On Tuesday 13 September 2005 01:00, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote: > > NB Setting secure_mode_policyload to default to 1 at boot time will > > work, but that means policy can only be loaded once at boot (should be > > able to install new policy and reboot the machine though). Setting > > secure_mode_insmod at boot will probably make the boot process fail for > > all non-trivial machines, because the initial values of booleans are set before > > modules for devices such as Ethernet cards are loaded. Setting secure_mode_insmod > > after the boot process is completed might be a good idea if you have no > > plans to use USB or Cardbus/PCMCIA; there have been exploits which relied > > on the ability to trick the system into loading modules (e.g. the ptrace > > exploit). > > Did you attach the wrong patch? The one you sent doesn't define new > booleans; it just wraps additional rules with the existing secure_mode > boolean. I attached the patch, re-worked it, and then forgot to attach the new patch. The correct patch is attached to this message. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page
--- macros/global_macros.te.orig 2005-09-12 16:22:12.000000000 +1000
+++ macros/global_macros.te 2005-09-12 16:23:37.000000000 +1000
@@ -699,8 +699,10 @@
 allow $1 domain:msg { send receive };
 # Access the security API.
+if (!secure_mode_policyload) {
 allow $1 security_t:security *;
 auditallow $1 security_t:security { load_policy setenforce setbool };
+}dnl end if !secure_mode_policyload
 # Perform certain system operations that lacked individual capabilities.
 allow $1 kernel_t:system *;
--- macros/core_macros.te.orig 2005-09-12 16:14:59.000000000 +1000
+++ macros/core_macros.te 2005-09-12 16:33:15.000000000 +1000
@@ -306,8 +306,10 @@
 # Access selinuxfs.
 allow $1 security_t:dir { read search getattr };
 allow $1 security_t:file { getattr read write };
+if (!secure_mode_policyload) {
 allow $1 security_t:security setenforce;
 auditallow $1 security_t:security setenforce;
+}dnl end if !secure_mode_policyload
 ')
 ##################################
@@ -326,8 +328,10 @@
 # Access selinuxfs.
 allow $1 security_t:dir { read search getattr };
 allow $1 security_t:file { getattr read write };
+if (!secure_mode_policyload) {
 allow $1 security_t:security setbool;
 auditallow $1 security_t:security setbool;
+}dnl end if !secure_mode_policyload
 ')
 ##################################
@@ -367,8 +371,10 @@
 # Access selinuxfs.
 allow $1 security_t:dir { read search getattr };
 allow $1 security_t:file { getattr read write };
+if (!secure_mode_policyload) {
 allow $1 security_t:security load_policy;
 auditallow $1 security_t:security load_policy;
+}dnl end if !secure_mode_policyload
 ')
 #################################
--- domains/program/load_policy.te.orig 2005-09-12 16:38:10.000000000 +1000
+++ domains/program/load_policy.te 2005-09-12 16:39:59.000000000 +1000
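Review bot: Wrapping `allow $1 security_t:security *;` in `if (!secure_mode_policyload)` in the macros/global_macros.te hunk withdraws every permission in the security class once the boolean is set, not only the three named on the auditallow line. Domains built with this macro would then also lose the query permissions (compute_av, check_context and similar) that SELinux-aware programs use, which looks broader than the stated aim of blocking policy load, setenforce and setbool. Consider keeping the rest unconditional with `allow $1 security_t:security ~{ load_policy setenforce setbool };` and leaving only `allow $1 security_t:security { load_policy setenforce setbool };` plus the auditallow inside the conditional. The enclosing macro starts and ends outside the hunk.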
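Review bot: The comment above each guarded rule in macros/core_macros.te still reads only `# Access selinuxfs.`, so nothing in the hunk at line 306, or in the matching ones at lines 328 and 371, tells a reader that the grant disappears when the boolean is set, or that a boolean named for policy loading also gates setenforce and setbool. Suggest adding above each `if`: `# Withdrawn for every caller of this macro once secure_mode_policyload is set.` Once the boolean is on, attempts will surface as AVC denials rather than as the auditallow records, which is worth stating for whoever monitors these events. The macro definitions open outside the hunks.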
@@ -8,6 +8,10 @@
 # load_policy_t is the domain type for load_policy
 # load_policy_exec_t is the file type for the executable
+# boolean to determine whether the system permits loading policy, setting
+# enforcing mode, and changing boolean values. Set this to true and you
+# have to reboot to set it back
+bool secure_mode_policyload false;
 type load_policy_t, domain;
 role sysadm_r types load_policy_t;
--- domains/program/modutil.te.orig 2005-09-12 16:41:56.000000000 +1000
+++ domains/program/modutil.te 2005-09-12 16:46:07.000000000 +1000
@@ -77,6 +77,11 @@
 ;
 role system_r types insmod_t;
 role sysadm_r types insmod_t;
+type insmod_exec_t, file_type, exec_type, sysadmfile;
+
+bool secure_mode_insmod false;
+
+if (!secure_mode_insmod) {
 ifdef(`unlimitedUtils', `
 unconfined_domain(insmod_t)
@@ -161,7 +166,6 @@
 allow insmod_t device_t:dir read;
 allow insmod_t devpts_t:dir { getattr search };
-type insmod_exec_t, file_type, exec_type, sysadmfile;
 domain_auto_trans(privmodule, insmod_exec_t, insmod_t)
 can_exec(insmod_t, { insmod_exec_t shell_exec_t bin_t sbin_t etc_t })
 allow insmod_t devtty_t:chr_file rw_file_perms;
@@ -177,6 +181,7 @@
 # for nscd
 dontaudit insmod_t var_run_t:dir search;
+}dnl end if !secure_mode_insmod
 ifdef(`crond.te', `
 rw_dir_create_file(system_crond_t, var_log_ksyms_t)
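Review bot: The new comment on `bool secure_mode_policyload false;` should state that the lock only holds in enforcing mode: while the system is permissive the withdrawn load_policy, setenforce and setbool permissions are merely logged as denials, so setting the boolean there locks nothing. Proposed extra line: `# Only effective while enforcing; switch to enforcing mode before setting this.` Separately, macros/core_macros.te and macros/global_macros.te now reference this boolean, so its declaration must be present in every policy build. If load_policy.te can be left out of a build (not visible from this hunk), declaring it alongside the existing secure_mode boolean would avoid an undefined-boolean compile error.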
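Review bot: The `if (!secure_mode_insmod) {` opened in the first modutil.te hunk is closed only in the hunk at line 181, so it encloses the unlimitedUtils ifdef that calls `unconfined_domain(insmod_t)` as well as `domain_auto_trans(...)`, `can_exec(...)` and every line between the hunks that is not visible here. Conditional blocks in the policy language accept only a restricted set of rule statements and cannot be nested, so if unconfined_domain is the macro patched in macros/global_macros.te, a build with unlimitedUtils defined would expand `if (!secure_mode_policyload)` inside this block and likely fail to compile; any type, role or attribute statement left inside needs the same hoisting that `type insmod_exec_t` received. The new boolean also has no comment; suggest `# Set to withdraw all insmod_t rules in this file; domains that hold sys_module through other rules can still load modules.` above `bool secure_mode_insmod false;`.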