* ssh policy
@ 2002-07-31 16:53 Russell Coker
  0 siblings, 0 replies; 15+ messages in thread
From: Russell Coker @ 2002-07-31 16:53 UTC (permalink / raw)
  To: SE Linux

I've put a new archive of my SE Linux policy on 
http://www.coker.com.au/selinux/policy.tgz (no debs yet because I'm still 
experimenting with it).

The major change I've just made is merging ssh.te and sshd.te.  The reason 
for this is that they both require access to ~/.ssh; this means that to 
support one without the other makes the policy more complex but delivers 
little benefit.  There are few people who want to run ssh without sshd (or 
the other way around).  Also I believe that having the files separate will 
result in someone deciding that they don't want ssh and removing ssh.te but 
not /usr/bin/ssh!  This would result in /usr/bin/ssh running in user_t thus 
being marginally less secure.

While these issues are both minor, I think it's enough reason for us as 
policy developers to save ourselves the extra effort and merge the files.

Also it's just occurred to me that I should create a new domain for 
ssh-keygen to give an automatic transition of key files 
{identity,id_rsa,id_dsa}{,.pub} to a type that can't be read by sshd.  I had 
previously thought of just using a different type for the identity, id_dsa, 
and id_rsa files, but I realised that sshd has no cause to read the .pub 
files (although I don't think there's any real need to deny read access 
either).


-- 
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* ssh policy
@ 2002-10-23 18:52 Russell Coker
  2002-10-23 19:20 ` Stephen Smalley
  0 siblings, 1 reply; 15+ messages in thread
From: Russell Coker @ 2002-10-23 18:52 UTC (permalink / raw)
  To: selinux

# Proxy openlogging.
allow $1_ssh_t http_cache_port_t:tcp_socket name_bind;

The above has just appeared in the new policy.  I suggest that it be in the 
policy commented out at the most.

This allows any ssh user (i.e. any user) to potentially subvert the web cache if 
they can cause it to crash.

I don't think I'll include this in my policy tree.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page



* Re: ssh policy
  2002-10-23 18:52 Russell Coker
@ 2002-10-23 19:20 ` Stephen Smalley
  0 siblings, 0 replies; 15+ messages in thread
From: Stephen Smalley @ 2002-10-23 19:20 UTC (permalink / raw)
  To: Russell Coker; +Cc: selinux



On Wed, 23 Oct 2002, Russell Coker wrote:

> # Proxy openlogging.
> allow $1_ssh_t http_cache_port_t:tcp_socket name_bind;
>
> The above has just appeared in the new policy.  I suggest that it be in the
> policy commented out at the most.
>
> This allows any ssh user (i.e. any user) to potentially subvert the web cache if
> they can cause it to crash.
>
> I don't think I'll include this in my policy tree.

Ok, removed.  Patch attached and committed to the updated sf CVS tree.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com




Index: selinux/policy/macros/program/ssh_macros.te
===================================================================
RCS file: /cvsroot/selinux/nsa/selinux/policy/macros/program/ssh_macros.te,v
retrieving revision 1.8
diff -u -r1.8 ssh_macros.te
--- selinux/policy/macros/program/ssh_macros.te	23 Oct 2002 18:23:16 -0000	1.8
+++ selinux/policy/macros/program/ssh_macros.te	23 Oct 2002 19:17:26 -0000
@@ -22,9 +22,6 @@
 # Derived domain based on the calling user domain and the program.
 type $1_ssh_t, domain, privlog;
 
-# Proxy openlogging.
-allow $1_ssh_t http_cache_port_t:tcp_socket name_bind;
-
 # Transition from the user domain to the derived domain.
 domain_auto_trans($1_t, ssh_exec_t, $1_ssh_t)
 
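Review bot: the removal is correct and the reason belongs in the commit message: ssh_macros.te is instantiated once per user domain, so this one rule let every $1_ssh_t bind the proxy's port, which is what makes the cache takeover Russell describes possible whenever the cache daemon dies. If a site genuinely needs "proxy openlogging", it should return as a tunable with a comment naming the deployment that needs it, not as a default rule.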


* Re: ssh policy
  2003-12-05  1:18 Nick
@ 2003-12-05  2:07 ` Russell Coker
       [not found]   ` <1070651210.27071.290.camel@hawaii.efficax.net>
  0 siblings, 1 reply; 15+ messages in thread
From: Russell Coker @ 2003-12-05  2:07 UTC (permalink / raw)
  To: nagray, SE Linux

On Fri, 5 Dec 2003 12:18, Nick <nagray@austin.rr.com> wrote:
> avc:  denied  { signal } for  pid=1002 exe=/usr/sbin/sshd
> scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:sshd_t
> tclass=process
>
> I don't think I get this one at all, unless the process which is starting
> sshd is what is not able to send a signal or is it sshd can't send a
> signal out?

I don't get it either.  Usually sshd runs fine with that blocked, but 
sometimes it doesn't work correctly.  In my latest policy I have enabled that 
access, but it needs more review.

> avc:  denied  { getattr } for  pid=1055 exe=/usr/sbin/sshd name=xauth
> dev=03:02 ino=2261013 scontext=system_u:system_r:sshd_t
> tcontext=system_u:object_r:bin_t tclass=file

You are logging in with X11 forwarding enabled.  I strongly recommend that you 
set "ForwardX11 no" in your ssh_config file and then specifically enable X11 
forwarding when you want it with the "-X" option to ssh.  Otherwise whenever 
you ssh to a hostile machine they can use X to take over your account.

> avc:  denied  { name_bind } for  pid=1055 exe=/usr/sbin/sshd port=6010
> scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:port_t
> tclass=tcp_socket

6010 is for DISPLAY=:10.0 .  In my current policy I don't enable this unless 
you have startx or xdm policy included.  I can see that this was an error, it 
should be included for ssh as it's quite valid to have an ssh tunnel be the 
only X server on a machine.  In my next release I will also check for xauth 
policy.

If you don't have xauth policy then using sshd with X forwarding is probably a 
bad idea.


PS  Please choose an appropriate subject for your messages.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page



* Re: ssh policy
       [not found]   ` <1070651210.27071.290.camel@hawaii.efficax.net>
@ 2003-12-06  6:22     ` Russell Coker
  0 siblings, 0 replies; 15+ messages in thread
From: Russell Coker @ 2003-12-06  6:22 UTC (permalink / raw)
  To: nagray; +Cc: SE Linux

On Sat, 6 Dec 2003 06:06, Nick <nagray@austin.rr.com> wrote:
> > I don't get it either.  Usually sshd runs fine with that blocked, but
> > sometimes it doesn't work correctly.  In my latest policy I have enabled
> > that access, but it needs more review.
>
> I took a look at the source for sshd. While the daemon is waiting for
> connections it regenerates its server key every hour. This is done
> through a SIGALRM. I am trying to figure out why this would cause
> intermittent failures on the daemon if it wasn't allowed.
>
> I guess it really doesn't matter, it should be allowed. As the resident
> expert on policies, can you tell me if we can restrict the signals down
> to a type? I will look later.

Strange.  In any case this has to be enabled for running as a daemon.

For the moment I will deny sshd_t access to send signals to itself when 
running from inetd.

> I just found out I don't need X at all, so for now this solves any
> problem I have with that.

In that case it's best to disable X forwarding on both client and server.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


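The three denials Nick posted, Russell's reading of them (port 6010 is DISPLAY=:10.0, so X11 forwarding is on) and the follow-up about sshd signalling itself for its hourly key regeneration can be worked through mechanically. The Python below is an added example, not part of the thread or of any policy tool: it parses AVC lines in the 2003 format quoted above, generates the allow rule that would silence each one (collapsing scontext == tcontext to self, as the sshd_t signal case needs), and flags a name_bind on an X display port. The 6000+n port mapping is the usual X convention; treating 6000..6063 as the display range is my assumption, and the sample lines are constructed from the ones in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: the three AVC denials quoted in the thread, one per line
# (the 2003-era kernel format, before the audit subsystem reworded it).
AVC_LINES = [
    "avc:  denied  { signal } for  pid=1002 exe=/usr/sbin/sshd "
    "scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:sshd_t tclass=process",
    "avc:  denied  { getattr } for  pid=1055 exe=/usr/sbin/sshd name=xauth dev=03:02 "
    "ino=2261013 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:bin_t tclass=file",
    "avc:  denied  { name_bind } for  pid=1055 exe=/usr/sbin/sshd port=6010 "
    "scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:port_t tclass=tcp_socket",
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

X11_BASE_PORT = 6000   # X display :n listens on TCP 6000+n
X11_MAX_DISPLAY = 63   # assumption: treat 6000..6063 as the X display range


def parse_avc(line):
    """Return a dict with 'perms' (list) plus every key=value field, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val
    return rec


def type_of(context):
    """user:role:type -> type, the component an allow rule refers to."""
    return context.split(":")[2]


def allow_rules(records):
    """Collapse denials into allow rules, merging perms per (src, tgt, class)."""
    perms = defaultdict(set)
    for rec in records:
        src = type_of(rec["scontext"])
        # A domain acting on its own context is written as 'self' in policy.
        tgt = "self" if rec["scontext"] == rec["tcontext"] else type_of(rec["tcontext"])
        perms[(src, tgt, rec["tclass"])].update(rec["perms"])
    rules = []
    for (src, tgt, cls), ps in sorted(perms.items()):
        ps = sorted(ps)
        body = ps[0] if len(ps) == 1 else "{ " + " ".join(ps) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


def x11_display(rec):
    """If the denial is a bind to an X display port, return the display number."""
    if rec.get("tclass") != "tcp_socket" or "name_bind" not in rec["perms"]:
        return None
    port = int(rec.get("port", -1))
    if X11_BASE_PORT <= port <= X11_BASE_PORT + X11_MAX_DISPLAY:
        return port - X11_BASE_PORT
    return None


def analyse(lines):
    """Return (rules, notes): generated allow rules plus human-readable findings."""
    records = [r for r in map(parse_avc, lines) if r]
    notes = []
    for rec in records:
        disp = x11_display(rec)
        if disp is not None:
            notes.append(f"pid {rec['pid']} ({rec['exe']}) binding port {rec['port']} "
                         f"= X display :{disp}.0, so X11 forwarding is in use")
        if rec["scontext"] == rec["tcontext"] and rec["tclass"] == "process":
            notes.append(f"{type_of(rec['scontext'])} signalling itself "
                         f"({' '.join(rec['perms'])}); sshd uses SIGALRM for key regeneration")
    return allow_rules(records), notes


if __name__ == "__main__":
    rules, notes = analyse(AVC_LINES)
    print("\n".join(rules))
    print("\n".join(notes))
```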

* ssh policy
@ 2004-09-08 18:28 Russell Coker
  2004-09-09 20:33 ` James Carter
  0 siblings, 1 reply; 15+ messages in thread
From: Russell Coker @ 2004-09-08 18:28 UTC (permalink / raw)
  To: SE Linux


The attached patch restores the functionality of sshd_extern_t after the 
recent can_exec change.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--- /usr/src/se/policy/domains/program/ssh.te	2004-09-02 23:18:48.000000000 +1000
+++ ./domains/program/ssh.te	2004-09-07 23:36:07.000000000 +1000
@@ -26,6 +26,8 @@
 # privfd is for passing the terminal file handle to the user process
 # auth_chkpwd is for running unix_chkpwd and unix_verify.
 type $1_t, domain, privuser, privrole, privlog, privowner, privfd, auth_chkpwd, nscd_client_domain;
+can_exec($1_t, sshd_exec_t)
+r_dir_file($1_t, self)
 role system_r types $1_t;
 dontaudit $1_t shadow_t:file { getattr read };
 uses_shlib($1_t)
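Review bot: the two added rules now apply to every domain built with this macro, which per the description is the point (sshd_extern_t lost them when the sshd_t-only copies below were the only ones), but they land between the type declaration and the role line with no comment, while every other permission in this block is explained in the comment header above. Add one line stating why a $1_t domain needs to execute sshd_exec_t and read objects of its own type, so the next reader does not have to repeat this archaeology.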
@@ -147,8 +149,6 @@
 # sshd_extern_t is the domain for ssh from outside our network
 #
 sshd_program_domain(sshd)
-can_exec(sshd_t, sshd_exec_t)
-r_dir_file(sshd_t, self)
 if (ssh_sysadm_login) {
 sshd_spawn_domain(sshd, userdomain, { sysadm_devpts_t userpty_type })
 } else {


* Re: ssh policy
  2004-09-08 18:28 ssh policy Russell Coker
@ 2004-09-09 20:33 ` James Carter
  2004-09-10 14:50   ` Daniel J Walsh
  0 siblings, 1 reply; 15+ messages in thread
From: James Carter @ 2004-09-09 20:33 UTC (permalink / raw)
  To: Russell Coker; +Cc: SE Linux

Merged.

On Wed, 2004-09-08 at 14:28, Russell Coker wrote:
> The attached patch restores the functionality of sshd_extern_t after the 
> recent can_exec change.
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency


* Re: ssh policy
  2004-09-09 20:33 ` James Carter
@ 2004-09-10 14:50   ` Daniel J Walsh
  2004-09-10 15:08     ` Stephen Smalley
  2004-09-13 20:18     ` James Carter
  0 siblings, 2 replies; 15+ messages in thread
From: Daniel J Walsh @ 2004-09-10 14:50 UTC (permalink / raw)
  To: jwcart2; +Cc: Russell Coker, SE Linux


Latest policy.  More stuff for dbus.  Added media file.   Changes for 
udev on tmpfs.


diff --exclude-from=exclude -N -u -r nsapolicy/appconfig/media policy-1.17.13/appconfig/media
--- nsapolicy/appconfig/media	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.13/appconfig/media	2004-09-10 10:29:32.756600463 -0400
@@ -0,0 +1,3 @@
+cdrom system_u:object_r:removable_device_t
+floppy system_u:object_r:removable_device_t
+disk system_u:object_r:fixed_disk_device_t
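Review bot: the new appconfig/media file has no header describing its format or its consumer; from the file alone a reader cannot tell which program reads it (the Makefile hunk installs it as $(CONTEXTPATH)/files/media) or whether the first column is a device name or a path. A comment line, if the consumer tolerates comments, or a note in the policy README should say who parses it and what a bad entry does.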
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ifconfig.te policy-1.17.13/domains/program/ifconfig.te
--- nsapolicy/domains/program/ifconfig.te	2004-09-09 15:36:13.000000000 -0400
+++ policy-1.17.13/domains/program/ifconfig.te	2004-09-10 10:29:32.757600350 -0400
@@ -24,7 +24,7 @@
 domain_auto_trans(sysadm_t, ifconfig_exec_t, ifconfig_t)
 
 # for /sbin/ip
-allow ifconfig_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
+allow ifconfig_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write setopt };
 allow ifconfig_t self:tcp_socket { create ioctl };
 allow ifconfig_t etc_t:file { getattr read };
 
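Review bot: appending setopt to a hand-enumerated netlink permission list is why this line keeps conflicting between trees (the reply notes it was already replaced upstream); use the named set rw_netlink_socket_perms so that both trees carry one spelling of the same access.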
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.17.13/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te	2004-09-10 10:17:48.000000000 -0400
+++ policy-1.17.13/domains/program/initrc.te	2004-09-10 10:29:32.757600350 -0400
@@ -317,5 +317,5 @@
 allow initrc_t security_t:dir { getattr search };
 allow initrc_t security_t:file { getattr read };
 ifdef(`dbusd.te', `
-allow initrc_t system_dbusd_t:dbus { send_msg };
+allow initrc_t system_dbusd_t:dbus { send_msg acquire_svc };
 ')
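Review bot: acquire_svc lets initrc_t claim service names on the system bus, not merely send messages to it; rc scripts normally start and talk to the bus rather than own names on it. The hunk does not say which script needs this, so either note it in a comment or grant acquire_svc to that daemon's own domain instead of the shared initrc_t.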
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.17.13/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2004-09-10 10:17:49.000000000 -0400
+++ policy-1.17.13/domains/program/unused/cups.te	2004-09-10 10:29:32.758600237 -0400
@@ -161,3 +161,8 @@
 
 dontaudit cupsd_t selinux_config_t:dir search;
 dontaudit cupsd_t selinux_config_t:file { getattr read };
+
+ifdef(`hald.te', `
+allow cupsd_t hald_t:dbus { send_msg };
+allow hald_t cupsd_t:dbus { send_msg };
+')
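Review bot: the hald_t -> cupsd_t direction is placed in cups.te under ifdef(`hald.te'), which works but leaves one half of a bidirectional dbus rule in a file the hald maintainer will not look at; a macro that emits both directions, as dbusd_macros.te already does for the daemon's clients, would keep them together.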
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.17.13/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te	2004-09-10 10:17:49.000000000 -0400
+++ policy-1.17.13/domains/program/unused/udev.te	2004-09-10 10:29:32.759600124 -0400
@@ -103,3 +103,4 @@
 
 dbusd_client(system, udev_t)
 
+allow udev_t device_t:dir { relabelfrom relabelto create_dir_perms };
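Review bot: relabelfrom on device_t directories lets udev_t move directories out of device_t to any type it also holds relabelto on, and create_dir_perms adds write and rename on them; that is broad for a daemon driven by hotplug events. If the goal is only to relabel the freshly mounted tmpfs /dev at boot, say so in a comment and confirm udev_t has no other relabelto rules that widen the reach.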
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/updfstab.te policy-1.17.13/domains/program/unused/updfstab.te
--- nsapolicy/domains/program/unused/updfstab.te	2004-09-10 10:17:49.000000000 -0400
+++ policy-1.17.13/domains/program/unused/updfstab.te	2004-09-10 10:30:15.342777769 -0400
@@ -60,5 +60,5 @@
 allow updfstab_t self:capability dac_override;
 dontaudit updfstab_t self:capability sys_admin;
 
-r_dir_file(updfstab_t, { selinux_config_t file_context_t default_context_t } )
 can_getsecurity(updfstab_t)
+dontaudit updfstab_t selinux_config_t:dir search;
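Review bot: this swaps an allow for a dontaudit, which hides the denial instead of resolving it; if updfstab looks up contexts via matchpathcon (as the reply states) it still needs read access to the file contexts files, and silencing the search denial means a mislabelled /etc/fstab will show up with no audit trail to explain it. Restore the r_dir_file line or document why the lookup is no longer needed.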
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/lvm.fc policy-1.17.13/file_contexts/program/lvm.fc
--- nsapolicy/file_contexts/program/lvm.fc	2004-09-09 15:36:11.000000000 -0400
+++ policy-1.17.13/file_contexts/program/lvm.fc	2004-09-10 10:29:32.760600010 -0400
@@ -54,12 +54,7 @@
 /sbin/vgscan.static	--	system_u:object_r:lvm_exec_t
 /sbin/vgsplit		--	system_u:object_r:lvm_exec_t
 /sbin/vgwrapper		--	system_u:object_r:lvm_exec_t
-ifdef(`distro_redhat', `
-/usr/bin/cryptsetup	--	system_u:object_r:lvm_exec_t
-')
-ifdef(`distro_debian', `
 /sbin/cryptsetup	--	system_u:object_r:lvm_exec_t
-')
 /sbin/dmsetup      --      system_u:object_r:lvm_exec_t
 /sbin/dmsetup.static --    system_u:object_r:lvm_exec_t
 /sbin/lvm          --      system_u:object_r:lvm_exec_t
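Review bot: dropping the distro_redhat block removes the /usr/bin/cryptsetup label entirely, and distro.tun later in this patch turns distro_redhat on; a Red Hat system with cryptsetup under /usr/bin will now run it as bin_t rather than lvm_exec_t. Keep both paths unconditionally instead, since a file_contexts entry for a path that does not exist is harmless.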
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/saslauthd.fc policy-1.17.13/file_contexts/program/saslauthd.fc
--- nsapolicy/file_contexts/program/saslauthd.fc	2004-09-09 15:36:11.000000000 -0400
+++ policy-1.17.13/file_contexts/program/saslauthd.fc	2004-09-10 10:29:32.760600010 -0400
@@ -1,3 +1,3 @@
 # saslauthd 
-/usr/sbin/saslauthd				--	system_u:object_r:saslauthd_exec_t
-/var/run/saslauthd					system_u:object_r:saslauthd_var_run_t
+/usr/sbin/saslauthd		--	system_u:object_r:saslauthd_exec_t
+/var/run/saslauthd(/.*)?		system_u:object_r:saslauthd_var_run_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/xdm.fc policy-1.17.13/file_contexts/program/xdm.fc
--- nsapolicy/file_contexts/program/xdm.fc	2004-09-09 15:36:11.000000000 -0400
+++ policy-1.17.13/file_contexts/program/xdm.fc	2004-09-10 10:29:32.761599897 -0400
@@ -7,7 +7,7 @@
 /usr/var/[xgkw]dm(/.*)?		system_u:object_r:xserver_log_t
 /var/log/[kw]dm\.log	--	system_u:object_r:xserver_log_t
 /var/log/gdm(/.*)?		system_u:object_r:xserver_log_t
-/tmp/\.X0-lock		--	system_u:object_r:xdm_tmp_t
+/tmp/\.X0-lock		--	system_u:object_r:xdm_xserver_tmp_t
 /etc/X11/Xsession[^/]*	--	system_u:object_r:xsession_exec_t
 /etc/X11/wdm(/.*)?		system_u:object_r:xdm_rw_etc_t
 /etc/X11/wdm/Xsetup.*	--	system_u:object_r:xsession_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/xserver.fc policy-1.17.13/file_contexts/program/xserver.fc
--- nsapolicy/file_contexts/program/xserver.fc	2004-09-09 15:36:11.000000000 -0400
+++ policy-1.17.13/file_contexts/program/xserver.fc	2004-09-10 10:29:32.761599897 -0400
@@ -11,7 +11,7 @@
 /var/log/XFree86.*	--	system_u:object_r:xserver_log_t
 /var/log/Xorg.*		--	system_u:object_r:xserver_log_t
 /etc/init\.d/xfree86-common --	system_u:object_r:xserver_exec_t
-/tmp/\.X11-unix		-d	system_u:object_r:xdm_xserver_tmp_t
+/tmp/\.X11-unix		-d	system_u:object_r:xdm_tmp_t
 /tmp/\.X11-unix/.*	-s	<<none>>
 /tmp/\.ICE-unix		-d	system_u:object_r:xdm_xserver_tmp_t
 /tmp/\.ICE-unix/.*	-s	<<none>>
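Review bot: the two file_contexts hunks pull in opposite directions: the xdm.fc hunk moves /tmp/.X0-lock to xdm_xserver_tmp_t while this one moves /tmp/.X11-unix to xdm_tmp_t, and /tmp/.ICE-unix in the same hunk stays at xdm_xserver_tmp_t. file_contexts must match what the creating domain's type transition produces, otherwise restorecon and the running system relabel the directory back and forth (the relabel cycling the reply mentions); establish which domain creates each entry before changing labels.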
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/dbusd_macros.te policy-1.17.13/macros/program/dbusd_macros.te
--- nsapolicy/macros/program/dbusd_macros.te	2004-09-09 16:22:13.000000000 -0400
+++ policy-1.17.13/macros/program/dbusd_macros.te	2004-09-10 10:29:32.762599784 -0400
@@ -22,7 +22,8 @@
 type $1_dbusd_t, domain, privlog, userspace_objmgr;
 role $1_r types $1_dbusd_t;
 domain_auto_trans($1_t, dbusd_exec_t, $1_dbusd_t)
-
+read_locale($1_dbusd_t)
+dontaudit $1_dbusd_t var_t:dir { getattr search };
 ')dnl end ifdef single_userdomain
 ')dnl end ifelse system
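Review bot: dontaudit $1_dbusd_t var_t:dir { getattr search } silences a denial the daemon evidently hits; if that lookup is under /var/run (the reply suggests /var/run/console) the right fix is an allow, since a dontaudit leaves the daemon failing with nothing in the log to show why.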
 
@@ -30,6 +31,12 @@
 uses_shlib($1_dbusd_t)
 allow $1_dbusd_t etc_t:file { getattr read };
 r_dir_file($1_dbusd_t, etc_dbusd_t)
+tmp_domain($1_dbusd) 
+allow $1_dbusd_t self:process { fork };
+ifdef(`xdm.te', `
+allow $1_dbusd_t xdm_t:fd { use };
+allow $1_dbusd_t xdm_t:fifo_file { write };
+')
 
 allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
 allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
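Review bot: the line "+tmp_domain($1_dbusd) " carries trailing whitespace. More substantively, the ifdef(`xdm.te') block sits after the ')dnl end ifelse system' line, so xdm_t:fd use and xdm_t:fifo_file write are granted to the system bus daemon as well; if only the per-session daemon is launched from xdm, move the block into the user branch of the macro.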
@@ -58,5 +65,6 @@
 ') dnl endif system
 # SE-DBus specific permissions
 allow $2 { $1_dbusd_t self }:dbus { send_msg };
+allow $2 $1_dbusd_t:dbus { acquire_svc };
 ') dnl endif dbusd.te
 ')
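Review bot: allow $2 $1_dbusd_t:dbus { acquire_svc } grants every domain that uses this client macro the right to claim well-known service names on the bus, whereas the existing line only lets clients send messages. Name ownership is what lets a process stand in for a service, so acquire_svc should be granted per service-owning domain, not in the generic client macro.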
diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.17.13/Makefile
--- nsapolicy/Makefile	2004-09-10 10:17:48.000000000 -0400
+++ policy-1.17.13/Makefile	2004-09-10 10:32:06.029242516 -0400
@@ -52,13 +52,18 @@
 FCFILES=file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te)) $(wildcard file_contexts/misc/*.fc)
 
 APPDIR=$(CONTEXTPATH)
-APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context)
+APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context) $(CONTEXTPATH)/files/media
+
 ROOTFILES = $(addprefix $(APPDIR)/users/,root)
 
 install: $(APPFILES) $(ROOTFILES) $(LOADPATH) $(FCPATH) 
 	@echo "Validating file_contexts ..."	
 	$(SETFILES) -q -c $(LOADPATH) $(FCPATH)
 
+$(CONTEXTPATH)/files/media: appconfig/media
+	mkdir -p $(CONTEXTPATH)/files/
+	install -m 644 $< $@
+
 $(APPDIR)/default_contexts: appconfig/default_contexts
 	mkdir -p $(APPDIR)
 	install -m 644 $< $@
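Review bot: APPFILES mixes $(APPDIR)/... with $(CONTEXTPATH)/files/media even though APPDIR is defined as $(CONTEXTPATH) three lines above; use $(APPDIR) in the new entry and in the mkdir so the two cannot diverge. The extra blank line added after APPFILES is noise.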
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.17.13/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2004-09-09 15:36:11.000000000 -0400
+++ policy-1.17.13/tunables/distro.tun	2004-09-10 10:29:32.763599671 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
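Review bot: defining distro_redhat in the shared tunables file turns a distribution choice into the upstream default; it belongs in the vendor build, with the upstream file keeping the dnl-commented form, otherwise every merge flips it back and forth (which is the conflict the reply reports).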
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.17.13/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2004-09-09 15:36:11.000000000 -0400
+++ policy-1.17.13/tunables/tunable.tun	2004-09-10 10:29:32.764599557 -0400
@@ -1,54 +1,51 @@
 # Allow all domains to connect to nscd
-dnl define(`nscd_all_connect')
+define(`nscd_all_connect')
 
 # Allow users to control network interfaces (also needs USERCTL=true)
 dnl define(`user_net_control')
 
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Support NFS home directories
-dnl define(`nfs_home_dirs')
+define(`nfs_home_dirs')
 
 # Allow users to run games
-dnl define(`use_games')
+define(`use_games')
 
 # Allow ypbind to run with NIS
-dnl define(`allow_ypbind')
+define(`allow_ypbind')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow sysadm_t to do almost everything
 dnl define(`unrestricted_admin')
 
 # Allow the read/write/create on any NFS file system
-dnl define(`nfs_export_all_rw')
-
-# Allow users to unrestricted access
-dnl define(`unlimitedUsers')
+define(`nfs_export_all_rw')
 
 # Allow the reading on any NFS file system
 dnl define(`nfs_export_all_ro')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
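Review bot: this hunk enables unlimitedRPM, unlimitedUtils and unlimitedRC, which by their own comments run rpm, hotplug/insmod and any rc-started daemon without a transition unconfined, plus user_canbe_sysadm, nfs_export_all_rw and hide_broken_symptoms, which suppresses auditing of known denials. Each weakens the default policy or removes evidence, and together they are vendor-release defaults rather than upstream ones; the silent deletion of the unlimitedUsers tunable also needs a mention in the description.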


* Re: ssh policy
  2004-09-10 14:50   ` Daniel J Walsh
@ 2004-09-10 15:08     ` Stephen Smalley
  2004-09-10 15:24       ` Daniel J Walsh
                         ` (2 more replies)
  2004-09-13 20:18     ` James Carter
  1 sibling, 3 replies; 15+ messages in thread
From: Stephen Smalley @ 2004-09-10 15:08 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Jim Carter, Russell Coker, SE Linux

On Fri, 2004-09-10 at 10:50, Daniel J Walsh wrote:
> Latest policy.  More stuff for dbus.  Added media file.   Changes for 
> udev on tmpfs.

Conflicts with our latest patches.
> 
> ______________________________________________________________________
> -allow ifconfig_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
> +allow ifconfig_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write setopt };

I just replaced this with rw_netlink_socket_perms in our tree.

> -r_dir_file(updfstab_t, { selinux_config_t file_context_t default_context_t } )
>  can_getsecurity(updfstab_t)
> +dontaudit updfstab_t selinux_config_t:dir search;

I don't think that this is correct; updfstab appears to be looking up a
context via matchpathcon for preserving the context on /etc/fstab, so it
needs access to the file contexts file as in our policy.

> diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/xserver.fc policy-1.17.13/file_contexts/program/xserver.fc
> --- nsapolicy/file_contexts/program/xserver.fc	2004-09-09 15:36:11.000000000 -0400
> +++ policy-1.17.13/file_contexts/program/xserver.fc	2004-09-10 10:29:32.761599897 -0400
> @@ -11,7 +11,7 @@
>  /var/log/XFree86.*	--	system_u:object_r:xserver_log_t
>  /var/log/Xorg.*		--	system_u:object_r:xserver_log_t
>  /etc/init\.d/xfree86-common --	system_u:object_r:xserver_exec_t
> -/tmp/\.X11-unix		-d	system_u:object_r:xdm_xserver_tmp_t
> +/tmp/\.X11-unix		-d	system_u:object_r:xdm_tmp_t
>  /tmp/\.X11-unix/.*	-s	<<none>>
>  /tmp/\.ICE-unix		-d	system_u:object_r:xdm_xserver_tmp_t
>  /tmp/\.ICE-unix/.*	-s	<<none>>

I know that this was motivated by the relabel cycling reported by Tom
London, but it raises an obvious question - who is creating this
directory?  Is it truly [xdk]dm?  If not, why is it being created in
xdm_tmp_t rather than xdm_xserver_t?

> +dontaudit $1_dbusd_t var_t:dir { getattr search };

Hmm...I was going to give it access to read /var/run/console, as with
the system dbus daemon.  Does the per-session dbusd not need it?

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency



* Re: ssh policy
  2004-09-10 15:08     ` Stephen Smalley
@ 2004-09-10 15:24       ` Daniel J Walsh
  2004-09-10 18:09       ` Luke Kenneth Casson Leighton
  2004-09-11  9:13       ` Russell Coker
  2 siblings, 0 replies; 15+ messages in thread
From: Daniel J Walsh @ 2004-09-10 15:24 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Jim Carter, Russell Coker, SE Linux

Stephen Smalley wrote:

>On Fri, 2004-09-10 at 10:50, Daniel J Walsh wrote:
>
>>Latest policy.  More stuff for dbus.  Added media file.   Changes for 
>>udev on tmpfs.
>
>Conflicts with our latest patches.
Ok

>>______________________________________________________________________
>>-allow ifconfig_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
>>+allow ifconfig_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write setopt };
>
>I just replaced this with rw_netlink_socket_perms in our tree.
Yes I saw that.

>>-r_dir_file(updfstab_t, { selinux_config_t file_context_t default_context_t } )
>> can_getsecurity(updfstab_t)
>>+dontaudit updfstab_t selinux_config_t:dir search;
>
>I don't think that this is correct; updfstab appears to be looking up a
>context via matchpathcon for preserving the context on /etc/fstab, so it
>needs access to the file contexts file as in our policy.
Ok somebody else must have made that change.

>>diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/xserver.fc policy-1.17.13/file_contexts/program/xserver.fc
>>--- nsapolicy/file_contexts/program/xserver.fc	2004-09-09 15:36:11.000000000 -0400
>>+++ policy-1.17.13/file_contexts/program/xserver.fc	2004-09-10 10:29:32.761599897 -0400
>>@@ -11,7 +11,7 @@
>> /var/log/XFree86.*	--	system_u:object_r:xserver_log_t
>> /var/log/Xorg.*		--	system_u:object_r:xserver_log_t
>> /etc/init\.d/xfree86-common --	system_u:object_r:xserver_exec_t
>>-/tmp/\.X11-unix		-d	system_u:object_r:xdm_xserver_tmp_t
>>+/tmp/\.X11-unix		-d	system_u:object_r:xdm_tmp_t
>> /tmp/\.X11-unix/.*	-s	<<none>>
>> /tmp/\.ICE-unix		-d	system_u:object_r:xdm_xserver_tmp_t
>> /tmp/\.ICE-unix/.*	-s	<<none>>
>
>I know that this was motivated by the relabel cycling reported by Tom
>London, but it raises an obvious question - who is creating this
>directory?  Is it truly [xdk]dm?  If not, why is it being created in
>xdm_tmp_t rather than xdm_xserver_t?
>
>>+dontaudit $1_dbusd_t var_t:dir { getattr search };
>
>Hmm...I was going to give it access to read /var/run/console, as with
>the system dbus daemon.  Does the per-session dbusd not need it?
Colin will need to comment on this.



* Re: ssh policy
  2004-09-10 15:08     ` Stephen Smalley
  2004-09-10 15:24       ` Daniel J Walsh
@ 2004-09-10 18:09       ` Luke Kenneth Casson Leighton
  2004-09-11  9:13       ` Russell Coker
  2 siblings, 0 replies; 15+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-09-10 18:09 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Daniel J Walsh, Jim Carter, Russell Coker, SE Linux

On Fri, Sep 10, 2004 at 11:08:11AM -0400, Stephen Smalley wrote:
> On Fri, 2004-09-10 at 10:50, Daniel J Walsh wrote:
> > Latest policy.  More stuff for dbus.  Added media file.   Changes for 
> > udev on tmpfs.
> 
> Conflicts with our latest patches.
> > 
> > ______________________________________________________________________
> > -allow ifconfig_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
> > +allow ifconfig_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write setopt };
> 
> I just replaced this with rw_netlink_socket_perms in our tree.
> 
> > -r_dir_file(updfstab_t, { selinux_config_t file_context_t default_context_t } )
> >  can_getsecurity(updfstab_t)
> > +dontaudit updfstab_t selinux_config_t:dir search;
> 
> I don't think that this is correct; updfstab appears to be looking up a
> context via matchpathcon for preserving the context on /etc/fstab, so it
> needs access to the file contexts file as in our policy.
> 
> > diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/xserver.fc policy-1.17.13/file_contexts/program/xserver.fc
> > --- nsapolicy/file_contexts/program/xserver.fc	2004-09-09 15:36:11.000000000 -0400
> > +++ policy-1.17.13/file_contexts/program/xserver.fc	2004-09-10 10:29:32.761599897 -0400
> > @@ -11,7 +11,7 @@
> >  /var/log/XFree86.*	--	system_u:object_r:xserver_log_t
> >  /var/log/Xorg.*		--	system_u:object_r:xserver_log_t
> >  /etc/init\.d/xfree86-common --	system_u:object_r:xserver_exec_t
> > -/tmp/\.X11-unix		-d	system_u:object_r:xdm_xserver_tmp_t
> > +/tmp/\.X11-unix		-d	system_u:object_r:xdm_tmp_t
> >  /tmp/\.X11-unix/.*	-s	<<none>>
> >  /tmp/\.ICE-unix		-d	system_u:object_r:xdm_xserver_tmp_t
> >  /tmp/\.ICE-unix/.*	-s	<<none>>
> 
> I know that this was motivated by the relabel cycling reported by Tom
> London, but it raises an obvious question - who is creating this
> directory?  Is it truly [xdk]dm?  If not, why is it being created in
> xdm_tmp_t rather than xdm_xserver_t?
> 

 i raised a bug on debian about this and the reason is that a number
 of legacy X programs rely on the location /tmp.

 actually i raised the bug about /etc/init.d/xfs so in fact
 this time /etc/init.d/xfree86-common needs
 if [ -x /sbin/restorecon ]; then /sbin/restorecon $ICE_DIR; fi
 and
 if [ -x /sbin/restorecon ]; then /sbin/restorecon $SOCKET_DIR; fi

 debian intend to fix the location of all of these post-sarge.

 at the moment it'd break too many legacy apps that used to be
 happy with /tmp.

 l.



* Re: ssh policy
  2004-09-10 15:08     ` Stephen Smalley
  2004-09-10 15:24       ` Daniel J Walsh
  2004-09-10 18:09       ` Luke Kenneth Casson Leighton
@ 2004-09-11  9:13       ` Russell Coker
  2004-09-13 12:47         ` Daniel J Walsh
  2004-09-13 14:31         ` Daniel J Walsh
  2 siblings, 2 replies; 15+ messages in thread
From: Russell Coker @ 2004-09-11  9:13 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Daniel J Walsh, Jim Carter, SE Linux

On Sat, 11 Sep 2004 01:08, Stephen Smalley <sds@epoch.ncsc.mil> wrote:
> > -r_dir_file(updfstab_t, { selinux_config_t file_context_t
> > default_context_t } ) can_getsecurity(updfstab_t)
> > +dontaudit updfstab_t selinux_config_t:dir search;
>
> I don't think that this is correct; updfstab appears to be looking up a
> context via matchpathcon for preserving the context on /etc/fstab, so it
> needs access to the file contexts file as in our policy.

Why do we want to have updfstab do that?  Adding such functionality to 
updfstab means more work for it to do, more time taken to complete, etc.

Just having updfstab create the new file as /etc/fstab.new (or similar) makes 
it get the right context automatically with much less effort.

We don't want to change every program that creates a file to preserve the SE 
Linux context!  That would take significant development work and create 
significant issues if the SE Linux interfaces ever change.

The source to fstab-sync refers to the idea of creating a new fstab file 
in /tmp if /etc is mounted read-only (with /etc/fstab being a sym-link to 
somewhere else).  If this is implemented as described in the comments then an 
inopportune power failure or system crash could potentially truncate the 
fstab file and make the system non-bootable.  I think we should give up on 
the idea of having fstab-sync do anything special in regard to SE Linux.

Dan, what do you think?

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

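Russell's point above, that creating the replacement file beside /etc/fstab gets the right context for free and avoids a half-written fstab, is illustrated by this added example. It is not code from fstab-sync, updfstab or Russell's policy; the function name atomic_replace is hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: replace `path` with `data` by writing `<path>.new`
 * beside it and renaming it over the target.  Creating the temporary file
 * in the same directory means the kernel labels it from the policy's
 * type_transition for that directory (or the directory's own type), so no
 * matchpathcon lookup of file_contexts is needed, and rename(2) stays on one
 * filesystem, so the old file is swapped in one step and is never left
 * truncated (the risk of a /tmp copy followed by rewriting /etc/fstab).
 * Returns 0 on success, -1 with errno set and the target untouched. */
int atomic_replace(const char *path, const char *data, size_t len)
{
    char tmp[PATH_MAX], dir[PATH_MAX];
    int fd, dfd, saved;
    if (snprintf(tmp, sizeof tmp, "%s.new", path) >= (int)sizeof tmp) {
        errno = ENAMETOOLONG;
        return -1;
    }
    /* O_EXCL: never follow or reuse a pre-existing .new file. */
    if ((fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0644)) < 0)
        return -1;
    for (size_t done = 0; done < len; ) {
        ssize_t n = write(fd, data + done, len - done);
        if (n < 0) { if (errno == EINTR) continue; goto fail; }
        done += (size_t)n;
    }
    if (fsync(fd) < 0)                 /* contents on disk before rename */
        goto fail;
    if (close(fd) < 0) { fd = -1; goto fail; }
    fd = -1;
    if (rename(tmp, path) < 0)         /* atomic: readers see old or new */
        goto fail;
    /* Persist the directory entry too, so the rename survives a crash. */
    snprintf(dir, sizeof dir, "%s", path);
    if ((dfd = open(dirname(dir), O_RDONLY | O_DIRECTORY)) >= 0) { fsync(dfd); close(dfd); }
    return 0;
fail:
    saved = errno;
    if (fd >= 0) close(fd);
    unlink(tmp); errno = saved;
    return -1;
}
```

A copy written under /tmp and then moved would instead fail rename(2) with EXDEV whenever /tmp and /etc are separate filesystems, which is exactly what pushes a tool toward the non-atomic rewrite the thread warns about.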

* Re: ssh policy
  2004-09-11  9:13       ` Russell Coker
@ 2004-09-13 12:47         ` Daniel J Walsh
  2004-09-13 14:31         ` Daniel J Walsh
  1 sibling, 0 replies; 15+ messages in thread
From: Daniel J Walsh @ 2004-09-13 12:47 UTC (permalink / raw)
  To: russell; +Cc: Stephen Smalley, Jim Carter, SE Linux

Russell Coker wrote:
> Dan, what do you think?

That sounds good to me.  I will look into who made the change and see if 
we remedy this.


* Re: ssh policy
  2004-09-11  9:13       ` Russell Coker
  2004-09-13 12:47         ` Daniel J Walsh
@ 2004-09-13 14:31         ` Daniel J Walsh
  1 sibling, 0 replies; 15+ messages in thread
From: Daniel J Walsh @ 2004-09-13 14:31 UTC (permalink / raw)
  To: russell; +Cc: Stephen Smalley, Jim Carter, SE Linux

Russell Coker wrote:
> Dan, what do you think?

Talked to the person who did this and he is fixing it.  It came about 
because the temp file was originally being created on /tmp but now is 
created in /etc/.

Dan


* Re: ssh policy
  2004-09-10 14:50   ` Daniel J Walsh
  2004-09-10 15:08     ` Stephen Smalley
@ 2004-09-13 20:18     ` James Carter
  1 sibling, 0 replies; 15+ messages in thread
From: James Carter @ 2004-09-13 20:18 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Russell Coker, SE Linux

Merged, for the most part, except for what Steve commented on.

On Fri, 2004-09-10 at 10:50, Daniel J Walsh wrote:
> Latest policy.  More stuff for dbus.  Added media file.   Changes for 
> udev on tmpfs.
> 

> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/updfstab.te policy-1.17.13/domains/program/unused/updfstab.te
> --- nsapolicy/domains/program/unused/updfstab.te	2004-09-10 10:17:49.000000000 -0400
> +++ policy-1.17.13/domains/program/unused/updfstab.te	2004-09-10 10:30:15.342777769 -0400
> @@ -60,5 +60,5 @@
>  allow updfstab_t self:capability dac_override;
>  dontaudit updfstab_t self:capability sys_admin;
>  
> -r_dir_file(updfstab_t, { selinux_config_t file_context_t default_context_t } )
>  can_getsecurity(updfstab_t)
> +dontaudit updfstab_t selinux_config_t:dir search;
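Review bot: removing `r_dir_file(updfstab_t, { selinux_config_t file_context_t default_context_t } )` takes away the read access updfstab needs for its matchpathcon lookup of the /etc/fstab context (Stephen's objection earlier in the thread), and the new `dontaudit updfstab_t selinux_config_t:dir search;` makes that breakage silent: the lookup now fails at the directory search with no AVC message to point at the cause. Either keep the r_dir_file rule until updfstab stops calling matchpathcon, as the comment below proposes, or make the hunk self-consistent by also revisiting whether `can_getsecurity(updfstab_t)` is still needed once the lookup is gone; a dontaudit that hides a real access need is the wrong way to quiet a denial.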

Will wait for updfstab to be fixed to update its policy.


-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

