vanilla/auth2.c openssh-3.9p1_selinux/auth2.c
--- openssh-3.9p1_vanilla/auth2.c	2004-08-12 14:40:25.000000000 +0200
+++ openssh-3.9p1_selinux/auth2.c	2004-09-07 18:06:25.000000000 +0200
@@ -133,6 +133,9 @@
 	Authctxt *authctxt = ctxt;
 	Authmethod *m = NULL;
 	char *user, *service, *method, *style = NULL;
+#ifdef WITH_SELINUX
+	char *role = NULL;
+#endif
 	int authenticated = 0;
 
 	if (authctxt == NULL)
@@ -144,6 +147,11 @@
 	debug("userauth-request for user %s service %s method %s", user, service, method);
 	debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
 
+#ifdef WITH_SELINUX
+	if ((role = strchr(user, '/')) != NULL)
+		*role++ = 0;
+#endif
+
 	if ((style = strchr(user, ':')) != NULL)
 		*style++ = 0;
 
@@ -170,8 +178,15 @@
 		    use_privsep ? " [net]" : "");
 		authctxt->service = xstrdup(service);
 		authctxt->style = style ? xstrdup(style) : NULL;
-		if (use_privsep)
+#ifdef WITH_SELINUX
+		authctxt->role = role ? xstrdup(role) : NULL;
+#endif
+		if (use_privsep) {
 			mm_inform_authserv(service, style);
+#ifdef WITH_SELINUX
+			mm_inform_authrole(role);
+#endif
+		}
 	} else if (strcmp(user, authctxt->user) != 0 ||
 	    strcmp(service, authctxt->service) != 0) {
 		packet_disconnect("Change of username or service not allowed: "
diff -u --new-file --recursive openssh-3.9p1_vanilla/config.h.in openssh-3.9p1_selinux/config.h.in
--- openssh-3.9p1_vanilla/config.h.in	2004-08-17 14:54:51.000000000 +0200
+++ openssh-3.9p1_selinux/config.h.in	2004-09-07 17:41:15.000000000 +0200
@@ -265,6 +265,9 @@
 /* Define if you want Kerberos 5 support */
 #undef KRB5
 
+/* Define if have want SELinux support */
+#undef WITH_SELINUX
+
 /* Define this if you are using the Heimdal version of Kerberos V5 */
 #undef HEIMDAL
 
diff -u --new-file --recursive openssh-3.9p1_vanilla/configure.ac openssh-3.9p1_selinux/configure.ac
--- openssh-3.9p1_vanilla/configure.ac	2004-08-16 15:12:06.000000000 +0200
+++ openssh-3.9p1_selinux/configure.ac	2004-09-07 17:41:15.000000000 +0200
@@ -2218,6 +2218,18 @@
 			[#include <arpa/nameser.h>])
 	])
 
+# Check whether user wants SELinux support
+SELINUX_MSG="no"
+AC_ARG_WITH(selinux,
+	[  --with-selinux   Enable SELinux support],
+	[ if test "x$withval" != "xno" ; then
+		AC_DEFINE(WITH_SELINUX)
+		SELINUX_MSG="yes"
+		AC_CHECK_HEADERS(selinux.h)
+		LIBS="$LIBS -lselinux"
+	fi
+	])
+
 # Check whether user wants Kerberos 5 support
 KRB5_MSG="no"
 AC_ARG_WITH(kerberos5,
@@ -2973,6 +2985,7 @@
 echo "                    Manpage format: $MANTYPE"
 echo "                       PAM support: $PAM_MSG"
 echo "                 KerberosV support: $KRB5_MSG"
+echo "                   SELinux support: $SELINUX_MSG"
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
 echo "              TCP Wrappers support: $TCPW_MSG"
diff -u --new-file --recursive openssh-3.9p1_vanilla/contrib/redhat/sshd.init openssh-3.9p1_selinux/contrib/redhat/sshd.init
--- openssh-3.9p1_vanilla/contrib/redhat/sshd.init	2002-05-10 04:19:23.000000000 +0200
+++ openssh-3.9p1_selinux/contrib/redhat/sshd.init	2004-09-07 17:41:15.000000000 +0200
@@ -35,6 +35,9 @@
 		if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
 			chmod 600 $RSA1_KEY
 			chmod 644 $RSA1_KEY.pub
+			if [ -x /sbin/restorecon ]; then
+			    /sbin/restorecon $RSA1_KEY.pub
+			fi
 			success $"RSA1 key generation"
 			echo
 		else
@@ -51,6 +54,9 @@
 		if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
 			chmod 600 $RSA_KEY
 			chmod 644 $RSA_KEY.pub
+			if [ -x /sbin/restorecon ]; then
+			    /sbin/restorecon $RSA_KEY.pub
+			fi
 			success $"RSA key generation"
 			echo
 		else
@@ -67,6 +73,9 @@
 		if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
 			chmod 600 $DSA_KEY
 			chmod 644 $DSA_KEY.pub
+			if [ -x /sbin/restorecon ]; then
+			    /sbin/restorecon $DSA_KEY.pub
+			fi
 			success $"DSA key generation"
 			echo
 		else
diff -u --new-file --recursive openssh-3.9p1_vanilla/monitor.c openssh-3.9p1_selinux/monitor.c
--- openssh-3.9p1_vanilla/monitor.c	2004-07-17 09:05:14.000000000 +0200
+++ openssh-3.9p1_selinux/monitor.c	2004-09-07 18:01:38.000000000 +0200
@@ -127,6 +127,10 @@
 int mm_answer_sesskey(int, Buffer *);
 int mm_answer_sessid(int, Buffer *);
 
+#ifdef WITH_SELINUX
+int mm_answer_authrole(int, Buffer *);
+#endif
+
 #ifdef USE_PAM
 int mm_answer_pam_start(int, Buffer *);
 int mm_answer_pam_account(int, Buffer *);
@@ -178,6 +182,9 @@
     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
     {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
+#ifdef WITH_SELINUX
+    {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
+#endif
 #ifdef USE_PAM
     {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
     {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
@@ -602,6 +609,9 @@
 	else {
 		/* Allow service/style information on the auth context */
 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+#ifdef WITH_SELINUX
+		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
+#endif
 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
 	}
 
@@ -646,6 +656,25 @@
 	return (0);
 }
 
+#ifdef WITH_SELINUX
+int
+mm_answer_authrole(int sock, Buffer *m)
+{
+	monitor_permit_authentications(1);
+
+	authctxt->role = buffer_get_string(m, NULL);
+	debug3("%s: style=%s",
+	    __func__, authctxt->role);
+
+	if (strlen(authctxt->role) == 0) {
+		xfree(authctxt->role);
+		authctxt->role = NULL;
+	}
+
+	return (0);
+}
+#endif
+
 int
 mm_answer_authpassword(int sock, Buffer *m)
 {
diff -u --new-file --recursive openssh-3.9p1_vanilla/monitor.h openssh-3.9p1_selinux/monitor.h
--- openssh-3.9p1_vanilla/monitor.h	2003-11-17 13:18:22.000000000 +0200
+++ openssh-3.9p1_selinux/monitor.h	2004-09-07 18:08:22.000000000 +0200
@@ -30,7 +30,7 @@
 
 enum monitor_reqtype {
 	MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
-	MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
+	MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, MONITOR_REQ_AUTHROLE,
 	MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
 	MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
 	MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
diff -u --new-file --recursive openssh-3.9p1_vanilla/monitor_wrap.c openssh-3.9p1_selinux/monitor_wrap.c
--- openssh-3.9p1_vanilla/monitor_wrap.c	2004-07-17 09:05:14.000000000 +0200
+++ openssh-3.9p1_selinux/monitor_wrap.c	2004-09-07 18:14:58.000000000 +0200
@@ -274,6 +274,24 @@
 	buffer_free(&m);
 }
 
+/* Inform the privileged process about role */
+#ifdef WITH_SELINUX
+void
+mm_inform_authrole(char *role)
+{
+	Buffer m;
+
+	debug3("%s entering", __func__);
+
+	buffer_init(&m);
+	buffer_put_cstring(&m, role ? role : "");
+
+	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
+
+	buffer_free(&m);
+}
+#endif
+
 /* Do the password authentication */
 int
 mm_auth_password(Authctxt *authctxt, char *password)
diff -u --new-file --recursive openssh-3.9p1_vanilla/monitor_wrap.h openssh-3.9p1_selinux/monitor_wrap.h
--- openssh-3.9p1_vanilla/monitor_wrap.h	2004-06-22 04:56:02.000000000 +0200
+++ openssh-3.9p1_selinux/monitor_wrap.h	2004-09-07 18:13:13.000000000 +0200
@@ -44,6 +44,9 @@
 DH *mm_choose_dh(int, int, int);
 int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
 void mm_inform_authserv(char *, char *);
+#ifdef WITH_SELINUX
+void mm_inform_authrole(char *);
+#endif
 struct passwd *mm_getpwnamallow(const char *);
 char *mm_auth2_read_banner(void);
 int mm_auth_password(struct Authctxt *, char *);
diff -u --new-file --recursive openssh-3.9p1_vanilla/selinux.c openssh-3.9p1_selinux/selinux.c
--- openssh-3.9p1_vanilla/selinux.c	1970-01-01 02:00:00.000000000 +0200
+++ openssh-3.9p1_selinux/selinux.c	2004-09-07 17:41:15.000000000 +0200
@@ -0,0 +1,101 @@
+#include "includes.h"
+#include "auth.h"
+#include "log.h"
+
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/flask.h>
+#include <selinux/context.h>
+#include <selinux/get_context_list.h>
+#include <selinux/get_default_type.h>
+extern Authctxt *the_authctxt;
+
+static const security_context_t selinux_get_user_context(const char *name) {
+	security_context_t user_context=NULL;
+	if (get_default_context(name,NULL,&user_context)) {
+		if (security_getenforce() > 0) 
+			fatal("Failed to get default security context for %s.", name);
+		else 
+			error("Failed to get default security context for %s. Continuing in permissve mode", name);
+	} else {
+		if (the_authctxt) {
+			char *role=the_authctxt->role;
+			if (role != NULL && role[0]) {
+				char *type;
+				if (get_default_type(role, &type) < 0) {
+					if (security_getenforce() > 0) 
+						fatal("Failed to get default type for role %s, user %s.", role, name);
+					else 
+						error("Failed to get default type for role %s, user %s. Continuing in permissive mode", role, name);
+				} else {
+					context_t newcon=context_new(user_context);
+					if (context_role_set(newcon, role) != 0) {
+						context_free(newcon);
+						if (security_getenforce() > 0) 
+							fatal("Failed to set role %s for %s.", role, name);
+						else 
+							error("Failed to set role %s for %s. Continuing in permissive mode", role, name);
+					} else if (context_type_set(newcon, type) != 0) {
+						context_free(newcon);
+						if (security_getenforce() > 0) 
+							fatal("Failed to set type %s for %s.", role, name);
+						else 
+							error("Failed to set type %s for %s. Continuing in permissive mode", role, name);
+					} else {
+						freecon(user_context);
+						user_context = strdup(context_str(newcon));
+						context_free(newcon);
+					}
+				}
+			}
+		}
+	}
+	return user_context;
+}
+
+void setup_selinux_pty(const char *name, const char *tty) {
+	if (is_selinux_enabled() > 0) {
+		security_context_t new_tty_context=NULL, user_context=NULL, old_tty_context=NULL; 
+
+		user_context=selinux_get_user_context(name);
+
+		if (getfilecon(tty, &old_tty_context) < 0) {
+			error("getfilecon(%.100s) failed: %.100s", tty, strerror(errno));
+		} else {
+			if (security_compute_relabel(user_context,old_tty_context,
+						     SECCLASS_CHR_FILE,
+						     &new_tty_context) != 0) {
+				error("security_compute_relabel(%.100s) failed: %.100s", tty,
+				      strerror(errno));
+			} else {
+				if (setfilecon (tty, new_tty_context) != 0) 
+					error("setfilecon(%.100s, %s) failed: %.100s",
+					      tty, new_tty_context, 
+					      strerror(errno));
+				freecon(new_tty_context);
+			}
+			freecon(old_tty_context);
+		}
+		if (user_context) {
+			freecon(user_context);
+		}
+	}
+}
+
+void setup_selinux_exec_context(char *name) {
+
+	if (is_selinux_enabled() > 0) {
+		security_context_t user_context=selinux_get_user_context(name);
+		if (setexeccon(user_context)) {
+			if (security_getenforce() > 0) 
+				fatal("Failed to set exec security context %s for %s.", user_context, name);
+			else 
+				error("Failed to set exec security context %s for %s. Continuing in permissive mode", user_context, name);
+		}
+		if (user_context) {
+			freecon(user_context);
+		}
+	}
+}
+
+#endif /* WITH_SELINUX */
diff -u --new-file --recursive openssh-3.9p1_vanilla/selinux.h openssh-3.9p1_selinux/selinux.h
--- openssh-3.9p1_vanilla/selinux.h	1970-01-01 02:00:00.000000000 +0200
+++ openssh-3.9p1_selinux/selinux.h	2004-09-07 17:41:16.000000000 +0200
@@ -0,0 +1,10 @@
+#ifndef __SELINUX_H_
+#define __SELINUX_H_
+#ifdef WITH_SELINUX
+extern void setup_selinux_pty(const char *name, const char *tty);
+extern void setup_selinux_exec_context(const char *name);
+#else
+inline void setup_selinux_pty(const char *name, const char *tty) {}
+inline void setup_selinux_exec_context(const char *name) {} 
+#endif /* WITH_SELINUX */
+#endif /* __SELINUX_H_ */
diff -u --new-file --recursive openssh-3.9p1_vanilla/session.c openssh-3.9p1_selinux/session.c
--- openssh-3.9p1_vanilla/session.c	2004-08-12 14:40:25.000000000 +0200
+++ openssh-3.9p1_selinux/session.c	2004-09-07 17:41:56.000000000 +0200
@@ -58,6 +58,10 @@
 #include "session.h"
 #include "monitor_wrap.h"
 
+#ifdef WITH_SELINUX
+#include "selinux.h"
+#endif
+
 #if defined(KRB5) && defined(USE_AFS)
 #include <kafs.h>
 #endif
@@ -1304,6 +1308,10 @@
 #endif
 	if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
 		fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
+
+#ifdef WITH_SELINUX
+	setup_selinux_exec_context(pw->pw_name);
+#endif
 }
 
 static void
diff -u --new-file --recursive openssh-3.9p1_vanilla/sshpty.c openssh-3.9p1_selinux/sshpty.c
--- openssh-3.9p1_vanilla/sshpty.c	2004-06-22 04:56:02.000000000 +0200
+++ openssh-3.9p1_selinux/sshpty.c	2004-09-07 17:42:39.000000000 +0200
@@ -22,6 +22,10 @@
 #include "log.h"
 #include "misc.h"
 
+#ifdef WITH_SELINUX
+#include "selinux.h"
+#endif
+
 #ifdef HAVE_PTY_H
 # include <pty.h>
 #endif
@@ -200,6 +204,10 @@
 		fatal("stat(%.100s) failed: %.100s", tty,
 		    strerror(errno));
 
+#ifdef WITH_SELINUX
+	setup_selinux_pty(pw->pw_name, tty);
+#endif
+	
 	if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
 		if (chown(tty, pw->pw_uid, gid) < 0) {
 			if (errno == EROFS &&

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: Proposed Hardware File Context file.

[Luke Kenneth Casson Leighton]

On Thu, Sep 02, 2004 at 03:38:39PM -0400, Stephen Smalley wrote:

> On Thu, 2004-09-02 at 11:52, Daniel J Walsh wrote:
> > Collin and I were discussing a way to label hardware devices correctly.
> > 
> > One proposal would be to come up with a new file_contexts file based off 
> > of path and hardware type.
> > 
> > So we could have a file with
> > 
> > /dev/h
> > 
> > /u?dev/[shmx]d[^/]*    -b    system_u:object_r:fixed_disk_device_t
> > /u?dev/[shmx]d[^/]*    -b    system_u:object_r:removable_disk_device_t cdrom

> This is separate from the main file_contexts configuration used by
> setfiles, restorecon, and rpm?  If so, what prevents the device from
> being relabeled back to the wrong type by them?  If not, how do they
> determine the hardware type to pass in?  
> 
> It also isn't clear that you care about the pathname regex or file type
> if you know that you are dealing with a particular hardware type (and
> unit); you can just map those directly to a context.

okay: i got it, i got it.

the "cdrom" bit on the end is a "shortcut keyword" to say
"please override the default".

we need an "alternative" file system context function.

the function - setalternatefscontext() - should take two arguments:

- the name of the device (/dev/hdc)
- the "keyword" e.g. "cdrom".

setfscontextbykeyword() should:

- match the device against the regexp
- match the keyword against the last line: if there isn't one that
  matches, return an error (?)

if both device and keyword match, set the file context.


it remains the responsibility of programs that use the "alternative"
to reset the context back to the default after they're done.

so udev would need a udevremove if it doesn't already have one.


this is generic enough for it to be useable for purposes other than
/dev.

l.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Proposed Hardware File Context file.

[Luke Kenneth Casson Leighton]

On Thu, Sep 02, 2004 at 11:52:03AM -0400, Daniel J Walsh wrote:
> Collin and I were discussing a way to label hardware devices correctly.
> 
> One proposal would be to come up with a new file_contexts file based off 
> of path and hardware type.
> 
> So we could have a file with
> 
> /dev/h
> 
> /u?dev/[shmx]d[^/]*    -b    system_u:object_r:fixed_disk_device_t

you mean:

  /u?dev/[shmx]d[^/]*    -b    system_u:object_r:fixed_disk_device_t disk

or do you mean _not_ having the extra word on the end to indicate
the default, should the type not be matched [by a udev script]?

> /u?dev/[shmx]d[^/]*    -b    system_u:object_r:removable_disk_device_t cdrom

> Then either add a param to matchpathcon or a new function that would 
> pass in the hardware type
> and get the correct context.
> 
> Then tools like udev could use this to create the device with the 
> correct context.
> 
> ideas??

 interesting.

 in some respects, it's almost like you don't need the /u?dev/[...]...
 bit: if it's a cdrom, you know it's removable_disk_device_t, end
 of story.

 hm.

 except.... what about restricting access to removable_disk_device_t,
 or is that covered by user_rw_noexattrfile?

 l.

 

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Proposed Hardware File Context file.

[Daniel J Walsh]

Luke Kenneth Casson Leighton wrote:

>On Thu, Sep 02, 2004 at 11:52:03AM -0400, Daniel J Walsh wrote:
>  
>
>>Collin and I were discussing a way to label hardware devices correctly.
>>
>>One proposal would be to come up with a new file_contexts file based off 
>>of path and hardware type.
>>
>>So we could have a file with
>>
>>/dev/h
>>
>>/u?dev/[shmx]d[^/]*    -b    system_u:object_r:fixed_disk_device_t
>>    
>>
>
>you mean:
>
>  /u?dev/[shmx]d[^/]*    -b    system_u:object_r:fixed_disk_device_t disk
>
>or do you mean _not_ having the extra word on the end to indicate
>the default, should the type not be matched [by a udev script]?
>
>  
>
>>/u?dev/[shmx]d[^/]*    -b    system_u:object_r:removable_disk_device_t cdrom
>>    
>>
>
>  
>
Yes I was thinking no hardware type would be default.

>>Then either add a param to matchpathcon or a new function that would 
>>pass in the hardware type
>>and get the correct context.
>>
>>Then tools like udev could use this to create the device with the 
>>correct context.
>>
>>ideas??
>>    
>>
>
> interesting.
>
> in some respects, it's almost like you don't need the /u?dev/[...]...
> bit: if it's a cdrom, you know it's removable_disk_device_t, end
> of story.
>
>  
>
Yes covered in another email.

> hm.
>
> except.... what about restricting access to removable_disk_device_t,
> or is that covered by user_rw_noexattrfile?
>
> l.
>
> 
>  
>
Yes this is just getting the file type correct.  Policy would be handled 
in the traditional way.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Latest Patches

[Daniel J Walsh]

Stephen Smalley wrote:

>On Thu, 2004-09-02 at 08:46, Daniel J Walsh wrote:
>  
>
>>diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.17.9/domains/program/initrc.te
>>--- nsapolicy/domains/program/initrc.te	2004-08-30 09:49:15.000000000 -0400
>>+++ policy-1.17.9/domains/program/initrc.te	2004-09-02 08:15:02.734588923 -0400
>>@@ -12,12 +12,14 @@
>> # initrc_exec_t is the type of the init program.
>> #
>> # do not use privmail for sendmail as it creates a type transition conflict
>>-type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, unrestricted, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') sysctl_kernel_writer;
>> ifdef(`sendmail.te', `
>>+# do not use privmail for sendmail as it creates a type transition conflict
>>+type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, unrestricted, ') domain, privlog, privowner, privmodule, sysctl_kernel_writer;
>> allow system_mail_t initrc_t:fd use;
>> allow system_mail_t initrc_t:fifo_file write;
>>+', `
>>+type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem,auth_write, unrestricted, ') domain, privlog, privowner, privmodule, sysctl_kernel_writer, privmail;
>> ')
>>-
>>    
>>
>
>This reverts a patch from Russell to merge the two initrc_t type
>declarations together (using an ifdef embedded in the attribute list for
>the sendmail issue) to ease maintenance.
>
>  
>
Removed

>>diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.17.9/domains/program/unused/apache.te
>>--- nsapolicy/domains/program/unused/apache.te	2004-08-30 09:49:15.000000000 -0400
>>+++ policy-1.17.9/domains/program/unused/apache.te	2004-09-02 08:15:02.737588587 -0400
>>@@ -41,6 +41,7 @@
>> append_logdir_domain(httpd)
>> #can read /etc/httpd/logs
>> allow httpd_t httpd_log_t:lnk_file { read };
>>+allow httpd_t httpd_log_t:dir { remove_name };
>> 
>> # For /etc/init.d/apache2 reload
>> can_tcp_connect(httpd_t, httpd_t)
>>    
>>
>
>As before, do you want apache removing log files?
>  
>
Russell added it I believe,  I will remove it for now.

>  
>
>>diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.17.9/domains/program/unused/cups.te
>>--- nsapolicy/domains/program/unused/cups.te	2004-08-30 09:49:15.000000000 -0400
>>+++ policy-1.17.9/domains/program/unused/cups.te	2004-09-02 08:15:02.737588587 -0400
>>@@ -157,5 +157,6 @@
>> allow cupsd_t ptal_var_run_t:dir { search };
>> dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
>> 
>>+allow cupsd_t printer_device_t:fifo_file rw_file_perms;
>> dontaudit cupsd_t selinux_config_t:dir search;
>> dontaudit cupsd_t selinux_config_t:file { getattr read };
>>    
>>
>
>Does this fifo still exist?  Russell removed this rule earlier.
>
>  
>
Ok I will remove it til we see the avc message again.

>>diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/named.te policy-1.17.9/domains/program/unused/named.te
>>--- nsapolicy/domains/program/unused/named.te	2004-08-27 14:44:11.000000000 -0400
>>+++ policy-1.17.9/domains/program/unused/named.te	2004-09-02 08:15:02.739588362 -0400
>>@@ -113,7 +113,6 @@
>> allow ndc_t self:unix_stream_socket create_stream_socket_perms;
>> allow ndc_t self:unix_stream_socket connect;
>> allow ndc_t self:capability { dac_override net_admin };
>>-allow ndc_t var_t:dir search;
>> allow ndc_t var_run_t:dir search;
>> allow ndc_t named_var_run_t:sock_file rw_file_perms;
>> allow ndc_t named_t:unix_stream_socket connectto;
>>    
>>
>
>You can't reach /var/run if you can't search /var.
>
>  
>
Ok I will remove.

>>diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rhgb.te policy-1.17.9/domains/program/unused/rhgb.te
>>--- nsapolicy/domains/program/unused/rhgb.te	2004-08-27 14:44:11.000000000 -0400
>>+++ policy-1.17.9/domains/program/unused/rhgb.te	2004-09-02 08:15:02.740588250 -0400
>>@@ -33,11 +33,6 @@
>> allow insmod_t ramfs_t:file write;
>> allow insmod_t rhgb_t:fd use;
>> 
>>-allow rhgb_t ramfs_t:filesystem { mount unmount };
>>-allow rhgb_t root_t:dir { mounton };
>>-allow rhgb_t rhgb_t:capability { sys_admin };
>>-dontaudit rhgb_t var_run_t:dir { search };
>>-
>> can_network(rhgb_t)
>> can_ypbind(rhgb_t)
>>    
>>
>
>Why is it safe to remove these rules?  Change in mkinitrd?  Does rhgb
>still work as expected with strict/enforcing?
>
>  
>
 From Russell's Policy.  I will try it out.

>>diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.17.9/domains/program/unused/udev.te
>>--- nsapolicy/domains/program/unused/udev.te	2004-09-01 14:00:02.000000000 -0400
>>+++ policy-1.17.9/domains/program/unused/udev.te	2004-09-02 08:15:02.742588026 -0400
>>@@ -43,7 +43,8 @@
>> allow udev_t { device_t device_type }:{chr_file blk_file} { relabelfrom relabelto create_file_perms };
>> 	
>> # to read the file_contexts file
>>-r_dir_file(udev_t, { selinux_config_t file_context_t default_context_t } )
>>+allow udev_t { selinux_config_t default_context_t }:dir search;
>>+allow udev_t file_context_t:file { getattr read };
>>    
>>
>
>To access the file_contexts file, udev must be able to read
>/etc/selinux/config (requires search to selinux_config_t:dir and read to
>selinux_config_t:file) and
>/etc/selinux/$SELINUXTYPE/contexts/files/file_contexts (requires search
>to default_context_t:dir and file_context_t:dir and read to
>file_context_t:file).  Simpler to just express this using the single
>r_dir_file() line that is in our policy, even it is a bit more
>permissive than strictly necessary (your rules aren't sufficient).
>
>  
>
Removed

>>@@ -82,11 +83,6 @@
>> ifdef(`consoletype.te', `
>> can_exec(udev_t, consoletype_exec_t)
>> ')
>>-ifdef(`pamconsole.te', `
>>-allow udev_t pam_var_console_t:dir search;
>>-')
>>-allow udev_t var_lock_t:dir search;
>>-allow udev_t var_lock_t:file getattr;
>> domain_auto_trans(udev_t, ifconfig_exec_t, ifconfig_t)
>> ifdef(`hide_broken_symptoms', `
>> dontaudit ifconfig_t udev_t:unix_dgram_socket { read write };
>>    
>>
>
>These were just added by Russell, I think.
>
>  
>
>>diff --exclude-from=exclude -N -u -r nsapolicy/fs_use policy-1.17.9/fs_use
>>--- nsapolicy/fs_use	2004-08-27 14:44:11.000000000 -0400
>>+++ policy-1.17.9/fs_use	2004-09-02 08:15:02.743587913 -0400
>>@@ -8,6 +8,7 @@
>> fs_use_xattr ext3 system_u:object_r:fs_t;
>> fs_use_xattr xfs system_u:object_r:fs_t;
>> fs_use_xattr reiserfs system_u:object_r:fs_t;
>>+fs_use_xattr tmpfs system_u:object_r:fs_t;
>> 
>> # Use the allocating task SID to label inodes in the following filesystem
>> # types, and label the filesystem itself with the specified context.
>>@@ -23,7 +24,6 @@
>> # This is appropriate for pseudo filesystems like devpts and tmpfs
>> # where we want to label objects with a derived type.
>> fs_use_trans devpts system_u:object_r:devpts_t;
>>-fs_use_trans tmpfs system_u:object_r:tmpfs_t;
>> fs_use_trans shm system_u:object_r:tmpfs_t;
>> 
>> # The separate genfs_contexts configuration can be used for filesystem 
>>    
>>
>
>Definitely wrong.  tmpfs needs to stay fs_use_trans even with the xattr
>handlers, like devpts.
>
>
>  
>
Other Email talks about this.

>>diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.17.9/macros/program/ssh_macros.te
>>--- nsapolicy/macros/program/ssh_macros.te	2004-08-27 14:44:11.000000000 -0400
>>+++ policy-1.17.9/macros/program/ssh_macros.te	2004-09-02 08:22:53.013807132 -0400
>>@@ -89,6 +89,14 @@
>> can_network($1_ssh_t)
>> can_ypbind($1_ssh_t)
>> 
>>+if (user_tcp_server) {
>>+# for sshing to a ssh tunnel
>>+can_tcp_connect($1_ssh_t, $1_ssh_t)
>>+
>>+# for other connections to a ssh tunnel
>>+can_tcp_connect($1_t, $1_ssh_t)
>>+}
>>+
>> # Use capabilities.
>> allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search };
>>    
>>
>
>Where is this diff coming from?  can_tcp_connect expands to _nothing_ in
>the present policy; it was only applicable to the pre-2.6 SELinux with
>labeled network buffers
>
Policy had a commented this out with a comment saying uncomment if you 
want to allow it.  So I
added the boolean code.    Since it has no effect I will leave it, for 
when controls added back ???

>.
>
>  
>
>>+# Connect to sshd.
>>+ifdef(`inetd.te', `
>>+ifdef(`run_ssh_inetd', `
>>+can_tcp_connect($1_ssh_t, inetd_t)
>>+', `
>>+can_tcp_connect($1_ssh_t, sshd_t)
>>+')', `
>>+can_tcp_connect($1_ssh_t, sshd_t)
>>+')
>>+
>>    
>>
>
>Ditto, and run_ssh_inetd is no longer a tunable; it is a boolean.
>
>  
>
Changed to boolean

>>diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/userhelper_macros.te policy-1.17.9/macros/program/userhelper_macros.te
>>--- nsapolicy/macros/program/userhelper_macros.te	2004-08-27 14:44:11.000000000 -0400
>>+++ policy-1.17.9/macros/program/userhelper_macros.te	2004-09-02 08:15:02.751587016 -0400
>>@@ -17,7 +17,7 @@
>> ifdef(`single_userdomain', `
>> typealias $1_t alias $1_userhelper_t;
>> ', `
>>-type $1_userhelper_t, domain, userhelperdomain, privlog, privrole, privowner, auth_chkpwd, privfd, privuser;
>>+type $1_userhelper_t, domain, userhelperdomain, privlog, privrole, privowner, auth_chkpwd, privfd ifdef(`user_canbe_sysadm', `, privuser');
>> 
>> in_user_role($1_userhelper_t)
>> role sysadm_r types $1_userhelper_t;
>>    
>>
>
>No, this is a reversion (where are these diffs coming from?).  privuser
>is always needed by userhelper with the current code (always switches to
>"root").
>  
>
Added back, This is from Russell's Policy

>  
>
>>@@ -127,7 +130,9 @@
>> allow $1_xserver_t mtrr_device_t:file rw_file_perms;
>> allow $1_xserver_t apm_bios_t:chr_file rw_file_perms;
>> allow $1_xserver_t framebuf_device_t:chr_file rw_file_perms;
>>+ifdef(`redhat', `
>> allow $1_xserver_t device_t:lnk_file { getattr read };
>>+')
>> allow $1_xserver_t devtty_t:chr_file rw_file_perms;
>> allow $1_xserver_t devtty_t:lnk_file read;
>> 
>>    
>>
>
>Wrapping such a trivial rule with a distro-specific ifdef is pointless,
>IMHO, and makes maintenance a pain.
>
>  
>
>>diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.17.9/Makefile
>>--- nsapolicy/Makefile	2004-09-02 08:03:26.130772258 -0400
>>+++ policy-1.17.9/Makefile	2004-09-02 08:15:02.754586679 -0400
>>@@ -147,6 +147,7 @@
>> 	@grep -v "^/root" $@.tmp > $@.root
>> 	@/usr/sbin/genhomedircon . $@.root  > $@
>> 	@grep "^/root" $@.tmp >> $@
>>+	@for i in /proc/ide/hd*/media; do grep -q cdrom $$i && echo $$i | awk -F / '{ print "/dev/"$$4"\t-b\tsystem_u:object_r:removable_device_t"}' >> $@ || true; done 
>> 	@-rm $@.tmp $@.root
>> 
>> clean:
>>    
>>
>
>Requires that the policy be rebuilt on every machine, as it depends on
>local /proc information.
>
>  
>
But if gives a default of /dev/hdc being removable, for initial 
install.  I want to propose a new hardware context file
in a nother email that would help fix this.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Latest Patches

[Luke Kenneth Casson Leighton]

On Thu, Sep 02, 2004 at 09:10:07AM -0400, Stephen Smalley wrote:

> > @@ -127,7 +130,9 @@
> >  allow $1_xserver_t mtrr_device_t:file rw_file_perms;
> >  allow $1_xserver_t apm_bios_t:chr_file rw_file_perms;
> >  allow $1_xserver_t framebuf_device_t:chr_file rw_file_perms;
> > +ifdef(`redhat', `
> >  allow $1_xserver_t device_t:lnk_file { getattr read };
> > +')
> >  allow $1_xserver_t devtty_t:chr_file rw_file_perms;
> >  allow $1_xserver_t devtty_t:lnk_file read;
> >  
> 
> Wrapping such a trivial rule with a distro-specific ifdef is pointless,
> IMHO, and makes maintenance a pain.

 it's also, istrc, needed for debian.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Latest Patches

[James Carter]

Merged everything other then the hunks Steve mentions here, and, of
course, the tunables.  

It doesn't matter to me if the tunables are there, they're ignored.

On Thu, 2004-09-02 at 09:10, Stephen Smalley wrote:
> On Thu, 2004-09-02 at 08:46, Daniel J Walsh wrote:
> > diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.17.9/domains/program/initrc.te
> > --- nsapolicy/domains/program/initrc.te	2004-08-30 09:49:15.000000000 -0400
> > +++ policy-1.17.9/domains/program/initrc.te	2004-09-02 08:15:02.734588923 -0400
> > @@ -12,12 +12,14 @@
> >  # initrc_exec_t is the type of the init program.
> >  #
> >  # do not use privmail for sendmail as it creates a type transition conflict
> > -type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, unrestricted, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') sysctl_kernel_writer;
> >  ifdef(`sendmail.te', `
> > +# do not use privmail for sendmail as it creates a type transition conflict
> > +type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, unrestricted, ') domain, privlog, privowner, privmodule, sysctl_kernel_writer;
> >  allow system_mail_t initrc_t:fd use;
> >  allow system_mail_t initrc_t:fifo_file write;
> > +', `
> > +type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem,auth_write, unrestricted, ') domain, privlog, privowner, privmodule, sysctl_kernel_writer, privmail;
> >  ')
> > -
> 
> This reverts a patch from Russell to merge the two initrc_t type
> declarations together (using an ifdef embedded in the attribute list for
> the sendmail issue) to ease maintenance.
> 
> > diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.17.9/domains/program/unused/apache.te
> > --- nsapolicy/domains/program/unused/apache.te	2004-08-30 09:49:15.000000000 -0400
> > +++ policy-1.17.9/domains/program/unused/apache.te	2004-09-02 08:15:02.737588587 -0400
> > @@ -41,6 +41,7 @@
> >  append_logdir_domain(httpd)
> >  #can read /etc/httpd/logs
> >  allow httpd_t httpd_log_t:lnk_file { read };
> > +allow httpd_t httpd_log_t:dir { remove_name };
> >  
> >  # For /etc/init.d/apache2 reload
> >  can_tcp_connect(httpd_t, httpd_t)
> 
> As before, do you want apache removing log files?
> 
> > diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.17.9/domains/program/unused/cups.te
> > --- nsapolicy/domains/program/unused/cups.te	2004-08-30 09:49:15.000000000 -0400
> > +++ policy-1.17.9/domains/program/unused/cups.te	2004-09-02 08:15:02.737588587 -0400
> > @@ -157,5 +157,6 @@
> >  allow cupsd_t ptal_var_run_t:dir { search };
> >  dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
> >  
> > +allow cupsd_t printer_device_t:fifo_file rw_file_perms;
> >  dontaudit cupsd_t selinux_config_t:dir search;
> >  dontaudit cupsd_t selinux_config_t:file { getattr read };
> 
> Does this fifo still exist?  Russell removed this rule earlier.
> 
> > diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/named.te policy-1.17.9/domains/program/unused/named.te
> > --- nsapolicy/domains/program/unused/named.te	2004-08-27 14:44:11.000000000 -0400
> > +++ policy-1.17.9/domains/program/unused/named.te	2004-09-02 08:15:02.739588362 -0400
> > @@ -113,7 +113,6 @@
> >  allow ndc_t self:unix_stream_socket create_stream_socket_perms;
> >  allow ndc_t self:unix_stream_socket connect;
> >  allow ndc_t self:capability { dac_override net_admin };
> > -allow ndc_t var_t:dir search;
> >  allow ndc_t var_run_t:dir search;
> >  allow ndc_t named_var_run_t:sock_file rw_file_perms;
> >  allow ndc_t named_t:unix_stream_socket connectto;
> 
> You can't reach /var/run if you can't search /var.
> 
> > diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rhgb.te policy-1.17.9/domains/program/unused/rhgb.te
> > --- nsapolicy/domains/program/unused/rhgb.te	2004-08-27 14:44:11.000000000 -0400
> > +++ policy-1.17.9/domains/program/unused/rhgb.te	2004-09-02 08:15:02.740588250 -0400
> > @@ -33,11 +33,6 @@
> >  allow insmod_t ramfs_t:file write;
> >  allow insmod_t rhgb_t:fd use;
> >  
> > -allow rhgb_t ramfs_t:filesystem { mount unmount };
> > -allow rhgb_t root_t:dir { mounton };
> > -allow rhgb_t rhgb_t:capability { sys_admin };
> > -dontaudit rhgb_t var_run_t:dir { search };
> > -
> >  can_network(rhgb_t)
> >  can_ypbind(rhgb_t)
> 
> Why is it safe to remove these rules?  Change in mkinitrd?  Does rhgb
> still work as expected with strict/enforcing?
> 
> > diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.17.9/domains/program/unused/udev.te
> > --- nsapolicy/domains/program/unused/udev.te	2004-09-01 14:00:02.000000000 -0400
> > +++ policy-1.17.9/domains/program/unused/udev.te	2004-09-02 08:15:02.742588026 -0400
> > @@ -43,7 +43,8 @@
> >  allow udev_t { device_t device_type }:{chr_file blk_file} { relabelfrom relabelto create_file_perms };
> >  	
> >  # to read the file_contexts file
> > -r_dir_file(udev_t, { selinux_config_t file_context_t default_context_t } )
> > +allow udev_t { selinux_config_t default_context_t }:dir search;
> > +allow udev_t file_context_t:file { getattr read };
> 
> To access the file_contexts file, udev must be able to read
> /etc/selinux/config (requires search to selinux_config_t:dir and read to
> selinux_config_t:file) and
> /etc/selinux/$SELINUXTYPE/contexts/files/file_contexts (requires search
> to default_context_t:dir and file_context_t:dir and read to
> file_context_t:file).  Simpler to just express this using the single
> r_dir_file() line that is in our policy, even it is a bit more
> permissive than strictly necessary (your rules aren't sufficient).
> 
> > @@ -82,11 +83,6 @@
> >  ifdef(`consoletype.te', `
> >  can_exec(udev_t, consoletype_exec_t)
> >  ')
> > -ifdef(`pamconsole.te', `
> > -allow udev_t pam_var_console_t:dir search;
> > -')
> > -allow udev_t var_lock_t:dir search;
> > -allow udev_t var_lock_t:file getattr;
> >  domain_auto_trans(udev_t, ifconfig_exec_t, ifconfig_t)
> >  ifdef(`hide_broken_symptoms', `
> >  dontaudit ifconfig_t udev_t:unix_dgram_socket { read write };
> 
> These were just added by Russell, I think.
> 
> > diff --exclude-from=exclude -N -u -r nsapolicy/fs_use policy-1.17.9/fs_use
> > --- nsapolicy/fs_use	2004-08-27 14:44:11.000000000 -0400
> > +++ policy-1.17.9/fs_use	2004-09-02 08:15:02.743587913 -0400
> > @@ -8,6 +8,7 @@
> >  fs_use_xattr ext3 system_u:object_r:fs_t;
> >  fs_use_xattr xfs system_u:object_r:fs_t;
> >  fs_use_xattr reiserfs system_u:object_r:fs_t;
> > +fs_use_xattr tmpfs system_u:object_r:fs_t;
> >  
> >  # Use the allocating task SID to label inodes in the following filesystem
> >  # types, and label the filesystem itself with the specified context.
> > @@ -23,7 +24,6 @@
> >  # This is appropriate for pseudo filesystems like devpts and tmpfs
> >  # where we want to label objects with a derived type.
> >  fs_use_trans devpts system_u:object_r:devpts_t;
> > -fs_use_trans tmpfs system_u:object_r:tmpfs_t;
> >  fs_use_trans shm system_u:object_r:tmpfs_t;
> >  
> >  # The separate genfs_contexts configuration can be used for filesystem 
> 
> Definitely wrong.  tmpfs needs to stay fs_use_trans even with the xattr
> handlers, like devpts.
> 
> 
> > diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.17.9/macros/program/ssh_macros.te
> > --- nsapolicy/macros/program/ssh_macros.te	2004-08-27 14:44:11.000000000 -0400
> > +++ policy-1.17.9/macros/program/ssh_macros.te	2004-09-02 08:22:53.013807132 -0400
> > @@ -89,6 +89,14 @@
> >  can_network($1_ssh_t)
> >  can_ypbind($1_ssh_t)
> >  
> > +if (user_tcp_server) {
> > +# for sshing to a ssh tunnel
> > +can_tcp_connect($1_ssh_t, $1_ssh_t)
> > +
> > +# for other connections to a ssh tunnel
> > +can_tcp_connect($1_t, $1_ssh_t)
> > +}
> > +
> >  # Use capabilities.
> >  allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search };
> 
> Where is this diff coming from?  can_tcp_connect expands to _nothing_ in
> the present policy; it was only applicable to the pre-2.6 SELinux with
> labeled network buffers.
> 
> > +# Connect to sshd.
> > +ifdef(`inetd.te', `
> > +ifdef(`run_ssh_inetd', `
> > +can_tcp_connect($1_ssh_t, inetd_t)
> > +', `
> > +can_tcp_connect($1_ssh_t, sshd_t)
> > +')', `
> > +can_tcp_connect($1_ssh_t, sshd_t)
> > +')
> > +
> 
> Ditto, and run_ssh_inetd is no longer a tunable; it is a boolean.
> 
> > diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/userhelper_macros.te policy-1.17.9/macros/program/userhelper_macros.te
> > --- nsapolicy/macros/program/userhelper_macros.te	2004-08-27 14:44:11.000000000 -0400
> > +++ policy-1.17.9/macros/program/userhelper_macros.te	2004-09-02 08:15:02.751587016 -0400
> > @@ -17,7 +17,7 @@
> >  ifdef(`single_userdomain', `
> >  typealias $1_t alias $1_userhelper_t;
> >  ', `
> > -type $1_userhelper_t, domain, userhelperdomain, privlog, privrole, privowner, auth_chkpwd, privfd, privuser;
> > +type $1_userhelper_t, domain, userhelperdomain, privlog, privrole, privowner, auth_chkpwd, privfd ifdef(`user_canbe_sysadm', `, privuser');
> >  
> >  in_user_role($1_userhelper_t)
> >  role sysadm_r types $1_userhelper_t;
> 
> No, this is a reversion (where are these diffs coming from?).  privuser
> is always needed by userhelper with the current code (always switches to
> "root").
> 
> > @@ -127,7 +130,9 @@
> >  allow $1_xserver_t mtrr_device_t:file rw_file_perms;
> >  allow $1_xserver_t apm_bios_t:chr_file rw_file_perms;
> >  allow $1_xserver_t framebuf_device_t:chr_file rw_file_perms;
> > +ifdef(`redhat', `
> >  allow $1_xserver_t device_t:lnk_file { getattr read };
> > +')
> >  allow $1_xserver_t devtty_t:chr_file rw_file_perms;
> >  allow $1_xserver_t devtty_t:lnk_file read;
> >  
> 
> Wrapping such a trivial rule with a distro-specific ifdef is pointless,
> IMHO, and makes maintenance a pain.
> 
> > diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.17.9/Makefile
> > --- nsapolicy/Makefile	2004-09-02 08:03:26.130772258 -0400
> > +++ policy-1.17.9/Makefile	2004-09-02 08:15:02.754586679 -0400
> > @@ -147,6 +147,7 @@
> >  	@grep -v "^/root" $@.tmp > $@.root
> >  	@/usr/sbin/genhomedircon . $@.root  > $@
> >  	@grep "^/root" $@.tmp >> $@
> > +	@for i in /proc/ide/hd*/media; do grep -q cdrom $$i && echo $$i | awk -F / '{ print "/dev/"$$4"\t-b\tsystem_u:object_r:removable_device_t"}' >> $@ || true; done 
> >  	@-rm $@.tmp $@.root
> >  
> >  clean:
> 
> Requires that the policy be rebuilt on every machine, as it depends on
> local /proc information.
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Latest Patches

[Russell Coker]

On Thu, 2 Sep 2004 22:46, Daniel J Walsh <dwalsh@redhat.com> wrote:
> Include some stuff from Russell,
> Critical patch for tmpfs to get udev on tmpfs working
>
> You sent me a note saying some patches conflict with other changes,
> please point those out so I can remove them.

The initrc patch removes my change to clean up the initrc_t definition.  
Having two definitions leads to bugs when people update only one of them (as 
was done with the unrestricted attribute change).

There should never be a printer_device_t:fifo_file entry, I removed it because 
there is no way for such a node to be created in enforcing mode.

The dovecot patch reverts my change to put the capabilities in numerical 
order.  I put them in order to improve readability.

In xserver_macros.te there's a ifdef(`redhat' when distro_redhat should be 
used.

We should probably avoid putting distro.tun into patch files that are 
distributed outside a distribution.  Leave all options commented for the CVS 
version.

Also the patch for tunable.tun is not something we want in the CVS.  I think 
that we want the CVS policy to have fairly restrictive settings for tunables.  
Apart from use_games I think that all the tunable changes in your patch 
should not be in the CVS.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Latest Patches

[Joshua Brindle]

Daniel J Walsh wrote:

> Include some stuff from Russell,
> Critical patch for tmpfs to get udev on tmpfs working
> 
> You sent me a note saying some patches conflict with other changes, 
> please point those out so I can remove them.
> 
> Dan
> 

Why are you submitting a patch to the list that turns on all these 
tunables? These should definately not be turned on in the sample policy!

Joshua Brindle

> diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.17.9/tunables/tunable.tun
> --- nsapolicy/tunables/tunable.tun	2004-08-27 14:44:11.000000000 -0400
> +++ policy-1.17.9/tunables/tunable.tun	2004-09-02 08:15:02.755586567 -0400
> @@ -5,50 +5,47 @@
>  dnl define(`user_net_control')
>  
>  # Allow users to execute the mount command
> -dnl define(`user_can_mount')
> +define(`user_can_mount')
>  
>  # Allow rpm to run unconfined.
> -dnl define(`unlimitedRPM')
> +define(`unlimitedRPM')
>  
>  # Allow privileged utilities like hotplug and insmod to run unconfined.
> -dnl define(`unlimitedUtils')
> +define(`unlimitedUtils')
>  
>  # Support NFS home directories
> -dnl define(`nfs_home_dirs')
> +define(`nfs_home_dirs')
>  
>  # Allow users to run games
> -dnl define(`use_games')
> +define(`use_games')
>  
>  # Allow ypbind to run with NIS
> -dnl define(`allow_ypbind')
> +define(`allow_ypbind')
>  
>  # Allow rc scripts to run unconfined, including any daemon
>  # started by an rc script that does not have a domain transition
>  # explicitly defined.
> -dnl define(`unlimitedRC')
> +define(`unlimitedRC')
>  
>  # Allow sysadm_t to directly start daemons
>  define(`direct_sysadm_daemon')
>  
>  # Do not audit things that we know to be broken but which
>  # are not security risks
> -dnl define(`hide_broken_symptoms')
> +define(`hide_broken_symptoms')
>  
>  # Allow sysadm_t to do almost everything
>  dnl define(`unrestricted_admin')
>  
>  # Allow the read/write/create on any NFS file system
> -dnl define(`nfs_export_all_rw')
> -
> -# Allow users to unrestricted access
> -dnl define(`unlimitedUsers')
> +define(`nfs_export_all_rw')
>  
>  # Allow the reading on any NFS file system
>  dnl define(`nfs_export_all_ro')
>  
>  # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
>  # Otherwise, only staff_r can do so.
> -dnl define(`user_canbe_sysadm')
> +define(`user_canbe_sysadm')
>  
>  # Allow xinetd to run unconfined, including any services it starts
>  # that do not have a domain transition explicitly defined.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Latest Patches

[Stephen Smalley]

On Thu, 2004-09-02 at 12:30, Joshua Brindle wrote:
> Why are you submitting a patch to the list that turns on all these 
> tunables? These should definately not be turned on in the sample policy!

Not an issue; we always omit diffs to tunables from merging.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Latest Patches

[Daniel J Walsh]

Joshua Brindle wrote:

> Daniel J Walsh wrote:
>
>> Include some stuff from Russell,
>> Critical patch for tmpfs to get udev on tmpfs working
>>
>> You sent me a note saying some patches conflict with other changes, 
>> please point those out so I can remove them.
>>
>> Dan
>>
>
> Why are you submitting a patch to the list that turns on all these 
> tunables? These should definately not be turned on in the sample policy!
>
> Joshua Brindle
>
I am just submitting the patch that is currently being applied to the 
Fedora package.  The tunables were always ignored in the past.
I suppose I could edit them but up to now they have not been a problem 
to ignore them.

Dan

>> diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun 
>> policy-1.17.9/tunables/tunable.tun
>> --- nsapolicy/tunables/tunable.tun    2004-08-27 14:44:11.000000000 
>> -0400
>> +++ policy-1.17.9/tunables/tunable.tun    2004-09-02 
>> 08:15:02.755586567 -0400
>> @@ -5,50 +5,47 @@
>>  dnl define(`user_net_control')
>>  
>>  # Allow users to execute the mount command
>> -dnl define(`user_can_mount')
>> +define(`user_can_mount')
>>  
>>  # Allow rpm to run unconfined.
>> -dnl define(`unlimitedRPM')
>> +define(`unlimitedRPM')
>>  
>>  # Allow privileged utilities like hotplug and insmod to run unconfined.
>> -dnl define(`unlimitedUtils')
>> +define(`unlimitedUtils')
>>  
>>  # Support NFS home directories
>> -dnl define(`nfs_home_dirs')
>> +define(`nfs_home_dirs')
>>  
>>  # Allow users to run games
>> -dnl define(`use_games')
>> +define(`use_games')
>>  
>>  # Allow ypbind to run with NIS
>> -dnl define(`allow_ypbind')
>> +define(`allow_ypbind')
>>  
>>  # Allow rc scripts to run unconfined, including any daemon
>>  # started by an rc script that does not have a domain transition
>>  # explicitly defined.
>> -dnl define(`unlimitedRC')
>> +define(`unlimitedRC')
>>  
>>  # Allow sysadm_t to directly start daemons
>>  define(`direct_sysadm_daemon')
>>  
>>  # Do not audit things that we know to be broken but which
>>  # are not security risks
>> -dnl define(`hide_broken_symptoms')
>> +define(`hide_broken_symptoms')
>>  
>>  # Allow sysadm_t to do almost everything
>>  dnl define(`unrestricted_admin')
>>  
>>  # Allow the read/write/create on any NFS file system
>> -dnl define(`nfs_export_all_rw')
>> -
>> -# Allow users to unrestricted access
>> -dnl define(`unlimitedUsers')
>> +define(`nfs_export_all_rw')
>>  
>>  # Allow the reading on any NFS file system
>>  dnl define(`nfs_export_all_ro')
>>  
>>  # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
>>  # Otherwise, only staff_r can do so.
>> -dnl define(`user_canbe_sysadm')
>> +define(`user_canbe_sysadm')
>>  
>>  # Allow xinetd to run unconfined, including any services it starts
>>  # that do not have a domain transition explicitly defined.
>
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.