* cvs and mta
From: Junji Kanemaru @ 2005-07-13 8:45 UTC (permalink / raw)
To: selinux
Hi,
I recently upgraded to fc4 and am having a problem with my pserver (cvs):
it no longer sends out checkin mail.
I was messing around with SELinux policy and realized that there's no
TE and FC defined for such use.
I guess /var/cvs should be cvs_data_t and cvs.te should have entries
to allow cvs to invoke the MTA.
I fixed my policy using audit2allow but it is a dirty fix and not safe;
I have a whole bunch of "allow" lines in it now.
Is there a patch already there?
-- Junji
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: cvs and mta
From: Daniel J Walsh @ 2005-07-13 10:23 UTC (permalink / raw)
To: Junji Kanemaru; +Cc: selinux
Junji Kanemaru wrote:
>Hi,
>
>I recently upgraded to fc4 and am having a problem with my pserver (cvs):
>it no longer sends out checkin mail.
>I was messing around with SELinux policy and realized that there's no
>TE and FC defined for such use.
>I guess /var/cvs should be cvs_data_t and cvs.te should have entries
>to allow cvs to invoke the MTA.
>I fixed my policy using audit2allow but it is a dirty fix and not safe;
>I have a whole bunch of "allow" lines in it now.
>Is there a patch already there?
>
>-- Junji
>
Does adding the line
typeattribute cvs_t privmail;
help?
* Re: cvs and mta
From: Junji Kanemaru @ 2005-07-14 2:55 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: selinux
Daniel J Walsh wrote:
> Does adding the line
>
> typeattribute cvs_t privmail;
>
> help?
It helped. It reduced the "allow" lines by about half.
I still needed to have the following:
allow cvs_t bin_t:dir search;
allow cvs_t bin_t:file { execute execute_no_trans getattr read };
allow cvs_t bin_t:lnk_file read;
allow cvs_t default_t:dir search;
allow cvs_t default_t:lnk_file read;
allow cvs_t devtty_t:chr_file { read write };
allow cvs_t etc_runtime_t:file { getattr read };
allow cvs_t sbin_t:dir search;
allow cvs_t sbin_t:lnk_file read;
allow cvs_t shadow_t:file read;
allow cvs_t shell_exec_t:file { execute execute_no_trans getattr read };
allow system_mail_t cvs_data_t:file read;
Is there any simple way to do the above?
Thanks,
-- Junji
* Re: cvs and mta
From: Daniel J Walsh @ 2005-07-14 10:48 UTC (permalink / raw)
To: Junji Kanemaru; +Cc: selinux
Junji Kanemaru wrote:
>Daniel J Walsh wrote:
>
>
>>Does adding the line
>>
>>typeattribute cvs_t privmail;
>>
>>help?
>>
>>
>
>It helped. It reduced the "allow" lines by about half.
>I still needed to have the following:
>
>allow cvs_t bin_t:dir search;
>allow cvs_t bin_t:file { execute execute_no_trans getattr read };
>allow cvs_t bin_t:lnk_file read;
>allow cvs_t default_t:dir search;
>allow cvs_t default_t:lnk_file read;
>allow cvs_t devtty_t:chr_file { read write };
>allow cvs_t etc_runtime_t:file { getattr read };
>allow cvs_t sbin_t:dir search;
>allow cvs_t sbin_t:lnk_file read;
>allow cvs_t shadow_t:file read;
>allow cvs_t shell_exec_t:file { execute execute_no_trans getattr read };
>allow system_mail_t cvs_data_t:file read;
>
>Is there any simple way to do the above?
>
>Thanks,
>
>-- Junji
>
>
How about the following?
What is it looking at that is marked default_t? I don't like those rules.
#DESC cvs - Concurrent Versions System
#
# Author: Dan Walsh <dwalsh@redhat.com>
#
# Depends: inetd.te
#################################
#
# Rules for the cvs_t domain.
#
# cvs_exec_t is the type of the cvs executable.
#
inetd_child_domain(cvs, tcp)
typeattribute cvs_t privmail;
typeattribute cvs_t auth_chkpwd;
type cvs_data_t, file_type, sysadmfile;
create_dir_file(cvs_t, cvs_data_t)
can_exec(cvs_t, { bin_t sbin_t shell_exec_t })
allow cvs_t etc_runtime_t:file { getattr read };
allow system_mail_t cvs_data_t:file { getattr read };
dontaudit cvs_t devtty_t:chr_file { read write };
allow cvs_t default_t:dir search;
allow cvs_t default_t:lnk_file read;
* Re: cvs and mta
From: Daniel J Walsh @ 2005-07-14 10:58 UTC (permalink / raw)
To: Junji Kanemaru; +Cc: selinux
Junji Kanemaru wrote:
>Daniel J Walsh wrote:
>
>
>>Does adding the line
>>
>>typeattribute cvs_t privmail;
>>
>>help?
>>
>>
>
>It helped. It reduced the "allow" lines by about half.
>I still needed to have the following:
>
>allow cvs_t bin_t:dir search;
>allow cvs_t bin_t:file { execute execute_no_trans getattr read };
>allow cvs_t bin_t:lnk_file read;
>allow cvs_t default_t:dir search;
>allow cvs_t default_t:lnk_file read;
>allow cvs_t devtty_t:chr_file { read write };
>allow cvs_t etc_runtime_t:file { getattr read };
>allow cvs_t sbin_t:dir search;
>allow cvs_t sbin_t:lnk_file read;
>allow cvs_t shadow_t:file read;
>allow cvs_t shell_exec_t:file { execute execute_no_trans getattr read };
>allow system_mail_t cvs_data_t:file read;
>
>Is there any simple way to do the above?
>
>Thanks,
>
>-- Junji
>
>
How about the following?
What is it looking at that is marked default_t? I don't like those rules.
#DESC cvs - Concurrent Versions System
#
# Author: Dan Walsh <dwalsh@redhat.com>
#
# Depends: inetd.te
#################################
#
# Rules for the cvs_t domain.
#
# cvs_exec_t is the type of the cvs executable.
#
inetd_child_domain(cvs, tcp)
typeattribute cvs_t privmail;
typeattribute cvs_t auth_chkpwd;
type cvs_data_t, file_type, sysadmfile;
create_dir_file(cvs_t, cvs_data_t)
can_exec(cvs_t, { bin_t sbin_t shell_exec_t })
allow cvs_t etc_runtime_t:file { getattr read };
allow system_mail_t cvs_data_t:file { getattr read };
dontaudit cvs_t devtty_t:chr_file { read write };
allow cvs_t default_t:dir search;
allow cvs_t default_t:lnk_file read;
* Re: cvs and mta
From: Junji Kanemaru @ 2005-07-15 12:39 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: selinux
> How about the following?
Thanks. I'll try it next week since I'm out of the office now.
> What is it looking at that is marked default_t? I don't like those rules.
I used to have a cvs user on the server which was shared by
developers to access the cvs repo.
I moved them to /var/cvs now, so it shouldn't be needed anymore.
Thank you for your help.
-- Junji
* Re: cvs and mta
From: Junji Kanemaru @ 2005-07-20 14:03 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: selinux
The following worked. I still need cvs_t to have access to bin:dir,
bin:lnk_file and sbin:lnk_file though.
#DESC cvs - Concurrent Versions System
#
# Author: Dan Walsh <dwalsh@redhat.com>
#
# Depends: inetd.te
#################################
#
# Rules for the cvs_t domain.
#
# cvs_exec_t is the type of the cvs executable.
#
inetd_child_domain(cvs, tcp)
typeattribute cvs_t privmail;
typeattribute cvs_t auth_chkpwd;
type cvs_data_t, file_type, sysadmfile;
create_dir_file(cvs_t, cvs_data_t)
can_exec(cvs_t, { bin_t sbin_t shell_exec_t })
allow cvs_t etc_runtime_t:file { getattr read };
allow system_mail_t cvs_data_t:file { getattr read };
dontaudit cvs_t devtty_t:chr_file { read write };
allow cvs_t bin_t:dir search;
allow cvs_t bin_t:lnk_file read;
allow cvs_t sbin_t:lnk_file read;
Thank you for your help.
-- Junji
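As an added example (not code from this thread, from audit2allow, or from the SELinux policy tree): a small Python script that does what audit2allow did for Junji's first "dirty fix", merging AVC denials into allow rules, and then flags the rules that the final cvs.te above expresses through an attribute or macro instead (auth_chkpwd for shadow_t, can_exec for bin_t/sbin_t/shell_exec_t). The AVC lines, the regex and the PREFERRED table are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed AVC denial lines in the FC4-era audit format (sample input, not real logs).
AVC_LINES = """\
audit(1121234567.101:40): avc:  denied  { search } for  pid=2101 comm="cvs" name="bin" dev=hda2 ino=12 scontext=system_u:system_r:cvs_t tcontext=system_u:object_r:bin_t tclass=dir
audit(1121234567.102:41): avc:  denied  { execute } for  pid=2101 comm="cvs" name="sh" dev=hda2 ino=13 scontext=system_u:system_r:cvs_t tcontext=system_u:object_r:shell_exec_t tclass=file
audit(1121234567.103:42): avc:  denied  { execute_no_trans } for  pid=2101 comm="cvs" name="sh" dev=hda2 ino=13 scontext=system_u:system_r:cvs_t tcontext=system_u:object_r:shell_exec_t tclass=file
audit(1121234567.104:43): avc:  denied  { read } for  pid=2101 comm="cvs" name="shadow" dev=hda2 ino=14 scontext=system_u:system_r:cvs_t tcontext=system_u:object_r:shadow_t tclass=file
audit(1121234567.105:44): avc:  denied  { read } for  pid=2102 comm="sendmail" name="loginfo" dev=hda2 ino=15 scontext=system_u:system_r:system_mail_t tcontext=system_u:object_r:cvs_data_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
                    r"scontext=\S+:(?P<sdom>\w+) tcontext=\S+:(?P<ttype>\w+) tclass=(?P<tclass>\w+)")

# Raw allow rules that the thread's final cvs.te replaces with an attribute or a macro.
# (This mapping is an assumption drawn from that policy, not an audit2allow feature.)
PREFERRED = {
    ("shadow_t", "file"): "typeattribute <domain> auth_chkpwd;",
    ("bin_t", "file"): "can_exec(<domain>, bin_t)",
    ("sbin_t", "file"): "can_exec(<domain>, sbin_t)",
    ("shell_exec_t", "file"): "can_exec(<domain>, shell_exec_t)",
}

def denials_to_rules(log_text):
    """Merge AVC denials into allow rules keyed by (source, target, class), as audit2allow does."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            merged[(m["sdom"], m["ttype"], m["tclass"])].update(m["perms"].split())
    rules = []
    for (sdom, ttype, tclass), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"   # several permissions on one class get TE brace syntax
        rules.append(f"allow {sdom} {ttype}:{tclass} {p};")
    return rules

def review_rules(rules):
    """Return (rule, replacement) pairs for rules the policy already covers another way."""
    findings = []
    for rule in rules:
        parts = rule.split()          # ["allow", source, "target:class", perms...]
        sdom, target = parts[1], parts[2]
        ttype, tclass = target.split(":")
        hint = PREFERRED.get((ttype, tclass))
        if hint:
            findings.append((rule, hint.replace("<domain>", sdom)))
    return findings
```

Running denials_to_rules over a real /var/log/messages or audit.log reproduces the pile of allow lines Junji started with; review_rules is the check to run over that pile before pasting any of it into a .te file.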