From: a.kuckartz@ping.de (Andreas Kuckartz)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] Fwd: Debian unstable, SELinux and Iceweasel
Date: 18 Sep 2013 15:47:43 +0200	[thread overview]
Message-ID: <5239AEFF.6000902@ping.de> (raw)
In-Reply-To: <52384CD9.60604@ping.de>

Any suggestions from here?

Cheers,
Andreas

-------- Original Message --------
Date: Tue, 17 Sep 2013 14:36:41 +0200
From: Andreas Kuckartz <a.kuckartz@ping.de>
To: selinux-user at lists.alioth.debian.org

I am running a Debian unstable system with SELinux in permissive mode.

I have appended the result of
$ cat /var/log/audit/audit.log | audit2allow -l -R

There are quite a few missing type enforcement (TE) allow rules.

In addition to that, Iceweasel requires the allow_execstack and allow_execmem
booleans, which is not good. I have researched that and found these two old
open Firefox issues:

SELinux is preventing JIT from changing memory segment access
https://bugzilla.mozilla.org/show_bug.cgi?id=506693

Firefox 3.6.4 will not start on Fedora 12+ due to SELinux permission error
https://bugzilla.mozilla.org/show_bug.cgi?id=574119

What do you suggest on how to proceed?

Cheers,
Andreas



-------------- next part --------------

# Generated by audit2allow from the audit log (the command is quoted in the
# message above; -R was requested, yet no interface calls appear below, so
# presumably no matching reference-policy interface was found for any of the
# denials).  This block only declares the types and classes the rules use;
# the allow rules that follow are what actually grant access.  The `#!!!!`
# lines later on are audit2allow's own warnings: each lists the types the
# source domain may ALREADY write to, which is normally a sign that the
# denied object is mislabeled (fix the file context) rather than that a new
# allow rule is needed.
require {
	type apt_var_lib_t;
	type pulseaudio_t;
	type postgresql_t;
	type cupsd_var_run_t;
	type sysctl_vm_t;
	type initrc_t;
	type tmp_t;
	type logrotate_t;
	type dhcpc_t;
	type mount_tmp_t;
	type hostname_t;
	type auditctl_t;
	type var_run_t;
	type udev_tbl_t;
	type acct_t;
	type ping_t;
	type cupsd_t;
	type sysctl_crypto_t;
	type dpkg_exec_t;
	type system_mail_t;
	type crond_tmp_t;
	type unconfined_t;
	type gpg_t;
	type lib_t;
	type sysfs_t;
	type system_dbusd_t;
	type var_log_t;
	type proc_net_t;
	type exim_t;
	type cron_log_t;
	type kernel_t;
	type removable_device_t;
	type consolekit_t;
	type mnt_t;
	type dosfs_t;
	type var_t;
	type pcscd_t;
	type var_lib_t;
	type dpkg_var_lib_t;
	type ntp_drift_t;
	type fixed_disk_device_t;
	type initrc_var_run_t;
	type devicekit_disk_t;
	type mount_exec_t;
	class fifo_file write;
	class process { execmem setfscreate getcap setcap };
	class unix_stream_socket connectto;
	class netlink_kobject_uevent_socket { getattr setopt read bind create };
	class system module_request;
	class capability sys_rawio;
	# execute_no_trans below is the permission that lets a domain run a
	# binary WITHOUT switching to that binary's own domain; see the
	# system_dbusd_t rules further down.
	class file { rename execute setattr read lock create execute_no_trans write getattr unlink open append };
	class filesystem { mount unmount };
	class sock_file { write create unlink };
	class blk_file { ioctl read open getattr };
	class dir { search read create mounton write getattr rmdir remove_name add_name };
}

#============= acct_t ==============
# Read-only access to a run file of an init script (initrc_var_run_t).
allow acct_t initrc_var_run_t:file { read lock open };

#============= auditctl_t ==============
# Generic var_t on a file auditctl reads: presumably a file under /var that
# never got a specific label -- check the path in the audit record before
# allowing reads of every var_t file.
allow auditctl_t var_t:file read;

#============= consolekit_t ==============
# setfscreate on its own process only.
allow consolekit_t self:process setfscreate;

#============= cupsd_t ==============
# Unlinking a socket that carries the generic var_run_t label; likely a
# socket under /run missing its cupsd-specific context -- verify the path.
allow cupsd_t var_run_t:sock_file unlink;

#============= devicekit_disk_t ==============
allow devicekit_disk_t udev_tbl_t:file { read open };

#============= dhcpc_t ==============
# Directory search only.
allow dhcpc_t ntp_drift_t:dir search;

#============= exim_t ==============
# crond_tmp_t read/write suggests exim being handed a cron job's temp file
# (mail sent from cron); sysctl_crypto_t and sysfs_t are read-only kernel
# state.  The generic var_t and dpkg_var_lib_t reads are the ones to check
# the path for -- a generic label usually means the file was never
# relabeled, not that exim needs it.
allow exim_t crond_tmp_t:file { read write };
allow exim_t dpkg_var_lib_t:file read;
allow exim_t sysctl_crypto_t:dir search;
allow exim_t sysctl_crypto_t:file { read getattr open };
allow exim_t sysfs_t:file { read open };
allow exim_t var_t:file read;

#============= gpg_t ==============
# gpg reading a cron log and then creating/writing files directly under
# /var/log (var_log_t).  This looks like a gpg run launched from a cron or
# logging job whose output landed in /var/log -- confirm from the audit
# records.  audit2allow's warnings below list the types gpg may already
# write to; pointing the caller at one of those (or relabeling the target)
# is preferable to giving gpg_t create/write on all of var_log_t.
allow gpg_t cron_log_t:file { read getattr open };
#!!!! The source type 'gpg_t' can write to a 'dir' of the following types:
# gpg_secret_t, user_home_dir_t, gpg_agent_tmp_t, user_tmp_t, user_home_t, tmp_t

allow gpg_t var_log_t:dir { write add_name };
#!!!! The source type 'gpg_t' can write to a 'file' of the following types:
# gpg_secret_t, gpg_agent_tmp_t, user_tmp_t, user_home_t

# create + write on var_log_t:file lets gpg create arbitrary new files in
# /var/log, not just the one from the denial.
allow gpg_t var_log_t:file { write create open };

#============= hostname_t ==============
# Append to a file carrying the generic var_lib_t label: check which file;
# a generic label usually means a missing file context rather than a real
# requirement of hostname(1).
allow hostname_t var_lib_t:file append;

#============= logrotate_t ==============
#!!!! The source type 'logrotate_t' can write to a 'dir' of the following types:
# var_log_t, var_lock_t, tmp_t, logrotate_var_lib_t, logrotate_tmp_t, logfile, acct_data_t, var_spool_t, var_lib_t

# logrotate creating/unlinking files in cupsd's run directory and sockets in
# the generic tmp_t, plus connectto on an initrc_t unix socket.  The socket
# rule is the one to look at: a socket still owned by initrc_t suggests a
# daemon that is running in initrc_t because no domain transition happened
# for it (the usual cause is an unlabeled or mislabeled executable).  Fixing
# that transition is the real fix; a blanket connectto on initrc_t would let
# logrotate reach any such un-transitioned service.
allow logrotate_t cupsd_var_run_t:dir { write remove_name add_name };
allow logrotate_t cupsd_var_run_t:file { write create unlink };
allow logrotate_t initrc_t:unix_stream_socket connectto;
allow logrotate_t sysfs_t:file { read open };
# Sockets created in generic tmp_t rather than logrotate_tmp_t (listed in
# the warning above): presumably a missing type transition for logrotate's
# tmp files.
allow logrotate_t tmp_t:sock_file { create unlink };
allow logrotate_t var_run_t:sock_file write;

#============= pcscd_t ==============
# Reading its own uevent netlink socket.
allow pcscd_t self:netlink_kobject_uevent_socket read;

#============= ping_t ==============
# getcap/setcap on its own process only (capability set manipulation).
allow ping_t self:process { getcap setcap };

#============= postgresql_t ==============
# Write to a sock_file with the generic var_run_t label: a socket under /run
# that was not labeled; check its path before allowing it.
allow postgresql_t var_run_t:sock_file write;

#============= pulseaudio_t ==============
allow pulseaudio_t initrc_var_run_t:file { read getattr open };
#!!!! The source type 'pulseaudio_t' can write to a 'dir' of the following types:
# user_fonts_cache_t, user_tmp_t, pulseaudio_var_lib_t, pulseaudio_var_run_t, user_home_t, user_tmpfs_t, pulseaudio_home_t, var_lib_t, var_run_t, xdm_tmp_t

# Note the `execute` in the file rule: this would let pulseaudio run files
# out of the generic tmp directory.  The warning above already lists
# user_tmp_t / user_tmpfs_t among the types pulseaudio may write to, so the
# directory involved is presumably missing its user tmp label or transition;
# fix the label rather than granting create+execute on tmp_t.
allow pulseaudio_t tmp_t:dir { write remove_name add_name };
allow pulseaudio_t tmp_t:file { write execute read create unlink open };

#============= system_dbusd_t ==============
# This is the section to push back on.  Taken together these rules give the
# system message bus: execution of the dpkg and mount binaries WITHOUT a
# domain transition (execute_no_trans), mounting/unmounting dosfs filesystems
# and mounting on /mnt, raw read/ioctl on fixed and removable block devices,
# the sys_rawio capability, kernel module requests and a uevent netlink
# socket.  That is the privilege set of a disk-management service, not of
# dbus-daemon.  The most likely explanation is that a dbus-activated helper
# (devicekit_disk_t is declared in the require block above, so a policy for
# it is present) ran in system_dbusd_t because no domain transition fired --
# typically an unlabeled or mislabeled executable.  Fix the entrypoint label
# / transition, re-run audit2allow, and do not ship these allows as-is.
allow system_dbusd_t apt_var_lib_t:dir getattr;
#!!!! The source type 'system_dbusd_t' can write to a 'dir' of the following types:
# system_dbusd_tmp_t, tmp_t, var_run_t, system_dbusd_var_run_t

# mount/unmount on dosfs filesystems and write into dosfs directories.
allow system_dbusd_t dosfs_t:dir write;
allow system_dbusd_t dosfs_t:filesystem { mount unmount };
# execute_no_trans: dpkg would run inside the dbus domain, not in its own.
allow system_dbusd_t dpkg_exec_t:file { read execute open execute_no_trans };
# Direct read/ioctl of fixed-disk block devices from the message bus.
allow system_dbusd_t fixed_disk_device_t:blk_file { read ioctl open getattr };
allow system_dbusd_t initrc_var_run_t:file { read getattr open };
# Lets the bus trigger kernel module autoloading.
allow system_dbusd_t kernel_t:system module_request;
# Running arbitrary lib_t files as code without a transition.
allow system_dbusd_t lib_t:file execute_no_trans;
# Full create/remove/mounton control over /mnt.
allow system_dbusd_t mnt_t:dir { write search rmdir remove_name create add_name mounton };
# execute_no_trans: mount would run inside the dbus domain, not in its own.
allow system_dbusd_t mount_exec_t:file { read execute open execute_no_trans };
#!!!! The source type 'system_dbusd_t' can write to a 'dir' of the following types:
# system_dbusd_tmp_t, tmp_t, var_run_t, system_dbusd_var_run_t

allow system_dbusd_t mount_tmp_t:dir { write remove_name add_name };
#!!!! The source type 'system_dbusd_t' can write to a 'file' of the following types:
# system_dbusd_tmp_t, system_dbusd_var_run_t

allow system_dbusd_t mount_tmp_t:file { rename setattr read lock create write getattr unlink open };
allow system_dbusd_t proc_net_t:file { read getattr open };
allow system_dbusd_t removable_device_t:blk_file { read ioctl open };
# sys_rawio on self: raw I/O capability for the message bus process.
allow system_dbusd_t self:capability sys_rawio;
allow system_dbusd_t self:netlink_kobject_uevent_socket { read bind create setopt getattr };
allow system_dbusd_t sysctl_vm_t:dir search;
allow system_dbusd_t sysctl_vm_t:file { read open };
allow system_dbusd_t udev_tbl_t:file { read getattr open };
#!!!! The source type 'system_dbusd_t' can write to a 'dir' of the following types:
# system_dbusd_tmp_t, tmp_t, var_run_t, system_dbusd_var_run_t

# Generic var_lib_t: create/rename/unlink on any unlabeled file under
# /var/lib.  Check which path this was; likely a missing file context.
allow system_dbusd_t var_lib_t:dir { write remove_name add_name };
#!!!! The source type 'system_dbusd_t' can write to a 'file' of the following types:
# system_dbusd_tmp_t, system_dbusd_var_run_t

allow system_dbusd_t var_lib_t:file { rename read lock create write getattr unlink open };
# Generic var_run_t / var_t labels again: verify the paths before allowing.
allow system_dbusd_t var_run_t:fifo_file write;
allow system_dbusd_t var_t:dir read;

#============= system_mail_t ==============
# Same pattern as exim_t above (crond_tmp_t, dpkg_var_lib_t, sysctl_crypto_t):
# mail sent from cron/apt jobs.  The read of a generic var_lib_t file is the
# one whose path should be checked for a missing file context.
allow system_mail_t crond_tmp_t:file getattr;
allow system_mail_t dpkg_var_lib_t:file read;
allow system_mail_t sysctl_crypto_t:dir search;
allow system_mail_t sysctl_crypto_t:file { read getattr open };
allow system_mail_t var_lib_t:file { read getattr open };

#============= unconfined_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     allow_execstack, allow_execmem

# The denial is against unconfined_t itself, i.e. the process (apparently
# Iceweasel, per the message above) is running in the unconfined domain and
# wants writable+executable memory for its JIT -- the two Mozilla bugs
# linked in the message.  audit2allow already points at the boolean; since
# the rule here is only execmem, allow_execmem is the one the record asks
# for, and toggling it (`setsebool -P allow_execmem on`) is the supported,
# reversible way to grant this.  A custom module carrying this rule cannot
# be switched off without unloading it.
allow unconfined_t self:process execmem;
