
Re: LSM-based systems and debian packages



On Tue, 02 Dec 2003, Russell Coker wrote:

> On Tue, 2 Dec 2003 08:48, Andreas Barth <aba@not.so.argh.org> wrote:
> > * Russell Coker (russell@coker.com.au) [031201 05:10]:
> > > On Mon, 1 Dec 2003 07:43, Andreas Barth <aba@not.so.argh.org> wrote:
> > > > What about the gettys? I'm asking this because I wrote the initial
> > > > mail because of mgetty, a package where I expect some non-standard
> > > > setup (though of course, I could be wrong, as I don't know much about
> > > > this topic).
> 
> > Well, mgetty (and vgetty for voice) does also in addition to normal login
> > - receive faxes (and can start a whole bunch of things with receiving
> >   faxes, like printing, forwarding per mail, ...)
> > - receive voice messages (to these apply the same option as to faxes)
> > - fire up pppd
> > - fire up uucico
> > - fire up [any custom programm, if configured by the system
> >   administrator]
> 
> This will require some new policy.
> 
> There is currently no uucp policy (it seems that no SE Linux users are using 
> it).

I have one, but it only allows what I need for uucp, which is
certainly just a small subset of possible uucp uses.

It also still has some problems, such as the daily uucp job not
really working, but I never bothered to fix that.

Peter
-- 
 PGP signed and encrypted  |  .''`.  ** Debian GNU/Linux **
    messages preferred.    | : :' :      The  universal
                           | `. `'      Operating System
 http://www.palfrader.org/ |   `-    http://www.debian.org/
#DESC UUCP - Unix to Unix Copy Program
#
# Author:  Peter Palfrader <peter@palfrader.org>
#

# TODO: the different uucp subsystems should really be in different domains
#  uucico, cu, uuxqt, rmail, rnews etc
#
# This policy file only allows my most basic mail usage
#  the configuration uses an ssh port and postfix's rmail

# Declare the uucp domain and the file types it owns.
# (The previous comment here mentioned postfix; it was copied from another
# policy file and did not describe these lines.)
#
# daemon_domain() and log_domain() are macros defined outside this file.
# They presumably declare uucp_t, uucp_exec_t and uucp_log_t, which are used
# below without any other declaration - confirm against the macro definitions.
# The second argument adds privmail as an extra attribute on uucp_t; what that
# attribute grants is decided by the mail policy, not by this file.
daemon_domain(uucp, `, privmail')
# NOTE(review): general_domain_access() is a baseline macro whose grants are
# not visible here; review it when judging how tightly uucp_t is confined.
general_domain_access(uucp_t)
log_domain(uucp)
# etc_uucp_t labels the uucp configuration tree and uucp_spool_t labels the
# spool tree (see the file context entries for /etc/uucp and /var/spool/uucp).
type etc_uucp_t, file_type, sysadmfile;
type uucp_spool_t, file_type, sysadmfile;


# The sysadm may want to call uucico directly, not from cron
# Authorize the uucp domain for the administrator role.
role sysadm_r types uucp_t;
# NOTE(review): this line also authorizes system_mail_t for sysadm_r. That is
# a role-wide change reaching beyond uucp, and the author flags it as
# undesirable. Check whether the mail policy already provides it, and if not
# whether it is really required.
role sysadm_r types system_mail_t;  # esp this is very evil
# Any file labeled uucp_exec_t that is started from sysadm_t enters uucp_t.
# The file contexts label every uucp tool with that one type, so this covers
# cu, uux, uucico and the rest, not only uucico.
domain_auto_trans(sysadm_t, uucp_exec_t, uucp_t)
#allow sysadm_su_t uucp_spool_t:dir rw_dir_perms;
#allow sysadm_ssh_t uucp_spool_t:dir search;
# Access terminals.
# uucp_t may read and write every terminal carrying the admin_tty_type
# attribute; this is needed for interactive use but also exposes admin ttys
# to anything running in uucp_t.
allow uucp_t admin_tty_type:chr_file rw_file_perms;
# Only emitted when the gnome-pty-helper policy is part of the build.
ifdef(`gnome-pty-helper.te', `allow uucp_t sysadm_gph_t:fd use;')


# Call external programs (like ports..)
# NOTE(review): can_exec() normally grants execution without a domain
# transition - confirm in the macro definitions. If so, every generic binary
# and every shell started by uucp keeps running as uucp_t with all permissions
# granted in this file. Confinement of remotely requested commands then rests
# on the uucp configuration rather than on this policy; the TODO in the file
# header about separate domains per subsystem addresses the same point.
can_exec(uucp_t, bin_t)
can_exec(uucp_t, sbin_t)
can_exec(uucp_t, shell_exec_t)
# Directory listing and symlink resolution in the binary directories.
allow uucp_t { bin_t sbin_t }:dir r_dir_perms;
allow uucp_t { bin_t sbin_t }:lnk_file r_file_perms;
allow uucp_t var_lib_t:dir r_dir_perms;
# Read access to files labeled proc_t. A dontaudit rule for the same
# source, target and permissions appears later in this file; it has no effect
# while this allow rule is present.
allow uucp_t proc_t:file r_file_perms;
# Rules below are disabled; they look like candidates collected while
# developing the policy.
#allow uucp_t { etc_t resolv_conf_t }:file { getattr read };
#allow uucp_t { etc_t resolv_conf_t }:lnk_file { getattr read };
#allow uucp_t random_device_t:chr_file r_file_perms;
#allow uucp_t {etc_runtime_t proc_t}:file { getattr read };


# postfix calls uux
# The postfix pipe delivery domain may run uucp binaries and is moved into
# uucp_t when it does.
# NOTE(review): domain_auto_trans() presumably already grants the execute
# permission it needs, which would make the can_exec() line redundant - verify.
can_exec(postfix_pipe_t, uucp_exec_t)
domain_auto_trans(postfix_pipe_t, uucp_exec_t, uucp_t)


# cron wants that for uucp?
# NOTE(review): this grants the sys_admin capability to crond_t itself, not to
# uucp_t. sys_admin is one of the broadest Linux capabilities, and the author
# marks the need as uncertain. Confirm from audit denials what actually
# requires it; if it is needed at all it belongs in the cron policy, and it
# should not ship as a side effect of installing the uucp policy.
allow crond_t crond_t:capability { sys_admin };



# Use capabilities.
# uucp_t may change its own user and group ids.
allow uucp_t uucp_t:capability { setgid setuid };

# Allow operations in our spool
# Read the generic spool directory to reach the uucp spool, then full
# create and modify access inside the uucp spool itself.
allow uucp_t var_spool_t:dir r_dir_perms;
allow uucp_t uucp_spool_t:dir create_dir_perms;
# NOTE(review): getattr, setattr and rename are presumably already part of
# create_file_perms; listing them again is harmless but likely redundant.
allow uucp_t uucp_spool_t:file { create_file_perms getattr setattr rename };

# Allow logging
# These two rules grant append and getattr only, so they do not by themselves
# let uucp_t overwrite or truncate existing log content. log_domain(uucp) may
# grant more; check the macro before relying on that for log integrity.
allow uucp_t uucp_log_t:file { append getattr };
allow uucp_t uucp_log_t:dir r_dir_perms;

# We need to execute other uucp programs
# The tools call each other and stay in uucp_t while doing so.
can_exec(uucp_t, uucp_exec_t);

# reading our conf
# The etc_t rules cover every generic file under /etc, not only uucp files;
# the etc_uucp_t rules cover the uucp configuration tree.
allow uucp_t etc_t:dir r_dir_perms;
allow uucp_t etc_t:file r_file_perms;
allow uucp_t etc_uucp_t:dir r_dir_perms;
allow uucp_t etc_uucp_t:file r_file_perms;

# Allow creating the lockfile
# NOTE(review): var_lock_t is the generic lock type, so these rules apply to
# every lock file with that label, not only to locks created by uucp. A
# dedicated lock type with a file type transition would be tighter.
allow uucp_t var_lock_t:dir rw_dir_perms;
allow uucp_t var_lock_t:file create_file_perms;

# our ssh port needs those
# The four types below are declared before ssh_domain(uucp) is expanded.
# Presumably the macro refers to them by these derived names - confirm in the
# macro definition. Nothing else in this file uses them.
type uucp_home_dir_t, file_type, sysadmfile;
type uucp_home_t, file_type, sysadmfile;
type uucp_tty_device_t, file_type, sysadmfile;
type uucp_devpts_t, file_type, sysadmfile;
tmp_domain(uucp)
# ssh_domain(uucp) is expected to declare uucp_ssh_t, the domain the ssh
# client runs in when uucp starts it.
ssh_domain(uucp)
# Running the ssh client from uucp_t moves the process into uucp_ssh_t, so the
# ssh client does not inherit the uucp_t permissions granted in this file.
can_exec(uucp_t, ssh_exec_t);
domain_auto_trans(uucp_t, ssh_exec_t, uucp_ssh_t);
# The ssh domain must be authorized for both roles that can reach uucp_t:
# the administrator role and the system role.
role sysadm_r types uucp_ssh_t;
role system_r types uucp_ssh_t;

# The ssh client may list the spool directories. The file contexts place a
# .ssh directory under /var/spool/uucp, which is presumably why it needs to
# traverse them.
allow uucp_ssh_t var_spool_t:dir r_dir_perms;
allow uucp_ssh_t uucp_spool_t:dir r_dir_perms;
# uucp may kill the ssh client it started; no other signal is granted here.
allow uucp_t uucp_ssh_t:process { sigkill };


# rmail
# Mail delivery domains get read and write access to files in the uucp spool.
# NOTE(review): this lets system_mail_t and postfix_postdrop_t modify any file
# labeled uucp_spool_t, including queued jobs; confirm the access is limited
# to what rmail delivery needs.
allow system_mail_t uucp_spool_t:file rw_file_perms;
can_exec(uucp_t, sendmail_exec_t);
allow postfix_postdrop_t uucp_spool_t:file rw_file_perms;

# for cron jobs
# system_crond_t is not right, cron is not doing what it should
# The rules inside the ifdef are emitted only when the cron policy is part of
# the build: system cron jobs enter uucp_t when they run a uucp binary, crond
# may list the uucp spool, and uucp_t may use the descriptors and pipes it
# inherits from crond and report its exit to it.
ifdef(`crond.te', `
domain_auto_trans(system_crond_t, uucp_exec_t, uucp_t)
allow crond_t uucp_spool_t:dir r_dir_perms;
allow uucp_t crond_t:fd use;
allow uucp_t crond_t:fifo_file rw_file_perms;
allow uucp_t crond_t:process sigchld;
');


# cron hourly
# Disabled rules, kept by the author for reference.
# allow uucp_t sysctl_kernel_t:dir { search };
# allow uucp_t sysctl_t:dir { search };




# cron
# NOTE(review): this rule involves neither uucp_t nor any uucp file type.
# It looks like a denial observed while running cron jobs that was added here
# for convenience; it would belong in the cron policy.
allow system_crond_t syslogd_t:lnk_file { read };



# Suppress audit records for accesses that are denied but considered noise.
# A dontaudit rule grants nothing. It only hides the denial from the audit
# log, so each rule below also removes a signal that could show uucp_t probing
# outside its expected paths. Keep the list short and re-check it whenever the
# policy changes.
dontaudit uucp_t etc_runtime_t:file r_file_perms;
dontaudit uucp_t sysadm_home_dir_t:dir r_dir_perms;
dontaudit uucp_t file_t:dir { search };
# The same access on proc_t files is granted by an allow rule earlier in this
# file, so this dontaudit rule currently has no effect.
dontaudit uucp_t proc_t:file r_file_perms;
dontaudit uucp_t { boot_t modules_object_t src_t }:dir { getattr search };


# When the user domain runs ps, there will be a number of access
# denials when ps tries to search /proc.  Do not audit these denials.
# (The two lines above and the disabled rule below still use the wording and
# the $1 placeholder of a user domain macro; here the rule applies to uucp_t.)
# It hides every denied attempt by uucp_t to read the directory of any domain.
dontaudit uucp_t domain:dir r_dir_perms;
#dontaudit $1_t domain:notdevfile_class_set r_file_perms;
# uucp file contexts (the original header comment here read "postfix")
#
# Every uucp program below shares the single entry point type uucp_exec_t, so
# each one enters uucp_t from the domains the policy sets up transitions for.
# That includes the interactive tool cu and the perl script uutraf.pl.
# Configuration files.
/etc/uucp(/.*)?		system_u:object_r:etc_uucp_t
/usr/bin/uux			system_u:object_r:uucp_exec_t
/usr/bin/uucp			system_u:object_r:uucp_exec_t
/usr/bin/uustat			system_u:object_r:uucp_exec_t
/usr/bin/uuname			system_u:object_r:uucp_exec_t
/usr/bin/uulog			system_u:object_r:uucp_exec_t
/usr/bin/uuto			system_u:object_r:uucp_exec_t
/usr/bin/uupick			system_u:object_r:uucp_exec_t
/usr/bin/cu			system_u:object_r:uucp_exec_t
/usr/sbin/uuxqt			system_u:object_r:uucp_exec_t
/usr/sbin/uupoll		system_u:object_r:uucp_exec_t
/usr/sbin/uusched		system_u:object_r:uucp_exec_t
/usr/sbin/uurate		system_u:object_r:uucp_exec_t
/usr/sbin/in.uucpd		system_u:object_r:uucp_exec_t
/usr/lib/uucp/uuchk		system_u:object_r:uucp_exec_t
/usr/lib/uucp/uucico		system_u:object_r:uucp_exec_t
/usr/lib/uucp/uuconv		system_u:object_r:uucp_exec_t
/usr/lib/uucp/uudemon.day	system_u:object_r:uucp_exec_t
/usr/lib/uucp/uudemon.hr	system_u:object_r:uucp_exec_t
/usr/lib/uucp/uutraf.pl		system_u:object_r:uucp_exec_t
# Spool tree. The .ssh entry is more specific and is meant to take precedence
# over the general spool label for that subdirectory.
# NOTE(review): uucp_home_ssh_t is not declared in the policy text shown with
# this file. It presumably comes from ssh_domain(uucp) - verify, since an
# undeclared type makes this entry invalid when labeling.
/var/spool/uucp(/.*)?		system_u:object_r:uucp_spool_t
/var/spool/uucp/\.ssh(/.*)?	system_u:object_r:uucp_home_ssh_t
/var/log/uucp(/.*)?		system_u:object_r:uucp_log_t
# Site-local binary (this looks like the wrapper for the ssh port described in
# the policy header). Because it is an entry point into uucp_t, keep it owned
# by root and not writable by other users.
/usr/local/bin/uucico		system_u:object_r:uucp_exec_t

Attachment: signature.asc
Description: Digital signature

