[PATCH 0/1] refpolicy: make proftpd be able to work

[PATCH 0/1] refpolicy: make proftpd be able to work

[rongqing.li]

From: Roy Li <rongqing.li@windriver.com>

The following changes since commit 8089f0d19f757ecf65f957d6a196e66c90bd7911:

  refpolicy: allow portmap to create portmap_t type socket (2014-02-10 15:54:14 +0800)

are available in the git repository at:

  git://git.pokylinux.org/poky-contrib roy/refpolicy-proftpd
  http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=roy/refpolicy-proftpd

Roy Li (1):
  refpolicy: make proftpd be able to work

 ...y-policy-ftp-make-proftpd-be-able-to-work.patch |   85 ++++++++++++++++++++
 .../refpolicy/refpolicy_2.20130424.inc             |    1 +
 2 files changed, 86 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch

-- 
1.7.10.4

[PATCH 1/1] refpolicy: make proftpd be able to work

[rongqing.li]

From: Roy Li <rongqing.li@windriver.com>

Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
 ...y-policy-ftp-make-proftpd-be-able-to-work.patch |   85 ++++++++++++++++++++
 .../refpolicy/refpolicy_2.20130424.inc             |    1 +
 2 files changed, 86 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch

diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch
new file mode 100644
index 0000000..9521fcf
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch
@@ -0,0 +1,85 @@
+ftp: make proftpd be able to work
+
+Upstream-Status: pending
+
+1. proftpd need not to access and communicate with avahi, so dontaudit them
+2. ftpd_t is transited to mls_systemhigh, the running created files under
+/var/run is in mls_systemlow, so put ftpd_t to write_all_levels  
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+---
+ policy/modules/contrib/avahi.if |   40 +++++++++++++++++++++++++++++++++++++++
+ policy/modules/contrib/ftp.te   |    6 ++++++
+ 2 files changed, 46 insertions(+)
+
+diff --git a/policy/modules/contrib/avahi.if b/policy/modules/contrib/avahi.if
+index aebe7cb..0e7a748 100644
+--- a/policy/modules/contrib/avahi.if
++++ b/policy/modules/contrib/avahi.if
+@@ -135,6 +135,46 @@ interface(`avahi_dontaudit_search_pid',`
+ 
+ ########################################
+ ## <summary>
++##	Do not audit attempts to rw 
++##	avahi var directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`avahi_dontaudit_rw_var',`
++	gen_require(`
++		type avahi_var_run_t;
++	')
++
++	dontaudit $1 avahi_var_run_t:file rw_term_perms;
++')
++
++
++########################################
++## <summary>
++##	Do not audit attempts to connectto 
++##	avahi unix socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`avahi_dontaudit_connectto',`
++	gen_require(`
++		type avahi_t;
++	')
++
++	dontaudit $1 avahi_t:unix_stream_socket connectto;
++')
++
++
++########################################
++## <summary>
+ ##	All of the rules required to
+ ##	administrate an avahi environment.
+ ## </summary>
+diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
+index 544c512..12492d2 100644
+--- a/policy/modules/contrib/ftp.te
++++ b/policy/modules/contrib/ftp.te
+@@ -144,6 +144,12 @@ role ftpdctl_roles types ftpdctl_t;
+ type ftpdctl_tmp_t;
+ files_tmp_file(ftpdctl_tmp_t)
+ 
++mls_file_write_all_levels(ftpd_t)
++
++avahi_dontaudit_connectto(ftpd_t)
++
++avahi_dontaudit_rw_var(ftpd_t)
++
+ type sftpd_t;
+ domain_type(sftpd_t)
+ role system_r types sftpd_t;
+-- 
+1.7.10.4
+
diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.inc b/recipes-security/refpolicy/refpolicy_2.20130424.inc
index 5d55030..422c974 100644
--- a/recipes-security/refpolicy/refpolicy_2.20130424.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20130424.inc
@@ -53,6 +53,7 @@ SRC_URI += "file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \
             file://hostname-do-not-audit-attempts-by-hostname-to-read-a.patch \
             file://sysnetwork-dhcpc-binds-socket-to-random-high-udp-por.patch \
             file://portmap-allow-portmap-to-create-socket.patch \
+            file://poky-policy-ftp-make-proftpd-be-able-to-work.patch \
            "
 
 # Backport from upstream
-- 
1.7.10.4

Re: [PATCH 1/1] refpolicy: make proftpd be able to work

[Rongqing Li]

On 02/11/2014 01:31 PM, rongqing.li@windriver.com wrote:
> From: Roy Li <rongqing.li@windriver.com>
>
> Signed-off-by: Roy Li <rongqing.li@windriver.com>
> ---
>   ...y-policy-ftp-make-proftpd-be-able-to-work.patch |   85 ++++++++++++++++++++
>   .../refpolicy/refpolicy_2.20130424.inc             |    1 +
>   2 files changed, 86 insertions(+)
>   create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch
>
> diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch
> new file mode 100644
> index 0000000..9521fcf
> --- /dev/null
> +++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch
> @@ -0,0 +1,85 @@
> +ftp: make proftpd be able to work
> +
> +Upstream-Status: pending
> +
> +1. proftpd need not to access and communicate with avahi, so dontaudit them
> +2. ftpd_t is transited to mls_systemhigh, the running created files under
> +/var/run is in mls_systemlow, so put ftpd_t to write_all_levels
> +
> +Signed-off-by: Roy Li <rongqing.li@windriver.com>
> +---
> + policy/modules/contrib/avahi.if |   40 +++++++++++++++++++++++++++++++++++++++
> + policy/modules/contrib/ftp.te   |    6 ++++++
> + 2 files changed, 46 insertions(+)
> +
> +diff --git a/policy/modules/contrib/avahi.if b/policy/modules/contrib/avahi.if
> +index aebe7cb..0e7a748 100644
> +--- a/policy/modules/contrib/avahi.if
> ++++ b/policy/modules/contrib/avahi.if
> +@@ -135,6 +135,46 @@ interface(`avahi_dontaudit_search_pid',`
> +
> + ########################################
> + ## <summary>
> ++##	Do not audit attempts to rw
> ++##	avahi var directories.
> ++## </summary>
> ++## <param name="domain">
> ++##	<summary>
> ++##	Domain to not audit.
> ++##	</summary>
> ++## </param>
> ++#
> ++interface(`avahi_dontaudit_rw_var',`
> ++	gen_require(`
> ++		type avahi_var_run_t;
> ++	')
> ++
> ++	dontaudit $1 avahi_var_run_t:file rw_term_perms;
> ++')
> ++
> ++
> ++########################################
> ++## <summary>
> ++##	Do not audit attempts to connectto
> ++##	avahi unix socket.
> ++## </summary>
> ++## <param name="domain">
> ++##	<summary>
> ++##	Domain to not audit.
> ++##	</summary>
> ++## </param>
> ++#
> ++interface(`avahi_dontaudit_connectto',`
> ++	gen_require(`
> ++		type avahi_t;
> ++	')
> ++
> ++	dontaudit $1 avahi_t:unix_stream_socket connectto;
> ++')
> ++
> ++
> ++########################################
> ++## <summary>
> + ##	All of the rules required to
> + ##	administrate an avahi environment.
> + ## </summary>
> +diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
> +index 544c512..12492d2 100644
> +--- a/policy/modules/contrib/ftp.te
> ++++ b/policy/modules/contrib/ftp.te
> +@@ -144,6 +144,12 @@ role ftpdctl_roles types ftpdctl_t;
> + type ftpdctl_tmp_t;
> + files_tmp_file(ftpdctl_tmp_t)
> +
> ++mls_file_write_all_levels(ftpd_t)
> ++
> ++avahi_dontaudit_connectto(ftpd_t)
> ++
> ++avahi_dontaudit_rw_var(ftpd_t)


Please drop it, we should not donaudit ftpd_t to connect avahi.
we should allow this operation, since ftpd_t call libnss which
will create socket and connect these socket.



1846  open("/lib64/libnss_mdns4.so.2", O_RDONLY|O_CLOEXEC) = 3
1846  read(3, 
"\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\v\0\0\0\0\0\0"
..., 832) = 832
1846  fstat(3, {st_mode=S_IFREG|0755, st_size=9904, ...}) = 0
1846  mmap(NULL, 2105160, PROT_READ|PROT_EXEC, 
MAP_PRIVATE|MAP_DENYWRITE, 3, 0)
= 0x7f49e1a63000
1846  mprotect(0x7f49e1a65000, 2093056, PROT_NONE) = 0
1846  mmap(0x7f49e1c64000, 4096, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP
_DENYWRITE, 3, 0x1000) = 0x7f49e1c64000
1846  close(3)                          = 0
1846  socket(PF_LOCAL, SOCK_STREAM, 0)  = 3
1846  fcntl(3, F_GETFD)                 = 0
1846  fcntl(3, F_SETFD, FD_CLOEXEC)     = 0
1846  connect(3, {sa_family=AF_LOCAL, 
sun_path="/var/run/avahi-daemon/socket"},
110) = 0



-Roy

> ++
> + type sftpd_t;
> + domain_type(sftpd_t)
> + role system_r types sftpd_t;
> +--
> +1.7.10.4
> +
> diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.inc b/recipes-security/refpolicy/refpolicy_2.20130424.inc
> index 5d55030..422c974 100644
> --- a/recipes-security/refpolicy/refpolicy_2.20130424.inc
> +++ b/recipes-security/refpolicy/refpolicy_2.20130424.inc
> @@ -53,6 +53,7 @@ SRC_URI += "file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \
>               file://hostname-do-not-audit-attempts-by-hostname-to-read-a.patch \
>               file://sysnetwork-dhcpc-binds-socket-to-random-high-udp-por.patch \
>               file://portmap-allow-portmap-to-create-socket.patch \
> +            file://poky-policy-ftp-make-proftpd-be-able-to-work.patch \
>              "
>
>   # Backport from upstream
>

-- 
Best Reagrds,
Roy | RongQing Li

Re: [PATCH 1/1] refpolicy: make proftpd be able to work

[Pascal Ouyang]

于 14-2-13 下午4:13, Rongqing Li 写道:
>
>
> On 02/11/2014 01:31 PM, rongqing.li@windriver.com wrote:
>> From: Roy Li <rongqing.li@windriver.com>
>>
>> Signed-off-by: Roy Li <rongqing.li@windriver.com>
>> ---
>>   ...y-policy-ftp-make-proftpd-be-able-to-work.patch |   85
>> ++++++++++++++++++++
>>   .../refpolicy/refpolicy_2.20130424.inc             |    1 +
>>   2 files changed, 86 insertions(+)
>>   create mode 100644
>> recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch
>>
>>
>> diff --git
>> a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch
>> b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch
>>
>> new file mode 100644
>> index 0000000..9521fcf
>> --- /dev/null
>> +++
>> b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch
>>
>> @@ -0,0 +1,85 @@
>> +ftp: make proftpd be able to work
>> +
>> +Upstream-Status: pending
>> +
>> +1. proftpd need not to access and communicate with avahi, so
>> dontaudit them
>> +2. ftpd_t is transited to mls_systemhigh, the running created files
>> under
>> +/var/run is in mls_systemlow, so put ftpd_t to write_all_levels
>> +
>> +Signed-off-by: Roy Li <rongqing.li@windriver.com>
>> +---
>> + policy/modules/contrib/avahi.if |   40
>> +++++++++++++++++++++++++++++++++++++++
>> + policy/modules/contrib/ftp.te   |    6 ++++++
>> + 2 files changed, 46 insertions(+)
>> +
>> +diff --git a/policy/modules/contrib/avahi.if
>> b/policy/modules/contrib/avahi.if
>> +index aebe7cb..0e7a748 100644
>> +--- a/policy/modules/contrib/avahi.if
>> ++++ b/policy/modules/contrib/avahi.if
>> +@@ -135,6 +135,46 @@ interface(`avahi_dontaudit_search_pid',`
>> +
>> + ########################################
>> + ## <summary>
>> ++##    Do not audit attempts to rw
>> ++##    avahi var directories.
>> ++## </summary>
>> ++## <param name="domain">
>> ++##    <summary>
>> ++##    Domain to not audit.
>> ++##    </summary>
>> ++## </param>
>> ++#
>> ++interface(`avahi_dontaudit_rw_var',`
>> ++    gen_require(`
>> ++        type avahi_var_run_t;
>> ++    ')
>> ++
>> ++    dontaudit $1 avahi_var_run_t:file rw_term_perms;
>> ++')
>> ++
>> ++
>> ++########################################
>> ++## <summary>
>> ++##    Do not audit attempts to connectto
>> ++##    avahi unix socket.
>> ++## </summary>
>> ++## <param name="domain">
>> ++##    <summary>
>> ++##    Domain to not audit.
>> ++##    </summary>
>> ++## </param>
>> ++#
>> ++interface(`avahi_dontaudit_connectto',`
>> ++    gen_require(`
>> ++        type avahi_t;
>> ++    ')
>> ++
>> ++    dontaudit $1 avahi_t:unix_stream_socket connectto;
>> ++')
>> ++
>> ++
>> ++########################################
>> ++## <summary>
>> + ##    All of the rules required to
>> + ##    administrate an avahi environment.
>> + ## </summary>
>> +diff --git a/policy/modules/contrib/ftp.te
>> b/policy/modules/contrib/ftp.te
>> +index 544c512..12492d2 100644
>> +--- a/policy/modules/contrib/ftp.te
>> ++++ b/policy/modules/contrib/ftp.te
>> +@@ -144,6 +144,12 @@ role ftpdctl_roles types ftpdctl_t;
>> + type ftpdctl_tmp_t;
>> + files_tmp_file(ftpdctl_tmp_t)
>> +
>> ++mls_file_write_all_levels(ftpd_t)
>> ++
>> ++avahi_dontaudit_connectto(ftpd_t)
>> ++
>> ++avahi_dontaudit_rw_var(ftpd_t)
>
>
> Please drop it, we should not donaudit ftpd_t to connect avahi.
> we should allow this operation, since ftpd_t call libnss which
> will create socket and connect these socket.
>
>
>
> 1846  open("/lib64/libnss_mdns4.so.2", O_RDONLY|O_CLOEXEC) = 3
> 1846  read(3,
> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\v\0\0\0\0\0\0"
> ..., 832) = 832
> 1846  fstat(3, {st_mode=S_IFREG|0755, st_size=9904, ...}) = 0
> 1846  mmap(NULL, 2105160, PROT_READ|PROT_EXEC,
> MAP_PRIVATE|MAP_DENYWRITE, 3, 0)
> = 0x7f49e1a63000
> 1846  mprotect(0x7f49e1a65000, 2093056, PROT_NONE) = 0
> 1846  mmap(0x7f49e1c64000, 4096, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED|MAP
> _DENYWRITE, 3, 0x1000) = 0x7f49e1c64000
> 1846  close(3)                          = 0
> 1846  socket(PF_LOCAL, SOCK_STREAM, 0)  = 3
> 1846  fcntl(3, F_GETFD)                 = 0
> 1846  fcntl(3, F_SETFD, FD_CLOEXEC)     = 0
> 1846  connect(3, {sa_family=AF_LOCAL,
> sun_path="/var/run/avahi-daemon/socket"},
> 110) = 0
>
>
>
> -Roy
>
>> ++
>> + type sftpd_t;
>> + domain_type(sftpd_t)
>> + role system_r types sftpd_t;
>> +--
>> +1.7.10.4
>> +
>> diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.inc
>> b/recipes-security/refpolicy/refpolicy_2.20130424.inc
>> index 5d55030..422c974 100644
>> --- a/recipes-security/refpolicy/refpolicy_2.20130424.inc
>> +++ b/recipes-security/refpolicy/refpolicy_2.20130424.inc
>> @@ -53,6 +53,7 @@ SRC_URI +=
>> "file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \
>>
>> file://hostname-do-not-audit-attempts-by-hostname-to-read-a.patch \
>>
>> file://sysnetwork-dhcpc-binds-socket-to-random-high-udp-por.patch \
>>               file://portmap-allow-portmap-to-create-socket.patch \
>> +            file://poky-policy-ftp-make-proftpd-be-able-to-work.patch \
>>              "
>>
>>   # Backport from upstream
>>
>

By auth_use_nsswith(ftpd)

ftpd_t already works well with nsswitch now. So, please find the root 
cause in other places.

Thanks. :)

-- 
- Pascal

[PATCH 1/1] refpolicy: make proftpd be able to work

[rongqing.li]

From: Roy Li <rongqing.li@windriver.com>

Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
 .../ftp-add-ftpd_t-to-mlsfilewrite.patch           |   39 ++++++++++++++++++++
 .../refpolicy/refpolicy_2.20130424.inc             |    1 +
 2 files changed, 40 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/ftp-add-ftpd_t-to-mlsfilewrite.patch

diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/ftp-add-ftpd_t-to-mlsfilewrite.patch b/recipes-security/refpolicy/refpolicy-2.20130424/ftp-add-ftpd_t-to-mlsfilewrite.patch
new file mode 100644
index 0000000..49da4b6
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/ftp-add-ftpd_t-to-mlsfilewrite.patch
@@ -0,0 +1,39 @@
+From e4e95b723d31c7b678a05cd81a96b10185978b4e Mon Sep 17 00:00:00 2001
+From: Roy Li <rongqing.li@windriver.com>
+Date: Mon, 10 Feb 2014 18:10:12 +0800
+Subject: [PATCH] ftp: add ftpd_t to mls_file_write_all_levels
+
+Proftpd will create file under /var/run, but its mls is in high, and
+can not write to lowlevel
+
+Upstream-Status: Pending
+
+type=AVC msg=audit(1392347709.621:15): avc:  denied  { write } for  pid=545 comm="proftpd" name="/" dev="tmpfs" ino=5853 scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir
+type=AVC msg=audit(1392347709.621:15): avc:  denied  { add_name } for  pid=545 comm="proftpd" name="proftpd.delay" scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir
+type=SYSCALL msg=audit(1392347709.621:15): arch=c000003e syscall=2 success=yes exit=3 a0=471910 a1=42 a2=1b6 a3=8 items=0 ppid=539 pid=545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s15:c0.c1023 key=(null)
+
+root@localhost:~# sesearch --allow -s ftpd_t -t var_run_t|grep dir|grep add_name 
+   allow ftpd_t var_run_t : dir { ioctl read write getattr lock add_name remove_name search open } ; 
+root@localhost:~#
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+---
+ policy/modules/contrib/ftp.te |    2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
+index 544c512..12a31dd 100644
+--- a/policy/modules/contrib/ftp.te
++++ b/policy/modules/contrib/ftp.te
+@@ -144,6 +144,8 @@ role ftpdctl_roles types ftpdctl_t;
+ type ftpdctl_tmp_t;
+ files_tmp_file(ftpdctl_tmp_t)
+ 
++mls_file_write_all_levels(ftpd_t)
++
+ type sftpd_t;
+ domain_type(sftpd_t)
+ role system_r types sftpd_t;
+-- 
+1.7.10.4
+
diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.inc b/recipes-security/refpolicy/refpolicy_2.20130424.inc
index 9e5e426..24c0608 100644
--- a/recipes-security/refpolicy/refpolicy_2.20130424.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20130424.inc
@@ -54,6 +54,7 @@ SRC_URI += "file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \
             file://poky-policy-fix-dmesg-to-use-dev-kmsg.patch \
             file://hostname-do-not-audit-attempts-by-hostname-to-read-a.patch \
             file://sysnetwork-dhcpc-binds-socket-to-random-high-udp-por.patch \
+            file://ftp-add-ftpd_t-to-mlsfilewrite.patch \
            "
 
 # Backport from upstream
-- 
1.7.10.4