A few policy changes I had to make

Hello. I started playing with SELinux on FC2, and recently moved to FC3, and I must say it's much better now, with the targeted policy. Congrats on this.
I still had to change a few things in my policies, though. Following is a collection of the avc errors justifying my changes. I'm not experienced with SELinux yet, so I may be doing something wrong... please let me know if these changes are correct or not. Also, the unlink allow for httpd_t is because, for some reason, when I try to remove a file from within PHP, it uses httpd_t instead of httpd_sys_script_t. I would also like a rule (which I'm not sure how to write) to allow PHP programs to execute external programs, since I have a script which receives an uploaded file, does a lot of processing with it through external programs, and stores it in the database - when I run that, it gives me avc execute errors trying to run bash and the other utilities.


Apache:
Nov 12 16:50:46 fireball kernel: audit(1100285446.637:0): avc: denied { connectto } for pid=2522 exe=/usr/sbin/httpd path=/tmp/.s.PGSQL.5432 scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:unconfined_t tclass=unix_stream_socket


NTPd:
Nov 11 19:51:49 fireball kernel: audit(1100209909.743:0): avc: denied { create } for pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.745:0): avc: denied { bind } for pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.745:0): avc: denied { getattr } for pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.747:0): avc: denied { write } for pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.749:0): avc: denied { net_admin } for pid=2293 exe=/usr/sbin/ntpd capability=12 scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=capability
Nov 11 19:51:49 fireball kernel: audit(1100209909.750:0): avc: denied { nlmsg_read } for pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.752:0): avc: denied { read } for pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket


DHCPd:
Nov 12 23:37:25 fireball kernel: audit(1100309845.314:0): avc: denied { create } for pid=10002 exe=/usr/sbin/dhcpd scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.317:0): avc: denied { bind } for pid=10002 exe=/usr/sbin/dhcpd scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.320:0): avc: denied { getattr } for pid=10002 exe=/usr/sbin/dhcpd scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.323:0): avc: denied { write } for pid=10002 exe=/usr/sbin/dhcpd scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.325:0): avc: denied { net_admin } for pid=10002 exe=/usr/sbin/dhcpd capability=12 scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t tclass=capability
Nov 12 23:37:25 fireball kernel: audit(1100309845.326:0): avc: denied { nlmsg_read } for pid=10002 exe=/usr/sbin/dhcpd scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.327:0): avc: denied { read } for pid=10002 exe=/usr/sbin/dhcpd scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.909:0): avc: denied { unlink } for pid=10008 exe=/usr/sbin/dhcpd name=dhcpd.leases~ dev=hda1 ino=425472 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:file_t tclass=file


named:
Nov 12 23:41:25 fireball kernel: audit(1100310085.797:0): avc: denied { create } for pid=10183 exe=/usr/sbin/named scontext=root:system_r:named_t tcontext=root:system_r:named_t tclass=netlink_route_socket
Nov 12 23:41:25 fireball kernel: audit(1100310085.798:0): avc: denied { bind } for pid=10183 exe=/usr/sbin/named scontext=root:system_r:named_t tcontext=root:system_r:named_t tclass=netlink_route_socket
Nov 12 23:41:25 fireball kernel: audit(1100310085.799:0): avc: denied { getattr } for pid=10183 exe=/usr/sbin/named scontext=root:system_r:named_t tcontext=root:system_r:named_t tclass=netlink_route_socket
Nov 12 23:41:25 fireball kernel: audit(1100310085.803:0): avc: denied { write } for pid=10183 exe=/usr/sbin/named scontext=root:system_r:named_t tcontext=root:system_r:named_t tclass=netlink_route_socket
Nov 12 23:41:25 fireball kernel: audit(1100310085.806:0): avc: denied { nlmsg_read } for pid=10183 exe=/usr/sbin/named scontext=root:system_r:named_t tcontext=root:system_r:named_t tclass=netlink_route_socket
Nov 12 23:41:25 fireball kernel: audit(1100310085.809:0): avc: denied { read } for pid=10183 exe=/usr/sbin/named scontext=root:system_r:named_t tcontext=root:system_r:named_t tclass=netlink_route_socket


Thanks,
Rodrigo
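The denials above are the raw material for the patch below; the step in between (grouping denials by source type, target type and class, and deciding which ones actually deserve an `allow`) is what tools like audit2allow automate. The following script is an added example, not part of Rodrigo's mail or of the Fedora policy, showing that step on a handful of the AVC lines quoted above (copied verbatim as the constructed sample). The review checks it applies (flagging a `file_t` target as a labeling problem rather than a policy gap, and flagging the broad `net_admin` capability for a dontaudit-or-allow decision) are the reviewer's own heuristics, not anything the policy sources define.

```python
import re
from collections import defaultdict

# Constructed sample: AVC lines copied from the mail above (httpd, ntpd, dhcpd).
SAMPLE_AVC = """\
Nov 12 16:50:46 fireball kernel: audit(1100285446.637:0): avc: denied { connectto } for pid=2522 exe=/usr/sbin/httpd path=/tmp/.s.PGSQL.5432 scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:unconfined_t tclass=unix_stream_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.743:0): avc: denied { create } for pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.749:0): avc: denied { net_admin } for pid=2293 exe=/usr/sbin/ntpd capability=12 scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=capability
Nov 11 19:51:49 fireball kernel: audit(1100209909.750:0): avc: denied { nlmsg_read } for pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.909:0): avc: denied { unlink } for pid=10008 exe=/usr/sbin/dhcpd name=dhcpd.leases~ dev=hda1 ino=425472 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:file_t tclass=file
"""

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$")


def parse_avc(line):
    """Return a dict with 'perms' (list) plus every key=value field, or None if not an AVC line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = m.group("perms").split()
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {"perms": perms, **fields}


def type_of(context):
    """user:role:type[:level] -> type component."""
    return context.split(":")[2]


def summarize(lines):
    """Group denied permissions by (source type, target type, class)."""
    needed = defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        key = (type_of(avc["scontext"]), type_of(avc["tcontext"]), avc["tclass"])
        needed[key].update(avc["perms"])
    return needed


def rule_for(key, perms):
    """Render one allow rule in policy syntax; same source and target type becomes 'self'."""
    stype, ttype, tclass = key
    target = "self" if stype == ttype else ttype
    p = sorted(perms)
    perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
    return f"allow {stype} {target}:{tclass} {perm_str};"


def review(key, perms):
    """Reviewer heuristics (this example's own): reasons not to add the rule as generated."""
    stype, ttype, tclass = key
    notes = []
    if ttype == "file_t":
        notes.append("target is unlabeled (file_t): relabel the directory with restorecon, do not allow")
    if tclass == "capability" and "net_admin" in perms:
        notes.append("net_admin is broad: test without it and prefer dontaudit if the daemon still works")
    return notes


def suggest(text):
    """List of (rule, review notes) for every AVC line in text, in deterministic order."""
    needed = summarize(text.splitlines())
    return [(rule_for(key, needed[key]), review(key, needed[key])) for key in sorted(needed)]


if __name__ == "__main__":
    for rule, notes in suggest(SAMPLE_AVC):
        print(rule)
        for note in notes:
            print("   # REVIEW:", note)
```

Run on the sample it emits four candidate rules; the `dhcpd_t`/`file_t` one is flagged as a labeling fix and the `ntpd_t` `net_admin` one as a capability to justify before allowing, while the `httpd_t` connect to `unconfined_t` comes out as `connectto` (the permission actually denied) rather than a file-permission macro.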

diff -ru src.orig/policy/domains/program/apache.te src/policy/domains/program/apache.te
--- src.orig/policy/domains/program/apache.te	2004-11-01 19:36:22.000000000 -0200
+++ src/policy/domains/program/apache.te	2004-11-12 23:54:36.127952796 -0200
@@ -285,6 +285,8 @@
 # Allow httpd to work with postgresql
 #
 allow httpd_t tmp_t:sock_file rw_file_perms;
+allow httpd_t tmp_t:unix_stream_socket rw_file_perms;
+allow httpd_t unconfined_t:unix_stream_socket rw_file_perms;
 ') dnl targeted policy
 
 #
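Review bot: neither added line grants the permission the denial asks for. The AVC at the top of the mail is `denied { connectto }` on `unix_stream_socket` with tcontext `unconfined_t`; `rw_file_perms` is the file read/write macro and does not contain `connectto`, so `allow httpd_t unconfined_t:unix_stream_socket rw_file_perms;` will build but leave the connect failing, and `allow httpd_t tmp_t:unix_stream_socket rw_file_perms;` names the wrong target (the socket file in /tmp is `tmp_t` and is already covered by the `sock_file` line above; the peer socket itself is `unconfined_t`). Replace both with `allow httpd_t unconfined_t:unix_stream_socket connectto;`. An `unconfined_t` peer also means postgresql is running unconfined under the targeted policy, which is worth saying in the comment so the rule can be tightened if postgresql gets its own domain.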
diff -ru src.orig/policy/domains/program/dhcpd.te src/policy/domains/program/dhcpd.te
--- src.orig/policy/domains/program/dhcpd.te	2004-11-01 19:36:22.000000000 -0200
+++ src/policy/domains/program/dhcpd.te	2004-11-12 23:38:18.000000000 -0200
@@ -33,13 +33,14 @@
 can_ypbind(dhcpd_t)
 allow dhcpd_t self:unix_dgram_socket create_socket_perms;
 allow dhcpd_t self:unix_stream_socket create_socket_perms;
+allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;
 
 allow dhcpd_t var_lib_t:dir search;
 
 allow dhcpd_t devtty_t:chr_file { read write };
 
 # Use capabilities
-allow dhcpd_t dhcpd_t:capability { net_raw net_bind_service };
+allow dhcpd_t dhcpd_t:capability { net_raw net_admin net_bind_service };
 
 # Allow access to the dhcpd file types
 type dhcp_state_t, file_type, sysadmfile;
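Review bot: the `unlink` denial on `dhcpd.leases~` (tcontext `file_t`) from the mail is not addressed in this hunk, and should not be fixed with an allow rule: `file_t` is the unlabeled type, so the lease directory has lost its label and the right fix is to relabel it (`restorecon` on the lease directory) so the existing `dhcp_state_t` rules apply. On the `net_admin` change: it is a broad capability being added on the strength of one AVC line; test dhcpd with only the netlink rule added and, if it still serves leases, use `dontaudit dhcpd_t self:capability net_admin;` instead of widening the allow. For the netlink line, verify that `r_netlink_socket_perms` in macros/global_macros.te includes `write`, since the denial list includes a `write` on the route socket.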
diff -ru src.orig/policy/domains/program/named.te src/policy/domains/program/named.te
--- src.orig/policy/domains/program/named.te	2004-11-01 19:36:22.000000000 -0200
+++ src/policy/domains/program/named.te	2004-11-12 23:42:38.000000000 -0200
@@ -60,6 +60,7 @@
 # Bind to the named port.
 allow named_t dns_port_t:udp_socket name_bind;
 allow named_t { dns_port_t rndc_port_t }:tcp_socket name_bind;
+allow named_t self:netlink_route_socket r_netlink_socket_perms;
 
 bool named_write_master_zones false;
 
diff -ru src.orig/policy/domains/program/ntpd.te src/policy/domains/program/ntpd.te
--- src.orig/policy/domains/program/ntpd.te	2004-11-01 19:36:22.000000000 -0200
+++ src/policy/domains/program/ntpd.te	2004-11-12 23:33:18.000000000 -0200
@@ -22,7 +22,7 @@
 # for SSP
 allow ntpd_t urandom_device_t:chr_file read;
 
-allow ntpd_t self:capability { setgid setuid sys_time net_bind_service ipc_lock sys_chroot };
+allow ntpd_t self:capability { setgid setuid sys_time net_bind_service ipc_lock sys_chroot net_admin };
 allow ntpd_t self:process { setcap setsched };
 # ntpdate wants sys_nice
 dontaudit ntpd_t self:capability { fsetid sys_nice };
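Review bot: same concern as dhcpd: `net_admin` is being added to the allow on the strength of a single AVC line. Test ntpd with only the netlink rule applied and, if time sync still works, append `net_admin` to the `dontaudit ntpd_t self:capability { fsetid sys_nice };` line two lines below rather than granting it.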
@@ -39,6 +39,7 @@
 allow ntpd_t ntp_port_t:udp_socket name_bind;
 allow ntpd_t self:unix_dgram_socket create_socket_perms;
 allow ntpd_t self:unix_stream_socket create_socket_perms;
+allow ntpd_t self:netlink_route_socket r_netlink_socket_perms;
 
 # so the start script can change firewall entries
 allow initrc_t net_conf_t:file { getattr read ioctl };
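Review bot: the rule itself is consistent with the dhcpd and named changes; style point only: the surrounding rules carry comments explaining why they exist, so a one-line comment naming the cause (route lookups over netlink at startup) would keep this block readable for the next person.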
diff -ru src.orig/policy/macros/program/apache_macros.te src/policy/macros/program/apache_macros.te
--- src.orig/policy/macros/program/apache_macros.te	2004-11-01 19:36:22.000000000 -0200
+++ src/policy/macros/program/apache_macros.te	2004-11-12 23:01:49.000000000 -0200
@@ -106,6 +106,7 @@
 ############################################################################
 r_dir_file(httpd_$1_script_t, httpd_$1_script_ro_t)
 create_dir_file(httpd_$1_script_t, httpd_$1_script_rw_t)
+allow httpd_t { httpd_$1_script_rw_t }:{ file dir lnk_file } { unlink };
 ra_dir_file(httpd_$1_script_t, httpd_$1_script_ra_t)
 
 if (httpd_enable_cgi) && (httpd_unified) {
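Review bot: this rule is inside the per-`$1` macro, so it is instantiated for every script type the macro is called with, which is wider than the single PHP case that motivated it. Syntax-wise the braces around a lone type and around `unlink` are unnecessary, and `unlink` on `dir` is never checked (directories go through `rmdir`), so the rule reduces to `allow httpd_t httpd_$1_script_rw_t:{ file lnk_file } unlink;`. Removing a file also needs `remove_name` (and `write`) on the containing `httpd_$1_script_rw_t` directory, so if the PHP unlink still fails after this change, expect a `dir` denial next. The denial showing `httpd_t` rather than `httpd_sys_script_t` is expected: mod_php runs inside the httpd process, so no domain transition happens. The `httpd_enable_cgi` boolean visible just below is the policy's mechanism for running scripts in their own domain; moving the upload-processing step from mod_php into a CGI script would put the execs in `httpd_sys_script_t`, where the policy already expects them, instead of requiring exec permissions for `httpd_t`.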
