Parts of this patch are rather controversial and might break things.
Please comment if anything needs to be changed.
Changelog:
==========
1) Introduces new type - ROLE_untrusted_content_t.
This will be the "downloads" folder type that I proposed earlier.
I started a discussion on the Gnome Usability list about further
separation, but so far it doesn't seem to be making progress.
Mozilla and gift gain the ability to create files of this type.
The parent folder must be manually created for mozilla (for now)
and already exists for giFT.
Mozilla has been changed to create files of this type under /tmp,
but under /tmp/orbit-* it still uses the old ROLE_mozilla_tmp_t type.
Mplayer and lpr are granted rights to read this "untrusted" type as
part of the mozilla policy. This may not be what we want, but
that's what used to be the case before the patch - they could read
ROLE_mozilla_tmp_t.
2) Introduce new types for gnome - ROLE_gnome_settings_t, and
ROLE_gnome_data_t. This looks to me like too low level of granularity
for labeling, but I didn't know what would be appropriate - at
least it seems better than the existing types (ROLE_home_t, and
ROLE_mozilla_home_t (why mozilla for .gconf?))
Those types are used
for .gnome, .gnome2, .gnome_private, .gnome2_private, .gconf,
.local, .thumbnails, .themes, .icons,
and are fully accessible from ROLE_t. However, now applications
can be granted access to this particular type, rather than
ROLE_home_t, or ROLE_mozilla_home_t.
3) Introduce new type for .fonts.cache-1 - ROLE_font_cache_t.
Change dontaudit for gift and mozilla to allow reading this file.
4) Miscellaneous fix: Allow load_policy to read /proc/filesystems,
or else it just refuses to load in enforcing mode.
5) Miscellaneous fix: Remove duplicate file label from inetd.fc
that's causing trouble (uuico)
6) Grant the user the ability to relabel to/from directories of type
ROLE_home_t. Why not?
7) Add nscd_client_domain to mozilla, as it seems to be needed after all
8) Allow mozilla to search bin_t for plugins, and other minor stuff...
9) Is this going to be a problem?
-HOME_DIR/\.gconf(/.*)? system_u:object_r:ROLE_mozilla_home_t
-HOME_DIR/\.gnome2/epiphany(/.*)? system_u:object_r:ROLE_mozilla_home_t
Mozilla refused to even start until
allowed to { search getattr } ROLE_gnome_settings_t, which is the
new type for those folders...
--
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Ok I see the first thing that's wrong with this patch...
ROLE_t can't access ROLE_untrusted_content_t.
ROLE_untrusted_content_t is marked both $1_file_type and customizable.
It seems to me that one of those things should imply access (at least
read, getattr, relabelto, relabelfrom) by the ROLE_t type, or is that
not the case? Which one?
Also, is there a reason why certain types are declared in both
admin_macros and user_macros? I put this new type in both, following
a pattern with the other types, but I don't see why this stuff can't
go into base_user_macros for a single copy.
--
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University
On Wed, 2005-04-13 at 23:42 -0400, Ivan Gyurdiev wrote:
> Ok I see the first thing that's wrong with this patch...
Attached is a new version - resynced against latest policy, and removed
miscellaneous patches.
- Allowed ROLE_t full access to ROLE_untrusted_content_t (should this be
only relabelfrom instead? how do we want to protect the default user
context from untrusted content? )
- Added types: mime_types_t, ROLE_mime_types_t, and read_mime_types()
macro - it's used in mozilla
- Added type ROLE_fonts_t. It should be used for per/user (home) fonts,
but I'm not sure where those are stored - for now I just marked
$HOME/.fonts. Added read_fonts() macro to read those, and read
the .font.cache-1 file, and changed a bunch of programs to use that.
Removed X's privilege to read ROLE_home_t, and replaced with this macro.
Moved fonts contexts into fontconfig.fc
- Gave giFT name_connect permission
Any comments?
--
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University
> Attached is a new version - resynced against latest policy, and removed
> miscellaneous patches.
...and yet another one. Fix more bugs, resync again against policy,
allow ROLE_t to read mime types, and restrict games from reading home_t
to reading gnome settings/data.
--
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University
Ivan Gyurdiev wrote:
>>Attached is a new version - resynced against latest policy, and removed
>>miscellaneous patches.
>
>...and yet another one. Fix more bugs, resync again against policy,
>allow ROLE_t to read mime types, and restrict games from reading home_t
>to reading gnome settings/data.
>
>------------------------------------------------------------------------
>
>diff -aru policy.old/domains/program/fontconfig.te policy/domains/program/fontconfig.te
>--- policy.old/domains/program/fontconfig.te 2005-04-13 21:52:20.000000000 -0400
>+++ policy/domains/program/fontconfig.te 2005-04-13 20:00:52.000000000 -0400
>@@ -0,0 +1,7 @@
>+#
>+# Fontconfig related types
>+#
>+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
>+#
>+
>+# Look in fontconfig_macros.te
>diff -aru policy.old/domains/program/gnome.te policy/domains/program/gnome.te
>--- policy.old/domains/program/gnome.te 2005-04-13 21:52:20.000000000 -0400
>+++ policy/domains/program/gnome.te 2005-04-13 19:30:07.000000000 -0400
>@@ -0,0 +1,7 @@
>+#
>+# GNOME related types
>+#
>+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
>+#
>+
>+# Look in gnome_macros.te
>diff -aru policy.old/domains/program/mailcap.te policy/domains/program/mailcap.te
>--- policy.old/domains/program/mailcap.te 2005-04-14 20:17:32.000000000 -0400
>+++ policy/domains/program/mailcap.te 2005-04-14 21:10:34.000000000 -0400
>@@ -0,0 +1,9 @@
>+#
>+# Mailcap related types
>+#
>+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
>+#
>+
>+type mime_types_t, file_type, sysadmfile;
>+
>+# Look in mailcap_macros.te
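Review bot: giving /etc/mailcap and /etc/mime.types their own type (`type mime_types_t, file_type, sysadmfile;`) takes them out of etc_t, so every domain that used to read them through etc_t (mail readers, pagers, anything that consults mailcap) now needs a read_mime_types() call or it gets a denial; this diff only adds the call for $1_t and $1_mozilla_t. Worth a grep for other consumers before this goes in.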
>diff -aru policy.old/file_contexts/program/gnome.fc policy/file_contexts/program/gnome.fc
>--- policy.old/file_contexts/program/gnome.fc 2005-04-13 21:52:10.000000000 -0400
>+++ policy/file_contexts/program/gnome.fc 2005-04-14 20:32:29.000000000 -0400
>@@ -0,0 +1,7 @@
>+HOME_DIR/\.gconf(/.*)? system_u:object_r:ROLE_gnome_settings_t
>+HOME_DIR/\.gnome(2)?(/.*)? system_u:object_r:ROLE_gnome_settings_t
>+HOME_DIR/\.gnome(2)?_private?(/.*)? system_u:object_r:ROLE_gnome_settings_t
>+HOME_DIR/\.local(/.*)? system_u:object_r:ROLE_gnome_data_t
>+HOME_DIR/\.themes(/.*)? system_u:object_r:ROLE_gnome_data_t
>+HOME_DIR/\.icons(/.*)? system_u:object_r:ROLE_gnome_data_t
>+HOME_DIR/\.thumbnails(/.*)? system_u:object_r:ROLE_gnome_data_t
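Review bot: in `HOME_DIR/\.gnome(2)?_private?(/.*)?` the trailing `?` binds only to the final `e`, so the line also matches `.gnome_privat`; the intended pattern is `HOME_DIR/\.gnome(2)?_private(/.*)?`. Note also that `.gnome2/epiphany`, dropped from mozilla.fc below, now falls under the `\.gnome(2)?(/.*)?` line and gets ROLE_gnome_settings_t, which is what item 9 of the cover note asks about.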
>diff -aru policy.old/file_contexts/program/mailcap.fc policy/file_contexts/program/mailcap.fc
>--- policy.old/file_contexts/program/mailcap.fc 2005-04-14 20:17:39.000000000 -0400
>+++ policy/file_contexts/program/mailcap.fc 2005-04-15 03:36:56.000000000 -0400
>@@ -0,0 +1,8 @@
>+#
>+# Mime types
>+#
>+
>+/etc/mailcap -- system_u:object_r:mime_types_t
>+/etc/mime.types -- system_u:object_r:mime_types_t
>+HOME_DIR/\.mailcap -- system_u:object_r:ROLE_mime_types_t
>+HOME_DIR/\.mime\.types -- system_u:object_r:ROLE_mime_types_t
>diff -aru policy.old/file_contexts/program/mozilla.fc policy/file_contexts/program/mozilla.fc
>--- policy.old/file_contexts/program/mozilla.fc 2005-04-13 21:02:52.000000000 -0400
>+++ policy/file_contexts/program/mozilla.fc 2005-04-13 21:03:26.000000000 -0400
>@@ -4,8 +4,6 @@
> HOME_DIR/\.mozilla(/.*)? system_u:object_r:ROLE_mozilla_home_t
> HOME_DIR/\.phoenix(/.*)? system_u:object_r:ROLE_mozilla_home_t
> HOME_DIR/\.gconfd(/.*)? system_u:object_r:ROLE_mozilla_home_t
>-HOME_DIR/\.gconf(/.*)? system_u:object_r:ROLE_mozilla_home_t
>-HOME_DIR/\.gnome2/epiphany(/.*)? system_u:object_r:ROLE_mozilla_home_t
> HOME_DIR/My.Downloads(/.*)? system_u:object_r:ROLE_mozilla_home_t
> HOME_DIR/\.java(/.*)? system_u:object_r:ROLE_mozilla_home_t
> /usr/bin/netscape -- system_u:object_r:mozilla_exec_t
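Review bot: `.gconf` and `.gnome2/epiphany` move to the GNOME types, but `HOME_DIR/\.gconfd(/.*)?` one line above stays ROLE_mozilla_home_t; gconfd's own state directory should follow the settings it manages, otherwise ROLE_t processes still depend on a mozilla type to work with gconf.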
>diff -aru policy.old/file_contexts/types.fc policy/file_contexts/types.fc
>--- policy.old/file_contexts/types.fc 2005-04-15 03:29:49.000000000 -0400
>+++ policy/file_contexts/types.fc 2005-04-15 03:30:01.000000000 -0400
>@@ -387,17 +387,6 @@
> /usr/X11R6/man(/.*)? system_u:object_r:man_t
>
> #
>-# Fonts dir
>-#
>-/usr/X11R6/lib/X11/fonts(/.*)? system_u:object_r:fonts_t
>-ifdef(`distro_debian', `
>-/var/lib/msttcorefonts(/.*)? system_u:object_r:fonts_t
>-')
>-/usr/share/fonts(/.*)? system_u:object_r:fonts_t
>-/usr/share/ghostscript/fonts(/.*)? system_u:object_r:fonts_t
>-/usr/local/share/fonts(/.*)? system_u:object_r:fonts_t
>-
>-#
> # /var/run
> #
> /var/run(/.*)? system_u:object_r:var_run_t
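Review bot: this removes every fonts_t entry from types.fc, but the fontconfig.fc the cover note says they were moved into is not part of this diff; if it is missing from the submitted patch, /usr/share/fonts and the other font directories lose their label on the next relabel and read_fonts() has nothing to match. Please include fontconfig.fc in the diff.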
>diff -aru policy.old/macros/admin_macros.te policy/macros/admin_macros.te
>--- policy.old/macros/admin_macros.te 2005-04-12 12:23:17.000000000 -0400
>+++ policy/macros/admin_macros.te 2005-04-15 03:12:13.000000000 -0400
>@@ -14,11 +14,17 @@
> #
> undefine(`admin_domain')
> define(`admin_domain',`
>+
> # Type for home directory.
> attribute $1_file_type;
> type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type;
> type $1_home_t, file_type, sysadmfile, home_type, $1_file_type;
>
>+# Type for network content.
>+type $1_untrusted_content_t, file_type, $1_file_type, sysadmfile, customizable;
>+create_dir_file($1_t, $1_untrusted_content_t)
>+allow $1_t $1_untrusted_content_t:{ dir file } { relabelto relabelfrom };
>+
> # Type and access for pty devices.
> can_create_pty($1, `, admin_tty_type')
>
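Review bot: this block (type declaration, create_dir_file, relabel rule) is repeated verbatim in user_macros.te at the end of the patch; both macros call base_user_domain($1), so a single copy there avoids the two drifting apart, which is the question you raised yourself earlier in the thread. Also, create_dir_file($1_t, $1_untrusted_content_t) gives the user's default domain full read/write on downloaded content, so at the moment the new type isolates nothing from $1_t; if the goal is to keep $1_t from opening downloads by default, grant getattr plus relabelfrom/relabelto here and let the handling applications read the type.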
>diff -aru policy.old/macros/base_user_macros.te policy/macros/base_user_macros.te
>--- policy.old/macros/base_user_macros.te 2005-04-12 12:20:28.000000000 -0400
>+++ policy/macros/base_user_macros.te 2005-04-15 03:16:52.000000000 -0400
>@@ -69,7 +69,7 @@
>
> # Create, access, and remove files in home directory.
> file_type_auto_trans($1_t, $1_home_dir_t, $1_home_t)
>-allow $1_t $1_home_t:notdevfile_class_set { relabelfrom relabelto };
>+allow $1_t $1_home_t:{ notdevfile_class_set dir } { relabelfrom relabelto };
> can_setfscreate($1_t)
>
> allow $1_t autofs_t:dir { search getattr };
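Review bot: fine as a fix; for the record, notdevfile_class_set covers file, lnk_file, sock_file and fifo_file only, so the old rule really did not permit relabeling directories, which is worth stating in the changelog entry for item 6.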
>@@ -184,6 +184,9 @@
> ifdef(`cdrecord.te', `cdrecord_domain($1)')
> ifdef(`mplayer.te', `mplayer_domains($1)')
> ifdef(`gift.te', `gift_domains($1)')
>+ifdef(`gnome.te', `gnome_domain($1)')
>+ifdef(`fontconfig.te', `fontconfig_domain($1)')
>+ifdef(`mailcap.te', `mailcap_domain($1)')
>
> # Instantiate a derived domain for user cron jobs.
> ifdef(`crond.te', `crond_domain($1)')
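Review bot: the three new per-role domains are instantiated only under `ifdef(`gnome.te', ...)`, `ifdef(`fontconfig.te', ...)` and `ifdef(`mailcap.te', ...)`, but mozilla_macros.te and games_domain.te below use $1_gnome_settings_t, $1_gnome_data_t, $1_fonts_cache_t and $1_mime_types_t unconditionally; a build without one of those .te files fails with undeclared types. Either make the consumers conditional too or drop the ifdefs.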
>@@ -344,6 +347,9 @@
> allow $1_t default_t:notdevfile_class_set r_file_perms;
> }
>
>+# Read mime types
>+read_mime_types($1_t, $1)
>+
> read_sysctl($1_t);
>
> #
>diff -aru policy.old/macros/global_macros.te policy/macros/global_macros.te
>--- policy.old/macros/global_macros.te 2005-04-15 03:28:12.000000000 -0400
>+++ policy/macros/global_macros.te 2005-04-15 03:27:54.000000000 -0400
>@@ -156,6 +156,28 @@
> r_dir_file($1, locale_t)
> ')
>
>+##################################
>+#
>+# read_mime_types(domain, role)
>+#
>+# Permission for reading mime types
>+#
>+define(`read_mime_types', `
>+allow $1 mime_types_t:file r_file_perms;
>+allow $1 $2_mime_types_t:file r_file_perms;
>+')
>+
>+###################################
>+#
>+# read_fonts(domain, role)
>+#
>+# Permission for reading fonts
>+#
>+define(`read_fonts', `
>+r_dir_file($1, fonts_t)
>+r_dir_file($1, $2_fonts_t)
>+allow $1 $2_fonts_cache_t:file r_file_perms;
>+')
>
> ###################################
> #
>diff -aru policy.old/macros/program/fontconfig_macros.te policy/macros/program/fontconfig_macros.te
>--- policy.old/macros/program/fontconfig_macros.te 2005-04-13 21:51:58.000000000 -0400
>+++ policy/macros/program/fontconfig_macros.te 2005-04-14 20:51:12.000000000 -0400
>@@ -0,0 +1,15 @@
>+#
>+# Fontconfig related types
>+#
>+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
>+#
>+# fontconfig_domain(role_prefix)
>+
>+define(`fontconfig_domain', `
>+
>+type $1_fonts_t, file_type, $1_file_type, sysadmfile, customizable;
>+type $1_fonts_cache_t, file_type, $1_file_type, sysadmfile;
>+
>+create_dir_file($1_t, $1_fonts_cache_t)
>+
>+') dnl gnome_domain
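Review bot: `$1_fonts_t` is declared but no rule grants $1_t anything on it (only $1_fonts_cache_t gets create_dir_file), and by your own earlier finding `$1_file_type` plus `customizable` did not give ROLE_t access to ROLE_untrusted_content_t, so users will not be able to put fonts into ~/.fonts; add create_dir_file($1_t, $1_fonts_t) or at least a read rule, whichever is intended. The closing `') dnl gnome_domain` is a copy-paste leftover and should read `dnl fontconfig_domain`.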
>diff -aru policy.old/macros/program/games_domain.te policy/macros/program/games_domain.te
>--- policy.old/macros/program/games_domain.te 2005-04-14 16:34:49.000000000 -0400
>+++ policy/macros/program/games_domain.te 2005-04-15 03:13:42.000000000 -0400
>@@ -43,10 +43,11 @@
> can_udp_send($1_games_t, $1_games_t)
> can_tcp_connect($1_games_t, $1_games_t)
>
>-# Access /home/user/.gnome2
>-create_dir_file($1_games_t, $1_home_t)
>+# Access /home/user/.gnome2, /home/user/.themes
>+allow $1_games_t $1_gnome_settings_t:dir { getattr search };
>+allow $1_games_t $1_gnome_settings_t:file create_file_perms;
> allow $1_games_t $1_home_dir_t:dir { read getattr search };
>-allow $1_games_t $1_home_t:dir { read getattr };
>+r_dir_file($1_games_t, $1_gnome_data_t)
>
> create_dir_file($1_games_t, $1_tmp_t)
> allow $1_games_t $1_tmp_t:sock_file create_file_perms;
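Review bot: `allow $1_games_t $1_gnome_settings_t:file create_file_perms;` paired with only `dir { getattr search }` cannot actually create or remove files under .gnome2, since that needs write/add_name/remove_name on the directory; the old create_dir_file($1_games_t, $1_home_t) did grant that. Either use create_dir_file($1_games_t, $1_gnome_settings_t) if games write their settings, or reduce the file rule to rw_file_perms and say so in the comment.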
>diff -aru policy.old/macros/program/gnome_macros.te policy/macros/program/gnome_macros.te
>--- policy.old/macros/program/gnome_macros.te 2005-04-13 21:51:55.000000000 -0400
>+++ policy/macros/program/gnome_macros.te 2005-04-13 20:47:47.000000000 -0400
>@@ -0,0 +1,16 @@
>+#
>+# GNOME related types
>+#
>+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
>+#
>+# gnome_domain(role_prefix)
>+
>+define(`gnome_domain', `
>+
>+type $1_gnome_settings_t, file_type, $1_file_type, sysadmfile;
>+type $1_gnome_data_t, file_type, $1_file_type, sysadmfile;
>+
>+create_dir_file($1_t, $1_gnome_settings_t)
>+create_dir_file($1_t, $1_gnome_data_t)
>+
>+') dnl gnome_domain
>diff -aru policy.old/macros/program/gpg_agent_macros.te policy/macros/program/gpg_agent_macros.te
>--- policy.old/macros/program/gpg_agent_macros.te 2005-04-14 20:57:52.000000000 -0400
>+++ policy/macros/program/gpg_agent_macros.te 2005-04-14 20:58:18.000000000 -0400
>@@ -89,7 +89,7 @@
> allow $1_gpg_pinentry_t xdm_t:fd use;
> ')dnl end ig xdm.te
>
>-r_dir_file($1_gpg_pinentry_t, fonts_t)
>+read_fonts($1_gpg_pinentry_t, $1)
> # read kde font cache
> allow $1_gpg_pinentry_t usr_t:file { getattr read };
>
>diff -aru policy.old/macros/program/java_macros.te policy/macros/program/java_macros.te
>--- policy.old/macros/program/java_macros.te 2005-04-14 20:56:47.000000000 -0400
>+++ policy/macros/program/java_macros.te 2005-04-14 21:11:05.000000000 -0400
>@@ -4,7 +4,7 @@
> # Macros for javaplugin (java plugin) domains.
> #
> #
>-# javaplugin_domain(domain_prefix, user)
>+# javaplugin_domain(domain_prefix, role)
> #
> # Define a derived domain for the javaplugin program when executed by
> # a web browser.
>@@ -44,7 +44,8 @@
> allow $1_javaplugin_t sysctl_vm_t:dir search;
>
> tmp_domain($1_javaplugin)
>-r_dir_file($1_javaplugin_t,{ fonts_t usr_t etc_t })
>+read_fonts($1_javaplugin_t, $2)
>+r_dir_file($1_javaplugin_t,{ usr_t etc_t })
>
> # Search bin directory under javaplugin for javaplugin executable
> allow $1_javaplugin_t bin_t:dir search;
>diff -aru policy.old/macros/program/mailcap_macros.te policy/macros/program/mailcap_macros.te
>--- policy.old/macros/program/mailcap_macros.te 2005-04-14 20:17:26.000000000 -0400
>+++ policy/macros/program/mailcap_macros.te 2005-04-14 20:17:06.000000000 -0400
>@@ -0,0 +1,14 @@
>+#
>+# Mailcap related types
>+#
>+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
>+#
>+# mailcap_domain(role_prefix)
>+
>+define(`mailcap_domain', `
>+
>+type $1_mime_types_t, file_type, $1_file_type, sysadmfile;
>+
>+create_dir_file($1_t, $1_mime_types_t)
>+
>+') dnl gnome_domain
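Review bot: `') dnl gnome_domain` should be `dnl mailcap_domain`. Also, create_dir_file($1_t, $1_mime_types_t) grants directory permissions for a type that mailcap.fc only assigns to two regular files (`--` qualifier); file create/rw/unlink permissions are the tighter match.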
>diff -aru policy.old/macros/program/mozilla_macros.te policy/macros/program/mozilla_macros.te
>--- policy.old/macros/program/mozilla_macros.te 2005-04-12 12:26:11.000000000 -0400
>+++ policy/macros/program/mozilla_macros.te 2005-04-15 03:06:58.000000000 -0400
>@@ -16,7 +16,9 @@
> # provided separately in domains/program/mozilla.te.
> #
> define(`mozilla_domain',`
>-type $1_mozilla_t, domain, web_client_domain, privlog;
>+
>+type $1_mozilla_t, domain, web_client_domain, nscd_client_domain, privlog;
>+type $1_mozilla_tmp_t, file_type, sysadmfile, tmpfile;
>
> # Type transition
> if (! disable_mozilla_trans) {
>@@ -28,8 +30,9 @@
> home_domain($1, mozilla)
> x_client_domain($1_mozilla, $1)
>
>-# Browse files
>+# Look for plugins
> file_browse_domain($1_mozilla_t)
>+allow $1_mozilla_t bin_t:dir { getattr read search };
>
> can_network_client($1_mozilla_t)
> allow $1_mozilla_t { ftp_port_t http_port_t }:tcp_socket name_connect;
>@@ -53,7 +56,18 @@
> # Fork, set resource limits and scheduling info.
> allow $1_mozilla_t self:process { fork signal_perms setrlimit setsched getsched };
>
>+# Fonts, icons
> allow $1_mozilla_t usr_t:{ lnk_file file } { getattr read };
>+allow $1_mozilla_t $1_gnome_settings_t:dir { search getattr };
>+r_dir_file($1_mozilla_t, $1_gnome_data_t)
>+read_mime_types($1_mozilla_t, $1)
>+dontaudit $1_mozilla_t $1_fonts_cache_t:file unlink;
>+
>+# Access /proc
>+allow $1_mozilla_t proc_t:dir search;
>+allow $1_mozilla_t proc_t:file { getattr read };
>+allow $1_mozilla_t proc_t:lnk_file read;
>+
> allow $1_mozilla_t var_lib_t:file { getattr read };
> allow $1_mozilla_t { random_device_t urandom_device_t }:chr_file { getattr ioctl read };
> allow $1_mozilla_t self:socket create_socket_perms;
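Review bot: `dontaudit $1_mozilla_t $1_fonts_cache_t:file unlink;` only silences the denial; if fontconfig inside mozilla refreshes the cache by writing a new file and unlinking the old one, the cache under this type is never refreshed and nothing in the audit log will say why. Decide whether mozilla may rewrite $1_fonts_cache_t (rw plus create/unlink) or keep the dontaudit and document that the cache is maintained from the user's own domain. Minor: the `# Fonts, icons` comment now sits above the usr_t rule, which it does not describe.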
>@@ -66,8 +80,6 @@
> can_exec($1_mozilla_t, bin_t)
> allow $1_mozilla_t bin_t:lnk_file read;
> allow $1_mozilla_t device_t:dir r_dir_perms;
>-allow $1_mozilla_t proc_t:file { getattr read };
>-allow $1_mozilla_t proc_t:lnk_file read;
> allow $1_mozilla_t self:dir search;
> allow $1_mozilla_t self:lnk_file read;
> r_dir_file($1_mozilla_t, proc_net_t)
>@@ -81,47 +93,20 @@
> # interacting with gstreamer
> r_dir_file($1_mozilla_t, var_t)
>
>-# Write files to tmp
>-tmp_domain($1_mozilla)
>-
>-# Execute downloaded programs.
>-can_exec($1_mozilla_t, $1_mozilla_tmp_t)
>-
>-# Use printer
>-ifdef(`lpr.te', `
>-domain_auto_trans($1_mozilla_t, lpr_exec_t, $1_lpr_t)
>-
>-# Print document
>-allow $1_lpr_t $1_mozilla_tmp_t:file rw_file_perms;
>-
>-# Suppress history.fop denial
>-dontaudit $1_lpr_t $1_mozilla_home_t:file { read write };
>-
>-dontaudit $1_lpr_t $1_mozilla_t:tcp_socket { read write };
>-dontaudit $1_lpr_t $1_mozilla_t:unix_stream_socket { read write };
>-')
>-
> # ORBit sockets
> file_type_auto_trans($1_mozilla_t, $1_tmp_t, $1_mozilla_tmp_t)
> can_unix_connect($1_t, $1_mozilla_t)
> allow $1_t $1_mozilla_tmp_t:sock_file write;
>-allow $1_mozilla_t $1_tmp_t:file { read write lock };
>+allow $1_mozilla_t $1_tmp_t:file { getattr read write lock };
> allow $1_mozilla_t $1_tmp_t:sock_file { read write };
> dontaudit $1_mozilla_t $1_tmp_t:dir setattr;
>
>-# Allow mozilla to read user home content
>-if (mozilla_readhome || mozilla_writehome) {
>-r_dir_file($1_mozilla_t, $1_home_t)
>-} else {
>-dontaudit $1_mozilla_t $1_home_t:dir setattr;
>-dontaudit $1_mozilla_t $1_home_t:file setattr;
>-}
>+# Allow mozilla to create untrusted content
>+create_dir_file($1_mozilla_t, $1_untrusted_content_t)
>+file_type_auto_trans($1_mozilla_t, tmp_t, $1_untrusted_content_t)
>
>-if (mozilla_writehome) {
>-file_type_auto_trans($1_mozilla_t, $1_home_t, $1_mozilla_home_t)
>-allow $1_mozilla_t $1_home_t:dir setattr;
>-allow $1_mozilla_t $1_home_t:{ file lnk_file } rw_file_perms;
>-} dnl end if writehome
>+# Execute downloaded programs.
>+can_exec($1_mozilla_t, $1_untrusted_content_t)
>
> allow $1_mozilla_t $1_t:unix_stream_socket connectto;
> allow $1_mozilla_t sysctl_net_t:dir search;
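Review bot: `can_exec($1_mozilla_t, $1_untrusted_content_t)` lets the browser execute anything it has just downloaded, so the new type does not restrict execution of network content at all; the same rule existed for $1_mozilla_tmp_t, but now that there is a dedicated type this is the moment to put it behind a boolean or drop it. This hunk also removes the only uses of mozilla_readhome and mozilla_writehome; their declarations (not in this diff) should go as well, otherwise setsebool keeps offering switches that do nothing. Finally, `file_type_auto_trans($1_mozilla_t, tmp_t, $1_untrusted_content_t)` keys on the global tmp_t while the ORBit rule just above keys on $1_tmp_t; a comment on why the two differ would help the next reader.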
>@@ -135,8 +120,7 @@
> allow $1_mozilla_t mozilla_conf_t:file r_file_perms;
> dontaudit $1_mozilla_t port_type:tcp_socket name_bind;
> dontaudit $1_mozilla_t dri_device_t:chr_file rw_file_perms;
>-# Mozilla tries to delete .fonts.cache-1
>-dontaudit $1_mozilla_t $1_home_t:file unlink;
>+
> allow $1_mozilla_t self:sem create_sem_perms;
>
> # Java plugin
>@@ -144,16 +128,32 @@
> javaplugin_domain($1_mozilla, $1)
> ')
>
>+
>+# Use printer
>+ifdef(`lpr.te', `
>+domain_auto_trans($1_mozilla_t, lpr_exec_t, $1_lpr_t)
>+
>+# Print document
>+allow $1_lpr_t $1_untrusted_content_t:file rw_file_perms;
>+
>+# Suppress history.fop denial
>+dontaudit $1_lpr_t $1_mozilla_home_t:file { read write };
>+
>+dontaudit $1_lpr_t $1_mozilla_t:tcp_socket { read write };
>+dontaudit $1_lpr_t $1_mozilla_t:unix_stream_socket { read write };
>+')
>+
> # Mplayer plugin
> ifdef(`mplayer.te', `
> domain_auto_trans($1_mozilla_t, mplayer_exec_t, $1_mplayer_t)
>
> # Read mozilla content in /tmp
>-r_dir_file($1_mplayer_t, $1_mozilla_tmp_t);
>+r_dir_file($1_mplayer_t, $1_untrusted_content_t);
>
>-# FIXME: why does it need this?
>+# Suppress history.fop denial
> dontaudit $1_mplayer_t $1_mozilla_home_t:file write;
>-allow $1_mplayer_t $1_mozilla_t:unix_stream_socket { read write };
>+
>+dontaudit $1_mplayer_t $1_mozilla_t:unix_stream_socket { read write };
> ')dnl end if mplayer.te
>
> if (allow_execmem) {
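Review bot: `allow $1_mplayer_t $1_mozilla_t:unix_stream_socket { read write };` becomes a dontaudit, a behaviour change (the plugin loses the socket) that the changelog does not mention; if the plugin really does not need it, say so in the comment, otherwise keep the allow. In the lpr block, the cover note describes lpr as getting read access to the untrusted type, but `rw_file_perms` also grants write; r_file_perms is enough to print a document.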
>@@ -162,6 +162,7 @@
> if (allow_execmod) {
> allow $1_mozilla_t texrel_shlib_t:file execmod;
> }
>+
> dbusd_client(system, $1_mozilla)
> ifdef(`apache.te', `
> ifelse($1, sysadm, `', `
>diff -aru policy.old/macros/program/x_client_macros.te policy/macros/program/x_client_macros.te
>--- policy.old/macros/program/x_client_macros.te 2005-04-14 20:55:18.000000000 -0400
>+++ policy/macros/program/x_client_macros.te 2005-04-14 20:55:51.000000000 -0400
>@@ -74,7 +74,7 @@
> allow $1_t self:shm create_shm_perms;
>
> # allow X client to read all font files
>-r_dir_file($1_t, fonts_t)
>+read_fonts($1_t, $2)
>
> # Allow connections to X server.
> ifdef(`xserver.te', `
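Review bot: `read_fonts($1_t, $2)` makes every caller of x_client_domain responsible for passing the role prefix as the second argument; the mozilla call `x_client_domain($1_mozilla, $1)` does, but any single-argument caller elsewhere in the tree will expand `$2_fonts_t` to `_fonts_t` and fail to compile. Please check the other callers (not in this diff).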
>diff -aru policy.old/macros/program/xserver_macros.te policy/macros/program/xserver_macros.te
>--- policy.old/macros/program/xserver_macros.te 2005-04-14 21:15:36.000000000 -0400
>+++ policy/macros/program/xserver_macros.te 2005-04-14 21:18:01.000000000 -0400
>@@ -77,6 +77,9 @@
> allow xdm_xserver_t init_t:fd use;
>
> dontaudit xdm_xserver_t home_dir_type:dir { read search };
>+
>+# for fonts
>+r_dir_file($1_xserver_t, fonts_t)
> ', `
> # The user role is authorized for this domain.
> role $1_r types $1_xserver_t;
>@@ -93,9 +96,7 @@
> # Access the home directory.
> allow $1_xserver_t home_root_t:dir search;
> allow $1_xserver_t $1_home_dir_t:dir { getattr search };
>-if (allow_xserver_home_fonts) {
>-r_dir_file($1_xserver_t, $1_home_t)
>-}
>+read_fonts($1_xserver_t, $1)
> ifdef(`xauth.te', `
> domain_auto_trans($1_xserver_t, xauth_exec_t, $1_xauth_t)
> allow $1_xserver_t $1_xauth_home_t:file { getattr read };
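Review bot: replacing the `if (allow_xserver_home_fonts) { ... }` block with an unconditional read_fonts($1_xserver_t, $1) leaves the boolean declared but unused (its declaration is not in this diff) and takes away the admin's switch; keeping the `if` around read_fonts preserves it, and the scope is already narrower than the old $1_home_t read.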
>@@ -261,8 +262,6 @@
> allow $1_xserver_t var_lib_t:dir search;
> rw_dir_create_file($1_xserver_t, xkb_var_lib_t)
>
>-# for fonts
>-r_dir_file($1_xserver_t, fonts_t)
> ')dnl end macro definition
>
> ', `
>diff -aru policy.old/macros/user_macros.te policy/macros/user_macros.te
>--- policy.old/macros/user_macros.te 2005-04-12 12:23:06.000000000 -0400
>+++ policy/macros/user_macros.te 2005-04-15 03:16:24.000000000 -0400
>@@ -21,6 +21,11 @@
> type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type;
> type $1_home_t, file_type, sysadmfile, home_type, user_home_type, $1_file_type;
>
>+# Type for network content.
>+type $1_untrusted_content_t, file_type, $1_file_type, sysadmfile, customizable;
>+create_dir_file($1_t, $1_untrusted_content_t)
>+allow $1_t $1_untrusted_content_t:{ dir file } { relabelto relabelfrom };
>+
> tmp_domain($1, `, user_tmpfile, $1_file_type', `{ file lnk_file dir sock_file fifo_file }')
>
> base_user_domain($1)
>
>
Before I apply this patch, have you tried this on a newly added user? Attempt to add a user, log in as that user and try your different apps? Does it work? Do the directories get created with the correct context? The more customization of the user's home directory, the more things can go wrong.
Dan
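Dan's suggestion to log in as a fresh user and check which context each directory gets can be dry-run against the file_contexts lines before the policy is loaded. The following is an added example, not part of the thread or of the policy sources: a small matcher that applies the gnome.fc and mailcap.fc lines quoted above under setfiles' rules as I understand them (whole-path match, `--`/`-d` qualifiers, last matching line wins) to constructed sample paths. The catch-all `HOME_DIR/.+` line and the plain-text substitution of HOME_DIR and ROLE are simplifications of the real homedir template processing and are assumptions.

```python
import re

# Constructed sample input: the home-directory lines from the gnome.fc and
# mailcap.fc hunks in the patch, plus a catch-all for the rest of the home
# directory (simplified from the policy's homedir template; an assumption).
SAMPLE_FC = r"""
HOME_DIR/.+ system_u:object_r:ROLE_home_t
HOME_DIR/\.gconf(/.*)? system_u:object_r:ROLE_gnome_settings_t
HOME_DIR/\.gnome(2)?(/.*)? system_u:object_r:ROLE_gnome_settings_t
HOME_DIR/\.gnome(2)?_private?(/.*)? system_u:object_r:ROLE_gnome_settings_t
HOME_DIR/\.local(/.*)? system_u:object_r:ROLE_gnome_data_t
HOME_DIR/\.themes(/.*)? system_u:object_r:ROLE_gnome_data_t
HOME_DIR/\.icons(/.*)? system_u:object_r:ROLE_gnome_data_t
HOME_DIR/\.thumbnails(/.*)? system_u:object_r:ROLE_gnome_data_t
HOME_DIR/\.mailcap -- system_u:object_r:ROLE_mime_types_t
HOME_DIR/\.mime\.types -- system_u:object_r:ROLE_mime_types_t
"""

# File-type qualifiers as setfiles understands them.
KIND_OF_QUALIFIER = {"--": "file", "-d": "dir", "-l": "lnk_file", "-s": "sock_file",
                     "-p": "fifo_file", "-c": "chr_file", "-b": "blk_file"}


def parse_file_contexts(text):
    """Return a list of (regex, kind_or_None, context) in file order."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, qualifier, context = fields
            kind = KIND_OF_QUALIFIER[qualifier]
        elif len(fields) == 2:
            regex, context = fields
            kind = None  # no qualifier: any object kind
        else:
            raise ValueError(f"malformed file_contexts line: {line!r}")
        specs.append((regex, kind, context))
    return specs


def instantiate(regex, home, role):
    # HOME_DIR is a literal path, ROLE a role prefix; both are substituted as text.
    return regex.replace("HOME_DIR", re.escape(home)).replace("ROLE", role)


def match_context(specs, path, kind, home="/home/alice", role="user"):
    """Label one path the way setfiles does: the regex must match the whole
    path, the qualifier (if any) must match the object kind, and when several
    lines match, the LAST one in the file wins."""
    for regex, spec_kind, context in reversed(specs):
        if spec_kind is not None and spec_kind != kind:
            continue
        if re.fullmatch(instantiate(regex, home, role), path):
            return context.replace("ROLE", role)
    return None  # nothing matched; the parent tree's default would apply


def label_samples():
    """Label a handful of constructed paths under /home/alice for role 'user'."""
    specs = parse_file_contexts(SAMPLE_FC)
    home = "/home/alice"
    samples = [
        (f"{home}/.gnome2/accels", "file"),
        (f"{home}/.gnome2_private", "dir"),
        (f"{home}/.gnome_privat", "dir"),        # the stray '?' makes the 'e' optional
        (f"{home}/.thumbnails/normal/a.png", "file"),
        (f"{home}/.mailcap", "file"),
        (f"{home}/.mailcap", "dir"),             # '--' qualifier: regular files only
        (f"{home}/.gnome2/epiphany/x", "file"),  # no longer a mozilla type after the patch
    ]
    return {(path, kind): match_context(specs, path, kind, home) for path, kind in samples}


if __name__ == "__main__":
    for (path, kind), ctx in label_samples().items():
        print(f"{path} ({kind}) -> {ctx}")
```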
On Thursday 14 April 2005 12:31, Ivan Gyurdiev <ivg2@cornell.edu> wrote:
> Parts of this patch are rather controversial and might break things.
> Please comment if anything needs to be changed.
>
> Changelog:
> ==========
>
> 1) Introduces new type - ROLE_untrusted_content_t.
> This will be the "downloads" folder type that I proposed earlier.
> I started a discussion on the Gnome Usability list about further
> separation, but so far it doesn't seem to be making progress.
This is a difficult area that requires a lot of thought and work if we are to
have a chance to get it right. Let's leave this until after we get some of
the base stuff done.
> 2) Introduce new types for gnome - ROLE_gnome_settings_t, and
> ROLE_gnome_data_t. This looks to me like too low level of granularity
> for labeling, but I didn't know what would be appropriate - at
> least it seems better than the existing types (ROLE_home_t, and
> ROLE_mozilla_home_t (why mozilla for .gconf?))
Mozilla wants read/write access to .gconf as well as processes in ROLE_t,
and using a mozilla type grants such access. It's an ugly hack and doesn't
really work well (think ROLE_games_t and GNOME games).
> Those types are used
> for .gnome, .gnome2, .gnome_private, .gnome2_private, .gconf,
> .local, .thumbnails, .themes, .icons,
>
> and are fully accessible from ROLE_t. However, now applications
> can be granted access to this particular type, rather than
> ROLE_home_t, or ROLE_mozilla_home_t.
I think that first we should get a separate domain for gconf. If gconf is to
become a trusted object manager as I recall Colin has suggested then it will
address some of the issues related to this. You have:
create_dir_file(ROLE_t, ROLE_gnome_settings_t)
allow ROLE_mozilla_t ROLE_gnome_settings_t:dir { search getattr };
Mozilla will desire read/write access to the .gconf directory and it's files
so the only solution is something like:
domain_auto_trans({ ROLE_t ROLE_mozilla_t }, gconfd_exec_t, ROLE_gconfd_t)
This assumes that gconf will do the right things.
> 3) Introduce new type for .fonts.cache-1 - ROLE_font_cache_t.
> Change dontaudit for gift and mozilla to allow reading this file.
It's my observation that the common practice for font cache files is to often
create new files and unlink the old one - thus losing a specific type
assigned to it. Maybe we could put SE Linux code into the programs that use
this file, but it's ugly.
> 4) Miscellaneous fix: Allow load_policy to read /proc/filesystems,
> or else it just refuses to load in enforcing mode.
Best to put it in can_loadpol().
> 6) Grant the user the ability to relabel to/from directories of type
> ROLE_home_t. Why not?
It's already in macros/base_user_macros.te .
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
On Sun, Apr 17, 2005 at 11:46:34PM +1000, Russell Coker wrote:
> Mozilla will desire read/write access to the .gconf directory and it's files
not under circumstances where it's built with kde support, it won't.
l.
On Monday 18 April 2005 09:33, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> On Sun, Apr 17, 2005 at 11:46:34PM +1000, Russell Coker wrote:
> > Mozilla will desire read/write access to the .gconf directory and it's
> > files
>
> not under circumstances where it's built with kde support, it won't.
If we were somehow able to get everyone to build Mozilla with KDE support then
it would merely defer the issue until we find the next gconf application.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
I've been busy with school, and no time to work on this -
filed bugs to keep track of things:
Here's new patch version, with policy attempt for GConf:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=155800
Here are related problems. I am very interested in the solution
for the first one, at least.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=155799
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=155798
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=155796
>> 1) Introduces new type - ROLE_untrusted_content_t.
>> This will be the "downloads" folder type that I proposed earlier.
>> I started a discussion on the Gnome Usability list about further
>> separation, but so far it doesn't seem to be making progress.
> This is a difficult area that requires a lot of thought and work if we are to
> have a chance to get it right. Let's leave this until after we get some of
> the base stuff done.
Can you list some of the things that need to be done?
I thought it would be sufficient to create a default downloads folder
for the user that is sufficiently visible (integrated w/ desktop
environments)
--
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University