
From: Daniel J Walsh <dwalsh_at_redhat.com>
Date: Mon, 20 Feb 2006 17:19:34 -0500


Fixing problems for strict policy

$1_su_t needs to transition to $1_xauth_t

Stop locate audits on mls machines

pam_console needs to setattr/getattr dri_device_t

cron.if has a cut and paste error

crond wants to read postfix_etc_t

initrc wants to write to cups_log_t

spamd needs to search user_home_dir_t

ssh_agent wants to connect to its own unix_stream_socket

Want to allow mount_t to mount on users home dirs

Fixed up semodule policy; although matchpathcon does not seem to be returning the correct labels

strict policy fixes for userdomain.
must get netstat, ifconfig, rpm -q working

diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-2.2.17/policy/modules/admin/su.if

--- nsaserefpolicy/policy/modules/admin/su.if	2006-02-14 07:20:23.000000000 -0500
+++ serefpolicy-2.2.17/policy/modules/admin/su.if	2006-02-20 16:22:06.000000000 -0500
@@ -220,6 +220,14 @@
 		nscd_socket_use($1_su_t)
 	')
 

+ # Modify .Xauthority file (via xauth program).
+ optional_policy(`xserver',`
+# file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
+# file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file)
+# file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file)
+ xserver_domtrans_user_xauth($1, $1_su_t)
+ ')
+
 ifdef(`TODO',`
 # Caused by su - init scripts
 dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
@@ -235,17 +243,6 @@
 dontaudit $1_su_t home_dir_type:dir { search write };
 ')
- # Modify .Xauthority file (via xauth program).
- ifdef(`xauth.te', `
- file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
- file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file)
- file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file)
- domain_auto_trans($1_su_t, xauth_exec_t, $1_xauth_t)
- ')
-
- ifdef(`cyrus.te', `
- allow $1_su_t cyrus_var_lib_t:dir search;
- ')
 ifdef(`ssh.te', `
 # Access sshd cookie files.
 allow $1_su_t sshd_tmp_t:file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-2.2.17/policy/modules/apps/slocate.te
--- nsaserefpolicy/policy/modules/apps/slocate.te 2006-01-25 15:58:58.000000000 -0500
+++ serefpolicy-2.2.17/policy/modules/apps/slocate.te 2006-02-20 16:22:06.000000000 -0500
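Review bot: The three `# file_type_auto_trans(...)` lines inside the new optional_policy(`xserver') block are commented-out code rather than an explanation; either drop them or replace them with a comment stating that the .Xauthority file transitions are now supplied by `xserver_domtrans_user_xauth`, if that is the case (not verifiable from this hunk). The second hunk also removes the `ifdef(`cyrus.te'` block that granted `$1_su_t cyrus_var_lib_t:dir search` without an optional_policy(`cyrus') replacement and without a mention in the description, so a one-line note in the commit message would keep that loss traceable. The enclosing su template begins and ends outside both hunks.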
@@ -36,6 +36,8 @@  

 files_list_all(locate_t)
 files_getattr_all_files(locate_t)
+# mls Higher level directories will be refused, so dontaudit

+files_dontaudit_getattr_all_dirs(locate_t)
 files_read_etc_runtime_files(locate_t)
 files_read_etc_files(locate_t)
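Review bot: `files_dontaudit_getattr_all_dirs(locate_t)` is unconditional while the comment above it justifies it only for MLS, so on a non-MLS build it also suppresses every getattr denial locate_t hits on any directory type, which removes a useful audit signal for a tool that walks the whole filesystem. If the build passes the MLS setting through to policy as `ifdef(`enable_mls',` (used elsewhere in refpolicy, not visible in this hunk), wrapping the call in it keeps the dontaudit to the case the comment describes; otherwise reword the comment so it does not claim MLS-only scope. Either way the comment reads better as `# MLS: getattr on higher-level directories is denied, so dontaudit the resulting noise`.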
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-2.2.17/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if	2006-02-20 14:07:36.000000000 -0500
+++ serefpolicy-2.2.17/policy/modules/kernel/devices.if	2006-02-20 16:22:06.000000000 -0500
@@ -1115,6 +1115,45 @@  
 ########################################
 ## <summary>
+##	Setattr the dri devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_dri_dev',`

+ gen_require(`
+ type device_t, dri_device_t;
+ ')
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 dri_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+## getattr the dri devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_dri_dev',`
+ gen_require(`
+ type device_t, dri_device_t;
+ ')
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 dri_device_t:chr_file getattr;
+')
+
+
+########################################
+## <summary>
 ## Read input event devices (/dev/input).
 ## </summary>
 ## <param name="domain">
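Review bot: The two new summaries are inconsistent (`Setattr the dri devices.` versus `getattr the dri devices.`) and use the permission name as a verb, unlike the `Read input event devices` summary that follows; `##	Set the attributes of the DRI device nodes.` and `##	Get the attributes of the DRI device nodes.` would match the file. `dev_setattr_dri_dev` lets the caller change mode and ownership of those nodes, so a one-line note on the intended caller (the description names pam_console) would help later reviewers judge new users of the interface. Both interfaces sit entirely inside the hunk.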
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-2.2.17/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if	2006-02-20 14:07:37.000000000 -0500
+++ serefpolicy-2.2.17/policy/modules/services/cron.if	2006-02-20 16:22:06.000000000 -0500
@@ -544,7 +544,7 @@
 		type system_crond_t;
 	')
 
-	allow $1 system_crond_t:file rw_file_perms;

+ allow $1 system_crond_t:fifo_file rw_file_perms;
 ')  
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.2.17/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te	2006-02-20 14:07:37.000000000 -0500
+++ serefpolicy-2.2.17/policy/modules/services/cron.te	2006-02-20 16:22:06.000000000 -0500
@@ -398,6 +398,10 @@
 		prelink_delete_cache(system_crond_t)
 	')
 

+ optional_policy(`postfix',`
+ postfix_read_config(system_crond_t)
+ ')
+
 optional_policy(`samba',`
 samba_read_config(system_crond_t)
 samba_read_log(system_crond_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-2.2.17/policy/modules/services/cups.if
--- nsaserefpolicy/policy/modules/services/cups.if 2006-02-10 21:34:13.000000000 -0500
+++ serefpolicy-2.2.17/policy/modules/services/cups.if 2006-02-20 16:22:06.000000000 -0500
@@ -169,6 +169,25 @@  
 ########################################
 ## <summary>
+##	write cups log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cups_write_log',`

+ gen_require(`
+ type cupsd_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 cupsd_log_t:file write;
+')
+
+########################################
+## <summary>
 ## Connect to ptal over an unix domain stream socket.
 ## </summary>
 ## <param name="domain">
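Review bot: `cups_write_log` grants `cupsd_log_t:file write` alone; most writers stat the file before opening it and the sibling log interfaces in refpolicy pair the two, so `allow $1 cupsd_log_t:file { getattr write };` is the safer minimum. If the initrc use case from the description only appends to the log, `append` in place of `write` stops callers from truncating or rewriting existing entries, which is worth confirming against how the init script opens the file. The summary should be capitalised and name what it covers: `##	Write to the CUPS log files.`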
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-2.2.17/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te	2006-02-20 14:07:37.000000000 -0500
+++ serefpolicy-2.2.17/policy/modules/services/spamassassin.te	2006-02-20 16:22:06.000000000 -0500
@@ -124,6 +124,7 @@
 	term_dontaudit_use_generic_ptys(spamd_t)
 	files_dontaudit_read_root_files(spamd_t)
 	tunable_policy(`spamd_enable_home_dirs',`

+ userdom_search_unpriv_user_home_dirs(spamd_t)
userdom_manage_generic_user_home_dirs(spamd_t)
 userdom_manage_generic_user_home_files(spamd_t)
 userdom_manage_generic_user_home_symlinks(spamd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-2.2.17/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2006-02-16 09:05:14.000000000 -0500
+++ serefpolicy-2.2.17/policy/modules/services/ssh.if 2006-02-20 16:22:06.000000000 -0500
@@ -279,6 +279,8 @@  

         allow $1_ssh_agent_t { $1_ssh_agent_t $2 }:process signull;  

+ allow $1_ssh_agent_t $1_ssh_agent_t:unix_stream_socket { connectto rw_socket_perms };
+

         allow $1_ssh_t $1_ssh_agent_t:unix_stream_socket connectto;  

         # for ssh-add
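Review bot: `allow $1_ssh_agent_t $1_ssh_agent_t:unix_stream_socket { connectto rw_socket_perms };` names the domain as its own target; the refpolicy idiom for that is `self`, i.e. `allow $1_ssh_agent_t self:unix_stream_socket { connectto rw_socket_perms };`, which also reads as the intended "agent connects to its own socket" rule from the description. Whether the agent already holds the create/bind side of that socket is not visible here. The enclosing template starts and ends outside the hunk.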
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.2.17/policy/modules/system/authlogin.te

--- nsaserefpolicy/policy/modules/system/authlogin.te	2006-02-03 08:55:55.000000000 -0500
+++ serefpolicy-2.2.17/policy/modules/system/authlogin.te	2006-02-20 16:22:06.000000000 -0500
@@ -153,6 +153,8 @@
 dev_read_sysfs(pam_console_t)
 dev_getattr_apm_bios_dev(pam_console_t)
 dev_setattr_apm_bios_dev(pam_console_t)
+dev_getattr_dri_dev(pam_console_t)
+dev_setattr_dri_dev(pam_console_t)
 dev_getattr_framebuffer_dev(pam_console_t)
 dev_setattr_framebuffer_dev(pam_console_t)
 dev_getattr_misc_dev(pam_console_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.2.17/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te	2006-02-14 07:20:31.000000000 -0500
+++ serefpolicy-2.2.17/policy/modules/system/mount.te	2006-02-20 16:22:06.000000000 -0500
@@ -137,6 +137,8 @@
 	samba_domtrans_smbmount(mount_t)

 ')  

+userdom_mounton_generic_user_home_dir(mount_t)
+
 ifdef(`TODO',`
# TODO: Need to examine this further. Not sure how to handle this
 #type sysadm_mount_source_t, file_type, sysadmfile, $1_file_type;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-2.2.17/policy/modules/system/selinuxutil.fc

--- nsaserefpolicy/policy/modules/system/selinuxutil.fc	2006-01-09 11:32:54.000000000 -0500
+++ serefpolicy-2.2.17/policy/modules/system/selinuxutil.fc	2006-02-20 17:04:24.000000000 -0500
@@ -39,3 +39,10 @@
 ifdef(`distro_debian', `
 /usr/share/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0)
 ')
+
+/usr/sbin/semodule		--	gen_context(system_u:object_r:semodule_exec_t,s0)
+
+/etc/selinux([^/]*/)?modules    -d	gen_context(system_u:object_r:selinux_config_t,s0)
+/etc/selinux([^/]*/)?modules/(active|tmp|previous)(/.*)?     --	gen_context(system_u:object_r:semodule_store_t,s0)
+/etc/selinux([^/]*/)?modules/semanage.read.LOCK    --	gen_context(system_u:object_r:semodule_read_lock_t,s0)
+/etc/selinux([^/]*/)?modules/semanage.trans.LOCK   --	gen_context(system_u:object_r:semodule_trans_lock_t,s0)
\ No newline at end of file
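Review bot: The `/etc/selinux([^/]*/)?modules/(active|tmp|previous)(/.*)?` entry is restricted to regular files (`--`), so the `active`, `tmp` and `previous` directories themselves, and any subdirectories, are never labelled semodule_store_t by setfiles or restorecon and instead fall back to the broader `/etc/selinux` pattern (selinux_config_t, judging by the `-d` line above), while the new `seutil_manage_module_store_files` interface expects semodule_store_t directories and only obtains them through a type_transition at creation time. That mismatch between on-disk labels and relabel results is a plausible cause of the matchpathcon behaviour the description mentions; dropping the `--` so the line matches all file types resolves it: `/etc/selinux([^/]*/)?modules/(active|tmp|previous)(/.*)?	gen_context(system_u:object_r:semodule_store_t,s0)`. The dots in `semanage.read.LOCK` and `semanage.trans.LOCK` are unescaped regex metacharacters (`\.` is the convention in fc files), and the file now ends without a trailing newline.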
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-2.2.17/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if	2006-02-16 14:46:56.000000000 -0500
+++ serefpolicy-2.2.17/policy/modules/system/selinuxutil.if	2006-02-20 17:01:53.000000000 -0500
@@ -705,3 +705,90 @@
 	allow $1 policy_src_t:dir create_dir_perms;
 	allow $1 policy_src_t:file create_file_perms;
 ')
+
+########################################
+## <summary>
+##	Execute a domain transition to run semodule.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`semodule_domtrans',`

+ gen_require(`
+ type semodule_t, semodule_exec_t;
+ ')
+ files_search_usr($1)
+ corecmd_search_bin($1)
+
+ domain_auto_trans($1,semodule_exec_t,semodule_t)
+
+ allow $1 semodule_t:fd use;
+ allow semodule_t $1:fd use;
+ allow semodule_t $1:fifo_file rw_file_perms;
+ allow semodule_t $1:process sigchld;
+')
+
+
+
+########################################
+## <summary>
+## Create, read, write, and delete files in
+## /etc/selinux/*/modules/*
+## such as mtab.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_manage_module_store_files',`
+ gen_require(`
+ type semodule_store_t;
+ ')
+
+ allow $1 semodule_store_t:dir rw_dir_perms;
+ allow $1 semodule_store_t:file create_file_perms;
+ type_transition $1 selinux_config_t:dir semodule_store_t;
+') + + +####################################### +## <summary> +## Get read lock on module store +## </summary> +## <param name="domain"> +## <summary> +## The type of the process performing this action. +## </summary> +## </param> +# +interface(`seutil_module_get_read_lock',`
+ gen_require(`
+ type semodule_read_lock_t;
+ ')
+
+ allow $1 semodule_read_lock_t:file rw_file_perms;
+')
+
+#######################################
+## <summary>
+## Get trans lock on module store
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`seutil_module_get_trans_lock',`
+ gen_require(`
+ type semodule_trans_lock_t;
+ ')
+
+ allow $1 semodule_trans_lock_t:file rw_file_perms;
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.2.17/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2006-02-16 14:46:56.000000000 -0500
+++ serefpolicy-2.2.17/policy/modules/system/selinuxutil.te 2006-02-20 17:08:53.000000000 -0500
@@ -526,12 +526,74 @@
 miscfiles_read_localization(setfiles_t)
+seutil_module_get_trans_lock(setfiles_t)
+seutil_module_get_read_lock(setfiles_t)
+
 userdom_use_all_users_fd(setfiles_t)
 # for config files in a home directory
 userdom_read_all_user_files(setfiles_t)
-ifdef(`TODO',`
-# for upgrading glibc and other shared objects - without this the upgrade
-# scripts will put things in a state such that setfiles can not be run!
-allow setfiles_t lib_t:file { read execute };
-') dnl endif TODO
+########################################
+#
+# Declarations
+#
+
+type semodule_t;
+domain_type(semodule_t)
+
+type semodule_exec_t;
+domain_entry_file(semodule_t, semodule_exec_t)
+role system_r types semodule_t;
+
+type semodule_store_t;
+files_type(semodule_store_t)
+
+type semodule_read_lock_t;
+files_type(semodule_read_lock_t)
+
+type semodule_trans_lock_t;
+files_type(semodule_trans_lock_t)
+
+term_use_all_terms(semodule_t)
+allow semodule_t policy_config_t:file { read write };
+
+########################################
+#
+# semodule local policy
+#
+corecmd_exec_bin(semodule_t)
+corecmd_exec_sbin(semodule_t)
+
+files_read_etc_files(semodule_t)
+files_search_etc(semodule_t)
+files_list_usr(semodule_t)
+files_list_pids(semodule_t)
+files_read_usr_files(semodule_t)
+
+kernel_read_system_state(semodule_t)
+kernel_read_kernel_sysctls(semodule_t)
+
+libs_use_ld_so(semodule_t)
+libs_use_shared_libs(semodule_t)
+libs_use_lib_files(semodule_t)
+
+mls_file_write_down(semodule_t)
+mls_rangetrans_target(semodule_t)
+
+optional_policy(`selinux', `
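Review bot: The summary of `seutil_manage_module_store_files` ends with `such as mtab.`, a leftover from the files_* interface text it was copied from; replace the three summary lines with `##	Create, read, write, and delete files in the` / `##	policy module store (/etc/selinux/*/modules/*).` `semodule_domtrans` also breaks this file's prefix convention, since every other interface here is `seutil_*` and refpolicy keys interfaces on the module prefix, so `seutil_domtrans_semodule` is the expected name. The store interface grants `semodule_store_t:dir rw_dir_perms`, which contains no create, rename or rmdir; if semodule rotates the `tmp`/`active`/`previous` directories by renaming them (not visible here) those operations will be denied and `create_dir_perms` is the set that would cover them, so this is worth confirming against the tool.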
+ selinux_get_enforce_mode(semodule_t)
+')
+
+seutil_search_default_contexts(semodule_t)
+seutil_rw_file_contexts(semodule_t)
+seutil_domtrans_setfiles(semodule_t)
+seutil_domtrans_loadpolicy(semodule_t)
+seutil_read_config(semodule_t)
+seutil_manage_bin_policy(semodule_t)
+seutil_use_newrole_fd(semodule_t)
+
+allow semodule_t self:unix_stream_socket create_stream_socket_perms;
+
+seutil_manage_module_store_files(semodule_t)
+seutil_module_get_trans_lock(semodule_t)
+seutil_module_get_read_lock(semodule_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.2.17/policy/modules/system/userdomain.if
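Review bot: `term_use_all_terms(semodule_t)` and `allow semodule_t policy_config_t:file { read write };` sit under the `Declarations` banner, which this file reserves for type and role declarations; they belong below the `semodule local policy` banner with the other access rules. The `policy_config_t` write also deserves a why-comment, because together with `seutil_domtrans_loadpolicy` and `seutil_manage_bin_policy` it makes semodule_t a policy-modifying domain reachable from secadm_t, e.g. `# semodule rewrites the binary policy in the store before invoking load_policy`, if that is what triggers it (not verifiable here). `optional_policy(`selinux', `` has a space after the comma unlike every other `optional_policy(`x',`` call in the patch. The hunk runs to end of file, so nothing after it is visible.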
--- nsaserefpolicy/policy/modules/system/userdomain.if	2006-02-20 14:07:38.000000000 -0500
+++ serefpolicy-2.2.17/policy/modules/system/userdomain.if	2006-02-20 16:22:06.000000000 -0500
@@ -145,6 +145,7 @@
 	allow $1_t unpriv_userdomain:fd use;
 
 	kernel_read_kernel_sysctls($1_t)

+ kernel_read_net_sysctls($1_t)
kernel_dontaudit_list_unlabeled($1_t)
 kernel_dontaudit_getattr_unlabeled_files($1_t)
 kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
@@ -414,6 +415,8 @@
 optional_policy(`rpm',`
 files_getattr_var_lib_dirs($1_t)
 files_search_var_lib($1_t)
+ rpm_read_db($1_t)
+ rpm_dontaudit_manage_db($1_t)
')
 optional_policy(`samba',`
@@ -4423,3 +4426,24 @@
 allow $1 user_home_dir_t:dir create_dir_perms;
 files_filetrans_home($1,user_home_dir_t)
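Review bot: `rpm_dontaudit_manage_db($1_t)` is added to every user domain instantiated through this template with no comment on which `rpm -q` code path tries to write the database; because a dontaudit removes the denial from the audit log for all users, it should carry its reason, e.g. `# rpm -q opens the db read-write first; hide the expected denial`, if that is what was observed (hedged, not verifiable here). The enclosing template begins outside the hunk.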
 ')
+
+
+########################################
+## <summary>
+##	mounton generic user home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_mounton_generic_user_home_dir',`

+ gen_require(`
+ attribute user_home_dir_type, user_home_type;
+ ')
+
+ allow $1 user_home_dir_type:dir mounton;
+ allow $1 user_home_type:dir mounton;
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.17/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2006-02-16 14:46:56.000000000 -0500
+++ serefpolicy-2.2.17/policy/modules/system/userdomain.te 2006-02-20 16:22:06.000000000 -0500
@@ -358,6 +358,8 @@
 seutil_run_checkpolicy(secadm_t,secadm_r,admin_terminal)
 seutil_run_loadpolicy(secadm_t,secadm_r,admin_terminal)
 seutil_run_setfiles(secadm_t,secadm_r,admin_terminal)
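Review bot: `userdom_mounton_generic_user_home_dir` is named for the generic home directory but grants `mounton` on the `user_home_dir_type` and `user_home_type` attributes, i.e. the home directories and every home-content type of every user role, which is wider than the generic user_home_dir_t/user_home_t pair that the `generic` naming elsewhere in this file suggests. Either rename it to reflect the attribute scope or narrow it to the generic types: `type user_home_dir_t, user_home_t;` in the gen_require, then `allow $1 user_home_dir_t:dir mounton;` and `allow $1 user_home_t:dir mounton;`. The only caller, `mount_t` in the mount.te hunk, is unconditional, so whichever scope is chosen is live policy. The summary should also read `##	Mount on generic user home directories.`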
+ semodule_domtrans(secadm_t)
+ role secadm_r types semodule_t;
seutil_run_restorecon(secadm_t,secadm_r,admin_terminal)
 ', `
 selinux_set_enforce_mode(sysadm_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-2.2.17/support/Makefile.devel
--- nsaserefpolicy/support/Makefile.devel 2006-02-16 16:42:39.000000000 -0500
+++ serefpolicy-2.2.17/support/Makefile.devel 2006-02-20 16:22:06.000000000 -0500
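Review bot: `semodule_domtrans(secadm_t)` followed by a raw `role secadm_r types semodule_t;` differs from the neighbouring calls, which use `seutil_run_*(secadm_t,secadm_r,admin_terminal)` run interfaces that bundle the role authorization and terminal access; a `seutil_run_semodule` wrapper in selinuxutil.if (proposed name, not yet defined) would keep the role statement out of userdomain.te and grant semodule_t its terminal in one place instead of via term_use_all_terms. Only the secadm branch gains the transition here; the `', `` else branch for sysadm_t starts inside the hunk and nothing is added to it, so if sysadm_t is expected to run semodule on builds without a separate secadm role that branch needs the same call — the enclosing ifdef begins outside the hunk.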
@@ -1,3 +1,6 @@
+# installation paths
+SHAREDIR := $(PREFIX)/share/selinux
+HEADERDIR := $(SHAREDIR)/refpolicy/include
 

 include $(HEADERDIR)/build.conf  
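Review bot: `SHAREDIR := $(PREFIX)/share/selinux` is expanded immediately, so if nothing earlier in Makefile.devel or the environment sets PREFIX (not visible in this hunk) the path collapses to `/share/selinux` and the following `include $(HEADERDIR)/build.conf` fails with an unhelpful "no such file" error. A default `PREFIX ?= /usr` placed before it, or an explicit `$(error PREFIX is not set)` guard, makes the failure mode obvious.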

@@ -19,8 +22,13 @@
 PYTHON ?= python  

 # set default build options if missing

-TYPE ?= strict
-NAME ?= $(TYPE)
+NAME ?= $(shell . /etc/selinux/config; echo $$SELINUXTYPE)
+MLSENABLED := $(shell cat /selinux/mls)
+ifeq ($(MLSENABLED),1)
+MCSFLAG=-mcs
+endif

+
+TYPE ?= $(NAME)${MCSFLAG}
 DIRECT_INITRC ?= n
 POLY ?= n
 QUIET ?= y
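Review bot: `NAME ?= $(shell . /etc/selinux/config; echo $$SELINUXTYPE)` sources the config file as shell, so the build executes whatever that file contains instead of parsing it; `NAME ?= $(shell sed -n 's/^SELINUXTYPE=//p' /etc/selinux/config)` reads only the key. `MLSENABLED := $(shell cat /selinux/mls)` prints an error on a host without selinuxfs mounted, so append `2>/dev/null`. Note also that `/selinux/mls` reports 1 for both MCS and MLS policies, so a host running the `mls` policy gets `TYPE = mls-mcs`; whether that matches an installed header set is not visible here and worth confirming. `$(NAME)${MCSFLAG}` mixes the `$()` and `${}` forms; use one.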
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Received on Mon 20 Feb 2006 - 17:19:40 EST
 
