* policy compile fixes
From: Thomas Bleher @ 2004-10-14 11:35 UTC
To: SELinux ML
This patch fixes a few compile problems with latest policy:
consoletype.te: firstboot.te may not be there
cups.fc: cupsd_config only exists if hald.te is available
apache_macros.te: allow_ypbind is only declared if ypbind.te is available

Add a few file_contexts.

Conditionalize the file_type_auto_trans rule in apache.te, otherwise log
files get created with the wrong context.

Add can_exec($1_ssh_t, { shell_exec_t bin_t }), it is needed for some
programs like x11-ssh-askpass (and I suspect sftp_server).
Please apply.
Thomas
--
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA D09E C562 2BAE B2F4 ABE7
Attachment: compile-fixes.patch
diff -ur orig/domains/program/sulogin.te mod/domains/program/sulogin.te
--- orig/domains/program/sulogin.te 2004-10-14 13:09:52.000000000 +0200
+++ mod/domains/program/sulogin.te 2004-10-14 13:22:35.000000000 +0200
@@ -12,7 +12,7 @@
type sulogin_exec_t, file_type, exec_type, sysadmfile;
role system_r types sulogin_t;
-general_domain_access(sulogin_t);
+general_domain_access(sulogin_t)
domain_auto_trans({ initrc_t init_t }, sulogin_exec_t, sulogin_t)
uses_shlib(sulogin_t)
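Review bot: the sulogin.te change (dropping the trailing `;` after `general_domain_access(sulogin_t)`) is not mentioned in the cover letter; add a line for it. It is a real fix: the macro already expands to complete rules, so the extra `;` lands in policy.conf as a stray token and can make checkpolicy fail with a syntax error.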
diff -ur orig/domains/program/unused/apache.te mod/domains/program/unused/apache.te
--- orig/domains/program/unused/apache.te 2004-10-14 13:09:52.000000000 +0200
+++ mod/domains/program/unused/apache.te 2004-10-14 13:22:34.000000000 +0200
@@ -285,12 +285,14 @@
allow httpd_t tmp_t:sock_file rw_file_perms;
') dnl targeted policy
+ifdef(`distro_redhat', `
#
# mod_jk2 creates /var/log/httpd/jk2.shm to communicate with tomcat
# This is a bug but it still exists in FC2
#
type httpd_runtime_t, file_type, sysadmfile;
file_type_auto_trans(httpd_t, httpd_log_t, httpd_runtime_t, file)
+') dnl distro_redhat
#
# Customer reported the following
#
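Review bot: wrapping the `type httpd_runtime_t, file_type, sysadmfile;` declaration in `ifdef(`distro_redhat', ...)` makes the type itself conditional, not just the transition rule; if apache.fc or any other file references httpd_runtime_t, non-Red Hat builds will now fail on an undeclared type. Consider leaving the type declaration unconditional and guarding only `file_type_auto_trans(httpd_t, httpd_log_t, httpd_runtime_t, file)`, which is the rule that relabels every file httpd_t creates under httpd_log_t and so produces the wrong-context log files the cover letter describes.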
diff -ur orig/domains/program/unused/consoletype.te mod/domains/program/unused/consoletype.te
--- orig/domains/program/unused/consoletype.te 2004-09-28 09:34:16.000000000 +0200
+++ mod/domains/program/unused/consoletype.te 2004-10-14 13:22:35.000000000 +0200
@@ -54,6 +54,8 @@
ifdef(`distro_redhat', `
allow consoletype_t tmpfs_t:chr_file { getattr ioctl read write };
')
+ifdef(`firstboot.te', `
allow consoletype_t firstboot_t:fifo_file { write };
+')
dontaudit consoletype_t proc_t:file { read };
dontaudit consoletype_t root_t:file { read };
Nur in mod/domains/program/unused: consoletype.te.orig.
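Review bot: the `Nur in mod/domains/program/unused: consoletype.te.orig.` line is diff's "Only in" output from a German locale and shows a leftover .orig backup in the modified tree; `patch` ignores it, but clean it up before regenerating the diff. The `ifdef(`firstboot.te', ...)` guard itself is fine in a .te file, where the program_used_flags defines are visible.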
diff -ur orig/file_contexts/program/apache.fc mod/file_contexts/program/apache.fc
--- orig/file_contexts/program/apache.fc 2004-09-21 22:24:43.000000000 +0200
+++ mod/file_contexts/program/apache.fc 2004-10-14 13:22:34.000000000 +0200
@@ -26,6 +26,7 @@
/var/cache/ssl.*\.sem -- system_u:object_r:httpd_cache_t
/var/cache/mod_ssl(/.*)? system_u:object_r:httpd_cache_t
/var/run/apache(2)?.pid.* -- system_u:object_r:httpd_var_run_t
+/var/lib/httpd(/.*)? system_u:object_r:httpd_var_lib_t
/etc/apache-ssl(2)?(/.*)? system_u:object_r:httpd_config_t
/usr/lib/apache-ssl(/.*)? -- system_u:object_r:httpd_exec_t
/usr/sbin/apache-ssl(2)? -- system_u:object_r:httpd_exec_t
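Review bot: the new `/var/lib/httpd(/.*)? system_u:object_r:httpd_var_lib_t` entry should come with a check that httpd_var_lib_t is actually declared in apache.te; an fc entry naming an undeclared type breaks setfiles and relabelling for every build, not only for the distro that ships the directory.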
diff -ur orig/file_contexts/program/cups.fc mod/file_contexts/program/cups.fc
--- orig/file_contexts/program/cups.fc 2004-10-14 13:09:54.000000000 +0200
+++ mod/file_contexts/program/cups.fc 2004-10-14 13:22:35.000000000 +0200
@@ -18,8 +18,11 @@
/usr/lib(64)?/cups/backend/.* -- system_u:object_r:cupsd_exec_t
/usr/lib(64)?/cups/daemon/.* -- system_u:object_r:cupsd_exec_t
/usr/sbin/cupsd -- system_u:object_r:cupsd_exec_t
+ifdef(`hald.te', `
+# cupsd_config depends on hald
/usr/bin/cups-config-daemon -- system_u:object_r:cupsd_config_exec_t
/usr/sbin/hal_lpadmin -- system_u:object_r:cupsd_config_exec_t
+')
/usr/sbin/printconf-backend -- system_u:object_r:sbin_t
/var/log/cups(/.*)? system_u:object_r:cupsd_log_t
/var/spool/cups(/.*)? system_u:object_r:print_spool_t
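Review bot: `ifdef(`hald.te', ...)` in an .fc file will not do what is intended: the fc files are not run through m4 together with tmp/program_used_flags.te (as James Carter notes later in the thread), so `hald.te' is never defined here and both cupsd_config_exec_t entries silently disappear from file_contexts. Either declare cupsd_config_exec_t unconditionally in the .te policy, or first make the flags file the leading FCFILES entry as Russell Coker suggests, and then keep this guard.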
diff -ur orig/file_contexts/program/initrc.fc mod/file_contexts/program/initrc.fc
--- orig/file_contexts/program/initrc.fc 2004-09-21 22:24:43.000000000 +0200
+++ mod/file_contexts/program/initrc.fc 2004-10-14 13:22:35.000000000 +0200
@@ -11,6 +11,11 @@
/var/run/runlevel\.dir system_u:object_r:initrc_var_run_t
/var/run/random-seed -- system_u:object_r:initrc_var_run_t
/var/run/setmixer_flag -- system_u:object_r:initrc_var_run_t
+ifdef(`distro_suse', `
+/var/run/sysconfig(/.*)? system_u:object_r:initrc_var_run_t
+/var/run/keymap -- system_u:object_r:initrc_var_run_t
+/var/run/numlock-on -- system_u:object_r:initrc_var_run_t
+')
ifdef(`distro_gentoo', `
/sbin/rc -- system_u:object_r:initrc_exec_t
diff -ur orig/file_contexts/program/ssh.fc mod/file_contexts/program/ssh.fc
--- orig/file_contexts/program/ssh.fc 2004-03-09 16:31:36.000000000 +0100
+++ mod/file_contexts/program/ssh.fc 2004-10-14 13:22:35.000000000 +0200
@@ -12,3 +12,6 @@
/usr/lib(64)?/misc/sftp-server -- system_u:object_r:bin_t
/usr/libexec/openssh/sftp-server -- system_u:object_r:bin_t
/usr/lib(64)?/sftp-server -- system_u:object_r:bin_t
+ifdef(`distro_suse', `
+/usr/lib(64)?/ssh/.* -- system_u:object_r:bin_t
+')
diff -ur orig/macros/program/apache_macros.te mod/macros/program/apache_macros.te
--- orig/macros/program/apache_macros.te 2004-10-14 13:09:56.000000000 +0200
+++ mod/macros/program/apache_macros.te 2004-10-14 13:22:35.000000000 +0200
@@ -64,9 +64,11 @@
allow httpd_$1_script_t device_t:dir { getattr search };
allow httpd_$1_script_t null_device_t:chr_file rw_file_perms;
}
+ifdef(`ypbind.te', `
if (httpd_enable_cgi && allow_ypbind) {
uncond_can_ypbind(httpd_$1_script_t)
}
+')
# The following are the only areas that
# scripts can read, read/write, or append to
#
diff -ur orig/macros/program/ssh_macros.te mod/macros/program/ssh_macros.te
--- orig/macros/program/ssh_macros.te 2004-10-14 13:09:56.000000000 +0200
+++ mod/macros/program/ssh_macros.te 2004-10-14 13:22:35.000000000 +0200
@@ -92,6 +92,9 @@
# Use capabilities.
allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search };
+# run helper programs - needed eg for x11-ssh-askpass
+can_exec($1_ssh_t, { shell_exec_t bin_t })
+
# Read the ssh key file.
allow $1_ssh_t sshd_key_t:file r_file_perms;
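Review bot: `can_exec($1_ssh_t, { shell_exec_t bin_t })` lets the user's ssh client domain execute any shell and any bin_t binary without a domain transition, inside a domain that holds setuid, setgid, dac_override and dac_read_search (the capability line just above). If the only known need is the askpass helper, a dedicated type for the ssh helper directory (the ssh.fc hunk already touches /usr/lib(64)?/ssh) would be a narrower grant than all of bin_t. Also re-check the sftp_server justification in the cover letter: sftp-server is spawned by sshd on the server side, not by the client's $1_ssh_t, so this rule does not cover it.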
* Re: policy compile fixes
From: Kodungallur Varma @ 2004-10-14 17:20 UTC
To: SELinux ML
Hi all,
When I "make load" a new policy I have the following sequence
in the console:
-------------------------------------------------
[root@sun policy]# make load
mkdir -p /etc/security/selinux
/usr/bin/checkpolicy -o /etc/security/selinux/policy.17 policy.conf
/usr/bin/checkpolicy: loading policy configuration from policy.conf
security: 5 users, 7 roles, 1244 types, 1 bools
security: 30 classes, 303377 rules
/usr/bin/checkpolicy: policy configuration loaded
/usr/bin/checkpolicy: writing binary representation (version 17) to
/etc/security/selinux/policy.17
/usr/bin/checkpolicy -c 15 -o /etc/security/selinux/policy.15 policy.conf
/usr/bin/checkpolicy: loading policy configuration from policy.conf
security: 5 users, 7 roles, 1244 types, 1 bools
security: 30 classes, 303377 rules
/usr/bin/checkpolicy: policy configuration loaded
/usr/bin/checkpolicy: writing binary representation (version 15) to
/etc/security/selinux/policy.15
warning: discarding booleans and conditional rules
/usr/bin/checkpolicy -c 16 -o /etc/security/selinux/policy.16 policy.conf
/usr/bin/checkpolicy: loading policy configuration from policy.conf
security: 5 users, 7 roles, 1244 types, 1 bools
security: 30 classes, 303377 rules
/usr/bin/checkpolicy: policy configuration loaded
/usr/bin/checkpolicy: writing binary representation (version 16) to
/etc/security/selinux/policy.16
/usr/sbin/load_policy /etc/security/selinux/policy.`cat /selinux/policyvers`
Can't open '/etc/security/selinux/policy.18': No such file or directory
make: *** [tmp/load] Error 2
----------------------------------------------------
The last two lines: why is it trying to open policy.18? I don't even
have it, and in the last line it says error. Is there some way to fix
it? Thanks a lot.
Ram
On Thu, 14 Oct 2004 13:35:36 +0200, Thomas Bleher
<bleher@informatik.uni-muenchen.de> wrote:
> This patch fixes a few compile problems with latest policy:
> consoletype.te: firstboot.te may not be there
> cups.fc: cupsd_config only exists if hald.te is available
> apache_macros.te: allow_ypbind is only declared if ypbind.te is
> available
>
> Add a few file_contexts.
>
> Conditionalize the file_type_auto_trans rule in apache.te, otherwise log
> files get created with the wrong context.
>
> Add can_exec($1_ssh_t, { shell_exec_t bin_t }), it is needed for some
> programs like x11-ssh-askpass (and I suspect sftp_server).
>
> Please apply.
> Thomas
>
> --
> http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
> GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA D09E C562 2BAE B2F4 ABE7
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: policy compile fixes
From: James Carter @ 2004-10-14 20:23 UTC
To: Thomas Bleher; +Cc: SELinux ML
Merged with the exception of the cups.fc stuff.
Currently, the policy Makefile is not set up so that the fc files can
use an ifdef(`somefile.te',
If there is interest in adding that support though, it can be done.
On Thu, 2004-10-14 at 07:35, Thomas Bleher wrote:
> This patch fixes a few compile problems with latest policy:
> consoletype.te: firstboot.te may not be there
> cups.fc: cupsd_config only exists if hald.te is available
> apache_macros.te: allow_ypbind is only declared if ypbind.te is
> available
>
> Add a few file_contexts.
>
> Conditionalize the file_type_auto_trans rule in apache.te, otherwise log
> files get created with the wrong context.
>
> Add can_exec($1_ssh_t, { shell_exec_t bin_t }), it is needed for some
> programs like x11-ssh-askpass (and I suspect sftp_server).
>
> Please apply.
> Thomas
--
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency
* Re: policy compile fixes
From: Thomas Bleher @ 2004-10-14 23:24 UTC
To: James Carter; +Cc: SELinux ML
* James Carter <jwcart2@epoch.ncsc.mil> [2004-10-14 23:35]:
> Merged with the exception of the cups.fc stuff.
>
> Currently, the policy Makefile is not set up so that the fc files can
> use an ifdef(`somefile.te',
>
> If there is interest in adding that support though, it can be done.
It just seemed easiest this way.
Another possibility would be to unconditionally define
cupsd_config_exec_t and be done with it.
I do not care either way, it just has to be handled.
> On Thu, 2004-10-14 at 07:35, Thomas Bleher wrote:
> > This patch fixes a few compile problems with latest policy:
> > consoletype.te: firstboot.te may not be there
> > cups.fc: cupsd_config only exists if hald.te is available
> > apache_macros.te: allow_ypbind is only declared if ypbind.te is
> > available
--
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA D09E C562 2BAE B2F4 ABE7
* Re: policy compile fixes
From: Russell Coker @ 2004-10-16 13:51 UTC
To: Thomas Bleher; +Cc: James Carter, SELinux ML
On Fri, 15 Oct 2004 09:24, Thomas Bleher <bleher@informatik.uni-muenchen.de>
wrote:
> > Currently, the policy Makefile is not set up so that the fc files can
> > use an ifdef(`somefile.te',
> >
> > If there is interest in adding that support though, it can be done.
>
> It just seemed easiest this way.
I agree, it's something that should be done.
Putting tmp/program_used_flags.te as the first entry for the FCFILES
declaration should be all that's needed.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
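Russell's FCFILES suggestion can be checked outside the policy tree. The following is an added shell example, not code from the thread or from the policy Makefile; it assumes m4 is installed and that tmp/program_used_flags.te is a list of define(`name.te') lines (an assumption about the Makefile's output), and the file contents are constructed stand-ins.

```shell
#!/bin/sh
# Added example (not from the thread or the policy Makefile). It shows why the
# patch's ifdef(`hald.te', ...) guard in cups.fc expands to nothing when m4
# only sees the .fc files, and that feeding the generated
# tmp/program_used_flags.te first (Russell's FCFILES change) makes it work.
# Assumptions: m4 is installed; program_used_flags.te is a list of
# define(`name.te') lines. The file contents below are constructed stand-ins.
set -e

# Stand-in for tmp/program_used_flags.te: hald.te is part of this build.
program_used_flags() {
    printf "define(\`hald.te')\n"
}

# Stand-in cups.fc fragment with the same guard as the patch's cups.fc hunk.
cups_fc() {
    cat <<'EOF'
/usr/sbin/cupsd -- system_u:object_r:cupsd_exec_t
ifdef(`hald.te', `
/usr/bin/cups-config-daemon -- system_u:object_r:cupsd_config_exec_t
/usr/sbin/hal_lpadmin -- system_u:object_r:cupsd_config_exec_t
')
/var/log/cups(/.*)? system_u:object_r:cupsd_log_t
EOF
}

# Count the cupsd_config_exec_t entries that survive m4 processing of the
# concatenated inputs; m4 processes its input in order with shared macro
# state, just like `m4 $(FCFILES)` does in the Makefile.
count_config_entries() {
    m4 | grep -c cupsd_config_exec_t || true
}

# FCFILES = tmp/program_used_flags.te cups.fc  ->  guard works (2 entries)
count_with_flags() {
    { program_used_flags; cups_fc; } | count_config_entries
}

# FCFILES = cups.fc only (the 2004 Makefile)  ->  guard drops both (0 entries)
count_without_flags() {
    cups_fc | count_config_entries
}

if command -v m4 >/dev/null 2>&1; then
    echo "flags first: $(count_with_flags) cupsd_config_exec_t entries"
    echo "fc only:     $(count_without_flags) cupsd_config_exec_t entries"
fi
```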