Application_domain

Application_domain

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 751 bytes --]

My definition of the application domain, is any file that a normal user 
is expected to execute.   It can either have a  transition or not.  If I 
define application_domain then it will transition.  If I just define 
application_executable_file, then logged in users can execute it without 
a transition.

Daemons for the most part should NOT be application_domains.   This way 
we can dontaudit getattr of daemons that users would/should not be 
allowed to execute. 

Some applictions can be in both domains.  For example cvs, rsync can be 
run without transitioning by users but when run from an initscript they 
transition. 

This patch makes changes to the pool to match this.

I included the entire readahead patch in this patch as this should



[-- Attachment #2: application.patch --]
[-- Type: text/x-patch, Size: 5708 bytes --]

--- nsaserefpolicy/policy/modules/admin/acct.te	2007-05-29 14:10:59.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/admin/acct.te	2007-08-02 10:58:36.000000000 -0400
@@ -9,6 +9,7 @@
 type acct_t;
 type acct_exec_t;
 init_system_domain(acct_t,acct_exec_t)
+application_executable_file(acct_exec_t)
 
 type acct_data_t;
 logging_log_file(acct_data_t)
--- nsaserefpolicy/policy/modules/admin/netutils.te	2007-07-25 10:37:43.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/admin/netutils.te	2007-08-02 10:58:36.000000000 -0400
@@ -29,6 +29,7 @@
 type traceroute_t;
 type traceroute_exec_t;
 init_system_domain(traceroute_t,traceroute_exec_t)
+application_executable_file(traceroute_exec_t)
 role system_r types traceroute_t;
 
 ########################################
--- nsaserefpolicy/policy/modules/admin/rpm.te	2007-07-25 10:37:43.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/admin/rpm.te	2007-08-02 10:58:36.000000000 -0400
@@ -9,6 +9,8 @@
 type rpm_t;
 type rpm_exec_t;
 init_system_domain(rpm_t,rpm_exec_t)
+application_executable_file(rpm_exec_t)
+
 domain_obj_id_change_exemption(rpm_t)
 domain_role_change_exemption(rpm_t)
 domain_system_change_exemption(rpm_t)
--- nsaserefpolicy/policy/modules/services/cvs.te	2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/cvs.te	2007-08-02 10:58:36.000000000 -0400
@@ -16,6 +16,7 @@
 type cvs_t;
 type cvs_exec_t;
 inetd_tcp_service_domain(cvs_t,cvs_exec_t)
+application_executable_file(cvs_exec_t)
 role system_r types cvs_t;
 
 type cvs_data_t; # customizable
--- nsaserefpolicy/policy/modules/services/rsync.te	2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/rsync.te	2007-08-02 10:58:37.000000000 -0400
@@ -17,6 +17,7 @@
 type rsync_t;
 type rsync_exec_t;
 init_daemon_domain(rsync_t,rsync_exec_t)
+application_executable_file(rsync_exec_t)
 role system_r types rsync_t;
 
 type rsync_data_t;
--- nsaserefpolicy/policy/modules/services/ssh.te	2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/ssh.te	2007-08-02 10:58:37.000000000 -0400
@@ -24,7 +24,7 @@
 
 # Type for the ssh-agent executable.
 type ssh_agent_exec_t;
-files_type(ssh_agent_exec_t)
+application_executable_file(ssh_agent_exec_t)
 
 # ssh client executable.
 type ssh_exec_t;
--- nsaserefpolicy/policy/modules/system/application.if	2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/system/application.if	2007-08-02 10:58:37.000000000 -0400
@@ -63,6 +63,26 @@
 
 ########################################
 ## <summary>
+##	Execute all executable files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`application_exec_all',`
+       # Need this dontaudit or command completion fires hundreds of avcs
+       corecmd_dontaudit_exec_all_executables($1)
+       corecmd_exec_bin($1)
+       corecmd_exec_shell($1)
+       corecmd_exec_chroot($1)
+       application_exec($1)
+')
+
+########################################
+## <summary>
 ##	Create a domain which can be started by users
 ## </summary>
 ## <param name="domain">
--- nsaserefpolicy/policy/modules/system/fstools.te	2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/system/fstools.te	2007-08-02 10:58:37.000000000 -0400
@@ -9,6 +9,7 @@
 type fsadm_t;
 type fsadm_exec_t;
 init_system_domain(fsadm_t,fsadm_exec_t)
+application_executable_file(fsadm_exec_t)
 role system_r types fsadm_t;
 
 type fsadm_log_t;
--- nsaserefpolicy/policy/modules/system/init.if	2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/system/init.if	2007-08-02 10:58:37.000000000 -0400
@@ -194,9 +194,13 @@
 	gen_require(`
 		type initrc_t;
 		role system_r;
+		attribute daemon;
 	')
 
-	application_domain($1,$2)
+	domain_type($1)
+	domain_entry_file($1,$2)
+
+	typeattribute $1 daemon;
 
 	role system_r types $1;
 
--- nsaserefpolicy/policy/modules/system/lvm.te	2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/system/lvm.te	2007-08-02 10:58:37.000000000 -0400
@@ -16,6 +16,7 @@
 type lvm_t;
 type lvm_exec_t;
 init_system_domain(lvm_t,lvm_exec_t)
+application_executable_file(lvm_exec_t)
 # needs privowner because it assigns the identity system_u to device nodes
 # but runs as the identity of the sysadmin
 domain_obj_id_change_exemption(lvm_t)
--- nsaserefpolicy/policy/modules/system/mount.te	2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/system/mount.te	2007-08-02 10:58:37.000000000 -0400
@@ -16,19 +23,21 @@
 type mount_t;
 type mount_exec_t;
 init_system_domain(mount_t,mount_exec_t)
+application_executable_file(mount_exec_t)
 role system_r types mount_t;
 
+typealias mount_t alias mount_ntfs_t;
+typealias mount_exec_t alias mount_ntfs_exec_t;
+
 type mount_loopback_t; # customizable
 files_type(mount_loopback_t)
 
 type mount_tmp_t;
 files_tmp_file(mount_tmp_t)
 
-# causes problems with interfaces when
-# this is optionally declared in monolithic
-# policy--duplicate type declaration
 type unconfined_mount_t;
 application_domain(unconfined_mount_t,mount_exec_t)
+role system_r types unconfined_mount_t;
 
 ########################################
 #
--- nsaserefpolicy/policy/modules/system/userdomain.if	2007-07-03 07:06:32.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/system/userdomain.if	2007-08-02 10:58:37.000000000 -0400
@@ -62,6 +62,10 @@
 
 	allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
 
+	application_exec_all($1_t)
+
+	auth_use_nsswitch($1_t)
+
 	kernel_read_kernel_sysctls($1_t)
 	kernel_dontaudit_list_unlabeled($1_t)
 	kernel_dontaudit_getattr_unlabeled_files($1_t)

Re: Application_domain

[Christopher J. PeBenito]

On Thu, 2007-08-02 at 11:35 -0400, Daniel J Walsh wrote:
> My definition of the application domain, is any file that a normal
> user is expected to execute.   It can either have a  transition or
> not.  If I define application_domain then it will transition.  If I
> just define application_executable_file, then logged in users can
> execute it without a transition.
> 
> Daemons for the most part should NOT be application_domains.   This
> way we can dontaudit getattr of daemons that users would/should not be
> allowed to execute.
> 
> Some applictions can be in both domains.  For example cvs, rsync can
> be run without transitioning by users but when run from an initscript
> they transition.
> 
> This patch makes changes to the pool to match this.

If you look back at what you're changing, init_system_domains() are all
apps, so the call is in that interface.  Your patch undoes this.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Application_domain

[Daniel J Walsh]

Christopher J. PeBenito wrote:
> On Thu, 2007-08-02 at 11:35 -0400, Daniel J Walsh wrote:
>   
>> My definition of the application domain, is any file that a normal
>> user is expected to execute.   It can either have a  transition or
>> not.  If I define application_domain then it will transition.  If I
>> just define application_executable_file, then logged in users can
>> execute it without a transition.
>>
>> Daemons for the most part should NOT be application_domains.   This
>> way we can dontaudit getattr of daemons that users would/should not be
>> allowed to execute.
>>
>> Some applictions can be in both domains.  For example cvs, rsync can
>> be run without transitioning by users but when run from an initscript
>> they transition.
>>
>> This patch makes changes to the pool to match this.
>>     
>
> If you look back at what you're changing, init_system_domains() are all
> apps, so the call is in that interface.  Your patch undoes this.
>
>   
Ok I guess your right, even though some of these being user executables 
is a little shaky.

Reverting patch in rawhide.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.