* Re: Don't audit restart of nscd daemon in strict policy
From: Christopher J. PeBenito @ 2007-03-06 15:56 UTC
To: dwalsh; +Cc: selinux

On Mon, 2007-02-26 at 12:29 -0500, dwalsh@localhost.localdomain wrote:
> ===File /tmp/patches/done/nsaserefpolicy_policy_modules_services_nscd.patch===
> --- nsaserefpolicy/policy/modules/services/nscd.te 2007-02-19 11:32:53.000000000 -0500
> +++ serefpolicy-2.5.5/policy/modules/services/nscd.te 2007-02-26 11:02:34.000000000 -0500
> @@ -117,6 +117,9 @@
> term_dontaudit_use_unallocated_ttys(nscd_t)
> term_dontaudit_use_generic_ptys(nscd_t)
> files_dontaudit_read_root_files(nscd_t)
> +',`
> + userdom_dontaudit_use_sysadm_ttys(nscd_t)
> + userdom_dontaudit_use_sysadm_ptys(nscd_t)
> ')
>
> optional_policy(`

This should go with a run interface. Then you can get the transition, the role, and dontaudit the terminals.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Don't audit restart of nscd daemon in strict policy
From: Christopher J. PeBenito @ 2007-03-06 15:57 UTC
To: dwalsh; +Cc: selinux

On Mon, 2007-02-26 at 12:29 -0500, dwalsh@localhost.localdomain wrote:
> ===File /tmp/patches/done/nsaserefpolicy_policy_modules_services_nscd.patch===
> --- nsaserefpolicy/policy/modules/services/nscd.te 2007-02-19 11:32:53.000000000 -0500
> +++ serefpolicy-2.5.5/policy/modules/services/nscd.te 2007-02-26 11:02:34.000000000 -0500
> @@ -117,6 +117,9 @@
> term_dontaudit_use_unallocated_ttys(nscd_t)
> term_dontaudit_use_generic_ptys(nscd_t)
> files_dontaudit_read_root_files(nscd_t)
> +',`
> + userdom_dontaudit_use_sysadm_ttys(nscd_t)
> + userdom_dontaudit_use_sysadm_ptys(nscd_t)
> ')
>
> optional_policy(`

This should go with a run interface, then you get the transition, the role and these dontaudits.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
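Review bot: the new ',` branch hardcodes the sysadm terminal types into the nscd module (userdom_dontaudit_use_sysadm_ttys and userdom_dontaudit_use_sysadm_ptys on nscd_t), tying nscd_t to one specific user domain even though the terminal belongs to whichever domain restarts nscd; carry the terminal type as a parameter next to the nscd_domtrans call instead, so each caller names its own terminal type. The quoted hunk also stops at "optional_policy(`" and its header "@@ -117,6 +117,9 @@" shows that the opening of the block ',` now splits lies above the hunk, so it is not visible here which conditional gets the new else branch; include that context when resending.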
* Re: Don't audit restart of nscd daemon in strict policy
From: Daniel J Walsh @ 2007-03-06 18:43 UTC
To: Christopher J. PeBenito; +Cc: selinux

[-- Attachment #1: Type: text/plain, Size: 813 bytes --]

Christopher J. PeBenito wrote:
> On Mon, 2007-02-26 at 12:29 -0500, dwalsh@localhost.localdomain wrote:
>
>> ===File /tmp/patches/done/nsaserefpolicy_policy_modules_services_nscd.patch===
>> --- nsaserefpolicy/policy/modules/services/nscd.te 2007-02-19 11:32:53.000000000 -0500
>> +++ serefpolicy-2.5.5/policy/modules/services/nscd.te 2007-02-26 11:02:34.000000000 -0500
>> @@ -117,6 +117,9 @@
>> term_dontaudit_use_unallocated_ttys(nscd_t)
>> term_dontaudit_use_generic_ptys(nscd_t)
>> files_dontaudit_read_root_files(nscd_t)
>> +',`
>> + userdom_dontaudit_use_sysadm_ttys(nscd_t)
>> + userdom_dontaudit_use_sysadm_ptys(nscd_t)
>> ')
>>
>> optional_policy(`
>>
>
> This should go with a run interface, then you get the transition, the
> role and these dontaudits.
>
>
Ok, how about this one.

[-- Attachment #2: nscd.patch --]
[-- Type: text/x-patch, Size: 1403 bytes --]

--- nsaserefpolicy/policy/modules/services/nscd.if 2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-2.5.8/policy/modules/services/nscd.if 2007-03-06 13:33:06.000000000 -0500
@@ -173,3 +173,35 @@
allow $1 nscd_t:nscd *;
')
+
+########################################
+## <summary>
+## Execute nscd in the nscd domain, and
+## allow the specified role the nscd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the nscd domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the terminal allow the nscd domain to use.
+## </summary>
+## </param>
+#
+interface(`nscd_run',`
+ gen_require(`
+ type nscd_t;
+ ')
+
+ nscd_domtrans($1)
+ role $2 types nscd_t;
+ dontaudit nscd_t $3:chr_file rw_term_perms;
+')
+
--- nsaserefpolicy/policy/modules/system/userdomain.te 2007-02-19 11:32:53.000000000 -0500
+++ serefpolicy-2.5.8/policy/modules/system/userdomain.te 2007-03-06 13:33:25.000000000 -0500
@@ -423,6 +438,10 @@
')

optional_policy(`
+ nscd_run(sysadm_t,sysadm_r,admin_terminal)
+ ')
+
+ optional_policy(`
usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal)
usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
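Review bot: in the nscd.if hunk the <param name="terminal"> summary reads "The type of the terminal allow the nscd domain to use", but the rule it documents is "dontaudit nscd_t $3:chr_file rw_term_perms;", which suppresses denials rather than granting access; reword it to "The type of the terminal whose use by the nscd domain is not audited." The hunk also ends with a lone "+", adding an empty trailing line to nscd.if, which should be dropped.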
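Review bot: the userdomain.te hunk header "@@ -423,6 +438,10 @@" carries a 15-line offset between the old and new start lines while the hunk itself adds only 4 lines, so the patch was taken against a tree with other local changes to userdomain.te and may not apply cleanly to the reference policy; regenerate it against a clean checkout. A separate nscd_run(sysadm_t,sysadm_r,admin_terminal) block here also only covers restarts started directly from a sysadm shell, not ones triggered from the usermanage domains reached through the usermanage_run_* calls just below it.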
* Re: Don't audit restart of nscd daemon in strict policy
From: Christopher J. PeBenito @ 2007-03-07 16:23 UTC
To: Daniel J Walsh; +Cc: selinux

On Tue, 2007-03-06 at 13:43 -0500, Daniel J Walsh wrote:
> Christopher J. PeBenito wrote:
> > On Mon, 2007-02-26 at 12:29 -0500, dwalsh@localhost.localdomain wrote:
> >> +',`
> >> + userdom_dontaudit_use_sysadm_ttys(nscd_t)
> >> + userdom_dontaudit_use_sysadm_ptys(nscd_t)
> >
> > This should go with a run interface, then you get the transition, the
> > role and these dontaudits.
> >
> Ok how about this one.

Yes, that's what I had in mind, but I thought that the purpose was that
nscd was restarted from usermanage_t. If so, the nscd_run() call should
go in usermanage_run_useradd(). See rpm_run() for what I was thinking.

> +interface(`nscd_run',`
> + gen_require(`
> + type nscd_t;
> + ')
> +
> + nscd_domtrans($1)
> + role $2 types nscd_t;
> + dontaudit nscd_t $3:chr_file rw_term_perms;
> +')
> +
> --- nsaserefpolicy/policy/modules/system/userdomain.te 2007-02-19 11:32:53.000000000 -0500
> +++ serefpolicy-2.5.8/policy/modules/system/userdomain.te 2007-03-06 13:33:25.000000000 -0500
> @@ -423,6 +438,10 @@
> ')
>
> optional_policy(`
> + nscd_run(sysadm_t,sysadm_r,admin_terminal)
> + ')
> +
> + optional_policy(`
> usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal)
> usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
> usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: Don't audit restart of nscd daemon in strict policy
From: Daniel J Walsh @ 2007-03-07 20:21 UTC
To: Christopher J. PeBenito; +Cc: selinux

[-- Attachment #1: Type: text/plain, Size: 1615 bytes --]

Christopher J. PeBenito wrote:
> On Tue, 2007-03-06 at 13:43 -0500, Daniel J Walsh wrote:
>
>> Christopher J. PeBenito wrote:
>>
>>> On Mon, 2007-02-26 at 12:29 -0500, dwalsh@localhost.localdomain wrote:
>>>
>>>> +',`
>>>> + userdom_dontaudit_use_sysadm_ttys(nscd_t)
>>>> + userdom_dontaudit_use_sysadm_ptys(nscd_t)
>>>>
>>> This should go with a run interface, then you get the transition, the
>>> role and these dontaudits.
>>>
>>>
>> Ok how about this one.
>>
>
> Yes, thats what I had in mind, but I thought that the purpose was that
> nscd was restarted from usermanage_t. If so, the nscd_run() call should
> go in usermanage_run_useradd(). See rpm_run() for what I was thinking.
>
>
>> +interface(`nscd_run',`
>> + gen_require(`
>> + type nscd_t;
>> + ')
>> +
>> + nscd_domtrans($1)
>> + role $2 types nscd_t;
>> + dontaudit nscd_t $3:chr_file rw_term_perms;
>> +')
>> +
>> --- nsaserefpolicy/policy/modules/system/userdomain.te 2007-02-19 11:32:53.000000000 -0500
>> +++ serefpolicy-2.5.8/policy/modules/system/userdomain.te 2007-03-06 13:33:25.000000000 -0500
>> @@ -423,6 +438,10 @@
>> ')
>>
>> optional_policy(`
>> + nscd_run(sysadm_t,sysadm_r,admin_terminal)
>> + ')
>> +
>> + optional_policy(`
>> usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal)
>> usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
>> usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
>>
Ok, one more pass.

[-- Attachment #2: nscd_run.patch --]
[-- Type: text/x-patch, Size: 2335 bytes --]

--- nsaserefpolicy/policy/modules/admin/usermanage.if 2007-01-02 12:57:51.000000000 -0500
+++ serefpolicy-2.5.8/policy/modules/admin/usermanage.if 2007-03-07 15:06:39.000000000 -0500
@@ -69,6 +69,7 @@
files_search_usr($1)
corecmd_search_sbin($1)
domtrans_pattern($1,groupadd_exec_t,groupadd_t)
+ nscd_run(groupadd_t, $2, $3);
')

########################################
@@ -206,6 +207,7 @@
usermanage_domtrans_admin_passwd($1)
role $2 types sysadm_passwd_t;
allow sysadm_passwd_t $3:chr_file rw_term_perms;
+ nscd_run(sysadm_passwd_t, $2, $3);
')

########################################
@@ -258,6 +260,7 @@
usermanage_domtrans_useradd($1)
role $2 types useradd_t;
allow useradd_t $3:chr_file rw_term_perms;
+ nscd_run(useradd_t, $2, $3);
')

########################################
--- nsaserefpolicy/policy/modules/services/nscd.if 2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-2.5.8/policy/modules/services/nscd.if 2007-03-06 14:13:31.000000000 -0500
@@ -173,3 +173,35 @@
allow $1 nscd_t:nscd *;
')
+
+########################################
+## <summary>
+## Execute nscd in the nscd domain, and
+## allow the specified role the nscd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the nscd domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the terminal allow the nscd domain to use.
+## </summary>
+## </param>
+#
+interface(`nscd_run',`
+ gen_require(`
+ type nscd_t;
+ ')
+
+ nscd_domtrans($1)
+ role $2 types nscd_t;
+ dontaudit nscd_t $3:chr_file rw_term_perms;
+')
+
--- nsaserefpolicy/policy/modules/admin/usermanage.te 2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-2.5.8/policy/modules/admin/usermanage.te 2007-03-06 14:13:31.000000000 -0500
@@ -257,10 +257,6 @@
')

optional_policy(`
- nscd_domtrans(groupadd_t)
-')
-
-optional_policy(`
rpm_use_fds(groupadd_t)
rpm_rw_pipes(groupadd_t)
')
@@ -444,7 +440,6 @@
')

optional_policy(`
- nscd_domtrans(sysadm_passwd_t)
nscd_socket_use(sysadm_passwd_t)
')

@@ -540,10 +535,6 @@
')

optional_policy(`
- nscd_domtrans(useradd_t)
-')
-
-optional_policy(`
rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t)
')
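Review bot: the usermanage.if hunk at "@@ -69,6 +69,7 @@" inserts nscd_run(groupadd_t, $2, $3) into the interface whose body is domtrans_pattern($1,groupadd_exec_t,groupadd_t), i.e. the groupadd domtrans interface, which takes only $1; when it expands, $2 and $3 are empty, leaving a "role types nscd_t" statement with no role and a dontaudit with no terminal type. Move the call into the groupadd run interface, beside its role and terminal rules, as the two following hunks do for sysadm_passwd_t and useradd_t.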
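Review bot: nscd_run(sysadm_passwd_t, $2, $3); and nscd_run(useradd_t, $2, $3); carry a trailing semicolon; interface calls are m4 macros and the neighbouring calls in the same hunks (usermanage_domtrans_admin_passwd($1), usermanage_domtrans_useradd($1)) have none, so the stray ";" is passed straight through into the expanded policy. Drop it. These calls are also unconditional, whereas the nscd_domtrans calls they replace in usermanage.te sat inside optional_policy(` ... ') blocks; if the nscd module is not built, the usermanage interfaces now fail to expand, so wrap the nscd_run calls in optional_policy as well.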
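Review bot: removing nscd_domtrans from the three optional_policy blocks in usermanage.te means the transition to nscd_t now exists only for callers of the usermanage_run_* interfaces and no longer for callers of the plain usermanage_domtrans_* ones; that matches the intent stated in the thread, but it is a behaviour change for any existing domtrans caller and is worth a line in the commit message. The "@@ -444,7 +440,6 @@" hunk keeps nscd_socket_use(sysadm_passwd_t) in its block, so sysadm_passwd_t still reaches nscd's socket without a domain transition; the groupadd_t and useradd_t blocks are collapsed into the rpm ones with no equivalent socket rule shown, so confirm those two domains do not also query nscd directly.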
* Re: Don't audit restart of nscd daemon in strict policy
From: Christopher J. PeBenito @ 2007-03-08 14:11 UTC
To: Daniel J Walsh; +Cc: selinux

On Wed, 2007-03-07 at 15:21 -0500, Daniel J Walsh wrote:
> Christopher J. PeBenito wrote:
> > On Tue, 2007-03-06 at 13:43 -0500, Daniel J Walsh wrote:
> >
> >> Christopher J. PeBenito wrote:
> >>
> >>> On Mon, 2007-02-26 at 12:29 -0500, dwalsh@localhost.localdomain wrote:
> >>>
> >>>> +',`
> >>>> + userdom_dontaudit_use_sysadm_ttys(nscd_t)
> >>>> + userdom_dontaudit_use_sysadm_ptys(nscd_t)
> >>>>
> >>> This should go with a run interface, then you get the transition, the
> >>> role and these dontaudits.
> >>>
> >>>
> >> Ok how about this one.

Yes, that's it, merged. I fixed the groupadd one, which was in the domtrans
interface rather than run.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150