From: Daniel J Walsh <dwalsh@redhat.com>
To: selinux@a61.nl
Cc: selinux@tycho.nsa.gov
Subject: Re: myjboss and jbossjava selinux-modules
Date: Tue, 18 Mar 2008 10:14:31 -0400
Message-ID: <47DFCE47.8020408@redhat.com>
In-Reply-To: <53028.80.95.164.250.1204551758.squirrel@rvandenblink.nl>
selinux@a61.nl wrote:
> Hi Gents,
>
> We have spent the last two weeks on creating selinux-modules for jboss and
> a custom-made jbossjava-module. I've attached the files to this message.
>
> We would like you guys to take a look at our modules and tell us what we
> did wrong. For instance we didn't use real domain-transitions (at least we
> didn't use real domtrans()) to give jbossjava access to myjboss, do we
> have to? Or is the way we work sufficient?
>
> It is possible that we made some of the rules too coarse, if that's the
> case, please let us know how we can make them better. This is our first
> attempt to write a module and have it checked upstream but that doesn't
> mean you have to be mild to us!
>
> At the moment we use the (selinux)-user ejbca because in our current
> system we are running ejbca on top of jboss, but we are changing it this
> week to run as jboss.
>
> Please send changes as real patches so we can patch our source-code!
>
>
> With regards,
>
>
> Ronald van den Blink
Just getting around to reviewing this.
myjboss.te
1. You have jboss_rx_t defined but never used.
2. init_daemon_domain already contains domain_type(jboss_t).
3. You should try to avoid using gen_require in a te file; use interfaces
instead, for example
    userdom_dontaudit_search_sysadm_home_dirs(jboss_t)
staff_tmp_t is not used anywhere.
4. type port_t should probably be jboss_port_t and then map the actual
ports jboss needs to connect/bind to.
Probably jboss_rw_t and jboss_opt_t should be combined into one type.
    files_pid_filetrans(jboss_t,jboss_rw_t, { file dir })
should probably be
    files_pid_filetrans(jboss_t,jboss_var_run_t, { file dir })
Is jboss_tmp_t needed? If yes you probably need
    files_tmp_filetrans(jboss_t,jboss_tmp_t, { file dir })
You are missing
    allow jboss_t jboss_log_t:dir manage_dir_perms;
    allow jboss_t jboss_log_t:file manage_file_perms;
Not sure you need this, or if jboss_t execs other jboss_exec_t you need
    can_exec(jboss_t, jboss_exec_t)
    allow jboss_t jboss_exec_t:dir r_dir_perms;
I would just remove the jbossjava stuff altogether and use the
standard definitions of java.
I rewrote some of your defs and attached.
[-- Attachment #2: myjboss.fc --]
[-- Type: text/plain, Size: 440 bytes --]
/var/run/jboss\.pid -- gen_context(ejbca:object_r:jboss_var_run_t)
/opt/jboss-4.2.2.GA/bin(/.*)? gen_context(ejbca:object_r:jboss_exec_t)
/var/log/jboss(/.*)? gen_context(ejbca:object_r:jboss_log_t)
/opt/jboss-4.2.2.GA(/.*)? gen_context(ejbca:object_r:jboss_rw_t)
/opt/jboss(/.*)? gen_context(ejbca:object_r:jboss_rw_t)
[-- Attachment #3: myjboss.if --]
[-- Type: text/plain, Size: 3003 bytes --]
## <summary>myjboss module</summary>
########################################
## <summary>
## Execute a domain transition to run jboss.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`jboss_domtrans',`
gen_require(`
type jboss_t, jboss_exec_t;
')
domain_auto_trans($1,jboss_exec_t,jboss_t)
allow jboss_t $1:fd use;
allow jboss_t $1:fifo_file rw_file_perms;
allow jboss_t $1:process sigchld;
')
########################################
## <summary>
## Do not audit attempts to read
## jboss tmp files
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`jboss_dontaudit_read_tmp_files',`
gen_require(`
type jboss_tmp_t;
')
dontaudit $1 jboss_tmp_t:file r_file_perms;
')
########################################
## <summary>
## Allow domain to read jboss tmp files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`jboss_read_tmp_files',`
gen_require(`
type jboss_tmp_t;
')
allow $1 jboss_tmp_t:file r_file_perms;
')
########################################
## <summary>
## Search jboss rw directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`jboss_search_rw_dir',`
gen_require(`
type jboss_rw_t;
')
allow $1 jboss_rw_t:dir search_dir_perms;
files_search_rw($1)
')
########################################
## <summary>
## Read jboss rw files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`jboss_read_rw_files',`
gen_require(`
type jboss_rw_t;
')
allow $1 jboss_rw_t:file r_file_perms;
allow $1 jboss_rw_t:dir list_dir_perms;
files_search_rw($1)
')
########################################
## <summary>
## Create, read, write, and delete
## jboss rw files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`jboss_manage_rw_files',`
gen_require(`
type jboss_rw_t;
')
allow $1 jboss_rw_t:file manage_file_perms;
allow $1 jboss_rw_t:dir rw_dir_perms;
')
########################################
## <summary>
## Allow the specified domain to manage
## jboss pid file
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`jboss_manage_pid',`
gen_require(`
type jboss_var_run_t;
')
manage_files_pattern($1,jboss_var_run_t,jboss_var_run_t)
files_pid_filetrans($1,jboss_var_run_t, file)
')
[-- Attachment #4: myjboss.te --]
[-- Type: text/plain, Size: 2702 bytes --]
policy_module(myjboss,1.1.2)
########################################
#
# Declarations
#
type jboss_t;
type jboss_exec_t;
domain_type(jboss_t)
init_daemon_domain(jboss_t, jboss_exec_t)
role system_r types jboss_t;
type jboss_port_t;
# mark the type as a network port type via the corenetwork interface
corenet_port(jboss_port_t)
type jboss_log_t;
logging_log_file(jboss_log_t)
type jboss_tmp_t;
files_tmp_file(jboss_tmp_t)
type jboss_rw_t;
files_type(jboss_rw_t)
type jboss_var_run_t;
files_pid_file(jboss_var_run_t)
########################################
#
# jboss local policy
#
# Init script handling
domain_use_interactive_fds(jboss_t)
allow jboss_t self:capability dac_override;
allow jboss_t self:process { execmem getsched signal };
# internal communication is often done using fifo and unix sockets.
allow jboss_t self:fifo_file rw_file_perms;
allow jboss_t self:unix_stream_socket create_stream_socket_perms;
allow jboss_t self:tcp_socket create_stream_socket_perms;
# Allow access to our own files
allow jboss_t jboss_exec_t:dir r_dir_perms;
allow jboss_t jboss_rw_t:dir manage_dir_perms;
allow jboss_t jboss_rw_t:file manage_file_perms;
allow jboss_t jboss_log_t:dir manage_dir_perms;
allow jboss_t jboss_log_t:file manage_file_perms;
allow jboss_t jboss_tmp_t:file manage_file_perms;
allow jboss_t jboss_tmp_t:dir create_dir_perms;
files_tmp_filetrans(jboss_t,jboss_tmp_t, { file dir })
files_read_etc_files(jboss_t)
# Network
allow jboss_t jboss_port_t:tcp_socket { name_bind name_connect };
# Localization access
miscfiles_read_localization(jboss_t)
auth_use_nsswitch(jboss_t)
#lib access
libs_use_ld_so(jboss_t)
libs_use_lib_files(jboss_t)
libs_use_shared_libs(jboss_t)
# Call our own bin-dir
corecmd_exec_bin(jboss_t)
corecmd_read_bin_symlinks(jboss_t)
corecmd_search_bin(jboss_t)
corecmd_search_sbin(jboss_t)
# Random device access for ssl
dev_read_rand(jboss_t)
dev_read_urand(jboss_t)
# Network Access
kernel_read_network_state(jboss_t)
kernel_search_network_state(jboss_t)
corenet_tcp_bind_http_cache_port(jboss_t)
corenet_tcp_bind_http_port(jboss_t)
corenet_tcp_bind_generic_node(jboss_t)
corenet_tcp_bind_inaddr_any_node(jboss_t)
corenet_tcp_bind_kerberos_master_port(jboss_t)
corenet_tcp_bind_lo_node(jboss_t)
corenet_non_ipsec_sendrecv(jboss_t)
corenet_tcp_connect_http_cache_port(jboss_t)
corenet_tcp_connect_http_port(jboss_t)
sysnet_dns_name_resolve(jboss_t)
files_pid_filetrans(jboss_t,jboss_var_run_t, { file dir })
files_manage_generic_tmp_files(jboss_t)
files_manage_generic_tmp_dirs(jboss_t)
files_read_usr_symlinks(jboss_t)
kernel_read_system_state(jboss_t)
userdom_dontaudit_search_sysadm_home_dirs(jboss_t)
#Go to jbossjava domain
jbossjava_read_lnk(jboss_t)
jbossjava_execute_file(jboss_t)
jbossjava_search_r_dir(jboss_t)
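The first three review points above (a type declared but never used, a type pulled in with a raw gen_require instead of an interface, and a type name referenced that the module never declares, like the jboss_var_log_t/jboss_var_run_t mix-up in files_pid_filetrans) are all things a small script can catch before the module is ever built. The checker below is an added example, not code from the mailing list or from refpolicy; it assumes the refpolicy convention that type names end in `_t` and works on a constructed .te sample that reproduces those findings rather than on the attached file.

```python
"""Lint a refpolicy-style .te file for the problems raised in the review:
types declared but never used, types referenced without being declared,
and types pulled in through a raw gen_require instead of an interface."""
import re
import sys

# Constructed sample .te for this example (not the attached module). It
# reproduces the review's findings: jboss_rx_t is declared but unused,
# staff_tmp_t is required but unused, sysadm_home_dir_t is used through a
# raw gen_require, and files_pid_filetrans names a type that was never
# declared (jboss_var_log_t instead of jboss_var_run_t).
SAMPLE_TE = """\
policy_module(myjboss,1.1.2)
type jboss_t;
type jboss_exec_t;
type jboss_rx_t;
type jboss_var_run_t;
files_pid_file(jboss_var_run_t)
init_daemon_domain(jboss_t, jboss_exec_t)
role system_r types jboss_t;
gen_require(`
    type sysadm_home_dir_t, staff_tmp_t;
')
allow jboss_t self:process { execmem getsched signal };
allow jboss_t jboss_exec_t:dir r_dir_perms;   # comment after a rule
files_pid_filetrans(jboss_t,jboss_var_log_t, { file dir })
dontaudit jboss_t sysadm_home_dir_t:dir search;
"""

# A type declaration line: "type foo_t;" or "type foo_t, some_attribute;"
DECL_RE = re.compile(r"^type\s+([A-Za-z0-9_]+)\s*[;,]")
# Whole gen_require(` ... ') blocks, which may span several lines
REQUIRE_RE = re.compile(r"gen_require\(`(.*?)'\)", re.S)
# Any identifier ending in _t: the refpolicy naming convention for types
# (an assumption of this checker, not a guarantee of the language)
TYPE_TOKEN_RE = re.compile(r"\b([A-Za-z0-9_]+_t)\b")


def lint_te(text):
    """Return sets of type names grouped by finding."""
    required = set()
    for block in REQUIRE_RE.findall(text):
        for m in re.finditer(r"type\s+([^;]+);", block):
            required.update(t.strip() for t in m.group(1).split(","))

    declared, referenced = set(), set()
    for raw in REQUIRE_RE.sub("", text).splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        decl = DECL_RE.match(line)
        if decl:
            declared.add(decl.group(1))       # a declaration is not a use
            continue
        # Every remaining _t token is a use: allow/dontaudit rules,
        # role statements and interface-call arguments alike.
        referenced.update(TYPE_TOKEN_RE.findall(line))

    return {
        "unused": declared - referenced,
        "undeclared": referenced - declared - required,
        "via_gen_require": required,
        "required_unused": required - referenced,
    }


def format_report(findings):
    """Render the findings as one line per type and category."""
    labels = {
        "unused": "declared but never used",
        "undeclared": "used but not declared in this module",
        "via_gen_require": "pulled in with gen_require; prefer an interface",
        "required_unused": "listed in gen_require but never used",
    }
    lines = []
    for key, label in labels.items():
        for name in sorted(findings[key]):
            lines.append(f"{name}: {label}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pass a .te path to lint a real module; with no argument the sample runs.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TE
    print(format_report(lint_te(source)))
```

On the sample this reports jboss_rx_t as unused, jboss_var_log_t as undeclared, staff_tmp_t as required but unused, and both gen_require types as candidates for an interface call. A type that the checker calls undeclared is either a typo (the case above) or a legitimate external type, and the fix for the latter is the interface the review recommends, not a wider gen_require.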
Thread overview:
2008-03-03 13:42 myjboss and jbossjava selinux-modules selinux
2008-03-18 14:14 ` Daniel J Walsh [this message]