* log_domain macro
From: Yuichi Nakamura @ 2003-12-15 10:02 UTC (permalink / raw)
To: selinux; +Cc: ynakam
In the log_domain macro,
file_type_auto_trans($1_t, var_log_t, $1_log_t, file)
is described.
By file_type_auto_trans, $1_t can write (unlink) $1_log_t.
If attackers obtain the domain where the log_domain macro is used,
attackers can erase the log file.
Many daemons only need append permission to log files.
I think a macro such as the following is necessary.
define(`append_log_domain', `
type $1_log_t, file_type, sysadmfile, logfile;
allow $1_t var_log_t:dir rw_dir_perms;
allow $1_t $1_log_t:file { create ra_file_perms };
type_transition $1_t var_log_t:file $1_log_t;
')
--
Yuichi Nakamura
Hitachi Software Engineering Co.,Ltd.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: log_domain macro
From: Stephen Smalley @ 2003-12-15 15:45 UTC (permalink / raw)
To: Yuichi Nakamura; +Cc: selinux, Russell Coker, Howard Holm
On Mon, 2003-12-15 at 05:02, Yuichi Nakamura wrote:
> In log_domain macro,
> file_type_auto_trans($1_t, var_log_t, $1_log_t, file)
> is described.
>
> By file_type_auto_trans, $1_t can write(unlink) $1_log_t.
>
> If attackers obtains the domain where log_domain macro is used,
> attackers can erase log file.
>
> Many daemons only need append permission to log files.
> I think macro such as following is necessary.
>
> define(`append_log_domain', `
> type $1_log_t, file_type, sysadmfile, logfile;
> allow $1_t var_log_t:dir rw_dir_perms;
> allow $1_t $1_log_t:file { create ra_file_perms };
> type_transition $1_t var_log_t:file $1_log_t;
> ')
This sounds reasonable. Note that there is a create_append_log_file()
macro in core_macros.te that is used by syslogd_t and bootloader_t, but
it acts on an existing log type and does not include a type declaration
or type_transition rule.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
* Re: log_domain macro
2003-12-15 10:02 log_domain macro Yuichi Nakamura
2003-12-15 15:45 ` Stephen Smalley
@ 2003-12-15 15:54 ` Stephen Smalley
1 sibling, 0 replies; 12+ messages in thread
From: Stephen Smalley @ 2003-12-15 15:54 UTC (permalink / raw)
To: Yuichi Nakamura; +Cc: selinux, Russell Coker, Howard Holm
On Mon, 2003-12-15 at 05:02, Yuichi Nakamura wrote:
> Many daemons only need append permission to log files.
> I think macro such as following is necessary.
>
> define(`append_log_domain', `
> type $1_log_t, file_type, sysadmfile, logfile;
> allow $1_t var_log_t:dir rw_dir_perms;
> allow $1_t $1_log_t:file { create ra_file_perms };
> type_transition $1_t var_log_t:file $1_log_t;
BTW, you might want to reduce the directory permissions in the above
macro to ra_dir_perms, since there is no reason to allow the domain to
remove files from the directory in that case.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
* Re: log_domain macro
From: Yuichi Nakamura @ 2003-12-16 4:39 UTC (permalink / raw)
To: Stephen Smalley; +Cc: ynakam, selinux, russell, hdholm
Stephen Smalley <sds@epoch.ncsc.mil> wrote:
> > define(`append_log_domain', `
> > type $1_log_t, file_type, sysadmfile, logfile;
> > allow $1_t var_log_t:dir rw_dir_perms;
> > allow $1_t $1_log_t:file { create ra_file_perms };
> > type_transition $1_t var_log_t:file $1_log_t;
> BTW, you might want to reduce the directory permissions in the above
> macro to ra_dir_perms, since there is no reason to allow the domain to
> remove files from the directory in that case.
As you say, "remove_name" granted by rw_dir_perms is not necessary.
So the following is better.
define(`append_log_domain', `
type $1_log_t, file_type, sysadmfile, logfile;
allow $1_t var_log_t:dir ra_dir_perms;
allow $1_t $1_log_t:file { create ra_file_perms };
type_transition $1_t var_log_t:file $1_log_t;
')
> Note that there is a create_append_log_file() macro in core_macros.te
> that is used by syslogd_t and bootloader_t,
In apache.te the logdir_domain macro is used,
but create_append_log_file will be preferred,
because in FedoraCore1 apache creates log files in its own directory (/var/log/httpd/).
The append_log_domain macro will be useful when a daemon creates its own log file in /var/log/.
----
Yuichi Nakamura
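Added example, not code from the thread or the SELinux policy tree: a small Python checker that expands the log_domain and append_log_domain macros as they appear in the thread (the first message, Stephen Smalley's ra_dir_perms suggestion and the final version above) and reports whether a domain keeps the ability to truncate or unlink its own logs. The contents of the permission-set macros and the body of file_type_auto_trans are constructed, simplified stand-ins for the real core_macros.te definitions and are assumptions of this example.

```python
"""Static check of the append-only log property debated in this thread.
Added example, not code from the thread or the SELinux policy tree. The
permission sets and the file_type_auto_trans body are constructed, simplified
stand-ins for the real macros/core_macros.te definitions (an assumption).
"""
import re

PERM_SETS = {  # constructed approximations of the core_macros.te sets
    "ra_dir_perms": {"read", "getattr", "lock", "search", "ioctl", "add_name", "write"},
    "rw_dir_perms": {"read", "getattr", "lock", "search", "ioctl", "add_name",
                     "write", "remove_name"},
    "ra_file_perms": {"read", "getattr", "lock", "ioctl", "append"},
    "create_file_perms": {"create", "read", "getattr", "lock", "ioctl", "write",
                          "append", "setattr", "link", "unlink", "rename"},
}
# m4-style bodies: log_domain and append_log_domain as posted in the thread;
# file_type_auto_trans modelled as the rights the thread says it grants.
MACROS = {
    "file_type_auto_trans": """
        allow $1 $2:dir rw_dir_perms;
        allow $1 $3:$4 create_file_perms;
        type_transition $1 $2:$4 $3;""",
    "log_domain": """
        type $1_log_t, file_type, sysadmfile, logfile;
        file_type_auto_trans($1_t, var_log_t, $1_log_t, file)""",
    "append_log_domain": """
        type $1_log_t, file_type, sysadmfile, logfile;
        allow $1_t var_log_t:dir ra_dir_perms;
        allow $1_t $1_log_t:file { create ra_file_perms };
        type_transition $1_t var_log_t:file $1_log_t;""",
}

CALL_RE = re.compile(r"^(\w+)\((.*)\)$")
ALLOW_RE = re.compile(r"^allow (\S+) (\S+):(\S+) (?:\{([^}]*)\}|(\S+));$")


def expand(text):
    """Expand macro calls recursively, substituting $1..$n like m4 would."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        m = CALL_RE.match(line)
        if m and m.group(1) in MACROS:
            body = MACROS[m.group(1)]
            for i, arg in enumerate(m.group(2).split(","), 1):
                body = body.replace(f"${i}", arg.strip())
            out.extend(expand(body))
        elif line:
            out.append(line)
    return out


def effective_perms(rules, src, tgt, cls):
    """Union of the permissions all allow rules grant for (src, tgt, cls)."""
    perms = set()
    for line in rules:
        m = ALLOW_RE.match(line)
        if m and (m.group(1), m.group(2), m.group(3)) == (src, tgt, cls):
            for tok in (m.group(4) or m.group(5)).split():
                perms |= PERM_SETS.get(tok, {tok})
    return perms


def can_erase_logs(macro, domain):
    """True if the domain could truncate/unlink its logs or remove /var/log names."""
    rules = expand(f"{macro}({domain})")
    file_perms = effective_perms(rules, f"{domain}_t", f"{domain}_log_t", "file")
    dir_perms = effective_perms(rules, f"{domain}_t", "var_log_t", "dir")
    return bool({"write", "unlink"} & file_perms) or "remove_name" in dir_perms


if __name__ == "__main__":
    for macro in ("log_domain", "append_log_domain"):
        print(f"{macro}(httpd): can erase logs = {can_erase_logs(macro, 'httpd')}")
```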
* Apache on FedoraCore1(Was Re: log_domain macro)
From: Yuichi Nakamura @ 2003-12-19 10:50 UTC (permalink / raw)
To: Stephen Smalley, selinux; +Cc: ynakam, russell, hdholm, himainu_ynakam
I tested apache on FedoraCore1.
I found that some changes are needed.
I modified apache.te, apache.fc and global_macros.te as in the attached patches.
Here I list the important changes.
(1)
can_exec(httpd_t,bin_t) is described in apache.te.
I think it is not good, because "execute_no_trans" is granted.
Apache and CGI worked without execute_no_trans.
So, I replaced it by using rx_file_perms.
(2)
I tried not to grant write access of httpd_t to /etc/log/httpd.
I used the append_log_domain macro posted before.
In FedoraCore1,
it is better to modify the SSLMutex path defined in /etc/httpd/conf.d/ssl.conf like the following,
because a file is written on the SSLMutex path.
#SSLMutex file:logs/ssl_mutex
SSLMutex file:/var/cache/mod_ssl/ssl_mutex
(3)
I defined a new type krb5_conf_t for /etc/krb5.conf
because write access to /etc/krb5.conf was denied.
However, Apache worked when access to /etc/krb5.conf was denied.
So, "allow httpd_t krb5_conf_t:file rw_file_perms;" is commented out now.
On Wed, 17 Dec 2003 14:12:33 -0500
Stephen Smalley <sds@epoch.ncsc.mil> wrote:
> On Mon, 2003-12-15 at 23:39, Yuichi Nakamura wrote:
> > As you say, "remove_name" granted by rw_dir_perms is not necessary.
> > So the following is better.
> >
> > define(`append_log_domain', `
> > type $1_log_t, file_type, sysadmfile, logfile;
> > allow $1_t var_log_t:dir ra_dir_perms;
> > allow $1_t $1_log_t:file { create ra_file_perms };
> > type_transition $1_t var_log_t:file $1_log_t;
> > ')
> >
> > In apache.te logdir_domain macro is used,
> > but create_append_log_file will be prefered.
> > Because in FedoraCore1, apache create log files on its own directory(/var/log/httpd/).
> >
> > append_log_domain macro will be useful when a daemon creates its own log file on /var/log/.
>
> Ok. Care to submit a patch adding your macro and changing apache.te to
> use it (after testing your updated policy with apache on FC1, of
> course)?
>
---
Yuichi Nakamura
[-- Attachment #2: apache.te.patch --]
[-- Type: application/octet-stream, Size: 1977 bytes --]
--- policy.orig/domains/program/unused/apache.te 2003-12-06 10:01:57.000000000 +0900
+++ policy/domains/program/apache.te 2003-12-18 23:14:10.000000000 +0900
@@ -30,7 +30,18 @@
#
type httpd_config_t, file_type, sysadmfile;
-logdir_domain(httpd)
+#can create append-only logs under /var/log
+append_logdir_domain(httpd)
+#can read /etc/httpd/logs
+allow httpd_t httpd_log_t:lnk_file { read };
+
+#can write sslmutex file to /var/log/httpd
+#!!Notice:It is better not to grant write accesss to /var/log/httpd.
+#To comment out these,modify SSLMutex entry in /etc/httpd/conf.d/ssl.conf,like following
+#SSLMutex file:/var/cache/mod_ssl
+allow httpd_t httpd_log_t:dir { remove_name };
+allow httpd_t httpd_log_t:file { setattr unlink };
+
# For /etc/init.d/apache2 reload
can_tcp_connect(httpd_t, httpd_t)
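Review bot: the two rules `allow httpd_t httpd_log_t:dir { remove_name };` and `allow httpd_t httpd_log_t:file { setattr unlink };` hand back exactly the delete rights that replacing logdir_domain with append_logdir_domain was meant to take away, so for httpd the append-only guarantee only holds if the administrator also applies the ssl.conf change the comment mentions; either drop the two rules and ship the SSLMutex relocation with the policy, or mark them clearly as a temporary, optional grant. The comment also gives the path as `#SSLMutex file:/var/cache/mod_ssl` while the cover mail recommends `SSLMutex file:/var/cache/mod_ssl/ssl_mutex` (and apache.fc labels `/var/cache/mod_ssl(/.*)?`); make the comment match, and fix "accesss".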
@@ -99,11 +110,14 @@
')
uses_shlib(httpd_t)
+allow httpd_t lib_t:file { getattr read };
# execute perl
-can_exec(httpd_t, bin_t)
+allow httpd_t bin_t:file rx_file_perms;
+allow httpd_t bin_t:dir { search };
can_network(httpd_t)
+allow httpd_t httpd_t:netlink_socket { bind create getattr read write };
###################
# Allow httpd to search users diretories
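Review bot: `allow httpd_t httpd_t:netlink_socket { bind create getattr read write };` is added without a comment saying which Apache operation or module needs a netlink socket; a grant like that on a network-facing daemon should name what triggered it, or be left out until that is known. The `allow httpd_t lib_t:file { getattr read };` line directly after `uses_shlib(httpd_t)` also deserves a comment on what uses_shlib did not already cover, otherwise it reads as redundant.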
@@ -114,7 +128,7 @@
############################################################################
# Allow the httpd_t the capability to bind to a port and various other stuff
############################################################################
-allow httpd_t httpd_t:capability {chown net_bind_service setgid setuid kill dac_override dac_read_search };
+allow httpd_t httpd_t:capability {chown net_bind_service setgid setuid kill dac_override dac_read_search net_admin };
#################################################
# Allow the httpd_t to read the web servers config files
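Review bot: adding `net_admin` to the httpd_t capability set is a broad grant (it is the capability behind interface, routing and privileged socket-option administration) and the hunk gives no reason for it; if it came out of audit2allow together with the netlink_socket rule, identify the underlying operation first and drop the capability if Apache runs without it, as the cover mail reports for execute_no_trans.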
@@ -212,3 +226,7 @@
allow httpd_php_t mysqld_var_run_t:sock_file { write };
')
+# write /etc/krb5.conf
+type krb5_conf_t,file_type,sysadmfile;
+#allow httpd_t krb5_conf_t:file rw_file_perms;
+
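Review bot: the comment `# write /etc/krb5.conf` contradicts the rule under it, which is commented out, and once apache.fc labels the file krb5_conf_t, httpd_t has no rule at all on that type, so even the read the Kerberos library needs will be denied and audited. The minimal grant that matches the cover mail's observation is read plus a dontaudit of write, e.g. `allow httpd_t krb5_conf_t:file r_file_perms;` and `dontaudit httpd_t krb5_conf_t:file { write };`. Declaring `type krb5_conf_t` inside apache.te also ties a system-wide file's label to the Apache policy; it belongs in a shared types file.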
[-- Attachment #3: apache.fc.patch --]
[-- Type: application/octet-stream, Size: 1794 bytes --]
--- policy.orig/file_contexts/program/apache.fc 2003-12-06 10:01:57.000000000 +0900
+++ policy/file_contexts/program/apache.fc 2003-12-18 23:09:57.000000000 +0900
@@ -2,6 +2,7 @@
/home/[^/]+/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_user_content_t
/var/www -d system_u:object_r:httpd_sys_content_t
/var/www/html(/.*)? system_u:object_r:httpd_sys_content_t
+/var/www/error(/.*)? system_u:object_r:httpd_sys_content_t
/var/www/mrtg(/.*)? system_u:object_r:httpd_sys_content_t
/var/www/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t
/usr/lib/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t
@@ -10,12 +11,14 @@
/var/cache/httpd(/.*)? system_u:object_r:httpd_cache_t
/etc/httpd -d system_u:object_r:httpd_config_t
/etc/httpd/conf(/.*)? system_u:object_r:httpd_config_t
+/etc/httpd/conf\.d(/.*)? system_u:object_r:httpd_config_t
/etc/httpd/logs system_u:object_r:httpd_log_t
/etc/httpd/modules system_u:object_r:httpd_modules_t
/etc/apache(2)?(/.*)? system_u:object_r:httpd_config_t
/etc/vhosts -- system_u:object_r:httpd_config_t
/usr/lib/apache(/.*)? system_u:object_r:httpd_modules_t
/usr/lib/apache2/modules(/.*)? system_u:object_r:httpd_modules_t
+/usr/lib/httpd(/.*)? system_u:object_r:httpd_modules_t
/usr/sbin/httpd -- system_u:object_r:httpd_exec_t
/usr/sbin/apache(2)? -- system_u:object_r:httpd_exec_t
/usr/sbin/suexec -- system_u:object_r:httpd_suexec_exec_t
@@ -25,4 +28,7 @@
/var/log/apache(2)?(/.*)? system_u:object_r:httpd_log_t
/var/log/cgiwrap.log.* -- system_u:object_r:httpd_log_t
/var/cache/ssl.*\.sem -- system_u:object_r:httpd_cache_t
+/var/cache/mod_ssl(/.*)? system_u:object_r:httpd_cache_t
/var/run/apache(2)?.pid.* -- system_u:object_r:httpd_var_run_t
+/etc/krb5.conf system_u:object_r:krb5_conf_t
+
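Review bot: `+/etc/krb5.conf system_u:object_r:krb5_conf_t` is a regex like the other entries, so the dot should be escaped as `/etc/krb5\.conf` (compare `/var/cache/ssl.*\.sem` above), and since it labels a single regular file it should carry the `--` type flag used by `/var/run/apache(2)?.pid.*`. The trailing empty `+` line adds a stray blank line at end of file.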
[-- Attachment #4: global_macros.te.patch --]
[-- Type: application/octet-stream, Size: 700 bytes --]
--- policy.orig/macros/global_macros.te 2003-12-06 10:01:57.000000000 +0900
+++ policy/macros/global_macros.te 2003-12-18 23:16:57.000000000 +0900
@@ -365,6 +365,20 @@
allow $1_t $1_log_t:dir { setattr rw_dir_perms };
')
+
+define(`append_log_domain', `
+type $1_log_t, file_type, sysadmfile, logfile;
+allow $1_t var_log_t:dir ra_dir_perms;
+allow $1_t $1_log_t:file { create ra_file_perms };
+type_transition $1_t var_log_t:file $1_log_t;
+')
+
+define(`append_logdir_domain', `
+append_log_domain($1)
+allow $1_t $1_log_t:dir { setattr ra_dir_perms };
+')
+
+
define(`lock_domain', `
type $1_lock_t, file_type, sysadmfile, lockfile;
file_type_auto_trans($1_t, var_lock_t, $1_lock_t, file)
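Review bot: the new macros carry no comment stating their contract (the domain may create and append to its logs under /var/log but gets no write, unlink or remove_name), which is the only thing distinguishing them from the log_domain/logdir_domain pair next to them; a two-line comment above each `define` would stop a later edit from widening them back to rw perms. The `{ setattr ra_dir_perms }` in append_logdir_domain mirrors the `{ setattr rw_dir_perms }` of the context line above, so the difference is exactly the missing remove_name, as intended. The two blank `+` lines after append_logdir_domain should be one.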
* Re: Apache on FedoraCore1(Was Re: log_domain macro)
From: Kerry Thompson @ 2003-12-21 21:54 UTC (permalink / raw)
To: Yuichi Nakamura; +Cc: selinux
Yuichi Nakamura said:
> (3)
> I defined new type krb5_conf_t for /etc/krb5.conf
> because write access to /etc/krb5.conf was denied.
> However, Apache worked when access to /etc/krb5.conf is denied.
> So,"allow httpd_t krb5_conf_t:file rw_file_perms;" is commented out now.
>
PAM (and others) make calls to the kerberos library, which will always
open /etc/krb5.conf in r/w mode, even though no apps should be writing to
it. I suggest allowing read from all, and dontaudit for write.
Kerry
--
Kerry Thompson, CCNA CISSP
Information Systems Security Consultant
http://www.crypt.gen.nz kerry@crypt.gen.nz
* Re: Apache on FedoraCore1(Was Re: log_domain macro)
From: Joerg Hoh @ 2003-12-21 22:49 UTC (permalink / raw)
To: selinux
On Mon, Dec 22, 2003 at 10:54:07AM +1300, Kerry Thompson wrote:
>
> PAM ( and others ) make calls to the kerberos library which will always
> open /etc/krb5.conf in r/w mode, even though no apps should be writing to
> it. I suggest allowing read from all, and dontaudit for write.
But the long-term solution would be to check why kerberos wants to have write
access to that file (and change it to read-only, if it isn't necessary at
all).
Joerg
--
Technical terms of computer science (No. 293): Halting problem
- One shows that a problem is unsolvable in the general case, and then
refuses to solve the most important, practically relevant cases.
Florian Weimer
* Re: Apache on FedoraCore1(Was Re: log_domain macro)
From: Daniel J Walsh @ 2003-12-22 12:57 UTC (permalink / raw)
To: Joerg Hoh; +Cc: selinux
Joerg Hoh wrote:
>On Mon, Dec 22, 2003 at 10:54:07AM +1300, Kerry Thompson wrote:
>>PAM ( and others ) make calls to the kerberos library which will always
>>open /etc/krb5.conf in r/w mode, even though no apps should be writing to
>>it. I suggest allowing read from all, and dontaudit for write.
>
>But the longterm solution would be to check why kerberos wants to have write
>access to that file (and change it to read-only, if it isn't necessary at
>all).
>
>Joerg
Kerberos has a sort of getstatusinfo call that it uses for all its
configuration files. It basically loads up an information structure that
allows it to make decisions on a file. Included in this information is
whether the file is writable. So the Kerberos library does an
access(filename,W_OK) on the file it is investigating. I believe all of
kerberos should have a security policy written on it, since some of the
config files are as important as /etc/passwd, shadow. If I can somehow
get the system to trust a different kerberos server then I can gain
access to the machine and wreak havoc.
Dan
* Re: Apache on FedoraCore1(Was Re: log_domain macro)
From: Yuichi Nakamura @ 2003-12-23 0:01 UTC (permalink / raw)
To: selinux
Daniel J Walsh <dwalsh@redhat.com> wrote:
> >On Mon, Dec 22, 2003 at 10:54:07AM +1300, Kerry Thompson wrote:
> >>PAM ( and others ) make calls to the kerberos library which will always
> >>open /etc/krb5.conf in r/w mode, even though no apps should be writing to
> >>it. I suggest allowing read from all, and dontaudit for write.
> Kerberos has a sort of getstatusinfo call that it uses for all its
> configuration files. It basically loads up a information structure that
> allows it to make decistions on a file. Included in this information is
> whether the file is writable. So the Kerberos library does an
> access(filename,W_OK) on the file it is investigating.
I didn't know about such behavior of kerberos.
I added "dontaudit httpd_t krb5_conf_t:file { write };" in apache.te.
To add "neverallow ~{ admin } krb5_conf_t:file { write }" might be better.
---
Yuichi Nakamura
[-- Attachment #2: apache.te.patch --]
[-- Type: application/octet-stream, Size: 2094 bytes --]
--- policy.orig/domains/program/unused/apache.te 2003-12-06 10:01:57.000000000 +0900
+++ policy/domains/program/unused/apache.te 2003-12-22 09:23:39.000000000 +0900
@@ -30,7 +30,18 @@
#
type httpd_config_t, file_type, sysadmfile;
-logdir_domain(httpd)
+#can create append-only logs under /var/log
+append_logdir_domain(httpd)
+#can read /etc/httpd/logs
+allow httpd_t httpd_log_t:lnk_file { read };
+
+#can write sslmutex file to /var/log/httpd
+#!!Notice:It is better not to grant write accesss to /var/log/httpd.
+#To comment out these,modify SSLMutex entry in /etc/httpd/conf.d/ssl.conf,like following
+#SSLMutex file:/var/cache/mod_ssl
+allow httpd_t httpd_log_t:dir { remove_name };
+allow httpd_t httpd_log_t:file { setattr unlink };
+
# For /etc/init.d/apache2 reload
can_tcp_connect(httpd_t, httpd_t)
@@ -99,11 +110,14 @@
')
uses_shlib(httpd_t)
+allow httpd_t lib_t:file { getattr read };
# execute perl
-can_exec(httpd_t, bin_t)
+allow httpd_t bin_t:file rx_file_perms;
+allow httpd_t bin_t:dir { search };
can_network(httpd_t)
+allow httpd_t httpd_t:netlink_socket { bind create getattr read write };
###################
# Allow httpd to search users diretories
@@ -114,7 +128,7 @@
############################################################################
# Allow the httpd_t the capability to bind to a port and various other stuff
############################################################################
-allow httpd_t httpd_t:capability {chown net_bind_service setgid setuid kill dac_override dac_read_search };
+allow httpd_t httpd_t:capability {chown net_bind_service setgid setuid kill dac_override dac_read_search net_admin };
#################################################
# Allow the httpd_t to read the web servers config files
@@ -212,3 +226,8 @@
allow httpd_php_t mysqld_var_run_t:sock_file { write };
')
+# read /etc/krb5.conf
+type krb5_conf_t,file_type,sysadmfile;
+allow httpd_t krb5_conf_t:file r_file_perms;
+# Apache opens krb5.conf in r/w mode, but it don't write krb5.conf
+dontaudit httpd_t krb5_conf_t:file { write };
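Review bot: the `type krb5_conf_t,file_type,sysadmfile;` declaration still lives in apache.te although /etc/krb5.conf is read by every Kerberos client on the host; move it (together with the apache.fc entry) to a shared types/file_contexts file so the label does not depend on the Apache module being loaded. The `r_file_perms` allow plus `dontaudit httpd_t krb5_conf_t:file { write };` pair matches the access(W_OK) behaviour described earlier in the thread; the comment should read "but it does not write krb5.conf".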
* Re: Apache on FedoraCore1(Was Re: log_domain macro)
From: Russell Coker @ 2003-12-23 3:38 UTC (permalink / raw)
To: Yuichi Nakamura, selinux
On Tue, 23 Dec 2003 11:01, Yuichi Nakamura <himainu_ynakam@yahoo.co.jp> wrote:
I have added most of your patches to my tree, however I moved the type
definition for the /etc/krb5.conf file to file.fc and types.fc (most people
who use Kerberos won't use Apache on all servers). We probably should make a
separate kerberos_client.te file or something. But for the moment I've stuck
the allow and dontaudit rules in apache.te (it's easy to change them later).
allow httpd_t httpd_t:netlink_socket { bind create getattr read write };
What is the reason for the above?
I've put a new policy archive on http://www.coker.com.au/selinux/policy.tgz
which contains this and some other changes (including some resulting from
apparent differences between 2.6.0-test11 and 2.6.0 kernels).
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
* Re: Apache on FedoraCore1(Was Re: log_domain macro)
From: Yuichi Nakamura @ 2003-12-23 9:45 UTC (permalink / raw)
To: russell; +Cc: himainu_ynakam, selinux
On Tue, 23 Dec 2003 14:38:59 +1100
Russell Coker <russell@coker.com.au> wrote:
> allow httpd_t httpd_t:netlink_socket { bind create getattr read write };
> What is the reason for the above?
It was added by using audit2allow.
Apache seems to work without it,
but in some cases these permissions may be required.
I don't know whether Apache really requires these permissions.
------
Yuichi Nakamura
* Re: Apache on FedoraCore1(Was Re: log_domain macro)
From: Russell Coker @ 2003-12-23 9:45 UTC (permalink / raw)
To: Yuichi Nakamura; +Cc: himainu_ynakam, selinux
On Tue, 23 Dec 2003 20:45, Yuichi Nakamura <himainu_ynakam@yahoo.co.jp> wrote:
> Russell Coker <russell@coker.com.au> wrote:
> > allow httpd_t httpd_t:netlink_socket { bind create getattr read write };
> > What is the reason for the above?
>
> It is added by using audit2allow.
> Apache seems to work without it,
> but in some case these permissions may be required.
> I don't know whether Apache really requires these permissions.
Until we know why Apache does that I will leave it out of my tree. I suspect
that you have some Apache module loaded which does it.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page