Re: please review my firefox policy?

Peter Pun wrote:
Hi Everyone,

I created this firefox policy; it is probably allowing too many unnecessary things. If anyone could comment on it, I'd appreciate it. The matter is, someone was able to break out to unconfined and disable a 000 ACL on /bin/su. This is a surf machine, with no listening daemons, postfix is blocked by firewall and unconfigured, not even cups is running. So I think the hole must be through firefox.


Did you look at mozilla.te, mozilla.if, and mozilla.fc?

These policies already do most of what you want here.
------------------------------------------------------------

policy_module(foxpol,1.0.5)

########################################
#
# Declarations
#
require {
    type fonts_t;
    type inotifyfs_t;
    type proc_net_t;
    type proc_t;
    type urandom_device_t;
    type user_home_dir_t;
    type user_home_t;
    type xdm_t;
    type sysctl_kernel_t;
    type sysctl_net_t;
    type sysctl_t;
    type home_root_t;
    type fs_t;
    type autofs_t;
    type unconfined_execmem_t;
    # used by rules further down but missing from the original require block;
    # without these declarations the module does not compile
    type unconfined_t;
    type tmp_t;
    type tmpfs_t;
    type usr_t;
};

If you use module interfaces you will not need this section.

/usr/share/selinux/devel/include
type foxpol_t;
type foxpol_exec_t;
domain_type(foxpol_t)
init_daemon_domain(foxpol_t, foxpol_exec_t)

# log files
type foxpol_var_log_t;
logging_log_file(foxpol_var_log_t)

# download dir, which firefox has write access to
type foxpol_down_t;

files_type(foxpol_down_t)
# private_t dir - a labeled dir which fox cannot read, made because
#              - fox has read access to home dir
type private_t;

########################################
#
# foxpol local policy
#
# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.

# Some common macros (you might be able to remove some)
files_read_etc_files(foxpol_t)
libs_use_ld_so(foxpol_t)
libs_use_shared_libs(foxpol_t)
miscfiles_read_localization(foxpol_t)
## internal communication is often done using fifo and unix sockets.
allow foxpol_t self:fifo_file { read write };
allow foxpol_t self:unix_stream_socket create_stream_socket_perms;

# log files
allow foxpol_t foxpol_var_log_t:file create_file_perms;
allow foxpol_t foxpol_var_log_t:sock_file create_file_perms;
allow foxpol_t foxpol_var_log_t:dir { rw_dir_perms setattr };
logging_log_filetrans(foxpol_t,foxpol_var_log_t,{ sock_file file dir })

## Networking basics (adjust to your needs!)
sysnet_dns_name_resolve(foxpol_t)
corenet_tcp_sendrecv_all_if(foxpol_t)
corenet_tcp_sendrecv_all_nodes(foxpol_t)
corenet_tcp_sendrecv_all_ports(foxpol_t)
corenet_non_ipsec_sendrecv(foxpol_t)
corenet_tcp_connect_http_port(foxpol_t)
#corenet_tcp_connect_all_ports(foxpol_t)
## if it is a network daemon, consider these:
#corenet_tcp_bind_all_ports(foxpol_t)
#corenet_tcp_bind_all_nodes(foxpol_t)
allow foxpol_t self:tcp_socket { listen accept };

# Init script handling
init_use_fds(foxpol_t)
init_use_script_ptys(foxpol_t)
domain_use_interactive_fds(foxpol_t)

# ok copy files to download dir
allow unconfined_t foxpol_down_t:dir { add_name getattr setattr read relabelto remove_name search write rmdir };
allow unconfined_t foxpol_down_t:file { execute create getattr setattr read write append rename link unlink ioctl lock };

You should not need these rules; unconfined domains can do anything they want to the system, although you probably want a transition from unconfined_*t to foxpol_t.
# ok unconfined processes to open files in download dir
allow unconfined_execmem_t foxpol_down_t:dir { create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl };
allow unconfined_execmem_t foxpol_down_t:file { create getattr setattr read write append rename link unlink ioctl lock };

# ok fox to write to download dir
allow foxpol_t foxpol_down_t:dir { add_name create getattr read search write remove_name };
allow foxpol_t foxpol_down_t:file { create setattr getattr read write rename unlink append };

Please use define statements like rw_dir_perms and create_file_perms. It makes the policy easier to read.
# ok unconfined process to open files in private dir
allow unconfined_execmem_t private_t:dir { create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl };
allow unconfined_execmem_t private_t:file { create getattr setattr read write append rename link unlink ioctl lock };
allow unconfined_t private_t:dir { create getattr setattr read write link unlink rename search add_name remove_name reparent relabelfrom relabelto rmdir lock ioctl };
allow unconfined_t private_t:file { relabelto create getattr setattr read write append rename link unlink ioctl lock };
allow private_t fs_t:filesystem associate;

# ok fox to create new stuff in .mozilla
allow foxpol_t foxpol_var_log_t:dir create;



#
# audit2allow says it wants all the stuff below, it also wanted exec rights to bin_t which I removed
#
You might want to try audit2allow -R for these and try to use reference policy.
allow foxpol_down_t fs_t:filesystem associate;
allow foxpol_t autofs_t:dir getattr;
allow foxpol_t fonts_t:dir { getattr read search };
allow foxpol_t fonts_t:file { getattr read };
allow foxpol_t foxpol_down_t:dir { add_name create getattr read search write };
allow foxpol_t foxpol_down_t:file { create getattr write };
allow foxpol_t self:fifo_file getattr;
allow foxpol_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
allow foxpol_t self:process { getsched setsched signal };
allow foxpol_t self:shm { create destroy read unix_read unix_write write };
allow foxpol_t self:unix_dgram_socket create;
allow foxpol_t foxpol_var_log_t:lnk_file { create unlink };
allow foxpol_t home_root_t:dir { getattr read search };
allow foxpol_t inotifyfs_t:dir { getattr read };
allow foxpol_t proc_net_t:dir { read search };
allow foxpol_t proc_net_t:file { getattr read };
allow foxpol_t proc_t:file { getattr read };
allow foxpol_t sysctl_kernel_t:dir search;
allow foxpol_t sysctl_kernel_t:file read;
allow foxpol_t sysctl_net_t:dir search;
allow foxpol_t sysctl_t:dir search;
allow foxpol_t tmp_t:dir { add_name getattr read remove_name search setattr write };
allow foxpol_t tmp_t:file { create getattr lock read unlink write };
allow foxpol_t tmp_t:sock_file { create unlink write };
allow foxpol_t tmpfs_t:file { read write };
# allow foxpol_t unconfined_t:unix_stream_socket connectto;
allow foxpol_t urandom_device_t:chr_file { getattr ioctl read };
allow foxpol_t user_home_dir_t:dir { getattr read search };
allow foxpol_t user_home_t:dir { getattr read search };
allow foxpol_t user_home_t:file { getattr read };
allow foxpol_t usr_t:file { getattr read };
allow foxpol_t usr_t:lnk_file read;
allow foxpol_t xdm_t:unix_stream_socket connectto;

------------------------------------------------------------------------

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
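The reply above recommends three things: reference policy interfaces instead of raw allow rules, the permission-set macros (rw_dir_perms, create_file_perms and friends), and a domain transition from unconfined_t into foxpol_t so the browser actually runs confined. The module below is an added example of the same policy rewritten along those lines; it is not from the thread and not the original poster's policy. The interface names are those of the reference policy under /usr/share/selinux/devel/include and several of them (application_domain, userdom_read_user_home_content_files, xserver_stream_connect_xdm, the corenet_*_generic_* family, fs_rw_tmpfs_files) are assumptions about the refpolicy version installed; confirm each with grep in that include tree before building. application_domain is swapped in for the original init_daemon_domain because a browser is started by a user session, not by init. Nothing grants foxpol_t any access to private_t, which is the whole point of that type.

```selinux
policy_module(foxpol, 1.0.6)

########################################
#
# Declarations
#

# Assumed interface: marks foxpol_t as a user application entered via foxpol_exec_t
type foxpol_t;
type foxpol_exec_t;
application_domain(foxpol_t, foxpol_exec_t)

# Download directory: the only home content the browser may create or modify
type foxpol_down_t;
files_type(foxpol_down_t)

# User data the browser must never see; no rule in this module names it
type private_t;
files_type(private_t)

########################################
#
# foxpol local policy
#

# Basics that every dynamically linked program needs
files_read_etc_files(foxpol_t)
libs_use_ld_so(foxpol_t)
libs_use_shared_libs(foxpol_t)
miscfiles_read_localization(foxpol_t)
miscfiles_read_fonts(foxpol_t)
files_read_usr_files(foxpol_t)
dev_read_urand(foxpol_t)

# /proc and sysctl reads that audit2allow reported as proc_t, proc_net_t, sysctl_*_t
kernel_read_system_state(foxpol_t)
kernel_read_network_state(foxpol_t)
kernel_read_kernel_sysctls(foxpol_t)

# Self permissions, written with the permission sets from obj_perm_sets.spt
allow foxpol_t self:process { getsched setsched signal };
allow foxpol_t self:fifo_file rw_fifo_file_perms;
allow foxpol_t self:unix_stream_socket create_stream_socket_perms;
allow foxpol_t self:unix_dgram_socket create_socket_perms;
allow foxpol_t self:shm { create destroy read write unix_read unix_write };
allow foxpol_t self:netlink_route_socket r_netlink_socket_perms;

# Temporary files (replaces the raw tmp_t and tmpfs_t rules)
files_manage_generic_tmp_dirs(foxpol_t)
files_manage_generic_tmp_files(foxpol_t)
fs_rw_tmpfs_files(foxpol_t)

# Networking: outbound HTTP/HTTPS only. No listen or accept on this surf box.
sysnet_dns_name_resolve(foxpol_t)
corenet_tcp_sendrecv_generic_if(foxpol_t)
corenet_tcp_sendrecv_generic_node(foxpol_t)
corenet_tcp_sendrecv_http_port(foxpol_t)
corenet_tcp_connect_http_port(foxpol_t)

# X display via the display manager's socket (replaces the xdm_t connectto rule)
xserver_stream_connect_xdm(foxpol_t)

# Home directory: browse and read ordinary user files, write only the download dir.
# private_t is deliberately absent here.
userdom_search_user_home_dirs(foxpol_t)
userdom_read_user_home_content_files(foxpol_t)
manage_dirs_pattern(foxpol_t, foxpol_down_t, foxpol_down_t)
manage_files_pattern(foxpol_t, foxpol_down_t, foxpol_down_t)

# Transition: an unconfined user who executes the browser binary lands in foxpol_t.
# Without this the process simply stays unconfined_t and the rules above never apply.
require {
    type unconfined_t;
}
domtrans_pattern(unconfined_t, foxpol_exec_t, foxpol_t)
```

For the transition to take effect the browser binary has to be labeled foxpol_exec_t, so the module needs a foxpol.fc line such as `/usr/lib/firefox.*/firefox-bin -- gen_context(system_u:object_r:foxpol_exec_t,s0)` (the path is an assumption; use whatever `which firefox` resolves to on the machine), followed by restorecon on that path. After installing, `ps -eZ | grep firefox` should show foxpol_t; if it still shows unconfined_t, the breakout described at the top of the thread was never a breakout at all, because the browser was never confined. Denials that remain can be fed to `audit2allow -R` as the reply suggests, which proposes interface calls rather than raw allow rules.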
