* [patch] fix /var/run/console bits
@ 2004-08-04  2:01 Colin Walters
  2004-08-04  9:30 ` Luke Kenneth Casson Leighton
  2004-08-04 10:07 ` Russell Coker
  0 siblings, 2 replies; 7+ messages in thread
From: Colin Walters @ 2004-08-04  2:01 UTC (permalink / raw)
  To: rcoker, dwalsh; +Cc: selinux


[-- Attachment #1.1: Type: text/plain, Size: 773 bytes --]

Hi,

Currently /var/run/console is labeled as xdm_var_run_t, which is totally
wrong, since it's actually owned by pam_console.  I noticed this while I
was trying to work on the D-BUS policy, which recently gained console
user authentication.

Attached is a patch which creates a new type for it, grants the
requisite permissions to login and xdm.  I still think we need a nicer
way of mapping the PAM permissions in policy.  The only reason that
login and xdm are granted these permissions is because they happen to
ship with pam_console in their PAM stack on Fedora, presumably.  (IIRC
Debian doesn't use pam_console).

But this patch should work better in the short term at least; if it's
accepted I'll post a little patch to update dbusd.te too.





[-- Attachment #1.2: console-policy.patch --]
[-- Type: text/x-patch, Size: 3059 bytes --]

--- policy-1.15.11/file_contexts/program/pam.fc~	2004-07-31 06:22:37.000000000 -0400
+++ policy-1.15.11/file_contexts/program/pam.fc	2004-08-03 20:44:39.117905464 -0400
@@ -1,3 +1,4 @@
 /var/run/sudo(/.*)?			system_u:object_r:pam_var_run_t
+/var/run/console.*			system_u:object_r:pam_var_console_t
 /sbin/pam_timestamp_check	 --	system_u:object_r:pam_exec_t
 /lib(64)?/security/pam_krb5/pam_krb5_storetmp -- system_u:object_r:pam_exec_t
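Review bot: The added entry `/var/run/console.*` has no path-component boundary, so it matches any name under /var/run that merely begins with `console`, while the context line above it uses the `(/.*)?` form for /var/run/sudo. Suggest `/var/run/console(/.*)?` for the directory tree, plus a separate explicit entry for the lock file if it has to stay outside that directory.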
--- policy-1.15.11/file_contexts/program/xdm.fc~	2004-07-31 06:22:37.000000000 -0400
+++ policy-1.15.11/file_contexts/program/xdm.fc	2004-08-03 18:22:22.181717032 -0400
@@ -16,7 +16,6 @@
 /etc/X11/[wx]dm/Xsession	--	system_u:object_r:xsession_exec_t
 /etc/kde/kdm/Xsession	--	system_u:object_r:xsession_exec_t
 /var/run/xdmctl(/.*)?		system_u:object_r:xdm_var_run_t
-/var/run/console.*		system_u:object_r:xdm_var_run_t
 /var/lib/[xkw]dm(/.*)?		system_u:object_r:xdm_var_lib_t
 /usr/lib/qt-3.3/etc/settings/qtrc(/.*)? system_u:object_r:xdm_var_lib_t
 
--- policy-1.15.11/domains/program/unused/xdm.te~	2004-07-31 06:22:37.000000000 -0400
+++ policy-1.15.11/domains/program/unused/xdm.te	2004-08-03 21:54:42.650871320 -0400
@@ -291,6 +291,9 @@
 allow xdm_t pam_var_run_t:file create_file_perms;
 allow pam_t xdm_t:fifo_file { getattr ioctl write };
 can_exec(xdm_t, pam_exec_t)
+# For pam_console
+rw_dir_create_file(xdm_t, var_run_t)
+rw_dir_create_file(xdm_t, pam_var_console_t)
 ')
 
 allow xdm_t var_log_t:file { read };
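Review bot: `rw_dir_create_file(xdm_t, var_run_t)` gives xdm_t create and write access to files of the generic var_run_t type, which is wider than the pam_console use named in the comment. Nothing in this patch adds a type transition, so a file xdm_t creates directly in a var_run_t directory keeps var_run_t until it is relabeled, whatever the new pam.fc entry says. Suggest limiting the var_run_t grant to what is needed to add a directory entry and pairing it with an automatic transition to pam_var_console_t.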
--- policy-1.15.11/domains/program/unused/pam.te~	2004-07-31 06:22:37.000000000 -0400
+++ policy-1.15.11/domains/program/unused/pam.te	2004-08-03 20:44:54.704535936 -0400
@@ -10,6 +10,8 @@
 allow pam_t pam_var_run_t:dir { search getattr read write remove_name };
 allow pam_t pam_var_run_t:file { getattr read unlink };
 
+type pam_var_console_t, file_type, sysadmfile;
+
 role system_r types pam_t;
 in_user_role(pam_t)
 domain_auto_trans(userdomain, pam_exec_t, pam_t)
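Review bot: The new `type pam_var_console_t, file_type, sysadmfile;` line carries no comment, unlike the other additions in this patch. A one-line comment stating that it labels /var/run/console as maintained by pam_console would help. Also, this hunk declares the type in pam.te but adds no pam_t rules for it next to the existing pam_var_run_t ones; please confirm that is intended.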
--- policy-1.15.11/domains/program/login.te~	2004-07-31 06:22:36.000000000 -0400
+++ policy-1.15.11/domains/program/login.te	2004-08-03 21:54:26.419338888 -0400
@@ -62,6 +62,9 @@
 
 ifdef(`pam.te', `
 can_exec($1_login_t, pam_exec_t)
+# For pam_console
+rw_dir_create_file($1_login_t, var_run_t)
+rw_dir_create_file($1_login_t, pam_var_console_t)
 ')
 
 # Use capabilities
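Review bot: `rw_dir_create_file($1_login_t, var_run_t)` is placed in the shared `$1_login_t` section, so every login domain built from it gains var_run_t create access, whereas the rules removed further down at -184 granted that to local_login_t only. If only local logins need the lock file, keep the var_run_t grant scoped to local_login_t and leave just the pam_var_console_t line here.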
@@ -81,11 +84,8 @@
 r_dir_file($1_login_t, nfs_t)
 ')dnl end if nfs_home_dirs
 
-#
-# /var/run/console requires the following
-#
+# FIXME: what is this for?
 ifdef(`xdm.te', `
-create_dir_file($1_login_t, xdm_var_run_t)
 allow xdm_t $1_login_t:process { signull };
 ')
 
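Review bot: `# FIXME: what is this for?` replaces the old header with an open question and leaves `allow xdm_t $1_login_t:process { signull };` undocumented in the tree. The old header only described the removed `create_dir_file` line, so dropping it is right, but the remaining rule should either get a comment explaining why xdm_t needs signull on login processes or be raised on the list before merging.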
@@ -184,10 +184,6 @@
 # Allow setting of attributes on sound devices.
 allow local_login_t sound_device_t:chr_file { getattr setattr };
 
-# Allow access to /var/run/console and /var/run/console.lock.  Need a separate type?
-allow local_login_t var_run_t:dir rw_dir_perms;
-allow local_login_t var_run_t:file create_file_perms;
-
 #################################
 #
 # Rules for the remote_login_t domain.


* Re: [patch] fix /var/run/console bits
  2004-08-04  2:01 [patch] fix /var/run/console bits Colin Walters
@ 2004-08-04  9:30 ` Luke Kenneth Casson Leighton
  2004-08-04 10:07 ` Russell Coker
  1 sibling, 0 replies; 7+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-08-04  9:30 UTC (permalink / raw)
  To: Colin Walters; +Cc: rcoker, dwalsh, selinux

On Tue, Aug 03, 2004 at 10:01:51PM -0400, Colin Walters wrote:

> requisite permissions to login and xdm.  I still think we need a nicer
> way of mapping the PAM permissions in policy.  The only reason that
> 

 someone on advogato suggested porting bsd_auth to linux.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [patch] fix /var/run/console bits
  2004-08-04  2:01 [patch] fix /var/run/console bits Colin Walters
  2004-08-04  9:30 ` Luke Kenneth Casson Leighton
@ 2004-08-04 10:07 ` Russell Coker
  2004-08-04 13:03   ` Colin Walters
  1 sibling, 1 reply; 7+ messages in thread
From: Russell Coker @ 2004-08-04 10:07 UTC (permalink / raw)
  To: Colin Walters; +Cc: dwalsh, selinux

On Wed, 4 Aug 2004 12:01, Colin Walters <walters@redhat.com> wrote:
> Currently /var/run/console is labeled as xdm_var_run_t, which is totally
> wrong, since it's actually owned by pam_console.  I noticed this while I
> was trying to work on the D-BUS policy, which recently gained console
> user authentication.
>
> Attached is a patch which creates a new type for it, grants the
> requisite permissions to login and xdm.  I still think we need a nicer
> way of mapping the PAM permissions in policy.  The only reason that
> login and xdm are granted these permissions is because they happen to
> ship with pam_console in their PAM stack on Fedora, presumably.  (IIRC
> Debian doesn't use pam_console).

I think that perhaps the following would be good for the fc entry to keep the 
convention:
/var/run/console/(.*)?                     system_u:object_r:pam_var_console_t

This is not what we want.  Ideally we will never have any files of type 
var_run_t.
rw_dir_create_file(xdm_t, var_run_t)
rw_dir_create_file($1_login_t, var_run_t)

I guess that the following code is to allow the xdm to check which login 
processes are active when searching for an unused virtual console.  If my 
guess is correct then signull access would need to be granted to getty_t and 
userdomain.  Of course if you hard-code a VC in the config file then maybe 
this isn't needed.
# FIXME: what is this for?
ifdef(`xdm.te', `
allow xdm_t $1_login_t:process { signull };
')

-- 
http://apac.redhat.com/disclaimer
See above URL for disclaimer.


* Re: [patch] fix /var/run/console bits
  2004-08-04 10:07 ` Russell Coker
@ 2004-08-04 13:03   ` Colin Walters
  2004-08-04 13:19     ` Daniel J Walsh
  2004-08-05  7:40     ` Russell Coker
  0 siblings, 2 replies; 7+ messages in thread
From: Colin Walters @ 2004-08-04 13:03 UTC (permalink / raw)
  To: rcoker; +Cc: dwalsh, selinux

[-- Attachment #1: Type: text/plain, Size: 1528 bytes --]

On Wed, 2004-08-04 at 20:07 +1000, Russell Coker wrote:
> On Wed, 4 Aug 2004 12:01, Colin Walters <walters@redhat.com> wrote:
> > Currently /var/run/console is labeled as xdm_var_run_t, which is totally
> > wrong, since it's actually owned by pam_console.  I noticed this while I
> > was trying to work on the D-BUS policy, which recently gained console
> > user authentication.
> >
> > Attached is a patch which creates a new type for it, grants the
> > requisite permissions to login and xdm.  I still think we need a nicer
> > way of mapping the PAM permissions in policy.  The only reason that
> > login and xdm are granted these permissions is because they happen to
> > ship with pam_console in their PAM stack on Fedora, presumably.  (IIRC
> > Debian doesn't use pam_console).
> 
> I think that perhaps the following would be good for the fc entry to keep the 
> convention:
> /var/run/console/(.*)?                     system_u:object_r:pam_var_console_t

Sounds good.

> This is not what we want.  Ideally we will never have any files of type 
> var_run_t.
> rw_dir_create_file(xdm_t, var_run_t)
> rw_dir_create_file($1_login_t, var_run_t)

I agree, but unfortunately pam_console creates a lockfile
named /var/run/console.lock.  We should probably fix that.

> I guess that the following code is to allow the xdm to check which login 
> processes are active when searching for an unused virtual console.  

Ok.  I just thought it was weird at first glance, and worthy of a
comment :)



* Re: [patch] fix /var/run/console bits
  2004-08-04 13:03   ` Colin Walters
@ 2004-08-04 13:19     ` Daniel J Walsh
  2004-08-05  7:40     ` Russell Coker
  1 sibling, 0 replies; 7+ messages in thread
From: Daniel J Walsh @ 2004-08-04 13:19 UTC (permalink / raw)
  To: Colin Walters; +Cc: rcoker, selinux

Colin Walters wrote:

>On Wed, 2004-08-04 at 20:07 +1000, Russell Coker wrote:
>>On Wed, 4 Aug 2004 12:01, Colin Walters <walters@redhat.com> wrote:
>>>Currently /var/run/console is labeled as xdm_var_run_t, which is totally
>>>wrong, since it's actually owned by pam_console.  I noticed this while I
>>>was trying to work on the D-BUS policy, which recently gained console
>>>user authentication.
>>>
>>>Attached is a patch which creates a new type for it, grants the
>>>requisite permissions to login and xdm.  I still think we need a nicer
>>>way of mapping the PAM permissions in policy.  The only reason that
>>>login and xdm are granted these permissions is because they happen to
>>>ship with pam_console in their PAM stack on Fedora, presumably.  (IIRC
>>>Debian doesn't use pam_console).
>>
>>I think that perhaps the following would be good for the fc entry to keep the 
>>convention:
>>/var/run/console/(.*)?                     system_u:object_r:pam_var_console_t
>
>Sounds good.
>
>>This is not what we want.  Ideally we will never have any files of type 
>>var_run_t.
>>rw_dir_create_file(xdm_t, var_run_t)
>>rw_dir_create_file($1_login_t, var_run_t)
>
>I agree, but unfortunately pam_console creates a lockfile
>named /var/run/console.lock.  We should probably fix that.
>
>>I guess that the following code is to allow the xdm to check which login 
>>processes are active when searching for an unused virtual console.  
>
>Ok.  I just thought it was weird at first glance, and worthy of a
>comment :)
>
Ok I will change pam_console to put the lock file in /var/run/console 
directory.  Then you should be able to change the rules to create files
pam_var_console_t

Dan


* Re: [patch] fix /var/run/console bits
  2004-08-04 13:03   ` Colin Walters
  2004-08-04 13:19     ` Daniel J Walsh
@ 2004-08-05  7:40     ` Russell Coker
  2004-08-05 19:23       ` Stephen Smalley
  1 sibling, 1 reply; 7+ messages in thread
From: Russell Coker @ 2004-08-05  7:40 UTC (permalink / raw)
  To: Colin Walters; +Cc: dwalsh, selinux

On Wed, 4 Aug 2004 23:03, Colin Walters <walters@redhat.com> wrote:
> > I think that perhaps the following would be good for the fc entry to keep
> > the convention:
> > /var/run/console/(.*)?                    system_u:object_r:pam_var_console_t
>
> Sounds good.

Actually I did a typo, this is what it should be:
/var/run/console(/.*)?    system_u:object_r:pam_var_console_t

> > This is not what we want.  Ideally we will never have any files of type
> > var_run_t.
> > rw_dir_create_file(xdm_t, var_run_t)
> > rw_dir_create_file($1_login_t, var_run_t)
>
> I agree, but unfortunately pam_console creates a lockfile
> named /var/run/console.lock.  We should probably fix that.

Dan has just offered to fix that.  But if it was not possible to change that 
then the solution would be to have a file_type_auto_trans() rule.

I've been thinking of adding neverallow rules to prevent any access to files 
of type var_run_t, tmp_t, and tmpfs_t...

> > I guess that the following code is to allow the xdm to check which login
> > processes are active when searching for an unused virtual console.
>
> Ok.  I just thought it was weird at first glance, and worthy of a
> comment :)

It is weird, and probably something needs to be changed about it.

-- 
http://apac.redhat.com/disclaimer
See above URL for disclaimer.
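
The three file_contexts patterns proposed in this thread, compared side by side as an added example (not part of any message or of the policy sources). The sample paths are constructed, and the script assumes file_contexts entries must match the whole path, which `re.fullmatch` stands in for here.

```python
import re

# The three patterns that appear in the thread for the same entry.
PATTERNS = {
    "patch": r"/var/run/console.*",          # as posted in console-policy.patch
    "typo": r"/var/run/console/(.*)?",       # first suggested replacement
    "corrected": r"/var/run/console(/.*)?",  # corrected replacement
}

# Constructed sample paths, not taken from a real system.
SAMPLE_PATHS = [
    "/var/run/console",               # the pam_console directory itself
    "/var/run/console/alice",         # a per-user file inside it
    "/var/run/console.lock",          # lock file created beside the directory
    "/var/run/console/console.lock",  # lock file if moved into the directory
    "/var/run/consolefoo",            # hypothetical unrelated name, same prefix
]


def matches(pattern, path):
    """True if the pattern covers the entire path (anchored at both ends)."""
    return re.fullmatch(pattern, path) is not None


def coverage(name):
    """Paths from SAMPLE_PATHS that the named pattern would label."""
    return [p for p in SAMPLE_PATHS if matches(PATTERNS[name], p)]


def fall_through(name):
    """Paths the named pattern misses, left to whatever other entry matches."""
    hit = set(coverage(name))
    return [p for p in SAMPLE_PATHS if p not in hit]


if __name__ == "__main__":
    for name in PATTERNS:
        print(f"{name:10} {PATTERNS[name]}")
        for p in coverage(name):
            print(f"    labels       {p}")
        for p in fall_through(name):
            print(f"    falls through {p}")
```

The corrected pattern covers the directory and its contents but not /var/run/console.lock, which is why the lock file's location matters to the var_run_t rules discussed above.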


* Re: [patch] fix /var/run/console bits
  2004-08-05  7:40     ` Russell Coker
@ 2004-08-05 19:23       ` Stephen Smalley
  0 siblings, 0 replies; 7+ messages in thread
From: Stephen Smalley @ 2004-08-05 19:23 UTC (permalink / raw)
  To: Colin Walters; +Cc: Russell Coker, Daniel J Walsh, selinux

Merged a modified form of this patch per the discussion on the list.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency

