gentoo diff for ntpd

gentoo diff for ntpd

[petre rodan]

[-- Attachment #1.1: Type: text/plain, Size: 225 bytes --]

Hi!

This is a very small diff that would make the gentoo community happy :)

reference:
http://bugs.gentoo.org/show_bug.cgi?id=59633

many thanks,
peter

-- 
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux

[-- Attachment #1.2: ntpd.diff --]
[-- Type: text/plain, Size: 1002 bytes --]

--- /root/public_html/policy/nsa/file_contexts/program/ntpd.fc	2004-06-25 23:02:43.000000000 +0300
+++ /etc/security/selinux/src/policy/file_contexts/program/ntpd.fc	2004-10-05 10:20:01.034334096 +0300
@@ -10,3 +10,11 @@
 /var/run/ntpd.pid		--	system_u:object_r:ntpd_var_run_t
 /etc/cron\.(daily|weekly)/ntp-simple -- system_u:object_r:ntpd_exec_t
 /etc/cron\.(daily|weekly)/ntp-server -- system_u:object_r:ntpd_exec_t
+
+ifdef(`distro_gentoo', `
+/usr/bin/ntpd			--	system_u:object_r:ntpd_exec_t
+/usr/bin/ntpdate		--	system_u:object_r:ntpd_exec_t
+
+# for net-misc/openntpd
+/etc/ntpd\.conf			--	system_u:object_r:net_conf_t
+')
--- /root/public_html/policy/nsa/domains/program/unused/ntpd.te	2004-10-02 01:38:20.000000000 +0300
+++ /etc/security/selinux/src/policy/domains/program/ntpd.te	2004-10-05 04:23:53.935260872 +0300
@@ -69,3 +69,8 @@
 ifdef(`firstboot.te', `
 dontaudit ntpd_t firstboot_t:fd { use };
 ')
+
+ifdef(`distro_gentoo', `
+allow ntpd_t self:capability { sys_chroot kill };
+')
+

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 252 bytes --]

Re: gentoo diff for ntpd

[Joshua Brindle]

Since peter forgot to introduce himself :) he just started with gentoo 
to give us some badly needed policy help which will hopefully allow us 
to start sending more policy upstream. Thanks peter

Also, this diff is to make openntpd work with the current ntp policy, so 
  a tunable other than distro_gentoo might be appropriate, or none at all.

Joshua Brindle


petre rodan wrote:

> Hi!
> 
> This is a very small diff that would make the gentoo community happy :)
> 
> reference:
> http://bugs.gentoo.org/show_bug.cgi?id=59633
> 
> many thanks,
> peter
> 
> 
> ------------------------------------------------------------------------
> 
> --- /root/public_html/policy/nsa/file_contexts/program/ntpd.fc	2004-06-25 23:02:43.000000000 +0300
> +++ /etc/security/selinux/src/policy/file_contexts/program/ntpd.fc	2004-10-05 10:20:01.034334096 +0300
> @@ -10,3 +10,11 @@
>  /var/run/ntpd.pid		--	system_u:object_r:ntpd_var_run_t
>  /etc/cron\.(daily|weekly)/ntp-simple -- system_u:object_r:ntpd_exec_t
>  /etc/cron\.(daily|weekly)/ntp-server -- system_u:object_r:ntpd_exec_t
> +
> +ifdef(`distro_gentoo', `
> +/usr/bin/ntpd			--	system_u:object_r:ntpd_exec_t
> +/usr/bin/ntpdate		--	system_u:object_r:ntpd_exec_t
> +
> +# for net-misc/openntpd
> +/etc/ntpd\.conf			--	system_u:object_r:net_conf_t
> +')
> --- /root/public_html/policy/nsa/domains/program/unused/ntpd.te	2004-10-02 01:38:20.000000000 +0300
> +++ /etc/security/selinux/src/policy/domains/program/ntpd.te	2004-10-05 04:23:53.935260872 +0300
> @@ -69,3 +69,8 @@
>  ifdef(`firstboot.te', `
>  dontaudit ntpd_t firstboot_t:fd { use };
>  ')
> +
> +ifdef(`distro_gentoo', `
> +allow ntpd_t self:capability { sys_chroot kill };
> +')
> +


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: gentoo diff for ntpd

[petre rodan]

[-- Attachment #1.1: Type: text/plain, Size: 668 bytes --]


Hi!

Joshua Brindle wrote:
> Since peter forgot to introduce himself :) he just started with gentoo 
> to give us some badly needed policy help which will hopefully allow us 
> to start sending more policy upstream. Thanks peter
> 
> Also, this diff is to make openntpd work with the current ntp policy, so 
>  a tunable other than distro_gentoo might be appropriate, or none at all.
> 
> Joshua Brindle

this is a new diff with distro_gentoo ifdefs dropped.
also, logrotate is not part of the gentoo base-policy and it shouldn't be a dependency for ntpd, so I'm also ifdef-ing that.

bye,
peter

-- 
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux

[-- Attachment #1.2: ntpd.diff --]
[-- Type: text/plain, Size: 2129 bytes --]

--- /root/public_html/policy/nsa/domains/program/unused/ntpd.te	2004-10-02 01:38:20.000000000 +0300
+++ /etc/security/selinux/src/policy/domains/program/ntpd.te	2004-10-06 04:37:19.999115040 +0300
@@ -22,7 +22,7 @@
 # for SSP
 allow ntpd_t urandom_device_t:chr_file read;
 
-allow ntpd_t self:capability { setgid setuid sys_time net_bind_service ipc_lock };
+allow ntpd_t self:capability { setgid setuid sys_time net_bind_service ipc_lock sys_chroot kill };
 allow ntpd_t self:process { setcap setsched };
 # ntpdate wants sys_nice
 dontaudit ntpd_t self:capability { fsetid sys_nice };
@@ -50,7 +50,7 @@
 can_exec(ntpd_t, initrc_exec_t)
 allow ntpd_t self:fifo_file { read write getattr };
 allow ntpd_t etc_runtime_t:file r_file_perms;
-can_exec(ntpd_t, { bin_t shell_exec_t sbin_t ls_exec_t logrotate_exec_t ntpd_exec_t })
+can_exec(ntpd_t, { bin_t shell_exec_t sbin_t ls_exec_t ntpd_exec_t })
 allow ntpd_t { sbin_t bin_t }:dir search;
 allow ntpd_t bin_t:lnk_file read;
 allow ntpd_t sysctl_kernel_t:dir search;
@@ -59,6 +59,7 @@
 allow ntpd_t sysadm_home_dir_t:dir r_dir_perms;
 allow ntpd_t self:file { getattr read };
 dontaudit ntpd_t domain:dir search;
+ifdef(`logrotate.te', `can_exec(ntpd_t,logrotate_exec_t)')
 ')
 
 allow ntpd_t devtty_t:chr_file rw_file_perms;
--- /root/public_html/policy/nsa/file_contexts/program/ntpd.fc	2004-06-25 23:02:43.000000000 +0300
+++ /etc/security/selinux/src/policy/file_contexts/program/ntpd.fc	2004-10-06 04:39:01.740647976 +0300
@@ -1,9 +1,9 @@
 /var/lib/ntp(/.*)?			system_u:object_r:ntp_drift_t
 /etc/ntp/data(/.*)?			system_u:object_r:ntp_drift_t
-/etc/ntp\.conf			--	system_u:object_r:net_conf_t
+/etc/ntp(d)?\.conf		--	system_u:object_r:net_conf_t
 /etc/ntp/step-tickers		--	system_u:object_r:net_conf_t
-/usr/sbin/ntpd			--	system_u:object_r:ntpd_exec_t
-/usr/sbin/ntpdate		--	system_u:object_r:ntpd_exec_t
+/usr/(s)?bin/ntpd		--	system_u:object_r:ntpd_exec_t
+/usr/(s)?bin/ntpdate		--	system_u:object_r:ntpd_exec_t
 /var/log/ntpstats(/.*)?			system_u:object_r:ntpd_log_t
 /var/log/ntpd.*			--	system_u:object_r:ntpd_log_t
 /var/log/xntpd.*		--	system_u:object_r:ntpd_log_t

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 252 bytes --]

Re: gentoo diff for ntpd

[Russell Coker]

[-- Attachment #1: Type: text/plain, Size: 1536 bytes --]

On Wed, 6 Oct 2004 20:49, petre rodan <kaiowas@gentoo.org> wrote:
> this is a new diff with distro_gentoo ifdefs dropped.
> also, logrotate is not part of the gentoo base-policy and it shouldn't be a
> dependency for ntpd, so I'm also ifdef-ing that.

Having daemon binaries in /usr/bin instead of /usr/sbin is a bug.

ntpd and ntpdate can not be used by regular users, they can only be used by 
the administrator.  Therefore any distribution that follows the LSB (or the 
FHS which the LSB is based on) will put them in /usr/sbin.  Here is the 
relevant section of the FHS:

4.6 /usr/sbin : Non-essential standard system binaries

This directory contains any non-essential binaries used exclusively by the
system administrator. System administration programs that are required for
system repair, system recovery, mounting /usr, or other essential functions
should be placed in /sbin instead.


Those .fc entries for /usr/bin can go in under ifdef(`distro_gentoo' if Gentoo 
does not follow the FHS.  Otherwise it's best to file a bug in the Gentoo bug 
system requesting that the files be moved.

I've attached a patch which has the changes I think belong in the CVS at this 
time.  Note that I changed the order of the capabilities so that they match 
the order of capability.h .

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: ntpd.diff --]
[-- Type: text/x-diff, Size: 1784 bytes --]

--- /usr/src/se/policy/domains/program/unused/ntpd.te	2004-09-29 00:49:58.000000000 +1000
+++ domains/program/unused/ntpd.te	2004-10-07 16:59:59.000000000 +1000
@@ -22,7 +22,7 @@
 # for SSP
 allow ntpd_t urandom_device_t:chr_file read;
 
-allow ntpd_t self:capability { setgid setuid sys_time net_bind_service ipc_lock };
+allow ntpd_t self:capability { kill setgid setuid sys_time net_bind_service ipc_lock sys_chroot };
 allow ntpd_t self:process { setcap setsched };
 # ntpdate wants sys_nice
 dontaudit ntpd_t self:capability { fsetid sys_nice };
@@ -50,7 +50,7 @@
 can_exec(ntpd_t, initrc_exec_t)
 allow ntpd_t self:fifo_file { read write getattr };
 allow ntpd_t etc_runtime_t:file r_file_perms;
-can_exec(ntpd_t, { bin_t shell_exec_t sbin_t ls_exec_t logrotate_exec_t ntpd_exec_t })
+can_exec(ntpd_t, { bin_t shell_exec_t sbin_t ls_exec_t ntpd_exec_t })
 allow ntpd_t { sbin_t bin_t }:dir search;
 allow ntpd_t bin_t:lnk_file read;
 allow ntpd_t sysctl_kernel_t:dir search;
@@ -59,6 +59,7 @@
 allow ntpd_t sysadm_home_dir_t:dir r_dir_perms;
 allow ntpd_t self:file { getattr read };
 dontaudit ntpd_t domain:dir search;
+ifdef(`logrotate.te', `can_exec(ntpd_t, logrotate_exec_t)')
 ')
 
 allow ntpd_t devtty_t:chr_file rw_file_perms;
--- /usr/src/se/policy/file_contexts/program/ntpd.fc	2004-06-17 15:10:43.000000000 +1000
+++ file_contexts/program/ntpd.fc	2004-10-07 17:00:11.000000000 +1000
@@ -1,6 +1,6 @@
 /var/lib/ntp(/.*)?			system_u:object_r:ntp_drift_t
 /etc/ntp/data(/.*)?			system_u:object_r:ntp_drift_t
-/etc/ntp\.conf			--	system_u:object_r:net_conf_t
+/etc/ntp(d)?\.conf		--	system_u:object_r:net_conf_t
 /etc/ntp/step-tickers		--	system_u:object_r:net_conf_t
 /usr/sbin/ntpd			--	system_u:object_r:ntpd_exec_t
 /usr/sbin/ntpdate		--	system_u:object_r:ntpd_exec_t

Re: gentoo diff for ntpd

[petre rodan]

[-- Attachment #1: Type: text/plain, Size: 794 bytes --]


Hi Russell,

Russell Coker wrote:
> On Wed, 6 Oct 2004 20:49, petre rodan <kaiowas@gentoo.org> wrote:
> 
>>this is a new diff with distro_gentoo ifdefs dropped.
>>also, logrotate is not part of the gentoo base-policy and it shouldn't be a
>>dependency for ntpd, so I'm also ifdef-ing that.
> 
> 
> Having daemon binaries in /usr/bin instead of /usr/sbin is a bug.
> 
> ntpd and ntpdate can not be used by regular users, they can only be used by 
> the administrator.  Therefore any distribution that follows the LSB (or the 
> FHS which the LSB is based on) will put them in /usr/sbin.

You are correct. I have sent patches to gentoo bugzilla and upstream.
Let's hope at least one of those will like the idea.

bye,
peter

-- 
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 252 bytes --]

Re: gentoo diff for ntpd

[James Carter]

Merged.

On Thu, 2004-10-07 at 03:02, Russell Coker wrote:
> On Wed, 6 Oct 2004 20:49, petre rodan <kaiowas@gentoo.org> wrote:
> > this is a new diff with distro_gentoo ifdefs dropped.
> > also, logrotate is not part of the gentoo base-policy and it shouldn't be a
> > dependency for ntpd, so I'm also ifdef-ing that.
> 
> Having daemon binaries in /usr/bin instead of /usr/sbin is a bug.
> 
> ntpd and ntpdate can not be used by regular users, they can only be used by 
> the administrator.  Therefore any distribution that follows the LSB (or the 
> FHS which the LSB is based on) will put them in /usr/sbin.  Here is the 
> relevant section of the FHS:
> 
> 4.6 /usr/sbin : Non-essential standard system binaries
> 
> This directory contains any non-essential binaries used exclusively by the
> system administrator. System administration programs that are required for
> system repair, system recovery, mounting /usr, or other essential functions
> should be placed in /sbin instead.
> 
> 
> Those .fc entries for /usr/bin can go in under ifdef(`distro_gentoo' if Gentoo 
> does not follow the FHS.  Otherwise it's best to file a bug in the Gentoo bug 
> system requesting that the files be moved.
> 
> I've attached a patch which has the changes I think belong in the CVS at this 
> time.  Note that I changed the order of the capabilities so that they match 
> the order of capability.h .
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.