* [refpolicy] Debian: Bind: FC of conf files
@ 2008-09-02 13:04 Václav Ovsík
2008-09-03 14:11 ` Christopher J. PeBenito
0 siblings, 1 reply; 5+ messages in thread
From: Václav Ovsík @ 2008-09-02 13:04 UTC (permalink / raw)
To: refpolicy
Hi,
I noticed bad context of a part of ISC Bind configuration files on
Debian. Default configuration uses multi-file named.conf. (named.conf
includes named.conf.options & named.conf.local) All parts should
probably have the same context (named_conf_t).
sid:/etc/bind# ls -Z
system_u:object_r:named_zone_t:s0 db.0
system_u:object_r:named_zone_t:s0 db.127
system_u:object_r:named_zone_t:s0 db.255
system_u:object_r:named_zone_t:s0 db.empty
system_u:object_r:named_zone_t:s0 db.local
system_u:object_r:named_zone_t:s0 db.root
system_u:object_r:named_conf_t:s0 named.conf
system_u:object_r:named_zone_t:s0 named.conf.local
system_u:object_r:named_zone_t:s0 named.conf.options
system_u:object_r:dnssec_t:s0 rndc.key
system_u:object_r:named_zone_t:s0 zones.rfc1918
sid:/etc/bind#
A patch fixes this.
Regards
--
Zito
-------------- next part --------------
Index: selinux-policy-src/policy/modules/services/bind.fc
===================================================================
--- selinux-policy-src.orig/policy/modules/services/bind.fc 2008-09-02 14:15:12.000000000 +0200
+++ selinux-policy-src/policy/modules/services/bind.fc 2008-09-02 14:17:11.000000000 +0200
@@ -15,6 +15,8 @@
ifdef(`distro_debian',`
/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
/etc/bind/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/named\.conf\.local -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/named\.conf\.options -- gen_context(system_u:object_r:named_conf_t,s0)
/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
/var/cache/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
')
^ permalink raw reply [flat|nested] 5+ messages in thread* [refpolicy] Debian: Bind: FC of conf files 2008-09-02 13:04 [refpolicy] Debian: Bind: FC of conf files Václav Ovsík @ 2008-09-03 14:11 ` Christopher J. PeBenito 2008-09-03 14:27 ` [refpolicy] Latest bind policy differences Daniel J Walsh 2008-09-03 14:33 ` [refpolicy] logrotate /squid policy Daniel J Walsh 0 siblings, 2 replies; 5+ messages in thread From: Christopher J. PeBenito @ 2008-09-03 14:11 UTC (permalink / raw) To: refpolicy On Tue, 2008-09-02 at 15:04 +0200, V?clav Ovs?k wrote: > I noticed bad context of a part of ISC Bind configuration files on > Debian. Default configuration uses multi-file named.conf. (named.conf > includes named.conf.options & named.conf.local) All parts should > probably have the same context (named_conf_t). > > sid:/etc/bind# ls -Z > system_u:object_r:named_zone_t:s0 db.0 > system_u:object_r:named_zone_t:s0 db.127 > system_u:object_r:named_zone_t:s0 db.255 > system_u:object_r:named_zone_t:s0 db.empty > system_u:object_r:named_zone_t:s0 db.local > system_u:object_r:named_zone_t:s0 db.root > system_u:object_r:named_conf_t:s0 named.conf > system_u:object_r:named_zone_t:s0 named.conf.local > system_u:object_r:named_zone_t:s0 named.conf.options > system_u:object_r:dnssec_t:s0 rndc.key > system_u:object_r:named_zone_t:s0 zones.rfc1918 > sid:/etc/bind# Merged. -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150 ^ permalink raw reply [flat|nested] 5+ messages in thread
* [refpolicy] Latest bind policy differences. 2008-09-03 14:11 ` Christopher J. PeBenito @ 2008-09-03 14:27 ` Daniel J Walsh 2008-09-15 17:02 ` Christopher J. PeBenito 2008-09-03 14:33 ` [refpolicy] logrotate /squid policy Daniel J Walsh 1 sibling, 1 reply; 5+ messages in thread From: Daniel J Walsh @ 2008-09-03 14:27 UTC (permalink / raw) To: refpolicy -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 named_t needs getcap ndc_t needs to tcp bind all nodes. Script and _admin handling. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAki+nscACgkQrlYvE4MpobOjngCeKxZcZAhNXzX/3nrBhxlIairt 4jQAoNLS00rAnv6OW+V3xSnhgkMerPvz =ebNE -----END PGP SIGNATURE----- -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: services_bind.patch Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20080903/4a350e38/attachment.ksh -------------- next part -------------- A non-text attachment was scrubbed... Name: services_bind.patch.sig Type: application/octet-stream Size: 72 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20080903/4a350e38/attachment.obj ^ permalink raw reply [flat|nested] 5+ messages in thread
* [refpolicy] Latest bind policy differences. 2008-09-03 14:27 ` [refpolicy] Latest bind policy differences Daniel J Walsh @ 2008-09-15 17:02 ` Christopher J. PeBenito 0 siblings, 0 replies; 5+ messages in thread From: Christopher J. PeBenito @ 2008-09-15 17:02 UTC (permalink / raw) To: refpolicy On Wed, 2008-09-03 at 10:27 -0400, Daniel J Walsh wrote: > named_t needs getcap > > ndc_t needs to tcp bind all nodes. > > Script and _admin handling. Merged, except I need a patch for your admin_pattern() support macro. > plain text document attachment (services_bind.patch) > --- nsaserefpolicy/policy/modules/services/bind.fc 2008-09-03 10:17:00.000000000 -0400 > +++ serefpolicy-3.5.6/policy/modules/services/bind.fc 2008-09-03 08:33:21.000000000 -0400 > @@ -51,3 +49,5 @@ > /var/named/chroot/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0) > /var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0) > ') > + > +/etc/rc.d/init.d/named -- gen_context(system_u:object_r:named_script_exec_t,s0) > --- nsaserefpolicy/policy/modules/services/bind.if 2008-08-07 11:15:11.000000000 -0400 > +++ serefpolicy-3.5.6/policy/modules/services/bind.if 2008-09-03 10:22:49.000000000 -0400 > @@ -254,3 +254,87 @@ > interface(`bind_udp_chat_named',` > refpolicywarn(`$0($*) has been deprecated.') > ') > + > +######################################## > +## <summary> > +## Execute bind server in the bind domain. > +## </summary> > +## <param name="domain"> > +## <summary> > +## The type of the process performing this action. > +## </summary> > +## </param> > +# > +# > +interface(`bind_script_domtrans',` > + gen_require(` > + type bind_script_exec_t; > + ') > + > + init_script_domtrans_spec($1, bind_script_exec_t) > +') > + > +######################################## > +## <summary> > +## All of the rules required to administrate > +## an bind environment > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed access. > +## </summary> > +## </param> > +## <param name="role"> > +## <summary> > +## The role to be allowed to manage the bind domain. > +## </summary> > +## </param> > +## <param name="terminal"> > +## <summary> > +## The type of the user terminal. > +## </summary> > +## </param> > +## <rolecap/> > +# > +interface(`bind_admin',` > + gen_require(` > + type named_t, named_tmp_t, named_log_t; > + type named_conf_t, named_var_lib_t, named_var_run_t; > + type named_cache_t, named_zone_t; > + type dnssec_t, ndc_t; > + type named_script_exec_t; > + ') > + > + allow $1 named_t:process { ptrace signal_perms }; > + ps_process_pattern($1, named_t) > + > + allow $1 ndc_t:process { ptrace signal_perms }; > + ps_process_pattern($1, ndc_t) > + > + bind_run_ndc($1, $2, $3) > + > + # Allow named_t to restart the apache service > + bind_script_domtrans($1) > + domain_system_change_exemption($1) > + role_transition $2 named_script_exec_t system_r; > + allow $2 system_r; > + > + files_list_tmp($1) > + admin_pattern($1, named_tmp_t) > + > + logging_list_logs($1) > + admin_pattern($1, named_log_t) > + > + files_list_etc($1) > + admin_pattern($1, named_conf_t) > + > + admin_pattern($1, named_cache_t) > + admin_pattern($1, named_zone_t) > + admin_pattern($1, dnssec_t) > + > + files_list_var_lib($1) > + admin_pattern($1, named_var_lib_t) > + > + files_list_pids($1) > + admin_pattern($1, named_var_run_t) > +') > --- nsaserefpolicy/policy/modules/services/bind.te 2008-09-03 10:17:00.000000000 -0400 > +++ serefpolicy-3.5.6/policy/modules/services/bind.te 2008-09-03 08:33:21.000000000 -0400 > @@ -53,6 +53,9 @@ > init_system_domain(ndc_t, ndc_exec_t) > role system_r types ndc_t; > > +type named_script_exec_t; > +init_script_file(named_script_exec_t) > + > ######################################## > # > # Named local policy > @@ -60,7 +63,7 @@ > > allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource }; > dontaudit named_t self:capability sys_tty_config; > -allow named_t self:process { setsched setcap setrlimit signal_perms }; > +allow named_t self:process { setsched getcap setcap setrlimit signal_perms }; > allow named_t self:fifo_file rw_fifo_file_perms; > allow named_t self:unix_stream_socket create_stream_socket_perms; > allow named_t self:unix_dgram_socket create_socket_perms; > @@ -223,6 +225,7 @@ > corenet_tcp_sendrecv_all_nodes(ndc_t) > corenet_tcp_sendrecv_all_ports(ndc_t) > corenet_tcp_connect_rndc_port(ndc_t) > +corenet_tcp_bind_all_nodes(ndc_t) > corenet_sendrecv_rndc_client_packets(ndc_t) > > domain_use_interactive_fds(ndc_t) -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150 ^ permalink raw reply [flat|nested] 5+ messages in thread
* [refpolicy] logrotate /squid policy. 2008-09-03 14:11 ` Christopher J. PeBenito 2008-09-03 14:27 ` [refpolicy] Latest bind policy differences Daniel J Walsh @ 2008-09-03 14:33 ` Daniel J Walsh 1 sibling, 0 replies; 5+ messages in thread From: Daniel J Walsh @ 2008-09-03 14:33 UTC (permalink / raw) To: refpolicy -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 logrotate needs to be able to search all directories to find random locations people place log files. Needs to signal squid versus a domtrans. Add cgi support to squid. squid binds to http, wccp, pgpkeyserver ports Better integration with cron. Squid needs kill capability. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAki+oC4ACgkQrlYvE4MpobML/QCgy/hamnBSX/ZT8W1L+oNbiXLM wgIAni86LmmB0cq+FxzXeKvqjB+ACaS8 =YEix -----END PGP SIGNATURE----- -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: admin_logrotate.patch Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20080903/29666df0/attachment-0001.pl -------------- next part -------------- A non-text attachment was scrubbed... Name: admin_logrotate.patch.sig Type: application/octet-stream Size: 72 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20080903/29666df0/attachment-0001.obj ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2008-09-15 17:02 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2008-09-02 13:04 [refpolicy] Debian: Bind: FC of conf files Václav Ovsík 2008-09-03 14:11 ` Christopher J. PeBenito 2008-09-03 14:27 ` [refpolicy] Latest bind policy differences Daniel J Walsh 2008-09-15 17:02 ` Christopher J. PeBenito 2008-09-03 14:33 ` [refpolicy] logrotate /squid policy Daniel J Walsh
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.