Re: policy issues in 2.3.18-10 - sshd & polyinstantiation

[Daniel J Walsh <dwalsh@redhat.com>]

Klaus Weidner wrote:
> On Tue, Oct 17, 2006 at 04:11:24PM -0500, Michael C Thompson wrote:
>   
>> So polyinstantiation is broken, it used to work at one point. The 
>> following is the log of what seems to be causing the failure. I'm 
>> looking into this, but it would be nice to have someone more adept at 
>> policy wrangling to jump in and save the day.
>>     
>
> The current LSPP ks script sets up policy and contexts to support
> polyinstantiation. I've attached the policy, here's the script fragment.
> Polyinstantiation parent dirs need to be polyparent_t, and
> /etc/security/namespace.init needs to be pam_exec_t or something similar.
>
> (Don't use chcon, define persistent file contexts instead to ensure that
> they don't get overwritten on the next autorelabel. And remember how nice
> it is that SELinux doesn't do path based security ;-)
>
> -Klaus
>
> ConfigurePolyinstantiation() {
>
>     Title " Configure polyinstantiation"
>
>     if ShallI "Update polyinstantiation (pam_namespace) configuration"; then
>         local DIRS=$(
>                 awk '/^[^#]/ {print $2}' $_BASE/$_NAMESPACE_CONF 
>         )
>         Log "Creating base dirs: $DIRS"
>         mkdir -m 0 $DIRS
>
>         local D
>         for D in $DIRS; do
>                 semanage fcontext -a -t polyparent_t $( echo "$D" | sed '
>                         s/\/$//;
>                         s/\([.*?]\)/\\\1/;
>                 ')
>         done
>         restorecon $DIRS
>
>         # FIXME: following should be fixed in upstream package?
>         semanage fcontext -a -t pam_exec_t /etc/security/namespace.init
>         restorecon /etc/security/namespace.init
>
>         Replace /etc/security/$_NAMESPACE_CONF with $_BASE/$_NAMESPACE_CONF
>
>     else
>         Log "configuration update declined."
>         _FAILURE=1
>     fi
> }
>
>   
> ------------------------------------------------------------------------
>
> ## Customized SELinux policy for LSPP evaluated configuration
>
> policy_module(lspp_policy,1.0)
>
> #############################################################################
> ### Additional audit
> #############################################################################
>
> gen_require(`
> 	attribute domain;
> ')
>
> # Audit setting of security relevant process attributes
> # These settings are OPTIONAL
> auditallow domain self:process setcurrent;
> auditallow domain self:process setexec;
> auditallow domain self:process setfscreate;
>   
This gives every process on the system the ability to do these 
commands.  Why do you need this?
> #auditallow domain self:process setsocketcreate; # FIXME
> #auditallow domain self:process setipccreate; # FIXME
>
> #############################################################################
> ### Relabeling printer devices
> #############################################################################
>
> gen_require(`
> 	type secadm_t, printer_device_t;
> ')
>
> allow secadm_t printer_device_t:chr_file {getattr relabelfrom relabelto};
>
>   
I have just added
        dev_relabel_all_dev_nodes(secadm_t)
in selinux-policy-2.3.19-4.

Which should cover this.

> #############################################################################
> ### Polyinstantiation support
> #############################################################################
>
> gen_require(`
>         type newrole_t, sshd_t, local_login_t;
> 	type user_t, staff_t;
> 	type tmp_t, user_home_dir_t, staff_home_dir_t;
> 	type user_tmp_t, staff_tmp_t, user_home_t, staff_home_t;
> 	attribute userdomain;
> ')
>
> type polyparent_t;
> type polymember_t;
> files_poly_parent(polyparent_t)
> files_poly_member(polymember_t)
>
>   
There is a new boolean allow_polyinstantiation, which should turn on 
some of this support.
If we are missing something, this should get back into the policy package.
> ## FIXME: these don't work?
> #allow userdomain polyparent_t:dir manage_dir_perms;
> #allow userdomain polymember_t:dir manage_dir_perms;
> #type_member userdomain polyparent_t:dir polymember_t;
> #allow user_t polymember_t:dir manage_dir_perms;
> #allow staff_t polymember_t:dir manage_dir_perms;
>
> files_poly(tmp_t)
> files_poly(user_home_dir_t)
> files_poly(staff_home_dir_t)
>
> type_member user_t tmp_t:dir user_tmp_t;
> type_member staff_t tmp_t:dir staff_tmp_t;
>
> type_member user_t user_home_dir_t:dir user_home_t;
> type_member staff_t staff_home_dir_t:dir staff_home_t;
>
> files_polyinstantiate_all(sshd_t)
> files_polyinstantiate_all(local_login_t)
> files_polyinstantiate_all(newrole_t)
>   
Only newole_t does not have this priv in current policy,   Added for 
2.3.19-4.
> ### additional polyinst workarounds
> ### (FIXME, should these be fixed in refpolicy?)
>
> gen_require(`
> 	type bin_t, sshd_t, newrole_t, staff_su_t, run_init_t;
> ')
>
> # let newrole execute the PAM framework (it didn't d<o that originally)
> auth_exec_pam(newrole_t)
>
> # sshd needs to write the faillog / tallylog file
> # FIXME, needs: semanage fcontext -a -t faillog_t /var/log/tallylog
> auth_rw_faillog(sshd_t)
> auth_rw_faillog(newrole_t)
> auth_rw_faillog(staff_su_t)
> auth_rw_faillog(run_init_t)
>   
Latest policy has these rules
> # this seems to be missing from refpolicy files_polyinstantiate_all()?
> allow sshd_t polyparent_t:dir {read search create remove_name};
> allow local_login_t polyparent_t:dir {read search create remove_name};
> allow newrole_t polyparent_t:dir {read search create remove_name};
>
> # need to be able to execute /etc/security/namespace.init
> # (that file needs to be labeled as bin_t, default label is bad)
> allow sshd_t bin_t:file {read execute execute_no_trans ioctl};
> allow local_login_t bin_t:file {read execute execute_no_trans ioctl};
> allow newrole_t bin_t:file {read execute execute_no_trans ioctl};
>
>   


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.