* policy issues in 2.3.18-10 - sshd & polyinstantiation
@ 2006-10-17 21:11 Michael C Thompson
  2006-10-17 22:12 ` Klaus Weidner
  0 siblings, 1 reply; 5+ messages in thread
From: Michael C Thompson @ 2006-10-17 21:11 UTC (permalink / raw)
  To: lspp-list, Daniel J Walsh, SE Linux

So polyinstantiation is broken, it used to work at one point. The 
following is the log of what seems to be causing the failure. I'm 
looking into this, but it would be nice to have someone more adept at 
policy wrangling to jump in and save the day.

Thanks,
Mike


type=USER_AUTH msg=audit(1161119055.423:230): user pid=2095 uid=0 
auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM: 
authentication acct=ealuser : exe="/usr/sbin/sshd" 
(hostname=pendarric.austin.ibm.com, addr=9.41.46.108, terminal=ssh 
res=success)'
type=USER_ACCT msg=audit(1161119055.443:231): user pid=2095 uid=0 
auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM: 
accounting acct=ealuser : exe="/usr/sbin/sshd" 
(hostname=pendarric.austin.ibm.com, addr=9.41.46.108, terminal=ssh 
res=success)'
type=LOGIN msg=audit(1161119055.455:232): login pid=2098 uid=0 old 
auid=4294967295 new auid=500

type=AVC msg=audit(1161119055.475:233): avc:  denied  { relabelfrom } 
for  pid=2098 comm="sshd" name="ealuser" dev=hda3 ino=356226 
scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 
tcontext=system_u:object_r:sshd_tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1161119055.475:233): arch=14 syscall=211 
success=no exit=-13 a0=6 a1=7f2607c a2=8084e18 a3=28 items=0 ppid=2093 
pid=2098 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 
fsgid=500 tty=(none) comm="sshd" exe="/usr/sbin/sshd" 
subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 key=(null)

type=USER_START msg=audit(1161119055.483:234): user pid=2098 uid=0
auid=500 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM: session 
open acct=ealuser : exe="/usr/sbin/sshd" 
(hostname=pendarric.austin.ibm.com, addr=9.41.46.108, terminal=ssh 
res=failed)'
type=CRED_REFR msg=audit(1161119055.487:235): user pid=2098 uid=0 
auid=500 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM: setcred 
acct=ealuser : exe="/usr/sbin/sshd" (hostname=pendarric.austin.ibm.com, 
addr=9.41.46.108, terminal=ssh res=success)'
type=USER_LOGIN msg=audit(1161119055.527:236): user pid=2093 uid=0 
auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 
msg='uid=500: exe="/usr/sbin/sshd" (hostname=pendarric.austin.ibm.com, 
addr=9.41.46.108, terminal=/dev/pts/5 res=success)'


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
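The records above can be tied together by the serial number after the colon in msg=audit(...): the AVC and the SYSCALL with serial 233 are one event, and exit=-13 on the SYSCALL is EACCES. The following parser is an added example of mine, not code from this thread; it joins the two records and reports the denial in one line (sshd_t denied relabelfrom on a dir named ealuser of type sshd_tmp_t, enforced). The sample records are copied from the message above, re-joined into one line each because the mailer wrapped them; ERRNO_NAMES and the function names are my own.

```python
import re
from collections import defaultdict

# Audit records copied from the message above and re-joined into one line
# per record (the mailer had wrapped them). Constructed sample input.
SAMPLE_AUDIT = """\
type=LOGIN msg=audit(1161119055.455:232): login pid=2098 uid=0 old auid=4294967295 new auid=500
type=AVC msg=audit(1161119055.475:233): avc:  denied  { relabelfrom } for  pid=2098 comm="sshd" name="ealuser" dev=hda3 ino=356226 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:object_r:sshd_tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1161119055.475:233): arch=14 syscall=211 success=no exit=-13 a0=6 a1=7f2607c a2=8084e18 a3=28 items=0 ppid=2093 pid=2098 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 key=(null)
type=USER_START msg=audit(1161119055.483:234): user pid=2098 uid=0 auid=500 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM: session open acct=ealuser : exe="/usr/sbin/sshd" (hostname=pendarric.austin.ibm.com, addr=9.41.46.108, terminal=ssh res=failed)'
"""

# "type=X msg=audit(timestamp:serial): rest" -- the serial ties the AVC and
# SYSCALL records of one event together.
HEADER_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
# key=value pairs; values may be 'quoted', "quoted", (parenthesised) or bare.
KV_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\([^)]*\)|\S+)""")
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}")

# Kernel return codes seen on AVC-denied syscalls (my own small mapping).
ERRNO_NAMES = {-13: "EACCES", -1: "EPERM"}


def parse_record(line):
    """Parse one audit record into a dict, or return None for non-records."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "ts": m["ts"], "serial": int(m["serial"])}
    body = m["body"]
    avc = AVC_RE.search(body)
    if avc:
        rec["verdict"] = avc["verdict"]
        rec["perms"] = avc["perms"].split()
    for key, value in KV_RE.findall(body):
        rec[key] = value.strip("'\"")
    return rec


def parse_log(text):
    """Group all records by serial number."""
    by_serial = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            by_serial[rec["serial"]].append(rec)
    return by_serial


def denials(text):
    """One summary dict per AVC denial, joined with its SYSCALL record."""
    found = []
    for serial, recs in sorted(parse_log(text).items()):
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), None)
        for avc in recs:
            if avc["type"] != "AVC" or avc.get("verdict") != "denied":
                continue
            d = {
                "serial": serial,
                "source_type": avc["scontext"].split(":")[2],
                "target_type": avc["tcontext"].split(":")[2],
                "tclass": avc["tclass"],
                "perms": avc["perms"],
                "comm": avc.get("comm"),
                "name": avc.get("name"),
            }
            if syscall is not None:
                d["exe"] = syscall.get("exe")
                d["auid"] = int(syscall["auid"])
                code = int(syscall["exit"])
                d["errno"] = ERRNO_NAMES.get(code, str(code))
                # success=no means the denial was enforced, not permissive.
                d["enforced"] = syscall.get("success") == "no"
            found.append(d)
    return found


def describe(d):
    """Render a denial the way a reviewer would read it."""
    return (f"[{d['serial']}] {d['source_type']} denied {' '.join(d['perms'])} "
            f"on {d['tclass']} {d['name']!r} of type {d['target_type']} "
            f"(comm={d['comm']}, auid={d.get('auid')}, {d.get('errno')}, "
            f"{'enforced' if d.get('enforced') else 'not enforced'})")


if __name__ == "__main__":
    for d in denials(SAMPLE_AUDIT):
        print(describe(d))
```

The target type in the denial is what to look at: the directory sshd is trying to relabel sits under a parent labelled sshd_tmp_t rather than a polyinstantiation parent type, which is the labelling problem the reply below addresses.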


* Re: policy issues in 2.3.18-10 - sshd & polyinstantiation
  2006-10-17 21:11 policy issues in 2.3.18-10 - sshd & polyinstantiation Michael C Thompson
@ 2006-10-17 22:12 ` Klaus Weidner
  2006-10-19 12:34   ` Daniel J Walsh
  0 siblings, 1 reply; 5+ messages in thread
From: Klaus Weidner @ 2006-10-17 22:12 UTC (permalink / raw)
  To: Michael C Thompson; +Cc: lspp-list, Daniel J Walsh, SE Linux


On Tue, Oct 17, 2006 at 04:11:24PM -0500, Michael C Thompson wrote:
> So polyinstantiation is broken, it used to work at one point. The 
> following is the log of what seems to be causing the failure. I'm 
> looking into this, but it would be nice to have someone more adept at 
> policy wrangling to jump in and save the day.

The current LSPP ks script sets up policy and contexts to support
polyinstantiation. I've attached the policy, here's the script fragment.
Polyinstantiation parent dirs need to be polyparent_t, and
/etc/security/namespace.init needs to be pam_exec_t or something similar.

(Don't use chcon, define persistent file contexts instead to ensure that
they don't get overwritten on the next autorelabel. And remember how nice
it is that SELinux doesn't do path based security ;-)

-Klaus

ConfigurePolyinstantiation() {

    Title " Configure polyinstantiation"

    if ShallI "Update polyinstantiation (pam_namespace) configuration"; then
        # Column 2 of namespace.conf is the instance prefix; its parent
        # directory must exist and carry the polyparent_t label.
        local DIRS=$(
                awk '/^[^#]/ {print $2}' $_BASE/$_NAMESPACE_CONF
        )
        Log "Creating base dirs: $DIRS"
        mkdir -m 0 $DIRS

        # Persistent file contexts: strip the trailing slash and escape
        # regex metacharacters (file context specs are regular expressions),
        # every occurrence, not only the first.
        local D
        for D in $DIRS; do
                semanage fcontext -a -t polyparent_t $( echo "$D" | sed '
                        s/\/$//;
                        s/\([.*?]\)/\\\1/g;
                ')
        done
        restorecon $DIRS

        # FIXME: following should be fixed in upstream package?
        semanage fcontext -a -t pam_exec_t /etc/security/namespace.init
        restorecon /etc/security/namespace.init

        Replace /etc/security/$_NAMESPACE_CONF with $_BASE/$_NAMESPACE_CONF

    else
        Log "configuration update declined."
        _FAILURE=1
    fi
}


[-- Attachment #2: lspp_policy.te --]
[-- Type: text/plain, Size: 3208 bytes --]

## Customized SELinux policy for LSPP evaluated configuration

policy_module(lspp_policy,1.0)

#############################################################################
### Additional audit
#############################################################################

gen_require(`
	attribute domain;
')

# Audit setting of security relevant process attributes
# These settings are OPTIONAL
auditallow domain self:process setcurrent;
auditallow domain self:process setexec;
auditallow domain self:process setfscreate;
#auditallow domain self:process setsocketcreate; # FIXME
#auditallow domain self:process setipccreate; # FIXME

#############################################################################
### Relabeling printer devices
#############################################################################

gen_require(`
	type secadm_t, printer_device_t;
')

allow secadm_t printer_device_t:chr_file {getattr relabelfrom relabelto};

#############################################################################
### Polyinstantiation support
#############################################################################

gen_require(`
        type newrole_t, sshd_t, local_login_t;
	type user_t, staff_t;
	type tmp_t, user_home_dir_t, staff_home_dir_t;
	type user_tmp_t, staff_tmp_t, user_home_t, staff_home_t;
	attribute userdomain;
')

type polyparent_t;
type polymember_t;
files_poly_parent(polyparent_t)
files_poly_member(polymember_t)

## FIXME: these don't work?
#allow userdomain polyparent_t:dir manage_dir_perms;
#allow userdomain polymember_t:dir manage_dir_perms;
#type_member userdomain polyparent_t:dir polymember_t;
#allow user_t polymember_t:dir manage_dir_perms;
#allow staff_t polymember_t:dir manage_dir_perms;

files_poly(tmp_t)
files_poly(user_home_dir_t)
files_poly(staff_home_dir_t)

type_member user_t tmp_t:dir user_tmp_t;
type_member staff_t tmp_t:dir staff_tmp_t;

type_member user_t user_home_dir_t:dir user_home_t;
type_member staff_t staff_home_dir_t:dir staff_home_t;

files_polyinstantiate_all(sshd_t)
files_polyinstantiate_all(local_login_t)
files_polyinstantiate_all(newrole_t)

### additional polyinst workarounds
### (FIXME, should these be fixed in refpolicy?)

gen_require(`
	type bin_t, sshd_t, newrole_t, staff_su_t, run_init_t;
')

# let newrole execute the PAM framework (it didn't do that originally)
auth_exec_pam(newrole_t)

# sshd needs to write the faillog / tallylog file
# FIXME, needs: semanage fcontext -a -t faillog_t /var/log/tallylog
auth_rw_faillog(sshd_t)
auth_rw_faillog(newrole_t)
auth_rw_faillog(staff_su_t)
auth_rw_faillog(run_init_t)

# this seems to be missing from refpolicy files_polyinstantiate_all()?
allow sshd_t polyparent_t:dir {read search create remove_name};
allow local_login_t polyparent_t:dir {read search create remove_name};
allow newrole_t polyparent_t:dir {read search create remove_name};

# need to be able to execute /etc/security/namespace.init
# (that file needs to be labeled as bin_t, default label is bad)
allow sshd_t bin_t:file {read execute execute_no_trans ioctl};
allow local_login_t bin_t:file {read execute execute_no_trans ioctl};
allow newrole_t bin_t:file {read execute execute_no_trans ioctl};



* Re: policy issues in 2.3.18-10 - sshd & polyinstantiation
  2006-10-17 22:12 ` Klaus Weidner
@ 2006-10-19 12:34   ` Daniel J Walsh
  2006-10-19 12:51     ` Stephen Smalley
  0 siblings, 1 reply; 5+ messages in thread
From: Daniel J Walsh @ 2006-10-19 12:34 UTC (permalink / raw)
  To: Klaus Weidner; +Cc: Michael C Thompson, lspp-list, SE Linux

Klaus Weidner wrote:
> On Tue, Oct 17, 2006 at 04:11:24PM -0500, Michael C Thompson wrote:
>   
>> So polyinstantiation is broken, it used to work at one point. The 
>> following is the log of what seems to be causing the failure. I'm 
>> looking into this, but it would be nice to have someone more adept at 
>> policy wrangling to jump in and save the day.
>>     
>
> The current LSPP ks script sets up policy and contexts to support
> polyinstantiation. I've attached the policy, here's the script fragment.
> Polyinstantiation parent dirs need to be polyparent_t, and
> /etc/security/namespace.init needs to be pam_exec_t or something similar.
>
> (Don't use chcon, define persistent file contexts instead to ensure that
> they don't get overwritten on the next autorelabel. And remember how nice
> it is that SELinux doesn't do path based security ;-)
>
> -Klaus
>
> ConfigurePolyinstantiation() {
>
>     Title " Configure polyinstantiation"
>
>     if ShallI "Update polyinstantiation (pam_namespace) configuration"; then
>         local DIRS=$(
>                 awk '/^[^#]/ {print $2}' $_BASE/$_NAMESPACE_CONF 
>         )
>         Log "Creating base dirs: $DIRS"
>         mkdir -m 0 $DIRS
>
>         local D
>         for D in $DIRS; do
>                 semanage fcontext -a -t polyparent_t $( echo "$D" | sed '
>                         s/\/$//;
>                         s/\([.*?]\)/\\\1/;
>                 ')
>         done
>         restorecon $DIRS
>
>         # FIXME: following should be fixed in upstream package?
>         semanage fcontext -a -t pam_exec_t /etc/security/namespace.init
>         restorecon /etc/security/namespace.init
>
>         Replace /etc/security/$_NAMESPACE_CONF with $_BASE/$_NAMESPACE_CONF
>
>     else
>         Log "configuration update declined."
>         _FAILURE=1
>     fi
> }
>
>   
> ------------------------------------------------------------------------
>
> ## Customized SELinux policy for LSPP evaluated configuration
>
> policy_module(lspp_policy,1.0)
>
> #############################################################################
> ### Additional audit
> #############################################################################
>
> gen_require(`
> 	attribute domain;
> ')
>
> # Audit setting of security relevant process attributes
> # These settings are OPTIONAL
> auditallow domain self:process setcurrent;
> auditallow domain self:process setexec;
> auditallow domain self:process setfscreate;
>   
This gives every process on the system the ability to do these 
commands.  Why do you need this?
> #auditallow domain self:process setsocketcreate; # FIXME
> #auditallow domain self:process setipccreate; # FIXME
>
> #############################################################################
> ### Relabeling printer devices
> #############################################################################
>
> gen_require(`
> 	type secadm_t, printer_device_t;
> ')
>
> allow secadm_t printer_device_t:chr_file {getattr relabelfrom relabelto};
>
>   
I have just added
        dev_relabel_all_dev_nodes(secadm_t)
in selinux-policy-2.3.19-4.

Which should cover this.

> #############################################################################
> ### Polyinstantiation support
> #############################################################################
>
> gen_require(`
>         type newrole_t, sshd_t, local_login_t;
> 	type user_t, staff_t;
> 	type tmp_t, user_home_dir_t, staff_home_dir_t;
> 	type user_tmp_t, staff_tmp_t, user_home_t, staff_home_t;
> 	attribute userdomain;
> ')
>
> type polyparent_t;
> type polymember_t;
> files_poly_parent(polyparent_t)
> files_poly_member(polymember_t)
>
>   
There is a new boolean allow_polyinstantiation, which should turn on 
some of this support.
If we are missing something, this should get back into the policy package.
> ## FIXME: these don't work?
> #allow userdomain polyparent_t:dir manage_dir_perms;
> #allow userdomain polymember_t:dir manage_dir_perms;
> #type_member userdomain polyparent_t:dir polymember_t;
> #allow user_t polymember_t:dir manage_dir_perms;
> #allow staff_t polymember_t:dir manage_dir_perms;
>
> files_poly(tmp_t)
> files_poly(user_home_dir_t)
> files_poly(staff_home_dir_t)
>
> type_member user_t tmp_t:dir user_tmp_t;
> type_member staff_t tmp_t:dir staff_tmp_t;
>
> type_member user_t user_home_dir_t:dir user_home_t;
> type_member staff_t staff_home_dir_t:dir staff_home_t;
>
> files_polyinstantiate_all(sshd_t)
> files_polyinstantiate_all(local_login_t)
> files_polyinstantiate_all(newrole_t)
>   
Only newrole_t does not have this priv in current policy. Added for 
2.3.19-4.
> ### additional polyinst workarounds
> ### (FIXME, should these be fixed in refpolicy?)
>
> gen_require(`
> 	type bin_t, sshd_t, newrole_t, staff_su_t, run_init_t;
> ')
>
> # let newrole execute the PAM framework (it didn't do that originally)
> auth_exec_pam(newrole_t)
>
> # sshd needs to write the faillog / tallylog file
> # FIXME, needs: semanage fcontext -a -t faillog_t /var/log/tallylog
> auth_rw_faillog(sshd_t)
> auth_rw_faillog(newrole_t)
> auth_rw_faillog(staff_su_t)
> auth_rw_faillog(run_init_t)
>   
Latest policy has these rules
> # this seems to be missing from refpolicy files_polyinstantiate_all()?
> allow sshd_t polyparent_t:dir {read search create remove_name};
> allow local_login_t polyparent_t:dir {read search create remove_name};
> allow newrole_t polyparent_t:dir {read search create remove_name};
>
> # need to be able to execute /etc/security/namespace.init
> # (that file needs to be labeled as bin_t, default label is bad)
> allow sshd_t bin_t:file {read execute execute_no_trans ioctl};
> allow local_login_t bin_t:file {read execute execute_no_trans ioctl};
> allow newrole_t bin_t:file {read execute execute_no_trans ioctl};
>
>   




* Re: policy issues in 2.3.18-10 - sshd & polyinstantiation
  2006-10-19 12:34   ` Daniel J Walsh
@ 2006-10-19 12:51     ` Stephen Smalley
  2006-10-19 13:24       ` Daniel J Walsh
  0 siblings, 1 reply; 5+ messages in thread
From: Stephen Smalley @ 2006-10-19 12:51 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Klaus Weidner, Michael C Thompson, lspp-list, SE Linux

On Thu, 2006-10-19 at 08:34 -0400, Daniel J Walsh wrote:
> Klaus Weidner wrote:
> > On Tue, Oct 17, 2006 at 04:11:24PM -0500, Michael C Thompson wrote:
> >   
> >> So polyinstantiation is broken, it used to work at one point. The 
> >> following is the log of what seems to be causing the failure. I'm 
> >> looking into this, but it would be nice to have someone more adept at 
> >> policy wrangling to jump in and save the day.
> >>     
> >
> > The current LSPP ks script sets up policy and contexts to support
> > polyinstantiation. I've attached the policy, here's the script fragment.
> > Polyinstantiation parent dirs need to be polyparent_t, and
> > /etc/security/namespace.init needs to be pam_exec_t or something similar.
> >
> > (Don't use chcon, define persistent file contexts instead to ensure that
> > they don't get overwritten on the next autorelabel. And remember how nice
> > it is that SELinux doesn't do path based security ;-)
> >
> > -Klaus
> >
> > ConfigurePolyinstantiation() {
> >
> >     Title " Configure polyinstantiation"
> >
> >     if ShallI "Update polyinstantiation (pam_namespace) configuration"; then
> >         local DIRS=$(
> >                 awk '/^[^#]/ {print $2}' $_BASE/$_NAMESPACE_CONF 
> >         )
> >         Log "Creating base dirs: $DIRS"
> >         mkdir -m 0 $DIRS
> >
> >         local D
> >         for D in $DIRS; do
> >                 semanage fcontext -a -t polyparent_t $( echo "$D" | sed '
> >                         s/\/$//;
> >                         s/\([.*?]\)/\\\1/;
> >                 ')
> >         done
> >         restorecon $DIRS
> >
> >         # FIXME: following should be fixed in upstream package?
> >         semanage fcontext -a -t pam_exec_t /etc/security/namespace.init
> >         restorecon /etc/security/namespace.init
> >
> >         Replace /etc/security/$_NAMESPACE_CONF with $_BASE/$_NAMESPACE_CONF
> >
> >     else
> >         Log "configuration update declined."
> >         _FAILURE=1
> >     fi
> > }
> >
> >   
> > ------------------------------------------------------------------------
> >
> > ## Customized SELinux policy for LSPP evaluated configuration
> >
> > policy_module(lspp_policy,1.0)
> >
> > #############################################################################
> > ### Additional audit
> > #############################################################################
> >
> > gen_require(`
> > 	attribute domain;
> > ')
> >
> > # Audit setting of security relevant process attributes
> > # These settings are OPTIONAL
> > auditallow domain self:process setcurrent;
> > auditallow domain self:process setexec;
> > auditallow domain self:process setfscreate;
> >   
> This gives every process on the system the ability to do these 
> commands.  Why do you need this?

No - they are just auditallow statements, not allow statements, so they
merely enable auditing when they are allowed - they don't allow anything
new.  This is for auditing of all changes to the process
security-relevant attributes.

> > #auditallow domain self:process setsocketcreate; # FIXME
> > #auditallow domain self:process setipccreate; # FIXME
> >
> > #############################################################################
> > ### Relabeling printer devices
> > #############################################################################
> >
> > gen_require(`
> > 	type secadm_t, printer_device_t;
> > ')
> >
> > allow secadm_t printer_device_t:chr_file {getattr relabelfrom relabelto};
> >
> >   
> I have just added
>         dev_relabel_all_dev_nodes(secadm_t)
> in selinux-policy-2.3.19-4.
> 
> Which should cover this.
> 
> > #############################################################################
> > ### Polyinstantiation support
> > #############################################################################
> >
> > gen_require(`
> >         type newrole_t, sshd_t, local_login_t;
> > 	type user_t, staff_t;
> > 	type tmp_t, user_home_dir_t, staff_home_dir_t;
> > 	type user_tmp_t, staff_tmp_t, user_home_t, staff_home_t;
> > 	attribute userdomain;
> > ')
> >
> > type polyparent_t;
> > type polymember_t;
> > files_poly_parent(polyparent_t)
> > files_poly_member(polymember_t)
> >
> >   
> There is a new boolean allow_polyinstantiation, which should turn on 
> some of this support.
> If we are missing something, this should get back into the policy package.
> > ## FIXME: these don't work?
> > #allow userdomain polyparent_t:dir manage_dir_perms;
> > #allow userdomain polymember_t:dir manage_dir_perms;
> > #type_member userdomain polyparent_t:dir polymember_t;
> > #allow user_t polymember_t:dir manage_dir_perms;
> > #allow staff_t polymember_t:dir manage_dir_perms;
> >
> > files_poly(tmp_t)
> > files_poly(user_home_dir_t)
> > files_poly(staff_home_dir_t)
> >
> > type_member user_t tmp_t:dir user_tmp_t;
> > type_member staff_t tmp_t:dir staff_tmp_t;
> >
> > type_member user_t user_home_dir_t:dir user_home_t;
> > type_member staff_t staff_home_dir_t:dir staff_home_t;
> >
> > files_polyinstantiate_all(sshd_t)
> > files_polyinstantiate_all(local_login_t)
> > files_polyinstantiate_all(newrole_t)
> >   
> Only newrole_t does not have this priv in current policy. Added for 
> 2.3.19-4.
> > ### additional polyinst workarounds
> > ### (FIXME, should these be fixed in refpolicy?)
> >
> > gen_require(`
> > 	type bin_t, sshd_t, newrole_t, staff_su_t, run_init_t;
> > ')
> >
> > # let newrole execute the PAM framework (it didn't do that originally)
> > auth_exec_pam(newrole_t)
> >
> > # sshd needs to write the faillog / tallylog file
> > # FIXME, needs: semanage fcontext -a -t faillog_t /var/log/tallylog
> > auth_rw_faillog(sshd_t)
> > auth_rw_faillog(newrole_t)
> > auth_rw_faillog(staff_su_t)
> > auth_rw_faillog(run_init_t)
> >   
> Latest policy has these rules
> > # this seems to be missing from refpolicy files_polyinstantiate_all()?
> > allow sshd_t polyparent_t:dir {read search create remove_name};
> > allow local_login_t polyparent_t:dir {read search create remove_name};
> > allow newrole_t polyparent_t:dir {read search create remove_name};
> >
> > # need to be able to execute /etc/security/namespace.init
> > # (that file needs to be labeled as bin_t, default label is bad)
> > allow sshd_t bin_t:file {read execute execute_no_trans ioctl};
> > allow local_login_t bin_t:file {read execute execute_no_trans ioctl};
> > allow newrole_t bin_t:file {read execute execute_no_trans ioctl};
> >
> >   
> 
> 
-- 
Stephen Smalley
National Security Agency




* Re: policy issues in 2.3.18-10 - sshd & polyinstantiation
  2006-10-19 12:51     ` Stephen Smalley
@ 2006-10-19 13:24       ` Daniel J Walsh
  0 siblings, 0 replies; 5+ messages in thread
From: Daniel J Walsh @ 2006-10-19 13:24 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Klaus Weidner, Michael C Thompson, lspp-list, SE Linux

Stephen Smalley wrote:
> On Thu, 2006-10-19 at 08:34 -0400, Daniel J Walsh wrote:
>   
>> Klaus Weidner wrote:
>>     
>>> On Tue, Oct 17, 2006 at 04:11:24PM -0500, Michael C Thompson wrote:
>>>   
>>>       
>>>> So polyinstantiation is broken, it used to work at one point. The 
>>>> following is the log of what seems to be causing the failure. I'm 
>>>> looking into this, but it would be nice to have someone more adept at 
>>>> policy wrangling to jump in and save the day.
>>>>     
>>>>         
>>> The current LSPP ks script sets up policy and contexts to support
>>> polyinstantiation. I've attached the policy, here's the script fragment.
>>> Polyinstantiation parent dirs need to be polyparent_t, and
>>> /etc/security/namespace.init needs to be pam_exec_t or something similar.
>>>
>>> (Don't use chcon, define persistent file contexts instead to ensure that
>>> they don't get overwritten on the next autorelabel. And remember how nice
>>> it is that SELinux doesn't do path based security ;-)
>>>
>>> -Klaus
>>>
>>> ConfigurePolyinstantiation() {
>>>
>>>     Title " Configure polyinstantiation"
>>>
>>>     if ShallI "Update polyinstantiation (pam_namespace) configuration"; then
>>>         local DIRS=$(
>>>                 awk '/^[^#]/ {print $2}' $_BASE/$_NAMESPACE_CONF 
>>>         )
>>>         Log "Creating base dirs: $DIRS"
>>>         mkdir -m 0 $DIRS
>>>
>>>         local D
>>>         for D in $DIRS; do
>>>                 semanage fcontext -a -t polyparent_t $( echo "$D" | sed '
>>>                         s/\/$//;
>>>                         s/\([.*?]\)/\\\1/;
>>>                 ')
>>>         done
>>>         restorecon $DIRS
>>>
>>>         # FIXME: following should be fixed in upstream package?
>>>         semanage fcontext -a -t pam_exec_t /etc/security/namespace.init
>>>         restorecon /etc/security/namespace.init
>>>
>>>         Replace /etc/security/$_NAMESPACE_CONF with $_BASE/$_NAMESPACE_CONF
>>>
>>>     else
>>>         Log "configuration update declined."
>>>         _FAILURE=1
>>>     fi
>>> }
>>>
>>>   
>>> ------------------------------------------------------------------------
>>>
>>> ## Customized SELinux policy for LSPP evaluated configuration
>>>
>>> policy_module(lspp_policy,1.0)
>>>
>>> #############################################################################
>>> ### Additional audit
>>> #############################################################################
>>>
>>> gen_require(`
>>> 	attribute domain;
>>> ')
>>>
>>> # Audit setting of security relevant process attributes
>>> # These settings are OPTIONAL
>>> auditallow domain self:process setcurrent;
>>> auditallow domain self:process setexec;
>>> auditallow domain self:process setfscreate;
>>>   
>>>       
>> This gives every process on the system the ability to do these 
>> commands.  Why do you need this?
>>     
>
> No - they are just auditallow statements, not allow statements, so they
> merely enable auditing when they are allowed - they don't allow anything
> new.  This is for auditing of all changes to the process
> security-relevant attributes.
>
>   
Sorry, you are right.  I guess I am looking at too many lines of policy...
>>> #auditallow domain self:process setsocketcreate; # FIXME
>>> #auditallow domain self:process setipccreate; # FIXME
>>>
>>> #############################################################################
>>> ### Relabeling printer devices
>>> #############################################################################
>>>
>>> gen_require(`
>>> 	type secadm_t, printer_device_t;
>>> ')
>>>
>>> allow secadm_t printer_device_t:chr_file {getattr relabelfrom relabelto};
>>>
>>>   
>>>       
>> I have just added
>>         dev_relabel_all_dev_nodes(secadm_t)
>> in selinux-policy-2.3.19-4.
>>
>> Which should cover this.
>>
>>     
>>> #############################################################################
>>> ### Polyinstantiation support
>>> #############################################################################
>>>
>>> gen_require(`
>>>         type newrole_t, sshd_t, local_login_t;
>>> 	type user_t, staff_t;
>>> 	type tmp_t, user_home_dir_t, staff_home_dir_t;
>>> 	type user_tmp_t, staff_tmp_t, user_home_t, staff_home_t;
>>> 	attribute userdomain;
>>> ')
>>>
>>> type polyparent_t;
>>> type polymember_t;
>>> files_poly_parent(polyparent_t)
>>> files_poly_member(polymember_t)
>>>
>>>   
>>>       
>> There is a new boolean allow_polyinstantiation, which should turn on 
>> some of this support.
>> If we are missing something, this should get back into the policy package.
>>     
>>> ## FIXME: these don't work?
>>> #allow userdomain polyparent_t:dir manage_dir_perms;
>>> #allow userdomain polymember_t:dir manage_dir_perms;
>>> #type_member userdomain polyparent_t:dir polymember_t;
>>> #allow user_t polymember_t:dir manage_dir_perms;
>>> #allow staff_t polymember_t:dir manage_dir_perms;
>>>
>>> files_poly(tmp_t)
>>> files_poly(user_home_dir_t)
>>> files_poly(staff_home_dir_t)
>>>
>>> type_member user_t tmp_t:dir user_tmp_t;
>>> type_member staff_t tmp_t:dir staff_tmp_t;
>>>
>>> type_member user_t user_home_dir_t:dir user_home_t;
>>> type_member staff_t staff_home_dir_t:dir staff_home_t;
>>>
>>> files_polyinstantiate_all(sshd_t)
>>> files_polyinstantiate_all(local_login_t)
>>> files_polyinstantiate_all(newrole_t)
>>>   
>>>       
>> Only newrole_t does not have this priv in current policy. Added for 
>> 2.3.19-4.
>>     
>>> ### additional polyinst workarounds
>>> ### (FIXME, should these be fixed in refpolicy?)
>>>
>>> gen_require(`
>>> 	type bin_t, sshd_t, newrole_t, staff_su_t, run_init_t;
>>> ')
>>>
>>> # let newrole execute the PAM framework (it didn't do that originally)
>>> auth_exec_pam(newrole_t)
>>>
>>> # sshd needs to write the faillog / tallylog file
>>> # FIXME, needs: semanage fcontext -a -t faillog_t /var/log/tallylog
>>> auth_rw_faillog(sshd_t)
>>> auth_rw_faillog(newrole_t)
>>> auth_rw_faillog(staff_su_t)
>>> auth_rw_faillog(run_init_t)
>>>   
>>>       
>> Latest policy has these rules
>>     
>>> # this seems to be missing from refpolicy files_polyinstantiate_all()?
>>> allow sshd_t polyparent_t:dir {read search create remove_name};
>>> allow local_login_t polyparent_t:dir {read search create remove_name};
>>> allow newrole_t polyparent_t:dir {read search create remove_name};
>>>
>>> # need to be able to execute /etc/security/namespace.init
>>> # (that file needs to be labeled as bin_t, default label is bad)
>>> allow sshd_t bin_t:file {read execute execute_no_trans ioctl};
>>> allow local_login_t bin_t:file {read execute execute_no_trans ioctl};
>>> allow newrole_t bin_t:file {read execute execute_no_trans ioctl};
>>>
>>>   
>>>       
>>     



