* Remove unconfined_domain from ldconfig
@ 2007-03-23 19:39 Daniel J Walsh
2007-04-10 19:35 ` Christopher J. PeBenito
From: Daniel J Walsh @ 2007-03-23 19:39 UTC (permalink / raw)
To: Christopher J. PeBenito, SE Linux
[-- Attachment #1: Type: text/plain, Size: 54 bytes --]
Removed textrel_shlib_t from all mozilla libraries.
[-- Attachment #2: libraries.patch --]
[-- Type: text/x-patch, Size: 2491 bytes --]
--- nsaserefpolicy/policy/modules/system/libraries.fc 2007-03-01 10:01:49.000000000 -0500
+++ serefpolicy-2.5.10/policy/modules/system/libraries.fc 2007-03-22 15:06:59.000000000 -0400
@@ -202,12 +202,6 @@
/usr/lib(64)?/.*/program/libsoffice\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(.*/)?pcsc/drivers(/.*)?/lib(cm2020|cm4000|SCR24x)\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/firefox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/mozilla.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/seamonkey.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/sunbird.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/thunderbird.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
# Fedora Extras packages: ladspa, imlib2, ocaml
/usr/lib(64)?/ladspa/analogue_osc_1416\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/ladspa/bandpass_a_iir_1893\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
--- nsaserefpolicy/policy/modules/system/libraries.te 2007-03-01 10:01:49.000000000 -0500
+++ serefpolicy-2.5.10/policy/modules/system/libraries.te 2007-03-22 15:08:18.000000000 -0400
@@ -51,6 +51,11 @@
init_system_domain(ldconfig_t,ldconfig_exec_t)
role system_r types ldconfig_t;
+type ldconfig_tmp_t;
+files_tmp_file(ldconfig_tmp_t)
+
+allow ldconfig_t self:capability sys_chroot;
+
allow ldconfig_t ld_so_cache_t:file manage_file_perms;
files_etc_filetrans(ldconfig_t,ld_so_cache_t,file)
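Review bot: `allow ldconfig_t self:capability sys_chroot;` is added with no comment saying which ldconfig code path needs it, and a raw capability grant deserves one now that the targeted build no longer covers ldconfig_t with unconfined_domain. Presumably this is for `ldconfig -r ROOT`, which changes root into the alternate tree before rebuilding the cache; a line such as `# ldconfig -r <root> chroots into the target tree before rebuilding the cache` above the allow rule would record that. If no caller invokes ldconfig with -r on a targeted system, the capability can be dropped instead of documented.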
@@ -74,6 +79,13 @@
libs_use_ld_so(ldconfig_t)
libs_use_shared_libs(ldconfig_t)
+manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
+manage_files_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
+files_tmp_filetrans(ldconfig_t, ldconfig_tmp_t, { file dir })
+files_read_generic_tmp_symlinks(ldconfig_t)
+
+miscfiles_read_localization(ldconfig_t)
+
logging_send_syslog_msg(ldconfig_t)
userdom_use_all_users_fds(ldconfig_t)
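Review bot: `files_read_generic_tmp_symlinks(ldconfig_t)` lets a root domain that also holds manage_file_perms on ld_so_cache_t follow symlinks any local user can create under /tmp, and the hunk gives no reason for it. A comment naming the caller that needs it (`# follows symlinks inside the initrd tree built under /tmp by kernel postinstall`) would let the next reader judge whether generic tmp symlinks are really required or whether the tree is labelled more specifically. Separately, the new ldconfig_tmp_t rules cover only `{ file dir }`; ldconfig creates soname symlinks when it processes a library directory, so if the tree it rebuilds is ever labelled ldconfig_tmp_t the policy will also need `manage_lnk_files_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)` and lnk_file in the filetrans class set — this is an inference from ldconfig's behaviour, not something the hunk shows.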
@@ -86,10 +98,16 @@
ifdef(`targeted_policy',`
allow ldconfig_t lib_t:file read_file_perms;
- unconfined_domain(ldconfig_t)
+ term_dontaudit_use_generic_ptys(ldconfig_t)
+ term_dontaudit_use_unallocated_ttys(ldconfig_t)
')
optional_policy(`
# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
apache_dontaudit_search_modules(ldconfig_t)
')
+
+optional_policy(`
+ rpm_manage_script_tmp_files(ldconfig_t)
+')
+
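Review bot: `rpm_manage_script_tmp_files(ldconfig_t)` is added without a comment, and the only justification for it appears later in the thread rather than in the policy file. Carrying the reason into the source, for example `# kernel postinstall builds an initrd under /tmp and runs ldconfig on it`, would have answered the maintainer's question at review time and keeps the grant from looking like an accidental widening. The final added line is a trailing blank at end of file and can be dropped.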
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: Remove unconfined_domain from ldconfig
2007-03-23 19:39 Remove unconfined_domain from ldconfig Daniel J Walsh
@ 2007-04-10 19:35 ` Christopher J. PeBenito
2007-04-10 19:42 ` Daniel J Walsh
From: Christopher J. PeBenito @ 2007-04-10 19:35 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SE Linux
On Fri, 2007-03-23 at 15:39 -0400, Daniel J Walsh wrote:
> Removed textrel_shlib_t from all mozilla libraries.
Merged, except for the last part with managing rpm script temp files,
which seems odd.
>
>
>
>
>
> differences
> between files
> attachment
> (libraries.patch), "libraries.patch"
>
> --- nsaserefpolicy/policy/modules/system/libraries.fc 2007-03-01
> 10:01:49.000000000 -0500
> +++
> serefpolicy-2.5.10/policy/modules/system/libraries.fc 2007-03-22
> 15:06:59.000000000 -0400
> @@ -202,12 +202,6 @@
> /usr/lib(64)?/.*/program/libsoffice\.so
> -- gen_context(system_u:object_r:textrel_shlib_t,s0)
> /usr/(.*/)?pcsc/drivers(/.*)?/lib(cm2020|cm4000|SCR24x)\.so(\.[^/]*)*
> -- gen_context(system_u:object_r:textrel_shlib_t,s0)
>
> -/usr/lib(64)?/firefox.*
> \.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
> -/usr/lib(64)?/mozilla.*
> \.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
> -/usr/lib(64)?/seamonkey.*
> \.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
> -/usr/lib(64)?/sunbird.*
> \.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
> -/usr/lib(64)?/thunderbird.*
> \.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
> -
> # Fedora Extras packages: ladspa, imlib2, ocaml
> /usr/lib(64)?/ladspa/analogue_osc_1416\.so
> -- gen_context(system_u:object_r:textrel_shlib_t,s0)
> /usr/lib(64)?/ladspa/bandpass_a_iir_1893\.so
> -- gen_context(system_u:object_r:textrel_shlib_t,s0)
> --- nsaserefpolicy/policy/modules/system/libraries.te 2007-03-01
> 10:01:49.000000000 -0500
> +++
> serefpolicy-2.5.10/policy/modules/system/libraries.te 2007-03-22
> 15:08:18.000000000 -0400
> @@ -51,6 +51,11 @@
> init_system_domain(ldconfig_t,ldconfig_exec_t)
> role system_r types ldconfig_t;
>
> +type ldconfig_tmp_t;
> +files_tmp_file(ldconfig_tmp_t)
> +
> +allow ldconfig_t self:capability sys_chroot;
> +
> allow ldconfig_t ld_so_cache_t:file manage_file_perms;
> files_etc_filetrans(ldconfig_t,ld_so_cache_t,file)
>
> @@ -74,6 +79,13 @@
> libs_use_ld_so(ldconfig_t)
> libs_use_shared_libs(ldconfig_t)
>
> +manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
> +manage_files_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
> +files_tmp_filetrans(ldconfig_t, ldconfig_tmp_t, { file dir })
> +files_read_generic_tmp_symlinks(ldconfig_t)
> +
> +miscfiles_read_localization(ldconfig_t)
> +
> logging_send_syslog_msg(ldconfig_t)
>
> userdom_use_all_users_fds(ldconfig_t)
> @@ -86,10 +98,16 @@
>
> ifdef(`targeted_policy',`
> allow ldconfig_t lib_t:file read_file_perms;
> - unconfined_domain(ldconfig_t)
> + term_dontaudit_use_generic_ptys(ldconfig_t)
> + term_dontaudit_use_unallocated_ttys(ldconfig_t)
> ')
>
> optional_policy(`
> # dontaudit access to /usr/lib/apache, normal programs cannot
> read these libs anyway
> apache_dontaudit_search_modules(ldconfig_t)
> ')
> +
> +optional_policy(`
> + rpm_manage_script_tmp_files(ldconfig_t)
> +')
> +
>
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: Remove unconfined_domain from ldconfig
2007-04-10 19:35 ` Christopher J. PeBenito
@ 2007-04-10 19:42 ` Daniel J Walsh
From: Daniel J Walsh @ 2007-04-10 19:42 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: SE Linux
Christopher J. PeBenito wrote:
> On Fri, 2007-03-23 at 15:39 -0400, Daniel J Walsh wrote:
>
>> Removed textrel_shlib_t from all mozilla libraries.
>>
>
> Merged, except for the last part with managing rpm script temp files,
> which seems odd.
>
>
>>
>>
>>
>> differences
>> between files
>> attachment
>> (libraries.patch), "libraries.patch"
>>
>> --- nsaserefpolicy/policy/modules/system/libraries.fc 2007-03-01
>> 10:01:49.000000000 -0500
>> +++
>> serefpolicy-2.5.10/policy/modules/system/libraries.fc 2007-03-22
>> 15:06:59.000000000 -0400
>> @@ -202,12 +202,6 @@
>> /usr/lib(64)?/.*/program/libsoffice\.so
>> -- gen_context(system_u:object_r:textrel_shlib_t,s0)
>> /usr/(.*/)?pcsc/drivers(/.*)?/lib(cm2020|cm4000|SCR24x)\.so(\.[^/]*)*
>> -- gen_context(system_u:object_r:textrel_shlib_t,s0)
>>
>> -/usr/lib(64)?/firefox.*
>> \.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
>> -/usr/lib(64)?/mozilla.*
>> \.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
>> -/usr/lib(64)?/seamonkey.*
>> \.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
>> -/usr/lib(64)?/sunbird.*
>> \.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
>> -/usr/lib(64)?/thunderbird.*
>> \.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
>> -
>> # Fedora Extras packages: ladspa, imlib2, ocaml
>> /usr/lib(64)?/ladspa/analogue_osc_1416\.so
>> -- gen_context(system_u:object_r:textrel_shlib_t,s0)
>> /usr/lib(64)?/ladspa/bandpass_a_iir_1893\.so
>> -- gen_context(system_u:object_r:textrel_shlib_t,s0)
>> --- nsaserefpolicy/policy/modules/system/libraries.te 2007-03-01
>> 10:01:49.000000000 -0500
>> +++
>> serefpolicy-2.5.10/policy/modules/system/libraries.te 2007-03-22
>> 15:08:18.000000000 -0400
>> @@ -51,6 +51,11 @@
>> init_system_domain(ldconfig_t,ldconfig_exec_t)
>> role system_r types ldconfig_t;
>>
>> +type ldconfig_tmp_t;
>> +files_tmp_file(ldconfig_tmp_t)
>> +
>> +allow ldconfig_t self:capability sys_chroot;
>> +
>> allow ldconfig_t ld_so_cache_t:file manage_file_perms;
>> files_etc_filetrans(ldconfig_t,ld_so_cache_t,file)
>>
>> @@ -74,6 +79,13 @@
>> libs_use_ld_so(ldconfig_t)
>> libs_use_shared_libs(ldconfig_t)
>>
>> +manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
>> +manage_files_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
>> +files_tmp_filetrans(ldconfig_t, ldconfig_tmp_t, { file dir })
>> +files_read_generic_tmp_symlinks(ldconfig_t)
>> +
>> +miscfiles_read_localization(ldconfig_t)
>> +
>> logging_send_syslog_msg(ldconfig_t)
>>
>> userdom_use_all_users_fds(ldconfig_t)
>> @@ -86,10 +98,16 @@
>>
>> ifdef(`targeted_policy',`
>> allow ldconfig_t lib_t:file read_file_perms;
>> - unconfined_domain(ldconfig_t)
>> + term_dontaudit_use_generic_ptys(ldconfig_t)
>> + term_dontaudit_use_unallocated_ttys(ldconfig_t)
>> ')
>>
>> optional_policy(`
>> # dontaudit access to /usr/lib/apache, normal programs cannot
>> read these libs anyway
>> apache_dontaudit_search_modules(ldconfig_t)
>> ')
>> +
>> +optional_policy(`
>> + rpm_manage_script_tmp_files(ldconfig_t)
>> +')
>> +
>>
>>
When you install a kernel, the postinstall builds an initrd image in tmp
and executes ldconfig on it. If you don't allow this, kernel installs
blow up.