From: Pascal Ouyang <xin.ouyang@windriver.com>
To: <yocto@yoctoproject.org>
Subject: Re: [PATCH 1/1] refpolicy: make proftpd be able to work
Date: Thu, 13 Feb 2014 16:40:49 +0800
Message-ID: <52FC8511.3040900@windriver.com>
In-Reply-To: <52FC7EA5.4050206@windriver.com>
On 14-2-13 4:13 PM, Rongqing Li wrote:
>
>
> On 02/11/2014 01:31 PM, rongqing.li@windriver.com wrote:
>> From: Roy Li <rongqing.li@windriver.com>
>>
>> Signed-off-by: Roy Li <rongqing.li@windriver.com>
>> ---
>> ...y-policy-ftp-make-proftpd-be-able-to-work.patch | 85
>> ++++++++++++++++++++
>> .../refpolicy/refpolicy_2.20130424.inc | 1 +
>> 2 files changed, 86 insertions(+)
>> create mode 100644
>> recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch
>>
>>
>> diff --git
>> a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch
>> b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch
>>
>> new file mode 100644
>> index 0000000..9521fcf
>> --- /dev/null
>> +++
>> b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch
>>
>> @@ -0,0 +1,85 @@
>> +ftp: make proftpd be able to work
>> +
>> +Upstream-Status: pending
>> +
>> +1. proftpd need not to access and communicate with avahi, so
>> dontaudit them
>> +2. ftpd_t is transited to mls_systemhigh, the running created files
>> under
>> +/var/run is in mls_systemlow, so put ftpd_t to write_all_levels
>> +
>> +Signed-off-by: Roy Li <rongqing.li@windriver.com>
>> +---
>> + policy/modules/contrib/avahi.if | 40
>> +++++++++++++++++++++++++++++++++++++++
>> + policy/modules/contrib/ftp.te | 6 ++++++
>> + 2 files changed, 46 insertions(+)
>> +
>> +diff --git a/policy/modules/contrib/avahi.if
>> b/policy/modules/contrib/avahi.if
>> +index aebe7cb..0e7a748 100644
>> +--- a/policy/modules/contrib/avahi.if
>> ++++ b/policy/modules/contrib/avahi.if
>> +@@ -135,6 +135,46 @@ interface(`avahi_dontaudit_search_pid',`
>> +
>> + ########################################
>> + ## <summary>
>> ++## Do not audit attempts to rw
>> ++## avahi var directories.
>> ++## </summary>
>> ++## <param name="domain">
>> ++## <summary>
>> ++## Domain to not audit.
>> ++## </summary>
>> ++## </param>
>> ++#
>> ++interface(`avahi_dontaudit_rw_var',`
>> ++ gen_require(`
>> ++ type avahi_var_run_t;
>> ++ ')
>> ++
>> ++ dontaudit $1 avahi_var_run_t:file rw_term_perms;
>> ++')
>> ++
>> ++
>> ++########################################
>> ++## <summary>
>> ++## Do not audit attempts to connectto
>> ++## avahi unix socket.
>> ++## </summary>
>> ++## <param name="domain">
>> ++## <summary>
>> ++## Domain to not audit.
>> ++## </summary>
>> ++## </param>
>> ++#
>> ++interface(`avahi_dontaudit_connectto',`
>> ++ gen_require(`
>> ++ type avahi_t;
>> ++ ')
>> ++
>> ++ dontaudit $1 avahi_t:unix_stream_socket connectto;
>> ++')
>> ++
>> ++
>> ++########################################
>> ++## <summary>
>> + ## All of the rules required to
>> + ## administrate an avahi environment.
>> + ## </summary>
>> +diff --git a/policy/modules/contrib/ftp.te
>> b/policy/modules/contrib/ftp.te
>> +index 544c512..12492d2 100644
>> +--- a/policy/modules/contrib/ftp.te
>> ++++ b/policy/modules/contrib/ftp.te
>> +@@ -144,6 +144,12 @@ role ftpdctl_roles types ftpdctl_t;
>> + type ftpdctl_tmp_t;
>> + files_tmp_file(ftpdctl_tmp_t)
>> +
>> ++mls_file_write_all_levels(ftpd_t)
>> ++
>> ++avahi_dontaudit_connectto(ftpd_t)
>> ++
>> ++avahi_dontaudit_rw_var(ftpd_t)
>
>
> Please drop it, we should not dontaudit ftpd_t to connect avahi.
> We should allow this operation, since ftpd_t calls libnss which
> will create sockets and connect these sockets.
>
>
>
> 1846 open("/lib64/libnss_mdns4.so.2", O_RDONLY|O_CLOEXEC) = 3
> 1846 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\v\0\0\0\0\0\0"..., 832) = 832
> 1846 fstat(3, {st_mode=S_IFREG|0755, st_size=9904, ...}) = 0
> 1846 mmap(NULL, 2105160, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f49e1a63000
> 1846 mprotect(0x7f49e1a65000, 2093056, PROT_NONE) = 0
> 1846 mmap(0x7f49e1c64000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0x7f49e1c64000
> 1846 close(3) = 0
> 1846 socket(PF_LOCAL, SOCK_STREAM, 0) = 3
> 1846 fcntl(3, F_GETFD) = 0
> 1846 fcntl(3, F_SETFD, FD_CLOEXEC) = 0
> 1846 connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/avahi-daemon/socket"}, 110) = 0
>
>
>
> -Roy
>
>> ++
>> + type sftpd_t;
>> + domain_type(sftpd_t)
>> + role system_r types sftpd_t;
>> +--
>> +1.7.10.4
>> +
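Review bot: the three rules added to ftp.te at the end of this hunk do not match what the embedded commit message says is needed. `avahi_dontaudit_connectto(ftpd_t)` only suppresses the AVC message for the connect to the avahi unix socket; it does not permit the access, so a lookup through libnss_mdns4 still fails, now without a denial to diagnose it. If that connect is required, the access has to be allowed (the nsswitch interfaces already used by ftpd_t are the place to look); if it is not required, the dontaudit should be dropped. `mls_file_write_all_levels(ftpd_t)` grants a network-facing daemon write access at every MLS level, which is far broader than the stated problem of run files under /var/run being created at mls_systemlow while ftpd_t runs at mls_systemhigh; please either justify the blanket grant or narrow it to the files actually involved. Smaller points in the same hunk: the new `avahi_dontaudit_rw_var` interface applies `rw_term_perms` to a `file` class where `rw_file_perms` is the matching permission set, its name says `var` although the only type it covers is `avahi_var_run_t`, the `## <summary>` text for both interfaces is abbreviated (`rw`, `connectto avahi unix socket`) and should be written out, and `Upstream-Status: pending` should use the capitalised `Pending` that the OE patch conventions expect.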
>> diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.inc
>> b/recipes-security/refpolicy/refpolicy_2.20130424.inc
>> index 5d55030..422c974 100644
>> --- a/recipes-security/refpolicy/refpolicy_2.20130424.inc
>> +++ b/recipes-security/refpolicy/refpolicy_2.20130424.inc
>> @@ -53,6 +53,7 @@ SRC_URI +=
>> "file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \
>>
>> file://hostname-do-not-audit-attempts-by-hostname-to-read-a.patch \
>>
>> file://sysnetwork-dhcpc-binds-socket-to-random-high-udp-por.patch \
>> file://portmap-allow-portmap-to-create-socket.patch \
>> + file://poky-policy-ftp-make-proftpd-be-able-to-work.patch \
>> "
>>
>> # Backport from upstream
>>
>
By auth_use_nsswitch(ftpd)
ftpd_t already works well with nsswitch now. So, please find the root
cause in other places.
Thanks. :)
--
- Pascal