* Additional rule files
@ 2004-09-04  1:12 Erich Schubert
  2004-09-05 10:19 ` Russell Coker
From: Erich Schubert @ 2004-09-04  1:12 UTC (permalink / raw)
  To: selinux


[-- Attachment #1.1: Type: text/plain, Size: 1616 bytes --]

Attached is a set of additional rule files.
No diffs, because there are no rules yet in CVS for these.

First there are rule files for pptpd (poptop).

The next two rule sets are for the statistic tools "bindgraph" and
"mailgraph". The first parses bind query logs and does nice graphs out
of them, the second does the same for postfix+amavis logs.

Fourth rule set is for using the "fnord" web server with "tcpsvd"
(of the ipsvd package; very lightweight).
I'd suggest only including this rule file in some "examples" section,
since you'll most probably need to adapt it to your wishes. For example
I haven't set up logging with this fnord installation, so no multilog
things are included (that would kind of require running it with
runit/minit/daemontools or such, which I am not).

But when writing this rule i encountered a small problem with current
policy WRT web files: it's very apache-centric.

For example the /var/www directory is only labeled when apache is
defined. Even the http_port_t is only used when apache is there.
IMHO these web-server-general things should be put into a web-server
domain. Maybe (except for the setuid/setgid/chroot part) I could even
use this generic web server domain for fnord, too.
But at least the general types for web files, cgi, ports should be
separated from the apache stuff.


Greetings,
Erich Schubert
-- 
     erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C     (o_
 A man doesn't know what he knows until he knows what he doesn't know. //\
   How can I know what I think before I hear what I say.   V_/_

[-- Attachment #1.2: bindgraph.fc --]
[-- Type: text/plain, Size: 337 bytes --]

# bindgraph
/var/lib/bindgraph(/.*)?	system_u:object_r:bindgraph_lib_t
/usr/sbin/bindgraph.pl	--	system_u:object_r:bindgraph_exec_t
/usr/lib/cgi-bin/bindgraph.cgi	--	system_u:object_r:bindgraph_cgi_exec_t
/var/run/bindgraph\.pid		system_u:object_r:bindgraph_var_run_t
/var/cache/bindgraph(/.*)?	system_u:object_r:bindgraph_cache_t

[-- Attachment #1.3: bindgraph.te --]
[-- Type: text/plain, Size: 1529 bytes --]

#DESC BINDGRAPH - bind statistics graph tool
# Authors:  Erich Schubert <erich@debian.org>
# X-Debian-Packages: bindgraph
#

daemon_domain(bindgraph)
daemon_domain(bindgraph_cgi)
# lib is for the RRD files (data gathered)
type bindgraph_lib_t, file_type, sysadmfile;
# the cache is storing generated images
type bindgraph_cache_t, file_type, sysadmfile;

# started by initrc_t
domain_auto_trans(initrc_t, bindgraph_exec_t, bindgraph_t)
# maybe the same pid file removal rule is needed as for mailgraph?

# read log files
r_dir_file(bindgraph_t, var_log_t)

# write own lib files (RRD files)
allow bindgraph_t var_lib_t:dir search;
create_dir_file(bindgraph_t, bindgraph_lib_t)
# the cgi may only read the RRD files
r_dir_file(bindgraph_cgi_t, bindgraph_lib_t)

# cgi can write in cache
create_dir_file(bindgraph_cgi_t, bindgraph_cache_t)
allow bindgraph_cgi_t var_lib_t:dir search;

# perl behaviour
allow { bindgraph_t bindgraph_cgi_t } { bin_t sbin_t }:dir { search getattr };
r_dir_file({ bindgraph_t bindgraph_cgi_t }, usr_t)
allow { bindgraph_t bindgraph_cgi_t } { random_device_t urandom_device_t }:chr_file read;

# cgi can be executed by web servers
# this is the execution rule for fnord
ifdef(`fnord-tcpsvd.te', `
can_exec_any(http_request_t)
domain_auto_trans(http_request_t, bindgraph_cgi_exec_t, bindgraph_cgi_t)
allow bindgraph_cgi_t tcpsvd_fnord_t:fd use;
allow bindgraph_cgi_t http_request_t:fifo_file { read write };
r_dir_file(bindgraph_cgi_t, httpd_sys_content_t)
')

[-- Attachment #1.4: fnord-tcpsvd.fc --]
[-- Type: text/plain, Size: 385 bytes --]

# web files
# this is mostly a local thing, but I believe the same as apache.fc uses?
/var/www(/.*)?			system_u:object_r:httpd_sys_content_t

# again, the pid file is a local thing, dependent on the startup script
# but there is no default startup script, not even an example
# included in the debian package.
/var/run/fnord-tcpsvd\.pid	system_u:object_r:tcpsvd_fnord_var_run_t

[-- Attachment #1.5: fnord-tcpsvd.te --]
[-- Type: text/plain, Size: 2540 bytes --]

#DESC tcpsvd and fnord - tiny and fast web server
#
# Authors:  Erich Schubert <erich@debian.org>
# X-Debian-Packages: ipsvd fnord
#

# the http port itself
# had to redefine it, because it is in the apache.te file
# which i do not use.
type http_port_t, port_type;

# the web files
type httpd_sys_content_t, file_type, homedirfile, sysadmfile;

# domain for the server
daemon_domain(tcpsvd_fnord)
domain_auto_trans(initrc_t, tcpsvd_fnord_exec_t, tcpsvd_fnord_t)

# domain for request
type http_request_t, domain, privlog;
role system_r types http_request_t;

# the server can network
can_network(tcpsvd_fnord_t)
allow tcpsvd_fnord_t etc_t:file { getattr read ioctl };
allow tcpsvd_fnord_t http_port_t:tcp_socket name_bind;
allow http_request_t tcpsvd_fnord_t:tcp_socket setopt;
# tcpsvd will try to reverse-lookup the host
allow tcpsvd_fnord_t port_t:udp_socket name_bind;

# installation location of fnord
can_exec(tcpsvd_fnord_t, sbin_t)
can_exec(tcpsvd_fnord_t, bin_t)

# Use capabilities (tcpsvd will setuid/setgid).
allow tcpsvd_fnord_t self:unix_stream_socket create_socket_perms;
allow tcpsvd_fnord_t self:capability { setuid setgid net_bind_service };

# initrc can write pid file
allow initrc_t tcpsvd_fnord_var_run_t:file create_file_perms;

# allow any domain to connect to the web server
can_tcp_connect(userdomain, http_port_t)

allow tcpsvd_fnord_t { bin_t sbin_t }:dir search;
allow tcpsvd_fnord_t { bin_t sbin_t }:lnk_file read;

# transition to request type upon execution of
# the fnord web server (add bin_t here if fnord is labeled bin_t for you)
# i see no reason for that, but in debian it is installed in sbin
domain_auto_trans(tcpsvd_fnord_t, sbin_t, http_request_t)
allow tcpsvd_fnord_t http_request_t:process sigkill;

# daemon can change to web dir
allow tcpsvd_fnord_t { var_t httpd_sys_content_t }:dir r_dir_perms;
# request can read web files
r_dir_file(http_request_t, httpd_sys_content_t)
allow http_request_t null_device_t:chr_file { r_file_perms write };

# request can talk to tcp server
allow http_request_t tcpsvd_fnord_t:tcp_socket { read write };

# server can chroot itself to the request dir
allow http_request_t root_t:dir search;
allow http_request_t self:capability { sys_chroot };

# server can launch cgi and/or htaccess helper
allow http_request_t self:process { fork signal sigchld };
allow http_request_t self:fifo_file { read write };

# ignore violations
dontaudit { tcpsvd_fnord_t http_request_t } initrc_t:fd use;

[-- Attachment #1.6: mailgraph.fc --]
[-- Type: text/plain, Size: 301 bytes --]

# mailgraph
/usr/sbin/mailgraph.pl  --      system_u:object_r:mailgraph_exec_t
/usr/lib/cgi-bin/mailgraph.cgi  --      system_u:object_r:mailgraph_cgi_exec_t
/var/run/mailgraph\.pid         system_u:object_r:mailgraph_var_run_t
/var/cache/mailgraph(/.*)?      system_u:object_r:mailgraph_cache_t

[-- Attachment #1.7: mailgraph.te --]
[-- Type: text/plain, Size: 1598 bytes --]

#DESC MAILGRAPH - postfix/amavis statistics graph tool
# Authors: Erich Schubert <erich@debian.org>
# X-Debian-Packages: mailgraph
#

daemon_domain(mailgraph)
daemon_domain(mailgraph_cgi)
# mailgraph uses the cache for both RRD and graphics
# a split would be nice, maybe i'll do this in a diff later on
# (RRD files have the .rrd extension)
type mailgraph_cache_t, file_type, sysadmfile;

# started by initrc_t
domain_auto_trans(initrc_t, mailgraph_exec_t, mailgraph_t)
# for pid file
allow initrc_t mailgraph_var_run_t:file { getattr read write unlink };

# read log files (needed: mail.log)
r_dir_file(mailgraph_t, var_log_t)

# write own cache files
create_dir_file(mailgraph_t, mailgraph_cache_t)
create_dir_file(mailgraph_cgi_t, mailgraph_cache_t)

# perl behaviour
allow { mailgraph_t mailgraph_cgi_t } { bin_t sbin_t }:dir { search getattr };
r_dir_file({ mailgraph_t mailgraph_cgi_t }, usr_t)
allow { mailgraph_t mailgraph_cgi_t } { random_device_t urandom_device_t }:chr_file read;

# unsure what this is needed for. perl?
# maybe dontaudit is possible, haven't investigated that yet
# (and I'm not sure I've understood what these capabilities are)
allow mailgraph_t self:capability { dac_override dac_read_search };

# can be executed by fnord web server
ifdef(`fnord-tcpsvd.te', `
can_exec_any(http_request_t)
domain_auto_trans(http_request_t, mailgraph_cgi_exec_t, mailgraph_cgi_t)
allow mailgraph_cgi_t tcpsvd_fnord_t:fd use;
allow mailgraph_cgi_t http_request_t:fifo_file { read write };
r_dir_file(mailgraph_cgi_t, httpd_sys_content_t)
')


[-- Attachment #1.8: pptp.fc --]
[-- Type: text/plain, Size: 276 bytes --]

# pptpd
/usr/sbin/pptpd		--	system_u:object_r:pptpd_exec_t
/usr/sbin/pptpctrl	--	system_u:object_r:pptpd_exec_t
/usr/sbin/bcrelay	--	system_u:object_r:pptpd_exec_t
/etc/pptpd\.conf		--	system_u:object_r:pptpd_etc_t
/var/run/pptpd\.pid	--	system_u:object_r:pptpd_var_run_t

[-- Attachment #1.9: pptp.te --]
[-- Type: text/plain, Size: 1321 bytes --]

#DESC poptop - PPTP daemon
#
# Author:  Erich Schubert
# X-Debian-Packages: pptp
#

#################################
#
# Rules for the pptpd_t domain, et al.
#
# pptpd_t is the domain for the pptpd program.
# pptpd_exec_t is the type of the pptpd executable.
#
daemon_domain(pptpd)
etc_domain(pptpd)

# can execute own apps (pptpctrl)
can_exec(pptpd_t, pptpd_exec_t)

# Use the network.
can_network(pptpd_t)
allow pptpd_t self:capability { net_raw };
allow pptpd_t pptpd_t:unix_dgram_socket create_socket_perms;
allow pptpd_t { node_t pptpd_t }:rawip_socket { create_socket_perms node_bind };
allow pptpd_t { pptpd_t port_t }:tcp_socket { create_socket_perms name_bind };

can_create_pty(pptpd)

# find and execute pppd
allow pptpd_t sbin_t:dir { search };
can_exec(pptpd_t, pppd_exec_t)
domain_auto_trans(pptpd_t, pppd_exec_t, pppd_t)
allow pptpd_t pppd_t:process signal;

# allow pppd to access the pptp ptys
allow pppd_t pptpd_devpts_t:chr_file rw_file_perms;

# allow to read pppd options file
allow pptpd_t { pppd_etc_rw_t pppd_etc_t }:file { read getattr };
allow pptpd_t pppd_etc_t:dir { search };

# search /var/lib
allow pptpd_t var_lib_t:dir { search };

# allow reading of nsswitch.conf etc.
allow pptpd_t etc_t:dir search;
allow pptpd_t etc_t:file r_file_perms;

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]


* Re: Additional rule files
  2004-09-04  1:12 Additional rule files Erich Schubert
@ 2004-09-05 10:19 ` Russell Coker
  2004-09-06 17:12   ` Erich Schubert
  2004-09-13 22:52   ` Erich Schubert
  2004-09-05 10:27 ` Russell Coker
From: Russell Coker @ 2004-09-05 10:19 UTC (permalink / raw)
  To: Erich Schubert; +Cc: selinux

[-- Attachment #1: Type: text/plain, Size: 579 bytes --]

On Sat, 4 Sep 2004 11:12, Erich Schubert <erich@debian.org> wrote:
> First there are rule files for pptpd (poptop).

I made a few cosmetic changes to pptp.te and also removed a couple of network 
rules that didn't look right.  Please test the network stuff again and send 
me an update.  I've put the pptp policy in my tree.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: pptp.te --]
[-- Type: text/plain, Size: 1118 bytes --]

#DESC poptop - PPTP daemon
#
# Author:  Erich Schubert
# X-Debian-Packages: pptp
#

#################################
#
# Rules for the pptpd_t domain, et al.
#
# pptpd_t is the domain for the pptpd program.
# pptpd_exec_t is the type of the pptpd executable.
#
daemon_domain(pptpd)
etc_domain(pptpd)

# can execute own apps (pptpctrl)
can_exec(pptpd_t, pptpd_exec_t)

# Use the network.
can_network(pptpd_t)
allow pptpd_t self:capability net_raw;
allow pptpd_t self:unix_dgram_socket create_socket_perms;

# create pty for communication with pppd
can_create_pty(pptpd)

# find and execute pppd
allow pptpd_t sbin_t:dir { search };
domain_auto_trans(pptpd_t, pppd_exec_t, pppd_t)
allow pptpd_t pppd_t:process signal;

# allow pppd to access the pptp ptys
allow pppd_t pptpd_devpts_t:chr_file rw_file_perms;

# allow to read pppd options file
allow pptpd_t { pppd_etc_rw_t pppd_etc_t }:file { read getattr };
allow pptpd_t pppd_etc_t:dir { search };

# search /var/lib
allow pptpd_t var_lib_t:dir search;

# allow reading of nsswitch.conf etc.
allow pptpd_t etc_t:dir search;
allow pptpd_t etc_t:file { getattr read };


* Re: Additional rule files
  2004-09-04  1:12 Additional rule files Erich Schubert
  2004-09-05 10:19 ` Russell Coker
@ 2004-09-05 10:27 ` Russell Coker
  2004-09-05 10:31 ` Russell Coker
  2004-09-05 10:45 ` log file names (was Additional rule files) Russell Coker
From: Russell Coker @ 2004-09-05 10:27 UTC (permalink / raw)
  To: Erich Schubert; +Cc: selinux

[-- Attachment #1: Type: text/plain, Size: 1145 bytes --]

On Sat, 4 Sep 2004 11:12, Erich Schubert <erich@debian.org> wrote:
> The next two rule sets are for the statistic tools "bindgraph" and
> "mailgraph". The first parses bind query logs and does nice graphs out
> of them, the second does the same for postfix+amavis logs.

can_exec_any(http_request_t)

The above line in bindgraph.te is bad.  The policy for program A should not 
grant significant permissions to program B to access the rest of the system.  
Allowing program B to access program A files, to run programs in the domain 
for program A, and to kill such programs may be OK (depending on what your 
goals are).  But allowing some wide access to unrelated parts of the system 
risks breakage.

In this case it may do no harm, but if nothing else it sets a bad precedent.

I have attached a modified version of bindgraph.  I removed the entire fnord 
section (see my next message).

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: bindgraph.te --]
[-- Type: text/plain, Size: 1040 bytes --]

#DESC BINDGRAPH - bind statistics graph tool
# Authors:  Erich Schubert <erich@debian.org>
# X-Debian-Packages: bindgraph
#

daemon_domain(bindgraph)
daemon_domain(bindgraph_cgi)
# lib is for the RRD files (data gathered)
type bindgraph_lib_t, file_type, sysadmfile;
# the cache is storing generated images
type bindgraph_cache_t, file_type, sysadmfile;

# maybe the same pid file removal rule is needed as for mailgraph?

# read log files
r_dir_file(bindgraph_t, var_log_t)

# write own lib files (RRD files)
allow bindgraph_t var_lib_t:dir search;
create_dir_file(bindgraph_t, bindgraph_lib_t)
# the cgi may only read the RRD files
r_dir_file(bindgraph_cgi_t, bindgraph_lib_t)

# cgi can write in cache
create_dir_file(bindgraph_cgi_t, bindgraph_cache_t)
allow bindgraph_cgi_t var_lib_t:dir search;

# perl behaviour
allow { bindgraph_t bindgraph_cgi_t } { bin_t sbin_t }:dir { search getattr };
r_dir_file({ bindgraph_t bindgraph_cgi_t }, usr_t)
allow { bindgraph_t bindgraph_cgi_t } { random_device_t urandom_device_t }:chr_file read;
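
The review point above (the policy for program A should not hand program B wide access to the rest of the system, while letting B run A's programs or touch A's files is ordinary glue) can be checked mechanically. The script below is an added example, not code from this thread or from the SELinux policy tree. It reads a .te module written in the 2004 example-policy macro style used in the attachments, works out which types the module owns (explicit `type` declarations plus what `daemon_domain`/`etc_domain` generate), and flags every `allow` rule or access macro whose source domain is foreign to the module and whose target is not one of the module's own types, or which has no specific target at all (`can_exec_any`). The sample module is a constructed excerpt of bindgraph.te with one extra constructed `allow` line added to exercise the `allow` path; the function and constant names are my own.

```python
"""Flag rules in an SELinux .te module that grant a foreign domain access
to types the module does not own.

Added example for the review point in this thread; not code from the thread
or from the policy tree. It understands the 2004 example-policy macros used
in the attachments (daemon_domain, r_dir_file, can_exec_any, ...); the
function and constant names are my own."""
import re

# Macros whose first argument is the source domain and second the target type.
SRC_TGT_MACROS = {"domain_auto_trans", "r_dir_file", "create_dir_file",
                  "can_exec", "can_tcp_connect"}
# Macros that grant a source domain sweeping access with no specific target.
BROAD_MACROS = {"can_exec_any", "can_network"}

ALLOW_RE = re.compile(r"allow\s+(\{[^}]*\}|\w+)\s+(\{[^}]*\}|\w+):")
MACRO_RE = re.compile(r"(\w+)\((.*)\)$")

# Constructed excerpt of the thread's bindgraph.te. The final allow line is
# constructed (not in the original) so that the allow path is exercised too.
SAMPLE_TE = """\
daemon_domain(bindgraph)
daemon_domain(bindgraph_cgi)
type bindgraph_lib_t, file_type, sysadmfile;
type bindgraph_cache_t, file_type, sysadmfile;
domain_auto_trans(initrc_t, bindgraph_exec_t, bindgraph_t)
r_dir_file(bindgraph_t, var_log_t)
allow bindgraph_t var_lib_t:dir search;
create_dir_file(bindgraph_t, bindgraph_lib_t)
r_dir_file(bindgraph_cgi_t, bindgraph_lib_t)
allow { bindgraph_t bindgraph_cgi_t } { bin_t sbin_t }:dir { search getattr };
ifdef(`fnord-tcpsvd.te', `
can_exec_any(http_request_t)
domain_auto_trans(http_request_t, bindgraph_cgi_exec_t, bindgraph_cgi_t)
allow bindgraph_cgi_t tcpsvd_fnord_t:fd use;
allow bindgraph_cgi_t http_request_t:fifo_file { read write };
r_dir_file(bindgraph_cgi_t, httpd_sys_content_t)
allow http_request_t var_log_t:dir search;
')
"""


def _split_set(text):
    """'{ a b }' -> ['a', 'b'];  'a' -> ['a']."""
    return text.strip("{} ").split()


def owned_types(module):
    """Types this module declares itself, either explicitly ('type x_t, ...;')
    or through the daemon_domain(x) / etc_domain(x) macros."""
    owned = set(re.findall(r"^\s*type\s+(\w+)\s*,", module, re.M))
    for name in re.findall(r"^\s*daemon_domain\((\w+)\)", module, re.M):
        owned |= {f"{name}_t", f"{name}_exec_t", f"{name}_var_run_t"}
    for name in re.findall(r"^\s*etc_domain\((\w+)\)", module, re.M):
        owned.add(f"{name}_etc_t")
    return owned


def foreign_grants(module):
    """(line_no, rule) for every rule whose source domain is not owned by the
    module and whose target is not owned by it either (or has no target)."""
    owned = owned_types(module)
    findings = []
    for no, raw in enumerate(module.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        srcs, tgts, broad = [], [], False
        m = ALLOW_RE.match(line)
        if m:
            srcs, tgts = _split_set(m.group(1)), _split_set(m.group(2))
        elif (m := MACRO_RE.match(line)):
            name = m.group(1)
            args = [a.strip() for a in m.group(2).split(",")]
            if name in BROAD_MACROS:
                srcs, broad = _split_set(args[0]), True
            elif name in SRC_TGT_MACROS and len(args) >= 2:
                srcs, tgts = _split_set(args[0]), _split_set(args[1])
            else:
                continue        # declaration macro, ifdef, etc.
        else:
            continue
        if all(s in owned for s in srcs):
            continue            # our own domain reaching out: normal for a module
        # A foreign domain touching our own types (running our program, reading
        # our files) is ordinary glue; 'self' resolves to the foreign domain.
        if broad or any(t not in owned for t in tgts):
            findings.append((no, line))
    return findings


if __name__ == "__main__":
    for no, rule in foreign_grants(SAMPLE_TE):
        print(f"line {no}: foreign domain granted non-module access: {rule}")
```

Run on the sample, the only lines reported are `can_exec_any(http_request_t)` and the constructed `allow http_request_t var_log_t:dir search;`; the `domain_auto_trans(http_request_t, bindgraph_cgi_exec_t, bindgraph_cgi_t)` rule passes because its target is the module's own type, which is exactly the distinction drawn above.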



* Re: Additional rule files
  2004-09-04  1:12 Additional rule files Erich Schubert
  2004-09-05 10:19 ` Russell Coker
  2004-09-05 10:27 ` Russell Coker
@ 2004-09-05 10:31 ` Russell Coker
  2004-09-05 13:54   ` Erich Schubert
  2004-09-05 10:45 ` log file names (was Additional rule files) Russell Coker
From: Russell Coker @ 2004-09-05 10:31 UTC (permalink / raw)
  To: Erich Schubert; +Cc: selinux

On Sat, 4 Sep 2004 11:12, Erich Schubert <erich@debian.org> wrote:
> Fourth rule set is for using the "fnord" web server with "tcpsvd"
> (of the ipsvd package. very lightweight.)

Why does fnord need a different policy?  Are the actions of different web 
servers that different?  (this is a serious question not a rhetorical 
question)

My initial thought was that perhaps a little change to apache.fc is all that's 
needed.  But if there are serious enough differences in the security 
requirements of Apache and fnord then we need to come up with a good design 
for this.  Having special case rules in every .te file that has policy for a 
cgi-bin script for each web server isn't going to work!

We can create some attributes to have multiple web servers work well with the 
rest of the policy as I have already done with mail servers.  But first we 
need a reason to do so.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: log file names (was Additional rule files)
  2004-09-04  1:12 Additional rule files Erich Schubert
  2004-09-05 10:31 ` Russell Coker
@ 2004-09-05 10:45 ` Russell Coker
       [not found]   ` <00ab01c4933f$c66e32f0$0a01a8c0@huey>
From: Russell Coker @ 2004-09-05 10:45 UTC (permalink / raw)
  To: Erich Schubert; +Cc: selinux, fedora-selinux-list, Debian Devel

On Sat, 4 Sep 2004 11:12, Erich Schubert <erich@debian.org> wrote:
> The next two rule sets are for the statistic tools "bindgraph" and
> "mailgraph". The first parses bind query logs and does nice graphs out
> of them, the second does the same for postfix+amavis logs.

Do we need to have two different domains for programs that do the same thing?

Both bindgraph and mailgraph can read the same file types as input and their 
output can be accessed by cgi-bin scripts.  It seems that there is little (if 
any) benefit in isolating them.

If we were to assign different types to different log files (may require code 
changes in syslogd) then we could deny the mailgraph program the ability to 
read log files other than mail.log and deny the bindgraph program the ability 
to read mail.log.

Also note that in your policy both those programs can read /var/log/auth.log 
(Debian) and /var/log/secure (Fedora).  This is not desirable, we probably 
should make changes to the syslog setup.

One possible change is greater use of sub-directories in /var/log.  We could 
have /var/log/security/ for auth.log, secure, and any other security critical 
log files and /var/log/mail/ for mail server log files (including POP server, 
and maybe webmail), etc.  Doing this would allow different types for the log 
files with no code changes to syslogd, and this would make it more beneficial 
to have separate domains for mailgraph and bindgraph.

I've CC'd this to fedora-selinux and debian-devel because if we make such 
changes then we want to get some cross-distribution agreement on file names.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


* Re: Is anyone using Selinux for VOIP applications?
       [not found]   ` <00ab01c4933f$c66e32f0$0a01a8c0@huey>
@ 2004-09-05 12:52     ` Russell Coker
From: Russell Coker @ 2004-09-05 12:52 UTC (permalink / raw)
  To: Joop; +Cc: Erich Schubert, selinux, fedora-selinux-list

On Sun, 5 Sep 2004 21:59, "Joop" <joop@fttp.ca> wrote:
> Is anyone using Selinux for VOIP applications at present? If so please
> contact me off the list. I am looking at Asterisk, Ser etc.

I've written SE Linux policy for Asterisk.  I haven't had the time to set it 
up fully though, so some aspects of Asterisk functionality probably don't 
work yet.

Try it out and let me know how it goes.  I'll fix any bugs you report in the 
Asterisk policy.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


* Re: Additional rule files
  2004-09-05 10:31 ` Russell Coker
@ 2004-09-05 13:54   ` Erich Schubert
  2004-09-05 17:34     ` Luke Kenneth Casson Leighton
From: Erich Schubert @ 2004-09-05 13:54 UTC (permalink / raw)
  To: russell; +Cc: selinux

Hi,

> Why does fnord need a different policy?  Are the actions of different web 
> servers that different?  (this is a serious question not a rhetorical 
> question)

Well, apache contains a lot of stuff. Fnord and tcpserver are much
smaller applications that would allow a fine-grained definition of
rules. (One of the reasons I don't like apache that much is that it
contains a huge amount of stuff you usually do not use.)

On the other side, fnord can for example run chrooted.

Here's a short overview of the typical fnord setup:

system init (minit / daemontools etc.) runs the tcp daemon and the
multilog daemon, and sets up the logging pipe from tcp daemon to the
logging daemon.

tcpsvd listens on the specified port and handles concurrency and reaping
of timeout children. it can (should) setuid/setgid after binding the
socket.

sslio can be used as client, providing ssl encryption. sslio can again
setuid/setgid/chroot and will then run the next client

fnord is a single-shot webserver, designed for chroot operation.
(using sendfile and such)

http authentication is done using another process.

Using all these different applications allows for much better privilege
separation. For example, the web server doesn't need to read the ssl
certs. Neither does it need write access to the log files, just to the
logging socket. Neither does it need auth capabilities.

> We can create some attributes to have multiple web servers work well with the 
> rest of the policy as I have already done with mail servers.  But first we 
> need a reason to do so.

I haven't looked at the apache policy enough yet. I'll do so.
We probably won't need such extra rules in each file by having a
cgi_domain macro or such. Differences for web server can probably be
handled in that macro.

Greetings,
Erich Schubert
-- 
    erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
           There are only 10 types of people in the world:           //\
           Those who understand binary and those who don't           V_/_
   The shortest connection between two people is a smile.




* Re: Additional rule files
  2004-09-05 13:54   ` Erich Schubert
@ 2004-09-05 17:34     ` Luke Kenneth Casson Leighton
  2004-09-05 17:38       ` Erich Schubert
From: Luke Kenneth Casson Leighton @ 2004-09-05 17:34 UTC (permalink / raw)
  To: Erich Schubert; +Cc: russell, selinux

On Sun, Sep 05, 2004 at 03:54:58PM +0200, Erich Schubert wrote:
> Hi,
> 
> > Why does fnord need a different policy?  Are the actions of different web 
> > servers that different?  (this is a serious question not a rhetorical 
> > question)
> 
> Well, apache contains a lot of stuff. Fnord and tcpserver are much
> smaller applications that would allow a fine-grained definition of
> rules. (one of the reasons i don't like apache that much is that it
> contains a huge amount of stuff you usually do not use)
 
 apache is modular: i assume that at some point the apache policy
 would reflect this modularity [with tunables/apache_modules.te?]

 l.



* Re: Additional rule files
  2004-09-05 17:34     ` Luke Kenneth Casson Leighton
@ 2004-09-05 17:38       ` Erich Schubert
  2004-09-05 18:50         ` Luke Kenneth Casson Leighton
From: Erich Schubert @ 2004-09-05 17:38 UTC (permalink / raw)
  To: Luke Kenneth Casson Leighton; +Cc: russell, selinux

Hi,
>  apache is modular: i assume that at some point the apache policy
>  would reflect this modularity [with tunables/apache_modules.te?]

With linkable modules, yes. Apart from apache2 modules having like one
security issue a month currently (ok, maybe a bit exaggerated) the
apache process still is one big process. Having one role/domain.
(Using fastcgi and such you can of course separate this a bit into
different roles, granted)

With SELinux it is advisable to split different parts into different
applications - such as the unix_verify application for pam.

Greetings,
Erich Schubert
-- 
     erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C     (o_
 A man doesn't know what he knows until he knows what he doesn't know. //\
  One can feel lonely even in the company of others. Weizsäcker V_/_




* Re: Additional rule files
  2004-09-05 17:38       ` Erich Schubert
@ 2004-09-05 18:50         ` Luke Kenneth Casson Leighton
From: Luke Kenneth Casson Leighton @ 2004-09-05 18:50 UTC (permalink / raw)
  To: Erich Schubert; +Cc: russell, selinux

On Sun, Sep 05, 2004 at 07:38:27PM +0200, Erich Schubert wrote:
> Hi,
> >  apache is modular: i assume that at some point the apache policy
> >  would reflect this modularity [with tunables/apache_modules.te?]
> 
> With linkable modules, yes. Apart from apache2 modules having like one
> security issue a month currently (ok, maybe a bit exxagerated) the
> apache process still is one big process. Having one role/domain.

 i was thinking more along the lines of having functionality
 in the single apache domain being optional.

 then, one of the simpler web server applications could consider
 using the apache policy - starting with all the options switched off.

 l.



* Re: Additional rule files
  2004-09-05 10:19 ` Russell Coker
@ 2004-09-06 17:12   ` Erich Schubert
  2004-09-13 22:52   ` Erich Schubert
From: Erich Schubert @ 2004-09-06 17:12 UTC (permalink / raw)
  To: russell; +Cc: selinux

Hi,

> I made a few cosmetic changes to pptp.te and also removed a couple of network 
> rules that didn't look right.  Please test the network stuff again and send 
> me an update.  I've put the pptp policy in my tree.

-allow pptpd_t { node_t pptpd_t }:rawip_socket { create_socket_perms
node_bind };
-allow pptpd_t { pptpd_t port_t}:tcp_socket { create_socket_perms
name_bind };

The second should better be replaced by:

----
# pptp port 1723
type pptp_port_t, port_type;
allow pptpd_t pptp_port_t:tcp_socket { create_socket_perms name_bind };

and in net_contexts:
ifdef(`pptp.te', `
portcon tcp 1723  system_u:object_r:pptp_port_t
')
----

As for the first line: The pptp daemon does start then, but when
connecting I get the following error:

audit(1094490089.788:0): avc:  denied  { create } for  pid=3524
exe=/usr/sbin/pptpctrl scontext=system_u:system_r:pptpd_t
tcontext=system_u:system_r:pptpd_t tclass=rawip_socket

pptp is IIRC a kind of GRE tunnel. I guess this rawip_socket permission
is needed for that.

The "tightest" set of permissions I found working is by adding

allow pptpd_t self:rawip_socket { create read write bind connect };
allow pptpd_t node_t:rawip_socket node_bind;

So I think the following should be added:
----
allow pptpd_t self:rawip_socket create_socket_perms;
allow pptpd_t node_t:rawip_socket node_bind;
----

Greetings,
Erich Schubert
-- 
   erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
       The best things in life are free: Friendship and Love.       //\
       There is no idiot-proof program, because idiots are so       V_/_
                     ingenious. -- E. Murphy



* Re: Additional rule files
  2004-09-05 10:19 ` Russell Coker
  2004-09-06 17:12   ` Erich Schubert
@ 2004-09-13 22:52   ` Erich Schubert
  2004-09-19 10:02     ` Russell Coker
From: Erich Schubert @ 2004-09-13 22:52 UTC (permalink / raw)
  To: russell; +Cc: selinux

(this is a repost since I didn't yet get a reply, and the pptp rules
you currently have included will not work)

Hi,

> I made a few cosmetic changes to pptp.te and also removed a couple of network 
> rules that didn't look right.  Please test the network stuff again and send 
> me an update.  I've put the pptp policy in my tree.

-allow pptpd_t { node_t pptpd_t }:rawip_socket { create_socket_perms
node_bind };
-allow pptpd_t { pptpd_t port_t}:tcp_socket { create_socket_perms
name_bind };

The second should better be replaced by:

----
# pptp port 1723
type pptp_port_t, port_type;
allow pptpd_t pptp_port_t:tcp_socket { create_socket_perms name_bind };

and in net_contexts:
ifdef(`pptp.te', `
portcon tcp 1723  system_u:object_r:pptp_port_t
')
----

As for the first line: The pptp daemon does start then, but when
connecting I get the following error:

audit(1094490089.788:0): avc:  denied  { create } for  pid=3524
exe=/usr/sbin/pptpctrl scontext=system_u:system_r:pptpd_t
tcontext=system_u:system_r:pptpd_t tclass=rawip_socket

pptp is IIRC a kind of GRE tunnel. I guess this rawip_socket permission
is needed for that.

The "tightest" set of permissions I found working is by adding

allow pptpd_t self:rawip_socket { create read write bind connect };
allow pptpd_t node_t:rawip_socket node_bind;

So I think the following should be added:
----
allow pptpd_t self:rawip_socket create_socket_perms;
allow pptpd_t node_t:rawip_socket node_bind;
----

Greetings,
Erich Schubert
-- 
   erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
       The best things in life are free: Friendship and Love.       //\
       There is no idiot-proof program, because idiots are so        V_/_
                     ingenious. -- E. Murphy

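The exchange above is the usual SELinux policy-writing loop: read the AVC denial, work out which source type, target type, object class and permission it names, and then check whether a candidate allow rule actually grants that permission. As an added illustration (this is not code from the thread, nor Erich's or Russell's), the following Python checker parses a denial line such as the one quoted above and reports which denied permissions a given set of allow rules fail to grant. It resolves `self` against the source type and expands the `create_socket_perms` macro; the expansion used here is assumed to be the one from the example policy's global_macros.te of that era, so adjust it if your tree differs.

```python
"""Check whether an SELinux AVC denial is covered by a set of allow rules.

Added example (not from the thread). Handles the classic example-policy
syntax: `allow src tgt:class perms;` with `{ ... }` sets, `self` as target,
and permission macros such as create_socket_perms.
"""
import re
from typing import Dict, List, Set

# Assumption: classic example-policy expansion of create_socket_perms
# (macros/global_macros.te, 2004-era policy). Adjust for your policy tree.
MACROS: Dict[str, Set[str]] = {
    "create_socket_perms": {
        "create", "ioctl", "read", "getattr", "write", "setattr",
        "append", "bind", "connect", "getopt", "setopt", "shutdown",
    },
}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<kv>.*)$"
)
RULE_RE = re.compile(
    r"^\s*allow\s+(?P<src>\{[^}]*\}|\S+)\s+(?P<tgt>\{[^}]*\}|\S+)\s*:\s*"
    r"(?P<cls>\S+)\s+(?P<perms>\{[^}]*\}|\S+)\s*;\s*$"
)


def _split_set(token: str) -> Set[str]:
    """'{ a b }' -> {'a', 'b'};  'a' -> {'a'}."""
    return set(token.strip("{} ").split())


def type_of(context: str) -> str:
    """'system_u:system_r:pptpd_t' -> 'pptpd_t' (third field; MLS level ignored)."""
    return context.split(":")[2]


def parse_avc(line: str) -> dict:
    """Extract perms, source/target types and object class from a denial line."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial: %r" % line)
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    return {
        "perms": set(m.group("perms").split()),
        "scontext": type_of(fields["scontext"]),
        "tcontext": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def parse_rule(line: str) -> dict:
    """Parse one allow rule, expanding permission macros into concrete perms."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError("not an allow rule: %r" % line)
    perms: Set[str] = set()
    for p in _split_set(m.group("perms")):
        perms |= MACROS.get(p, {p})
    return {
        "src": _split_set(m.group("src")),
        "tgt": _split_set(m.group("tgt")),
        "cls": m.group("cls"),
        "perms": perms,
    }


def uncovered_perms(denial: dict, rules: List[dict]) -> Set[str]:
    """Return the denied permissions that none of the rules grants."""
    granted: Set[str] = set()
    for r in rules:
        if denial["scontext"] not in r["src"] or r["cls"] != denial["tclass"]:
            continue
        # 'self' means the target type equals the source type of the rule.
        targets = {denial["scontext"] if t == "self" else t for t in r["tgt"]}
        if denial["tcontext"] in targets:
            granted |= r["perms"]
    return denial["perms"] - granted


def check(denial_line: str, rule_lines: List[str]) -> Set[str]:
    """Convenience wrapper: denial text + rule text -> still-denied perms."""
    return uncovered_perms(parse_avc(denial_line), [parse_rule(r) for r in rule_lines])


# The denial quoted in the message above, joined onto one line as the kernel logs it.
DENIAL = (
    "audit(1094490089.788:0): avc:  denied  { create } for  pid=3524 "
    "exe=/usr/sbin/pptpctrl scontext=system_u:system_r:pptpd_t "
    "tcontext=system_u:system_r:pptpd_t tclass=rawip_socket"
)
# Rules with only the tcp_socket line: the rawip_socket create is still denied.
RULES_BEFORE = [
    "allow pptpd_t pptp_port_t:tcp_socket { create_socket_perms name_bind };",
]
# Adding the two rawip_socket rules proposed in the message covers it.
RULES_AFTER = RULES_BEFORE + [
    "allow pptpd_t self:rawip_socket create_socket_perms;",
    "allow pptpd_t node_t:rawip_socket node_bind;",
]

if __name__ == "__main__":
    print("before:", check(DENIAL, RULES_BEFORE) or "covered")
    print("after: ", check(DENIAL, RULES_AFTER) or "covered")
```

Run it on a copy of your own avc lines and the rules you intend to add; an empty result means every permission in the denial is granted, while a non-empty set names the permissions that are still missing (or a class or target mismatch, as with the tcp_socket-only rule set above).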


* Re: Additional rule files
  2004-09-13 22:52   ` Erich Schubert
@ 2004-09-19 10:02     ` Russell Coker
  2004-10-02 23:37       ` Erich Schubert
  0 siblings, 1 reply; 14+ messages in thread
From: Russell Coker @ 2004-09-19 10:02 UTC (permalink / raw)
  To: Erich Schubert; +Cc: selinux

[-- Attachment #1: Type: text/plain, Size: 383 bytes --]

Please try out the attached pptp.te and let me know how it goes.  I've put the 
necessary change to net_contexts in my tree too.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: pptp.te --]
[-- Type: text/plain, Size: 1294 bytes --]

#DESC poptop - PPTP daemon
#
# Author:  Erich Schubert
# X-Debian-Packages: pptp
#

#################################
#
# Rules for the pptpd_t domain, et al.
#
# pptpd_t is the domain for the pptpd program.
# pptpd_exec_t is the type of the pptpd executable.
#
daemon_domain(pptpd)
etc_domain(pptpd)

type pptp_port_t, port_type;
allow pptpd_t pptp_port_t:tcp_socket name_bind;

# can execute own apps (pptpctrl)
can_exec(pptpd_t, pptpd_exec_t)

# Use the network.
can_network(pptpd_t)
allow pptpd_t self:capability net_raw;
allow pptpd_t self:rawip_socket create_socket_perms;
allow pptpd_t node_t:rawip_socket node_bind;
allow pptpd_t self:unix_dgram_socket create_socket_perms;

# create pty for communication with pppd
can_create_pty(pptpd)

# find and execute pppd
allow pptpd_t sbin_t:dir { search };
domain_auto_trans(pptpd_t, pppd_exec_t, pppd_t)
allow pptpd_t pppd_t:process signal;

# allow pppd to access the pptp ptys
allow pppd_t pptpd_devpts_t:chr_file rw_file_perms;

# allow to read pppd options file
allow pptpd_t { pppd_etc_rw_t pppd_etc_t }:file { read getattr };
allow pptpd_t pppd_etc_t:dir { search };

# search /var/lib
allow pptpd_t var_lib_t:dir search;

# allow reading of nsswitch.conf etc.
allow pptpd_t etc_t:dir search;
allow pptpd_t etc_t:file { getattr read };


* Re: Additional rule files
  2004-09-19 10:02     ` Russell Coker
@ 2004-10-02 23:37       ` Erich Schubert
  0 siblings, 0 replies; 14+ messages in thread
From: Erich Schubert @ 2004-10-02 23:37 UTC (permalink / raw)
  To: russell; +Cc: selinux

Hi,

> Please try out the attached pptp.te and let me know how it goes.  I've put the 
> necessary change to net_contexts in my tree too.

Sorry it took me so long.
Yes, the new version of the rule file works for me.

Greetings,
Erich Schubert
-- 
   erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
    Go away or i'll replace you with a very small shell script.     //\
      Computers count above all on the human doing the thinking.     V_/_



