On Tuesday 22 March 2005 12:23, David Hampton <hampton-rh@xxxxxxxxxxxxxxxxxxx> wrote: > This is a new strict policy for the DCC spam filter. It is based on the > selinux-policy-strict-sources-1.23.2-1 fedora RPM. This policy requires > the definition of dcc reserved ports that were in the net_contexts diff > I sent last Wednesday. Please let me know if there are any problems > with or changes needed to this policy. Firstly, daemons should not be started with su. For correct handling of terminal file handles you should use /sbin/runuser to change the UID; it also requires less policy, which makes things easier. Why do you use both init_service_domain() and domain_auto_trans(initrc_t, dcc_script_exec_t, dcc_script_t)? Surely the daemon is to be started either from inittab or from an /etc/init.d script, but not both. Putting a unix domain socket in /etc is wrong. Among other things, it will probably break things for anyone who wants to run with a read-only root file system. Types used under the /var/run directory generally should have the pidfile attribute so that they can be cleaned up by boot scripts if necessary. There is a type dccm_sock_t defined which is not in the .fc file. Allowing access to sshd_t:fd is not what you want; use privfd:fd to allow the administrator to use a console login. Also you want to use admin_tty_type:chr_file instead of sysadm_devpts_t:chr_file for the same reason. I have attached some patches, but I think that more will need to be done. For starters, I don't think that there is a good cause for seven domains. Postfix has the current record with 13 domains, and I believe that Postfix has too many; one of the reasons why I asked Tresys to add a feature to apol to compare the access granted to domains was to determine which domains of Postfix are not needed. Without even knowing what DCC does, I feel confident in guessing that it's not nearly half as complex as Postfix and doesn't need so many domains.
Excessive domains make the policy difficult to analyse. For starters, dccifd_t and dccm_t can be merged. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page
--- dcc.fc.old 2005-04-22 00:21:50.000000000 +1000
+++ dcc.fc 2005-04-22 00:26:01.000000000 +1000
@@ -2,16 +2,16 @@
 /etc/dcc(/.*)? system_u:object_r:dcc_var_t
 /etc/dcc/map -- system_u:object_r:dcc_client_map_t
 /etc/dcc/dccifd -s system_u:object_r:dccifd_sock_t
-/usr/bin/cdcc system_u:object_r:cdcc_exec_t
-/usr/bin/dccproc system_u:object_r:dcc_client_exec_t
-/usr/libexec/dcc/dbclean system_u:object_r:dcc_dbclean_exec_t
-/usr/libexec/dcc/dccd system_u:object_r:dccd_exec_t
-/usr/libexec/dcc/dccifd system_u:object_r:dccifd_exec_t
-/usr/libexec/dcc/dccm system_u:object_r:dccm_exec_t
-/usr/libexec/dcc/start-.* system_u:object_r:dcc_script_exec_t
-/usr/libexec/dcc/stop-.* system_u:object_r:dcc_script_exec_t
+/usr/bin/cdcc -- system_u:object_r:cdcc_exec_t
+/usr/bin/dccproc -- system_u:object_r:dcc_client_exec_t
+/usr/libexec/dcc/dbclean -- system_u:object_r:dcc_dbclean_exec_t
+/usr/libexec/dcc/dccd -- system_u:object_r:dccd_exec_t
+/usr/libexec/dcc/dccifd -- system_u:object_r:dccifd_exec_t
+/usr/libexec/dcc/dccm -- system_u:object_r:dccm_exec_t
+/usr/libexec/dcc/start-.* -- system_u:object_r:dcc_script_exec_t
+/usr/libexec/dcc/stop-.* -- system_u:object_r:dcc_script_exec_t
 /var/dcc(/.*)? system_u:object_r:dcc_var_t
 /var/dcc/map -- system_u:object_r:dcc_client_map_t
-/var/run/dcc system_u:object_r:dcc_var_run_t
+/var/run/dcc -d system_u:object_r:dcc_var_run_t
 /var/run/dcc/map -- system_u:object_r:dcc_client_map_t
 /var/run/dcc/dccifd -s system_u:object_r:dccifd_sock_t
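Review bot: `/etc/dcc(/.*)?` and `/var/dcc(/.*)?` are both labelled `dcc_var_t`, so the configuration directory shares a type with the daemons' writable working data; the dcc.te hunks keep `create_dir_notdevfile(dccifd_t, dcc_var_t)` and `create_dir_notdevfile(dccm_t, dcc_var_t)`, which means a daemon that is compromised at runtime can also rewrite its own configuration under /etc. A separate type for the configuration tree (a name such as `dcc_etc_t` is only illustrative), e.g. `/etc/dcc(/.*)? system_u:object_r:dcc_etc_t`, with the daemon domains limited to `r_dir_file` on it, would keep configuration read-only for the daemons while leaving /var/dcc writable. The `--` and `-d` qualifiers added here are correct and should stay.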
--- dcc.te.old 2005-04-22 00:21:46.000000000 +1000
+++ dcc.te 2005-04-22 00:51:36.000000000 +1000
@@ -13,7 +13,7 @@
 # Files common to all dcc programs
 type dcc_client_map_t, file_type, sysadmfile;
 type dcc_var_t, file_type, sysadmfile;
-type dcc_var_run_t, file_type, sysadmfile;
+type dcc_var_run_t, file_type, sysadmfile, pidfile;
 ##########
@@ -23,8 +23,6 @@
 # common to all dcc variants
 #
 define(`dcc_common',`
-# Access files in /var/dcc. The map file can be updated
-r_dir_file($1_t, dcc_var_t)
 allow $1_t dcc_client_map_t:file rw_file_perms;
 # Read mtab, nsswitch and locale
@@ -46,11 +44,7 @@
 # Triggered by a call to gethostid(2) in dcc client libs
 allow $1_t self:unix_stream_socket { connect create };
-allow $1_t sysadm_su_t:process { sigchld };
 allow $1_t dcc_script_t:fd use;
-
-dontaudit $1_t kernel_t:fd use;
-dontaudit $1_t root_t:file read;
 ')
@@ -87,13 +81,14 @@
 application_domain(cdcc, `, nscd_client_domain')
 role system_r types cdcc_t;
 dcc_common(cdcc)
+r_dir_file(cdcc_t, dcc_var_t)
 # suid program
 allow cdcc_t self:capability setuid;
 # Running from the command line
-allow cdcc_t sshd_t:fd use;
-allow cdcc_t sysadm_devpts_t:chr_file rw_file_perms;
+allow cdcc_t privfd:fd use;
+allow cdcc_t admin_tty_type:chr_file rw_file_perms;
@@ -117,9 +112,6 @@
 # Updating dcc_db, flod, ...
 create_dir_notdevfile(dccifd_t, dcc_var_t);
-# Updating map, ...
-allow dccifd_t dcc_client_map_t:file rw_file_perms;
-
 # dccifd communications socket
 type dccifd_sock_t, file_type, sysadmfile;
 file_type_auto_trans(dccifd_t, dcc_var_t, dccifd_sock_t, sock_file)
@@ -137,7 +129,6 @@
 # Updating map, ...
 create_dir_notdevfile(dccm_t, dcc_var_t);
-allow dccm_t dcc_client_map_t:file rw_file_perms;
 # dccm communications socket
 type dccm_sock_t, file_type, sysadmfile;
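Review bot: Removing `r_dir_file($1_t, dcc_var_t)` from `dcc_common` (the `@@ -23,8 +23,6 @@` hunk) withdraws read access to `dcc_var_t` from every domain that expands the macro, and the later hunks restore it only for `cdcc_t`, `dcc_client_t` and `dcc_script_t`. `dccifd_t` and `dccm_t` still have `create_dir_notdevfile` on `dcc_var_t`, but `dccd_t` and `dcc_dbclean_t` are not visible in this patch, so confirm they get read (or create) access to `dcc_var_t` by some other rule or they will lose it silently and fail at runtime with an AVC denial. The `dcc_common` define body continues past the end of this hunk.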
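Review bot: `allow $1_t dcc_script_t:fd use;` remains in `dcc_common` (the `@@ -46,11 +44,7 @@` hunk) after the `sysadm_su_t` rule is dropped, so the command-line client domains `cdcc_t` and `dcc_client_t` also receive descriptor inheritance from `dcc_script_t`, which only the daemon domains that the script execs need. Moving that rule out of the macro to sit beside the `domain_auto_trans(dcc_script_t, …)` lines, as `allow { dccd_t dccm_t dccifd_t } dcc_script_t:fd use;`, keeps the client policy to what the clients actually do. The macro body begins before this hunk.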
@@ -150,13 +141,14 @@
 application_domain(dcc_client, `, privlog, nscd_client_domain')
 role system_r types dcc_client_t;
 dcc_common(dcc_client)
+r_dir_file(dcc_client_t, dcc_var_t)
 # suid program
 allow dcc_client_t self:capability setuid;
 # Running from the command line
-allow dcc_client_t sshd_t:fd use;
-allow dcc_client_t sysadm_devpts_t:chr_file rw_file_perms;
+allow dcc_client_t privfd:fd use;
+allow dcc_client_t admin_tty_type:chr_file rw_file_perms;
 ##########
@@ -180,8 +172,8 @@
 allow dcc_dbclean_t proc_t:file { getattr read };
 # Running from the command line
-allow dcc_dbclean_t sshd_t:fd use;
-allow dcc_dbclean_t sysadm_devpts_t:chr_file rw_file_perms;
+allow dcc_dbclean_t privfd:fd use;
+allow dcc_dbclean_t admin_tty_type:chr_file rw_file_perms;
 ##########
 ##########
@@ -197,19 +189,16 @@
 general_proc_read_access(dcc_script_t)
 can_exec_any(dcc_script_t)
 dcc_common(dcc_script)
+r_dir_file(dcc_script_t, dcc_var_t)
 # Allow calling the script from an init script (initrt_t) or from
-# rc.local (staff_t)
-domain_auto_trans({ initrc_t staff_t }, dcc_script_exec_t, dcc_script_t)
+# rc.local
+domain_auto_trans(initrc_t, dcc_script_exec_t, dcc_script_t)
-# Start up the daemon process. These scripts run 'su' to change to
-# the dcc user (even though the default dcc user is root).
 allow dcc_script_t self:capability setuid;
-su_restricted_domain(dcc_script, system)
-role system_r types dcc_script_su_t;
-domain_auto_trans(dcc_script_su_t, dccd_exec_t, dccd_t)
-domain_auto_trans(dcc_script_su_t, dccm_exec_t, dccm_t)
-domain_auto_trans(dcc_script_su_t, dccifd_exec_t, dccifd_t)
+domain_auto_trans(dcc_script_t, dccd_exec_t, dccd_t)
+domain_auto_trans(dcc_script_t, dccm_exec_t, dccm_t)
+domain_auto_trans(dcc_script_t, dccifd_exec_t, dccifd_t)
 # Stop the daemon process
 allow dcc_script_t { dccifd_t dccm_t }:process { sigkill signal };
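Review bot: In the `@@ -197,19 +189,16 @@` hunk `allow dcc_script_t self:capability setuid;` is kept while the comment that justified it (the `su` explanation) is deleted, so the new side carries an unexplained capability grant in the script domain. If the start scripts are converted to runuser as the message recommends, they will most likely also need `setgid` to change group; a comment such as `# start-* scripts switch uid/gid to the dcc user before exec'ing the daemons` above the rule, and checking whether `allow dcc_script_t self:capability { setuid setgid };` is what the audit log actually asks for, would document and right-size it. The unchanged context comment still says `initrt_t` where `initrc_t` is meant. The `dcc_script_t` rule block continues past this hunk.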
@@ -218,19 +207,11 @@
 allow dcc_script_t { var_t var_run_t dcc_var_run_t}:dir { getattr search };
 allow dcc_script_t { dccifd_var_run_t dccm_var_run_t }:file { getattr read };
-allow { dcc_script_t dcc_script_su_t } initrc_t:fd use;
-allow { dcc_script_t dcc_script_su_t } devpts_t:dir search;
-allow { dcc_script_t dcc_script_su_t } initrc_devpts_t:chr_file rw_file_perms;
+allow dcc_script_t devpts_t:dir search;
+allow dcc_script_t initrc_devpts_t:chr_file rw_file_perms;
 allow dcc_script_t devtty_t:chr_file { read write };
-allow dcc_script_su_t sysadm_home_dir_t:dir search;
-allow dcc_script_su_t sysadm_t:process { noatsecure rlimitinh siginh transition };
-allow dcc_script_su_t initrc_devpts_t:chr_file { relabelfrom relabelto };
-
-dontaudit dcc_script_su_t kernel_t:fd use;
-dontaudit dcc_script_su_t root_t:file read;
-dontaudit dcc_script_t { home_root_t user_home_dir_t}:dir { getattr search };
-allow sysadm_t dcc_script_t:fd use;
+dontaudit dcc_script_t home_root_t:dir { getattr search };
 ##########
 ##########
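Review bot: The removed `allow { dcc_script_t dcc_script_su_t } initrc_t:fd use;` is not replaced by a `dcc_script_t`-only rule, unlike the two devpts rules right after it that are narrowed rather than dropped. Unless `init_service_domain()` already grants `initrc_t:fd use` to the script domain, a start script launched from an init script will be denied use of the descriptors it inherits, which would show up as `avc: denied { use }` on `dcc_script_t`. If it is covered elsewhere, a comment such as `# initrc_t:fd use is granted by init_service_domain()` beside the devpts rules would make that dependency explicit. The `dcc_script_t` rule block begins before this hunk.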