Peter Pun wrote:
Hi Everyone,
I created this firefox policy; it is probably allowing too many
unecessary things. If anyone could comment on it, I'd appreciate it.
The matter is, someone was able to break out to unconfined and disable
a 000 ACL on /bin/su. This is a surf machine, with no listening
daemons, postfix is blocked by firewall and unconfigured, not even
cups is running. So I think the hole must be through firefox.
Did you look at mozilla.te, mozilla.if, and mozilla.fc?
These policies already do most of what you want here.
------------------------------------------------------------
policy_module(foxpol,1.0.5)
########################################
#
# Declarations
#
require {
type fonts_t;
type inotifyfs_t;
type proc_net_t;
type proc_t;
type urandom_device_t;
type user_home_dir_t;
type user_home_t;
type xdm_t;
type sysctl_kernel_t;
type sysctl_net_t;
type sysctl_t;
type home_root_t;
type fs_t;
type autofs_t;
type unconfined_execmem_t;
};
If you use module interfaces you will not need this section.
/usr/share/selinux/devel/include
type foxpol_t;
type foxpol_exec_t;
domain_type(foxpol_t)
init_daemon_domain(foxpol_t, foxpol_exec_t)
# log files
type foxpol_var_log_t;
logging_log_file(foxpol_var_log_t)
# download dir, which firefox has write access to
type foxpol_down_t;
files_type(foxpol_down_t)
# private_t dir - a labled dir which fox cannot read, made because
# - fox has read access to home dir
type private_t;
########################################
#
# foxpol local policy
#
# Check in /etc/selinux/refpolicy/include for macros to use instead of
allow rules.
# Some common macros (you might be able to remove some)
files_read_etc_files(foxpol_t)
libs_use_ld_so(foxpol_t)
libs_use_shared_libs(foxpol_t)
miscfiles_read_localization(foxpol_t)
## internal communication is often done using fifo and unix sockets.
allow foxpol_t self:fifo_file { read write };
allow foxpol_t self:unix_stream_socket create_stream_socket_perms;
# log files
allow foxpol_t foxpol_var_log_t:file create_file_perms;
allow foxpol_t foxpol_var_log_t:sock_file create_file_perms;
allow foxpol_t foxpol_var_log_t:dir { rw_dir_perms setattr };
logging_log_filetrans(foxpol_t,foxpol_var_log_t,{ sock_file file dir })
## Networking basics (adjust to your needs!)
sysnet_dns_name_resolve(foxpol_t)
corenet_tcp_sendrecv_all_if(foxpol_t)
corenet_tcp_sendrecv_all_nodes(foxpol_t)
corenet_tcp_sendrecv_all_ports(foxpol_t)
corenet_non_ipsec_sendrecv(foxpol_t)
corenet_tcp_connect_http_port(foxpol_t)
#corenet_tcp_connect_all_ports(foxpol_t)
## if it is a network daemon, consider these:
#corenet_tcp_bind_all_ports(foxpol_t)
#corenet_tcp_bind_all_nodes(foxpol_t)
allow foxpol_t self:tcp_socket { listen accept };
# Init script handling
init_use_fds(foxpol_t)
init_use_script_ptys(foxpol_t)
domain_use_interactive_fds(foxpol_t)
# ok copy files to download dir
allow unconfined_t foxpol_down_t:dir { add_name getattr setattr read
relabelto remove_name search write rmdir };
allow unconfined_t foxpol_down_t:file { execute create getattr setattr
read write append rename link unlink ioctl lock };
You should not need these rules unconfined_domains can do anything they
want to the system, although you probably want a transition from
unconfined_*t to foxpol_t
# ok unconfined processes to open files in download dir
allow unconfined_execmem_t foxpol_down_t:dir { create getattr setattr
read write link unlink rename search add_name remove_name reparent
rmdir lock ioctl } ;
allow unconfined_execmem_t foxpol_down_t:file { create getattr setattr
read write append rename link unlink ioctl lock };
# ok fox to write to download dir
allow foxpol_t foxpol_down_t:dir { add_name create getattr read search
write remove_name };
allow foxpol_t foxpol_down_t:file { create setattr getattr read write
rename unlink append };
Please use define statements like rw_dir_perms and create_file_perms.
Makes the policy easier to read.
# ok unconfined process to open files in private dir
allow unconfined_execmem_t private_t:dir { create getattr setattr read
write link unlink rename search add_name remove_name reparent rmdir
lock ioctl };
allow unconfined_execmem_t private_t:file { create getattr setattr
read write append rename link unlink ioctl lock };
allow unconfined_t private_t:dir { create getattr setattr read write
link unlink rename search add_name remove_name reparent relabelfrom
relabelto rmdir lock ioctl };
allow unconfined_t private_t:file { relabelto create getattr setattr
read write append rename link unlink ioctl lock };
allow private_t fs_t:filesystem associate;
# ok fox to create new stuff in .mozilla
allow foxpol_t foxpol_var_log_t:dir create;
#
# audit2allow says it wants all the stuff below, it also wanted exec
rights to bin_t which I removed
#
You might want to try audit2allow -R for these and try to use reference
policy.
allow foxpol_down_t fs_t:filesystem associate;
allow foxpol_t autofs_t:dir getattr;
allow foxpol_t fonts_t:dir { getattr read search };
allow foxpol_t fonts_t:file { getattr read };
allow foxpol_t foxpol_down_t:dir { add_name create getattr read search
write };
allow foxpol_t foxpol_down_t:file { create getattr write };
allow foxpol_t self:fifo_file getattr;
allow foxpol_t self:netlink_route_socket { bind create getattr
nlmsg_read read write };
allow foxpol_t self:process { getsched setsched signal };
allow foxpol_t self:shm { create destroy read unix_read unix_write
write };
allow foxpol_t self:unix_dgram_socket create;
allow foxpol_t foxpol_var_log_t:lnk_file { create unlink };
allow foxpol_t home_root_t:dir { getattr read search };
allow foxpol_t inotifyfs_t:dir { getattr read };
allow foxpol_t proc_net_t:dir { read search };
allow foxpol_t proc_net_t:file { getattr read };
allow foxpol_t proc_t:file { getattr read };
allow foxpol_t sysctl_kernel_t:dir search;
allow foxpol_t sysctl_kernel_t:file read;
allow foxpol_t sysctl_net_t:dir search;
allow foxpol_t sysctl_t:dir search;
allow foxpol_t tmp_t:dir { add_name getattr read remove_name search
setattr write };
allow foxpol_t tmp_t:file { create getattr lock read unlink write };
allow foxpol_t tmp_t:sock_file { create unlink write };
allow foxpol_t tmpfs_t:file { read write };
# allow foxpol_t unconfined_t:unix_stream_socket connectto;
allow foxpol_t urandom_device_t:chr_file { getattr ioctl read };
allow foxpol_t user_home_dir_t:dir { getattr read search };
allow foxpol_t user_home_t:dir { getattr read search };
allow foxpol_t user_home_t:file { getattr read };
allow foxpol_t usr_t:file { getattr read };
allow foxpol_t usr_t:lnk_file read;
allow foxpol_t xdm_t:unix_stream_socket connectto;
------------------------------------------------------------------------
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list