* targeted policy patch
@ 2005-05-19 15:11 Serge Hallyn
From: Serge Hallyn @ 2005-05-19 15:11 UTC (permalink / raw)
  To: selinux


Hi,

In order to compile the sf.net targeted policy on a gentoo system with
the sf.net checkpolicy, I needed the following patch.  It does several
small things, the last of which I expect is actually wrong, but at
least gets me a compiling policy:

1. preserves kernel.te to get its type declaration.
2. fixes what I assume is a typo, 'rm -rf domains/misc/used' instead of unused
3. deletes setfiles.fc, since setfiles_exec_t is not declared in the policy
4. adds the unrestricted attribute to the insmod_t domain.  This stops
a conflict with the neverallow rule for ~signal -> unconfined_t.

thanks,
-serge

[-- Attachment #2: targeted_nits.patch --]
[-- Type: application/octet-stream, Size: 1883 bytes --]

Index: policy/selinux-policy-targeted.spec
===================================================================
--- policy.orig/selinux-policy-targeted.spec	2005-05-19 09:56:03.000000000 -0500
+++ policy/selinux-policy-targeted.spec	2005-05-19 09:57:28.000000000 -0500
@@ -48,8 +48,10 @@
 for i in amanda.te apache.te chkpwd.te cups.te dhcpd.te dictd.te dovecot.te fingerd.te ftpd.te howl.te i18n_input.te init.te initrc.te inetd.te innd.te kerberos.te ktalkd.te ldconfig.te login.te lpd.te mailman.te modutil.te mta.te mysqld.te named.te nscd.te ntpd.te portmap.te postgresql.te privoxy.te radius.te radvd.te rlogind.te rpcd.te rshd.te rsync.te samba.te slapd.te snmpd.te spamd.te squid.te stunnel.te syslogd.te telnetd.te tftpd.te winbind.te ypbind.te ypserv.te zebra.te; do
 mv domains/program/unused/$i domains/program/ 
 done 
+cp domains/misc/unused/kernel.te domains/misc
 rm -rf domains/program/unused 
-rm -rf domains/misc/used 
+rm -rf domains/misc/unused 
+rm file_contexts/program/setfiles.fc
 cp -R %{type}/* .
 echo "define(\`targeted_policy')"  > tunables/tunable.tun
 echo "define(\`hide_broken_symptoms')"  >> tunables/tunable.tun
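Review bot: the added `rm file_contexts/program/setfiles.fc` has no `-f`, unlike the surrounding `rm -rf` lines, so the spec's build step aborts if that file is already absent; use `rm -f`. Deleting the .fc also only hides the missing `setfiles_exec_t` declaration (the setfiles binary will fall back to the default label); carrying the domain file that declares the type would be the proper fix. Note too that the new `cp domains/misc/unused/kernel.te domains/misc` must stay ahead of the corrected `rm -rf domains/misc/unused`, which now really removes that directory where the misspelt `domains/misc/used` line did nothing.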
Index: policy/domains/program/modutil.te
===================================================================
--- policy.orig/domains/program/modutil.te	2005-05-19 09:56:03.000000000 -0500
+++ policy/domains/program/modutil.te	2005-05-19 09:58:17.000000000 -0500
@@ -70,7 +70,7 @@
 # Rules for the insmod_t domain.
 #
 
-type insmod_t, domain, privlog, sysctl_kernel_writer, privmem, privsysmod ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, auth_write, privowner, privmodule' )
+type insmod_t, domain, unrestricted, privlog, sysctl_kernel_writer, privmem, privsysmod ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, auth_write, privowner, privmodule' )
 ;
 role system_r types insmod_t;
 role sysadm_r types insmod_t;
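Review bot: adding `unrestricted` to the `insmod_t` type line removes the `~signal -> unconfined_t` neverallow conflict by exempting the domain from it, but neverallows that exclude unrestricted domains then no longer apply to insmod_t at all, not only the signal one; the sender already flags this as probably wrong. The narrower fix is to locate the rule granting insmod_t signal permissions on unconfined_t and restrict that, rather than widening a domain that loads kernel modules to unconfined-like status. At minimum the line deserves a comment saying why the attribute is there, so it is not later mistaken for a deliberate design choice.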


* Re: targeted policy patch
@ 2005-05-19 15:29 ` Stephen Smalley
From: Stephen Smalley @ 2005-05-19 15:29 UTC (permalink / raw)
  To: Serge Hallyn; +Cc: selinux

On Thu, 2005-05-19 at 10:11 -0500, Serge Hallyn wrote:
> Hi,
> 
> In order to compile the sf.net targeted policy on a gentoo system with
> the sf.net checkpolicy, I needed the following patch.  It does several
> small things, the last of which I expect is actually wrong, but at
> least gets me a compiling policy:
> 
> 1. preserves kernel.te to get its type declaration.
> 2. fixes what I assume is a typo, 'rm -rf domains/misc/used' instead of unused
> 3. deletes setfiles.fc, since setfiles_exec_t is not declared in the policy
> 4. adds the unrestricted attribute to the insmod_t domain.  This stops
> a conflict with the neverallow rule for ~signal -> unconfined_t.

I'd advise using the targeted policy spec file from the Fedora Core CVS
tree instead; we only update our spec files occasionally (e.g. prior to
an updated release on nsa.gov) and they are only intended as examples.
FC4 targeted policy includes many more domains.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: targeted policy patch
@ 2005-05-19 15:54   ` Serge Hallyn
From: Serge Hallyn @ 2005-05-19 15:54 UTC (permalink / raw)
  To: selinux

Ah, ok, thanks.

What about the strict policy?  Should I use that out of fc as well?

thanks,
-serge

On 5/19/05, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Thu, 2005-05-19 at 10:11 -0500, Serge Hallyn wrote:
> > Hi,
> >
> > In order to compile the sf.net targeted policy on a gentoo system with
> > the sf.net checkpolicy, I needed the following patch.  It does several
> > small things, the last of which I expect is actually wrong, but at
> > least gets me a compiling policy:
> >
> > 1. preserves kernel.te to get its type declaration.
> > 2. fixes what I assume is a typo, 'rm -rf domains/misc/used' instead of unused
> > 3. deletes setfiles.fc, since setfiles_exec_t is not declared in the policy
> > 4. adds the unrestricted attribute to the insmod_t domain.  This stops
> > a conflict with the neverallow rule for ~signal -> unconfined_t.
> 
> I'd advise using the targeted policy spec file from the Fedora Core CVS
> tree instead; we only update our spec files occasionally (e.g. prior to
> an updated release on nsa.gov) and they are only intended as examples.
> FC4 targeted policy includes many more domains.
> 
> --
> Stephen Smalley
> National Security Agency
> 
>




* targeted policy patch
@ 2006-12-05 12:42 Russell Coker
From: Russell Coker @ 2006-12-05 12:42 UTC (permalink / raw)
  To: SE-Linux; +Cc: Manoj Srivastava


The attached patch is needed to quiet mdadm (and programs that do similar 
things) for the case of unlabeled device nodes.  In Debian a typical install 
of etch with SE Linux will result in /dev/.static/dev containing a lot of 
unlabeled device nodes from the root filesystem (through a bind mount).

As for device_t, that's the default type upon creation and the type that new 
device nodes get before we assign a type to them.

-- 
russell@coker.com.au
http://etbe.blogspot.com/          My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development

[-- Attachment #2: diff --]
[-- Type: text/x-diff, Size: 745 bytes --]

--- modules/kernel/devices.if.orig	2006-12-05 23:35:28.000000000 +1100
+++ modules/kernel/devices.if	2006-12-05 23:38:55.000000000 +1100
@@ -598,9 +598,11 @@
 interface(`dev_dontaudit_getattr_all_blk_files',`
 	gen_require(`
 		attribute device_node;
+		type file_t;
+		type device_t;
 	')
 
-	dontaudit $1 device_node:blk_file getattr;
+	dontaudit $1 { device_node file_t device_t }:blk_file getattr;
 ')
 
 ########################################
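Review bot: `type file_t;` in the `gen_require` of `dev_dontaudit_getattr_all_blk_files` references a type this module does not own (file_t belongs to the files module), as Chris PeBenito's reply also points out; an interface may only require its own module's types, so callers needing the file_t case should go through a files-module interface instead. `device_t` is owned here and is fine to require. Since the interface name promises only `device_node`, widening the dontaudit to file_t also hides relabeling work (the unlabeled nodes in /dev/.static/dev); the header comment above the interface should state that it now covers unlabeled and default-typed block devices.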
@@ -616,9 +618,11 @@
 interface(`dev_getattr_all_chr_files',`
 	gen_require(`
 		attribute device_node;
+		type file_t;
+		type device_t;
 	')
 
-	allow $1 device_node:chr_file getattr;
+	allow $1 { device_node file_t device_t }:chr_file getattr;
 ')
 
 ########################################
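Review bot: this hunk changes `dev_getattr_all_chr_files`, an `allow` interface, whereas the previous hunk changed the `dontaudit` variant for block files; adding file_t and device_t to an allow grants every caller getattr on unlabeled and default-typed character devices rather than merely quieting denials, which is more than the cover letter asks for. If the goal is silence for mdadm, the change belongs in the dontaudit counterpart for chr files, and the same module-ownership problem with `type file_t;` applies here.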


* Re: targeted policy patch
@ 2006-12-08 13:39 ` Christopher J. PeBenito
From: Christopher J. PeBenito @ 2006-12-08 13:39 UTC (permalink / raw)
  To: russell; +Cc: SE-Linux, Manoj Srivastava

On Tue, 2006-12-05 at 23:42 +1100, Russell Coker wrote:
> The attached patch is needed to quiet mdadm (and programs that do similar 
> things) for the case of unlabeled device nodes.  In Debian a typical install 
> of etch with SE Linux will result in /dev/.static/dev containing a lot of 
> unlabeled device nodes from the root filesystem (through a bind mount).
> 
> As for device_t, that's the default type upon creation and the type that new 
> device nodes get before we assign a type to them.

A couple things.  First, file_t cannot be referenced by name here,
because it is not owned by this module.  I'm not convinced it should be
added to this interface because it's not generally applicable to any
domain that uses this interface.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



