* Adding alternate root patch to restorecon (setfiles?)
@ 2004-10-18 19:36 Daniel J Walsh
  0 siblings, 0 replies; 15+ messages in thread
From: Daniel J Walsh @ 2004-10-18 19:36 UTC (permalink / raw)
  To: Stephen Smalley, SELinux


Forgot patch.

Dan

[-- Attachment #2: policycoreutils-altroot.patch --]
[-- Type: text/plain, Size: 2149 bytes --]

--- policycoreutils-1.17.6/restorecon/restorecon.c.altroot	2004-10-06 09:47:47.000000000 -0400
+++ policycoreutils-1.17.6/restorecon/restorecon.c	2004-10-18 15:35:41.124661316 -0400
@@ -8,11 +8,13 @@
  * to match the specification returned by matchpathcon.
  *
  * USAGE:
- * restorecon [-Rnv] pathname...
+ * restorecon [-Rnv] [ -o outputfile ] [ -p alt_root ] pathname...
  * 
+ * -R	recurse
  * -n	Do not change any file labels.
  * -v	Show changes in file labels.  
- * -o filename save list of files with incorrect context
+ * -o	filename save list of files with incorrect context
+ * -p	alternate root: strip off alt_root from pathname when doing matchfilecon
  *
  * pathname...	The file(s) to label 
  *
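Review bot: the new -p line in the usage comment says "matchfilecon", but the function this tool calls (and the rest of the comment names) is matchpathcon; fix the name so the help text matches the code. The option string later in this patch already accepts -f, which the usage line still omits; while touching this block, either document it or drop it from getopt.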
@@ -40,6 +42,8 @@
 static int verbose=0;
 static FILE *outfile=NULL;
 static char *progname;
+static char *alt_root=NULL;
+static int alt_len=0;
 static int errors=0;
 static int recurse;
 
@@ -52,6 +56,7 @@
 int restore(char *filename) {
   int retcontext=0;
   int retval=0;
+  char *target=NULL;
   security_context_t scontext;
   security_context_t prev_context;
   int len=strlen(filename);
@@ -99,9 +104,14 @@
     }
     filename = p;
   }
-  retval = matchpathcon(filename, st.st_mode, &scontext);
+
+  target=filename;
+  if (alt_len != 0 && strncmp(alt_root, filename, alt_len) == 0)
+	  target=&filename[alt_len];
+
+  retval = matchpathcon(target, st.st_mode, &scontext);
   if (retval < 0) {
-    fprintf(stderr,"matchpathcon(%s) failed %s\n", filename,strerror(errno));
+    fprintf(stderr,"matchpathcon(%s) failed %s\n", target,strerror(errno));
     return 1;
   } 
   if (strcmp(scontext,"<<none>>")==0) {
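Review bot: the strncmp() prefix test in this hunk matches bytes, not path components, so `-p /mnt/root` also strips the prefix from /mnt/rootfs/etc/passwd and hands matchpathcon the relative path fs/etc/passwd, which then gets the wrong context or none; check that filename[alt_len] is '/' or '\0' before stripping. When filename is exactly the alternate root, target becomes the empty string; map that case to "/" so the root of the alternate tree is labelled from the root entry. The error message now prints target rather than filename, so a failure on a stripped path no longer shows the real path that was operated on; printing both helps when reading the output of a chroot-style run.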
@@ -179,7 +189,7 @@
 
   memset(buf,0, sizeof(buf));
 
-  while ((opt = getopt(argc, argv, "Rnvf:o:")) > 0) {
+  while ((opt = getopt(argc, argv, "Rnvf:o:p:")) > 0) {
     switch (opt) {
     case 'n':
       change = 0;
@@ -187,6 +197,12 @@
     case 'R':
       recurse = 1;
       break;
+    case 'p':
+      alt_root=strdup(optarg);
+      alt_len=strlen(optarg);
+      if (alt_root[alt_len-1]=='/') 
+	      alt_len--;
+      break;
     case 'o':
       outfile = fopen(optarg,"w");
       if (!outfile) {
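Review bot: `alt_root[alt_len-1]` reads one byte before the buffer when -p is given an empty argument (alt_len is 0), and the strdup() return value is never checked; reject an empty optarg (or treat it as no alternate root) and bail out on a NULL strdup(). Only one trailing '/' is removed, so `-p /mnt/root//` leaves alt_len covering a slash and the later strncmp() never matches; loop while the last byte is '/'. A repeated -p also leaks the earlier strdup() result, harmless for a one-shot command but easy to free.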

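The path computation the patch above adds to restore(), written out as an added example (this is not Dan's code) that handles the edge cases the patch does not: any number of trailing slashes on the alternate root, a match only at a path-component boundary, and a path equal to the alternate root mapping to "/". The function name strip_alt_root and the sample paths are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Compute the path that would be handed to matchpathcon() when an
 * alternate root is in effect.  Returns a pointer into `path` (no
 * allocation), or the literal "/" when `path` is exactly the root.
 *
 * Cases handled here, beyond a bare strncmp() prefix test:
 *  - all trailing '/' on alt_root are ignored ("/mnt/root//" == "/mnt/root");
 *  - alt_root only matches at a component boundary, so "-p /mnt/root"
 *    leaves "/mnt/rootfs/etc/passwd" untouched instead of yielding
 *    the relative path "fs/etc/passwd";
 *  - a path equal to alt_root maps to "/" rather than to "";
 *  - an alt_root of "", "/" or NULL means "no alternate root".
 */
static const char *strip_alt_root(const char *alt_root, const char *path)
{
    size_t alt_len = alt_root ? strlen(alt_root) : 0;

    /* ignore every trailing slash, not just one */
    while (alt_len > 0 && alt_root[alt_len - 1] == '/')
        alt_len--;

    /* "", "/" or NULL: nothing to strip */
    if (alt_len == 0)
        return path;

    if (strncmp(alt_root, path, alt_len) != 0)
        return path;                 /* not under alt_root at all */

    if (path[alt_len] == '\0')
        return "/";                  /* path is exactly the alternate root */

    if (path[alt_len] != '/')
        return path;                 /* sibling such as /mnt/rootfs */

    return path + alt_len;           /* keeps the leading '/' */
}

int main(void)
{
    /* constructed sample inputs */
    static const struct { const char *root, *path; } cases[] = {
        { "/mnt/root",   "/mnt/root/etc/passwd" },
        { "/mnt/root//", "/mnt/root" },
        { "/mnt/root",   "/mnt/rootfs/etc/passwd" },
        { "/",           "/etc/passwd" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("-p %-12s %-26s -> %s\n", cases[i].root, cases[i].path,
               strip_alt_root(cases[i].root, cases[i].path));
    return 0;
}
```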

* Re: Adding alternate root patch to restorecon (setfiles?)
  2004-11-05 21:39         ` James Carter
@ 2004-11-06 10:40           ` Thomas Bleher
  0 siblings, 0 replies; 15+ messages in thread
From: Thomas Bleher @ 2004-11-06 10:40 UTC (permalink / raw)
  To: James Carter; +Cc: Russell Coker, SELinux

* James Carter <jwcart2@epoch.ncsc.mil> [2004-11-05 22:37]:
> I haven't forgotten about this patch.  I will probably be working on
> merging it Monday, without the restorecon stuff at first.

Yes, that's OK. The restorecon stuff was more a "let's toss this idea
around to see what people say about it". I'm not sure myself if it
should be merged.
 
> The $1_domain_file_type attribute is an interesting idea, although the
> name is rather long.

I guess I'm just bad at naming. Feel free to take a shorter name. :)

Thanks,
Thomas


> This patch came just before I merged Dan's patch that added a
> httpdcontent attribute, so some changes will be needed to this patch.
>    
> On Tue, 2004-10-26 at 10:36, Russell Coker wrote:
> > On Tue, 26 Oct 2004 07:31, Thomas Bleher <bleher@informatik.uni-muenchen.de> 
> > wrote:
> > > OK, what do you guys think about the following patch:
> > > It adds an attribute $1_domain_file_type, so all file types from derived
> > > user domains can be grouped together. It also adds a restorecon_domain()
> > > macro, so users can call restorecon to reset the labels on their files.
> > 
> > I've attached a patch named "tom.diff" which applies after your patch to tweak 
> > a few things.  The new attribute allows a better way of dealing with the 
> > locate policy so I changed it appropriately.  I added some use of 
> > sysadm_domain_file_type.  Some of the types you had given the attribute 
> > $1_domain_file_type seemed inappropriate, this includes the print spool type, 
> > some temporary files, and files under /var/run.
> > 
> > Whether we have the user_restorecon_t domain etc is something that needs more 
> > consideration.  The attached patch named "diff" has the user_domain_file_type 
> > stuff from your patch with my amendments but none of the restorecon changes.  
> > I think that "diff" is worthy of being included in CVS regardless of what we 
> > do with restorecon.
> -- 
> James Carter <jwcart2@epoch.ncsc.mil>
> National Security Agency

-- 
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA  D09E C562 2BAE B2F4 ABE7

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Adding alternate root patch to restorecon (setfiles?)
  2004-10-26 14:36       ` Russell Coker
@ 2004-11-05 21:39         ` James Carter
  2004-11-06 10:40           ` Thomas Bleher
  0 siblings, 1 reply; 15+ messages in thread
From: James Carter @ 2004-11-05 21:39 UTC (permalink / raw)
  To: Russell Coker; +Cc: Thomas Bleher, SELinux

I haven't forgotten about this patch.  I will probably be working on
merging it Monday, without the restorecon stuff at first.

The $1_domain_file_type attribute is an interesting idea, although the
name is rather long.

This patch came just before I merged Dan's patch that added a
httpdcontent attribute, so some changes will be needed to this patch.
   
On Tue, 2004-10-26 at 10:36, Russell Coker wrote:
> On Tue, 26 Oct 2004 07:31, Thomas Bleher <bleher@informatik.uni-muenchen.de> 
> wrote:
> > OK, what do you guys think about the following patch:
> > It adds an attribute $1_domain_file_type, so all file types from derived
> > user domains can be grouped together. It also adds a restorecon_domain()
> > macro, so users can call restorecon to reset the labels on their files.
> 
> I've attached a patch named "tom.diff" which applies after your patch to tweak 
> a few things.  The new attribute allows a better way of dealing with the 
> locate policy so I changed it appropriately.  I added some use of 
> sysadm_domain_file_type.  Some of the types you had given the attribute 
> $1_domain_file_type seemed inappropriate, this includes the print spool type, 
> some temporary files, and files under /var/run.
> 
> Whether we have the user_restorecon_t domain etc is something that needs more 
> consideration.  The attached patch named "diff" has the user_domain_file_type 
> stuff from your patch with my amendments but none of the restorecon changes.  
> I think that "diff" is worthy of being included in CVS regardless of what we 
> do with restorecon.
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency



* Re: Adding alternate root patch to restorecon (setfiles?)
  2004-10-25 21:31     ` Thomas Bleher
@ 2004-10-26 14:36       ` Russell Coker
  2004-11-05 21:39         ` James Carter
  0 siblings, 1 reply; 15+ messages in thread
From: Russell Coker @ 2004-10-26 14:36 UTC (permalink / raw)
  To: Thomas Bleher; +Cc: SELinux


On Tue, 26 Oct 2004 07:31, Thomas Bleher <bleher@informatik.uni-muenchen.de> 
wrote:
> OK, what do you guys think about the following patch:
> It adds an attribute $1_domain_file_type, so all file types from derived
> user domains can be grouped together. It also adds a restorecon_domain()
> macro, so users can call restorecon to reset the labels on their files.

I've attached a patch named "tom.diff" which applies after your patch to tweak 
a few things.  The new attribute allows a better way of dealing with the 
locate policy so I changed it appropriately.  I added some use of 
sysadm_domain_file_type.  Some of the types you had given the attribute 
$1_domain_file_type seemed inappropriate, this includes the print spool type, 
some temporary files, and files under /var/run.

Whether we have the user_restorecon_t domain etc is something that needs more 
consideration.  The attached patch named "diff" has the user_domain_file_type 
stuff from your patch with my amendments but none of the restorecon changes.  
I think that "diff" is worthy of being included in CVS regardless of what we 
do with restorecon.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: tom.diff --]
[-- Type: text/x-diff, Size: 8609 bytes --]

diff -ru policy.tom/macros/program/apache_macros.te policy.new/macros/program/apache_macros.te
--- policy.tom/macros/program/apache_macros.te	2004-10-26 23:20:42.000000000 +1000
+++ policy.new/macros/program/apache_macros.te	2004-10-26 23:19:27.000000000 +1000
@@ -21,7 +21,7 @@
 ifelse($1, sys, `
 #This type is for webpages
 #
-type httpd_$1_content_t, file_type, homedirfile, sysadmfile;
+type httpd_$1_content_t, file_type, homedirfile, sysadmfile, sysadm_domain_file_type;
 typealias httpd_sys_content_t alias httpd_sysadm_content_t;
 
 # This type is used for .htaccess files
@@ -79,9 +79,9 @@
 # The following are the only areas that 
 # scripts can read, read/write, or append to
 #
-type httpd_$1_script_ro_t, file_type, sysadmfile;
-type httpd_$1_script_rw_t, file_type, sysadmfile;
-type httpd_$1_script_ra_t, file_type, sysadmfile;
+type httpd_$1_script_ro_t, file_type, sysadmfile, sysadm_domain_file_type;
+type httpd_$1_script_rw_t, file_type, sysadmfile, sysadm_domain_file_type;
+type httpd_$1_script_ra_t, file_type, sysadmfile, sysadm_domain_file_type;
 ', `
 type httpd_$1_script_ro_t, file_type, sysadmfile, $1_domain_file_type;
 type httpd_$1_script_rw_t, file_type, sysadmfile, $1_domain_file_type;
@@ -89,13 +89,6 @@
 ')
 file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t)
 
-ifdef(`slocate.te', `
-ifelse($1, `sys', `', `
-allow $1_locate_t { httpd_$1_content_t httpd_$1_htaccess_t httpd_$1_script_exec_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:dir { getattr search };
-allow $1_locate_t { httpd_$1_content_t httpd_$1_htaccess_t httpd_$1_script_exec_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:file { getattr read };
-')dnl end ifelse
-')dnl end slocate.te
-
 #########################################################
 # Permissions for running child processes and scripts
 ##########################################################
diff -ru policy.tom/macros/program/crond_macros.te policy.new/macros/program/crond_macros.te
--- policy.tom/macros/program/crond_macros.te	2004-10-26 23:20:42.000000000 +1000
+++ policy.new/macros/program/crond_macros.te	2004-10-27 00:18:59.000000000 +1000
@@ -36,7 +36,7 @@
 r_dir_file($1_crond_t, selinux_config_t)
 
 # Type of user crontabs once moved to cron spool.
-type $1_cron_spool_t, file_type, sysadmfile ifelse($1, `system', `', `, $1_domain_file_type');
+type $1_cron_spool_t, file_type, sysadmfile;
 
 ifdef(`fcron.te', `
 allow crond_t $1_cron_spool_t:file create_file_perms;
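Review bot: dropping $1_domain_file_type from $1_cron_spool_t follows the reasoning in the message (spool files are not the user's own files), but nothing in the file records that, and every neighbouring user-derived type now carries the attribute; a one-line comment such as `# not $1_domain_file_type: spool entries are managed by crond, not the user` keeps the next reader from "fixing" it back. The same applies to the lpr, screen and xauth hunks below that remove the attribute from spool, /var/run and tmp types.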
diff -ru policy.tom/macros/program/irc_macros.te policy.new/macros/program/irc_macros.te
--- policy.tom/macros/program/irc_macros.te	2004-10-26 23:20:42.000000000 +1000
+++ policy.new/macros/program/irc_macros.te	2004-10-26 23:46:34.000000000 +1000
@@ -27,11 +27,6 @@
 type $1_home_irc_t, file_type, homedirfile, sysadmfile, $1_domain_file_type;
 type $1_irc_exec_t, file_type, sysadmfile, $1_domain_file_type;
 
-ifdef(`slocate.te', `
-allow $1_locate_t { $1_home_irc_t $1_irc_exec_t }:dir { getattr search };
-allow $1_locate_t { $1_home_irc_t $1_irc_exec_t }:file { getattr read };
-')
-
 allow $1_t { $1_home_irc_t $1_irc_exec_t }:file { relabelfrom relabelto create_file_perms };
 
 # Transition from the user domain to this domain.
diff -ru policy.tom/macros/program/lpr_macros.te policy.new/macros/program/lpr_macros.te
--- policy.tom/macros/program/lpr_macros.te	2004-10-26 23:20:42.000000000 +1000
+++ policy.new/macros/program/lpr_macros.te	2004-10-26 23:21:33.000000000 +1000
@@ -54,11 +54,11 @@
 r_dir_file($1_lpr_t, printconf_t)
 ')
 
-tmp_domain($1_lpr, `, $1_domain_file_type')
+tmp_domain($1_lpr)
 r_dir_file($1_lpr_t, $1_tmp_t)
 
 # Type for spool files.
-type $1_print_spool_t, file_type, sysadmfile, $1_domain_file_type;
+type $1_print_spool_t, file_type, sysadmfile;
 # Use this type when creating files in /var/spool/lpd and /var/spool/cups.
 file_type_auto_trans($1_lpr_t, print_spool_t, $1_print_spool_t, file)
 allow $1_lpr_t var_spool_t:dir { search };
diff -ru policy.tom/macros/program/screen_macros.te policy.new/macros/program/screen_macros.te
--- policy.tom/macros/program/screen_macros.te	2004-10-26 23:20:42.000000000 +1000
+++ policy.new/macros/program/screen_macros.te	2004-10-26 23:22:33.000000000 +1000
@@ -31,7 +31,7 @@
 # Transition from the user domain to this domain.
 domain_auto_trans($1_t, screen_exec_t, $1_screen_t)
 
-tmp_domain($1_screen, `, $1_domain_file_type')
+tmp_domain($1_screen)
 base_file_read_access($1_screen_t)
 # The user role is authorized for this domain.
 role $1_r types $1_screen_t;
@@ -72,7 +72,7 @@
 # Create fifo
 allow $1_screen_t var_t:dir search;
 file_type_auto_trans($1_screen_t, var_run_t, screen_dir_t, dir)
-type $1_screen_var_run_t, file_type, sysadmfile, pidfile, $1_domain_file_type;
+type $1_screen_var_run_t, file_type, sysadmfile, pidfile;
 file_type_auto_trans($1_screen_t, screen_dir_t, $1_screen_var_run_t, fifo_file)
 
 allow $1_screen_t self:process { fork signal_perms };
diff -ru policy.tom/macros/program/slocate_macros.te policy.new/macros/program/slocate_macros.te
--- policy.tom/macros/program/slocate_macros.te	2004-09-03 14:10:35.000000000 +1000
+++ policy.new/macros/program/slocate_macros.te	2004-10-26 23:33:57.000000000 +1000
@@ -52,8 +52,8 @@
 allow $1_locate_t $1_tty_device_t:chr_file rw_file_perms;
 allow $1_locate_t $1_devpts_t:chr_file rw_file_perms;
 
-allow $1_locate_t { home_root_t $1_home_dir_t $1_home_t }:dir { getattr search };
-allow $1_locate_t $1_home_t:{ file lnk_file } { getattr read };
+allow $1_locate_t $1_domain_file_type:dir { getattr search };
+allow $1_locate_t $1_domain_file_type:{ file lnk_file sock_file fifo_file } { getattr read };
 
 base_file_read_access($1_locate_t)
 r_dir_file($1_locate_t, { etc_t lib_t var_t })
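Review bot: the removed line granted $1_locate_t getattr/search on home_root_t (the /home directory itself), and home_root_t is not a per-role type, so it does not carry $1_domain_file_type; unless base_file_read_access($1_locate_t) on the next line already covers home_root_t, updatedb running in the user's locate domain is denied search on /home and silently indexes nothing beneath it. Either keep an explicit `allow $1_locate_t home_root_t:dir { getattr search };` or confirm the base macro grants it.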
diff -ru policy.tom/macros/program/ssh_macros.te policy.new/macros/program/ssh_macros.te
--- policy.tom/macros/program/ssh_macros.te	2004-10-26 23:20:42.000000000 +1000
+++ policy.new/macros/program/ssh_macros.te	2004-10-26 23:46:14.000000000 +1000
@@ -115,11 +115,6 @@
 r_dir_file({ sshd_t sshd_extern_t }, $1_home_ssh_t)
 rw_dir_create_file($1_t, $1_home_ssh_t)
 
-ifdef(`slocate.te', `
-allow $1_locate_t $1_home_ssh_t:dir { getattr search };
-allow $1_locate_t $1_home_ssh_t:file { getattr read };
-')
-
 # for /bin/sh used to execute xauth
 dontaudit $1_ssh_t proc_t:dir search;
 dontaudit $1_ssh_t proc_t:{ lnk_file file } { getattr read };
diff -ru policy.tom/macros/program/uml_macros.te policy.new/macros/program/uml_macros.te
--- policy.tom/macros/program/uml_macros.te	2004-10-26 23:20:42.000000000 +1000
+++ policy.new/macros/program/uml_macros.te	2004-10-26 23:46:42.000000000 +1000
@@ -29,11 +29,6 @@
 type $1_uml_ro_t, file_type, sysadmfile, $1_domain_file_type;
 type $1_uml_rw_t, file_type, sysadmfile, $1_domain_file_type;
 
-ifdef(`slocate.te', `
-allow $1_locate_t { $1_uml_exec_t $1_uml_ro_t $1_uml_rw_t }:dir { getattr search };
-allow $1_locate_t { $1_uml_exec_t $1_uml_ro_t $1_uml_rw_t }:file { getattr read };
-')
-
 can_ptrace($1_t, $1_uml_t)
 
 # for X
diff -ru policy.tom/macros/program/x_client_macros.te policy.new/macros/program/x_client_macros.te
--- policy.tom/macros/program/x_client_macros.te	2004-10-26 23:20:42.000000000 +1000
+++ policy.new/macros/program/x_client_macros.te	2004-10-26 23:46:20.000000000 +1000
@@ -81,11 +81,6 @@
 allow $1_t $1_$2_ro_t:fifo_file create_file_perms;
 allow $1_t $1_$2_ro_t:{ dir file lnk_file } { relabelto relabelfrom };
 
-ifdef(`slocate.te', `
-allow $1_locate_t { $1_$2_ro_t $1_$2_rw_t }:dir { getattr search };
-allow $1_locate_t { $1_$2_ro_t $1_$2_rw_t }:file { getattr read };
-')
-
 # Allow the user domain to send any signal to the $2 process.
 allow $1_t $1_$2_t:process signal_perms;
 
diff -ru policy.tom/macros/program/xauth_macros.te policy.new/macros/program/xauth_macros.te
--- policy.tom/macros/program/xauth_macros.te	2004-10-26 23:20:42.000000000 +1000
+++ policy.new/macros/program/xauth_macros.te	2004-10-26 23:46:26.000000000 +1000
@@ -26,10 +26,6 @@
 type $1_xauth_t, domain;
 type $1_home_xauth_t, file_type, homedirfile, sysadmfile, $1_domain_file_type;
 
-ifdef(`slocate.te', `
-allow $1_locate_t $1_home_xauth_t:file { getattr read };
-')
-
 allow $1_xauth_t self:process signal;
 
 allow $1_t $1_home_xauth_t:file { relabelfrom relabelto create_file_perms };
@@ -84,7 +80,7 @@
 allow $1_xauth_t home_root_t:dir search;
 file_type_auto_trans($1_xauth_t, $1_home_dir_t, $1_home_xauth_t, file)
 
-tmp_domain($1_xauth, `, $1_domain_file_type')
+tmp_domain($1_xauth)
 allow $1_xauth_t $1_tmp_t:file { getattr ioctl read };
 
 ifdef(`nfs_home_dirs', `

[-- Attachment #3: diff --]
[-- Type: text/x-diff, Size: 15166 bytes --]

diff -ru policy/macros/admin_macros.te policy.new/macros/admin_macros.te
--- policy/macros/admin_macros.te	2004-10-02 03:36:13.000000000 +1000
+++ policy.new/macros/admin_macros.te	2004-10-26 23:15:16.000000000 +1000
@@ -14,9 +14,12 @@
 #
 undefine(`admin_domain')
 define(`admin_domain',`
+# define an attribute for all files created by this role
+attribute $1_domain_file_type;
+
 # Type for home directory.
-type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type;
-type $1_home_t, file_type, sysadmfile, home_type;
+type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, $1_domain_file_type;
+type $1_home_t, file_type, sysadmfile, home_type, $1_domain_file_type;
 
 # Type and access for pty devices.
 can_create_pty($1)
diff -ru policy/macros/program/apache_macros.te policy.new/macros/program/apache_macros.te
--- policy/macros/program/apache_macros.te	2004-10-15 14:57:20.000000000 +1000
+++ policy.new/macros/program/apache_macros.te	2004-10-26 23:19:27.000000000 +1000
@@ -18,18 +18,23 @@
 file_type_auto_trans(httpd_$1_script_t, tmp_t, $1_tmp_t)
 ', `
 
+ifelse($1, sys, `
 #This type is for webpages
 #
-type httpd_$1_content_t, file_type, homedirfile, sysadmfile;
-ifelse($1, sys, `
+type httpd_$1_content_t, file_type, homedirfile, sysadmfile, sysadm_domain_file_type;
 typealias httpd_sys_content_t alias httpd_sysadm_content_t;
-')
 
 # This type is used for .htaccess files
 #
 type httpd_$1_htaccess_t, file_type, sysadmfile;
 
 type httpd_$1_script_exec_t, file_type, sysadmfile;
+', `
+# same as above, add $1_domain_file_type attribute
+type httpd_$1_content_t, file_type, homedirfile, sysadmfile, $1_domain_file_type;
+type httpd_$1_htaccess_t, file_type, sysadmfile, $1_domain_file_type;
+type httpd_$1_script_exec_t, file_type, sysadmfile, $1_domain_file_type;
+')
 
 # Type that CGI scripts run as
 type httpd_$1_script_t, domain, privmail;
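Review bot: inside the new `sys` branch httpd_$1_content_t gets sysadm_domain_file_type but httpd_$1_htaccess_t and httpd_$1_script_exec_t (the two unchanged lines) do not, while the non-sys branch gives all three $1_domain_file_type; if the asymmetry is intended (for instance so sysadm_locate_t does not index .htaccess files or CGI binaries) say so in a comment, otherwise add the attribute to both. This ifelse also compares against an unquoted `sys` while the one in the next hunk uses `` `sys' ``; quote both the same way so a macro named sys defined elsewhere cannot change the outcome of one branch but not the other.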
@@ -69,20 +74,20 @@
 uncond_can_ypbind(httpd_$1_script_t)
 }
 ')
+
+ifelse($1, `sys', `
 # The following are the only areas that 
 # scripts can read, read/write, or append to
 #
-type httpd_$1_script_ro_t, file_type, sysadmfile;
-type httpd_$1_script_rw_t, file_type, sysadmfile;
+type httpd_$1_script_ro_t, file_type, sysadmfile, sysadm_domain_file_type;
+type httpd_$1_script_rw_t, file_type, sysadmfile, sysadm_domain_file_type;
+type httpd_$1_script_ra_t, file_type, sysadmfile, sysadm_domain_file_type;
+', `
+type httpd_$1_script_ro_t, file_type, sysadmfile, $1_domain_file_type;
+type httpd_$1_script_rw_t, file_type, sysadmfile, $1_domain_file_type;
+type httpd_$1_script_ra_t, file_type, sysadmfile, $1_domain_file_type;
+')
 file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t)
-type httpd_$1_script_ra_t, file_type, sysadmfile;
-
-ifdef(`slocate.te', `
-ifelse($1, `sys', `', `
-allow $1_locate_t { httpd_$1_content_t httpd_$1_htaccess_t httpd_$1_script_exec_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:dir { getattr search };
-allow $1_locate_t { httpd_$1_content_t httpd_$1_htaccess_t httpd_$1_script_exec_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:file { getattr read };
-')dnl end ifelse
-')dnl end slocate.te
 
 #########################################################
 # Permissions for running child processes and scripts
diff -ru policy/macros/program/fingerd_macros.te policy.new/macros/program/fingerd_macros.te
--- policy/macros/program/fingerd_macros.te	2003-08-14 22:37:36.000000000 +1000
+++ policy.new/macros/program/fingerd_macros.te	2004-10-26 23:15:16.000000000 +1000
@@ -10,6 +10,6 @@
 # allow fingerd to create a fingerlog file in the user home dir
 #
 define(`fingerd_macro', `
-type $1_home_fingerlog_t, file_type, sysadmfile;
+type $1_home_fingerlog_t, file_type, sysadmfile, $1_domain_file_type;
 file_type_auto_trans(fingerd_t, $1_home_dir_t, $1_home_fingerlog_t)
 ')
diff -ru policy/macros/program/gpg_agent_macros.te policy.new/macros/program/gpg_agent_macros.te
--- policy/macros/program/gpg_agent_macros.te	2004-09-21 14:39:17.000000000 +1000
+++ policy.new/macros/program/gpg_agent_macros.te	2004-10-26 23:15:16.000000000 +1000
@@ -58,7 +58,7 @@
 allow $1_gpg_agent_t self:fifo_file { getattr read write };
 
 # create /tmp files
-tmp_domain($1_gpg_agent)
+tmp_domain($1_gpg_agent, `, $1_domain_file_type')
 
 # gpg connect
 allow $1_gpg_t $1_gpg_agent_tmp_t:dir { search };
diff -ru policy/macros/program/gpg_macros.te policy.new/macros/program/gpg_macros.te
--- policy/macros/program/gpg_macros.te	2004-08-28 12:05:12.000000000 +1000
+++ policy.new/macros/program/gpg_macros.te	2004-10-26 23:15:16.000000000 +1000
@@ -25,7 +25,7 @@
 allow $1_t self:capability { setuid };
 ', `
 type $1_gpg_t, domain, privlog;
-type $1_gpg_secret_t, file_type, homedirfile, sysadmfile;
+type $1_gpg_secret_t, file_type, homedirfile, sysadmfile, $1_domain_file_type;
 ')dnl end ifdef single_userdomain
 
 # Transition from the user domain to the derived domain.
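Review bot: giving $1_gpg_secret_t the $1_domain_file_type attribute means the slocate rule later in this patch (`allow $1_locate_t $1_domain_file_type:{ file lnk_file sock_file fifo_file } { getattr read };`) now lets $1_locate_t open and read the user's secret keyring, which the old per-type slocate rules never granted (gpg_macros.te had no slocate block to remove). updatedb only needs getattr to record a path; either drop `read` from the slocate rule or keep secret-holding types such as this one out of the attribute.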
diff -ru policy/macros/program/irc_macros.te policy.new/macros/program/irc_macros.te
--- policy/macros/program/irc_macros.te	2004-03-27 00:46:45.000000000 +1100
+++ policy.new/macros/program/irc_macros.te	2004-10-26 23:46:34.000000000 +1000
@@ -24,13 +24,8 @@
 ', `
 # Derived domain based on the calling user domain and the program.
 type $1_irc_t, domain;
-type $1_home_irc_t, file_type, homedirfile, sysadmfile;
-type $1_irc_exec_t, file_type, sysadmfile;
-
-ifdef(`slocate.te', `
-allow $1_locate_t { $1_home_irc_t $1_irc_exec_t }:dir { getattr search };
-allow $1_locate_t { $1_home_irc_t $1_irc_exec_t }:file { getattr read };
-')
+type $1_home_irc_t, file_type, homedirfile, sysadmfile, $1_domain_file_type;
+type $1_irc_exec_t, file_type, sysadmfile, $1_domain_file_type;
 
 allow $1_t { $1_home_irc_t $1_irc_exec_t }:file { relabelfrom relabelto create_file_perms };
 
diff -ru policy/macros/program/rssh_macros.te policy.new/macros/program/rssh_macros.te
--- policy/macros/program/rssh_macros.te	2004-09-23 22:31:25.000000000 +1000
+++ policy.new/macros/program/rssh_macros.te	2004-10-26 23:15:16.000000000 +1000
@@ -19,8 +19,8 @@
 role rssh_$1_r types rssh_$1_t;
 allow system_r rssh_$1_r;
 
-type rssh_$1_rw_t, file_type, sysadmfile;
-type rssh_$1_ro_t, file_type, sysadmfile;
+type rssh_$1_rw_t, file_type, sysadmfile, $1_domain_file_type;
+type rssh_$1_ro_t, file_type, sysadmfile, $1_domain_file_type;
 
 general_domain_access(rssh_$1_t);
 uses_shlib(rssh_$1_t);
diff -ru policy/macros/program/screen_macros.te policy.new/macros/program/screen_macros.te
--- policy/macros/program/screen_macros.te	2004-10-02 03:36:13.000000000 +1000
+++ policy.new/macros/program/screen_macros.te	2004-10-26 23:22:33.000000000 +1000
@@ -26,7 +26,7 @@
 typealias $1_home_t alias $1_home_screen_t;
 ', `
 type $1_screen_t, domain, privlog, privfd;
-type $1_home_screen_t, file_type, homedirfile, sysadmfile;
+type $1_home_screen_t, file_type, homedirfile, sysadmfile, $1_domain_file_type;
 
 # Transition from the user domain to this domain.
 domain_auto_trans($1_t, screen_exec_t, $1_screen_t)
diff -ru policy/macros/program/slocate_macros.te policy.new/macros/program/slocate_macros.te
--- policy/macros/program/slocate_macros.te	2004-09-03 14:10:35.000000000 +1000
+++ policy.new/macros/program/slocate_macros.te	2004-10-26 23:33:57.000000000 +1000
@@ -52,8 +52,8 @@
 allow $1_locate_t $1_tty_device_t:chr_file rw_file_perms;
 allow $1_locate_t $1_devpts_t:chr_file rw_file_perms;
 
-allow $1_locate_t { home_root_t $1_home_dir_t $1_home_t }:dir { getattr search };
-allow $1_locate_t $1_home_t:{ file lnk_file } { getattr read };
+allow $1_locate_t $1_domain_file_type:dir { getattr search };
+allow $1_locate_t $1_domain_file_type:{ file lnk_file sock_file fifo_file } { getattr read };
 
 base_file_read_access($1_locate_t)
 r_dir_file($1_locate_t, { etc_t lib_t var_t })
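Review bot: the new rule grants `read`, not just `getattr`, on every file, symlink, socket and FIFO carrying $1_domain_file_type; updatedb stats entries to build its database, so getattr is enough for sock_file and fifo_file (opening a FIFO for read would block or consume a writer's data), and `read` on regular files widens what $1_locate_t can leak to every type that gains the attribute in this patch. Consider `allow $1_locate_t $1_domain_file_type:{ file lnk_file sock_file fifo_file } getattr;` and grant `read` only where the removed rules had it.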
diff -ru policy/macros/program/spamassassin_macros.te policy.new/macros/program/spamassassin_macros.te
--- policy/macros/program/spamassassin_macros.te	2004-10-14 10:10:03.000000000 +1000
+++ policy.new/macros/program/spamassassin_macros.te	2004-10-26 23:15:16.000000000 +1000
@@ -80,7 +80,7 @@
 dontaudit $1_spamassassin_t { sysctl_t sysctl_kernel_t }:dir search;
 
 # The type of ~/.spamassassin
-type $1_home_spamassassin_t, file_type, homedirfile, sysadmfile;
+type $1_home_spamassassin_t, file_type, homedirfile, sysadmfile, $1_domain_file_type;
 create_dir_file($1_t, $1_home_spamassassin_t)
 allow $1_t $1_home_spamassassin_t:notdevfile_class_set { relabelfrom relabelto };
 allow $1_t $1_home_spamassassin_t:dir { relabelfrom relabelto };
diff -ru policy/macros/program/ssh_macros.te policy.new/macros/program/ssh_macros.te
--- policy/macros/program/ssh_macros.te	2004-10-15 14:57:20.000000000 +1000
+++ policy.new/macros/program/ssh_macros.te	2004-10-26 23:46:14.000000000 +1000
@@ -26,7 +26,7 @@
 ', `
 # Derived domain based on the calling user domain and the program.
 type $1_ssh_t, domain, privlog;
-type $1_home_ssh_t, file_type, homedirfile, sysadmfile;
+type $1_home_ssh_t, file_type, homedirfile, sysadmfile, $1_domain_file_type;
 
 ifdef(`automount.te', `
 allow $1_ssh_t autofs_t:dir { search getattr };
@@ -115,11 +115,6 @@
 r_dir_file({ sshd_t sshd_extern_t }, $1_home_ssh_t)
 rw_dir_create_file($1_t, $1_home_ssh_t)
 
-ifdef(`slocate.te', `
-allow $1_locate_t $1_home_ssh_t:dir { getattr search };
-allow $1_locate_t $1_home_ssh_t:file { getattr read };
-')
-
 # for /bin/sh used to execute xauth
 dontaudit $1_ssh_t proc_t:dir search;
 dontaudit $1_ssh_t proc_t:{ lnk_file file } { getattr read };
diff -ru policy/macros/program/tvtime_macros.te policy.new/macros/program/tvtime_macros.te
--- policy/macros/program/tvtime_macros.te	2004-10-06 04:52:36.000000000 +1000
+++ policy.new/macros/program/tvtime_macros.te	2004-10-26 23:15:16.000000000 +1000
@@ -19,7 +19,7 @@
 ifdef(`tvtime.te', `
 define(`tvtime_domain',`
 # Derived domain based on the calling user domain and the program.
-type $1_home_tvtime_t, file_type, homedirfile, sysadmfile;
+type $1_home_tvtime_t, file_type, homedirfile, sysadmfile, $1_domain_file_type;
 
 x_client_domain($1, tvtime)
 
diff -ru policy/macros/program/uml_macros.te policy.new/macros/program/uml_macros.te
--- policy/macros/program/uml_macros.te	2004-07-13 09:08:07.000000000 +1000
+++ policy.new/macros/program/uml_macros.te	2004-10-26 23:46:42.000000000 +1000
@@ -25,14 +25,9 @@
 ', `
 # Derived domain based on the calling user domain and the program.
 type $1_uml_t, domain;
-type $1_uml_exec_t, file_type, sysadmfile;
-type $1_uml_ro_t, file_type, sysadmfile;
-type $1_uml_rw_t, file_type, sysadmfile;
-
-ifdef(`slocate.te', `
-allow $1_locate_t { $1_uml_exec_t $1_uml_ro_t $1_uml_rw_t }:dir { getattr search };
-allow $1_locate_t { $1_uml_exec_t $1_uml_ro_t $1_uml_rw_t }:file { getattr read };
-')
+type $1_uml_exec_t, file_type, sysadmfile, $1_domain_file_type;
+type $1_uml_ro_t, file_type, sysadmfile, $1_domain_file_type;
+type $1_uml_rw_t, file_type, sysadmfile, $1_domain_file_type;
 
 can_ptrace($1_t, $1_uml_t)
 
diff -ru policy/macros/program/vmware_macros.te policy.new/macros/program/vmware_macros.te
--- policy/macros/program/vmware_macros.te	2004-09-25 01:42:14.000000000 +1000
+++ policy.new/macros/program/vmware_macros.te	2004-10-26 23:15:16.000000000 +1000
@@ -23,10 +23,10 @@
 role $1_r types $1_vmware_t;
 
 # The user file type is for files created when the user is running VMWare
-type $1_vmware_file_t, homedirfile, file_type, sysadmfile;
+type $1_vmware_file_t, homedirfile, file_type, sysadmfile, $1_domain_file_type;
 
 # The user file type for the VMWare configuration files
-type $1_vmware_conf_t, homedirfile, file_type, sysadmfile;
+type $1_vmware_conf_t, homedirfile, file_type, sysadmfile, $1_domain_file_type;
 
 # for compatibility with older policy versions
 typealias $1_vmware_t alias vmware_$1_t;
diff -ru policy/macros/program/x_client_macros.te policy.new/macros/program/x_client_macros.te
--- policy/macros/program/x_client_macros.te	2004-09-11 16:21:48.000000000 +1000
+++ policy.new/macros/program/x_client_macros.te	2004-10-26 23:46:20.000000000 +1000
@@ -30,9 +30,9 @@
 ', `
 type $1_$2_t, domain $3;
 # Type for files that are writeable by this domain.
-type $1_$2_rw_t, file_type, homedirfile, sysadmfile, tmpfile;
+type $1_$2_rw_t, file_type, homedirfile, sysadmfile, tmpfile, $1_domain_file_type;
 # Type for files that are read-only for this domain
-type $1_$2_ro_t, file_type, homedirfile, sysadmfile;
+type $1_$2_ro_t, file_type, homedirfile, sysadmfile, $1_domain_file_type;
 ')
 
 # Transition from the user domain to the derived domain.
@@ -81,11 +81,6 @@
 allow $1_t $1_$2_ro_t:fifo_file create_file_perms;
 allow $1_t $1_$2_ro_t:{ dir file lnk_file } { relabelto relabelfrom };
 
-ifdef(`slocate.te', `
-allow $1_locate_t { $1_$2_ro_t $1_$2_rw_t }:dir { getattr search };
-allow $1_locate_t { $1_$2_ro_t $1_$2_rw_t }:file { getattr read };
-')
-
 # Allow the user domain to send any signal to the $2 process.
 allow $1_t $1_$2_t:process signal_perms;
 
diff -ru policy/macros/program/xauth_macros.te policy.new/macros/program/xauth_macros.te
--- policy/macros/program/xauth_macros.te	2004-06-17 15:10:45.000000000 +1000
+++ policy.new/macros/program/xauth_macros.te	2004-10-26 23:46:26.000000000 +1000
@@ -24,11 +24,7 @@
 ', `
 # Derived domain based on the calling user domain and the program.
 type $1_xauth_t, domain;
-type $1_home_xauth_t, file_type, homedirfile, sysadmfile;
-
-ifdef(`slocate.te', `
-allow $1_locate_t $1_home_xauth_t:file { getattr read };
-')
+type $1_home_xauth_t, file_type, homedirfile, sysadmfile, $1_domain_file_type;
 
 allow $1_xauth_t self:process signal;
 
diff -ru policy/macros/user_macros.te policy.new/macros/user_macros.te
--- policy/macros/user_macros.te	2004-10-20 09:31:18.000000000 +1000
+++ policy.new/macros/user_macros.te	2004-10-27 00:20:47.000000000 +1000
@@ -23,16 +23,16 @@
 ')dnl end single_userdomain
 
 # Type for home directory.
-type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type;
-type $1_home_t, file_type, sysadmfile, home_type, user_home_type;
+type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type, $1_domain_file_type;
+type $1_home_t, file_type, sysadmfile, home_type, user_home_type, $1_domain_file_type;
 
-tmp_domain($1, `, user_tmpfile')
+tmp_domain($1, `, user_tmpfile, $1_domain_file_type')
 
 # Type and access for pty devices.
-can_create_pty($1, `, userpty_type, user_tty_type')
+can_create_pty($1, `, userpty_type, user_tty_type, $1_domain_file_type')
 
 #Type for tty devices.
-type $1_tty_device_t, file_type, sysadmfile, ttyfile, user_tty_type, dev_fs;
+type $1_tty_device_t, file_type, sysadmfile, ttyfile, user_tty_type, dev_fs, $1_domain_file_type;
  
 base_user_domain($1)
 
@@ -135,6 +135,9 @@
 # user_t/$1_t is an unprivileged users domain.
 type $1_t, domain, userdomain, unpriv_userdomain, web_client_domain, nscd_client_domain, privfd;
 
+# define an attribute for all files created by this role
+attribute $1_domain_file_type;
+
 # Grant read/search permissions to some of /proc.
 allow $1_t proc_t:dir r_dir_perms;
 allow $1_t proc_t:{ file lnk_file } r_file_perms;
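Review bot: the declaration `attribute $1_domain_file_type;` at +139 comes after the `type` statements at +26..+36 of this file that already list the attribute, and checkpolicy looks each attribute up while parsing the `type` line, rejecting one it has not yet seen ("attribute ... is not declared"). The two hunks look like different macros (the first ends by calling base_user_domain($1), this one follows the $1_t declaration), so unless the macro holding +139 is guaranteed to expand first, move the declaration to the top of the first macro, ahead of `type $1_home_dir_t`.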

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: Adding alternate root patch to restorecon (setfiles?)
  2004-10-25 15:38   ` Russell Coker
@ 2004-10-25 21:31     ` Thomas Bleher
  2004-10-26 14:36       ` Russell Coker
  0 siblings, 1 reply; 15+ messages in thread
From: Thomas Bleher @ 2004-10-25 21:31 UTC (permalink / raw)
  To: Russell Coker; +Cc: SELinux


[-- Attachment #1.1: Type: text/plain, Size: 1801 bytes --]

* Russell Coker <russell@coker.com.au> [2004-10-25 19:09]:
> On Tue, 19 Oct 2004 06:51, Thomas Bleher <bleher@informatik.uni-muenchen.de> 
> wrote:
> > One thing to note here is that restorecon becomes more dangerous with
> > your changes. Right now restorecon is relatively safe in that you can
> > only change file labels to their system default. It would probably be
> > acceptable in most environments to give users access to restorecon so
> > they could properly set labels for files in their home dir.
> >
> > With your changes and this scenario, users could do something like
> >         restorecon -p /home/foo /home/foo/sbin/unix_chkpwd
> 
> If the user is to run restorecon then they must run it in their own domain.  
> There is no harm in allowing a user to run restorecon as user_t.  They can 
> only relabel files that have their own identity and a certain set of types.
> 
> Maybe we should even have a script to run restorecon -R on the user's home 
> directory that they can run at any time if SE Linux stops them doing what 
> they want?

OK, what do you guys think about the following patch:
It adds an attribute $1_domain_file_type, so all file types from derived
user domains can be grouped together. It also adds a restorecon_domain()
macro, so users can call restorecon to reset the labels on their files.

It is very lightly tested and probably missing a few permissions but
should give a good overview of the general idea.

Is such a thing safe?

Thomas

PS: It may be good to add a password check before restorecon (like
newrole does) so we are sure that it's the user who wants to relabel
his files.

-- 
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA  D09E C562 2BAE B2F4 ABE7

[-- Attachment #1.2: restorecon.patch --]
[-- Type: text/plain, Size: 16345 bytes --]

diff -urN orig/macros/admin_macros.te mod/macros/admin_macros.te
--- orig/macros/admin_macros.te	2004-10-11 10:03:26.000000000 +0200
+++ mod/macros/admin_macros.te	2004-10-25 23:26:44.000000000 +0200
@@ -14,9 +14,12 @@
 #
 undefine(`admin_domain')
 define(`admin_domain',`
+# define an attribute for all files created by this role
+attribute $1_domain_file_type;
+
 # Type for home directory.
-type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type;
-type $1_home_t, file_type, sysadmfile, home_type;
+type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, $1_domain_file_type;
+type $1_home_t, file_type, sysadmfile, home_type, $1_domain_file_type;
 
 # Type and access for pty devices.
 can_create_pty($1)
diff -urN orig/macros/program/apache_macros.te mod/macros/program/apache_macros.te
--- orig/macros/program/apache_macros.te	2004-10-17 13:07:14.000000000 +0200
+++ mod/macros/program/apache_macros.te	2004-10-25 23:26:44.000000000 +0200
@@ -18,18 +18,23 @@
 file_type_auto_trans(httpd_$1_script_t, tmp_t, $1_tmp_t)
 ', `
 
+ifelse($1, sys, `
 #This type is for webpages
 #
 type httpd_$1_content_t, file_type, homedirfile, sysadmfile;
-ifelse($1, sys, `
 typealias httpd_sys_content_t alias httpd_sysadm_content_t;
-')
 
 # This type is used for .htaccess files
 #
 type httpd_$1_htaccess_t, file_type, sysadmfile;
 
 type httpd_$1_script_exec_t, file_type, sysadmfile;
+', `
+# same as above, add $1_domain_file_type attribute
+type httpd_$1_content_t, file_type, homedirfile, sysadmfile, $1_domain_file_type;
+type httpd_$1_htaccess_t, file_type, sysadmfile, $1_domain_file_type;
+type httpd_$1_script_exec_t, file_type, sysadmfile, $1_domain_file_type;
+')
 
 # Type that CGI scripts run as
 type httpd_$1_script_t, domain, privmail;
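Review bot: the two branches of the new ifelse at +21..+37 duplicate three type declarations that differ only in the trailing `, $1_domain_file_type`; the single-line form this same patch uses in crond_macros.te (`type $1_cron_spool_t, file_type, sysadmfile ifelse($1, `system', `', `, $1_domain_file_type');`) keeps one declaration per type and stops the branches from drifting apart. Minor: +21 writes `ifelse($1, sys, ...` with `sys` unquoted while the second hunk of this file quotes it as `sys'; use the quoted form in both.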
@@ -69,13 +74,20 @@
 uncond_can_ypbind(httpd_$1_script_t)
 }
 ')
+
+ifelse($1, `sys', `
 # The following are the only areas that 
 # scripts can read, read/write, or append to
 #
 type httpd_$1_script_ro_t, file_type, sysadmfile;
 type httpd_$1_script_rw_t, file_type, sysadmfile;
-file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t)
 type httpd_$1_script_ra_t, file_type, sysadmfile;
+', `
+type httpd_$1_script_ro_t, file_type, sysadmfile, $1_domain_file_type;
+type httpd_$1_script_rw_t, file_type, sysadmfile, $1_domain_file_type;
+type httpd_$1_script_ra_t, file_type, sysadmfile, $1_domain_file_type;
+')
+file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t)
 
 ifdef(`slocate.te', `
 ifelse($1, `sys', `', `
diff -urN orig/macros/program/crond_macros.te mod/macros/program/crond_macros.te
--- orig/macros/program/crond_macros.te	2004-09-11 14:31:47.000000000 +0200
+++ mod/macros/program/crond_macros.te	2004-10-25 23:26:44.000000000 +0200
@@ -36,7 +36,7 @@
 r_dir_file($1_crond_t, selinux_config_t)
 
 # Type of user crontabs once moved to cron spool.
-type $1_cron_spool_t, file_type, sysadmfile;
+type $1_cron_spool_t, file_type, sysadmfile ifelse($1, `system', `', `, $1_domain_file_type');
 
 ifdef(`fcron.te', `
 allow crond_t $1_cron_spool_t:file create_file_perms;
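Review bot: the inline ifelse at +39 is the tidiest of the variants in this patch and the quoting is right (an empty `' branch for the system prefix, `, $1_domain_file_type' otherwise). A short comment above the line would help, because the comparison key differs between files: `system' here (system_crond_t) versus `sys' in apache_macros.te (httpd_sys_*), and a reader may take them for the same constant.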
diff -urN orig/macros/program/fingerd_macros.te mod/macros/program/fingerd_macros.te
--- orig/macros/program/fingerd_macros.te	2003-08-14 14:37:36.000000000 +0200
+++ mod/macros/program/fingerd_macros.te	2004-10-25 23:26:44.000000000 +0200
@@ -10,6 +10,6 @@
 # allow fingerd to create a fingerlog file in the user home dir
 #
 define(`fingerd_macro', `
-type $1_home_fingerlog_t, file_type, sysadmfile;
+type $1_home_fingerlog_t, file_type, sysadmfile, $1_domain_file_type;
 file_type_auto_trans(fingerd_t, $1_home_dir_t, $1_home_fingerlog_t)
 ')
diff -urN orig/macros/program/gpg_agent_macros.te mod/macros/program/gpg_agent_macros.te
--- orig/macros/program/gpg_agent_macros.te	2004-09-21 22:24:44.000000000 +0200
+++ mod/macros/program/gpg_agent_macros.te	2004-10-25 23:26:44.000000000 +0200
@@ -58,7 +58,7 @@
 allow $1_gpg_agent_t self:fifo_file { getattr read write };
 
 # create /tmp files
-tmp_domain($1_gpg_agent)
+tmp_domain($1_gpg_agent, `, $1_domain_file_type')
 
 # gpg connect
 allow $1_gpg_t $1_gpg_agent_tmp_t:dir { search };
diff -urN orig/macros/program/gpg_macros.te mod/macros/program/gpg_macros.te
--- orig/macros/program/gpg_macros.te	2004-09-11 14:31:47.000000000 +0200
+++ mod/macros/program/gpg_macros.te	2004-10-25 23:26:44.000000000 +0200
@@ -25,7 +25,7 @@
 allow $1_t self:capability { setuid };
 ', `
 type $1_gpg_t, domain, privlog;
-type $1_gpg_secret_t, file_type, homedirfile, sysadmfile;
+type $1_gpg_secret_t, file_type, homedirfile, sysadmfile, $1_domain_file_type;
 ')dnl end ifdef single_userdomain
 
 # Transition from the user domain to the derived domain.
diff -urN orig/macros/program/irc_macros.te mod/macros/program/irc_macros.te
--- orig/macros/program/irc_macros.te	2004-03-23 21:58:10.000000000 +0100
+++ mod/macros/program/irc_macros.te	2004-10-25 23:26:44.000000000 +0200
@@ -24,8 +24,8 @@
 ', `
 # Derived domain based on the calling user domain and the program.
 type $1_irc_t, domain;
-type $1_home_irc_t, file_type, homedirfile, sysadmfile;
-type $1_irc_exec_t, file_type, sysadmfile;
+type $1_home_irc_t, file_type, homedirfile, sysadmfile, $1_domain_file_type;
+type $1_irc_exec_t, file_type, sysadmfile, $1_domain_file_type;
 
 ifdef(`slocate.te', `
 allow $1_locate_t { $1_home_irc_t $1_irc_exec_t }:dir { getattr search };
diff -urN orig/macros/program/lpr_macros.te mod/macros/program/lpr_macros.te
--- orig/macros/program/lpr_macros.te	2004-09-11 14:31:47.000000000 +0200
+++ mod/macros/program/lpr_macros.te	2004-10-25 23:28:02.000000000 +0200
@@ -54,11 +54,11 @@
 r_dir_file($1_lpr_t, printconf_t)
 ')
 
-tmp_domain($1_lpr)
+tmp_domain($1_lpr, `, $1_domain_file_type')
 r_dir_file($1_lpr_t, $1_tmp_t)
 
 # Type for spool files.
-type $1_print_spool_t, file_type, sysadmfile;
+type $1_print_spool_t, file_type, sysadmfile, $1_domain_file_type;
 # Use this type when creating files in /var/spool/lpd and /var/spool/cups.
 file_type_auto_trans($1_lpr_t, print_spool_t, $1_print_spool_t, file)
 allow $1_lpr_t var_spool_t:dir { search };
diff -urN orig/macros/program/restorecon_macros.te mod/macros/program/restorecon_macros.te
--- orig/macros/program/restorecon_macros.te	1970-01-01 01:00:00.000000000 +0100
+++ mod/macros/program/restorecon_macros.te	2004-10-25 23:26:44.000000000 +0200
@@ -0,0 +1,34 @@
+# Macro for the user restorecon domain
+#
+# Allow the user to call restorecon and to relabel all his files
+#
+# Author: Thomas Bleher <ThomasBleher@gmx.de>
+#
+
+define(`restorecon_domain', `
+
+type $1_restorecon_t, domain;
+role $1_r types $1_restorecon_t;
+
+domain_auto_trans($1_t, restorecon_exec_t, $1_restorecon_t)
+
+base_file_read_access($1_restorecon_t)
+uses_shlib($1_restorecon_t)
+
+allow $1_restorecon_t $1_devpts_t:chr_file { read write };
+
+allow $1_restorecon_t privfd:fd use;
+
+r_dir_file($1_restorecon_t, selinux_config_t)
+r_dir_file($1_restorecon_t, default_context_t)
+r_dir_file($1_restorecon_t, file_context_t)
+r_dir_file($1_restorecon_t, policy_config_t)
+
+allow $1_restorecon_t proc_t:dir search;
+allow $1_restorecon_t proc_t:file { getattr read };
+dontaudit $1_restorecon_t proc_t:lnk_file { getattr read };
+
+allow $1_restorecon_t { tmp_t $1_domain_file_type }:dir { getattr search };
+allow $1_restorecon_t $1_domain_file_type:{ notdevfile_class_set dir } { getattr relabelfrom relabelto };
+ 
+')
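Review bot: the `dir { getattr search }` grant near the end of the macro covers only tmp_t and $1_domain_file_type directories, so $1_restorecon_t cannot descend through /home to reach them unless base_file_read_access() already grants home_root_t search; compare the explicit `allow $1_xauth_t home_root_t:dir search;` in the xauth hunk further down. The same gap applies to the parents of the spool and run types tagged elsewhere in this patch ($1_print_spool_t under /var/spool, $1_screen_var_run_t under /var/run). On the safety question in the cover mail: the relabel rule grants relabelto only on $1_domain_file_type, so whatever context matchpathcon returns for a path, this domain cannot set a type outside the user's own set; the alt-root scenario discussed earlier in the thread is therefore bounded by the attribute, not by the tool, and that property deserves a sentence in the macro header. Also, that rule uses `{ notdevfile_class_set dir }`, so the chr_file types tagged by this patch ($1_tty_device_t and the pty type) gain nothing from the attribute and could drop it.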
diff -urN orig/macros/program/rssh_macros.te mod/macros/program/rssh_macros.te
--- orig/macros/program/rssh_macros.te	2004-09-23 11:38:30.000000000 +0200
+++ mod/macros/program/rssh_macros.te	2004-10-25 23:26:44.000000000 +0200
@@ -19,8 +19,8 @@
 role rssh_$1_r types rssh_$1_t;
 allow system_r rssh_$1_r;
 
-type rssh_$1_rw_t, file_type, sysadmfile;
-type rssh_$1_ro_t, file_type, sysadmfile;
+type rssh_$1_rw_t, file_type, sysadmfile, $1_domain_file_type;
+type rssh_$1_ro_t, file_type, sysadmfile, $1_domain_file_type;
 
 general_domain_access(rssh_$1_t);
 uses_shlib(rssh_$1_t);
diff -urN orig/macros/program/screen_macros.te mod/macros/program/screen_macros.te
--- orig/macros/program/screen_macros.te	2004-10-11 10:03:26.000000000 +0200
+++ mod/macros/program/screen_macros.te	2004-10-25 23:26:44.000000000 +0200
@@ -26,12 +26,12 @@
 typealias $1_home_t alias $1_home_screen_t;
 ', `
 type $1_screen_t, domain, privlog, privfd;
-type $1_home_screen_t, file_type, homedirfile, sysadmfile;
+type $1_home_screen_t, file_type, homedirfile, sysadmfile, $1_domain_file_type;
 
 # Transition from the user domain to this domain.
 domain_auto_trans($1_t, screen_exec_t, $1_screen_t)
 
-tmp_domain($1_screen)
+tmp_domain($1_screen, `, $1_domain_file_type')
 base_file_read_access($1_screen_t)
 # The user role is authorized for this domain.
 role $1_r types $1_screen_t;
@@ -72,7 +72,7 @@
 # Create fifo
 allow $1_screen_t var_t:dir search;
 file_type_auto_trans($1_screen_t, var_run_t, screen_dir_t, dir)
-type $1_screen_var_run_t, file_type, sysadmfile, pidfile;
+type $1_screen_var_run_t, file_type, sysadmfile, pidfile, $1_domain_file_type;
 file_type_auto_trans($1_screen_t, screen_dir_t, $1_screen_var_run_t, fifo_file)
 
 allow $1_screen_t self:process { fork signal_perms };
diff -urN orig/macros/program/spamassassin_macros.te mod/macros/program/spamassassin_macros.te
--- orig/macros/program/spamassassin_macros.te	2004-10-14 13:09:56.000000000 +0200
+++ mod/macros/program/spamassassin_macros.te	2004-10-25 23:26:44.000000000 +0200
@@ -80,7 +80,7 @@
 dontaudit $1_spamassassin_t { sysctl_t sysctl_kernel_t }:dir search;
 
 # The type of ~/.spamassassin
-type $1_home_spamassassin_t, file_type, homedirfile, sysadmfile;
+type $1_home_spamassassin_t, file_type, homedirfile, sysadmfile, $1_domain_file_type;
 create_dir_file($1_t, $1_home_spamassassin_t)
 allow $1_t $1_home_spamassassin_t:notdevfile_class_set { relabelfrom relabelto };
 allow $1_t $1_home_spamassassin_t:dir { relabelfrom relabelto };
diff -urN orig/macros/program/ssh_macros.te mod/macros/program/ssh_macros.te
--- orig/macros/program/ssh_macros.te	2004-10-17 13:07:15.000000000 +0200
+++ mod/macros/program/ssh_macros.te	2004-10-25 23:26:44.000000000 +0200
@@ -26,7 +26,7 @@
 ', `
 # Derived domain based on the calling user domain and the program.
 type $1_ssh_t, domain, privlog;
-type $1_home_ssh_t, file_type, homedirfile, sysadmfile;
+type $1_home_ssh_t, file_type, homedirfile, sysadmfile, $1_domain_file_type;
 
 ifdef(`automount.te', `
 allow $1_ssh_t autofs_t:dir { search getattr };
diff -urN orig/macros/program/tvtime_macros.te mod/macros/program/tvtime_macros.te
--- orig/macros/program/tvtime_macros.te	2004-10-05 20:52:36.000000000 +0200
+++ mod/macros/program/tvtime_macros.te	2004-10-25 23:26:44.000000000 +0200
@@ -19,7 +19,7 @@
 ifdef(`tvtime.te', `
 define(`tvtime_domain',`
 # Derived domain based on the calling user domain and the program.
-type $1_home_tvtime_t, file_type, homedirfile, sysadmfile;
+type $1_home_tvtime_t, file_type, homedirfile, sysadmfile, $1_domain_file_type;
 
 x_client_domain($1, tvtime)
 
diff -urN orig/macros/program/uml_macros.te mod/macros/program/uml_macros.te
--- orig/macros/program/uml_macros.te	2004-07-12 23:41:25.000000000 +0200
+++ mod/macros/program/uml_macros.te	2004-10-25 23:26:44.000000000 +0200
@@ -25,9 +25,9 @@
 ', `
 # Derived domain based on the calling user domain and the program.
 type $1_uml_t, domain;
-type $1_uml_exec_t, file_type, sysadmfile;
-type $1_uml_ro_t, file_type, sysadmfile;
-type $1_uml_rw_t, file_type, sysadmfile;
+type $1_uml_exec_t, file_type, sysadmfile, $1_domain_file_type;
+type $1_uml_ro_t, file_type, sysadmfile, $1_domain_file_type;
+type $1_uml_rw_t, file_type, sysadmfile, $1_domain_file_type;
 
 ifdef(`slocate.te', `
 allow $1_locate_t { $1_uml_exec_t $1_uml_ro_t $1_uml_rw_t }:dir { getattr search };
diff -urN orig/macros/program/vmware_macros.te mod/macros/program/vmware_macros.te
--- orig/macros/program/vmware_macros.te	2004-09-24 17:42:14.000000000 +0200
+++ mod/macros/program/vmware_macros.te	2004-10-25 23:26:44.000000000 +0200
@@ -23,10 +23,10 @@
 role $1_r types $1_vmware_t;
 
 # The user file type is for files created when the user is running VMWare
-type $1_vmware_file_t, homedirfile, file_type, sysadmfile;
+type $1_vmware_file_t, homedirfile, file_type, sysadmfile, $1_domain_file_type;
 
 # The user file type for the VMWare configuration files
-type $1_vmware_conf_t, homedirfile, file_type, sysadmfile;
+type $1_vmware_conf_t, homedirfile, file_type, sysadmfile, $1_domain_file_type;
 
 # for compatibility with older policy versions
 typealias $1_vmware_t alias vmware_$1_t;
diff -urN orig/macros/program/xauth_macros.te mod/macros/program/xauth_macros.te
--- orig/macros/program/xauth_macros.te	2004-06-19 10:31:44.000000000 +0200
+++ mod/macros/program/xauth_macros.te	2004-10-25 23:26:44.000000000 +0200
@@ -24,7 +24,7 @@
 ', `
 # Derived domain based on the calling user domain and the program.
 type $1_xauth_t, domain;
-type $1_home_xauth_t, file_type, homedirfile, sysadmfile;
+type $1_home_xauth_t, file_type, homedirfile, sysadmfile, $1_domain_file_type;
 
 ifdef(`slocate.te', `
 allow $1_locate_t $1_home_xauth_t:file { getattr read };
@@ -84,7 +84,7 @@
 allow $1_xauth_t home_root_t:dir search;
 file_type_auto_trans($1_xauth_t, $1_home_dir_t, $1_home_xauth_t, file)
 
-tmp_domain($1_xauth)
+tmp_domain($1_xauth, `, $1_domain_file_type')
 allow $1_xauth_t $1_tmp_t:file { getattr ioctl read };
 
 ifdef(`nfs_home_dirs', `
diff -urN orig/macros/program/x_client_macros.te mod/macros/program/x_client_macros.te
--- orig/macros/program/x_client_macros.te	2004-09-11 14:31:47.000000000 +0200
+++ mod/macros/program/x_client_macros.te	2004-10-25 23:26:44.000000000 +0200
@@ -30,9 +30,9 @@
 ', `
 type $1_$2_t, domain $3;
 # Type for files that are writeable by this domain.
-type $1_$2_rw_t, file_type, homedirfile, sysadmfile, tmpfile;
+type $1_$2_rw_t, file_type, homedirfile, sysadmfile, tmpfile, $1_domain_file_type;
 # Type for files that are read-only for this domain
-type $1_$2_ro_t, file_type, homedirfile, sysadmfile;
+type $1_$2_ro_t, file_type, homedirfile, sysadmfile, $1_domain_file_type;
 ')
 
 # Transition from the user domain to the derived domain.
diff -urN orig/macros/user_macros.te mod/macros/user_macros.te
--- orig/macros/user_macros.te	2004-10-19 21:15:26.000000000 +0200
+++ mod/macros/user_macros.te	2004-10-25 23:26:44.000000000 +0200
@@ -23,16 +23,16 @@
 ')dnl end single_userdomain
 
 # Type for home directory.
-type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type;
-type $1_home_t, file_type, sysadmfile, home_type, user_home_type;
+type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type, $1_domain_file_type;
+type $1_home_t, file_type, sysadmfile, home_type, user_home_type, $1_domain_file_type;
 
-tmp_domain($1, `, user_tmpfile')
+tmp_domain($1, `, user_tmpfile, $1_domain_file_type')
 
 # Type and access for pty devices.
-can_create_pty($1, `, userpty_type, user_tty_type')
+can_create_pty($1, `, userpty_type, user_tty_type, $1_domain_file_type')
 
 #Type for tty devices.
-type $1_tty_device_t, file_type, sysadmfile, ttyfile, user_tty_type, dev_fs;
+type $1_tty_device_t, file_type, sysadmfile, ttyfile, user_tty_type, dev_fs, $1_domain_file_type;
  
 base_user_domain($1)
 
@@ -61,6 +61,7 @@
 # user domains.
 ifdef(`apache.te', `apache_domain($1)')
 ifdef(`slocate.te', `locate_domain($1)')
+ifdef(`restorecon.te', `restorecon_domain($1)')
 
 allow $1_t krb5_conf_t:file { getattr read };
 # allow port_t name binding for UDP because it is not very usable otherwise
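Review bot: since restorecon_domain() uses domain_auto_trans($1_t, restorecon_exec_t, $1_restorecon_t), every execution of restorecon from $1_t transitions unconditionally, so the password check proposed in the PS (as newrole does) cannot be supplied by policy; it would have to live in restorecon itself, before any relabel. A one-line comment at +64 noting that the target is the per-user $1_restorecon_t and not restorecon_t would also help, because the base policy deliberately does not let unprivileged user domains enter restorecon_t, as Stephen points out elsewhere in this thread.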
@@ -135,6 +136,9 @@
 # user_t/$1_t is an unprivileged users domain.
 type $1_t, domain, userdomain, unpriv_userdomain, web_client_domain, nscd_client_domain, privfd;
 
+# define an attribute for all files created by this role
+attribute $1_domain_file_type;
+
 # Grant read/search permissions to some of /proc.
 allow $1_t proc_t:dir r_dir_perms;
 allow $1_t proc_t:{ file lnk_file } r_file_perms;
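Review bot: `attribute $1_domain_file_type;` lands at +140, after the `type` statements at +26..+36 that already list it and after the restorecon_domain($1) call at +64. checkpolicy looks each attribute up while parsing the `type` line and stops with "attribute ... is not declared" if the declaration has not been seen yet, so this builds only if the macro holding +140 is expanded ahead of the one holding +26. admin_macros.te in this same patch puts the declaration at the top of the macro, before `type $1_home_dir_t`; do the same here and drop this hunk.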

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]


* Re: Adding alternate root patch to restorecon (setfiles?)
  2004-10-18 20:51 ` Thomas Bleher
  2004-10-19 13:33   ` Daniel J Walsh
@ 2004-10-25 15:38   ` Russell Coker
  2004-10-25 21:31     ` Thomas Bleher
  1 sibling, 1 reply; 15+ messages in thread
From: Russell Coker @ 2004-10-25 15:38 UTC (permalink / raw)
  To: Thomas Bleher; +Cc: SELinux

On Tue, 19 Oct 2004 06:51, Thomas Bleher <bleher@informatik.uni-muenchen.de> 
wrote:
> One thing to note here is that restorecon becomes more dangerous with
> your changes. Right now restorecon is relatively safe in that you can
> only change file labels to their system default. It would probably be
> acceptable in most environments to give users access to restorecon so
> they could properly set labels for files in their home dir.
>
> With your changes and this scenario, users could do something like
>         restorecon -p /home/foo /home/foo/sbin/unix_chkpwd

If the user is to run restorecon then they must run it in their own domain.  
There is no harm in allowing a user to run restorecon as user_t.  They can 
only relabel files that have their own identity and a certain set of types.

Maybe we should even have a script to run restorecon -R on the user's home 
directory that they can run at any time if SE Linux stops them doing what 
they want?

If user_t can run restorecon as restorecon_t then you will lose even if there 
is no -p option.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Adding alternate root patch to restorecon (setfiles?)
  2004-10-19 18:36     ` Luke Kenneth Casson Leighton
  2004-10-19 18:26       ` Stephen Smalley
@ 2004-10-25 15:35       ` Russell Coker
  1 sibling, 0 replies; 15+ messages in thread
From: Russell Coker @ 2004-10-25 15:35 UTC (permalink / raw)
  To: Luke Kenneth Casson Leighton; +Cc: SELinux

On Wed, 20 Oct 2004 04:36, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> On Tue, Oct 19, 2004 at 09:33:06AM -0400, Daniel J Walsh wrote:
> > Thomas Bleher wrote:
> > Good point, good thing I never put out a patched version.  We need ideas
> > on the best way to do something
> > like this.
>
> um... what happens if a user runs restorecon in a chroot environment
> that they create?

One thing to note is that running programs inside a chroot environment in the 
same domain that they may run under in a non-chroot environment is probably a 
bad idea.

If the user can do something that is path sensitive then they can do it from 
user_t which does not have chroot capability.  If they enter a chroot 
environment then they do it through a program which has appropriate privs and 
then enter a different domain.

If the user can enter arbitrary domains in a chroot then you are bound to lose 
somehow.


NB  This has nothing to do with the patches to restorecon, just something to 
note for future reference.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


* Re: Adding alternate root patch to restorecon (setfiles?)
  2004-10-19 18:26       ` Stephen Smalley
@ 2004-10-19 20:27         ` Luke Kenneth Casson Leighton
  0 siblings, 0 replies; 15+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-10-19 20:27 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Daniel J Walsh, Thomas Bleher, SELinux

On Tue, Oct 19, 2004 at 02:26:44PM -0400, Stephen Smalley wrote:
> On Tue, 2004-10-19 at 14:36, Luke Kenneth Casson Leighton wrote:
> > um... what happens if a user runs restorecon in a chroot environment
> > that they create?
> > 
> > as an ordinary user, can they cp /lib/* and have the context preserved
> > on their copy of libc.so.6?  just trying that now... no, it says setting
> > attribute "security.selinux" for /home/sez/libc6.so.6': permission
> > denied.
> > 
> > is there any conceivable way round that?  [i hope not!]
> 
> Unprivileged user domains aren't allowed to transition to restorecon_t
> in the policy.  There is a reason for that...
  
  ... gooood :)



* Re: Adding alternate root patch to restorecon (setfiles?)
  2004-10-19 13:33   ` Daniel J Walsh
@ 2004-10-19 18:36     ` Luke Kenneth Casson Leighton
  2004-10-19 18:26       ` Stephen Smalley
  2004-10-25 15:35       ` Russell Coker
  0 siblings, 2 replies; 15+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-10-19 18:36 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Thomas Bleher, Stephen Smalley, SELinux

On Tue, Oct 19, 2004 at 09:33:06AM -0400, Daniel J Walsh wrote:
> Thomas Bleher wrote:
> Good point, good thing I never put out a patched version.  We need ideas 
> on the best way to do something
> like this.

um... what happens if a user runs restorecon in a chroot environment
that they create?

as an ordinary user, can they cp /lib/* and have the context preserved
on their copy of libc.so.6?  just trying that now... no, it says setting
attribute "security.selinux" for /home/sez/libc6.so.6': permission
denied.

is there any conceivable way round that?  [i hope not!]

l.



* Re: Adding alternate root patch to restorecon (setfiles?)
  2004-10-19 18:36     ` Luke Kenneth Casson Leighton
@ 2004-10-19 18:26       ` Stephen Smalley
  2004-10-19 20:27         ` Luke Kenneth Casson Leighton
  2004-10-25 15:35       ` Russell Coker
  1 sibling, 1 reply; 15+ messages in thread
From: Stephen Smalley @ 2004-10-19 18:26 UTC (permalink / raw)
  To: Luke Kenneth Casson Leighton; +Cc: Daniel J Walsh, Thomas Bleher, SELinux

On Tue, 2004-10-19 at 14:36, Luke Kenneth Casson Leighton wrote:
> um... what happens if a user runs restorecon in a chroot environment
> that they create?
> 
> as an ordinary user, can they cp /lib/* and have the context preserved
> on their copy of libc.so.6?  just trying that now... no, it says setting
> attribute "security.selinux" for /home/sez/libc6.so.6': permission
> denied.
> 
> is there any conceivable way round that?  [i hope not!]

Unprivileged user domains aren't allowed to transition to restorecon_t
in the policy.  There is a reason for that...
 
-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency



* Re: Adding alternate root patch to restorecon (setfiles?)
  2004-10-18 20:51 ` Thomas Bleher
@ 2004-10-19 13:33   ` Daniel J Walsh
  2004-10-19 18:36     ` Luke Kenneth Casson Leighton
  2004-10-25 15:38   ` Russell Coker
  1 sibling, 1 reply; 15+ messages in thread
From: Daniel J Walsh @ 2004-10-19 13:33 UTC (permalink / raw)
  To: Thomas Bleher; +Cc: Stephen Smalley, SELinux

Thomas Bleher wrote:

>* Daniel J Walsh <dwalsh@redhat.com> [2004-10-18 22:40]:
>
>>We are beginning to look into how we could support clusters with SELinux. 
>>Usually in clusters you move your configuration off on to some shared 
>>storage.
>>
>>So you might do a cp -a  /var/named /shared/var/named
>>
>>We need some way of relabeling these directories with file context.  My 
>>idea is to add an alternate
>>root qualifier to restorecon
>
>One thing to note here is that restorecon becomes more dangerous with
>your changes. Right now restorecon is relatively safe in that you can
>only change file labels to their system default. It would probably be
>acceptable in most environments to give users access to restorecon so
>they could properly set labels for files in their home dir.
>
>With your changes and this scenario, users could do something like
>        restorecon -p /home/foo /home/foo/sbin/unix_chkpwd
>and start reading /etc/shadow.
>So I am not sure this is the right way.
>
>Thomas
>
Good point, good thing I never put out a patched version.  We need ideas 
on the best way to do something like this.

Dan


* Re: Adding alternate root patch to restorecon (setfiles?)
  2004-10-18 19:31 Daniel J Walsh
  2004-10-18 19:55 ` Stephen Smalley
@ 2004-10-18 20:51 ` Thomas Bleher
  2004-10-19 13:33   ` Daniel J Walsh
  2004-10-25 15:38   ` Russell Coker
  1 sibling, 2 replies; 15+ messages in thread
From: Thomas Bleher @ 2004-10-18 20:51 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Stephen Smalley, SELinux

[-- Attachment #1: Type: text/plain, Size: 1127 bytes --]

* Daniel J Walsh <dwalsh@redhat.com> [2004-10-18 22:40]:
> We are beginning to look into how we could support clusters with SELinux. 
> Usually in clusters you move your configuration off on to some shared 
> storage.
> 
> So you might do a cp -a  /var/named /shared/var/named
> 
> We need some way of relabeling these directories with file context.  My 
> idea is to add an alternate
> root qualifier to restorecon

One thing to note here is that restorecon becomes more dangerous with
your changes. Right now restorecon is relatively safe in that you can
only change file labels to their system default. It would probably be
acceptable in most environments to give users access to restorecon so
they could properly set labels for files in their home dir.

With your changes and this scenario, users could do something like
        restorecon -p /home/foo /home/foo/sbin/unix_chkpwd
and start reading /etc/shadow.
So I am not sure this is the right way.

Thomas


-- 
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA  D09E C562 2BAE B2F4 ABE7

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
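As an added example (not code from policycoreutils or from any patch in this thread), here is a small C program showing what an alternate-root prefix does at the path level: the prefix is stripped before the path is matched against file_contexts, so a path under a directory the caller controls can resolve to a system specification, which is exactly the concern raised above, while Dan's /shared/var/named case resolves as intended. The file_contexts table, the sample paths and the names strip_alt_root, toy_matchpathcon and label_for are constructed for this example; the real matchpathcon(3) is not called.

```c
/* Added example (not code from policycoreutils or this thread's patches):
 * a toy showing why an alt_root prefix changes which file_contexts
 * specification a path resolves to. The spec table and the sample paths
 * below are constructed for illustration only. */
#include <regex.h>
#include <stdio.h>
#include <string.h>

/*
 * Strip alt_root from path the way a -p option would, but only when the
 * prefix ends on a path-component boundary, so "/home/foo" does not
 * match "/home/foobar/x". Returns the remainder (always beginning with
 * '/'), or path itself when the prefix does not apply.
 */
const char *strip_alt_root(const char *alt_root, const char *path)
{
    size_t n = alt_root ? strlen(alt_root) : 0;

    while (n > 0 && alt_root[n - 1] == '/')   /* tolerate "-p /home/foo/" */
        n--;
    if (n == 0 || strncmp(alt_root, path, n) != 0)
        return path;
    if (path[n] == '\0')
        return "/";          /* the alternate root directory itself */
    if (path[n] != '/')
        return path;         /* "/home/foobar/x": prefix not on a boundary */
    return path + n;
}

/* Constructed stand-in for a few file_contexts lines: regex and context. */
struct spec {
    const char *regex;
    const char *context;
};

static const struct spec specs[] = {
    { "^/home/[^/]+/.*$",    "system_u:object_r:user_home_t" },
    { "^/sbin/unix_chkpwd$", "system_u:object_r:chkpwd_exec_t" },
    { "^/var/named(/.*)?$",  "system_u:object_r:named_zone_t" },
};

/*
 * Toy matchpathcon(): returns the context of the last spec matching path,
 * or NULL when nothing matches. (Last match wins, as in file_contexts;
 * the table above is written so that each sample path matches once.)
 */
const char *toy_matchpathcon(const char *path)
{
    const char *result = NULL;
    size_t i;

    for (i = 0; i < sizeof specs / sizeof specs[0]; i++) {
        regex_t re;
        if (regcomp(&re, specs[i].regex, REG_EXTENDED | REG_NOSUB) != 0)
            continue;
        if (regexec(&re, path, 0, NULL, 0) == 0)
            result = specs[i].context;
        regfree(&re);
    }
    return result;
}

/* The context restorecon would try to set on path, given an optional alt_root. */
const char *label_for(const char *alt_root, const char *path)
{
    return toy_matchpathcon(strip_alt_root(alt_root, path));
}

int main(void)
{
    /* The cluster case: /shared/var/named labelled like /var/named. */
    printf("%s (-p /shared) -> %s\n", "/shared/var/named/db.root",
           label_for("/shared", "/shared/var/named/db.root"));
    /* The concern from the thread: without -p the file gets the home
     * spec; with -p pointing at the user's own directory it resolves to
     * the system spec for /sbin/unix_chkpwd instead. */
    printf("%s -> %s\n", "/home/foo/sbin/unix_chkpwd",
           label_for(NULL, "/home/foo/sbin/unix_chkpwd"));
    printf("%s (-p /home/foo) -> %s\n", "/home/foo/sbin/unix_chkpwd",
           label_for("/home/foo", "/home/foo/sbin/unix_chkpwd"));
    return 0;
}
```

The boundary check in strip_alt_root is a defensive detail worth keeping in any real implementation: a bare strncmp prefix test would also strip "/home/foo" from "/home/foobar/...". The larger point the program makes is that the tool resolves whatever the stripped path is, so the caller's domain, specifically the set of types it may relabelto, is what bounds the outcome, which is why the thread treats -p as something to confine by policy rather than by the program.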


* Re: Adding alternate root patch to restorecon (setfiles?)
  2004-10-18 19:55 ` Stephen Smalley
@ 2004-10-18 20:11   ` Daniel J Walsh
  0 siblings, 0 replies; 15+ messages in thread
From: Daniel J Walsh @ 2004-10-18 20:11 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux, Russell Coker

Stephen Smalley wrote:

>On Mon, 2004-10-18 at 15:31, Daniel J Walsh wrote:
>  
>
>>We are beginning to look into how we could support clusters with SELinux. 
>>Usually in clusters you move your configuration off on to some shared 
>>storage.
>>
>>So you might do a cp -a  /var/named /shared/var/named
>>
>>We need some way of relabeling these directories with file context.  My 
>>idea is to add an alternate
>>root qualifier to restorecon
>>
>>So in the above example you would do a
>>
>>restorecon -R -p /shared /shared/var/named
>>
>>I think this would work fairly well for chroot environments also.
>>    
>>
>
>setfiles already has such an option (-r).  setfiles and restorecon
>increasingly resemble one another except in their default behaviors.
>
>Previously, you indicated that you viewed the important difference as
>being that setfiles takes a specified file_contexts while restorecon
>only uses the system one, thereby imposing different trust burdens on
>the caller.  But note that setfiles policy already limits the set of
>types that it can read, and this could possibly be pruned further to
>avoid any types writable by a less trusted caller if there are such
>types.
>
>Merging them into one program and re-visiting whether setfiles can
>leverage matchpathcon(3) might be worthwhile.  At present, it doesn't do
>so because it wants the spec info for use in conflict detection, IIRC.
>
I agree.  A couple of things in merging them would be to eliminate the
need to specify the file_context file.  It should be figured out
directly.  Maybe convert restorecon into a wrapper around setfiles.

One other thing we are talking about is the ability to specify an
additional file_contexts file, sort of a local_file_context, so that
users could override or add certain file contexts without requiring the
sources rpm.  The users file should also be treated like this.

We need to drive to the point where selinux-policy-*-sources is treated
like kernel sources, i.e. hardly anyone would ever install the sources
file.

Dan

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Adding alternate root patch to restorecon (setfiles?)
  2004-10-18 19:31 Daniel J Walsh
@ 2004-10-18 19:55 ` Stephen Smalley
  2004-10-18 20:11   ` Daniel J Walsh
  2004-10-18 20:51 ` Thomas Bleher
  1 sibling, 1 reply; 15+ messages in thread
From: Stephen Smalley @ 2004-10-18 19:55 UTC
  To: Daniel J Walsh; +Cc: SELinux, Russell Coker

On Mon, 2004-10-18 at 15:31, Daniel J Walsh wrote:
> We are beginning to look into how we could support clusters with SELinux. 
> Usually in clusters you move your configuration off on to some shared 
> storage.
> 
> So you might do a cp -a  /var/named /shared/var/named
> 
> We need some way of relabeling these directories with file context.  My 
> idea is to add an alternate
> root qualifier to restorecon
> 
> So in the above example you would do a
> 
> restorecon -R -p /shared /shared/var/named
> 
> I think this would work fairly well for chroot environments also.

setfiles already has such an option (-r).  setfiles and restorecon
increasingly resemble one another except in their default behaviors.

Previously, you indicated that you viewed the important difference as
being that setfiles takes a specified file_contexts while restorecon
only uses the system one, thereby imposing different trust burdens on
the caller.  But note that setfiles policy already limits the set of
types that it can read, and this could possibly be pruned further to
avoid any types writable by a less trusted caller if there are such
types.

Merging them into one program and re-visiting whether setfiles can
leverage matchpathcon(3) might be worthwhile.  At present, it doesn't do
so because it wants the spec info for use in conflict detection, IIRC.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency



* Adding alternate root patch to restorecon (setfiles?)
@ 2004-10-18 19:31 Daniel J Walsh
  2004-10-18 19:55 ` Stephen Smalley
  2004-10-18 20:51 ` Thomas Bleher
  0 siblings, 2 replies; 15+ messages in thread
From: Daniel J Walsh @ 2004-10-18 19:31 UTC
  To: Stephen Smalley, SELinux

We are beginning to look into how we could support clusters with SELinux. 
Usually in clusters you move your configuration off on to some shared 
storage.

So you might do a cp -a  /var/named /shared/var/named

We need some way of relabeling these directories with file context.  My 
idea is to add an alternate
root qualifier to restorecon

So in the above example you would do a

restorecon -R -p /shared /shared/var/named

I think this would work fairly well for chroot environments also.

Ideas?


Dan

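An added illustration of the alternate-root lookup Dan proposes above and of the objection Thomas Bleher raises earlier in the thread. This is example code written for this page, not code from policycoreutils or libselinux: it models the `-p` prefix stripping and a last-match-wins file_contexts lookup over a constructed four-entry table. The regexes and types in the table are sample values, and `plan_relabel` encodes one assumed mitigation (honouring `-p` only for a root caller) that the thread did not settle on.

```python
"""Model of restorecon's proposed alternate-root lookup (added example)."""
import re
from typing import List, Optional, Tuple

# Constructed file_contexts-style table: (anchored regex, type).  These four
# entries are sample values made up for this example, not copied from policy.
# As in file_contexts, the *last* entry that matches a path wins.
FILE_CONTEXTS: List[Tuple[str, str]] = [
    (r"/.*", "default_t"),
    (r"/home/[^/]+(/.*)?", "user_home_t"),
    (r"/var/named(/.*)?", "named_zone_t"),
    (r"/sbin/unix_chkpwd", "chkpwd_exec_t"),
]


def strip_alt_root(path: str, alt_root: Optional[str]) -> str:
    """Return the path that would be handed to matchpathcon(3).

    The alternate root is removed only at a path-component boundary, so an
    alt_root of /shared leaves /shared2/etc untouched; a bare prefix compare
    would strip it and produce the bogus target "2/etc".
    """
    if not alt_root:
        return path
    root = alt_root.rstrip("/")
    if root == "":            # alt_root was "/" (or "//"): nothing to strip
        return path
    if path == root:
        return "/"
    if path.startswith(root + "/"):
        return path[len(root):]
    return path


def match_context(target: str) -> Optional[str]:
    """Last-match-wins lookup over the constructed table (simplified matchpathcon)."""
    for regex, ctx in reversed(FILE_CONTEXTS):
        if re.fullmatch(regex, target):
            return ctx
    return None


def lookup(path: str, alt_root: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """What 'restorecon -p ALT_ROOT PATH' would look up and which type it would apply."""
    target = strip_alt_root(path, alt_root)
    return target, match_context(target)


def plan_relabel(path: str, alt_root: Optional[str], caller_is_root: bool) -> dict:
    """Assumed mitigation (not the tool's behaviour): honour -p only for root.

    An unprivileged caller then keeps today's guarantee that restorecon can
    only set the label the system file_contexts assigns to the real path.
    """
    honoured = bool(alt_root) and caller_is_root
    target, ctx = lookup(path, alt_root if honoured else None)
    return {"path": path, "target": target, "context": ctx,
            "alt_root_honoured": honoured}


if __name__ == "__main__":
    # Cluster case from the thread: relabel a copy of /var/named under /shared.
    print(lookup("/shared/var/named/db.example", "/shared"))
    # Hazard case from the thread: a home-dir file looked up as a system path.
    print(lookup("/home/foo/sbin/unix_chkpwd", "/home/foo"))
    print(plan_relabel("/home/foo/sbin/unix_chkpwd", "/home/foo", caller_is_root=False))
```

Running the two `lookup` calls side by side shows the whole issue: the same file_contexts table answers `named_zone_t` for the shared copy of the zone files, which is the behaviour wanted, and `chkpwd_exec_t` for a file under a home directory once the caller strips the home directory off, which is the behaviour Thomas warns about. The component-boundary check in `strip_alt_root` is a separate correctness detail worth keeping in any real implementation.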

2004-10-18 19:36 Adding alternate root patch to restorecon (setfiles?) Daniel J Walsh
2004-10-18 19:31 Daniel J Walsh
2004-10-18 19:55 ` Stephen Smalley
2004-10-18 20:11   ` Daniel J Walsh
2004-10-18 20:51 ` Thomas Bleher
2004-10-19 13:33   ` Daniel J Walsh
2004-10-19 18:36     ` Luke Kenneth Casson Leighton
2004-10-19 18:26       ` Stephen Smalley
2004-10-19 20:27         ` Luke Kenneth Casson Leighton
2004-10-25 15:35       ` Russell Coker
2004-10-25 15:38   ` Russell Coker
2004-10-25 21:31     ` Thomas Bleher
2004-10-26 14:36       ` Russell Coker
2004-11-05 21:39         ` James Carter
2004-11-06 10:40           ` Thomas Bleher
