* myjboss and jbossjava selinux-modules
@ 2008-03-03 13:42 selinux
2008-03-18 14:14 ` Daniel J Walsh
0 siblings, 1 reply; 2+ messages in thread
From: selinux @ 2008-03-03 13:42 UTC (permalink / raw)
To: selinux
[-- Attachment #1: Type: text/plain, Size: 942 bytes --]
Hi Gents,
We have spent the last two weeks on creating selinux-modules for jboss and
a custom-made jbossjava-module. I've attached the files to this message.
We would like you guys to take a look at our modules and tell us what we
did wrong. For instance we didn't use real domain-transitions (at least we
didn't use real domtrans()) to give jbossjava access to myjboss, do we
have to? Or is the way we work sufficient?
It is possible that we made some of the rules to coarse, if that's the
case, please let us know how we can make them better. This is our first
attempt to write a module and let it checked upstream but that doesn't
mean you have to be mild to us!
At the moment we use the (selinux)-user ejbca because in our current
system we are running ejbca on top of jboss, but we are changing it this
week to run as jboss.
Please sent changes as real patches so we can patch our source-code!
With regards,
Ronald van den Blink
[-- Attachment #2: jbossjava.fc --]
[-- Type: application/octet-stream, Size: 408 bytes --]
/usr/java(/.*)? gen_context(system_u:object_r:jbossjava_usr_java_t)
/usr/java/latest/bin(/.*)? gen_context(system_u:object_r:jbossjava_exec_t)
/usr/java/default/bin(/.*)? gen_context(system_u:object_r:jbossjava_exec_t)
/usr/java/jre1.6.0_04/bin(/.*)? gen_context(system_u:object_r:jbossjava_exec_t)
[-- Attachment #3: jbossjava.if --]
[-- Type: application/octet-stream, Size: 1511 bytes --]
## <summary>Java interface for JBoss</summary>
## <desc>
## <p>
## Module to give java access to JBoss without being
## unconfined
## </p>
## </desc>
########################################
## <summary>
## Search jbossjava read directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`jbossjava_search_r_dir',`
gen_require(`
type jbossjava_usr_java_t;
type jbossjava_exec_t;
')
allow $1 jbossjava_usr_java_t:dir r_dir_perms;
allow $1 jbossjava_exec_t:dir r_dir_perms;
')
#######################################
## <summary>
## Execute jbossjava files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`jbossjava_execute_file',`
gen_require(`
type jbossjava_exec_t;
type jbossjava_usr_java_t;
')
allow $1 jbossjava_exec_t:file exec_file_perms;
allow $1 jbossjava_usr_java_t:file exec_file_perms;
')
#######################################
## <summary>
## Read jbossjava linked files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`jbossjava_read_lnk',`
gen_require(`
type jbossjava_usr_java_t;
')
allow $1 jbossjava_usr_java_t:lnk_file read_lnk_file_perms;
')
[-- Attachment #4: jbossjava.te --]
[-- Type: application/octet-stream, Size: 606 bytes --]
policy_module(jbossjava,1.0.0)
########################################
#
# Declarations
#
type jbossjava_t;
type jbossjava_usr_java_t;
type jbossjava_exec_t;
require {
type initrc_t;
}
domain_type(jbossjava_t)
init_daemon_domain(jbossjava_t, jbossjava_usr_java_t)
allow initrc_t jbossjava_usr_java_t:lnk_file read_lnk_file_perms;
# Type for the executable
files_type(jbossjava_exec_t)
domain_entry_file(jbossjava_t, jbossjava_exec_t)
files_list_usr(jbossjava_t)
files_read_etc_files(jbossjava_t)
files_read_usr_symlinks(jbossjava_t)
jboss_rx_files(jbossjava_t)
[-- Attachment #5: myjboss.fc --]
[-- Type: application/octet-stream, Size: 448 bytes --]
/var/run/jboss\.pid -- gen_context(ejbca:object_r:jboss_var_run_t)
/opt/jboss-4.2.2.GA/bin(/.*)? gen_context(ejbca:object_r:jboss_exec_t)
/var/log/jboss(/.*)? gen_context(ejbca:object_r:jboss_log_t)
/opt/jboss-4.2.2.GA(/.*)? gen_context(ejbca:object_r:jboss_opt_t)
/opt/jboss(/.*)? gen_context(ejbca:object_r:jboss_opt_t)
[-- Attachment #6: myjboss.if --]
[-- Type: application/octet-stream, Size: 3923 bytes --]
## <summary>myjboss module</summary>
########################################
## <summary>
## Execute a domain transition to run jboss.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`jboss_domtrans',`
gen_require(`
type jboss_t, jboss_exec_t;
')
domain_auto_trans($1,jboss_exec_t,jboss_t)
allow jboss_t $1:fd use;
allow jboss_t $1:fifo_file rw_file_perms;
allow jboss_t $1:process sigchld;
')
########################################
## <summary>
## Do not audit attempts to read,
## jboss tmp files
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`jboss_dontaudit_read_tmp_files',`
gen_require(`
type jboss_tmp_t;
')
dontaudit $1 jboss_tmp_t:file r_file_perms;
')
########################################
## <summary>
## Allow domain to read, jboss tmp files
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`jboss_read_tmp_files',`
gen_require(`
type jboss_tmp_t;
')
dontaudit $1 jboss_tmp_t:file r_file_perms;
')
########################################
## <summary>
## Search jboss rw directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`jboss_search_rw_dir',`
gen_require(`
type jboss_rw_t;
')
allow $1 jboss_rw_t:dir search_dir_perms;
files_search_rw($1)
')
########################################
## <summary>
## Read jboss rw files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`jboss_read_rw_files',`
gen_require(`
type jboss_rw_t;
')
allow $1 jboss_rw_t:file r_file_perms;
allow $1 jboss_rw_t:dir list_dir_perms;
files_search_rw($1)
')
########################################
## <summary>
## Create, read, write, and delete
## jboss rw files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`jboss_manage_rw_files',`
gen_require(`
type jboss_rw_t;
')
allow $1 jboss_rw_t:file manage_file_perms;
allow $1 jboss_rw_t:dir rw_dir_perms;
')
########################################
## <summary>
## read, getattr and execute JBoss files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`jboss_rx_files',`
gen_require(`
type jboss_rx_t;
')
allow $1 jboss_rx_t:file exec_file_perms;
')
########################################
## <summary>
## Allow the specified domain to manage
## jboss pid file
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`jboss_manage_pid',`
gen_require(`
type jboss_var_run_t;
')
manage_files_pattern($1,jboss_var_run_t,httpd_var_run_t)
files_pid_filetrans($1,jboss_var_run_t, file)
')
#Java
##allow jboss_t java_exec_t:file { read getattr execute execute_no_trans };
#allow jboss_t staff_javaplugin_tmp_t:dir { write search read remove_name getattr add_name };
#allow jboss_t staff_javaplugin_tmp_t:file { write read create unlink };
#files_list_usr(jboss_t)
#files_read_etc_files(jboss_t)
#files_read_usr_symlinks(jboss_t)
#allow jboss_t sysadm_home_dir_t:dir search;
[-- Attachment #7: myjboss.te --]
[-- Type: application/octet-stream, Size: 3031 bytes --]
policy_module(myjboss,1.1.2)
########################################
#
# Declarations
#
type jboss_t;
type jboss_exec_t;
type jboss_rx_t;
require {
type port_t;
type staff_tmp_t;
type sysadm_home_dir_t;
}
domain_type(jboss_t)
init_daemon_domain(jboss_t, jboss_exec_t)
role system_r types jboss_t;
auth_use_nsswitch(jboss_t)
files_read_etc_files(jboss_t)
#allow staff_t initrc_exec_t:file exec_file_perms;
type jboss_log_t;
logging_log_file(jboss_log_t)
type jboss_tmp_t;
files_tmp_file(jboss_tmp_t)
type jboss_opt_t;
files_type(jboss_opt_t) #DAN
type jboss_var_run_t;
files_pid_file(jboss_var_run_t) #DAN
type jboss_rw_t;
files_type(jboss_rw_t)
########################################
#
# jboss local policy
#
# Init script handling
domain_use_interactive_fds(jboss_t)
## internal communication is often done using fifo and unix sockets.
allow jboss_t self:fifo_file rw_file_perms;
allow jboss_t self:unix_stream_socket create_stream_socket_perms;
# Allow acces too our selves
allow jboss_t jboss_exec_t:dir r_dir_perms;
allow jboss_t jboss_opt_t:dir create_dir_perms;
allow jboss_t jboss_opt_t:file create_file_perms;
allow jboss_t self:process { execmem getsched };
allow jboss_t jboss_rw_t:file manage_file_perms;
allow jboss_t jboss_rw_t:dir create_dir_perms;
allow jboss_t jboss_tmp_t:file manage_file_perms;
allow jboss_t jboss_tmp_t:dir create_dir_perms;
#files_pid_filetrans(jboss_t,jboss_tmp_t, { file dir })
allow jboss_t self:capability dac_override;
# Network
allow jboss_t port_t:tcp_socket { name_bind name_connect };
allow jboss_t self:tcp_socket { accept listen };
# Localization access
miscfiles_read_localization(jboss_t)
#lib access
libs_use_ld_so(jboss_t)
libs_use_lib_files(jboss_t)
libs_use_shared_libs(jboss_t)
# Call our own bin-dir
corecmd_exec_bin(jboss_t)
corecmd_read_bin_symlinks(jboss_t)
corecmd_search_bin(jboss_t)
corecmd_search_sbin(jboss_t)
# Radomizer access for ssl
dev_read_rand(jboss_t)
dev_read_urand(jboss_t)
# Network Access
allow jboss_t self:tcp_socket create_stream_socket_perms;
kernel_read_network_state(jboss_t)
kernel_search_network_state(jboss_t)
corenet_tcp_bind_http_cache_port(jboss_t)
corenet_tcp_bind_http_port(jboss_t)
corenet_tcp_bind_generic_node(jboss_t)
corenet_tcp_bind_inaddr_any_node(jboss_t)
corenet_tcp_bind_kerberos_master_port(jboss_t)
corenet_tcp_bind_lo_node(jboss_t)
corenet_non_ipsec_sendrecv(jboss_t)
corenet_tcp_connect_http_cache_port(jboss_t)
corenet_tcp_connect_http_port(jboss_t)
sysnet_dns_name_resolve(jboss_t)
files_pid_filetrans(jboss_t,jboss_rw_t, { file dir })
files_manage_generic_tmp_files(jboss_t)
files_manage_generic_tmp_dirs(jboss_t)
files_read_usr_symlinks(jboss_t)
kernel_read_system_state(jboss_t)
allow jboss_t self:process signal;
dontaudit jboss_t sysadm_home_dir_t:dir search;
#Go to jbossjava domain
jbossjava_read_lnk(jboss_t)
jbossjava_execute_file(jboss_t)
jbossjava_search_r_dir(jboss_t)
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: myjboss and jbossjava selinux-modules
2008-03-03 13:42 myjboss and jbossjava selinux-modules selinux
@ 2008-03-18 14:14 ` Daniel J Walsh
0 siblings, 0 replies; 2+ messages in thread
From: Daniel J Walsh @ 2008-03-18 14:14 UTC (permalink / raw)
To: selinux; +Cc: selinux
[-- Attachment #1: Type: text/plain, Size: 2488 bytes --]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
selinux@a61.nl wrote:
> Hi Gents,
>
> We have spent the last two weeks on creating selinux-modules for jboss and
> a custom-made jbossjava-module. I've attached the files to this message.
>
> We would like you guys to take a look at our modules and tell us what we
> did wrong. For instance we didn't use real domain-transitions (at least we
> didn't use real domtrans()) to give jbossjava access to myjboss, do we
> have to? Or is the way we work sufficient?
>
> It is possible that we made some of the rules to coarse, if that's the
> case, please let us know how we can make them better. This is our first
> attempt to write a module and let it checked upstream but that doesn't
> mean you have to be mild to us!
>
> At the moment we use the (selinux)-user ejbca because in our current
> system we are running ejbca on top of jboss, but we are changing it this
> week to run as jboss.
>
> Please sent changes as real patches so we can patch our source-code!
>
>
> With regards,
>
>
> Ronald van den Blink
Just getting around to reviewing this.
myjboss.te
1 You have jboss_rx_t defined but never used.
2 init_daemon_domain contains domain_type(jboss_t)
3 you should try to avoid using gen_require in a te file, you should try
to use interfaces instead
userdom_dontaudit_search_sysadm_home_dirs(jboss_t)
for example.
staff_tmp_t is not used anywhere
4 type port_t should probably be jboss_port_t and then map the actual
ports jboss needs to connect/bind to.
Probably jboss_rw_t and jboss_opt_t should be combined to one type
files_pid_filetrans(jboss_t,jboss_rw_t, { file dir })
Should probably be
files_pid_filetrans(jboss_t,jboss_var_run_t, { file dir })
Does jboss_tmp_t needed? If yes you probably need
files_tmp_filetrans(jboss_t,jboss_tmp_t, { file dir })
You are missing
allow jboss_t jboss_log_t:dir manage_dir_perms;
allow jboss_t jboss_log_t:file manage_file_perms;
Not sure you need this, or if jboss_t execs other jboss_exec_t you need
can_exec(jboss_t, jboss_exec_t)
allow jboss_t jboss_exec_t:dir r_dir_perms;
I would just remove the jbossjava stuff all together and use the
standard definitions of java.
I rewrote some of your defs and attached.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkffzjcACgkQrlYvE4MpobP2vACgonlpdAyBgqSiT4CVCv7A/mqH
TvEAoKXnUNCB3q6L9iCqfZ6arsORgs1z
=Xni2
-----END PGP SIGNATURE-----
[-- Attachment #2: myjboss.fc --]
[-- Type: text/plain, Size: 440 bytes --]
/var/run/jboss\.pid -- gen_context(ejbca:object_r:jboss_var_run_t)
/opt/jboss-4.2.2.GA/bin(/.*)? gen_context(ejbca:object_r:jboss_exec_t)
/var/log/jboss(/.*)? gen_context(ejbca:object_r:jboss_log_t)
/opt/jboss-4.2.2.GA(/.*)? gen_context(ejbca:object_r:jboss_rw_t)
/opt/jboss(/.*)? gen_context(ejbca:object_r:jboss_rw_t)
[-- Attachment #3: myjboss.if --]
[-- Type: text/plain, Size: 3003 bytes --]
## <summary>myjboss module</summary>
########################################
## <summary>
## Execute a domain transition to run jboss.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`jboss_domtrans',`
gen_require(`
type jboss_t, jboss_exec_t;
')
domain_auto_trans($1,jboss_exec_t,jboss_t)
allow jboss_t $1:fd use;
allow jboss_t $1:fifo_file rw_file_perms;
allow jboss_t $1:process sigchld;
')
########################################
## <summary>
## Do not audit attempts to read,
## jboss tmp files
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`jboss_dontaudit_read_tmp_files',`
gen_require(`
type jboss_tmp_t;
')
dontaudit $1 jboss_tmp_t:file r_file_perms;
')
########################################
## <summary>
## Allow domain to read, jboss tmp files
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`jboss_read_tmp_files',`
gen_require(`
type jboss_tmp_t;
')
dontaudit $1 jboss_tmp_t:file r_file_perms;
')
########################################
## <summary>
## Search jboss rw directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`jboss_search_rw_dir',`
gen_require(`
type jboss_rw_t;
')
allow $1 jboss_rw_t:dir search_dir_perms;
files_search_rw($1)
')
########################################
## <summary>
## Read jboss rw files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`jboss_read_rw_files',`
gen_require(`
type jboss_rw_t;
')
allow $1 jboss_rw_t:file r_file_perms;
allow $1 jboss_rw_t:dir list_dir_perms;
files_search_rw($1)
')
########################################
## <summary>
## Create, read, write, and delete
## jboss rw files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`jboss_manage_rw_files',`
gen_require(`
type jboss_rw_t;
')
allow $1 jboss_rw_t:file manage_file_perms;
allow $1 jboss_rw_t:dir rw_dir_perms;
')
########################################
## <summary>
## Allow the specified domain to manage
## jboss pid file
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`jboss_manage_pid',`
gen_require(`
type jboss_var_run_t;
')
manage_files_pattern($1,jboss_var_run_t,httpd_var_run_t)
files_pid_filetrans($1,jboss_var_run_t, file)
')
[-- Attachment #4: myjboss.te --]
[-- Type: text/plain, Size: 2702 bytes --]
policy_module(myjboss,1.1.2)
########################################
#
# Declarations
#
type jboss_t;
type jboss_exec_t;
domain_type(jboss_t)
init_daemon_domain(jboss_t, jboss_exec_t)
role system_r types jboss_t;
type jboss_port_t;
ports_type(jboss_port_t)
type jboss_log_t;
logging_log_file(jboss_log_t)
type jboss_tmp_t;
files_tmp_file(jboss_tmp_t)
type jboss_rw_t;
files_type(jboss_rw_t)
type jboss_var_run_t;
files_pid_file(jboss_var_run_t)
########################################
#
# jboss local policy
#
# Init script handling
domain_use_interactive_fds(jboss_t)
allow jboss_t self:capability dac_override;
allow jboss_t self:process { execmem getsched signal };
## internal communication is often done using fifo and unix sockets.
allow jboss_t self:fifo_file rw_file_perms;
allow jboss_t self:unix_stream_socket create_stream_socket_perms;
allow jboss_t self:tcp_socket create_stream_socket_perms;
# Allow acces too our selves
allow jboss_t jboss_exec_t:dir r_dir_perms;
allow jboss_t jboss_rw_t:dir manage_dir_perms;
allow jboss_t jboss_rw_t:file manage_file_perms;
allow jboss_t jboss_log_t:dir manage_dir_perms;
allow jboss_t jboss_log_t:file manage_file_perms;
allow jboss_t jboss_tmp_t:file manage_file_perms;
allow jboss_t jboss_tmp_t:dir create_dir_perms;
files_tmp_filetrans(jboss_t,jboss_tmp_t, { file dir })
files_read_etc_files(jboss_t)
# Network
allow jboss_t jboss_port_t:tcp_socket { name_bind name_connect };
# Localization access
miscfiles_read_localization(jboss_t)
auth_use_nsswitch(jboss_t)
#lib access
libs_use_ld_so(jboss_t)
libs_use_lib_files(jboss_t)
libs_use_shared_libs(jboss_t)
# Call our own bin-dir
corecmd_exec_bin(jboss_t)
corecmd_read_bin_symlinks(jboss_t)
corecmd_search_bin(jboss_t)
corecmd_search_sbin(jboss_t)
# Radomizer access for ssl
dev_read_rand(jboss_t)
dev_read_urand(jboss_t)
# Network Access
kernel_read_network_state(jboss_t)
kernel_search_network_state(jboss_t)
corenet_tcp_bind_http_cache_port(jboss_t)
corenet_tcp_bind_http_port(jboss_t)
corenet_tcp_bind_generic_node(jboss_t)
corenet_tcp_bind_inaddr_any_node(jboss_t)
corenet_tcp_bind_kerberos_master_port(jboss_t)
corenet_tcp_bind_lo_node(jboss_t)
corenet_non_ipsec_sendrecv(jboss_t)
corenet_tcp_connect_http_cache_port(jboss_t)
corenet_tcp_connect_http_port(jboss_t)
sysnet_dns_name_resolve(jboss_t)
files_pid_filetrans(jboss_t,jboss_var_log_t, { file dir })
files_manage_generic_tmp_files(jboss_t)
files_manage_generic_tmp_dirs(jboss_t)
files_read_usr_symlinks(jboss_t)
kernel_read_system_state(jboss_t)
dontaudit jboss_t sysadm_home_dir_t:dir search;
#Go to jbossjava domain
jbossjava_read_lnk(jboss_t)
jbossjava_execute_file(jboss_t)
jbossjava_search_r_dir(jboss_t)
[-- Attachment #5: myjboss.fc.sig --]
[-- Type: application/octet-stream, Size: 72 bytes --]
[-- Attachment #6: myjboss.if.sig --]
[-- Type: application/octet-stream, Size: 72 bytes --]
[-- Attachment #7: myjboss.te.sig --]
[-- Type: application/octet-stream, Size: 72 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2008-03-18 14:14 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-03-03 13:42 myjboss and jbossjava selinux-modules selinux
2008-03-18 14:14 ` Daniel J Walsh
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.