
Re: LSM-based systems and debian packages



On Tue, 2 Dec 2003 18:32, Peter Palfrader <weasel@debian.org> wrote:
> > There is currently no uucp policy (it seems that no SE Linux users are
> > using it).
>
> I have one, but it does only allow what I need for uucp, which is
> certainly just a small subset of possible uucp uses.

I've attached a modified version; please check it out.  I've changed some of 
the things to do them in the recommended manner (e.g. the system_crond_entry() 
macro), and removed some things.

The part for running ssh looked suspect; I think it's probably best to just 
have can_exec(uucp_t, ssh_exec_t).

Let me know what you think, in a few days we should have something ready to be 
sent upstream.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
# uucp file contexts: each line maps a path regular expression to the
# security context used when the file is labelled.
# NOTE(review): this header used to read "postfix", which looks like a
# copy-paste leftover; every entry below is a uucp path.
#
# Every uucp program listed here (including cu, in.uucpd and the uudemon
# scripts) gets the single type uucp_exec_t, so they all share whatever
# transitions the policy defines for that type. The policy TODO says the
# subsystems should eventually be split into separate domains.
#
# NOTE(review): the paths are regular expressions, so the unescaped dots in
# in.uucpd, uudemon.day, uudemon.hr and uutraf.pl match any character.
# Escaping them would make the match exact.

# Configuration
/etc/uucp(/.*)?		system_u:object_r:etc_uucp_t
# User-facing and daemon executables
/usr/bin/uux			system_u:object_r:uucp_exec_t
/usr/bin/uucp			system_u:object_r:uucp_exec_t
/usr/bin/uustat			system_u:object_r:uucp_exec_t
/usr/bin/uuname			system_u:object_r:uucp_exec_t
/usr/bin/uulog			system_u:object_r:uucp_exec_t
/usr/bin/uuto			system_u:object_r:uucp_exec_t
/usr/bin/uupick			system_u:object_r:uucp_exec_t
/usr/bin/cu			system_u:object_r:uucp_exec_t
/usr/sbin/uuxqt			system_u:object_r:uucp_exec_t
/usr/sbin/uupoll		system_u:object_r:uucp_exec_t
/usr/sbin/uusched		system_u:object_r:uucp_exec_t
/usr/sbin/uurate		system_u:object_r:uucp_exec_t
/usr/sbin/in.uucpd		system_u:object_r:uucp_exec_t
/usr/lib/uucp/uuchk		system_u:object_r:uucp_exec_t
/usr/lib/uucp/uucico		system_u:object_r:uucp_exec_t
/usr/lib/uucp/uuconv		system_u:object_r:uucp_exec_t
/usr/lib/uucp/uudemon.day	system_u:object_r:uucp_exec_t
/usr/lib/uucp/uudemon.hr	system_u:object_r:uucp_exec_t
/usr/lib/uucp/uutraf.pl		system_u:object_r:uucp_exec_t
# Spool and log trees (directory itself plus everything beneath it)
/var/spool/uucp(/.*)?		system_u:object_r:uucp_spool_t
/var/log/uucp(/.*)?		system_u:object_r:uucp_log_t
#DESC UUCP - Unix to Unix Copy Program
#
# Author:  Peter Palfrader <peter@palfrader.org>
#

# TODO: the different uucp subsystems should really be in different domains
#  uucico, cu, uuxqt, rmail, rnews etc
#
# This policy file only allows my most basic mail usage
#  the configuration uses an ssh port and postfix's rmail

# Set up the uucp domain. uucp_t and uucp_exec_t are used throughout this
# file but never declared with an explicit type statement, so they are
# presumably declared by daemon_domain - confirm against the macro.
# The privmail attribute is passed as the extra attribute list.
# NOTE(review): an earlier comment here mentioned postfix; that looked like
# a copy-paste leftover.
daemon_domain(uucp, `, privmail')
general_domain_access(uucp_t)
# uucp_log_t is used below without a type statement; presumably log_domain
# declares it - confirm.
log_domain(uucp)
# Types for the configuration tree and the spool. sysadmfile is an attribute
# on both; what it grants is defined outside this file.
type etc_uucp_t, file_type, sysadmfile;
type uucp_spool_t, file_type, sysadmfile;


# The sysadm may want to call uucico directly, not from cron
# NOTE(review): the second role line authorises sysadm_r for system_mail_t
# as well, and the author already marks it as undesirable. Worth resolving
# before this goes upstream.
role sysadm_r types uucp_t;
role sysadm_r types system_mail_t;  # esp this is very evil
# Any uucp_exec_t program started from sysadm_t enters uucp_t.
domain_auto_trans(sysadm_t, uucp_exec_t, uucp_t)

# Access terminals.
allow uucp_t admin_tty_type:chr_file rw_file_perms;
# Only emitted when the gnome-pty-helper policy is part of the build.
ifdef(`gnome-pty-helper.te', `allow uucp_t sysadm_gph_t:fd use;')

# Call external programs (like ports..)
# NOTE(review): this lets uucp_t execute every bin_t and sbin_t program and
# the shell. No transition is defined for them in this file, so they would
# run with the permissions of uucp_t. The header says the configuration uses
# an ssh port, yet no rule here names ssh_exec_t; if ssh is the only external
# program needed, a rule on ssh_exec_t alone would be tighter - confirm how
# the ssh binary is labelled.
can_exec(uucp_t, { bin_t sbin_t shell_exec_t })
allow uucp_t { bin_t sbin_t }:dir r_dir_perms;
allow uucp_t { bin_t sbin_t }:lnk_file r_file_perms;
allow uucp_t var_lib_t:dir r_dir_perms;
# NOTE(review): a dontaudit rule for the same source, target and permissions
# appears further down. With this allow in place that dontaudit has no
# effect; one of the two is probably unintended.
allow uucp_t proc_t:file r_file_perms;

# postfix calls uux
# The transition is only emitted when postfix.te is part of the build.
ifdef(`postfix.te', `
domain_auto_trans(postfix_pipe_t, uucp_exec_t, uucp_t)
')
# Unlike the transition above, this rule is unconditional: everything
# carrying mta_user_agent may read and write spool files.
allow mta_user_agent uucp_spool_t:file rw_file_perms;

# Use capabilities.
# setuid and setgid let the domain change its process identity; the programs
# that need this are not named in this file.
allow uucp_t self:capability { setgid setuid };

# Allow operations in our spool
allow uucp_t var_spool_t:dir r_dir_perms;
allow uucp_t uucp_spool_t:dir create_dir_perms;
allow uucp_t uucp_spool_t:file create_file_perms;

# Allow logging
# These two rules grant append and getattr on log files and read access to
# the log directory. log_domain above may grant more - check the macro.
allow uucp_t uucp_log_t:file { append getattr };
allow uucp_t uucp_log_t:dir r_dir_perms;

# We need to execute other uucp programs
can_exec(uucp_t, uucp_exec_t);

# reading our conf
allow uucp_t etc_t:dir r_dir_perms;
allow uucp_t etc_t:file r_file_perms;
allow uucp_t etc_uucp_t:dir r_dir_perms;
allow uucp_t etc_uucp_t:file r_file_perms;

# Allow creating the lockfile
# NOTE(review): the lock file keeps the generic var_lock_t type, so these
# rules apply to every var_lock_t file and directory, not only the uucp
# locks. A dedicated lock type would narrow this.
allow uucp_t var_lock_t:dir rw_dir_perms;
allow uucp_t var_lock_t:file create_file_perms;

# Temporary files; the tmp type is presumably declared by the macro.
tmp_domain(uucp)

# rmail
allow system_mail_t uucp_spool_t:file rw_file_perms;

# for cron jobs
# system_crond_t is not right, cron is not doing what it should
# Only emitted when crond.te is part of the build. crond_t itself gets read
# access to the spool directory.
ifdef(`crond.te', `
system_crond_entry(uucp_exec_t, uucp_t)
allow crond_t uucp_spool_t:dir r_dir_perms;
');

# Denials that are expected and deliberately kept out of the audit log.
# dontaudit grants nothing; it only suppresses the log entry, so anyone
# watching the audit log for unexpected access by uucp_t will not see these.
dontaudit uucp_t etc_runtime_t:file r_file_perms;
dontaudit uucp_t sysadm_home_dir_t:dir r_dir_perms;
dontaudit uucp_t file_t:dir { search };
# NOTE(review): redundant with the allow rule for uucp_t on proc_t:file
# earlier in this file.
dontaudit uucp_t proc_t:file r_file_perms;
dontaudit uucp_t { boot_t modules_object_t src_t }:dir { getattr search };

# Do not audit denials when uucp_t tries to read the directories of other
# domains, i.e. the per-process entries searched under /proc.
# NOTE(review): the earlier wording spoke of a user domain running ps, but
# the source domain in the rule is uucp_t.
dontaudit uucp_t domain:dir r_dir_perms;
