This is written on an FC3 base system using the selinux-policy-strict- sources-1.22.1-2 policy from March 11th. These are the first policies I've submitted so I'd appreciate any comments on how to write better policies.
David
David Hampton wrote:
This is written on an FC3 base system using the selinux-policy-strict- sources-1.22.1-2 policy from March 11th. These are the first policies I've submitted so I'd appreciate any comments on how to write better policies.
David
Why did you create a yam_crond_t? Why not just transition to yam_t from crond?
Dan
# yam /etc/yam.conf -- system_u:object_r:yam_etc_t /usr/bin/yam system_u:object_r:yam_exec_t /var/yam(/.*)? system_u:object_r:yam_content_t /var/www/yam(/.*)? system_u:object_r:yam_content_t
# DESC yam - Yum/Apt Mirroring # # Author: David Hampton hampton@employees.org #
# # Yam downloads lots of files, indexes them, and makes them available # for upload. Define a type for these file. # type yam_content_t, file_type, sysadmfile, httpdcontent;
# # Common definitions used by both the command line and the cron # invocation of yam. # define(`yam_common',`
# Update the content being managed by yam. create_dir_file($1_t, yam_content_t)
# Content can also be on ISO image files. r_dir_file($1_t, iso9660_t)
# Need to go through /var to get to /var/yam # Go through /var/www to get to /var/www/yam allow $1_t var_t:dir { getattr search }; allow $1_t httpd_sys_content_t:dir { getattr search };
# Allow access to locale database, nsswitch, and mtab read_locale($1_t) allow $1_t etc_t:file { getattr read }; allow $1_t etc_runtime_t:file { getattr read };
# Python seems to need things from various places allow $1_t { bin_t sbin_t }:dir { search getattr }; allow $1_t { bin_t sbin_t lib_t usr_t }:file { getattr read }; allow $1_t bin_t:lnk_file read;
# Python works fine without reading /proc/meminfo dontaudit $1_t proc_t:dir search; dontaudit $1_t proc_t:file { getattr read };
# Yam wants to run rsync, lftp, mount, and a shell. Allow the latter # two here. Run rsync and lftp in the yam_t context so that we dont # have to give any other programs write access to the yam_t files. general_domain_access($1_t) can_exec($1_t, shell_exec_t) can_exec($1_t, rsync_exec_t) can_exec($1_t, bin_t) can_exec($1_t, usr_t) #/usr/share/createrepo/genpkgmetadata.py ifdef(`mount.te', ` domain_auto_trans($1_t, mount_exec_t, mount_t) ')
# Rsync and lftp need to network. They also set files attributes to # match whats on the remote server. can_network_client($1_t) allow $1_t self:capability { chown fowner fsetid dac_override };
# access to sysctl_kernel_t ( proc/sys/kernel/* ) read_sysctl($1_t)
# Programs invoked to build package lists need various permissions. # genpkglist creates tmp files in /var/cache/apt/genpkglist allow $1_t var_t:file { getattr read write }; allow $1_t var_t:dir read; # mktemp allow $1_t urandom_device_t:chr_file read; # mv allow $1_t proc_t:lnk_file read; allow $1_t selinux_config_t:dir search; allow $1_t selinux_config_t:file { getattr read }; ')
########## ##########
# # Runnig yam from the command line # application_domain(yam, `, nscd_client_domain') role system_r types yam_t; yam_common(yam) etc_domain(yam) tmp_domain(yam)
# Terminal access allow yam_t devpts_t:dir search; allow yam_t devtty_t:chr_file { read write }; allow yam_t sshd_t:fd use; allow yam_t sysadm_devpts_t:chr_file { getattr ioctl read write };
# Reading dotfiles... dontaudit yam_t staff_home_dir_t:dir search; # /root allow yam_t home_root_t:dir search; # /home allow yam_t user_home_dir_t:dir { getattr search }; # /home/user
########## ##########
# # Running yam from cron # application_domain(yam_crond, `, nscd_client_domain') role system_r types yam_crond_t; ifdef(`crond.te', ` system_crond_entry(yam_exec_t, yam_crond_t) ')
yam_common(yam_crond) allow yam_crond_t yam_etc_t:file r_file_perms; file_type_auto_trans(yam_crond_t, tmp_t, yam_tmp_t, `{ file dir }')
allow yam_crond_t devtty_t:chr_file { read write };
# Reading dotfiles... # LFTP uses a directory for its dotfiles allow yam_crond_t default_t:dir search;
# Don't know why init tries to read this. allow initrc_t yam_etc_t:file read;
########## ##########
# The whole point of this program is to make updates available on a # local web server. Allow apache access to these files. ifdef(`apache.te', ` allow httpd_t yam_content_t:dir { getattr search }; allow httpd_t yam_content_t:file { getattr read }; allow httpd_t yam_content_t:lnk_file { getattr read }; ')
# Mount needs access to the yam directories in order to mount the ISO # files on a loobpack file system. ifdef(`mount.te', ` allow mount_t yam_content_t:dir mounton; allow mount_t yam_content_t:file { read write }; ')
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
On Tue, 2005-03-15 at 09:20 -0500, Daniel J Walsh wrote:
Why did you create a yam_crond_t? Why not just transition to yam_t from crond?
When I first started working on the policy I was trying to be as restrictive as possible and differentiate between what peripheral files could be opened when running yam from the command line vs. when running from cron. For example, the cron version requires less access to the terminal and no access to a ssh file descriptor. The two instances also try reading their dot files from different directories.
I wrote this policy just after writing an exim policy that distinguished between user, sysadm, and system invocations of the program. Perhaps I went overboard here.
David
P.S. I'm still tweaking the exim policy. I'll probably post it in a week or so.
David Hampton wrote:
On Tue, 2005-03-15 at 09:20 -0500, Daniel J Walsh wrote:
Why did you create a yam_crond_t? Why not just transition to yam_t from crond?
When I first started working on the policy I was trying to be as restrictive as possible and differentiate between what peripheral files could be opened when running yam from the command line vs. when running from cron. For example, the cron version requires less access to the terminal and no access to a ssh file descriptor. The two instances also try reading their dot files from different directories.
I wrote this policy just after writing an exim policy that distinguished between user, sysadm, and system invocations of the program. Perhaps I went overboard here.
David
P.S. I'm still tweaking the exim policy. I'll probably post it in a week or so.
I was just question almost doubling of rules and increase in complexity for little gain in security.
Dan
On Sunday 13 March 2005 10:50, David Hampton hampton-rh@rainbolthampton.net wrote:
This is written on an FC3 base system using the selinux-policy-strict- sources-1.22.1-2 policy from March 11th. These are the first policies I've submitted so I'd appreciate any comments on how to write better policies.
Any reference to user_t, user_home_t, user_home_dir_t etc in policy is a bug.
Running such a program from user_t (or some other unprivileged domain) will be better for overall security than having a domain that you can transition to from sysadm_t.
selinux@lists.fedoraproject.org
-
Daniel J Walsh -
David Hampton -
Russell Coker