SELinux Mailing List

Re: Patch to make can_network stronger and remove nscd tunable.

From: Daniel J Walsh <dwalsh_at_redhat.com>
Date: Wed, 03 Nov 2004 11:23:38 -0500


Russell Coker wrote:

>On Wednesday 03 November 2004 02:56, Daniel J Walsh <dwalsh@redhat.com> wrote:
>
>
>>Updated with Russell's "daemon" change and other fixes.
>>
>>How does this look?
>>
>>
>
>+can_network($1_login_t)
>+allow $1_login_t self:{ tcp_socket udp_socket } connect;
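
Review bot: `can_network($1_login_t)` and the `connect` rule on `{ tcp_socket udp_socket }` are granted unconditionally to every `$1_login_t` domain this macro instantiates, and nothing in the hunk says which login path needs them. Suggest guarding both lines with a boolean, or moving the connect rule into the macro for the service that actually needs it (can_ypbind is the candidate named in this thread), and adding a comment naming the PAM modules that require the access.
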
>
>local_login_t does not need network access unless you use NIS or similar.
>can_ypbind() may be appropriate, but no other rules for network access for
>$1_login_t.
>
>Your patch is allowing many domains access to { tcp_socket udp_socket }
>connect which have no need for network connections other than ypbind. It's
>probably best to just add this to can_ypbind and not add it to ANY daemon
>policy except for daemons which obviously need it. Otherwise this change
>will make the policy weaker overall by explicitly adding permissions where
>they are not needed. If we don't have the time to do this properly right now
>then we should leave can_network as it is until we have more time to work on
>it.
>
>
>

Not true. pam_kerberos, pam_ldap require network access. login already has
can_ypbind, which used to be turned on by default. Now there is a boolean to
turn it off, and it is off by default, because it gives too many privs. The
problem is that these other protocols are also allowed/required. So this
policy is actually tighter since the allow_ypbind is now off.

>Probably the best thing to do is to merge a patch that doesn't allow such
>access to any daemon apart from the most obvious cases (EG allowing a mail
>server to make TCP connections). Things will work for the binary policy in
>Fedora as NIS support is enabled. Then we can spend the next couple of
>months testing out all the daemons and submitting patches for exactly the
>connection access that is required.
>
>
>+mount_domain(sysadm, mount, `, fs_domain, nscd_client_domain')
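
Review bot: `nscd_client_domain` is added to the attribute list of `mount_domain(sysadm, mount, ...)` with no comment explaining what mount needs from nscd. Suggest a one-line comment stating the reason (for example name lookups during NFS mounts, if that is the case), or dropping the attribute until a denial shows it is required.
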
>
>What does mount do that requires nscd access?
>
>
>

NFS Mounts probably.

>Why does user_ssh_t require kill capability?
>
>Does dhcpc_t require TCP connection access when there is no NIS?
>
>
>

Not sure.

>Does innd_t require UDP connection access when there is no NIS?
>
>
>
>

Probably not.

>sys_tty_config capability is another thing that should go into
>daemon_base_domain(), but as a dontaudit.
>
>
>

Ok.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Received on Wed 3 Nov 2004 - 11:23:59 EST
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009

 

National Security Agency / Central Security Service