* firefox3
@ 2008-07-17 22:39 Justin Mattock
From: Justin Mattock @ 2008-07-17 22:39 UTC (permalink / raw)
To: selinux
I'm trying to tighten up firefox. From what I can see over here:
when I use firefox I usually change roles to user_r
then run firefox. Now I noticed that when I execute firefox in sysadm_r,
firefox is able to start up (when in enforcing mode). I remember in the
past firefox would not
start in sysadm_r, only user_r, for me. Is there something I'm missing,
or is this something new? (Below are the allow rules for firefox.)
allow sysadm_xserver_t user_mozilla_t:shm { associate getattr read
unix_read unix_write write };
allow sysadm_xserver_t user_mozilla_tmpfs_t:file { read write };
allow sysadm_xserver_t user_mplayer_t:shm { associate getattr read
unix_read unix_write write };
allow sysadm_xserver_t user_mplayer_tmpfs_t:file { read write };
allow sysadm_xserver_t user_t:shm { associate getattr read unix_read
unix_write write };
allow sysadm_xserver_t user_tmpfs_t:file { read write };
allow user_mozilla_t apmd_t:dir { getattr search };
allow user_mozilla_t apmd_t:file read;
allow user_mozilla_t bluetooth_t:dir { getattr search };
allow user_mozilla_t bluetooth_t:file read;
allow user_mozilla_t crond_t:dir { getattr search };
allow user_mozilla_t crond_t:file read;
allow user_mozilla_t devpts_t:dir search;
allow user_mozilla_t gconf_etc_t:dir { getattr read search };
allow user_mozilla_t gconf_etc_t:file { getattr read };
allow user_mozilla_t getty_t:dir { getattr search };
allow user_mozilla_t getty_t:file read;
allow user_mozilla_t hald_t:dir { getattr search };
allow user_mozilla_t hald_t:file read;
allow user_mozilla_t init_t:dir { getattr search };
allow user_mozilla_t init_t:file read;
allow user_mozilla_t initrc_t:dir { getattr search };
allow user_mozilla_t initrc_t:file read;
allow user_mozilla_t initrc_var_run_t:dir search;
allow user_mozilla_t initrc_var_run_t:sock_file write;
allow user_mozilla_t kernel_t:dir { getattr search };
allow user_mozilla_t kernel_t:file read;
allow user_mozilla_t klogd_t:dir { getattr search };
allow user_mozilla_t klogd_t:file read;
allow user_mozilla_t lib_t:file execute_no_trans;
allow user_mozilla_t local_login_t:dir { getattr search };
allow user_mozilla_t local_login_t:file read;
allow user_mozilla_t newrole_t:dir { getattr search };
allow user_mozilla_t newrole_t:fd use;
allow user_mozilla_t newrole_t:file read;
allow user_mozilla_t newrole_t:lnk_file read;
allow user_mozilla_t staff_t:dir { getattr search };
allow user_mozilla_t staff_t:file read;
allow user_mozilla_t sysadm_gconf_home_t:dir { add_name getattr read
remove_name search write };
allow user_mozilla_t sysadm_gconf_home_t:file { append create getattr
read rename unlink write };
allow user_mozilla_t sysadm_home_dir_t:dir { getattr search };
allow user_mozilla_t sysadm_home_t:dir { add_name getattr read
remove_name search write };
allow user_mozilla_t sysadm_home_t:file { append create getattr read
rename unlink };
allow user_mozilla_t sysadm_mozilla_home_t:dir { add_name create
getattr read remove_name rmdir search write };
allow user_mozilla_t sysadm_mozilla_home_t:file { create getattr lock
read rename unlink write };
allow user_mozilla_t sysadm_mozilla_home_t:lnk_file { create unlink };
allow user_mozilla_t sysadm_sudo_t:dir { getattr search };
allow user_mozilla_t sysadm_sudo_t:file read;
allow user_mozilla_t sysadm_t:dir { getattr search };
allow user_mozilla_t sysadm_t:file read;
allow user_mozilla_t sysadm_t:lnk_file read;
allow user_mozilla_t sysadm_tty_device_t:chr_file getattr;
allow user_mozilla_t sysadm_xauth_home_t:file { getattr read };
allow user_mozilla_t sysadm_xserver_t:dir { getattr search };
allow user_mozilla_t sysadm_xserver_t:file read;
allow user_mozilla_t sysadm_xserver_t:unix_stream_socket connectto;
allow user_mozilla_t syslogd_t:dir { getattr search };
allow user_mozilla_t syslogd_t:file read;
allow user_mozilla_t system_dbusd_t:dir { getattr search };
allow user_mozilla_t system_dbusd_t:file read;
allow user_mozilla_t tmp_t:dir { add_name create remove_name rmdir
setattr write };
allow user_mozilla_t tmp_t:file { create getattr link lock read unlink write };
allow user_mozilla_t tmp_t:sock_file { create unlink write };
allow user_mozilla_t udev_t:dir { getattr search };
allow user_mozilla_t udev_t:file read;
allow user_mozilla_t user_devpts_t:chr_file { getattr ioctl read write };
allow user_mozilla_t user_t:dir { getattr search };
allow user_mozilla_t user_t:file read;
allow user_mozilla_t user_t:lnk_file read;
allow user_mozilla_t user_t:sem { associate getattr read setattr
unix_read unix_write write };
allow user_mozilla_t user_t:shm { associate getattr read setattr
unix_read unix_write write };
allow user_mozilla_t user_tmpfs_t:file { read write };
allow user_mozilla_t v4l_device_t:chr_file { read write };
###########make enableaudit
allow user_mozilla_t security_t:dir { getattr search };
allow user_mozilla_t security_t:file read;
allow user_mozilla_t security_t:filesystem getattr;
allow user_mozilla_t selinux_config_t:dir search;
allow user_mozilla_t selinux_config_t:file { getattr read };
allow user_mozilla_t tmp_t:dir read;
Is this safe? Should I comment out some of the allow rules,
and if so, which ones?
regards;
--
Justin P. Mattock
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: firefox3
@ 2008-07-18 12:07 Dominick Grift
From: Dominick Grift @ 2008-07-18 12:07 UTC (permalink / raw)
To: Justin Mattock; +Cc: selinux
On Thu, 2008-07-17 at 22:39 +0000, Justin Mattock wrote:
> I'm trying to tighten up firefox, from what I can see over here:
I do not encourage people to run Firefox as sysadm_t, and I recommend
you use staff_t as your default domain. sysadm_t is a domain specifically
for sysadmin tasks. Plus sysadm_t is being (kind of) replaced by
unconfined_t in the targeted policy.
Also I think sysadm, user and staff do not transition once they run
Firefox, but that they run Firefox in the user domain by default.
In Fedora 9 only the xguest_t domain by default can run Firefox in the
Mozilla domain, by setting the boolean.
However Nsplugin is now by default confined to the nsplugin_t domain and
so even though you may not transition to mozilla_t as staff or user, you
will still be protected by nsplugin_t.
To see in what domain Firefox is running, execute ps auxZ | grep -i
firefox.
--
Dominick Grift <domg472@gmail.com>
* Re: firefox3
@ 2008-07-18 16:18 Justin Mattock
From: Justin Mattock @ 2008-07-18 16:18 UTC (permalink / raw)
To: Dominick Grift; +Cc: selinux
On Fri, Jul 18, 2008 at 12:07 PM, Dominick Grift <domg472@gmail.com> wrote:
> On Thu, 2008-07-17 at 22:39 +0000, Justin Mattock wrote:
>> I'm trying to tighten up firefox, from what I can see over here:
>
> I do not encourage people to run Firefox as sysadm_t, and I recommend
> you use staff_t as your default domain. sysadm_t is a domain specifically
> for sysadmin tasks. Plus sysadm_t is being (kind of) replaced by
> unconfined_t in the targeted policy.
>
> Also I think sysadm, user and staff do not transition once they run
> Firefox, but that they run Firefox in the user domain by default.
>
> In Fedora 9 only the xguest_t domain by default can run Firefox in the
> Mozilla domain, by setting the boolean.
>
> However Nsplugin is now by default confined to the nsplugin_t domain and
> so even though you may not transition to mozilla_t as staff or user, you
> will still be protected by nsplugin_t.
>
> To see in what domain Firefox is running, execute ps auxZ | grep -i
> firefox.
> --
> Dominick Grift <domg472@gmail.com>
>
Hello;
when doing ps I see firefox as what I had intended it
to be, in user_r:user_t. The interesting thing that I'm seeing
is that firefox will start under sysadm_r, when it shouldn't.
Now keep in mind this is something I've noticed with the new firefox3;
the beta version of firefox3 was using gconf differently.
From looking at the allow rules, maybe:
allow user_mozilla_t sysadm_gconf_home_t:dir { add_name getattr read
remove_name search write };
allow user_mozilla_t sysadm_gconf_home_t:file { append create getattr
read rename unlink write };
is what is causing sysadm to start firefox. (Now from what I'm seeing,
even though sysadm can start firefox, you can't do much with it due to the
rules not being defined. It's more of a question to me as to why
it is starting in that role.) Anyways I'll have a look into my other rules
that might be causing this, just to be safe.
regards;
--
Justin P. Mattock
* Re: firefox3
@ 2008-07-18 17:44 Daniel J Walsh
From: Daniel J Walsh @ 2008-07-18 17:44 UTC (permalink / raw)
To: Justin Mattock; +Cc: Dominick Grift, selinux
Justin Mattock wrote:
> On Fri, Jul 18, 2008 at 12:07 PM, Dominick Grift <domg472@gmail.com> wrote:
>> On Thu, 2008-07-17 at 22:39 +0000, Justin Mattock wrote:
>>> I'm trying to tighten up firefox, from what I can see over here:
>> I do not encourage people to run Firefox as sysadm_t, and I recommend
>> you use staff_t as your default domain. sysadm_t is a domain specifically
>> for sysadmin tasks. Plus sysadm_t is being (kind of) replaced by
>> unconfined_t in the targeted policy.
>>
>> Also I think sysadm, user and staff do not transition once they run
>> Firefox, but that they run Firefox in the user domain by default.
>>
>> In Fedora 9 only the xguest_t domain by default can run Firefox in the
>> Mozilla domain, by setting the boolean.
>>
>> However Nsplugin is now by default confined to the nsplugin_t domain and
>> so even though you may not transition to mozilla_t as staff or user, you
>> will still be protected by nsplugin_t.
>>
>> To see in what domain Firefox is running, execute ps auxZ | grep -i
>> firefox.
>> --
>> Dominick Grift <domg472@gmail.com>
>>
>
> Hello;
> when doing ps I see firefox as what I had intended it
> to be, in user_r:user_t. The interesting thing that I'm seeing
> is that firefox will start under sysadm_r, when it shouldn't.
> Now keep in mind this is something I've noticed with the new firefox3;
> the beta version of firefox3 was using gconf differently.
> From looking at the allow rules, maybe:
> allow user_mozilla_t sysadm_gconf_home_t:dir { add_name getattr read
> remove_name search write };
> allow user_mozilla_t sysadm_gconf_home_t:file { append create getattr
> read rename unlink write };
> is what is causing sysadm to start firefox. (Now from what I'm seeing,
> even though sysadm can start firefox, you can't do much with it due to the
> rules not being defined. It's more of a question to me as to why
> it is starting in that role.) Anyways I'll have a look into my other rules
> that might be causing this, just to be safe.
> regards;
>
Is firefox defined as an application domain? If so, can sysadm_t execute
_NOTRANS application domains? I would bet you firefox is running as
sysadm_t rather than sysadm_mozilla_t or sysadm_firefox_t.
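The two checks the replies above point at, as a script: which domain the running firefox processes are actually in (ps auxZ / ps -eZ), and whether the loaded policy has a type_transition that moves a given source domain (sysadm_t here) into a Firefox domain when it executes the browser binary. Without such a rule the browser just keeps the caller's domain, which is what Daniel's reply suspects. This is an added example, not code from the thread or from refpolicy. It assumes the Firefox executable type is named mozilla_exec_t and that setools' sesearch is installed for the live check; the ps and sesearch output embedded below is constructed for illustration, not captured from a real system.

```sh
#!/bin/sh
# Added example; not code from the thread or from refpolicy.
# Two checks for "which domain does Firefox really run in":
#   1. parse 'ps -eZ' and print the domain of every firefox process;
#   2. parse 'sesearch -T' and report whether SRC transitions to a new
#      domain when it executes the Firefox binary (no type_transition
#      means the browser simply keeps running as SRC, e.g. sysadm_t).
# Assumptions: the executable type is named mozilla_exec_t (adjust for
# your policy) and setools' sesearch is installed for the live check.

# Domain (third field of the security context) of each process whose
# command matches PATTERN. Reads 'ps -eZ' output on stdin.
firefox_domains() {
    pattern="$1"
    awk -v pat="$pattern" '
        NR > 1 && $NF ~ pat {
            n = split($1, ctx, ":")
            if (n >= 3) print ctx[3]
        }' | sort -u
}

# Reads 'sesearch -T -s SRC -t EXEC_T -c process' output on stdin and
# prints the default domain of the matching type_transition rule.
# Exit status 1 when the policy has no such transition.
transition_target() {
    src="$1"; exec_t="$2"
    awk -v s="$src" -v e="$exec_t" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            gsub(/[ \t]*:[ \t]*/, ":", line)   # setools 3 prints " : ", setools 4 prints ":"
            n = split(line, f, /[ \t]+/)
            if (n >= 4 && f[1] == "type_transition" && f[2] == s && f[3] == (e ":process")) {
                sub(/;$/, "", f[4]); print f[4]; found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# Live check: runs the real commands on an SELinux host with setools.
check_firefox_confinement() {
    src="${1:-sysadm_t}"; exec_t="${2:-mozilla_exec_t}"
    echo "domains of running firefox processes:"
    ps -eZ | firefox_domains firefox
    if tgt=$(sesearch -T -s "$src" -t "$exec_t" -c process | transition_target "$src" "$exec_t"); then
        echo "$src -> $tgt on exec of $exec_t"
    else
        echo "no type_transition: $src keeps running firefox as $src"
    fi
}

# Constructed sample output (not captured from a real system) so the
# parsers can be exercised offline; the live check at the end needs sesearch.
SAMPLE_PS='LABEL                            PID TTY          TIME CMD
user_u:user_r:user_t                4210 pts/1    00:00:03 firefox
root:sysadm_r:sysadm_t              4311 pts/2    00:00:00 firefox
root:sysadm_r:sysadm_t              4312 pts/2    00:00:00 bash'
SAMPLE_SESEARCH='Found 1 semantic te rules:
   type_transition user_t mozilla_exec_t : process user_mozilla_t;'

printf '%s\n' "$SAMPLE_PS" | firefox_domains firefox                        # sysadm_t, user_t
printf '%s\n' "$SAMPLE_SESEARCH" | transition_target user_t mozilla_exec_t   # user_mozilla_t
printf '%s\n' "$SAMPLE_SESEARCH" | transition_target sysadm_t mozilla_exec_t || echo "sysadm_t: no transition"

# Only run the live check where it can mean something.
if command -v sesearch >/dev/null 2>&1 && command -v getenforce >/dev/null 2>&1; then
    check_firefox_confinement "$@"
fi
```

On a real host, run it as `sh check.sh sysadm_t mozilla_exec_t`. If `ps` shows firefox in sysadm_t and `transition_target` reports no rule, the browser is not confined at all in that role, whatever allow rules exist for user_mozilla_t; the fix is a domain transition for that role (or, as the replies suggest, not running the browser from sysadm_r in the first place), not more allow rules.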
* Re: firefox3
@ 2008-07-18 18:14 Justin Mattock
From: Justin Mattock @ 2008-07-18 18:14 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Dominick Grift, selinux
On Fri, Jul 18, 2008 at 5:44 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> Justin Mattock wrote:
>> On Fri, Jul 18, 2008 at 12:07 PM, Dominick Grift <domg472@gmail.com> wrote:
>>> On Thu, 2008-07-17 at 22:39 +0000, Justin Mattock wrote:
>>>> I'm trying to tighten up firefox, from what I can see over here:
>>> I do not encourage people to run Firefox as sysadm_t, and I recommend
>>> you use staff_t as your default domain. sysadm_t is a domain specifically
>>> for sysadmin tasks. Plus sysadm_t is being (kind of) replaced by
>>> unconfined_t in the targeted policy.
>>>
>>> Also I think sysadm, user and staff do not transition once they run
>>> Firefox, but that they run Firefox in the user domain by default.
>>>
>>> In Fedora 9 only the xguest_t domain by default can run Firefox in the
>>> Mozilla domain, by setting the boolean.
>>>
>>> However Nsplugin is now by default confined to the nsplugin_t domain and
>>> so even though you may not transition to mozilla_t as staff or user, you
>>> will still be protected by nsplugin_t.
>>>
>>> To see in what domain Firefox is running, execute ps auxZ | grep -i
>>> firefox.
>>> --
>>> Dominick Grift <domg472@gmail.com>
>>>
>>
>> Hello;
>> when doing ps I see firefox as what I had intended it
>> to be, in user_r:user_t. The interesting thing that I'm seeing
>> is that firefox will start under sysadm_r, when it shouldn't.
>> Now keep in mind this is something I've noticed with the new firefox3;
>> the beta version of firefox3 was using gconf differently.
>> From looking at the allow rules, maybe:
>> allow user_mozilla_t sysadm_gconf_home_t:dir { add_name getattr read
>> remove_name search write };
>> allow user_mozilla_t sysadm_gconf_home_t:file { append create getattr
>> read rename unlink write };
>> is what is causing sysadm to start firefox. (Now from what I'm seeing,
>> even though sysadm can start firefox, you can't do much with it due to the
>> rules not being defined. It's more of a question to me as to why
>> it is starting in that role.) Anyways I'll have a look into my other rules
>> that might be causing this, just to be safe.
>> regards;
>>
> Is firefox defined as an application domain? If so, can sysadm_t execute
> _NOTRANS application domains? I would bet you firefox is running as
> sysadm_t rather than sysadm_mozilla_t or sysadm_firefox_t.
>
I'm not sure; below are the allow rules that I have defined
in the policy (I'm using the latest refpolicy on nubuntu).
Hopefully I didn't miss any:
allow sysadm_xserver_t user_mozilla_t:shm { associate getattr read
unix_read unix_write write };
allow sysadm_xserver_t user_mozilla_tmpfs_t:file { read write };
allow user_mozilla_t apmd_t:dir { getattr search };
allow user_mozilla_t apmd_t:file read;
allow user_mozilla_t bluetooth_t:dir { getattr search };
allow user_mozilla_t bluetooth_t:file read;
allow user_mozilla_t crond_t:dir { getattr search };
allow user_mozilla_t crond_t:file read;
allow user_mozilla_t devpts_t:dir search;
allow user_mozilla_t gconf_etc_t:dir { getattr read search };
allow user_mozilla_t gconf_etc_t:file { getattr read };
allow user_mozilla_t getty_t:dir { getattr search };
allow user_mozilla_t getty_t:file read;
allow user_mozilla_t hald_t:dir { getattr search };
allow user_mozilla_t hald_t:file read;
allow user_mozilla_t init_t:dir { getattr search };
allow user_mozilla_t init_t:file read;
allow user_mozilla_t initrc_t:dir { getattr search };
allow user_mozilla_t initrc_t:file read;
allow user_mozilla_t initrc_var_run_t:dir search;
allow user_mozilla_t initrc_var_run_t:sock_file write;
allow user_mozilla_t kernel_t:dir { getattr search };
allow user_mozilla_t kernel_t:file read;
allow user_mozilla_t klogd_t:dir { getattr search };
allow user_mozilla_t klogd_t:file read;
allow user_mozilla_t lib_t:file execute_no_trans;
allow user_mozilla_t local_login_t:dir { getattr search };
allow user_mozilla_t local_login_t:file read;
allow user_mozilla_t newrole_t:dir { getattr search };
allow user_mozilla_t newrole_t:fd use;
allow user_mozilla_t newrole_t:file read;
allow user_mozilla_t newrole_t:lnk_file read;
allow user_mozilla_t staff_t:dir { getattr search };
allow user_mozilla_t staff_t:file read;
allow user_mozilla_t sysadm_gconf_home_t:dir { add_name getattr read
remove_name search write };
allow user_mozilla_t sysadm_gconf_home_t:file { append create getattr
read rename unlink write };
allow user_mozilla_t sysadm_home_dir_t:dir { getattr search };
allow user_mozilla_t sysadm_home_t:dir { add_name getattr read
remove_name search write };
allow user_mozilla_t sysadm_home_t:file { append create getattr read
rename unlink };
allow user_mozilla_t sysadm_mozilla_home_t:dir { add_name create
getattr read remove_name rmdir search write };
allow user_mozilla_t sysadm_mozilla_home_t:file { create getattr lock
read rename unlink write };
allow user_mozilla_t sysadm_mozilla_home_t:lnk_file { create unlink };
allow user_mozilla_t sysadm_sudo_t:dir { getattr search };
allow user_mozilla_t sysadm_sudo_t:file read;
allow user_mozilla_t sysadm_t:dir { getattr search };
allow user_mozilla_t sysadm_t:file read;
allow user_mozilla_t sysadm_t:lnk_file read;
allow user_mozilla_t sysadm_tty_device_t:chr_file getattr;
allow user_mozilla_t sysadm_xauth_home_t:file { getattr read };
allow user_mozilla_t sysadm_xserver_t:dir { getattr search };
allow user_mozilla_t sysadm_xserver_t:file read;
allow user_mozilla_t sysadm_xserver_t:unix_stream_socket connectto;
allow user_mozilla_t syslogd_t:dir { getattr search };
allow user_mozilla_t syslogd_t:file read;
allow user_mozilla_t system_dbusd_t:dir { getattr search };
allow user_mozilla_t system_dbusd_t:file read;
allow user_mozilla_t tmp_t:dir { add_name create remove_name rmdir
setattr write };
allow user_mozilla_t tmp_t:file { create getattr link lock read unlink write };
allow user_mozilla_t tmp_t:sock_file { create unlink write };
allow user_mozilla_t udev_t:dir { getattr search };
allow user_mozilla_t udev_t:file read;
allow user_mozilla_t user_devpts_t:chr_file { getattr ioctl read write };
allow user_mozilla_t user_t:dir { getattr search };
allow user_mozilla_t user_t:file read;
allow user_mozilla_t user_t:lnk_file read;
allow user_mozilla_t user_t:sem { associate getattr read setattr
unix_read unix_write write };
allow user_mozilla_t user_t:shm { associate getattr read setattr
unix_read unix_write write };
allow user_mozilla_t user_tmpfs_t:file { read write };
allow user_mozilla_t v4l_device_t:chr_file { read write };
################################ make enableaudit
allow user_mozilla_t security_t:dir { getattr search };
allow user_mozilla_t security_t:file read;
allow user_mozilla_t security_t:filesystem getattr;
allow user_mozilla_t selinux_config_t:dir search;
allow user_mozilla_t selinux_config_t:file { getattr read };
allow user_mozilla_t tmp_t:dir read;
Also I did an update with SID so maybe something got messed up,
or added.
regards;
--
Justin P. Mattock