gentoo diff for snmpd

gentoo diff for snmpd

[petre rodan]

[-- Attachment #1.1: Type: text/plain, Size: 240 bytes --]


Hi,

gentoo as a special context for /proc/net:
genfscon proc /net  system_u:object_r:proc_net_t

so a small diff is needed for the snmpd policy. attached.

bye,
peter

-- 
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux

[-- Attachment #1.2: selinux-snmpd.diff --]
[-- Type: text/plain, Size: 1124 bytes --]

--- /root/public_html/policy/nsa/domains/program/unused/snmpd.te	2004-11-08 11:44:39.000000000 +0200
+++ /root/cvs/cvs.gentoo.org/gentoo-projects/selinux/snmpd/snmpd.te	2004-11-09 10:03:15.000000000 +0200
@@ -70,6 +70,12 @@
 ')
 allow snmpd_t var_lib_nfs_t:dir search;
 
+ifdef(`distro_gentoo', `
+# needed in order to retrieve net traffic data
+allow snmpd_t proc_net_t:dir search;
+allow snmpd_t proc_net_t:file r_file_perms;
+')
+
 dontaudit snmpd_t domain:dir { getattr search };
 
 dontaudit snmpd_t selinux_config_t:dir search;
--- /root/public_html/policy/nsa/file_contexts/program/snmpd.fc	2004-10-21 12:56:53.000000000 +0300
+++ /root/cvs/cvs.gentoo.org/gentoo-projects/selinux/snmpd/snmpd.fc	2004-10-28 11:53:07.000000000 +0300
@@ -1,6 +1,7 @@
 # snmpd
 /usr/sbin/snmp(trap)?d	--	system_u:object_r:snmpd_exec_t
 /var/lib/snmp(/.*)?		system_u:object_r:snmpd_var_lib_t
+/var/lib/net-snmp(/.*)?	system_u:object_r:snmpd_var_lib_t
 /etc/snmp/snmp(trap)?d\.conf -- system_u:object_r:snmpd_etc_t
 /usr/share/snmp/mibs/\.index -- system_u:object_r:snmpd_var_lib_t
 /var/run/snmpd\.pid	--	system_u:object_r:snmpd_var_run_t

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 252 bytes --]

Re: gentoo diff for snmpd

[Thomas Bleher]

[-- Attachment #1: Type: text/plain, Size: 418 bytes --]

* petre rodan <kaiowas@gentoo.org> [2004-11-15 18:04]:
> gentoo as a special context for /proc/net:
> genfscon proc /net  system_u:object_r:proc_net_t

This seems generally useful.
Care to provide a patch which adds this genfscon line plus the necessary
policy?

Thomas

-- 
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA  D09E C562 2BAE B2F4 ABE7

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: gentoo diff for snmpd

[petre rodan]

[-- Attachment #1: Type: text/plain, Size: 606 bytes --]


Hi Thomas,

Thomas Bleher wrote:
> * petre rodan <kaiowas@gentoo.org> [2004-11-15 18:04]:
> 
>>gentoo as a special context for /proc/net:
>>genfscon proc /net  system_u:object_r:proc_net_t
> 
> 
> This seems generally useful.
> Care to provide a patch which adds this genfscon line plus the necessary
> policy?
> 
> Thomas

Chris is currently working on a base-policy patch that will be sent here. I'm not sure if that will also contain proc_net-related rules.

If he wants it, I can come up with a diff about this issue.

bye,
peter

-- 
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 252 bytes --]

Re: gentoo diff for snmpd

[James Carter]

Merged.

Oops, there is no proc_net_t defined.
Petre, could you send me the proc_net_t stuff as well.

On Mon, 2004-11-15 at 11:20, petre rodan wrote:
> Hi,
> 
> gentoo as a special context for /proc/net:
> genfscon proc /net  system_u:object_r:proc_net_t
> 
> so a small diff is needed for the snmpd policy. attached.
> 
> bye,
> peter
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: gentoo diff for snmpd

[petre rodan]

[-- Attachment #1.1: Type: text/plain, Size: 475 bytes --]


Hi James,

James Carter wrote:
> Merged.
> 
> Oops, there is no proc_net_t defined.
> Petre, could you send me the proc_net_t stuff as well.

please see the attachment.

> On Mon, 2004-11-15 at 11:20, petre rodan wrote:
> 
>>Hi,
>>
>>gentoo as a special context for /proc/net:
>>genfscon proc /net  system_u:object_r:proc_net_t
>>
>>so a small diff is needed for the snmpd policy. attached.

bye,
peter

-- 
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux

[-- Attachment #1.2: proc_net_t.diff --]
[-- Type: text/plain, Size: 4668 bytes --]

Index: policy/genfs_contexts
===================================================================
RCS file: /cvsroot/selinux/nsa/selinux-usr/policy/genfs_contexts,v
retrieving revision 1.16
diff -u -B -r1.16 genfs_contexts
--- policy/genfs_contexts	8 Oct 2004 17:56:47 -0000	1.16
+++ policy/genfs_contexts	19 Nov 2004 13:31:04 -0000
@@ -36,6 +36,7 @@
 genfscon proc /kcore			system_u:object_r:proc_kcore_t
 genfscon proc /mdstat			system_u:object_r:proc_mdstat_t
 genfscon proc /mtrr			system_u:object_r:mtrr_device_t
+genfscon proc /net			system_u:object_r:proc_net_t
 genfscon proc /sysvipc			system_u:object_r:proc_t
 genfscon proc /sys			system_u:object_r:sysctl_t
 genfscon proc /sys/kernel		system_u:object_r:sysctl_kernel_t
Index: policy/domains/program/ifconfig.te
===================================================================
RCS file: /cvsroot/selinux/nsa/selinux-usr/policy/domains/program/ifconfig.te,v
retrieving revision 1.9
diff -u -B -r1.9 ifconfig.te
--- policy/domains/program/ifconfig.te	10 Sep 2004 14:45:48 -0000	1.9
+++ policy/domains/program/ifconfig.te	19 Nov 2004 13:31:04 -0000
@@ -38,8 +38,8 @@
 allow ifconfig_t { kernel_t init_t }:fd use;
 
 # Access /proc
-allow ifconfig_t proc_t:dir r_dir_perms;
-allow ifconfig_t proc_t:file r_file_perms;
+allow ifconfig_t { proc_t proc_net_t }:dir r_dir_perms;
+allow ifconfig_t { proc_t proc_net_t }:file r_file_perms;
 
 allow ifconfig_t privfd:fd use;
 allow ifconfig_t run_init_t:fd use;
Index: policy/domains/program/unused/iptables.te
===================================================================
RCS file: /cvsroot/selinux/nsa/selinux-usr/policy/domains/program/unused/iptables.te,v
retrieving revision 1.13
diff -u -B -r1.13 iptables.te
--- policy/domains/program/unused/iptables.te	8 Nov 2004 20:57:04 -0000	1.13
+++ policy/domains/program/unused/iptables.te	19 Nov 2004 13:31:04 -0000
@@ -54,6 +54,8 @@
 ifdef(`gnome-pty-helper.te', `allow iptables_t sysadm_gph_t:fd use;')
 
 allow iptables_t proc_t:file { getattr read };
+allow iptables_t proc_net_t:dir { search };
+allow iptables_t proc_net_t:file { read getattr };
 
 # system-config-network appends to /var/log
 allow iptables_t var_log_t:file append;
Index: policy/domains/program/unused/rpcd.te
===================================================================
RCS file: /cvsroot/selinux/nsa/selinux-usr/policy/domains/program/unused/rpcd.te,v
retrieving revision 1.26
diff -u -B -r1.26 rpcd.te
--- policy/domains/program/unused/rpcd.te	8 Nov 2004 20:57:04 -0000	1.26
+++ policy/domains/program/unused/rpcd.te	19 Nov 2004 13:31:04 -0000
@@ -71,6 +71,7 @@
 
 # for /proc/fs/nfs/exports - should we have a new type?
 allow nfsd_t proc_t:file r_file_perms;
+allow nfsd_t proc_net_t:dir search;
 allow nfsd_t exports_t:file { getattr read };
 
 allow nfsd_t nfsd_fs_t:filesystem mount;
Index: policy/macros/global_macros.te
===================================================================
RCS file: /cvsroot/selinux/nsa/selinux-usr/policy/macros/global_macros.te,v
retrieving revision 1.46
diff -u -B -r1.46 global_macros.te
--- policy/macros/global_macros.te	17 Nov 2004 19:51:54 -0000	1.46
+++ policy/macros/global_macros.te	19 Nov 2004 13:31:05 -0000
@@ -214,6 +214,8 @@
 # Read system information files in /proc.
 allow $1 proc_t:dir r_dir_perms;
 allow $1 proc_t:notdevfile_class_set r_file_perms;
+allow $1 proc_net_t:dir r_dir_perms;
+allow $1 proc_net_t:file r_file_perms;
 allow $1 proc_mdstat_t:file r_file_perms;
 
 # Stat /proc/kmsg and /proc/kcore.
Index: policy/macros/program/vmware_macros.te
===================================================================
RCS file: /cvsroot/selinux/nsa/selinux-usr/policy/macros/program/vmware_macros.te,v
retrieving revision 1.3
diff -u -B -r1.3 vmware_macros.te
--- policy/macros/program/vmware_macros.te	17 Nov 2004 19:51:55 -0000	1.3
+++ policy/macros/program/vmware_macros.te	19 Nov 2004 13:31:05 -0000
@@ -55,6 +55,8 @@
 
 # Access /proc
 r_dir_file($1_vmware_t, proc_t)
+allow $1_vmware_t proc_net_t:dir search;
+allow $1_vmware_t proc_net_t:file { getattr read };
 
 # Access to some files in the user home directory
 r_dir_file($1_vmware_t, $1_home_t)
Index: policy/types/procfs.te
===================================================================
RCS file: /cvsroot/selinux/nsa/selinux-usr/policy/types/procfs.te,v
retrieving revision 1.7
diff -u -B -r1.7 procfs.te
--- policy/types/procfs.te	22 Sep 2004 20:19:14 -0000	1.7
+++ policy/types/procfs.te	19 Nov 2004 13:31:05 -0000
@@ -17,6 +17,7 @@
 type proc_kmsg_t, proc_fs;
 type proc_kcore_t, proc_fs;
 type proc_mdstat_t, proc_fs;
+type proc_net_t, proc_fs;
 
 #
 # sysctl_t is the type of /proc/sys.

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 252 bytes --]

Re: gentoo diff for snmpd

[James Carter]

I put an "ifdef(`distro_gentoo'" around all of these rules and merged
them.


On Fri, 2004-11-19 at 08:41, petre rodan wrote:
> Hi James,
> 
> James Carter wrote:
> > Merged.
> > 
> > Oops, there is no proc_net_t defined.
> > Petre, could you send me the proc_net_t stuff as well.
> 
> please see the attachment.
> 
> > On Mon, 2004-11-15 at 11:20, petre rodan wrote:
> > 
> >>Hi,
> >>
> >>gentoo as a special context for /proc/net:
> >>genfscon proc /net  system_u:object_r:proc_net_t
> >>
> >>so a small diff is needed for the snmpd policy. attached.
> 
> bye,
> peter
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: gentoo diff for snmpd

[Daniel J Walsh]

James Carter wrote:

>I put an "ifdef(`distro_gentoo'" around all of these rules and merged
>them.
>
>  
>
Are you sure the proc_net changes are specific to gentoo?

>On Fri, 2004-11-19 at 08:41, petre rodan wrote:
>  
>
>>Hi James,
>>
>>James Carter wrote:
>>    
>>
>>>Merged.
>>>
>>>Oops, there is no proc_net_t defined.
>>>Petre, could you send me the proc_net_t stuff as well.
>>>      
>>>
>>please see the attachment.
>>
>>    
>>
>>>On Mon, 2004-11-15 at 11:20, petre rodan wrote:
>>>
>>>      
>>>
>>>>Hi,
>>>>
>>>>gentoo as a special context for /proc/net:
>>>>genfscon proc /net  system_u:object_r:proc_net_t
>>>>
>>>>so a small diff is needed for the snmpd policy. attached.
>>>>        
>>>>
>>bye,
>>peter
>>    
>>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: gentoo diff for snmpd

[James Carter]

On Sun, 2004-11-21 at 00:08, Daniel J Walsh wrote:
> James Carter wrote:
> 
> >I put an "ifdef(`distro_gentoo'" around all of these rules and merged
> >them.
> >
> >  
> >
> Are you sure the proc_net changes are specific to gentoo?

I don't see why it couldn't be used in the other distributions.  
I guess I put the ifdef's in because I knew only Gentoo was using it.  I
don't have a problem with the ifdef's being removed.

-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.