* More policy changes from Debian
@ 2006-09-13 14:18 Erich Schubert
From: Erich Schubert @ 2006-09-13 14:18 UTC (permalink / raw)
  To: selinux; +Cc: Christopher J. PeBenito

[-- Attachment #1: Type: text/plain, Size: 682 bytes --]

Attached are three more diffs.
- moving logcheck from logrotate policy to logwatch. Seems more
appropriate.
Since logcheck runs as user logcheck, cron will search the home
directory.
I don't want cron to search the logrotate dirs.
- apt needs getattr_all_fs, to check for free disk space.
- sxid wants to read the /etc/localtime symlink. I guess access to /etc
is okay.

best regards,
Erich Schubert
-- 
   erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
    The infinite! No other question has ever moved so profoundly    //\
                the spirit of man. --- David Hilbert                V_/_
      Ein Freund ist ein Geschenk, das man sich selbst macht.

[-- Attachment #2: apt-getattr-fs --]
[-- Type: text/plain, Size: 435 bytes --]

# Needed to check for free disk space.
Index: policy/modules/admin/apt.te
===================================================================
--- policy/modules/admin/apt.te	(Revision 245)
+++ policy/modules/admin/apt.te	(Revision 246)
@@ -97,7 +97,7 @@
 files_read_etc_files(apt_t)
 files_read_etc_runtime_files(apt_t)
 
-fs_dontaudit_getattr_all_fs(apt_t)
+fs_getattr_all_fs(apt_t)
 
 term_list_ptys(apt_t)
 term_use_all_terms(apt_t)
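Review bot: replacing fs_dontaudit_getattr_all_fs with fs_getattr_all_fs turns a silenced denial into a real grant of getattr (statfs) on every filesystem type. That is the usual way to let a domain check free space, and statfs exposes only size and usage counters, so the widening is acceptable, but the only justification is the attachment preamble ("Needed to check for free diskspace"); add a one-line comment above `fs_getattr_all_fs(apt_t)` in apt.te so the reason survives the merge.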

[-- Attachment #3: logcheck --]
[-- Type: text/plain, Size: 4202 bytes --]

# logcheck is more like logwatch than logrotate.
# cron needs to be able to getattr the logcheck home dir.
Index: policy/modules/services/cron.te
===================================================================
--- policy/modules/services/cron.te	(Revision 242)
+++ policy/modules/services/cron.te	(Arbeitskopie)
@@ -191,6 +191,13 @@
 	hal_dbus_send(crond_t)
 ')
 
+ifdef(`distro_debian', `
+	optional_policy(`
+		# Debian logcheck has the home dir set to its cache
+		logwatch_search_cache_dir(crond_t)
+	')
+')
+
 optional_policy(`
 	# cjp: why?
 	munin_search_lib(crond_t)
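Review bot: this block calls logwatch_search_cache_dir(), an interface introduced by the logwatch.if change in the same series, so that change must be applied with or before this one or the cron module fails to build with an undefined macro; optional_policy only guards against the logwatch module being absent at link time, not against a missing interface. The comment explaining why cron touches the cache dir is good; stating that only directory search is granted would discourage someone later widening it to read.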
Index: policy/modules/admin/logwatch.te
===================================================================
--- policy/modules/admin/logwatch.te	(Revision 242)
+++ policy/modules/admin/logwatch.te	(Arbeitskopie)
@@ -15,6 +15,9 @@
 type logwatch_cache_t;
 files_type(logwatch_cache_t)
 
+type logwatch_lock_t;
+files_lock_file(logwatch_lock_t)
+
 type logwatch_tmp_t;
 files_tmp_file(logwatch_tmp_t)
 
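Review bot: logwatch_lock_t is declared here without saying whose lock it is, and the logwatch.fc change in this series applies it to /var/log/logcheck/.+ rather than to anything under /var/lock, which is unexpected for a files_lock_file() type. A comment such as `# lock file used by Debian logcheck` above the declaration would make the intent reviewable, and the follow-up about whether logrotate_lock_t is still needed belongs next to it.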
@@ -27,6 +30,8 @@
 allow logwatch_t self:fifo_file rw_file_perms;
 allow logwatch_t self:unix_stream_socket create_stream_socket_perms;
 
+allow logwatch_t self:process signal;
+
 allow logwatch_t logwatch_cache_t:dir create_dir_perms;
 allow logwatch_t logwatch_cache_t:file create_file_perms;
 
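Review bot: `allow logwatch_t self:process signal;` is the one addition in this file with no comment. Say which behaviour needs it (for example logcheck signalling a child it spawned), and check the audit message for the exact permission: `signal` covers every signal other than the separately named sigkill, sigstop, sigchld and signull, so if the denial was only sigchld or signull, grant that instead.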
@@ -34,6 +39,9 @@
 allow logwatch_t logwatch_tmp_t:file create_file_perms;
 files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir })
 
+allow logwatch_t logwatch_lock_t:file create_file_perms;
+files_lock_filetrans(logwatch_t,logwatch_lock_t,file)
+
 kernel_read_fs_sysctls(logwatch_t)
 kernel_read_kernel_sysctls(logwatch_t)
 kernel_read_system_state(logwatch_t)
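Review bot: files_lock_filetrans() only relabels files created in the lock directory (var_lock_t), but the file this series labels logwatch_lock_t lives under /var/log/logcheck, so a lock logcheck creates there will not receive logwatch_lock_t from this rule and will inherit the parent directory's type instead. Either add a transition for the log directory (logging_log_filetrans(logwatch_t, logwatch_lock_t, file)) or confirm the lock really is created under /var/lock. Style nit: the rest of the file puts spaces after argument commas, as in `files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir })`.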
@@ -41,7 +49,9 @@
 corecmd_read_sbin_symlinks(logwatch_t)
 corecmd_read_sbin_files(logwatch_t)
 corecmd_exec_bin(logwatch_t)
+corecmd_exec_sbin(logwatch_t)
 corecmd_exec_shell(logwatch_t)
+corecmd_exec_ls(logwatch_t)
 
 dev_read_urand(logwatch_t)
 
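Review bot: corecmd_exec_sbin() and corecmd_exec_ls() run those binaries inside logwatch_t with no domain transition; that is fine for ls, but corecmd_exec_sbin covers every sbin_t program. A comment naming the helper logcheck actually executes would let a later reviewer decide whether a narrower interface, or a transition to the helper's own domain, is the better fix.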
@@ -109,5 +119,9 @@
 ')
 
 optional_policy(`
+	hostname_exec(logwatch_t)
+')
+
+optional_policy(`
 	samba_read_log(logwatch_t)
 ')
Index: policy/modules/admin/logwatch.if
===================================================================
--- policy/modules/admin/logwatch.if	(Revision 242)
+++ policy/modules/admin/logwatch.if	(Arbeitskopie)
@@ -18,3 +18,21 @@
 	files_search_tmp($1)
 	allow $1 logwatch_tmp_t:file r_file_perms;
 ')
+
+########################################
+## <summary>
+##	Search logwatch cache directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logwatch_search_cache_dir',`
+	gen_require(`
+		type logwatch_cache_t;
+	')
+
+	allow $1 logwatch_cache_t:dir search;
+')
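Review bot: the attachment preamble says cron needs to getattr the logcheck home dir, but this interface grants only dir:search, so if the audited denial was getattr, crond_t will still be denied. If both are needed, use `allow $1 logwatch_cache_t:dir search_dir_perms;` (getattr plus search) and update the summary to match. The doc block follows the file's existing format, so nothing else to flag.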
Index: policy/modules/admin/logrotate.fc
===================================================================
--- policy/modules/admin/logrotate.fc	(Revision 242)
+++ policy/modules/admin/logrotate.fc	(Arbeitskopie)
@@ -1,13 +1,7 @@
 /etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0)
 
-/usr/sbin/logcheck	--	gen_context(system_u:object_r:logrotate_exec_t,s0)
 /usr/sbin/logrotate	--	gen_context(system_u:object_r:logrotate_exec_t,s0)
 
-/var/lib/logcheck(/.*)?		gen_context(system_u:object_r:logrotate_var_lib_t,s0)
-
-# using a hard-coded name under /var/tmp is a bug - new version fixes it
-/var/tmp/logcheck	-d	gen_context(system_u:object_r:logrotate_tmp_t,s0)
-
 ifdef(`distro_debian', `
 /usr/bin/savelog	--	gen_context(system_u:object_r:logrotate_exec_t,s0)
 /var/lib/logrotate(/.*)?	gen_context(system_u:object_r:logrotate_var_lib_t,s0)
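Review bot: dropping the `/var/tmp/logcheck -d` entry together with its bug note is correct now that logcheck runs as logwatch_t, because files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir }) in logwatch.te will label a directory logcheck creates under /var/tmp as logwatch_tmp_t. The one thing to call out for packagers is that a leftover /var/tmp/logcheck still labelled logrotate_tmp_t on an upgraded system must be relabelled (restorecon), or logwatch_t will be denied on it.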
Index: policy/modules/admin/logwatch.fc
===================================================================
--- policy/modules/admin/logwatch.fc	(Revision 242)
+++ policy/modules/admin/logwatch.fc	(Arbeitskopie)
@@ -1,3 +1,4 @@
+/usr/sbin/logcheck	--	gen_context(system_u:object_r:logwatch_exec_t,s0)
 
 /usr/share/logwatch/scripts/logwatch\.pl	--	gen_context(system_u:object_r:logwatch_exec_t, s0)
 
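Review bot: labelling /usr/sbin/logcheck as logwatch_exec_t makes logcheck a second entry point into logwatch_t, so every rule in logwatch.te now applies to logcheck as well; that is the intent of the move, but since the name does not obviously belong to logwatch, a short comment above the entry (for example `# Debian logcheck`) would save the next reader a trip through the mailing list.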
@@ -2 +3,3 @@
 /var/cache/logwatch(/.*)?			gen_context(system_u:object_r:logwatch_cache_t, s0)
+/var/lib/logcheck(/.*)?		gen_context(system_u:object_r:logwatch_cache_t,s0)
+/var/log/logcheck/.+	--	gen_context(system_u:object_r:logwatch_lock_t,s0)
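Review bot: `/var/log/logcheck/.+ -- ... logwatch_lock_t` places a lock-file type under /var/log, while the files_lock_filetrans() added in logwatch.te only transitions creations under /var/lock, so this label only takes effect at relabel time. Because the pattern is `.+` with `--`, the /var/log/logcheck directory itself stays var_log_t, which means logwatch_t also needs permission to create files in a var_log_t directory, and this series does not add that; a logging_log_filetrans() for logwatch_lock_t would cover both. The /var/lib/logcheck entry as logwatch_cache_t matches the cron.te comment that Debian uses the cache dir as logcheck's home, so that part is consistent.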

[-- Attachment #4: sxid-tweak --]
[-- Type: text/plain, Size: 446 bytes --]

# just for /etc/localtime symlink, but I mean... it's just etc_t
Index: policy/modules/admin/sxid.te
===================================================================
--- policy/modules/admin/sxid.te	(Revision 246)
+++ policy/modules/admin/sxid.te	(Revision 247)
@@ -57,6 +57,7 @@
 
 domain_use_interactive_fds(sxid_t)
 
+files_read_etc_files(sxid_t)
 files_list_all(sxid_t)
 files_getattr_all_symlinks(sxid_t)
 files_getattr_all_pipes(sxid_t)
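Review bot: files_read_etc_files(sxid_t) grants read on every etc_t file and directory to satisfy a single symlink. The narrower fix, which the thread settles on, is to add the missing etc_t:lnk_file read to miscfiles_read_localization(), the interface meant to cover /etc/localtime, and drop this line; leaving the broad rule in lets sxid read configuration it has no need for.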


* Re: More policy changes from Debian
@ 2006-09-13 17:21 ` Uwe Hermann
From: Uwe Hermann @ 2006-09-13 17:21 UTC (permalink / raw)
  To: selinux

[-- Attachment #1: Type: text/plain, Size: 648 bytes --]

Hi,

On Wed, Sep 13, 2006 at 04:18:18PM +0200, Erich Schubert wrote:
> # just for /etc/localtime symlink, but I mean... it's just etc_t
[...]  
> +files_read_etc_files(sxid_t)

I'm pretty new to SELinux, so maybe I'm wrong, but isn't the general goal
of SELinux + refpolicy to implement the strictest possible ruleset
by default wherever possible? If yes, I'd rather explicitly only
allow access to that single file, rather than all of /etc.


Uwe.
-- 
Uwe Hermann 
http://www.hermann-uwe.de
http://www.it-services-uh.de  | http://www.crazy-hacks.org 
http://www.holsham-traders.de | http://www.unmaintained-free-software.org



* Re: More policy changes from Debian
@ 2006-09-13 18:17   ` Christopher J. PeBenito
From: Christopher J. PeBenito @ 2006-09-13 18:17 UTC (permalink / raw)
  To: Uwe Hermann; +Cc: selinux

On Wed, 2006-09-13 at 19:21 +0200, Uwe Hermann wrote:
> On Wed, Sep 13, 2006 at 04:18:18PM +0200, Erich Schubert wrote:
> > # just for /etc/localtime symlink, but I mean... it's just etc_t
> [...]  
> > +files_read_etc_files(sxid_t)
> 
> I'm pretty new to SELinux, so maybe I'm wrong, but isn't the general goal
> of SELinux + refpolicy to implement the strictest possible ruleset
> by default wherever possible? If yes, I'd rather explicitly only
> allow access to that single file, rather than all of /etc.

Agreed.  The correct thing to do in this case was to fix
miscfiles_read_localization(), as it was missing the etc_t:lnk_file
read.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: More policy changes from Debian
@ 2006-09-13 18:45 ` Christopher J. PeBenito
From: Christopher J. PeBenito @ 2006-09-13 18:45 UTC (permalink / raw)
  To: Erich Schubert; +Cc: selinux

On Wed, 2006-09-13 at 16:18 +0200, Erich Schubert wrote:
> Attached are three more diffs.
> - moving logcheck from logrotate policy to logwatch. Seems more
> appropriate. Since logcheck runs as user logcheck, cron will search
> the home directory.  I don't want cron to search the logrotate dirs.

Merged.

- moved up the cron.te change.
- rearranged the additions to logwatch.te a little.

One thing that needs to be investigated is the logrotate_lock_t type.
Since you added logcheck_lock_t, my guess is that logrotate_lock_t can
be removed.

> - apt needs getattr_all_fs, to check for free diskspace.

Merged.

> - sxid wants to read the /etc/localtime symlink. I guess access
> to /etc is okay.

Fixed miscfiles_read_localization() instead.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


