Re: Fixing up SELinux reference policy for Debian
> > I am attaching the local.te file below for comment; some of
> > this should probably go into the refpolicy package, and, eventually,
> > upstream.
>
> Would be nice to actually append the file.
I have attached a patch that I'm using in my work on getting a strict unstable
system to work.
Some comments on your patch:
I believe that cron should be allowed to set limits, although this could
possibly be done in a boolean.
fsadm_t asks for security_t because it's linked against libblkid.so.1 which is
linked against libdevmapper.so.1.02.1 which is linked against
libselinux.so.1. The load phase of libselinux.so.1 will access things
under /selinux. I posted to the SE Linux list about this issue last night
but haven't got any replies yet. I suggest no policy changes in this regard
until we get things sorted out correctly (don't want to hide problems).
I fixed the /lib/init/rw issue.
The mountnfs issue is one I think I haven't solved yet.
The mount_t security_t issue is the same as for fsadm_t.
I think it's appropriate for semanage_t to access security_t even though it
might not need it at the moment (it's an area that's evolving and semanage_t
can break things anyway).
/*
 * Determine the current user's name.
 * On a SELinux enabled system, policy will prevent third
 * parties from using unix_chkpwd as a password guesser.
 * Leaving the existing check prevents su from working, since
 * the current uid is the user's and the password is for root.
 */
/*
 * NOTE(review): in the SELinux branch the caller-supplied argv[1] is
 * accepted as the account name with no cross-check against the real
 * uid, so the protection against use as a password guesser rests
 * entirely on the policy that confines which domains may execute
 * this helper.  Any loosening of that policy must revisit this branch.
 */
if (SELINUX_ENABLED) {
user = argv[1];
} else {
/*
 * Without SELinux the account being checked must belong to the
 * invoking user: resolve the real uid to a name and require it to
 * match argv[1].
 */
user = getuidname(getuid());
if (strcmp(user, argv[1])) {
/* Names differ (strcmp != 0): refuse rather than check another account. */
return PAM_AUTH_ERR;
}
}
Above is the code from unix_chkpwd.c that uses libselinux and therefore wants
to access security_t. I think it would be a bad idea to prevent such access.
I don't know why unix_chkpwd is looking under /var/run; does it fail to work
when that access is prevented?
--
russell@coker.com.au
http://etbe.coker.com.au/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development
diff -ru refpolicy-0.0.20070507.old/debian/changelog refpolicy-0.0.20070507/debian/changelog
--- refpolicy-0.0.20070507.old/debian/changelog 2007-05-15 08:38:55.000000000 +1000
+++ refpolicy-0.0.20070507/debian/changelog 2007-05-15 18:56:41.000000000 +1000
@@ -1,3 +1,9 @@
+refpolicy (0.0.20070507-3.1) unstable; urgency=low
+
+ * Minor update
+
+ -- Russell Coker <russell@coker.com.au> Tue, 15 May 2007 18:56:00 +1000
+
refpolicy (0.0.20070507-3) unstable; urgency=low
* Add hostfs as a recognized remote file-system. This should allow a
diff -ru refpolicy-0.0.20070507.old/policy/modules/admin/dmidecode.te refpolicy-0.0.20070507/policy/modules/admin/dmidecode.te
--- refpolicy-0.0.20070507.old/policy/modules/admin/dmidecode.te 2006-10-19 05:25:27.000000000 +1000
+++ refpolicy-0.0.20070507/policy/modules/admin/dmidecode.te 2007-05-15 18:54:26.000000000 +1000
@@ -38,3 +38,4 @@
term_use_generic_ptys(dmidecode_t)
term_use_unallocated_ttys(dmidecode_t)
')
+dev_search_sysfs(dmidecode_t)
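Review bot: The new `dev_search_sysfs(dmidecode_t)` line carries no comment saying what dmidecode is looking for under /sys, while everything around it is terminal access, so a later reader cannot tell whether the grant is still needed. A one-line rationale such as `# dmidecode looks for DMI data under sysfs (confirm path from the denial)` on the line above it would keep the reason with the rule. It also lands directly after the `')` that closes a block whose opening is outside this hunk; a blank line before it would make clear it is unconditional rather than part of that block.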
diff -ru refpolicy-0.0.20070507.old/policy/modules/kernel/devices.fc refpolicy-0.0.20070507/policy/modules/kernel/devices.fc
--- refpolicy-0.0.20070507.old/policy/modules/kernel/devices.fc 2007-05-15 08:38:55.000000000 +1000
+++ refpolicy-0.0.20070507/policy/modules/kernel/devices.fc 2007-05-15 18:54:59.000000000 +1000
@@ -6,6 +6,7 @@
/dev/\.static -d gen_context(system_u:object_r:device_t,s0)
/dev/\.static/dev -d gen_context(system_u:object_r:device_t,s0)
/dev/\.static/dev/(.*)? <<none>>
+/lib/init/rw -d gen_context(system_u:object_r:device_t,s0)
')
/dev/.* gen_context(system_u:object_r:device_t,s0)
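Review bot: `/lib/init/rw` is given device_t although it is not under /dev; the covering email says a tmpfs is mounted there, so this `-d` entry only labels the mount-point directory on the root filesystem and the mounted filesystem itself stays tmpfs_t. If the intent is for init to treat the directory like /dev, say so on the line, e.g. `# Debian early-boot state directory, labelled like /dev`; otherwise a type owned by the init module (this patch already uses initrc_state_t for files created there) would avoid widening what device_t covers. The ifdef block this line sits in opens before the hunk.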
diff -ru refpolicy-0.0.20070507.old/policy/modules/kernel/devices.if refpolicy-0.0.20070507/policy/modules/kernel/devices.if
--- refpolicy-0.0.20070507.old/policy/modules/kernel/devices.if 2007-05-15 08:38:55.000000000 +1000
+++ refpolicy-0.0.20070507/policy/modules/kernel/devices.if 2007-05-15 19:17:29.000000000 +1000
@@ -60,7 +60,7 @@
interface(`dev_relabel_all_dev_nodes',`
gen_require(`
attribute device_node;
- type device_t;
+ type device_t, tmpfs_t;
')
relabelfrom_dirs_pattern($1,device_t,device_node)
@@ -70,6 +70,7 @@
relabelfrom_sock_files_pattern($1,device_t,device_node)
relabel_blk_files_pattern($1,device_t,{ device_t device_node })
relabel_chr_files_pattern($1,device_t,{ device_t device_node })
+ allow $1 tmpfs_t:chr_file { read write };
')
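Review bot: `allow $1 tmpfs_t:chr_file { read write };` grants read/write on tmpfs character devices from inside `dev_relabel_all_dev_nodes`, whose name only promises relabel permissions, so every caller of the interface silently gains that access; it also makes the devices module reach into the filesystem module's tmpfs_t via the `type device_t, tmpfs_t;` requirement added in the previous hunk. The same access is already available through `fs_rw_tmpfs_chr_files()`, which this patch itself calls in init.te, so the rule belongs at the call site of whichever domain needs it. Dropping both the allow and the added tmpfs_t require keeps the interface true to its name and the module layering intact.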
########################################
diff -ru refpolicy-0.0.20070507.old/policy/modules/kernel/filesystem.if refpolicy-0.0.20070507/policy/modules/kernel/filesystem.if
--- refpolicy-0.0.20070507.old/policy/modules/kernel/filesystem.if 2007-03-27 06:47:29.000000000 +1000
+++ refpolicy-0.0.20070507/policy/modules/kernel/filesystem.if 2007-05-16 09:08:26.000000000 +1000
@@ -2777,6 +2777,24 @@
########################################
## <summary>
+## Allow reading tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to read files
+## </summary>
+## </param>
+#
+interface(`fs_allow_tmpfs_file_read',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:file read;
+')
+
+########################################
+## <summary>
## Create, read, write, and delete
## auto moutpoints.
## </summary>
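Review bot: The new `fs_allow_tmpfs_file_read` interface does not follow the `fs_<access>_tmpfs_<class>` naming of its neighbours (compare `fs_rw_tmpfs_chr_files` used elsewhere in this patch), and its body is a raw `allow $1 tmpfs_t:file read;` where the module otherwise uses the pattern macros. `read_files_pattern($1,tmpfs_t,tmpfs_t)` would also grant the getattr/lock/ioctl permissions a reader usually needs, which a bare `read` does not, so the next denial is likely to come from the same file. Renaming it to `fs_read_tmpfs_files` (after checking the module does not already provide one) and using the pattern would match the module's style; the `<summary>` could also say which files are meant, since the caller in init.te names `progress_state`.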
diff -ru refpolicy-0.0.20070507.old/policy/modules/services/mysql.fc refpolicy-0.0.20070507/policy/modules/services/mysql.fc
--- refpolicy-0.0.20070507.old/policy/modules/services/mysql.fc 2005-10-07 05:33:06.000000000 +1000
+++ refpolicy-0.0.20070507/policy/modules/services/mysql.fc 2007-05-16 19:06:37.000000000 +1000
@@ -12,6 +12,8 @@
/usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0)
/usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+/usr/sbin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+/usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0)
#
# /var
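Review bot: Labelling `/usr/bin/mysql_upgrade` as mysqld_exec_t means any domain with the mysqld transition runs this maintenance utility in the server's domain with every permission the daemon has, for a tool that is a client of the server rather than the server itself. Unless mysql_upgrade genuinely has to behave as the daemon, a separate exec type or leaving it with the default bin label is the safer choice. `/usr/sbin/ndbd` is a distinct daemon as well; sharing mysqld_t may be acceptable for now but deserves a comment such as `# MySQL Cluster data node, runs as mysqld_t for now` so the decision is visible.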
diff -ru refpolicy-0.0.20070507.old/policy/modules/system/init.te refpolicy-0.0.20070507/policy/modules/system/init.te
--- refpolicy-0.0.20070507.old/policy/modules/system/init.te 2007-05-15 08:38:55.000000000 +1000
+++ refpolicy-0.0.20070507/policy/modules/system/init.te 2007-05-16 09:11:31.000000000 +1000
@@ -170,10 +170,9 @@
allow init_t self:process { getcap setcap };
')
-ifdef(`distro_redhat',`
- fs_rw_tmpfs_chr_files(init_t)
- fs_tmpfs_filetrans(init_t,initctl_t,fifo_file)
-')
+fs_rw_tmpfs_chr_files(init_t)
+
+fs_tmpfs_filetrans(init_t,initctl_t,fifo_file)
ifdef(`targeted_policy',`
unconfined_domain(init_t)
@@ -386,9 +385,10 @@
# started from init should be placed in their own domain.
userdom_use_sysadm_terms(initrc_t)
+# seed udev /dev
+dev_create_generic_dirs(initrc_t)
+
ifdef(`distro_debian',`
- # seed udev /dev
- dev_create_generic_dirs(initrc_t)
# to be able to create /dev/xconsole
dev_create_generic_pipes(initrc_t)
@@ -402,6 +402,14 @@
storage_tmpfs_filetrans_fixed_disk(initrc_t)
files_setattr_etc_dirs(initrc_t)
+
+ selinux_get_fs_mount(init_t)
+
+# for /lib/init/rw/.ramfs
+ fs_tmpfs_filetrans(initrc_t,initrc_state_t,file)
+
+# for progress_state which is created by the initramfs
+ fs_allow_tmpfs_file_read(initrc_t)
')
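Review bot: `selinux_get_fs_mount(init_t)` is the only init_t rule in a block that otherwise configures initrc_t (`storage_tmpfs_filetrans_fixed_disk(initrc_t)`, `files_setattr_etc_dirs(initrc_t)` and the two added initrc_t lines below it), which looks like either a typo for initrc_t or a rule that belongs in the init_t section earlier in the file; please confirm which domain produced the denial before it is merged. The two new `# for ...` comments sit at column 0 while the rules they describe are indented, unlike the rest of the block. The ifdef this hunk is inside opens before the hunk, and `fs_allow_tmpfs_file_read(initrc_t)` depends on the interface this same patch adds to filesystem.if.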
ifdef(`distro_gentoo',`
@@ -411,13 +419,11 @@
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
- dev_create_generic_dirs(initrc_t)
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
# with /dev/.rcboot to decide if we are in
# early init
- dev_create_generic_dirs(initrc_t)
dev_delete_generic_dirs(initrc_t)
# needed until baselayout is fixed to have the
@@ -441,6 +447,9 @@
')
')
+selinux_set_enforce_mode(initrc_t)
+fs_rw_tmpfs_chr_files(initrc_t)
+
ifdef(`distro_redhat',`
# this is from kmodule, which should get its own policy:
allow initrc_t self:capability sys_admin;
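Review bot: `selinux_set_enforce_mode(initrc_t)` is now granted unconditionally, whereas before this patch it was confined to the `distro_redhat` block (its removal is in the next hunk); letting the init-script domain switch the kernel between permissive and enforcing is one of the most sensitive permissions in the policy, and on a strict system it extends to anything initrc_t runs without a transition. If a Debian boot script needs it, keep it inside the distro_debian ifdef alongside the redhat one or gate it on a boolean, and add a comment naming the script that requires it. `fs_rw_tmpfs_chr_files(initrc_t)` moving out of the redhat block is fine but would read better with a `# ...` rationale like the surrounding rules carry.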
@@ -452,11 +461,9 @@
kernel_dontaudit_use_fds(initrc_t)
files_dontaudit_read_root_files(initrc_t)
- selinux_set_enforce_mode(initrc_t)
# These seem to be from the initrd
# during device initialization:
- dev_create_generic_dirs(initrc_t)
dev_rwx_zero(initrc_t)
dev_rx_raw_memory(initrc_t)
dev_wx_raw_memory(initrc_t)
@@ -471,8 +478,6 @@
# Needs to cp localtime to /var dirs
files_write_var_dirs(initrc_t)
- fs_rw_tmpfs_chr_files(initrc_t)
-
storage_manage_fixed_disk(initrc_t)
storage_dev_filetrans_fixed_disk(initrc_t)
storage_getattr_removable_dev(initrc_t)
diff -ru refpolicy-0.0.20070507.old/policy/modules/system/selinuxutil.te refpolicy-0.0.20070507/policy/modules/system/selinuxutil.te
--- refpolicy-0.0.20070507.old/policy/modules/system/selinuxutil.te 2007-05-15 08:38:55.000000000 +1000
+++ refpolicy-0.0.20070507/policy/modules/system/selinuxutil.te 2007-05-15 18:55:32.000000000 +1000
@@ -590,6 +590,7 @@
mls_rangetrans_target(semanage_t)
mls_file_read_up(semanage_t)
+selinux_get_fs_mount(semanage_t)
selinux_validate_context(semanage_t)
selinux_get_enforce_mode(semanage_t)
# for setsebool:
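Review bot: `selinux_get_fs_mount(semanage_t)` is added without the rationale the covering email gives (libselinux looks under the selinuxfs mount while it is being loaded), while the neighbouring rule carries `# for setsebool:`; a comment such as `# libselinux probes the selinuxfs mount at load time` would stop a later reader from treating the grant as accidental. Since the email deliberately withholds the same access from fsadm_t and mount_t until the libselinux behaviour is sorted out, the comment should also make clear that semanage_t is intentional.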
diff -ru refpolicy-0.0.20070507.old/policy/modules/system/sysnetwork.fc refpolicy-0.0.20070507/policy/modules/system/sysnetwork.fc
--- refpolicy-0.0.20070507.old/policy/modules/system/sysnetwork.fc 2007-05-15 08:38:55.000000000 +1000
+++ refpolicy-0.0.20070507/policy/modules/system/sysnetwork.fc 2007-05-16 19:05:39.000000000 +1000
@@ -23,7 +23,6 @@
')
ifdef(`distro_debian', `
-/etc/network/run(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
/dev/shm/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
')
#