From: Daniel J Walsh
Date: Wed, 24 Nov 2004 15:24:26 -0500
To: jwcart2@epoch.ncsc.mil
CC: Russell Coker, Thomas Bleher, SELinux
Subject: Re: can_network patch.
Message-ID: <41A4EDFA.3060407@redhat.com>
In-Reply-To: <1101325733.12859.37.camel@moss-lions.epoch.ncsc.mil>
List-Id: selinux@tycho.nsa.gov

James Carter wrote:
> Merged with some changes.
>
> After talking with Steve, I removed can_network_server_udp and
> can_network_client_udp, and just used can_network_udp. There is no
> security gained for udp in not allowing the connect if they already can
> send and receive.
>

Ok, this might be a candidate for a boolean.

> Also removed, for now, the mozilla_macros.te chunk that allowed mozilla
> to execute userhelper and the rules giving mozilla more execute
> permissions.
>
> I missed the userhelper stuff yesterday. Letting mozilla run userhelper
> has some serious security implications.
>
> Isn't it possible to give the JRE the execute permissions without giving
> it to $1_mozilla_t?
>

Yes, although it will probably need a lot of the same privs as mozilla, and be quite complicated.

> On Wed, 2004-11-24 at 11:22, Daniel J Walsh wrote:
>> * This patch includes the ugliness to get sun's jre plugin to work
>> in Mozilla. (otherwise mozilla crashes).
>> * Removed distro_gentoo checks around proc_net since we want these also.
>> * Futzed around with userhelper so that mozilla can run it.
>> * Cleaned up stunnel.te so it should be usable for gentoo and other
>> distributions.
>> * Some cleanup of apache to allow starting of apache with ssl keys
>> * Includes modification to global_macros to extract out
>> network_macros.te
>>
>> network_macros.te includes
>>
>> can_network - with all the current functionality
>>
>> I added
>>
>> can_network_server (Has listen and accept, both udp and tcp)
>> can_network_server_udp
>> can_network_server_tcp
>>
>> can_network_client (Has connect, both udp and tcp)
>> can_network_client_tcp
>> can_network_client_udp
>>
>> can_network_udp - Same as can_network but only for udp
>> can_network_tcp - Same as can_network but only for tcp
>>
>> ______________________________________________________________________
>>
>>diff --exclude-from=exclude -N -u -r nsapolicy/macros/network_macros.te policy-1.19.5/macros/network_macros.te
>>--- nsapolicy/macros/network_macros.te 1969-12-31 19:00:00.000000000 -0500
>>+++ policy-1.19.5/macros/network_macros.te 2004-11-24 10:57:51.328334858 -0500
>>@@ -0,0 +1,189 @@ >>+################################# >>+# >>+# can_network(domain) >>+# >>+# Permissions for accessing the network. >>+# See types/network.te for the network types. >>+# See net_contexts for security contexts for network entities. >>+# >>+define(`base_can_network',` >>+# >>+# Allow the domain to create and use $2 sockets. >>+# Other kinds of sockets must be separately authorized for use. >>+allow $1 self:$2_socket connected_socket_perms; >>+ >>+# >>+# Allow the domain to send or receive using any network interface. >>+# netif_type is a type attribute for all network interface types. >>+# >>+allow $1 netif_type:netif { $2_send rawip_send }; >>+allow $1 netif_type:netif { $2_recv rawip_recv }; >>+ >>+# >>+# Allow the domain to send to or receive from any node. >>+# node_type is a type attribute for all node types. >>+# >>+allow $1 node_type:node { $2_send rawip_send }; >>+allow $1 node_type:node { $2_recv rawip_recv }; >>+ >>+# >>+# Allow the domain to send to or receive from any port. >>+# port_type is a type attribute for all port types. >>+# >>+ifelse($3, `', ` >>+allow $1 port_type:$2_socket { send_msg recv_msg }; >>+', ` >>+allow $1 $3:$2_socket { send_msg recv_msg }; >>+') >>+ >>+# XXX Allow binding to any node type. Remove once >>+# individual rules have been added to all domains that >>+# bind sockets. >>+allow $1 node_type:$2_socket node_bind; >>+# >>+# Allow access to network files including /etc/resolv.conf >>+# >>+allow $1 net_conf_t:file r_file_perms; >>+')dnl end can_network definition >>+ >>+################################# >>+# >>+# can_network_server_tcp(domain) >>+# >>+# Permissions for accessing a tcp network. >>+# See types/network.te for the network types. >>+# See net_contexts for security contexts for network entities. 
>>+# >>+define(`can_network_server_tcp',` >>+base_can_network($1, tcp, `$2') >>+allow $1 self:tcp_socket { listen accept }; >>+') >>+ >>+################################# >>+# >>+# can_network_server_udp(domain) >>+# >>+# Permissions for accessing a udp network. >>+# See types/network.te for the network types. >>+# See net_contexts for security contexts for network entities. >>+# >>+define(`can_network_server_udp',` >>+base_can_network($1, udp, `$2') >>+') >>+ >>+################################# >>+# >>+# can_network_client_tcp(domain) >>+# >>+# Permissions for accessing a tcp network. >>+# See types/network.te for the network types. >>+# See net_contexts for security contexts for network entities. >>+# >>+define(`can_network_client_tcp',` >>+base_can_network($1, tcp, `$2') >>+allow $1 self:tcp_socket { connect }; >>+') >>+ >>+################################# >>+# >>+# can_network_client_udp(domain) >>+# >>+# Permissions for accessing a udp network. >>+# See types/network.te for the network types. >>+# See net_contexts for security contexts for network entities. >>+# >>+define(`can_network_client_udp',` >>+base_can_network($1, udp, `$2') >>+allow $1 self:udp_socket { connect }; >>+') >>+ >>+################################# >>+# >>+# can_network_tcp(domain) >>+# >>+# Permissions for accessing the network. >>+# See types/network.te for the network types. >>+# See net_contexts for security contexts for network entities. >>+# >>+define(`can_network_tcp',` >>+ >>+can_network_server_tcp($1, `$2') >>+can_network_client_tcp($1, `$2') >>+ >>+') >>+ >>+################################# >>+# >>+# can_network_udp(domain) >>+# >>+# Permissions for accessing the network. >>+# See types/network.te for the network types. >>+# See net_contexts for security contexts for network entities. 
>>+# >>+define(`can_network_udp',` >>+ >>+can_network_client_udp($1, `$2') >>+can_network_server_udp($1, `$2') >>+ >>+') >>+ >>+################################# >>+# >>+# can_network_server(domain) >>+# >>+# Permissions for accessing the network. >>+# See types/network.te for the network types. >>+# See net_contexts for security contexts for network entities. >>+# >>+define(`can_network_server',` >>+ >>+can_network_server_tcp($1, `$2') >>+can_network_server_udp($1, `$2') >>+ >>+')dnl end can_network_server definition >>+ >>+ >>+################################# >>+# >>+# can_network_client(domain) >>+# >>+# Permissions for accessing the network. >>+# See types/network.te for the network types. >>+# See net_contexts for security contexts for network entities. >>+# >>+define(`can_network_client',` >>+ >>+can_network_client_tcp($1, `$2') >>+can_network_client_udp($1, `$2') >>+ >>+')dnl end can_network_client definition >>+ >>+################################# >>+# >>+# can_network(domain) >>+# >>+# Permissions for accessing the network. >>+# See types/network.te for the network types. >>+# See net_contexts for security contexts for network entities. >>+# >>+define(`can_network',` >>+ >>+can_network_tcp($1, `$2') >>+can_network_udp($1, `$2') >>+ >>+# >>+# Allow the domain to send NFS client requests via the socket >>+# created by mount. >>+# >>+allow $1 mount_t:udp_socket rw_socket_perms; >>+ >>+')dnl end can_network definition >>+ >>+define(`can_resolve',` >>+can_network_client_udp($1, `dns_port_t') >>+') >>+ >>+define(`can_ldap',` >>+can_network_client_tcp($1, `ldap_port_t') >>+') >>+ >> >> > > > > > >>diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.19.5/macros/program/mozilla_macros.te >>--- nsapolicy/macros/program/mozilla_macros.te 2004-11-24 07:00:51.000000000 -0500 >>+++ policy-1.19.5/macros/program/mozilla_macros.te 2004-11-24 10:57:51.332334406 -0500 
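Review bot: In the network_macros.te hunk, the header comment above define(`base_can_network') still reads "can_network(domain)" and its closing marker reads "dnl end can_network definition", while the real can_network macro is defined further down with the identical closing marker; rename both to base_can_network so the two definitions cannot be confused. The per-macro headers document only "(domain)", yet every macro accepts an optional second argument (a port type, passed through as `$2` and consumed as `$3` in base_can_network, as can_resolve and can_ldap show); that parameter belongs in the headers because it is what narrows send_msg/recv_msg from all of port_type to a single port. Two least-privilege points that deserve a comment in the file: base_can_network grants `rawip_send`/`rawip_recv` on netif_type and node_type for both the tcp and udp variants, so even can_network_client_tcp conveys raw IP send and receive on every interface and node; and can_network_tcp/can_network_udp expand base_can_network twice (once via the server macro and once via the client macro), which is harmless to the compiled policy but makes the effective grant set harder to audit by reading the macros.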
>>@@ -29,7 +29,8 @@ >> >> allow $1_mozilla_t usr_t:{ lnk_file file } { getattr read }; >> allow $1_mozilla_t var_lib_t:file { getattr read }; >>-allow $1_mozilla_t urandom_device_t:chr_file { getattr ioctl read }; >>+allow $1_mozilla_t { random_device_t urandom_device_t }:chr_file { getattr ioctl read append }; >>+ >> allow $1_mozilla_t self:socket create_socket_perms; >> allow $1_mozilla_t self:file { getattr read }; >> >>@@ -117,8 +118,20 @@ >> dontaudit $1_mozilla_t file_type:dir getattr; >> allow $1_mozilla_t self:sem create_sem_perms; >> >>+ifdef(`userhelper.te', ` >>+domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t) >>+') >> dontaudit $1_mozilla_t selinux_config_t:dir search; >> >>+# >>+# Rules needed to run java apps >>+# >>+allow $1_mozilla_t ld_so_cache_t:file execute; >>+allow $1_mozilla_t locale_t:file execute; >>+dontaudit $1_mozilla_t *:{ chr_file file } execute; >>+dontaudit $1_t ld_so_cache_t:file execute; >>+dontaudit $1_t locale_t:file execute; >>+ >> ifdef(`xdm.te', ` >> allow $1_mozilla_t xdm_t:fifo_file { write read }; >> allow $1_mozilla_t xdm_tmp_t:dir search; >> >> > > >
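Review bot: In the @@ -29,7 +29,8 @@ hunk, the replacement rule adds `append` on { random_device_t urandom_device_t }:chr_file where the old rule granted only { getattr ioctl read }; append lets the browser domain write into the kernel entropy devices, so if the JRE only needs to read randomness the permission should be dropped, and if it is genuinely needed a comment should say why.

Review bot: In the @@ -117,8 +118,20 @@ hunk, `dontaudit $1_mozilla_t *:{ chr_file file } execute;` silences execute denials for every type on the system, which removes exactly the AVC messages an administrator would rely on to notice the browser or a plugin attempting to execute something it should not; narrow it to the specific types the JRE is known to touch. The two `dontaudit $1_t ...` lines modify the user domain rather than the mozilla domain and belong in a user-domain macro with their own justification, and `allow $1_mozilla_t ld_so_cache_t:file execute;` / `locale_t:file execute` grant execute on data files, which needs a comment explaining the JRE mapping behaviour that requires it. The userhelper domain_auto_trans in this hunk is the transition James's reply above says was dropped from the merge along with the extra execute rules.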
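The can_network macro family from the quoted network_macros.te patch, modelled as Python functions that return the TE rules each m4 macro expands to, so the effective grant set a domain receives (including the raw IP and node_bind rules that ride along with every variant, and the duplication from expanding base_can_network once per leaf macro) can be inspected directly. This is an added example, not code from the mail or the SELinux policy tree; it assumes the type and attribute names used in the patch (netif_type, node_type, port_type, net_conf_t, mount_t, dns_port_t) and does not run m4.

```python
# Added example: Python model of the can_network macros in the quoted patch.
# Type/attribute names are taken from the patch text; no m4 is run here.

def base_can_network(domain, proto, port=None):
    """Mirror of base_can_network($1, $2, $3); port=None is the ifelse($3, `') branch."""
    sock = f"{proto}_socket"
    target = port or "port_type"
    return [
        f"allow {domain} self:{sock} connected_socket_perms;",
        # rawip_send/rawip_recv are granted whether $2 is tcp or udp
        f"allow {domain} netif_type:netif {{ {proto}_send rawip_send }};",
        f"allow {domain} netif_type:netif {{ {proto}_recv rawip_recv }};",
        f"allow {domain} node_type:node {{ {proto}_send rawip_send }};",
        f"allow {domain} node_type:node {{ {proto}_recv rawip_recv }};",
        f"allow {domain} {target}:{sock} {{ send_msg recv_msg }};",
        f"allow {domain} node_type:{sock} node_bind;",  # the XXX rule in the patch
        f"allow {domain} net_conf_t:file r_file_perms;",
    ]

def can_network_server_tcp(d, p=None):
    return base_can_network(d, "tcp", p) + [f"allow {d} self:tcp_socket {{ listen accept }};"]

def can_network_server_udp(d, p=None):
    return base_can_network(d, "udp", p)  # nothing beyond the base rules for UDP

def can_network_client_tcp(d, p=None):
    return base_can_network(d, "tcp", p) + [f"allow {d} self:tcp_socket {{ connect }};"]

def can_network_client_udp(d, p=None):
    return base_can_network(d, "udp", p) + [f"allow {d} self:udp_socket {{ connect }};"]

def can_network_tcp(d, p=None):
    return can_network_server_tcp(d, p) + can_network_client_tcp(d, p)

def can_network_udp(d, p=None):
    return can_network_client_udp(d, p) + can_network_server_udp(d, p)

def can_network(d, p=None):
    nfs = [f"allow {d} mount_t:udp_socket rw_socket_perms;"]
    return can_network_tcp(d, p) + can_network_udp(d, p) + nfs

def can_resolve(d):
    return can_network_client_udp(d, "dns_port_t")

def effective_grants(rules):
    """Deduplicate: base_can_network is expanded once per leaf macro, so rules repeat."""
    return sorted(set(rules))
```

Calling effective_grants(can_resolve("foo_t")) lists the nine distinct rules a DNS-resolving domain actually receives, which is a quick way to review what a macro hands out before using it in a domain's .te file.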