* Updated policy
@ 2005-12-10  5:26 Daniel J Walsh
  2005-12-13 19:51 ` Christopher J. PeBenito
  2006-03-15  0:07 ` postfix mysql Antoine Martin
  0 siblings, 2 replies; 17+ messages in thread
From: Daniel J Walsh @ 2005-12-10  5:26 UTC (permalink / raw)
  To: Christopher J. PeBenito, SE Linux

[-- Attachment #1: Type: text/plain, Size: 234 bytes --]

Added booleans to turn on httpd connecting to mysql/postgres as well as 
relay.

nis_signal_ypbind requires you to be able to read pidfile.

mount command wants access to tty. Needs to be able to search rpc_pipefs
in Fedora.


-- 



[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 4019 bytes --]

diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-2.1.2/Makefile
--- nsaserefpolicy/Makefile	2005-12-09 23:35:04.000000000 -0500
+++ serefpolicy-2.1.2/Makefile	2005-12-10 00:10:25.000000000 -0500
@@ -92,7 +92,7 @@
 
 # enable MLS if requested.
 ifneq ($(findstring -mls,$(TYPE)),)
-	override M4PARAM += -D enable_mls
+	override M4PARAM += -D enable_mls -D separate_secadm
 	override CHECKPOLICY += -M
 	override CHECKMODULE += -M
 endif
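Review bot: `-D separate_secadm` is switched on for every MLS build on the changed M4PARAM line, but neither the commit description nor the Makefile says why, and no other hunk in the patch refers to the flag. A one-line comment above the assignment, e.g. `# MLS builds also define separate_secadm (presumably a separate secadm role; confirm)`, would tell the next reader that tying it to -mls in $(TYPE) is intentional. If the setting is really independent of MLS it belongs in its own ifneq block or a user-settable variable rather than being coupled to the MLS check.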
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.1.2/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables	2005-12-02 17:53:25.000000000 -0500
+++ serefpolicy-2.1.2/policy/global_tunables	2005-12-10 00:14:31.000000000 -0500
@@ -68,6 +68,12 @@
 ## Allow http daemon to tcp connect 
 gen_tunable(httpd_can_network_connect,false)
 
+## allow httpd to connect to mysql/posgresql 
+gen_tunable(httpd_can_network_connect_db, false)
+
+## allow httpd to connect to mysql/posgresql 
+gen_tunable(httpd_can_network_relay, false)
+
 ## Allow httpd cgi support
 gen_tunable(httpd_enable_cgi,false)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.1.2/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te	2005-12-09 23:35:05.000000000 -0500
+++ serefpolicy-2.1.2/policy/modules/services/apache.te	2005-12-10 00:10:25.000000000 -0500
@@ -226,14 +226,6 @@
 corenet_udp_bind_all_nodes(httpd_t)
 corenet_tcp_bind_http_port(httpd_t)
 corenet_tcp_bind_http_cache_port(httpd_t)
-# allow httpd to connect to mysql/posgresql 
-corenet_tcp_connect_postgresql_port(httpd_t)
-corenet_tcp_connect_mysqld_port(httpd_t)
-# allow httpd to work as a relay
-corenet_tcp_connect_gopher_port(httpd_t)
-corenet_tcp_connect_ftp_port(httpd_t)
-corenet_tcp_connect_http_port(httpd_t)
-corenet_tcp_connect_http_cache_port(httpd_t)
 
 dev_read_sysfs(httpd_t)
 dev_read_rand(httpd_t)
@@ -304,6 +296,21 @@
 	miscfiles_manage_public_files(httpd_t)
 ') 
 
+# allow httpd to connect to mysql/posgresql 
+tunable_policy(`httpd_can_network_connect_db',`
+	corenet_tcp_connect_postgresql_port(httpd_t)
+	corenet_tcp_connect_mysqld_port(httpd_t)
+')
+
+# allow httpd to connect to mysql/posgresql 
+tunable_policy(`httpd_can_network_relay',`
+	# allow httpd to work as a relay
+	corenet_tcp_connect_gopher_port(httpd_t)
+	corenet_tcp_connect_ftp_port(httpd_t)
+	corenet_tcp_connect_http_port(httpd_t)
+	corenet_tcp_connect_http_cache_port(httpd_t)
+')
+
 tunable_policy(`httpd_can_network_connect',`
 	allow httpd_t self:tcp_socket create_socket_perms;
 	allow httpd_t self:udp_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-2.1.2/policy/modules/services/nis.if
--- nsaserefpolicy/policy/modules/services/nis.if	2005-12-06 19:49:50.000000000 -0500
+++ serefpolicy-2.1.2/policy/modules/services/nis.if	2005-12-10 00:10:25.000000000 -0500
@@ -150,8 +150,10 @@
 interface(`nis_signal_ypbind',`
 	gen_require(`
 		type ypbind_t;
+		type ypbind_var_run_t;
 	')
 
+	allow $1 ypbind_var_run_t:file read;
 	allow $1 ypbind_t:process signal;
 ')
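Review bot: The interface's `##` documentation header sits above the hunk and, as far as the hunk shows, still describes nis_signal_ypbind as granting a signal only; with the added `allow $1 ypbind_var_run_t:file read;` callers also get ypbind's pid file, so the header and the interface name no longer say what the interface grants. Reading the pid file also presumes the caller can search the directory it lives in, which this rule does not grant on its own — confirm that callers already have that via another interface. If the read is kept, the header should say so, e.g. `## Send a signal to ypbind, reading its pid file to locate the process.`.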
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.1.2/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te	2005-12-09 23:35:08.000000000 -0500
+++ serefpolicy-2.1.2/policy/modules/system/mount.te	2005-12-10 00:10:25.000000000 -0500
@@ -47,6 +47,7 @@
 fs_use_tmpfs_chr_dev(mount_t)
 
 term_use_console(mount_t)
+term_use_generic_pty(mount_t)
 
 # required for mount.smbfs
 corecmd_exec_sbin(mount_t)
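Review bot: `term_use_generic_pty(mount_t)` is added without a comment, while the neighbouring rule in this hunk carries one (`# required for mount.smbfs`); the commit description only says the mount command "wants access to tty", which does not say which invocation needs a pty. A short comment naming the trigger, e.g. `# mount needs the caller's pty for <fill in: the use case or denial that required it>`, would let a later reader decide whether the rule can be narrowed or dropped.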
@@ -94,9 +95,7 @@
 
 optional_policy(`portmap',`
 	# for nfs
-	#allow portmap_t mount_t:udp_socket { sendto recvfrom };
-	#allow mount_t portmap_t:udp_socket { sendto recvfrom };
-	#allow mount_t rpc_pipefs_t:dir search;
+	allow mount_t rpc_pipefs_t:dir search;
 	corenet_tcp_sendrecv_all_if(mount_t)
 	corenet_raw_sendrecv_all_if(mount_t)
 	corenet_udp_sendrecv_all_if(mount_t)


* Re: Updated policy
  2005-12-10  5:26 Updated policy Daniel J Walsh
@ 2005-12-13 19:51 ` Christopher J. PeBenito
  2006-03-15  0:07 ` postfix mysql Antoine Martin
  1 sibling, 0 replies; 17+ messages in thread
From: Christopher J. PeBenito @ 2005-12-13 19:51 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SE Linux

On Sat, 2005-12-10 at 00:26 -0500, Daniel J Walsh wrote:
> Added booleans to turn on httpd connecting to mysql/postgres as well as 
> relay.

merged.

> nis_signal_ypbind requires you to be able to read pidfile.

Not going to merge this, for a couple of reasons.  First, it would still be
good to have an interface that allows just the signal, for the case that
the signaler already knows the PID.  Second, it introduces a large info
flow backchannel, since ypbind can write its pid file.  This is a
candidate for a more abstract interface whose implementation would be to
call the signal interface and the read pid interface.

> mount command wants access to tty

This sounds specific to targeted since its devpts_t, shouldn't it be in
a ifdef(`targeted_policy' ?

>  needs to be able to search rpc_pipefs 
> in Fedora.

Added an interface to handle this, rather than the raw rule.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* postfix mysql
  2005-12-10  5:26 Updated policy Daniel J Walsh
  2005-12-13 19:51 ` Christopher J. PeBenito
@ 2006-03-15  0:07 ` Antoine Martin
  1 sibling, 0 replies; 17+ messages in thread
From: Antoine Martin @ 2006-03-15  0:07 UTC (permalink / raw)
  To: SE Linux

Based on a similar policy update, I guess that what I have been adding
to the postfix policy to enable it to use the mysql backend could be
achieved with a boolean and merged upstream?


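# Optional postfix <-> mysql backend rules, gated on the mysqld module being
# present and on the postfix_can_network_connect_db boolean (proposal quoted
# from the mail; not yet merged).
ifdef(`mysqld.te', `
tunable_policy(`postfix_can_network_connect_db',`
# Each postfix domain reaches mysqld over its unix socket: search the run
# directory and write to the socket file.
can_unix_connect(postfix_smtpd_t, mysqld_t)
allow postfix_smtpd_t mysqld_var_run_t:dir { search };
allow postfix_smtpd_t mysqld_var_run_t:sock_file { write };

can_unix_connect(postfix_pipe_t, mysqld_t)
allow postfix_pipe_t mysqld_var_run_t:dir { search };
allow postfix_pipe_t mysqld_var_run_t:sock_file { write };

can_unix_connect(postfix_master_t, mysqld_t)
allow postfix_master_t mysqld_var_run_t:dir { search };
allow postfix_master_t mysqld_var_run_t:sock_file { write };

can_unix_connect(postfix_cleanup_t, mysqld_t)
allow postfix_cleanup_t mysqld_var_run_t:dir { search };
allow postfix_cleanup_t mysqld_var_run_t:sock_file { write };

can_unix_connect(postfix_postdrop_t, mysqld_t)
allow postfix_postdrop_t mysqld_var_run_t:dir { search };
allow postfix_postdrop_t mysqld_var_run_t:sock_file { write };
')
# Why postfix_cleanup/postdrop needs access to this charset file?
# (/usr/share/mysql/charsets/Index)
# beats me:
# NOTE(review): usr_t covers far more than that one file; a more specific
# type for the charset directory would narrow this grant — confirm.
allow postfix_cleanup_t usr_t:file { getattr read };
allow postfix_postdrop_t usr_t:file { getattr read };
 ')
')
# NOTE(review): the closing `')` markers above outnumber the groups this
# excerpt opens; confirm against the full file that nothing was lost when
# the snippet was pasted into the mail.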


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Updated policy
  2005-01-27 16:33   ` Daniel J Walsh
@ 2005-01-27 17:27     ` Ivan Gyurdiev
  0 siblings, 0 replies; 17+ messages in thread
From: Ivan Gyurdiev @ 2005-01-27 17:27 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Stephen Smalley, SELinux


> >>allow mount_t binfmt_misc_fs_t:dir mounton;
> >>Required to run wine.
> >>    
> >>
> I got this one from Ivan Gyurdiev, I have never run wine.

Yes, it's a duplicate mount.

I put it in fstab, so it's mounted with all the rest of the filesystems.

Then rc.sysinit decides to do that again. Why, I don't know.
I don't like this. All my other filesystems are in fstab, so 
why does this one have to be special?

# Set up binfmt_misc
# (quoted from rc.sysinit; the mail reports this duplicates a mount already
# listed in fstab — output and errors are discarded, so a failure is silent)
/bin/mount -t binfmt_misc none /proc/sys/fs/binfmt_misc > /dev/null 2>&1

-- 
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Updated policy
  2005-01-27 15:57 ` Stephen Smalley
  2005-01-27 16:30   ` Daniel J Walsh
@ 2005-01-27 16:45   ` Daniel J Walsh
  1 sibling, 0 replies; 17+ messages in thread
From: Daniel J Walsh @ 2005-01-27 16:45 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux, Colin Walters

Stephen Smalley wrote:

>On Tue, 2005-01-25 at 14:56, Daniel J Walsh wrote:
>  
>
>>Fixes for targeted crond to run as unconfined and still have transitions 
>>work.
>>    
>>
>
>I'm a little unclear on the current direction of the targeted policy.  I
>see that you are putting more programs like login and crond into
>domains, but then adding unconfined_domain() to them and allowing them
>to transition to unconfined_t.  What is the purpose of such domains?
>
>As a side note, do you truly want crond to run directly in
>system_crond_t (normally only used for system cron jobs in the strict
>policy, vs. crond_t for the daemon itself).
>
>  
>
The direction of targeted policy is to attempt to lock down all of the 
network daemons.  The remote login ones are proving difficult since they
have to eventually transition to unconfined_t.  The problem we were having
was that without telnetd, rshd, rlogind policy these daemons were running as
inetd_child_t and not working properly, so we started to add policy.

Dan


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Updated policy
  2005-01-27 16:22 ` Stephen Smalley
@ 2005-01-27 16:33   ` Daniel J Walsh
  2005-01-27 17:27     ` Ivan Gyurdiev
  0 siblings, 1 reply; 17+ messages in thread
From: Daniel J Walsh @ 2005-01-27 16:33 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux

Stephen Smalley wrote:

>On Tue, 2005-01-25 at 14:56, Daniel J Walsh wrote:
>  
>
>>Many changes to allow policy to support telnetd, rlogind and rshd.
>>    
>>
>
>I merged these bits into sourceforge CVS.
>
>  
>
>>allow mount_t binfmt_misc_fs_t:dir mounton;
>>Required to run wine.
>>    
>>
I got this one from Ivan Gyurdiev, I have never run wine.

>
>Waiting on clarification of whether and why this is needed, given that
>the mount point should be sysctl_t and only the mounted directory should
>have this type.  Multiple mounts?
>
>  
>
>>Changes to allow setfiles/restorecon to read default_context_t 
>>(customizable files)
>>    
>>
>
>I merged these bits into sourceforge CVS.
>
>  
>
>>Fixes for postgresql.te
>>    
>>
>
>Ditto.
>
>  
>
>>Elimination of gpg execmod change.  The gpg rpm was fixed in rawhide.
>>    
>>
>
>Ditto.
>
>  
>
>>Fixes for targeted crond to run as unconfined and still have transitions 
>>work.
>>    
>>
>
>Waiting on clarification of whether we truly want separate domains at
>all for such programs in the targeted policy, and whether it should be
>in system_crond_t or crond_t.
>
>Also merged most of the miscellaneous bits of the patch, excepting
>execmem permission for mozilla and the usual tunables and distros
>customizations.
>
>  
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Updated policy
  2005-01-27 15:57 ` Stephen Smalley
@ 2005-01-27 16:30   ` Daniel J Walsh
  2005-01-27 16:45   ` Daniel J Walsh
  1 sibling, 0 replies; 17+ messages in thread
From: Daniel J Walsh @ 2005-01-27 16:30 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux, Colin Walters

Stephen Smalley wrote:

>On Tue, 2005-01-25 at 14:56, Daniel J Walsh wrote:
>  
>
>>Fixes for targeted crond to run as unconfined and still have transitions 
>>work.
>>    
>>
>
>I'm a little unclear on the current direction of the targeted policy.  I
>see that you are putting more programs like login and crond into
>domains, but then adding unconfined_domain() to them and allowing them
>to transition to unconfined_t.  What is the purpose of such domains?
>
>  
>
Two separate problems.

crond aliased as unconfined_t was causing transitions to not work
correctly, i.e. in targeted policy we do not want applications to
transition unless they are started via init scripts.  So certain apps had
a rule domain_auto_trans(crond_t, XYZ_exec_t, XYZ_t) which was causing
unconfined_t running XYZ_exec_t to transition.  So we needed a small crond
to stop this.  system_crond_t and crond_t probably should be aliased so
confined apps that are started by either system_crond_t or crond_t will
transition.

The login program was brought in because we were trying to get rlogind, 
telnetd, rshd policy to work. 
After working on it a couple of days we found that we ended up with 
little (none) added security in targeted policy, so
they should be pulled from targeted.  They all should work better in 
strict now.

>As a side note, do you truly want crond to run directly in
>system_crond_t (normally only used for system cron jobs in the strict
>policy, vs. crond_t for the daemon itself).
>
>  
>
I think they should be aliased, to make sure crond_t and system_crond_t 
transitions happen.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Updated policy
  2005-01-25 19:56 Updated policy Daniel J Walsh
                   ` (3 preceding siblings ...)
  2005-01-27 15:57 ` Stephen Smalley
@ 2005-01-27 16:22 ` Stephen Smalley
  2005-01-27 16:33   ` Daniel J Walsh
  4 siblings, 1 reply; 17+ messages in thread
From: Stephen Smalley @ 2005-01-27 16:22 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux

On Tue, 2005-01-25 at 14:56, Daniel J Walsh wrote:
> Many changes to allow policy to support telnetd, rlogind and rshd.

I merged these bits into sourceforge CVS.

> allow mount_t binfmt_misc_fs_t:dir mounton;
> Required to run wine.

Waiting on clarification of whether and why this is needed, given that
the mount point should be sysctl_t and only the mounted directory should
have this type.  Multiple mounts?

> Changes to allow setfiles/restorecon to read default_context_t 
> (customizable files)

I merged these bits into sourceforge CVS.

> Fixes for postgresql.te

Ditto.

> Elimination of gpg execmod change.  The gpg rpm was fixed in rawhide.

Ditto.

> Fixes for targeted crond to run as unconfined and still have transitions 
> work.

Waiting on clarification of whether we truly want separate domains at
all for such programs in the targeted policy, and whether it should be
in system_crond_t or crond_t.

Also merged most of the miscellaneous bits of the patch, excepting
execmem permission for mozilla and the usual tunables and distros
customizations.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Updated policy
  2005-01-25 19:56 Updated policy Daniel J Walsh
                   ` (2 preceding siblings ...)
  2005-01-26  8:22 ` Ivan Gyurdiev
@ 2005-01-27 15:57 ` Stephen Smalley
  2005-01-27 16:30   ` Daniel J Walsh
  2005-01-27 16:45   ` Daniel J Walsh
  2005-01-27 16:22 ` Stephen Smalley
  4 siblings, 2 replies; 17+ messages in thread
From: Stephen Smalley @ 2005-01-27 15:57 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux, Colin Walters

On Tue, 2005-01-25 at 14:56, Daniel J Walsh wrote:
> Fixes for targeted crond to run as unconfined and still have transitions 
> work.

I'm a little unclear on the current direction of the targeted policy.  I
see that you are putting more programs like login and crond into
domains, but then adding unconfined_domain() to them and allowing them
to transition to unconfined_t.  What is the purpose of such domains?

As a side note, do you truly want crond to run directly in
system_crond_t (normally only used for system cron jobs in the strict
policy, vs. crond_t for the daemon itself).

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Updated policy
  2005-01-26  8:22 ` Ivan Gyurdiev
@ 2005-01-27 15:50   ` Stephen Smalley
  0 siblings, 0 replies; 17+ messages in thread
From: Stephen Smalley @ 2005-01-27 15:50 UTC (permalink / raw)
  To: ivg2; +Cc: Daniel J Walsh, SELinux

On Wed, 2005-01-26 at 03:22, Ivan Gyurdiev wrote:
> On Tue, 2005-01-25 at 14:56 -0500, Daniel J Walsh wrote:
> > Many changes to allow policy to support telnetd, rlogind and rshd.
> > 
> > allow mount_t binfmt_misc_fs_t:dir mounton;
> > Required to run wine.
> 
> Now there is:
> 
> allow mount_t binfmt_misc_fs_t:dir mounton;
> ...
> # mount binfmt_misc on /proc/sys/fs/binfmt_misc
> allow mount_t sysctl_t:dir { mounton search };
> 
> Are both of those necessary?

Shouldn't be.  mounton permission is required to the mount point
directory, which should be sysctl_t.  binfmt_misc_fs_t should only be on
the mounted directory.  Duplicate mount?

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Updated policy
  2005-01-26 10:57   ` Ivan Gyurdiev
@ 2005-01-26 12:35     ` Stephen Smalley
  0 siblings, 0 replies; 17+ messages in thread
From: Stephen Smalley @ 2005-01-26 12:35 UTC (permalink / raw)
  To: ivg2; +Cc: Daniel J Walsh, SELinux

On Wed, 2005-01-26 at 05:57, Ivan Gyurdiev wrote:
> On Tue, 2005-01-25 at 14:56 -0700, Ivan Gyurdiev wrote:
> > > Elimination of gpg execmod change.  The gpg rpm was fixed in rawhide.
> > 
> > Please add execmod to mozilla and X (Bug #145067).
> > Mozilla needs it for flash, and X for the Nvidia driver.
> 
> Also, look at this:
> 
> audit(1106729781.687:0): avc:  denied  { execmod } for  pid=18304
> comm=java path=/lib/ld-2.3.4.so dev=dm-0 ino=113630
> scontext=user_u:user_r:user_t tcontext=system_u:object_r:ld_so_t
> tclass=file
> 
> /usr/lib/jvm/jre-1.5.0_01-sun/bin/java
> 
> That's the Sun 1.5 JRE.

Yes, it needs to be put into a separate domain.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Updated policy
  2005-01-25 21:56 ` Ivan Gyurdiev
  2005-01-26 10:57   ` Ivan Gyurdiev
@ 2005-01-26 12:18   ` Stephen Smalley
  1 sibling, 0 replies; 17+ messages in thread
From: Stephen Smalley @ 2005-01-26 12:18 UTC (permalink / raw)
  To: ivg2; +Cc: Daniel J Walsh, SELinux

On Tue, 2005-01-25 at 16:56, Ivan Gyurdiev wrote:
> > Elimination of gpg execmod change.  The gpg rpm was fixed in rawhide.
> 
> Please add execmod to mozilla and X (Bug #145067).
> Mozilla needs it for flash, and X for the Nvidia driver.
> 
> Here's all the libs on my system where I see TEXTREL with readelf -d.
> 
> /usr/lib/libstdc++.so.2.7.2.8
> /usr/lib/libpostproc.so.0.0.1
> /usr/lib/nvidia/tls/libnvidia-tls.so.1.0.6629
> /usr/lib/nvidia/libnvidia-tls.so.1.0.6629
> /usr/lib/libmp3lame.so.0.0.0
> /usr/lib/libmlib_jai.so
> /usr/lib/libgsm.so.1.0.10
> /usr/lib/libglide3.so.3.10.0
> /usr/lib/libg++.so.2.7.2.8
> /usr/lib/libdv.so.4.0.1
> /usr/lib/libavformat-0.4.9-pre1.so
> /usr/lib/libavcodec-0.4.9-pre1.so
> /usr/X11R6/lib/libXvMCNVIDIA.so.1.0.6629
> /usr/lib/libSDL-1.2.so.0.7.0
> /usr/X11R6/lib/libOSMesa.so.4.0
> /usr/lib/libImlib2.so.1.2.0
> /usr/lib/libHermes.so.1.0.0
> /usr/lib/nvidia/libGLcore.so.1.0.6629
> /usr/lib/nvidia/libGL.so.1.0.6629
> sed: -e expression #1, char 13: unknown option to `s'
> /usr/lib/firefox-0.10.0/plugins/libflashplayer.so
> /usr/lib/firefox-0.9.3/plugins/libflashplayer.so

The preferred approach would be to assign a different type to all such
shared objects, e.g. textrel_shlib_t, and only allow execmod permission
to that type.  Any existing occurrences of execmod should also be
rewritten to use the specific type at that point.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Updated policy
  2005-01-25 21:56 ` Ivan Gyurdiev
@ 2005-01-26 10:57   ` Ivan Gyurdiev
  2005-01-26 12:35     ` Stephen Smalley
  2005-01-26 12:18   ` Stephen Smalley
  1 sibling, 1 reply; 17+ messages in thread
From: Ivan Gyurdiev @ 2005-01-26 10:57 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux

On Tue, 2005-01-25 at 14:56 -0700, Ivan Gyurdiev wrote:
> > Elimination of gpg execmod change.  The gpg rpm was fixed in rawhide.
> 
> Please add execmod to mozilla and X (Bug #145067).
> Mozilla needs it for flash, and X for the Nvidia driver.

Also, look at this:

audit(1106729781.687:0): avc:  denied  { execmod } for  pid=18304
comm=java path=/lib/ld-2.3.4.so dev=dm-0 ino=113630
scontext=user_u:user_r:user_t tcontext=system_u:object_r:ld_so_t
tclass=file

/usr/lib/jvm/jre-1.5.0_01-sun/bin/java

That's the Sun 1.5 JRE.


-- 
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Updated policy
  2005-01-25 19:56 Updated policy Daniel J Walsh
  2005-01-25 21:56 ` Ivan Gyurdiev
  2005-01-26  6:54 ` Ivan Gyurdiev
@ 2005-01-26  8:22 ` Ivan Gyurdiev
  2005-01-27 15:50   ` Stephen Smalley
  2005-01-27 15:57 ` Stephen Smalley
  2005-01-27 16:22 ` Stephen Smalley
  4 siblings, 1 reply; 17+ messages in thread
From: Ivan Gyurdiev @ 2005-01-26  8:22 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux

On Tue, 2005-01-25 at 14:56 -0500, Daniel J Walsh wrote:
> Many changes to allow policy to support telnetd, rlogind and rshd.
> 
> allow mount_t binfmt_misc_fs_t:dir mounton;
> Required to run wine.

Now there is:

allow mount_t binfmt_misc_fs_t:dir mounton;
...
# mount binfmt_misc on /proc/sys/fs/binfmt_misc
allow mount_t sysctl_t:dir { mounton search };

Are both of those necessary?

-- 
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Updated policy
  2005-01-25 19:56 Updated policy Daniel J Walsh
  2005-01-25 21:56 ` Ivan Gyurdiev
@ 2005-01-26  6:54 ` Ivan Gyurdiev
  2005-01-26  8:22 ` Ivan Gyurdiev
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 17+ messages in thread
From: Ivan Gyurdiev @ 2005-01-26  6:54 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux

On Tue, 2005-01-25 at 14:56 -0500, Daniel J Walsh wrote:
> Many changes to allow policy to support telnetd, rlogind and rshd.
> 
> allow mount_t binfmt_misc_fs_t:dir mounton;
> Required to run wine.

What about samba - how to get samba to work? (Bug: 145025)

Something along those lines, or does it need a separate
context from mount_t ?

--- mount.te    2005-01-25 22:40:04.000000000 -0700
+++ mount.new   2005-01-25 23:38:22.000000000 -0700
@@ -77,7 +77,16 @@
 #
 # required for mount.smbfs
 #
+ifdef(`samba.te', `
+can_network(mount_t)
+allow mount_t self:capability { setuid setgid };
+allow mount_t samba_log_t:file create_file_perms;
+allow mount_t samba_var_t:dir getattr;
+allow mount_t samba_var_t:file rw_file_perms;
+allow mount_t samba_etc_t:file { getattr read };
 allow mount_t sbin_t:lnk_file { getattr read };
+allow mount_t cifs_t:dir { getattr read ioctl };
+')
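Review bot: The new `ifdef(`samba.te', ...)` opened at the top of the hunk is closed two lines after the pre-existing `allow mount_t sbin_t:lnk_file { getattr read };` context line, so that previously unconditional rule now only exists when samba.te is in the build; the closing `')` should move up so the sbin_t line stays outside the block, with the cifs_t rule placed inside it above the sbin_t line. Separately, the block gives mount_t `self:capability { setuid setgid }` and `can_network(mount_t)`, which is considerably broader than a single smbfs mount helper needs; if those stay, a comment stating which helper action requires each grant would let the rules be tightened later.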

 rhgb_domain(mount_t)
--- mount_macros.te     2005-01-25 23:23:03.000000000 -0700
+++ mount_macros.new    2005-01-25 23:32:49.000000000 -0700
@@ -62,8 +62,10 @@
 allow $2_t sbin_t:dir search;

 # Access the terminal.
+allow $2_t devtty_t:chr_file rw_file_perms;
 allow $2_t $1_tty_device_t:chr_file { getattr read write ioctl };
-allow $2_t $1_devpts_t:chr_file { getattr read write };
+allow $2_t devpts_t:dir { search };
+allow $2_t $1_devpts_t:chr_file { getattr read write ioctl };
 ifdef(`gnome-pty-helper.te', `allow $2_t $1_gph_t:fd use;')
 allow $2_t var_t:dir search;
 allow $2_t var_run_t:dir search;


=======

Also, this still hangs when doing ls, or trying to remount it. 
I don't know why. Possibly related:

(1)

Slab corruption: (Tainted: P     ) start=c8748e70, len=268
Redzone: 0x5a2cf071/0x5a2cf071.
Last user: [<e0be357d>](smb_add_request+0x1da/0x25b [smbfs])
000: 6b 6b 6b 6b 6b 6b 6b 6b 6a 6b 6b 6b 6b 6b 6b 6b
100: 6b 6b 6b 6b 6b 6b 6b 6b 00 fe ff ff
Prev obj: start=c8748d58, len=268
Redzone: 0x5a2cf071/0x5a2cf071.
Last user: [<00000000>](0x0)
000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b

(2)

audit(1106721540.741:0): avc:  denied  { read } for  pid=16907
comm=smbiod laddr=192.168.2.96 lport=56841 faddr=192.168.2.96 fport=445
scontext=system_u:system_r:kernel_t tcontext=root:sysadm_r:mount_t
tclass=tcp_socket






-- 
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Updated policy
  2005-01-25 19:56 Updated policy Daniel J Walsh
@ 2005-01-25 21:56 ` Ivan Gyurdiev
  2005-01-26 10:57   ` Ivan Gyurdiev
  2005-01-26 12:18   ` Stephen Smalley
  2005-01-26  6:54 ` Ivan Gyurdiev
                   ` (3 subsequent siblings)
  4 siblings, 2 replies; 17+ messages in thread
From: Ivan Gyurdiev @ 2005-01-25 21:56 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux


> Elimination of gpg execmod change.  The gpg rpm was fixed in rawhide.

Please add execmod to mozilla and X (Bug #145067).
Mozilla needs it for flash, and X for the Nvidia driver.

Here's all the libs on my system where I see TEXTREL with readelf -d.

/usr/lib/libstdc++.so.2.7.2.8
/usr/lib/libpostproc.so.0.0.1
/usr/lib/nvidia/tls/libnvidia-tls.so.1.0.6629
/usr/lib/nvidia/libnvidia-tls.so.1.0.6629
/usr/lib/libmp3lame.so.0.0.0
/usr/lib/libmlib_jai.so
/usr/lib/libgsm.so.1.0.10
/usr/lib/libglide3.so.3.10.0
/usr/lib/libg++.so.2.7.2.8
/usr/lib/libdv.so.4.0.1
/usr/lib/libavformat-0.4.9-pre1.so
/usr/lib/libavcodec-0.4.9-pre1.so
/usr/X11R6/lib/libXvMCNVIDIA.so.1.0.6629
/usr/lib/libSDL-1.2.so.0.7.0
/usr/X11R6/lib/libOSMesa.so.4.0
/usr/lib/libImlib2.so.1.2.0
/usr/lib/libHermes.so.1.0.0
/usr/lib/nvidia/libGLcore.so.1.0.6629
/usr/lib/nvidia/libGL.so.1.0.6629
sed: -e expression #1, char 13: unknown option to `s'
/usr/lib/firefox-0.10.0/plugins/libflashplayer.so
/usr/lib/firefox-0.9.3/plugins/libflashplayer.so


-- 
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Updated policy
@ 2005-01-25 19:56 Daniel J Walsh
  2005-01-25 21:56 ` Ivan Gyurdiev
                   ` (4 more replies)
  0 siblings, 5 replies; 17+ messages in thread
From: Daniel J Walsh @ 2005-01-25 19:56 UTC (permalink / raw)
  To: SELinux

[-- Attachment #1: Type: text/plain, Size: 399 bytes --]

Many changes to allow policy to support telnetd, rlogind and rshd.

allow mount_t binfmt_misc_fs_t:dir mounton;
Required to run wine.

Changes to allow setfiles/restorecon to read default_context_t 
(customizable files)

Fixes for postgresql.te

Elimination of gpg execmod change.  The gpg rpm was fixed in rawhide.

Fixes for targeted crond to run as unconfined and still have transitions 
work.



[-- Attachment #2: policy-20050124.patch --]
[-- Type: text/x-patch, Size: 11905 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/domains/admin.te policy-1.21.3/domains/admin.te
--- nsapolicy/domains/admin.te	2005-01-20 15:55:00.000000000 -0500
+++ policy-1.21.3/domains/admin.te	2005-01-25 08:53:09.000000000 -0500
@@ -7,7 +7,7 @@
 ifdef(`direct_sysadm_daemon', `, priv_system_role')
 ; dnl end of sysadm_t type declaration
 
-allow privhome home_root_t:dir search;
+allow privhome home_root_t:dir { getattr search };
 
 # system_r is authorized for sysadm_t for single-user mode.
 role system_r types sysadm_t; 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.21.3/domains/program/login.te
--- nsapolicy/domains/program/login.te	2005-01-24 12:08:36.000000000 -0500
+++ policy-1.21.3/domains/program/login.te	2005-01-25 08:53:09.000000000 -0500
@@ -130,6 +130,11 @@
 
 allow $1_login_t mouse_device_t:chr_file { getattr setattr };
 
+ifdef(`targeted_policy',`
+unconfined_domain($1_login_t)
+domain_auto_trans($1_login_t, shell_exec_t, unconfined_t)
+')
+
 ')dnl end login_domain macro
 #################################
 #
@@ -212,5 +217,18 @@
 # Relabel ptys created by rlogind.
 allow remote_login_t rlogind_devpts_t:chr_file { relabelfrom relabelto };
 ')
+
+# Use the pty created by telnetd.
+ifdef(`telnetd.te', `
+allow remote_login_t telnetd_devpts_t:chr_file { setattr rw_file_perms };
+
+# Relabel ptys created by telnetd.
+allow remote_login_t telnetd_devpts_t:chr_file { relabelfrom relabelto };
+')
+
 allow remote_login_t ptyfile:chr_file { getattr relabelfrom relabelto ioctl };
 allow remote_login_t fs_t:filesystem { getattr };
+
+# Allow remote login to resolve host names (passed in via the -h switch)
+can_resolve(remote_login_t)
+
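Review bot: The telnetd block added before `allow remote_login_t ptyfile:chr_file ...` repeats, with the pty type swapped, the rlogind block whose closing `')` is the first context line of the hunk (presumably an ifdef on rlogind.te that starts before the hunk); a small macro taking the pty type, or keeping the two sets of permissions side by side under one comment, would stop them drifting apart when one is changed. The hunk also appends two empty `+` lines, one after `fs_t:filesystem { getattr };` and one after `can_resolve(remote_login_t)`, leaving trailing blank lines at end of file; dropping them keeps the file consistent with the other hunks in the patch.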
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.21.3/domains/program/mount.te
--- nsapolicy/domains/program/mount.te	2005-01-24 16:57:04.000000000 -0500
+++ policy-1.21.3/domains/program/mount.te	2005-01-25 08:53:09.000000000 -0500
@@ -49,6 +49,7 @@
 allow mount_t devpts_t:dir mounton;
 allow mount_t usbdevfs_t:dir mounton;
 allow mount_t sysfs_t:dir mounton;
+allow mount_t binfmt_misc_fs_t:dir mounton;
 allow mount_t nfs_t:dir mounton;
 allow mount_t nfs_t:dir search;
 # nfsv4 has a filesystem to mount for its userspace daemons
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/restorecon.te policy-1.21.3/domains/program/restorecon.te
--- nsapolicy/domains/program/restorecon.te	2005-01-20 15:55:01.000000000 -0500
+++ policy-1.21.3/domains/program/restorecon.te	2005-01-25 08:53:09.000000000 -0500
@@ -59,6 +59,5 @@
 allow restorecon_t kernel_t:fd use;
 allow restorecon_t kernel_t:fifo_file { read write };
 allow restorecon_t kernel_t:unix_dgram_socket { read write };
-r_dir_file(restorecon_t, selinux_config_t)
-r_dir_file(restorecon_t, file_context_t)
+r_dir_file(restorecon_t, { selinux_config_t file_context_t default_context_t } )
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/setfiles.te policy-1.21.3/domains/program/setfiles.te
--- nsapolicy/domains/program/setfiles.te	2005-01-20 15:55:02.000000000 -0500
+++ policy-1.21.3/domains/program/setfiles.te	2005-01-25 08:53:09.000000000 -0500
@@ -36,7 +36,7 @@
 # Get security policy decisions.
 can_getsecurity(setfiles_t)
 
-r_dir_file(setfiles_t, { policy_src_t policy_config_t file_context_t selinux_config_t })
+r_dir_file(setfiles_t, { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t })
 
 allow setfiles_t file_type:dir r_dir_perms;
 allow setfiles_t { file_type unlabeled_t device_type }:dir_file_class_set { getattr relabelfrom };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.21.3/domains/program/unused/postgresql.te
--- nsapolicy/domains/program/unused/postgresql.te	2005-01-24 12:08:36.000000000 -0500
+++ policy-1.21.3/domains/program/unused/postgresql.te	2005-01-25 08:53:09.000000000 -0500
@@ -105,8 +105,8 @@
 allow postgresql_t devpts_t:dir search;
 
 allow postgresql_t { bin_t sbin_t }:dir search;
-allow postgresql_t { bin_t sbin_t }:lnk_file read;
-allow postgresql_t postgresql_exec_t:lnk_file read;
+allow postgresql_t { bin_t sbin_t }:lnk_file { getattr read };
+allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
 
 allow postgresql_t self:sem create_sem_perms;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.21.3/domains/program/unused/samba.te
--- nsapolicy/domains/program/unused/samba.te	2005-01-24 16:57:05.000000000 -0500
+++ policy-1.21.3/domains/program/unused/samba.te	2005-01-25 08:53:09.000000000 -0500
@@ -120,10 +120,3 @@
 # Support Samba sharing of home directories
 bool samba_enable_home_dirs false;
 
-if ( samba_enable_home_dirs ) {
-allow smbd_t home_root_t:dir { getattr search };
-allow smbd_t home_dir_type:dir { getattr search };
-allow smbd_t home_type:dir create_dir_perms;
-dontaudit smbd_t home_type:{ sock_file fifo_file chr_file blk_file } r_file_perms;
-}
-
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.21.3/file_contexts/distros.fc
--- nsapolicy/file_contexts/distros.fc	2005-01-20 15:55:14.000000000 -0500
+++ policy-1.21.3/file_contexts/distros.fc	2005-01-25 08:53:09.000000000 -0500
@@ -10,6 +10,7 @@
 /usr/share/system-config-httpd/system-config-httpd -- system_u:object_r:bin_t
 /usr/share/system-config-services/system-config-services -- system_u:object_r:bin_t
 /usr/share/system-logviewer/system-logviewer\.py -- system_u:object_r:bin_t
+/usr/share/system-config-lvm/system-config-lvm.py -- system_u:object_r:bin_t
 /usr/share/system-config-date/system-config-date\.py -- system_u:object_r:bin_t
 /usr/share/system-config-display/system-config-display -- system_u:object_r:bin_t
 /usr/share/system-config-keyboard/system-config-keyboard -- system_u:object_r:bin_t
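Review bot: The new entry writes `system-config-lvm.py` with an unescaped dot, unlike its neighbours (`system-logviewer\.py`, `system-config-date\.py`); file_contexts paths are regular expressions, so the `.` matches any character rather than a literal period. Use `/usr/share/system-config-lvm/system-config-lvm\.py -- system_u:object_r:bin_t`.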
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/udev.fc policy-1.21.3/file_contexts/program/udev.fc
--- nsapolicy/file_contexts/program/udev.fc	2005-01-20 15:55:20.000000000 -0500
+++ policy-1.21.3/file_contexts/program/udev.fc	2005-01-25 08:53:09.000000000 -0500
@@ -8,5 +8,5 @@
 /etc/udev/scripts/.+	-- system_u:object_r:udev_helper_exec_t
 /etc/hotplug\.d/default/udev.* -- system_u:object_r:udev_helper_exec_t
 /dev/udev\.tbl	--	system_u:object_r:udev_tbl_t
-/dev/\.udev\.tdb	--	system_u:object_r:udev_tdb_t
+/dev/\.udev\.tdb(/.*)?	--	system_u:object_r:udev_tdb_t
 /sbin/wait_for_sysfs -- system_u:object_r:udev_exec_t
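Review bot: The pattern now matches `/dev/.udev.tdb` and everything beneath it (`(/.*)?`), which only makes sense if it has become a directory, yet the `--` field still restricts the entry to regular files, so the directory itself and any non-regular entries under it would not be labeled udev_tdb_t by this line. If it is a directory tree now, drop the type specifier: `/dev/\.udev\.tdb(/.*)?	system_u:object_r:udev_tdb_t`; if it is still a single file, the `(/.*)?` suffix should go instead.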
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gpg_macros.te policy-1.21.3/macros/program/gpg_macros.te
--- nsapolicy/macros/program/gpg_macros.te	2005-01-24 16:57:05.000000000 -0500
+++ policy-1.21.3/macros/program/gpg_macros.te	2005-01-25 08:54:05.000000000 -0500
@@ -23,10 +23,7 @@
 
 # Transition from the user domain to the derived domain.
 domain_auto_trans($1_t, gpg_exec_t, $1_gpg_t)
-#
-# Is this Ok?
-# 
-allow $1_gpg_t gpg_exec_t:file execmod;
+
 can_network($1_gpg_t)
 can_ypbind($1_gpg_t)
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.21.3/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2005-01-24 12:08:37.000000000 -0500
+++ policy-1.21.3/macros/program/mozilla_macros.te	2005-01-25 08:53:09.000000000 -0500
@@ -25,7 +25,7 @@
 allow $1_mozilla_t $1_t:process signull;
 
 # Set resource limits and scheduling info.
-allow $1_mozilla_t self:process { setrlimit setsched };
+allow $1_mozilla_t self:process { execmem setrlimit setsched };
 
 allow $1_mozilla_t usr_t:{ lnk_file file } { getattr read };
 allow $1_mozilla_t var_lib_t:file { getattr read };
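Review bot: `execmem` is neither a resource limit nor scheduling information, so the comment `# Set resource limits and scheduling info.` above the changed line no longer describes it, and self:process execmem lets $1_mozilla_t create writable-and-executable anonymous mappings, a memory protection the domain otherwise gets from the policy. Keep the two concerns apart so the weakening stays visible: leave the original line as it was and add `# Anonymous executable memory (W+X mappings): weakens memory protection for the browser domain; record which component needs it.` followed by `allow $1_mozilla_t self:process execmem;`. Which plugin or component actually needs it cannot be told from this hunk.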
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/x_client_macros.te policy-1.21.3/macros/program/x_client_macros.te
--- nsapolicy/macros/program/x_client_macros.te	2005-01-20 15:55:26.000000000 -0500
+++ policy-1.21.3/macros/program/x_client_macros.te	2005-01-25 08:53:09.000000000 -0500
@@ -144,6 +144,7 @@
 ')
 
 # Access the terminal.
+allow $1_$2_t devpts_t:dir search;
 allow $1_$2_t $1_tty_device_t:chr_file rw_file_perms;
 allow $1_$2_t $1_devpts_t:chr_file rw_file_perms;
 
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/crond.te policy-1.21.3/targeted/domains/program/crond.te
--- nsapolicy/targeted/domains/program/crond.te	2005-01-24 16:57:06.000000000 -0500
+++ policy-1.21.3/targeted/domains/program/crond.te	2005-01-25 13:54:41.000000000 -0500
@@ -19,5 +19,10 @@
 type sysadm_cron_spool_t, file_type, sysadmfile;
 type crond_log_t, file_type, sysadmfile;
 type crond_var_run_t, file_type, sysadmfile;
-domain_auto_trans(initrc_t, crond_exec_t, crond_t)
-domain_auto_trans(initrc_t, anacron_exec_t, crond_t)
+domain_auto_trans(initrc_t, crond_exec_t, system_crond_t)
+domain_auto_trans(initrc_t, anacron_exec_t, system_crond_t)
+unconfined_domain(system_crond_t)
+# Access log files
+file_type_auto_trans(system_crond_t, var_log_t, crond_log_t, file)
+file_type_auto_trans(system_crond_t, user_home_dir_t, user_home_t)
+file_type_auto_trans(system_crond_t, tmp_t, system_crond_tmp_t)
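Review bot: No `type system_crond_t` or `type system_crond_tmp_t` declaration and no `role system_r types system_crond_t` appears in this hunk, although the types declared a few lines above are all listed here; if they are not declared elsewhere in the targeted tree the policy will not build. Since `unconfined_domain(system_crond_t)` makes the domain unconfined, the three `file_type_auto_trans` lines only govern how what cron jobs create gets labeled, and `# Access log files` describes just the first of them. Suggest replacing that comment with `# system_crond_t is unconfined under the targeted policy; these transitions only keep its log, home-directory and tmp output labeled crond_log_t, user_home_t and system_crond_tmp_t.`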
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.21.3/targeted/domains/unconfined.te
--- nsapolicy/targeted/domains/unconfined.te	2005-01-24 16:57:06.000000000 -0500
+++ policy-1.21.3/targeted/domains/unconfined.te	2005-01-25 08:53:09.000000000 -0500
@@ -4,7 +4,7 @@
 # is not explicitly confined.  It has no restrictions.
 # It needs to be carefully protected from the confined domains.
 
-type unconfined_t, domain, privuser, privrole, privowner, admin, auth_write, fs_domain, privmem;
+type unconfined_t, domain, privuser, privhome, privrole, privowner, admin, auth_write, fs_domain, privmem;
 role system_r types unconfined_t;
 role user_r types unconfined_t;
 role sysadm_r types unconfined_t;
@@ -23,7 +23,8 @@
 type user_home_t, file_type, sysadmfile, home_type;
 type user_home_dir_t, file_type, sysadmfile, home_dir_type;
 file_type_auto_trans(unconfined_t, home_root_t, user_home_dir_t, dir)
-file_type_auto_trans(unconfined_t, user_home_dir_t, user_home_t)
+allow privhome home_root_t:dir { getattr search };
+file_type_auto_trans(privhome, user_home_dir_t, user_home_t)
 
 define(`user_typealias', `
 ifelse($1,`user',`',`
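Review bot: `allow privhome home_root_t:dir { getattr search };` repeats the rule this same patch adds to domains/admin.te; if the targeted build compiles admin.te as well the duplicate is harmless but redundant, and nothing in either file says which copy is meant to be authoritative. More importantly, widening `file_type_auto_trans` from unconfined_t to the privhome attribute means any other domain that carries privhome in the targeted policy now creates user_home_t under user_home_dir_t, which deserves a line above these two rules, e.g. `# All privhome domains (unconfined_t and anything else carrying the attribute) share the user home-directory labeling.`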
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.21.3/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2004-08-20 13:57:29.000000000 -0400
+++ policy-1.21.3/tunables/distro.tun	2005-01-25 08:53:09.000000000 -0500
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.21.3/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2005-01-20 15:55:28.000000000 -0500
+++ policy-1.21.3/tunables/tunable.tun	2005-01-25 08:53:09.000000000 -0500
@@ -1,27 +1,24 @@
-# Allow users to execute the mount command
-dnl define(`user_can_mount')
-
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
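Review bot: Five tunables flip from `dnl define` to `define` and the user_can_mount knob is deleted outright rather than left commented out, yet nothing in the file records that these are distribution defaults: as the surrounding comments say, unlimitedRPM, unlimitedUtils and unlimitedRC now run rpm, hotplug/insmod and rc scripts (plus anything they start without an explicit transition) unconfined, and user_canbe_sysadm lets user_r reach sysadm_r. A header comment would make the posture reviewable, e.g. `# Distribution defaults: the unlimited* tunables below are ON; prefix a line with dnl to confine that component again.` If any policy file still tests `ifdef(`user_can_mount'`, deleting the knob here silently turns that into a dead branch, so that should be checked.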
