* Patch: Policy for NX server
From: Thomas Bleher @ 2005-02-12 15:12 UTC (permalink / raw)
  To: SELinux ML



This patch adds policy for the NX server.
The server works like this: a new user nx is added; the users connect to
the host via ssh with username nx; the nxserver is started by ssh and
connects to the real user via ssh on localhost.
To start nxserver in the correct context I had to add a new role.
Only the server is currently protected, not the client or the nxagent. I
also haven't tested the more advanced features like remote printing.

Thomas

-- 
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA  D09E C562 2BAE B2F4 ABE7


diff -urN orig/domains/program/nx_server.te mod/domains/program/nx_server.te
--- orig/domains/program/nx_server.te	1970-01-01 01:00:00.000000000 +0100
+++ mod/domains/program/nx_server.te	2005-02-12 15:40:54.000000000 +0100
@@ -0,0 +1,62 @@
+# DESC NX - NX Server
+#
+# Author: Thomas Bleher <ThomasBleher@gmx.de>
+#
+# Depends: sshd.te
+#
+
+# Type for the nxserver executable, called from ssh
+type nx_server_exec_t, file_type, sysadmfile, exec_type;
+
+# type of the nxserver; userdomain is needed so sshd can transition
+type nx_server_t, domain, userdomain;
+
+# we need an extra role because nxserver is called from sshd
+role nx_server_r types nx_server_t;
+allow system_r nx_server_r;
+domain_trans(sshd_t, nx_server_exec_t, nx_server_t)
+
+# not really sure if the additional attributes are needed, copied from userdomains
+can_create_pty(nx_server, `, userpty_type, user_tty_type')
+type_change nx_server_t server_pty:chr_file nx_server_devpts_t;
+
+uses_shlib(nx_server_t)
+read_locale(nx_server_t)
+
+tmp_domain(nx_server)
+var_run_domain(nx_server)
+
+# nxserver is a shell script --> call other programs
+can_exec(nx_server_t, { bin_t shell_exec_t })
+allow nx_server_t self:process { fork sigchld };
+allow nx_server_t self:fifo_file { getattr ioctl read write };
+allow nx_server_t bin_t:dir { getattr read search };
+allow nx_server_t bin_t:lnk_file read;
+
+r_dir_file(nx_server_t, proc_t)
+allow nx_server_t { etc_t etc_runtime_t }:file { getattr read };
+
+# we do not actually need this attribute or the types defined here, 
+# but otherwise we cannot call the ssh_domain-macro
+attribute nx_server_file_type;
+type nx_server_home_dir_t alias nx_server_home_t;
+type nx_server_tty_device_t;
+ssh_domain(nx_server)
+
+can_network_client(nx_server_t)
+
+allow nx_server_t devtty_t:chr_file { read write };
+allow nx_server_t sysctl_kernel_t:dir search;
+allow nx_server_t sysctl_kernel_t:file read;
+allow nx_server_t urandom_device_t:chr_file read;
+# for reading the config files; maybe a separate type, 
+# but users need to be able to also read the config
+allow nx_server_t usr_t:file { getattr read };
+
+dontaudit nx_server_t selinux_config_t:dir search;
+
+# clients already have create permissions; the nxclient wants to also have unlink rights
+allow userdomain xdm_tmp_t:sock_file unlink;
+# for a lockfile created by the client process
+allow nx_server_t user_tmpfile:file getattr;
+
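Review bot: `allow userdomain xdm_tmp_t:sock_file unlink;` near the end of the hunk grants every user domain unlink on xdm_tmp_t socket files, not only the NX domain, yet it sits in nx_server.te where an audit of userdomain permissions will not look for it; if the client needs it, scope the rule to the domain that runs nxclient or move it next to the other userdomain rules, keeping the comment that explains why. The comment above `can_create_pty(nx_server, ...)` also says the extra attributes were copied without knowing whether they are needed; a run with them removed, checking for denials, would settle that before merging.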
diff -urN orig/file_contexts/program/nx_server.fc mod/file_contexts/program/nx_server.fc
--- orig/file_contexts/program/nx_server.fc	1970-01-01 01:00:00.000000000 +0100
+++ mod/file_contexts/program/nx_server.fc	2005-02-12 15:40:54.000000000 +0100
@@ -0,0 +1,5 @@
+# nx
+/opt/NX/bin/nxserver		--	system_u:object_r:nx_server_exec_t
+/opt/NX/var(/.*)?			system_u:object_r:nx_server_var_run_t
+/opt/NX/home/nx/\.ssh(/.*)?		system_u:object_r:nx_server_home_ssh_t
+
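Review bot: the pattern `/opt/NX/home/nx/\.ssh(/.*)?` labels only the .ssh directory, so /opt/NX/home/nx itself and the rest of /opt/NX (nxserver and /opt/NX/var aside) keep the parent directory's default label, which is why the .te needs the broad `allow nx_server_t usr_t:file { getattr read }` rule to read the config; a comment here saying that this is intentional, or a follow-up giving the config its own type as the .te comment already contemplates, would make the choice explicit.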
diff -urN orig/serviceusers mod/serviceusers
--- orig/serviceusers	2004-09-11 14:31:46.000000000 +0200
+++ mod/serviceusers	2005-02-12 15:40:54.000000000 +0100
@@ -4,3 +4,6 @@
 ifdef(`mailman.te', `
 #user mailman roles mailman_r;
 ')
+ifdef(`nx_server.te', `
+user nx roles nx_server_r;
+')
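Review bot: this block copies the mailman example just above it, but that entry is commented out and, as the merge reply in this thread says, serviceusers is no longer used; the declaration belongs in users, otherwise the nx login account has no SELinux user and nx_server_r is never reached. Since nx is a real Unix account, it would also help to state in the comment that nx_server_r is meant to be its only role.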

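The patch relies on a short chain of statements for the nx account to end up in the right context: the sshd_t to nx_server_t transition through nx_server_exec_t, the role nx_server_r holding that domain, the system_r to nx_server_r role change, and the user nx being limited to nx_server_r. The script below is an added example, not code from the patch or from the thread, that re-checks that chain mechanically and flags allow rules whose source is not one of the module's own types (the userdomain rule in this patch is one). It uses a deliberately minimal hand-written parser for the handful of statement forms that appear in the hunks above, not the SELinux toolchain, and the policy text it parses is a constructed fragment copied from those hunks.

```python
import re

# Constructed sample: the statements from the nx_server.te and serviceusers
# hunks that matter for the login path, copied so the checker runs offline.
POLICY_FRAGMENT = """
type nx_server_exec_t, file_type, sysadmfile, exec_type;
type nx_server_t, domain, userdomain;
role nx_server_r types nx_server_t;
allow system_r nx_server_r;
domain_trans(sshd_t, nx_server_exec_t, nx_server_t)
allow nx_server_t self:process { fork sigchld };
allow nx_server_t usr_t:file { getattr read };
allow userdomain xdm_tmp_t:sock_file unlink;
allow nx_server_t user_tmpfile:file getattr;
user nx roles nx_server_r;
"""

# Statement forms handled (others are ignored, e.g. macro calls like tmp_domain).
ROLE_ALLOW_RE = re.compile(r"^allow\s+(\w+_r)\s+(\w+_r);")
ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+);")
ROLE_TYPES_RE = re.compile(r"^role\s+(\w+)\s+types\s+(\w+);")
TRANS_RE = re.compile(r"^domain_trans\((\w+),\s*(\w+),\s*(\w+)\)")
USER_RE = re.compile(r"^user\s+(\w+)\s+roles\s+(\{[^}]*\}|\w+);")
TYPE_RE = re.compile(r"^type\s+(\w+)")


def _name_set(token):
    """'{ getattr read }' -> {'getattr', 'read'}; 'unlink' -> {'unlink'}."""
    return set(token.strip("{}").split())


def parse_policy(text):
    """Collect the declarations and rules the login-path check needs."""
    pol = {"types": set(), "av": [], "role_allow": set(),
           "role_types": {}, "trans": [], "users": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := ROLE_ALLOW_RE.match(line):          # allow role_a role_b;
            pol["role_allow"].add((m[1], m[2]))
        elif m := ALLOW_RE.match(line):             # allow src tgt:class perms;
            pol["av"].append((m[1], m[2], m[3], _name_set(m[4])))
        elif m := ROLE_TYPES_RE.match(line):        # role r types t;
            pol["role_types"].setdefault(m[1], set()).add(m[2])
        elif m := TRANS_RE.match(line):             # domain_trans(src, exec, dst)
            pol["trans"].append((m[1], m[2], m[3]))
        elif m := USER_RE.match(line):              # user u roles r;
            pol["users"][m[1]] = _name_set(m[2])
        elif m := TYPE_RE.match(line):              # type t, attr...;
            pol["types"].add(m[1])
    return pol


def check_login_path(pol, user="nx", entry="sshd_t", exec_t="nx_server_exec_t",
                     domain="nx_server_t", role="nx_server_r", login_role="system_r"):
    """Return a list of problems; an empty list means every link is present
    and the user cannot reach any role other than the server role."""
    problems = []
    if (entry, exec_t, domain) not in pol["trans"]:
        problems.append(f"no domain_trans {entry} -> {domain} via {exec_t}")
    if domain not in pol["role_types"].get(role, set()):
        problems.append(f"role {role} does not include {domain}")
    if (login_role, role) not in pol["role_allow"]:
        problems.append(f"role change {login_role} -> {role} not allowed")
    roles = pol["users"].get(user)
    if roles is None:
        problems.append(f"user {user} not declared")
    elif roles != {role}:
        problems.append(f"user {user} has roles beyond {role}: {sorted(roles - {role})}")
    return problems


def foreign_source_rules(pol, prefix="nx_server_"):
    """Allow rules whose source is not one of this module's own types: these
    widen permissions for domains outside the module and deserve a look."""
    own = {t for t in pol["types"] if t.startswith(prefix)}
    return [r for r in pol["av"] if r[0] not in own and r[0] != "self"]


if __name__ == "__main__":
    policy = parse_policy(POLICY_FRAGMENT)
    print("login path problems:", check_login_path(policy) or "none")
    for src, tgt, cls, perms in foreign_source_rules(policy):
        print(f"rule with outside source: allow {src} {tgt}:{cls} {sorted(perms)}")
```

Run against the fragment, the login path checks out and the single flagged rule is the userdomain one; editing the fragment so that `user nx` also gets `sysadm_r`, or dropping the `allow system_r nx_server_r;` line, makes the checker report it, which is the kind of regression a policy module test should catch.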


* Re: Patch: Policy for NX server
From: James Carter @ 2005-03-15 18:05 UTC (permalink / raw)
  To: rbg; +Cc: SELinux

Merged.
Serviceusers is no longer being used, but since nx_server is using an
actual Unix user, I added the ifdef for user nx to users.

On Sat, 2005-02-12 at 16:12 +0100, Thomas Bleher wrote:
> This patch adds policy for the NX server.
> The server works like this: a new user nx is added; the users connect to
> the host via ssh with username nx; the nxserver is started by ssh and
> connects to the real user via ssh on localhost.
> To start nxserver in the correct context I had to add a new role.
> Only the server is currently protected, not the client or the nxagent. I
> also haven't tested the more advanced features like remote printing.
> 
> Thomas
> 
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency


