Re: policy issues in 2.3.18-10 - sshd & polyinstantiation

[Daniel J Walsh <dwalsh@redhat.com>]

Stephen Smalley wrote:
> On Thu, 2006-10-19 at 08:34 -0400, Daniel J Walsh wrote:
>   
>> Klaus Weidner wrote:
>>     
>>> On Tue, Oct 17, 2006 at 04:11:24PM -0500, Michael C Thompson wrote:
>>>   
>>>       
>>>> So polyinstantiation is broken, it used to work at one point. The 
>>>> following is the log of what seems to be causing the failure. I'm 
>>>> looking into this, but it would be nice to have someone more adept at 
>>>> policy wrangling to jump in and save the day.
>>>>     
>>>>         
>>> The current LSPP ks script sets up policy and contexts to support
>>> polyinstantiation. I've attached the policy, here's the script fragment.
>>> Polyinstantiation parent dirs need to be polyparent_t, and
>>> /etc/security/namespace.init needs to be pam_exec_t or something similar.
>>>
>>> (Don't use chcon, define persistent file contexts instead to ensure that
>>> they don't get overwritten on the next autorelabel. And remember how nice
>>> it is that SELinux doesn't do path based security ;-)
>>>
>>> -Klaus
>>>
>>> ConfigurePolyinstantiation() {
>>>
>>>     Title " Configure polyinstantiation"
>>>
>>>     if ShallI "Update polyinstantiation (pam_namespace) configuration"; then
>>>         local DIRS=$(
>>>                 awk '/^[^#]/ {print $2}' $_BASE/$_NAMESPACE_CONF 
>>>         )
>>>         Log "Creating base dirs: $DIRS"
>>>         mkdir -m 0 $DIRS
>>>
>>>         local D
>>>         for D in $DIRS; do
>>>                 semanage fcontext -a -t polyparent_t $( echo "$D" | sed '
>>>                         s/\/$//;
>>>                         s/\([.*?]\)/\\\1/;
>>>                 ')
>>>         done
>>>         restorecon $DIRS
>>>
>>>         # FIXME: following should be fixed in upstream package?
>>>         semanage fcontext -a -t pam_exec_t /etc/security/namespace.init
>>>         restorecon /etc/security/namespace.init
>>>
>>>         Replace /etc/security/$_NAMESPACE_CONF with $_BASE/$_NAMESPACE_CONF
>>>
>>>     else
>>>         Log "configuration update declined."
>>>         _FAILURE=1
>>>     fi
>>> }
>>>
>>>   
>>> ------------------------------------------------------------------------
>>>
>>> ## Customized SELinux policy for LSPP evaluated configuration
>>>
>>> policy_module(lspp_policy,1.0)
>>>
>>> #############################################################################
>>> ### Additional audit
>>> #############################################################################
>>>
>>> gen_require(`
>>> 	attribute domain;
>>> ')
>>>
>>> # Audit setting of security relevant process attributes
>>> # These settings are OPTIONAL
>>> auditallow domain self:process setcurrent;
>>> auditallow domain self:process setexec;
>>> auditallow domain self:process setfscreate;
>>>   
>>>       
>> This gives every process on the system the ability to do these 
>> commands.  Why do you need this?
>>     
>
> No - they are just auditallow statements, not allow statements, so they
> merely enable auditing when they are allowed - they don't allow anything
> new.  This is for auditing of all changes to the process
> security-relevant attributes.
>
>   
Sorry, you are right.  I guess I am looking at too many lines of policy...
>>> #auditallow domain self:process setsocketcreate; # FIXME
>>> #auditallow domain self:process setipccreate; # FIXME
>>>
>>> #############################################################################
>>> ### Relabeling printer devices
>>> #############################################################################
>>>
>>> gen_require(`
>>> 	type secadm_t, printer_device_t;
>>> ')
>>>
>>> allow secadm_t printer_device_t:chr_file {getattr relabelfrom relabelto};
>>>
>>>   
>>>       
>> I have just added
>>         dev_relabel_all_dev_nodes(secadm_t)
>> in selinux-policy-2.3.19-4.
>>
>> Which should cover this.
>>
>>     
>>> #############################################################################
>>> ### Polyinstantiation support
>>> #############################################################################
>>>
>>> gen_require(`
>>>         type newrole_t, sshd_t, local_login_t;
>>> 	type user_t, staff_t;
>>> 	type tmp_t, user_home_dir_t, staff_home_dir_t;
>>> 	type user_tmp_t, staff_tmp_t, user_home_t, staff_home_t;
>>> 	attribute userdomain;
>>> ')
>>>
>>> type polyparent_t;
>>> type polymember_t;
>>> files_poly_parent(polyparent_t)
>>> files_poly_member(polymember_t)
>>>
>>>   
>>>       
>> There is a new boolean allow_polyinstantiation, which should turn on 
>> some of this support.
>> If we are missing something, this should get back into the policy package.
>>     
>>> ## FIXME: these don't work?
>>> #allow userdomain polyparent_t:dir manage_dir_perms;
>>> #allow userdomain polymember_t:dir manage_dir_perms;
>>> #type_member userdomain polyparent_t:dir polymember_t;
>>> #allow user_t polymember_t:dir manage_dir_perms;
>>> #allow staff_t polymember_t:dir manage_dir_perms;
>>>
>>> files_poly(tmp_t)
>>> files_poly(user_home_dir_t)
>>> files_poly(staff_home_dir_t)
>>>
>>> type_member user_t tmp_t:dir user_tmp_t;
>>> type_member staff_t tmp_t:dir staff_tmp_t;
>>>
>>> type_member user_t user_home_dir_t:dir user_home_t;
>>> type_member staff_t staff_home_dir_t:dir staff_home_t;
>>>
>>> files_polyinstantiate_all(sshd_t)
>>> files_polyinstantiate_all(local_login_t)
>>> files_polyinstantiate_all(newrole_t)
>>>   
>>>       
>> Only newole_t does not have this priv in current policy,   Added for 
>> 2.3.19-4.
>>     
>>> ### additional polyinst workarounds
>>> ### (FIXME, should these be fixed in refpolicy?)
>>>
>>> gen_require(`
>>> 	type bin_t, sshd_t, newrole_t, staff_su_t, run_init_t;
>>> ')
>>>
>>> # let newrole execute the PAM framework (it didn't d<o that originally)
>>> auth_exec_pam(newrole_t)
>>>
>>> # sshd needs to write the faillog / tallylog file
>>> # FIXME, needs: semanage fcontext -a -t faillog_t /var/log/tallylog
>>> auth_rw_faillog(sshd_t)
>>> auth_rw_faillog(newrole_t)
>>> auth_rw_faillog(staff_su_t)
>>> auth_rw_faillog(run_init_t)
>>>   
>>>       
>> Latest policy has these rules
>>     
>>> # this seems to be missing from refpolicy files_polyinstantiate_all()?
>>> allow sshd_t polyparent_t:dir {read search create remove_name};
>>> allow local_login_t polyparent_t:dir {read search create remove_name};
>>> allow newrole_t polyparent_t:dir {read search create remove_name};
>>>
>>> # need to be able to execute /etc/security/namespace.init
>>> # (that file needs to be labeled as bin_t, default label is bad)
>>> allow sshd_t bin_t:file {read execute execute_no_trans ioctl};
>>> allow local_login_t bin_t:file {read execute execute_no_trans ioctl};
>>> allow newrole_t bin_t:file {read execute execute_no_trans ioctl};
>>>
>>>   
>>>       
>> --
>> This message was distributed to subscribers of the selinux mailing list.
>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
>> the words "unsubscribe selinux" without quotes as the message.
>>     


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.