* Re: Don't audit restart of nscd daemon in strict policy
From: Christopher J. PeBenito @ 2007-03-06 15:56 UTC (permalink / raw)
To: dwalsh; +Cc: selinux
On Mon, 2007-02-26 at 12:29 -0500, dwalsh@localhost.localdomain wrote:
> ===File /tmp/patches/done/nsaserefpolicy_policy_modules_services_nscd.patch===
> --- nsaserefpolicy/policy/modules/services/nscd.te 2007-02-19 11:32:53.000000000 -0500
> +++ serefpolicy-2.5.5/policy/modules/services/nscd.te 2007-02-26 11:02:34.000000000 -0500
> @@ -117,6 +117,9 @@
> term_dontaudit_use_unallocated_ttys(nscd_t)
> term_dontaudit_use_generic_ptys(nscd_t)
> files_dontaudit_read_root_files(nscd_t)
> +',`
> + userdom_dontaudit_use_sysadm_ttys(nscd_t)
> + userdom_dontaudit_use_sysadm_ptys(nscd_t)
> ')
>
> optional_policy(`
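Review bot: the `+',`' line opens a second branch of an m4 conditional whose head is outside the hunk, so the patch does not show which branch (the strict-policy one, going by the subject) the two new dontaudit calls land in; post it with the enclosing conditional as context. More to the point, userdom_dontaudit_use_sysadm_ttys/ptys hardcode the sysadm terminal types into nscd_t's own module, although the terminal in question belongs to whichever domain restarts nscd; a run interface that receives the caller's terminal type keeps that knowledge with the caller. Either way these are dontaudit rules, not allow rules: nscd_t still cannot use the admin terminal, the denials just stop appearing in the audit log.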
This should go with a run interface. Then you can get the transition,
the role, and dontaudit the terminals.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Don't audit restart of nscd daemon in strict policy
From: Christopher J. PeBenito @ 2007-03-06 15:57 UTC (permalink / raw)
To: dwalsh; +Cc: selinux
On Mon, 2007-02-26 at 12:29 -0500, dwalsh@localhost.localdomain wrote:
> ===File /tmp/patches/done/nsaserefpolicy_policy_modules_services_nscd.patch===
> --- nsaserefpolicy/policy/modules/services/nscd.te 2007-02-19 11:32:53.000000000 -0500
> +++ serefpolicy-2.5.5/policy/modules/services/nscd.te 2007-02-26 11:02:34.000000000 -0500
> @@ -117,6 +117,9 @@
> term_dontaudit_use_unallocated_ttys(nscd_t)
> term_dontaudit_use_generic_ptys(nscd_t)
> files_dontaudit_read_root_files(nscd_t)
> +',`
> + userdom_dontaudit_use_sysadm_ttys(nscd_t)
> + userdom_dontaudit_use_sysadm_ptys(nscd_t)
> ')
>
> optional_policy(`
This should go with a run interface, then you get the transition, the
role and these dontaudits.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: Don't audit restart of nscd daemon in strict policy
From: Daniel J Walsh @ 2007-03-06 18:43 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: selinux
Christopher J. PeBenito wrote:
> On Mon, 2007-02-26 at 12:29 -0500, dwalsh@localhost.localdomain wrote:
>
>> ===File /tmp/patches/done/nsaserefpolicy_policy_modules_services_nscd.patch===
>> --- nsaserefpolicy/policy/modules/services/nscd.te 2007-02-19 11:32:53.000000000 -0500
>> +++ serefpolicy-2.5.5/policy/modules/services/nscd.te 2007-02-26 11:02:34.000000000 -0500
>> @@ -117,6 +117,9 @@
>> term_dontaudit_use_unallocated_ttys(nscd_t)
>> term_dontaudit_use_generic_ptys(nscd_t)
>> files_dontaudit_read_root_files(nscd_t)
>> +',`
>> + userdom_dontaudit_use_sysadm_ttys(nscd_t)
>> + userdom_dontaudit_use_sysadm_ptys(nscd_t)
>> ')
>>
>> optional_policy(`
>>
>
> This should go with a run interface, then you get the transition, the
> role and these dontaudits.
>
>
OK, how about this one.
[Attachment: nscd.patch]
--- nsaserefpolicy/policy/modules/services/nscd.if 2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-2.5.8/policy/modules/services/nscd.if 2007-03-06 13:33:06.000000000 -0500
@@ -173,3 +173,35 @@
allow $1 nscd_t:nscd *;
')
+
+########################################
+## <summary>
+## Execute nscd in the nscd domain, and
+## allow the specified role the nscd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the nscd domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the terminal allow the nscd domain to use.
+## </summary>
+## </param>
+#
+interface(`nscd_run',`
+ gen_require(`
+ type nscd_t;
+ ')
+
+ nscd_domtrans($1)
+ role $2 types nscd_t;
+ dontaudit nscd_t $3:chr_file rw_term_perms;
+')
+
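Review bot: the <param name="terminal"> summary says the terminal is one the nscd domain is allowed to use, but the body only silences it (`dontaudit nscd_t $3:chr_file rw_term_perms;`); either reword the summary to say the denials are not audited, or, if nscd is expected to write to that terminal during a restart, make the rule an allow as the usermanage run interfaces do. The summary sentence itself is also ungrammatical ("The type of the terminal allow the nscd domain to use"); "The type of the terminal the nscd domain may use" reads better. Minor: the hunk ends with a bare `+` line, so the patch adds a trailing blank line at end of file.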
--- nsaserefpolicy/policy/modules/system/userdomain.te 2007-02-19 11:32:53.000000000 -0500
+++ serefpolicy-2.5.8/policy/modules/system/userdomain.te 2007-03-06 13:33:25.000000000 -0500
@@ -423,6 +438,10 @@
')
optional_policy(`
+ nscd_run(sysadm_t,sysadm_r,admin_terminal)
+ ')
+
+ optional_policy(`
usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal)
usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
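Review bot: the hunk header `@@ -423,6 +438,10 @@` carries a 15-line offset on the new side for a single-hunk file, so this diff was taken against a tree with other changes above this point and will only apply with fuzz to the base named in the header. On content, calling nscd_run(sysadm_t,sysadm_r,admin_terminal) here gives the admin a direct, terminal-aware transition into nscd_t, which covers a manual restart; if the restart the subject refers to is the one triggered from useradd, groupadd or passwd, the call belongs inside those tools' run interfaces so the role and terminal arguments follow the actual caller.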
* Re: Don't audit restart of nscd daemon in strict policy
From: Christopher J. PeBenito @ 2007-03-07 16:23 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: selinux
On Tue, 2007-03-06 at 13:43 -0500, Daniel J Walsh wrote:
> Christopher J. PeBenito wrote:
> > On Mon, 2007-02-26 at 12:29 -0500, dwalsh@localhost.localdomain wrote:
> >> +',`
> >> + userdom_dontaudit_use_sysadm_ttys(nscd_t)
> >> + userdom_dontaudit_use_sysadm_ptys(nscd_t)
> >
> > This should go with a run interface, then you get the transition, the
> > role and these dontaudits.
> >
> Ok how about this one.
Yes, that's what I had in mind, but I thought that the purpose was that
nscd was restarted from usermanage_t. If so, the nscd_run() call should
go in usermanage_run_useradd(). See rpm_run() for what I was thinking.
> +interface(`nscd_run',`
> + gen_require(`
> + type nscd_t;
> + ')
> +
> + nscd_domtrans($1)
> + role $2 types nscd_t;
> + dontaudit nscd_t $3:chr_file rw_term_perms;
> +')
> +
> --- nsaserefpolicy/policy/modules/system/userdomain.te 2007-02-19 11:32:53.000000000 -0500
> +++ serefpolicy-2.5.8/policy/modules/system/userdomain.te 2007-03-06 13:33:25.000000000 -0500
> @@ -423,6 +438,10 @@
> ')
>
> optional_policy(`
> + nscd_run(sysadm_t,sysadm_r,admin_terminal)
> + ')
> +
> + optional_policy(`
> usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal)
> usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
> usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: Don't audit restart of nscd daemon in strict policy
From: Daniel J Walsh @ 2007-03-07 20:21 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: selinux
Christopher J. PeBenito wrote:
> On Tue, 2007-03-06 at 13:43 -0500, Daniel J Walsh wrote:
>
>> Christopher J. PeBenito wrote:
>>
>>> On Mon, 2007-02-26 at 12:29 -0500, dwalsh@localhost.localdomain wrote:
>>>
>>>> +',`
>>>> + userdom_dontaudit_use_sysadm_ttys(nscd_t)
>>>> + userdom_dontaudit_use_sysadm_ptys(nscd_t)
>>>>
>>> This should go with a run interface, then you get the transition, the
>>> role and these dontaudits.
>>>
>>>
>> Ok how about this one.
>>
>
> Yes, thats what I had in mind, but I thought that the purpose was that
> nscd was restarted from usermanage_t. If so, the nscd_run() call should
> go in usermanage_run_useradd(). See rpm_run() for what I was thinking.
>
>
>> +interface(`nscd_run',`
>> + gen_require(`
>> + type nscd_t;
>> + ')
>> +
>> + nscd_domtrans($1)
>> + role $2 types nscd_t;
>> + dontaudit nscd_t $3:chr_file rw_term_perms;
>> +')
>> +
>> --- nsaserefpolicy/policy/modules/system/userdomain.te 2007-02-19 11:32:53.000000000 -0500
>> +++ serefpolicy-2.5.8/policy/modules/system/userdomain.te 2007-03-06 13:33:25.000000000 -0500
>> @@ -423,6 +438,10 @@
>> ')
>>
>> optional_policy(`
>> + nscd_run(sysadm_t,sysadm_r,admin_terminal)
>> + ')
>> +
>> + optional_policy(`
>> usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal)
>> usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
>> usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
>>
OK, one more pass.
[Attachment: nscd_run.patch]
--- nsaserefpolicy/policy/modules/admin/usermanage.if 2007-01-02 12:57:51.000000000 -0500
+++ serefpolicy-2.5.8/policy/modules/admin/usermanage.if 2007-03-07 15:06:39.000000000 -0500
@@ -69,6 +69,7 @@
files_search_usr($1)
corecmd_search_sbin($1)
domtrans_pattern($1,groupadd_exec_t,groupadd_t)
+ nscd_run(groupadd_t, $2, $3);
')
########################################
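Review bot: this nscd_run(groupadd_t, $2, $3) call sits in an interface that, judging by its context (files_search_usr, corecmd_search_sbin, domtrans_pattern and no `role $2 types` line), is the single-argument domtrans interface, so $2 and $3 are unset here and the `role` and `dontaudit` statements nscd_run expands to will be malformed. Move it into usermanage_run_groupadd next to that interface's role and terminal rules, as the sysadm_passwd and useradd hunks below do. Also drop the trailing `;` and the spaces after the commas: the neighbouring calls use neither, and m4 passes the `;` straight through into the generated policy.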
@@ -206,6 +207,7 @@
usermanage_domtrans_admin_passwd($1)
role $2 types sysadm_passwd_t;
allow sysadm_passwd_t $3:chr_file rw_term_perms;
+ nscd_run(sysadm_passwd_t, $2, $3);
')
########################################
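Review bot: nscd_run() is called here unconditionally, while the usermanage.te hunks below remove the nscd_domtrans() calls from inside optional_policy blocks. That turns the soft dependency on the nscd module into a hard one: a policy that calls usermanage_run_admin_passwd() without the nscd module present will no longer build. Either wrap the call in optional_policy(` ... ') inside the interface or state in the cover note that usermanage now requires nscd. The same applies to the groupadd and useradd call sites.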
@@ -258,6 +260,7 @@
usermanage_domtrans_useradd($1)
role $2 types useradd_t;
allow useradd_t $3:chr_file rw_term_perms;
+ nscd_run(useradd_t, $2, $3);
')
########################################
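Review bot: with nscd_domtrans(useradd_t) removed from usermanage.te below and the transition added only here, useradd_t reaches nscd_t only when the caller used usermanage_run_useradd(); anything that still calls usermanage_domtrans_useradd() directly loses the ability to restart nscd, and the sysadm_passwd hunk above has the same effect for usermanage_domtrans_admin_passwd(). Confirm no in-tree caller relies on the domtrans interface for this, or keep the nscd_domtrans() call in the .te and add only the role and terminal rules through nscd_run() here.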
--- nsaserefpolicy/policy/modules/services/nscd.if 2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-2.5.8/policy/modules/services/nscd.if 2007-03-06 14:13:31.000000000 -0500
@@ -173,3 +173,35 @@
allow $1 nscd_t:nscd *;
')
+
+########################################
+## <summary>
+## Execute nscd in the nscd domain, and
+## allow the specified role the nscd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the nscd domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the terminal allow the nscd domain to use.
+## </summary>
+## </param>
+#
+interface(`nscd_run',`
+ gen_require(`
+ type nscd_t;
+ ')
+
+ nscd_domtrans($1)
+ role $2 types nscd_t;
+ dontaudit nscd_t $3:chr_file rw_term_perms;
+')
+
--- nsaserefpolicy/policy/modules/admin/usermanage.te 2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-2.5.8/policy/modules/admin/usermanage.te 2007-03-06 14:13:31.000000000 -0500
@@ -257,10 +257,6 @@
')
optional_policy(`
- nscd_domtrans(groupadd_t)
-')
-
-optional_policy(`
rpm_use_fds(groupadd_t)
rpm_rw_pipes(groupadd_t)
')
@@ -444,7 +440,6 @@
')
optional_policy(`
- nscd_domtrans(sysadm_passwd_t)
nscd_socket_use(sysadm_passwd_t)
')
@@ -540,10 +535,6 @@
')
optional_policy(`
- nscd_domtrans(useradd_t)
-')
-
-optional_policy(`
rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t)
')
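Review bot: these three usermanage.te removals change who can reach nscd_t (only callers of the usermanage run interfaces, after the patch) and leave nscd_socket_use(sysadm_passwd_t) behind under a different condition (module presence rather than interface call), yet the cover note says only "one more pass". A sentence explaining the move from the optional_policy blocks into the run interfaces, and that the socket-use rule deliberately stays, would help the next reader of the log.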
* Re: Don't audit restart of nscd daemon in strict policy
From: Christopher J. PeBenito @ 2007-03-08 14:11 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: selinux
On Wed, 2007-03-07 at 15:21 -0500, Daniel J Walsh wrote:
> Christopher J. PeBenito wrote:
> > On Tue, 2007-03-06 at 13:43 -0500, Daniel J Walsh wrote:
> >
> >> Christopher J. PeBenito wrote:
> >>
> >>> On Mon, 2007-02-26 at 12:29 -0500, dwalsh@localhost.localdomain wrote:
> >>>
> >>>> +',`
> >>>> + userdom_dontaudit_use_sysadm_ttys(nscd_t)
> >>>> + userdom_dontaudit_use_sysadm_ptys(nscd_t)
> >>>>
> >>> This should go with a run interface, then you get the transition, the
> >>> role and these dontaudits.
> >>>
> >>>
> >> Ok how about this one.
Yes, that's it, merged. I fixed the groupadd one, which was in the
domtrans interface rather than run.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
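The merged nscd_run() silences, rather than grants, nscd_t's use of the caller's terminal, so it is worth seeing exactly what a `dontaudit nscd_t $3:chr_file rw_term_perms;` rule changes in the audit log. The following Python is an added example written for this page, not code from the refpolicy tree or from the thread's authors. It parses a handful of constructed AVC records (not real captures) of the kind a restart of nscd from an admin terminal would produce, and reports for each whether the rule would silence it, leave it logged, or, if an allow rule were used instead, permit it. The expansion of admin_terminal to sysadm_tty_device_t and sysadm_devpts_t, and the membership of rw_term_perms, are assumptions made for the model.

```python
"""Triage AVC denials against the dontaudit rule from nscd_run().

Added example for this thread, not refpolicy code. The sample log lines
are constructed, and the expansion of admin_terminal plus the contents
of rw_term_perms are assumptions of this model, not taken from the page.
"""
import re
from dataclasses import dataclass

AVC_RE = re.compile(
    r"audit\((?P<ts>[\d.]+):(?P<serial>\d+)\).*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


@dataclass(frozen=True)
class Denial:
    serial: int
    source_type: str
    target_type: str
    tclass: str
    perms: frozenset


def type_of(context: str) -> str:
    """user:role:type[:range] -> type; an MLS range, if present, is ignored."""
    return context.split(":")[2]


def parse_avc(line: str):
    """Return a Denial for an 'avc: denied' record, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return Denial(
        serial=int(m.group("serial")),
        source_type=type_of(m.group("scontext")),
        target_type=type_of(m.group("tcontext")),
        tclass=m.group("tclass"),
        perms=frozenset(m.group("perms").split()),
    )


@dataclass(frozen=True)
class Rule:
    kind: str            # "allow" or "dontaudit"
    source: str
    targets: frozenset   # target types the rule names
    tclass: str
    perms: frozenset

    def applies(self, d: Denial) -> bool:
        return (d.source_type == self.source and d.target_type in self.targets
                and d.tclass == self.tclass)


# Assumed: the permission set refpolicy's rw_term_perms expands to.
RW_TERM_PERMS = frozenset({"getattr", "open", "read", "write", "ioctl", "append"})
# Assumed: what admin_terminal ($3 of nscd_run) covers for sysadm callers.
ADMIN_TERMINAL_TYPES = frozenset({"sysadm_tty_device_t", "sysadm_devpts_t"})

# The one rule the merged nscd_run() adds: dontaudit nscd_t $3:chr_file rw_term_perms;
POLICY = [Rule("dontaudit", "nscd_t", ADMIN_TERMINAL_TYPES, "chr_file", RW_TERM_PERMS)]


def decide(d: Denial, policy=POLICY) -> str:
    """'allowed' if allow rules cover every requested permission; otherwise
    'denied-silent' if dontaudit rules cover the rest, else 'denied-logged'.
    A dontaudit never grants anything: it only removes the log record."""
    allowed, silenced = set(), set()
    for r in policy:
        if r.applies(d):
            (allowed if r.kind == "allow" else silenced).update(r.perms)
    if d.perms <= allowed:
        return "allowed"
    if d.perms - allowed <= silenced:
        return "denied-silent"
    return "denied-logged"


def triage(log_text: str, policy=POLICY) -> dict:
    """Group the serial numbers of all AVC records in log_text by decision."""
    out = {"allowed": [], "denied-silent": [], "denied-logged": []}
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is not None:
            out[decide(d, policy)].append(d.serial)
    return out


# Constructed sample shaped like audit.log records; not real captures.
SAMPLE_AVC = """\
type=AVC msg=audit(1173211234.123:45): avc:  denied  { read write } for  pid=2231 comm="nscd" path="/dev/pts/1" dev=devpts ino=4 scontext=root:sysadm_r:nscd_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
type=AVC msg=audit(1173211234.124:46): avc:  denied  { read write } for  pid=2231 comm="nscd" path="/dev/tty1" dev=tmpfs ino=11 scontext=root:sysadm_r:nscd_t tcontext=root:object_r:sysadm_tty_device_t tclass=chr_file
type=AVC msg=audit(1173211234.125:47): avc:  denied  { setattr } for  pid=2231 comm="nscd" path="/dev/pts/1" dev=devpts ino=4 scontext=root:sysadm_r:nscd_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
type=AVC msg=audit(1173211234.126:48): avc:  denied  { write } for  pid=2231 comm="nscd" path="/dev/pts/3" dev=devpts ino=6 scontext=user_u:user_r:nscd_t tcontext=user_u:object_r:user_devpts_t tclass=chr_file
type=AVC msg=audit(1173211234.127:49): avc:  denied  { write } for  pid=2231 comm="nscd" name="passwd" dev=hda1 ino=8 scontext=root:sysadm_r:nscd_t tcontext=system_u:object_r:etc_t tclass=file
type=SYSCALL msg=audit(1173211234.127:49): arch=40000003 syscall=4 success=no exit=-13 comm="nscd"
"""

if __name__ == "__main__":
    for verdict, serials in triage(SAMPLE_AVC).items():
        print(f"{verdict:14s} {serials}")
```

Run as a script it prints the triage of the sample; feed the lines of a real audit.log to triage() to do the same for a live system. Because the only rule in POLICY is a dontaudit, nothing ends up "allowed": serials 45 and 46 go quiet, 47 stays logged because setattr is outside rw_term_perms, 48 because a user pty is not an admin terminal, and 49 because the object is a file, not a terminal. Swapping the rule's kind to "allow" is what it would take for 45 and 46 to become permitted rather than merely unlogged.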