[PATCH 0/3] Some quick policy patches based on the problems from earlier today

[PATCH 0/3] Some quick policy patches based on the problems from earlier today

[Paul Moore]

This patch set addresses some issues seen when trying to configure/start both
the IPsec and NetLabel management tools at boot from the init scripts.  These
patches have only been lightly tested, but they are pretty trivial.

--
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH 1/3] Refpolicy: allow the IPsec management tools to start at boot

[Paul Moore]

Currently the IPsec tools are rather noisy at startup, in terms of AVC denials,
if they start at all.  This patch attempts to cleanup some of the AVC denials
caused by "fd use" as well as allowing the setkey_t domain to read the required
configuration files.

Signed-off-by: Paul Moore <paul.moore@hp.com>
---
 policy/modules/system/ipsec.te |    8 ++++++++
 1 file changed, 8 insertions(+)

Index: refpolicy/policy/modules/system/ipsec.te
===================================================================
--- refpolicy.orig/policy/modules/system/ipsec.te
+++ refpolicy/policy/modules/system/ipsec.te
@@ -325,6 +325,8 @@ selinux_compute_access_vector(racoon_t)
 libs_use_ld_so(racoon_t)
 libs_use_shared_libs(racoon_t)
 
+init_dontaudit_use_fds(racoon_t)
+
 locallogin_use_fds(racoon_t)
 
 logging_send_syslog_msg(racoon_t)
@@ -348,6 +350,10 @@ allow setkey_t ipsec_spd_t:association s
 # allow setkey utility to set contexts on SA's and policy
 domain_ipsec_setcontext_all_domains(setkey_t)
 
+allow setkey_t ipsec_conf_file_t:dir list_dir_perms;
+read_files_pattern(setkey_t,ipsec_conf_file_t,ipsec_conf_file_t)
+read_lnk_files_pattern(setkey_t,ipsec_conf_file_t,ipsec_conf_file_t)
+
 files_read_etc_files(setkey_t)
 
 locallogin_use_fds(setkey_t)
@@ -355,6 +361,8 @@ locallogin_use_fds(setkey_t)
 libs_use_ld_so(setkey_t)
 libs_use_shared_libs(setkey_t)
 
+init_dontaudit_use_fds(setkey_t)
+
 miscfiles_read_localization(setkey_t)
 
 seutil_read_config(setkey_t)

--
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH 2/3] Refpolicy: remove a duplicate rule in the ipsec.te file

[Paul Moore]

The "seutil_read_config(setkey_t)" rule is duplicated in the IPsec policy file,
it is possibile that the first occurrence is intended to be for the racoon_t
domain but we'll just remove for now.

Signed-off-by: Paul Moore <paul.moore@hp.com>
---
 policy/modules/system/ipsec.te |    2 --
 1 file changed, 2 deletions(-)

Index: refpolicy/policy/modules/system/ipsec.te
===================================================================
--- refpolicy.orig/policy/modules/system/ipsec.te
+++ refpolicy/policy/modules/system/ipsec.te
@@ -333,8 +333,6 @@ logging_send_syslog_msg(racoon_t)
 
 miscfiles_read_localization(racoon_t)
 
-seutil_read_config(setkey_t)
-
 ########################################
 #
 # Setkey local policy

--
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH 3/3] Refpolicy: allow netlabelctl to be run at boot

[Paul Moore]

Allow the NetLabel management tools to be run at boot from the init scripts.

Signed-off-by: Paul Moore <paul.moore@hp.com>
---
 policy/modules/system/netlabel.te |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

Index: refpolicy/policy/modules/system/netlabel.te
===================================================================
--- refpolicy.orig/policy/modules/system/netlabel.te
+++ refpolicy/policy/modules/system/netlabel.te
@@ -8,8 +8,7 @@ policy_module(netlabel,1.0.0)
 
 type netlabel_mgmt_t;
 type netlabel_mgmt_exec_t;
-domain_type(netlabel_mgmt_t)
-domain_entry_file(netlabel_mgmt_t,netlabel_mgmt_exec_t)
+init_daemon_domain(netlabel_mgmt_t,netlabel_mgmt_exec_t)
 
 ########################################
 #

--
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH 3/3] Refpolicy: allow netlabelctl to be run at boot

[Christopher J. PeBenito]

On Fri, 2007-03-09 at 16:33 -0400, Paul Moore wrote:
> Allow the NetLabel management tools to be run at boot from the init
> scripts.

Is this actually a daemon or just a regular application?  If its not a
daemon it should be using init_system_domain() instead.

> Signed-off-by: Paul Moore <paul.moore@hp.com>
> ---
>  policy/modules/system/netlabel.te |    3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
> 
> Index: refpolicy/policy/modules/system/netlabel.te
> ===================================================================
> --- refpolicy.orig/policy/modules/system/netlabel.te
> +++ refpolicy/policy/modules/system/netlabel.te
> @@ -8,8 +8,7 @@ policy_module(netlabel,1.0.0)
> 
>  type netlabel_mgmt_t;
>  type netlabel_mgmt_exec_t;
> -domain_type(netlabel_mgmt_t)
> -domain_entry_file(netlabel_mgmt_t,netlabel_mgmt_exec_t)
> +init_daemon_domain(netlabel_mgmt_t,netlabel_mgmt_exec_t)
> 
>  ########################################
>  #
> 
> --
> paul moore
> linux security @ hp
> 
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH 3/3] Refpolicy: allow netlabelctl to be run at boot

[Paul Moore]

On Monday, March 26 2007 11:18:23 am Christopher J. PeBenito wrote:
> On Fri, 2007-03-09 at 16:33 -0400, Paul Moore wrote:
> > Allow the NetLabel management tools to be run at boot from the init
> > scripts.
>
> Is this actually a daemon or just a regular application?  If its not a
> daemon it should be using init_system_domain() instead.

Check our email from last Friday (3/23).  It's okay, it's Monday morning ;)

I agree, knowing what I know now it should be init_system_domain(), there is 
probably another change needed as this patch seemed to introduce a bug (or 
flush out an old one) which Dan fixed in selinux-policy-2.4.6-47 for RHEL5.  
Unfortunately, I can't get at the RPM right now (got a pointer Dan?) so I 
can't do a diff and see what changed ...

It is probably best to hold on this for now, sorry for the confusion, but I 
was hoping to have the fix for this by now.

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH 3/3] Refpolicy: allow netlabelctl to be run at boot

[Daniel J Walsh]

Paul Moore wrote:
> On Monday, March 26 2007 11:18:23 am Christopher J. PeBenito wrote:
>   
>> On Fri, 2007-03-09 at 16:33 -0400, Paul Moore wrote:
>>     
>>> Allow the NetLabel management tools to be run at boot from the init
>>> scripts.
>>>       
>> Is this actually a daemon or just a regular application?  If its not a
>> daemon it should be using init_system_domain() instead.
>>     
>
> Check our email from last Friday (3/23).  It's okay, it's Monday morning ;)
>
> I agree, knowing what I know now it should be init_system_domain(), there is 
> probably another change needed as this patch seemed to introduce a bug (or 
> flush out an old one) which Dan fixed in selinux-policy-2.4.6-47 for RHEL5.  
> Unfortunately, I can't get at the RPM right now (got a pointer Dan?) so I 
> can't do a diff and see what changed ...
>
> It is probably best to hold on this for now, sorry for the confusion, but I 
> was hoping to have the fix for this by now.
>
>   
RHEL5 and Rawhide policy are identical.  I have no problem changing to 
init_system_domain.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH 3/3] Refpolicy: allow netlabelctl to be run at boot

[Stephen Smalley]

On Mon, 2007-03-26 at 11:41 -0400, Daniel J Walsh wrote:
> Paul Moore wrote:
> > On Monday, March 26 2007 11:18:23 am Christopher J. PeBenito wrote:
> >   
> >> On Fri, 2007-03-09 at 16:33 -0400, Paul Moore wrote:
> >>     
> >>> Allow the NetLabel management tools to be run at boot from the init
> >>> scripts.
> >>>       
> >> Is this actually a daemon or just a regular application?  If its not a
> >> daemon it should be using init_system_domain() instead.
> >>     
> >
> > Check our email from last Friday (3/23).  It's okay, it's Monday morning ;)
> >
> > I agree, knowing what I know now it should be init_system_domain(), there is 
> > probably another change needed as this patch seemed to introduce a bug (or 
> > flush out an old one) which Dan fixed in selinux-policy-2.4.6-47 for RHEL5.  
> > Unfortunately, I can't get at the RPM right now (got a pointer Dan?) so I 
> > can't do a diff and see what changed ...
> >
> > It is probably best to hold on this for now, sorry for the confusion, but I 
> > was hoping to have the fix for this by now.
> >
> >   
> RHEL5 and Rawhide policy are identical.  I have no problem changing to 
> init_system_domain.

IIRC, using init_daemon_domain() was causing problems (over on
redhat-lspp list) because it was causing netlabelctl to trigger a role
transition to system_r when run by the admin, and the admin wasn't
necessarily authorized for system_r directly.  Not sure whether that is
just a misconfiguration of users there (i.e. you must authorize admins
for system_r if you are going to use automatic role transitions to
system_r rather than run_init, but I don't think run_init really works
for Fedora or RHEL today since it won't be invoked when rpm %post
scriptlets restart services).

But in any event, netlabelctl is not a daemon, so init_system_domain is
more appropriate anyway (along with whatever is needed to also
transition when run by an admin).

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH 3/3] Refpolicy: allow netlabelctl to be run at boot

[Daniel J Walsh]

Stephen Smalley wrote:
> On Mon, 2007-03-26 at 11:41 -0400, Daniel J Walsh wrote:
>   
>> Paul Moore wrote:
>>     
>>> On Monday, March 26 2007 11:18:23 am Christopher J. PeBenito wrote:
>>>   
>>>       
>>>> On Fri, 2007-03-09 at 16:33 -0400, Paul Moore wrote:
>>>>     
>>>>         
>>>>> Allow the NetLabel management tools to be run at boot from the init
>>>>> scripts.
>>>>>       
>>>>>           
>>>> Is this actually a daemon or just a regular application?  If its not a
>>>> daemon it should be using init_system_domain() instead.
>>>>     
>>>>         
>>> Check our email from last Friday (3/23).  It's okay, it's Monday morning ;)
>>>
>>> I agree, knowing what I know now it should be init_system_domain(), there is 
>>> probably another change needed as this patch seemed to introduce a bug (or 
>>> flush out an old one) which Dan fixed in selinux-policy-2.4.6-47 for RHEL5.  
>>> Unfortunately, I can't get at the RPM right now (got a pointer Dan?) so I 
>>> can't do a diff and see what changed ...
>>>
>>> It is probably best to hold on this for now, sorry for the confusion, but I 
>>> was hoping to have the fix for this by now.
>>>
>>>   
>>>       
>> RHEL5 and Rawhide policy are identical.  I have no problem changing to 
>> init_system_domain.
>>     
>
> IIRC, using init_daemon_domain() was causing problems (over on
> redhat-lspp list) because it was causing netlabelctl to trigger a role
> transition to system_r when run by the admin, and the admin wasn't
> necessarily authorized for system_r directly.  Not sure whether that is
> just a misconfiguration of users there (i.e. you must authorize admins
> for system_r if you are going to use automatic role transitions to
> system_r rather than run_init, but I don't think run_init really works
> for Fedora or RHEL today since it won't be invoked when rpm %post
> scriptlets restart services).
>
> But in any event, netlabelctl is not a daemon, so init_system_domain is
> more appropriate anyway (along with whatever is needed to also
> transition when run by an admin).
>
>   

The problem in LSPP was that sysadm_r was not allowed to transition to 
netlabel_t  Which is fixed in the latest policy.

IE netlabelctl_run(sysadm_t, sysadm_r, admin_terminals)



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH 1/3] Refpolicy: allow the IPsec management tools to start at boot

[Christopher J. PeBenito]

On Fri, 2007-03-09 at 16:33 -0400, Paul Moore wrote:
> Currently the IPsec tools are rather noisy at startup, in terms of AVC
> denials,
> if they start at all.  This patch attempts to cleanup some of the AVC
> denials
> caused by "fd use" as well as allowing the setkey_t domain to read the
> required
> configuration files.
> 
> Signed-off-by: Paul Moore <paul.moore@hp.com>

Merged except for the first change, as that rule was added to
init_daemon_domain() in the mean time, so racoon_t has it already.  Also
moved the other hunks higher up in the file.

> ---
>  policy/modules/system/ipsec.te |    8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> Index: refpolicy/policy/modules/system/ipsec.te
> ===================================================================
> --- refpolicy.orig/policy/modules/system/ipsec.te
> +++ refpolicy/policy/modules/system/ipsec.te
> @@ -325,6 +325,8 @@ selinux_compute_access_vector(racoon_t)
>  libs_use_ld_so(racoon_t)
>  libs_use_shared_libs(racoon_t)
> 
> +init_dontaudit_use_fds(racoon_t)
> +
>  locallogin_use_fds(racoon_t)
> 
>  logging_send_syslog_msg(racoon_t)
> @@ -348,6 +350,10 @@ allow setkey_t ipsec_spd_t:association s
>  # allow setkey utility to set contexts on SA's and policy
>  domain_ipsec_setcontext_all_domains(setkey_t)
> 
> +allow setkey_t ipsec_conf_file_t:dir list_dir_perms;
> +read_files_pattern(setkey_t,ipsec_conf_file_t,ipsec_conf_file_t)
> +read_lnk_files_pattern(setkey_t,ipsec_conf_file_t,ipsec_conf_file_t)
> +
>  files_read_etc_files(setkey_t)
> 
>  locallogin_use_fds(setkey_t)
> @@ -355,6 +361,8 @@ locallogin_use_fds(setkey_t)
>  libs_use_ld_so(setkey_t)
>  libs_use_shared_libs(setkey_t)
> 
> +init_dontaudit_use_fds(setkey_t)
> +
>  miscfiles_read_localization(setkey_t)
> 
>  seutil_read_config(setkey_t)
> 
> --
> paul moore
> linux security @ hp
> 
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH 2/3] Refpolicy: remove a duplicate rule in the ipsec.te file

[Christopher J. PeBenito]

On Fri, 2007-03-09 at 16:33 -0400, Paul Moore wrote:
> The "seutil_read_config(setkey_t)" rule is duplicated in the IPsec
> policy file,
> it is possibile that the first occurrence is intended to be for the
> racoon_t
> domain but we'll just remove for now.
> 
> Signed-off-by: Paul Moore <paul.moore@hp.com>

Merged.

> ---
>  policy/modules/system/ipsec.te |    2 --
>  1 file changed, 2 deletions(-)
> 
> Index: refpolicy/policy/modules/system/ipsec.te
> ===================================================================
> --- refpolicy.orig/policy/modules/system/ipsec.te
> +++ refpolicy/policy/modules/system/ipsec.te
> @@ -333,8 +333,6 @@ logging_send_syslog_msg(racoon_t)
> 
>  miscfiles_read_localization(racoon_t)
> 
> -seutil_read_config(setkey_t)
> -
>  ########################################
>  #
>  # Setkey local policy
> 
> --
> paul moore
> linux security @ hp
> 
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.