From: Daniel J Walsh <dwalsh@redhat.com>
To: ivg2@cornell.edu
Cc: Jim Carter <jwcart2@epoch.ncsc.mil>, SELinux <SELinux@tycho.nsa.gov>
Subject: Re: Latest diffs
Date: Wed, 20 Jul 2005 11:02:53 -0400
Message-ID: <42DE679D.2080909@redhat.com>
In-Reply-To: <1121811396.11941.19.camel@localhost.localdomain>

Ivan Gyurdiev wrote:

>>rogram/initrc.te policy-1.25.3/domains/program/initrc.te
>>--- nsapolicy/domains/program/initrc.te	2005-07-06 17:15:06.000000000 -0400
>>+++ policy-1.25.3/domains/program/initrc.te	2005-07-19 15:41:44.000000000 -0400
>>@@ -123,7 +123,7 @@
>> allow initrc_t file_t:dir { read search getattr mounton };
>> 
>> # during boot up initrc needs to do the following
>>-allow initrc_t default_t:dir { read search getattr mounton };
>>+allow initrc_t default_t:dir { write read search getattr mounton };
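Review bot: the added `write` on `default_t:dir` for initrc_t comes with no justification; the comment above the rule only covers the existing read/search/getattr/mounton needed during boot, and the rule targets the whole default_t type rather than the directory that actually needs writing. Suggest citing the AVC line (its name= and ino= fields, as in the hotplug log quoted further down, identify the directory) and labeling that directory with its own type, so the write rule does not cover everything currently left at default_t.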
>
>Why does it need to do that?
>
Not sure.  Happens in strict policy.

>>diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.25.3/domains/program/unused/hald.te
>>--- nsapolicy/domains/program/unused/hald.te	2005-07-12 08:50:43.000000000 -0400
>>+++ policy-1.25.3/domains/program/unused/hald.te	2005-07-19 15:41:44.000000000 -0400
>>@@ -96,3 +96,7 @@
>> allow unconfined_t hald_t:dbus send_msg;
>> allow hald_t unconfined_t:dbus send_msg;
>> ')
>>+ifdef(`mount.te', `
>>+domain_auto_trans(hald_t, mount_exec_t, mount_t)
>>+')
>>+
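Review bot: `domain_auto_trans(hald_t, mount_exec_t, mount_t)` moves hald into the full mount_t domain, which is much broader than unmounting a single media type; if that is all hald needs (the thread below says unmounting removable_t), try a rule scoped to that type on the filesystem class before resorting to the transition, and put the reason in a comment above the ifdef. The trailing `+` line only adds a blank line at end of file and can be dropped.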
>
>That doesn't allow it to mount whatever it wants?
>
It is required to unmount removable_t.

>>diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.25.3/domains/program/unused/hotplug.te
>>--- nsapolicy/domains/program/unused/hotplug.te	2005-07-12 08:50:43.000000000 -0400
>>+++ policy-1.25.3/domains/program/unused/hotplug.te	2005-07-19 15:41:44.000000000 -0400
>>@@ -128,7 +128,7 @@
>> # Read /usr/lib/gconv/.*
>> allow hotplug_t lib_t:file { getattr read };
>> 
>>-allow hotplug_t self:capability { net_admin sys_tty_config mknod };
>>+allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
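Review bot: the log quoted below shows the `sys_rawio` denial coming from `cp` running in hotplug_t (capability=17) while it copies firmware, alongside a `search` denial on selinux_config_t. A denied capability check does not by itself mean the operation failed, so before allowing sys_rawio for every hotplug helper it is worth testing with a dontaudit for it and confirming whether request_firmware still fails; if the firmware load genuinely needs it, a comment naming the firmware helper as the reason should go above the rule, and the selinux_config_t search should be handled separately (dontaudit if cp is only probing the selinux config directory).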
>
>Why do we keep needing that?
>Isn't this a dangerous capability?
>I thought it was established that only dmidecode needs this.
>
Trying to get prism54 card at boot.

Jul 17 17:46:56 bureau kernel: audit(1121615214.230:2): avc:  denied  { search }
for  pid=1782 comm="cp" name="selinux" dev=dm-0 ino=27656630
scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:selinux_config_t
tclass=dir
Jul 17 17:46:56 bureau kernel: audit(1121615214.237:3): avc:  denied  {
sys_rawio } for  pid=1782 comm="cp" capability=17
scontext=system_u:system_r:hotplug_t tcontext=system_u:system_r:hotplug_t
tclass=capability
Jul 17 17:46:56 bureau kernel: prism54: request_firmware() failed for 'isl3890'
Jul 17 17:46:56 bureau kernel: eth0: could not upload firmware ('isl3890')
Jul 17 17:46:56 bureau kernel: eth0: islpci_reset: failure
Jul 17 17:46:56 bureau kernel: audit(1121615214.293:4): avc:  denied  {
sys_tty_config } for  pid=1779 comm="ip" capability=26
scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t
tclass=capability



>>+can_network_client_tcp(pptp_t)
>>+allow pptp_t { reserved_port_type port_t }:tcp_socket name_connect;
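Review bot: `{ reserved_port_type port_t }:tcp_socket name_connect` lets pptp_t connect to every reserved port type and to the generic port_t, which together cover essentially any TCP port; that is far wider than `can_network_client_tcp(pptp_t)` on its own. If the forwarded connections go to a known set of ports, declare a port type for them (the thunderbird hunk below does this with http_port_t); if the destinations really are arbitrary, say so in a comment above the rule so the breadth is clearly deliberate.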
>
>Why does it need name_connect on a reserved port?
>If it's reserved, shouldn't it have a type declared for it?
>
pptp can be set up to forward multiple connections.

>>diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.25.3/domains/program/unused/udev.te
>>--- nsapolicy/domains/program/unused/udev.te	2005-07-06 17:15:07.000000000 -0400
>>+++ policy-1.25.3/domains/program/unused/udev.te	2005-07-19 15:41:44.000000000 -0400
>>@@ -28,11 +28,12 @@
>> type udev_tdb_t, file_type, sysadmfile, dev_fs;
>> typealias udev_tdb_t alias udev_tbl_t;
>> file_type_auto_trans(udev_t, device_t, udev_tdb_t, file)
>>-allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin sys_nice mknod net_raw net_admin };
>>+allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin sys_nice mknod net_raw net_admin sys_rawio };
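Review bot: `sys_rawio` is appended to an already broad udev_t capability set (sys_admin, mknod, net_admin, net_raw) with no denial cited. Since a denied capability check does not necessarily fail the operation, test with a dontaudit before allowing it, and record the AVC line that motivated the addition in the commit message or in a comment on the rule.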
>
>Also looks dangerous - rawio.
>
>>+allow vpnc_t user_home_dir_t:dir search;
>>+allow vpnc_t user_home_t:dir search;
>
>?
>
Should remove.

>>diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/cdrecord_macros.te policy-1.25.3/macros/program/cdrecord_macros.te
>>--- nsapolicy/macros/program/cdrecord_macros.te	2005-05-02 14:06:57.000000000 -0400
>>+++ policy-1.25.3/macros/program/cdrecord_macros.te	2005-07-19 15:43:50.000000000 -0400
>>@@ -47,8 +47,11 @@
>> allow $1_cdrecord_t removable_device_t:blk_file { getattr read write ioctl };
>> allow $1_cdrecord_t scsi_generic_device_t:chr_file { getattr read write ioctl };
>> 
>>-allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid };
>>+allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
>> allow $1_cdrecord_t self:process { getsched setsched fork sigchld sigkill };
>>-
>>+allow $1_cdrecord_t $1_devpts_t:chr_file rw_file_perms;
>>+allow $1_cdrecord_t $1_home_t:dir search;
>>+allow $1_cdrecord_t $1_home_dir_t:dir r_dir_perms;
>>+allow $1_cdrecord_t $1_home_t:file r_file_perms;
>> ')
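Review bot: `dac_override` is added here without any mention in the hunk or the surrounding discussion, and it is the more consequential of the two new capabilities: $1_cdrecord_t already has setuid, and a process that can bypass DAC can read files the invoking user could not. Ask for the denial that motivated it before merging. The new $1_home_t rules are read-only (search, r_dir_perms, r_file_perms), which fits burning an image from the home directory, and the $1_devpts_t rw rule is the usual terminal access.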
>
>Same here... why is cdrecord reading the user's private documents?
>
Usually if you are creating a CD, it will be from your home dir.

>>+allow $1_thunderbird_t fs_t:filesystem getattr;
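Review bot: `fs_t:filesystem getattr` is what a statfs() call on the root filesystem checks, so the rule is low risk, but it is landing with no comment; once the cause is known (the reply below guesses mtab checks) it should be recorded above the rule so the next reviewer does not have to ask again.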
>
>Why does it need to do that?
>
Don't know.  Probably checking filesystems in mtab.

>> # GNOME support
>> ifdef(`gnome.te', `
>> gnome_application($1_thunderbird, $1)
>> gnome_file_dialog($1_thunderbird, $1)
>>+allow $1_thunderbird_t $1_gnome_settings_t:file { read write };
>
>That needs to be labeled something other than $1_gnome_settings_t.
>Which file is this? gnome_settings_t is the fallback type,
>we should be moving away from that, and towards specific
>labeling.
>
Don't know, but needed to work.  You can remove it to see which file.

>> ')
>> 
>> # Access ~/.thunderbird
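Review bot: the `$1_thunderbird_t $1_gnome_settings_t:file { read write }` rule grants read and write on the whole fallback type without identifying the file; rather than merging it as is, reproduce the denial with the rule removed, take the file name from the AVC name= field, and give that file a specific type, keeping the resulting rule inside the gnome.te ifdef as this one is.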
>>@@ -54,4 +53,7 @@
>> # RSS feeds
>> can_network_client_tcp($1_thunderbird_t, http_port_t) 
>> allow $1_thunderbird_t http_port_t:tcp_socket name_connect;
>>+
>>+allow $1_thunderbird_t self:process { execheap execmem execstack };
>>+
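Review bot: `execheap execmem execstack` are three separate checks added together, while the reply below only establishes that thunderbird does not start without execmem. Test each one individually and keep only those the denials show; execstack in particular usually points at a shared library marked as requiring an executable stack, which is better fixed in the library than allowed in policy, and a comment above the rule should name which component needs execmem.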
>
>Execmem is dangerous.
>
Maybe, but thunderbird does not run without it.
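The AVC lines quoted above are the raw material for rules like the ones under review. As an added example (my own code, not part of the thread), the Python below re-joins the wrapped log records from the message, pulls out the denial fields, and turns them into candidate allow rules while setting aside any that carry capabilities or process permissions such as sys_rawio or execmem for manual review instead of auto-allowing them; the RISKY set is my own choice of what to flag.

```python
import re
# Constructed sample: the first two AVC records quoted in the message above, kept in
# the wrapped form the mail client produced, plus one non-AVC kernel line.
SAMPLE_LOG = """\
Jul 17 17:46:56 bureau kernel: audit(1121615214.230:2): avc:  denied  { search }
for  pid=1782 comm="cp" name="selinux" dev=dm-0 ino=27656630
scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:selinux_config_t
tclass=dir
Jul 17 17:46:56 bureau kernel: audit(1121615214.237:3): avc:  denied  {
sys_rawio } for  pid=1782 comm="cp" capability=17
scontext=system_u:system_r:hotplug_t tcontext=system_u:system_r:hotplug_t
tclass=capability
Jul 17 17:46:56 bureau kernel: prism54: request_firmware() failed for 'isl3890'
"""
SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
                    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\w+)")
# Permissions a reviewer should look at by hand rather than auto-allow (my own choice).
RISKY = {"sys_rawio", "sys_admin", "dac_override", "execmem", "execheap", "execstack"}

def parse_avc(text):
    """Re-join wrapped syslog records and extract the fields of each AVC denial."""
    records = []
    for line in text.splitlines():
        if SYSLOG_START.match(line) or not records:
            records.append(line)
        else:                                   # continuation of a wrapped record
            records[-1] += " " + line.strip()
    denials = []
    for rec in records:
        m = AVC_RE.search(rec)
        if not m:                               # not an AVC line (e.g. the prism54 message)
            continue
        comm = re.search(r'comm="([^"]*)"', rec)
        denials.append({"perms": set(m.group("perms").split()),
                        "comm": comm.group(1) if comm else None,
                        # contexts are user:role:type; these 2005 logs carry no MLS field
                        "stype": m.group("sctx").split(":")[2],
                        "ttype": m.group("tctx").split(":")[2],
                        "tclass": m.group("tclass")})
    return denials

def to_rules(denials):
    """Merge denials into allow rules; return (plain rules, rules needing manual review)."""
    grouped = {}
    for d in denials:
        grouped.setdefault((d["stype"], d["ttype"], d["tclass"]), set()).update(d["perms"])
    rules, review = [], []
    for (src, tgt, cls), perms in grouped.items():
        rule = f"allow {src} {'self' if src == tgt else tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        (review if perms & RISKY else rules).append(rule)
    return rules, review
```

Running it on the sample yields one plain rule for the selinux_config_t search and puts the sys_rawio capability rule in the review list, which is exactly the split this thread is arguing about.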

