Added application_exec_type patch

Added application_exec_type patch

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 428 bytes --]

This patch  an attribute  of application_exec_type to any executable 
that can be executed by a user. 

I have only patched the executables that currently transition to a 
domain if run under inetd or init, but do not transition if run by a user.

Also changed corecommand_exec_any to only execute executables that a 
user is supposed to run.  So if sysadm_t tries to execute a dameon 
directly it will get a permission denied.

[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 10100 bytes --]

diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te serefpolicy-2.5.6/policy/modules/admin/acct.te
--- nsaserefpolicy/policy/modules/admin/acct.te	2007-01-02 12:57:51.000000000 -0500
+++ serefpolicy-2.5.6/policy/modules/admin/acct.te	2007-02-28 12:03:02.000000000 -0500
@@ -9,6 +9,7 @@
 type acct_t;
 type acct_exec_t;
 init_system_domain(acct_t,acct_exec_t)
+application_executable_file(acct_exec_t)
 
 type acct_data_t;
 logging_log_file(acct_data_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.5.6/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te	2007-02-19 11:32:54.000000000 -0500
+++ serefpolicy-2.5.6/policy/modules/admin/consoletype.te	2007-02-28 12:03:02.000000000 -0500
@@ -16,6 +21,7 @@
 ifdef(`targeted_policy',`',`
 	init_system_domain(consoletype_t,consoletype_exec_t)
 ')
+application_executable_file(consoletype_exec_t)
 
 ########################################
 #
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-2.5.6/policy/modules/admin/dmesg.te
--- nsaserefpolicy/policy/modules/admin/dmesg.te	2006-11-16 17:15:26.000000000 -0500
+++ serefpolicy-2.5.6/policy/modules/admin/dmesg.te	2007-02-28 12:03:02.000000000 -0500
@@ -10,6 +10,7 @@
 	type dmesg_t;
 	type dmesg_exec_t;
 	init_system_domain(dmesg_t,dmesg_exec_t)
+	application_executable_file(dmesg_exec_t)
 	role system_r types dmesg_t;
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-2.5.6/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te	2007-01-02 12:57:51.000000000 -0500
+++ serefpolicy-2.5.6/policy/modules/admin/netutils.te	2007-02-28 12:03:02.000000000 -0500
@@ -22,6 +22,7 @@
 type traceroute_t;
 type traceroute_exec_t;
 init_system_domain(traceroute_t,traceroute_exec_t)
+application_executable_file(traceroute_exec_t)
 role system_r types traceroute_t;
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-2.5.6/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te	2007-02-19 11:32:54.000000000 -0500
+++ serefpolicy-2.5.6/policy/modules/admin/rpm.te	2007-02-28 12:03:02.000000000 -0500
@@ -9,6 +9,8 @@
 type rpm_t;
 type rpm_exec_t;
 init_system_domain(rpm_t,rpm_exec_t)
+application_executable_file(rpm_exec_t)
+
 domain_obj_id_change_exemption(rpm_t)
 domain_role_change_exemption(rpm_t)
 domain_system_change_exemption(rpm_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.te serefpolicy-2.5.6/policy/modules/admin/sudo.te
--- nsaserefpolicy/policy/modules/admin/sudo.te	2007-02-19 11:32:54.000000000 -0500
+++ serefpolicy-2.5.6/policy/modules/admin/sudo.te	2007-02-28 12:03:02.000000000 -0500
@@ -7,5 +7,6 @@
 
 type sudo_exec_t;
 files_type(sudo_exec_t)
+application_executable_file(sudo_exec_t)
 
 # Remaining policy in per user domain template.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-2.5.6/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if	2007-02-19 11:32:51.000000000 -0500
+++ serefpolicy-2.5.6/policy/modules/kernel/corecommands.if	2007-02-28 12:03:02.000000000 -0500
@@ -928,7 +928,15 @@
 		type bin_t, sbin_t;
 	')
 
-	can_exec($1,exec_type)
+	# Need this dontaudit or command completion fires hundreds of avcs
+ 	dontaudit $1 exec_type:file execute;
+ 	corecmd_exec_bin($1)
+ 	corecmd_exec_sbin($1)
+ 	corecmd_exec_shell($1)
+ 	corecmd_exec_ls($1)
+ 	corecmd_exec_chroot($1)
+ 	application_exec($1)
+ 
 	list_dirs_pattern($1,{ bin_t sbin_t },{ bin_t sbin_t })
 	read_lnk_files_pattern($1,{ bin_t sbin_t },{ bin_t sbin_t })
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-2.5.6/policy/modules/services/cvs.te
--- nsaserefpolicy/policy/modules/services/cvs.te	2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-2.5.6/policy/modules/services/cvs.te	2007-02-28 12:03:02.000000000 -0500
@@ -9,6 +9,7 @@
 type cvs_t;
 type cvs_exec_t;
 inetd_tcp_service_domain(cvs_t,cvs_exec_t)
+application_executable_file(cvs_exec_t)
 role system_r types cvs_t;
 
 type cvs_data_t; # customizable
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-2.5.6/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te	2007-02-19 11:32:53.000000000 -0500
+++ serefpolicy-2.5.6/policy/modules/services/mta.te	2007-02-28 12:03:02.000000000 -0500
@@ -27,6 +27,7 @@
 
 type sendmail_exec_t;
 files_type(sendmail_exec_t)
+application_executable_file(sendmail_exec_t)
 
 mta_base_mail_template(system)
 role system_r types system_mail_t;
@@ -91,6 +92,7 @@
 optional_policy(`
 	apache_read_squirrelmail_data(system_mail_t)
 	apache_append_squirrelmail_data(system_mail_t)
+	apache_search_bugzilla_dirs(system_mail_t)
 
 	# apache should set close-on-exec
 	apache_dontaudit_append_log(system_mail_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-2.5.6/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te	2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-2.5.6/policy/modules/services/rsync.te	2007-02-28 12:03:02.000000000 -0500
@@ -9,6 +9,7 @@
 type rsync_t;
 type rsync_exec_t;
 init_daemon_domain(rsync_t,rsync_exec_t)
+application_executable_file(rsync_exec_t)
 role system_r types rsync_t;
 
 type rsync_data_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-2.5.6/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te	2007-02-19 11:32:53.000000000 -0500
+++ serefpolicy-2.5.6/policy/modules/services/spamassassin.te	2007-02-28 12:03:02.000000000 -0500
@@ -8,7 +8,7 @@
 
 # spamassassin client executable
 type spamc_exec_t;
-corecmd_executable_file(spamc_exec_t)
+application_executable_file(spamc_exec_t)
 
 type spamd_t;
 type spamd_exec_t;
@@ -24,7 +28,7 @@
 files_pid_file(spamd_var_run_t)
 
 type spamassassin_exec_t;
-corecmd_executable_file(spamassassin_exec_t)
+application_executable_file(spamassassin_exec_t)
 
 ########################################
 #
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-2.5.6/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te	2007-02-19 11:32:53.000000000 -0500
+++ serefpolicy-2.5.6/policy/modules/services/ssh.te	2007-02-28 12:03:02.000000000 -0500
@@ -10,11 +10,11 @@
 
 # Type for the ssh-agent executable.
 type ssh_agent_exec_t;
-files_type(ssh_agent_exec_t)
+application_executable_file(ssh_agent_exec_t)
 
 # ssh client executable.
 type ssh_exec_t;
-corecmd_executable_file(ssh_exec_t)
+application_executable_file(ssh_exec_t)
 
 type ssh_keygen_t;
 type ssh_keygen_exec_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.fc serefpolicy-2.5.6/policy/modules/system/application.fc
--- nsaserefpolicy/policy/modules/system/application.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.5.6/policy/modules/system/application.fc	2007-02-28 14:53:19.000000000 -0500
@@ -0,0 +1 @@
+# No application file contexts.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.if serefpolicy-2.5.6/policy/modules/system/application.if
--- nsaserefpolicy/policy/modules/system/application.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.5.6/policy/modules/system/application.if	2007-02-28 12:06:13.000000000 -0500
@@ -0,0 +1,41 @@
+## <summary>Policy for application domains</summary>
+
+########################################
+## <summary>
+##	Make the specified type usable for files
+##	that are exectuables, such as binary programs.
+##	This does not include shared libraries.
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to be used for files.
+##	</summary>
+## </param>
+#
+interface(`application_executable_file',`
+	gen_require(`
+		attribute application_exec_type;
+	')
+
+	typeattribute $1 application_exec_type;
+
+	corecmd_executable_file($1)
+')
+
+########################################
+## <summary>
+## Execute application executables in the caller domain.
+## </summary>
+## <param name="type">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`application_exec',`
+	gen_require(`
+		attribute application_exec_type;
+	')
+
+	can_exec($1, application_exec_type)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-2.5.6/policy/modules/system/application.te
--- nsaserefpolicy/policy/modules/system/application.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.5.6/policy/modules/system/application.te	2007-02-28 12:04:47.000000000 -0500
@@ -0,0 +1,6 @@
+
+policy_module(application,1.0.0)
+
+# Executables to be run by user
+attribute application_exec_type;
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.5.6/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te	2007-02-19 11:32:53.000000000 -0500
+++ serefpolicy-2.5.6/policy/modules/system/fstools.te	2007-02-28 12:03:02.000000000 -0500
@@ -9,6 +9,7 @@
 type fsadm_t;
 type fsadm_exec_t;
 init_system_domain(fsadm_t,fsadm_exec_t)
+application_executable_file(fsadm_exec_t)
 role system_r types fsadm_t;
 
 type fsadm_log_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.5.6/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te	2007-01-02 12:57:49.000000000 -0500
+++ serefpolicy-2.5.6/policy/modules/system/mount.te	2007-02-28 12:03:02.000000000 -0500
@@ -9,6 +9,7 @@
 type mount_t;
 type mount_exec_t;
 init_system_domain(mount_t,mount_exec_t)
+application_executable_file(mount_exec_t)
 role system_r types mount_t;
 
 type mount_loopback_t; # customizable

Re: Added application_exec_type patch

[Christopher J. PeBenito]

On Wed, 2007-02-28 at 15:25 -0500, Daniel J Walsh wrote:
> This patch  an attribute  of application_exec_type to any executable 
> that can be executed by a user. 

The domains also need to be collected (minus the ones that we discussed
on IRC, like cvs and rsync) into an attribute.  Then we should be able
to apply that towards fixing the ssh command line/sockets problem (where
the incoming client has done something like "ssh
myserver /usr/bin/passwd").

> I have only patched the executables that currently transition to a 
> domain if run under inetd or init, but do not transition if run by a user.

The stuff in the apps layer will have to be covered too.  They may have
policies, but they're still applications.  Their domain transitions will
still happen.

> Also changed corecommand_exec_any to only execute executables that a 
> user is supposed to run.  So if sysadm_t tries to execute a dameon 
> directly it will get a permission denied.

This interface has to remain the same.  "All executables" actually has
to mean all executables for the semantics of the interface to be
maintained.  If we want sysadm's behavior to be the above, it is the one
that needs to change.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Added application_exec_type patch

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 1385 bytes --]

Christopher J. PeBenito wrote:
> On Wed, 2007-02-28 at 15:25 -0500, Daniel J Walsh wrote:
>   
>> This patch  an attribute  of application_exec_type to any executable 
>> that can be executed by a user. 
>>     
>
> The domains also need to be collected (minus the ones that we discussed
> on IRC, like cvs and rsync) into an attribute.  Then we should be able
> to apply that towards fixing the ssh command line/sockets problem (where
> the incoming client has done something like "ssh
> myserver /usr/bin/passwd").
>
>   
>> I have only patched the executables that currently transition to a 
>> domain if run under inetd or init, but do not transition if run by a user.
>>     
>
> The stuff in the apps layer will have to be covered too.  They may have
> policies, but they're still applications.  Their domain transitions will
> still happen.
>
>   
>> Also changed corecommand_exec_any to only execute executables that a 
>> user is supposed to run.  So if sysadm_t tries to execute a dameon 
>> directly it will get a permission denied.
>>     
>
> This interface has to remain the same.  "All executables" actually has
> to mean all executables for the semantics of the interface to be
> maintained.  If we want sysadm's behavior to be the above, it is the one
> that needs to change.
>
>   
How about something like the attached

I have just converted selinuxutil.te for now.

[-- Attachment #2: newapp.diff --]
[-- Type: text/x-patch, Size: 6131 bytes --]

--- nsaserefpolicy/policy/modules/system/application.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.5.7/policy/modules/system/application.fc	2007-03-01 11:40:30.000000000 -0500
@@ -0,0 +1 @@
+# No application file contexts.
--- nsaserefpolicy/policy/modules/system/application.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.5.7/policy/modules/system/application.if	2007-03-01 12:02:52.000000000 -0500
@@ -0,0 +1,113 @@
+## <summary>Policy for application domains</summary>
+
+########################################
+## <summary>
+##	Make the specified type usable as an application domain.
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to be used as a domain type.
+##	</summary>
+## </param>
+#
+interface(`application_type',`
+	gen_require(`
+		attribute application_type;
+	')
+
+	typeattribute $1 application_type;
+
+	# start with basic domain
+	domain_type($1)
+')
+
+########################################
+## <summary>
+##	Make the specified type usable for files
+##	that are exectuables, such as binary programs.
+##	This does not include shared libraries.
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to be used for files.
+##	</summary>
+## </param>
+#
+interface(`application_executable_file',`
+	gen_require(`
+		attribute application_exec_type;
+	')
+
+	typeattribute $1 application_exec_type;
+
+	corecmd_executable_file($1)
+')
+
+########################################
+## <summary>
+## Execute application executables in the caller domain.
+## </summary>
+## <param name="type">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`application_exec',`
+	gen_require(`
+		attribute application_exec_type;
+	')
+
+	can_exec($1, application_exec_type)
+')
+
+########################################
+## <summary>
+##	Execute all executable files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`application_exec_all',`
+       # Need this dontaudit or command completion fires hundreds of avcs
+       corecmd_dontaudit_exec_all_executables($1)
+       corecmd_exec_bin($1)
+       corecmd_exec_sbin($1)
+       corecmd_exec_shell($1)
+       corecmd_exec_ls($1)
+       corecmd_exec_chroot($1)
+       application_exec($1)
+')
+
+########################################
+## <summary>
+##	Create a domain which can be started by users
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Type to be used as a domain.
+##	</summary>
+## </param>
+## <param name="entry_point">
+##	<summary>
+##	Type of the program to be used as an entry point to this domain.
+##	</summary>
+## </param>
+#
+interface(`application_domain',`
+
+	application_type($1)
+	application_executable_file($2)
+	domain_entry_file($1,$2)
+	role system_r types $1;
+
+	optional_policy(`
+		ssh_sigchld($1)
+		ssh_rw_stream_sockets($1)
+	')
+
+')
--- nsaserefpolicy/policy/modules/system/application.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.5.7/policy/modules/system/application.te	2007-03-01 11:57:33.000000000 -0500
@@ -0,0 +1,9 @@
+
+policy_module(application,1.0.0)
+
+# Attribute of user applications
+attribute application_type;
+
+# Executables to be run by user
+attribute application_exec_type;
+
--- nsaserefpolicy/policy/modules/system/selinuxutil.te	2007-02-19 11:32:53.000000000 -0500
+++ serefpolicy-2.5.7/policy/modules/system/selinuxutil.te	2007-03-01 12:03:00.000000000 -0500
@@ -26,11 +24,8 @@
 files_type(selinux_config_t)
 
 type checkpolicy_t, can_write_binary_policy;
-domain_type(checkpolicy_t)
-role system_r types checkpolicy_t;
-
 type checkpolicy_exec_t;
-domain_entry_file(checkpolicy_t,checkpolicy_exec_t)
+application_domain(checkpolicy_t, checkpolicy_exec_t)
 
 #
 # default_context_t is the type applied to
@@ -47,20 +42,15 @@
 files_type(file_context_t)
 
 type load_policy_t;
-domain_type(load_policy_t)
-role system_r types load_policy_t;
-
 type load_policy_exec_t;
-domain_entry_file(load_policy_t,load_policy_exec_t)
+application_domain(load_policy_t,load_policy_exec_t)
 
 type newrole_t;
+type newrole_exec_t;
+application_domain(newrole_t,newrole_exec_t)
+domain_interactive_fd(newrole_t)
 domain_role_change_exemption(newrole_t)
 domain_obj_id_change_exemption(newrole_t)
-domain_type(newrole_t)
-domain_interactive_fd(newrole_t)
-
-type newrole_exec_t;
-domain_entry_file(newrole_t,newrole_exec_t)
 
 #
 # policy_config_t is the type of /etc/security/selinux/*
@@ -83,30 +73,34 @@
 type restorecon_exec_t;
 domain_obj_id_change_exemption(restorecon_t)
 init_system_domain(restorecon_t,restorecon_exec_t)
-role system_r types restorecon_t;
+application_type($1)
 
 type restorecond_t;
 type restorecond_exec_t;
 init_daemon_domain(restorecond_t,restorecond_exec_t)
 domain_obj_id_change_exemption(restorecond_t)
-role system_r types restorecond_t;
 
 type restorecond_var_run_t;
 files_pid_file(restorecond_var_run_t)
 
 type run_init_t;
 type run_init_exec_t;
-domain_type(run_init_t)
-domain_entry_file(run_init_t,run_init_exec_t)
+application_domain(run_init_t)
 domain_system_change_exemption(run_init_t)
 
 type semanage_t;
-domain_type(semanage_t)
+type semanage_exec_t;
+application_domain(semanage_t, semanage_exec_t)
 domain_interactive_fd(semanage_t)
 
-type semanage_exec_t;
-domain_entry_file(semanage_t, semanage_exec_t)
-role system_r types semanage_t;
+type semanage_gui_t;
+type semanage_gui_exec_t;
+application_domain(semanage_gui_t, semanage_gui_exec_t)
+domain_interactive_fd(semanage_gui_t)
+
+ifdef(`targeted_policy',`
+init_system_domain(semanage_t, semanage_exec_t)
+')
 
 type semanage_store_t;
 files_type(semanage_store_t)
@@ -121,12 +115,9 @@
 files_type(semanage_trans_lock_t)
 
 type setfiles_t, can_relabelto_binary_policy;
-domain_obj_id_change_exemption(setfiles_t)
-domain_type(setfiles_t)
-role system_r types setfiles_t;
-
 type setfiles_exec_t;
-domain_entry_file(setfiles_t,setfiles_exec_t)
+application_domain(setfiles_t,setfiles_exec_t)
+domain_obj_id_change_exemption(setfiles_t)
 
 ifdef(`distro_redhat',`
 	init_system_domain(setfiles_t,setfiles_exec_t)

Re: Added application_exec_type patch

[Christopher J. PeBenito]

On Thu, 2007-03-01 at 12:12 -0500, Daniel J Walsh wrote:
> Christopher J. PeBenito wrote:
> > On Wed, 2007-02-28 at 15:25 -0500, Daniel J Walsh wrote:
> >   
> >> This patch  an attribute  of application_exec_type to any executable 
> >> that can be executed by a user. 
> >>     
> >
> > The domains also need to be collected (minus the ones that we discussed
> > on IRC, like cvs and rsync) into an attribute.  Then we should be able
> > to apply that towards fixing the ssh command line/sockets problem (where
> > the incoming client has done something like "ssh
> > myserver /usr/bin/passwd").
> >
> >   
> >> I have only patched the executables that currently transition to a 
> >> domain if run under inetd or init, but do not transition if run by a user.
> >>     
> >
> > The stuff in the apps layer will have to be covered too.  They may have
> > policies, but they're still applications.  Their domain transitions will
> > still happen.
> >
> >   
> >> Also changed corecommand_exec_any to only execute executables that a 
> >> user is supposed to run.  So if sysadm_t tries to execute a dameon 
> >> directly it will get a permission denied.
> >>     
> >
> > This interface has to remain the same.  "All executables" actually has
> > to mean all executables for the semantics of the interface to be
> > maintained.  If we want sysadm's behavior to be the above, it is the one
> > that needs to change.
> >
> >   
> How about something like the attached
> 
> I have just converted selinuxutil.te for now.

Comments inline:

> +interface(`application_type',`
> +       gen_require(`
> +               attribute application_type;
> +       ')
> +
> +       typeattribute $1 application_type;
> +
> +       # start with basic domain
> +       domain_type($1)
> +')

I don't think this will work.  Having the attribute and interface with
the same name will cause problems, since m4 will treat the attribute
references as macro calls with no parameters.  This will turn the above
interface into a recursive interface.  I suggest the attribute be named
application_domain_type.

> +interface(`application_exec_all',`
> +       # Need this dontaudit or command completion fires hundreds of avcs
> +       corecmd_dontaudit_exec_all_executables($1)
> +       corecmd_exec_bin($1)
> +       corecmd_exec_sbin($1)
> +       corecmd_exec_shell($1)
> +       corecmd_exec_ls($1)
> +       corecmd_exec_chroot($1)
> +       application_exec($1)
> +')

Not sure how I feel on this yet.

> +interface(`application_domain',`
> +
> +       application_type($1)
> +       application_executable_file($2)
> +       domain_entry_file($1,$2)
> +       role system_r types $1;
> +
> +       optional_policy(`
> +               ssh_sigchld($1)
> +               ssh_rw_stream_sockets($1)
> +       ')
> +
> +')

I don't think the role statement belongs at all.  I think the ssh part
should be moved to the TE file and use the attribute:

optional_policy(`
	ssh_sigchld(application_domain_type)
	ssh_rw_stream_sockets(application_exec_type)
')

> --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-02-19 11:32:53.000000000 -0500
> +++ serefpolicy-2.5.7/policy/modules/system/selinuxutil.te      2007-03-01 12:03:00.000000000 -0500
> @@ -83,30 +73,34 @@
>  type restorecon_exec_t;
>  domain_obj_id_change_exemption(restorecon_t)
>  init_system_domain(restorecon_t,restorecon_exec_t)
> -role system_r types restorecon_t;
> +application_type($1)

Is there a particular reason that this didn't use application_domain()?
 
>  type run_init_t;
>  type run_init_exec_t;
> -domain_type(run_init_t)
> -domain_entry_file(run_init_t,run_init_exec_t)
> +application_domain(run_init_t)

Looks like this is missing a 2nd parameter.
 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Added application_exec_type patch

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 4047 bytes --]

Christopher J. PeBenito wrote:
> On Thu, 2007-03-01 at 12:12 -0500, Daniel J Walsh wrote:
>   
>> Christopher J. PeBenito wrote:
>>     
>>> On Wed, 2007-02-28 at 15:25 -0500, Daniel J Walsh wrote:
>>>   
>>>       
>>>> This patch  an attribute  of application_exec_type to any executable 
>>>> that can be executed by a user. 
>>>>     
>>>>         
>>> The domains also need to be collected (minus the ones that we discussed
>>> on IRC, like cvs and rsync) into an attribute.  Then we should be able
>>> to apply that towards fixing the ssh command line/sockets problem (where
>>> the incoming client has done something like "ssh
>>> myserver /usr/bin/passwd").
>>>
>>>   
>>>       
>>>> I have only patched the executables that currently transition to a 
>>>> domain if run under inetd or init, but do not transition if run by a user.
>>>>     
>>>>         
>>> The stuff in the apps layer will have to be covered too.  They may have
>>> policies, but they're still applications.  Their domain transitions will
>>> still happen.
>>>
>>>   
>>>       
>>>> Also changed corecommand_exec_any to only execute executables that a 
>>>> user is supposed to run.  So if sysadm_t tries to execute a dameon 
>>>> directly it will get a permission denied.
>>>>     
>>>>         
>>> This interface has to remain the same.  "All executables" actually has
>>> to mean all executables for the semantics of the interface to be
>>> maintained.  If we want sysadm's behavior to be the above, it is the one
>>> that needs to change.
>>>
>>>   
>>>       
>> How about something like the attached
>>
>> I have just converted selinuxutil.te for now.
>>     
>
> Comments inline:
>
>   
>> +interface(`application_type',`
>> +       gen_require(`
>> +               attribute application_type;
>> +       ')
>> +
>> +       typeattribute $1 application_type;
>> +
>> +       # start with basic domain
>> +       domain_type($1)
>> +')
>>     
>
> I don't think this will work.  Having the attribute and interface with
> the same name will cause problems, since m4 will treat the attribute
> references as macro calls with no parameters.  This will turn the above
> interface into a recursive interface.  I suggest the attribute be named
> application_domain_type.
>
>   
>> +interface(`application_exec_all',`
>> +       # Need this dontaudit or command completion fires hundreds of avcs
>> +       corecmd_dontaudit_exec_all_executables($1)
>> +       corecmd_exec_bin($1)
>> +       corecmd_exec_sbin($1)
>> +       corecmd_exec_shell($1)
>> +       corecmd_exec_ls($1)
>> +       corecmd_exec_chroot($1)
>> +       application_exec($1)
>> +')
>>     
>
> Not sure how I feel on this yet.
>
>   
>> +interface(`application_domain',`
>> +
>> +       application_type($1)
>> +       application_executable_file($2)
>> +       domain_entry_file($1,$2)
>> +       role system_r types $1;
>> +
>> +       optional_policy(`
>> +               ssh_sigchld($1)
>> +               ssh_rw_stream_sockets($1)
>> +       ')
>> +
>> +')
>>     
>
> I don't think the role statement belongs at all.  I think the ssh part
> should be moved to the TE file and use the attribute:
>
> optional_policy(`
> 	ssh_sigchld(application_domain_type)
> 	ssh_rw_stream_sockets(application_exec_type)
> ')
>
>   
>> --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-02-19 11:32:53.000000000 -0500
>> +++ serefpolicy-2.5.7/policy/modules/system/selinuxutil.te      2007-03-01 12:03:00.000000000 -0500
>> @@ -83,30 +73,34 @@
>>  type restorecon_exec_t;
>>  domain_obj_id_change_exemption(restorecon_t)
>>  init_system_domain(restorecon_t,restorecon_exec_t)
>> -role system_r types restorecon_t;
>> +application_type($1)
>>     
>
> Is there a particular reason that this didn't use application_domain()?
>  
>   
>>  type run_init_t;
>>  type run_init_exec_t;
>> -domain_type(run_init_t)
>> -domain_entry_file(run_init_t,run_init_exec_t)
>> +application_domain(run_init_t)
>>     
>
> Looks like this is missing a 2nd parameter.
>  
>   

New diff with your suggested change.

[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 6446 bytes --]

--- nsaserefpolicy/policy/modules/system/application.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.5.7/policy/modules/system/application.fc	2007-03-01 18:10:08.000000000 -0500
@@ -0,0 +1 @@
+# No application file contexts.
--- nsaserefpolicy/policy/modules/system/application.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.5.7/policy/modules/system/application.if	2007-03-02 11:44:19.000000000 -0500
@@ -0,0 +1,106 @@
+## <summary>Policy for application domains</summary>
+
+########################################
+## <summary>
+##	Make the specified type usable as an application domain.
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to be used as a domain type.
+##	</summary>
+## </param>
+#
+interface(`application_type',`
+	gen_require(`
+		attribute application_domain_type;
+	')
+
+	typeattribute $1 application_domain_type;
+
+	# start with basic domain
+	domain_type($1)
+')
+
+########################################
+## <summary>
+##	Make the specified type usable for files
+##	that are exectuables, such as binary programs.
+##	This does not include shared libraries.
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to be used for files.
+##	</summary>
+## </param>
+#
+interface(`application_executable_file',`
+	gen_require(`
+		attribute application_exec_type;
+	')
+
+	typeattribute $1 application_exec_type;
+
+	corecmd_executable_file($1)
+')
+
+########################################
+## <summary>
+## Execute application executables in the caller domain.
+## </summary>
+## <param name="type">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`application_exec',`
+	gen_require(`
+		attribute application_exec_type;
+	')
+
+	can_exec($1, application_exec_type)
+')
+
+########################################
+## <summary>
+##	Execute all executable files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`application_exec_all',`
+       # Need this dontaudit or command completion fires hundreds of avcs
+       corecmd_dontaudit_exec_all_executables($1)
+       corecmd_exec_bin($1)
+       corecmd_exec_sbin($1)
+       corecmd_exec_shell($1)
+       corecmd_exec_ls($1)
+       corecmd_exec_chroot($1)
+       application_exec($1)
+')
+
+########################################
+## <summary>
+##	Create a domain which can be started by users
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Type to be used as a domain.
+##	</summary>
+## </param>
+## <param name="entry_point">
+##	<summary>
+##	Type of the program to be used as an entry point to this domain.
+##	</summary>
+## </param>
+#
+interface(`application_domain',`
+
+	application_type($1)
+	application_executable_file($2)
+	domain_entry_file($1,$2)
+')
--- nsaserefpolicy/policy/modules/system/application.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.5.7/policy/modules/system/application.te	2007-03-02 11:39:09.000000000 -0500
@@ -0,0 +1,14 @@
+
+policy_module(application,1.0.0)
+
+# Attribute of user applications
+attribute application_domain_type;
+
+# Executables to be run by user
+attribute application_exec_type;
+
+optional_policy(`
+	ssh_sigchld(application_doman_type)
+	ssh_rw_stream_sockets(application_domain_type)
+')
+
--- nsaserefpolicy/policy/modules/system/selinuxutil.te	2007-02-19 11:32:53.000000000 -0500
+++ serefpolicy-2.5.7/policy/modules/system/selinuxutil.te	2007-03-02 11:45:02.000000000 -0500
@@ -26,11 +24,9 @@
 files_type(selinux_config_t)
 
 type checkpolicy_t, can_write_binary_policy;
-domain_type(checkpolicy_t)
-role system_r types checkpolicy_t;
-
 type checkpolicy_exec_t;
-domain_entry_file(checkpolicy_t,checkpolicy_exec_t)
+application_domain(checkpolicy_t, checkpolicy_exec_t)
+role system_r types checkpolicy_t;
 
 #
 # default_context_t is the type applied to
@@ -47,21 +43,18 @@
 files_type(file_context_t)
 
 type load_policy_t;
-domain_type(load_policy_t)
-role system_r types load_policy_t;
-
 type load_policy_exec_t;
-domain_entry_file(load_policy_t,load_policy_exec_t)
+application_domain(load_policy_t,load_policy_exec_t)
+role system_r types load_policy_t;
 
 type newrole_t;
+type newrole_exec_t;
+application_domain(newrole_t,newrole_exec_t)
+role system_r types newrole_t;
 domain_role_change_exemption(newrole_t)
 domain_obj_id_change_exemption(newrole_t)
-domain_type(newrole_t)
 domain_interactive_fd(newrole_t)
 
-type newrole_exec_t;
-domain_entry_file(newrole_t,newrole_exec_t)
-
 #
 # policy_config_t is the type of /etc/security/selinux/*
 # the security server policy configuration.
@@ -83,31 +76,39 @@
 type restorecon_exec_t;
 domain_obj_id_change_exemption(restorecon_t)
 init_system_domain(restorecon_t,restorecon_exec_t)
+application_domain(restorecon_t,restorecon_exec_t)
 role system_r types restorecon_t;
 
 type restorecond_t;
 type restorecond_exec_t;
 init_daemon_domain(restorecond_t,restorecond_exec_t)
 domain_obj_id_change_exemption(restorecond_t)
-role system_r types restorecond_t;
 
 type restorecond_var_run_t;
 files_pid_file(restorecond_var_run_t)
 
 type run_init_t;
 type run_init_exec_t;
-domain_type(run_init_t)
-domain_entry_file(run_init_t,run_init_exec_t)
+application_domain(run_init_t, run_init_exec_t)
 domain_system_change_exemption(run_init_t)
+role system_r types run_init_t;
 
 type semanage_t;
-domain_type(semanage_t)
-domain_interactive_fd(semanage_t)
-
 type semanage_exec_t;
-domain_entry_file(semanage_t, semanage_exec_t)
+application_domain(semanage_t, semanage_exec_t)
+domain_interactive_fd(semanage_t)
 role system_r types semanage_t;
 
+type semanage_gui_t;
+type semanage_gui_exec_t;
+application_domain(semanage_gui_t, semanage_gui_exec_t)
+domain_interactive_fd(semanage_gui_t)
+role system_r types semanage_gui_t;
+
+ifdef(`targeted_policy',`
+init_system_domain(semanage_t, semanage_exec_t)
+')
+
 type semanage_store_t;
 files_type(semanage_store_t)
 
@@ -121,12 +122,10 @@
 files_type(semanage_trans_lock_t)
 
 type setfiles_t, can_relabelto_binary_policy;
-domain_obj_id_change_exemption(setfiles_t)
-domain_type(setfiles_t)
-role system_r types setfiles_t;
-
 type setfiles_exec_t;
-domain_entry_file(setfiles_t,setfiles_exec_t)
+application_domain(setfiles_t,setfiles_exec_t)
+role system_r types setfiles_t;
+domain_obj_id_change_exemption(setfiles_t)
 
 ifdef(`distro_redhat',`
 	init_system_domain(setfiles_t,setfiles_exec_t)
 

Re: Added application_exec_type patch

[Christopher J. PeBenito]

I think this is fine, it can move forward as is.

On Fri, 2007-03-02 at 11:48 -0500, Daniel J Walsh wrote:
> --- nsaserefpolicy/policy/modules/system/application.fc 1969-12-31 19:00:00.000000000 -0500
> +++ serefpolicy-2.5.7/policy/modules/system/application.fc      2007-03-01 18:10:08.000000000 -0500
> @@ -0,0 +1 @@
> +# No application file contexts.
> --- nsaserefpolicy/policy/modules/system/application.if 1969-12-31 19:00:00.000000000 -0500
> +++ serefpolicy-2.5.7/policy/modules/system/application.if      2007-03-02 11:44:19.000000000 -0500
> @@ -0,0 +1,106 @@
> +## <summary>Policy for application domains</summary>
> +
> +########################################
> +## <summary>
> +##     Make the specified type usable as an application domain.
> +## </summary>
> +## <param name="type">
> +##     <summary>
> +##     Type to be used as a domain type.
> +##     </summary>
> +## </param>
> +#
> +interface(`application_type',`
> +       gen_require(`
> +               attribute application_domain_type;
> +       ')
> +
> +       typeattribute $1 application_domain_type;
> +
> +       # start with basic domain
> +       domain_type($1)
> +')
> +
> +########################################
> +## <summary>
> +##     Make the specified type usable for files
> +##     that are exectuables, such as binary programs.
> +##     This does not include shared libraries.
> +## </summary>
> +## <param name="type">
> +##     <summary>
> +##     Type to be used for files.
> +##     </summary>
> +## </param>
> +#
> +interface(`application_executable_file',`
> +       gen_require(`
> +               attribute application_exec_type;
> +       ')
> +
> +       typeattribute $1 application_exec_type;
> +
> +       corecmd_executable_file($1)
> +')
> +
> +########################################
> +## <summary>
> +## Execute application executables in the caller domain.
> +## </summary>
> +## <param name="type">
> +##     <summary>
> +##     Domain allowed access.
> +##     </summary>
> +## </param>
> +#
> +interface(`application_exec',`
> +       gen_require(`
> +               attribute application_exec_type;
> +       ')
> +
> +       can_exec($1, application_exec_type)
> +')
> +
> +########################################
> +## <summary>
> +##     Execute all executable files.
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain allowed access.
> +##     </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`application_exec_all',`
> +       # Need this dontaudit or command completion fires hundreds of avcs
> +       corecmd_dontaudit_exec_all_executables($1)
> +       corecmd_exec_bin($1)
> +       corecmd_exec_sbin($1)
> +       corecmd_exec_shell($1)
> +       corecmd_exec_ls($1)
> +       corecmd_exec_chroot($1)
> +       application_exec($1)
> +')
> +
> +########################################
> +## <summary>
> +##     Create a domain which can be started by users
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Type to be used as a domain.
> +##     </summary>
> +## </param>
> +## <param name="entry_point">
> +##     <summary>
> +##     Type of the program to be used as an entry point to this domain.
> +##     </summary>
> +## </param>
> +#
> +interface(`application_domain',`
> +
> +       application_type($1)
> +       application_executable_file($2)
> +       domain_entry_file($1,$2)
> +')
> --- nsaserefpolicy/policy/modules/system/application.te 1969-12-31 19:00:00.000000000 -0500
> +++ serefpolicy-2.5.7/policy/modules/system/application.te      2007-03-02 11:39:09.000000000 -0500
> @@ -0,0 +1,14 @@
> +
> +policy_module(application,1.0.0)
> +
> +# Attribute of user applications
> +attribute application_domain_type;
> +
> +# Executables to be run by user
> +attribute application_exec_type;
> +
> +optional_policy(`
> +       ssh_sigchld(application_doman_type)
> +       ssh_rw_stream_sockets(application_domain_type)
> +')
> +
> --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-02-19 11:32:53.000000000 -0500
> +++ serefpolicy-2.5.7/policy/modules/system/selinuxutil.te      2007-03-02 11:45:02.000000000 -0500
> @@ -26,11 +24,9 @@
>  files_type(selinux_config_t)
>  
>  type checkpolicy_t, can_write_binary_policy;
> -domain_type(checkpolicy_t)
> -role system_r types checkpolicy_t;
> -
>  type checkpolicy_exec_t;
> -domain_entry_file(checkpolicy_t,checkpolicy_exec_t)
> +application_domain(checkpolicy_t, checkpolicy_exec_t)
> +role system_r types checkpolicy_t;
>  
>  #
>  # default_context_t is the type applied to
> @@ -47,21 +43,18 @@
>  files_type(file_context_t)
>  
>  type load_policy_t;
> -domain_type(load_policy_t)
> -role system_r types load_policy_t;
> -
>  type load_policy_exec_t;
> -domain_entry_file(load_policy_t,load_policy_exec_t)
> +application_domain(load_policy_t,load_policy_exec_t)
> +role system_r types load_policy_t;
>  
>  type newrole_t;
> +type newrole_exec_t;
> +application_domain(newrole_t,newrole_exec_t)
> +role system_r types newrole_t;
>  domain_role_change_exemption(newrole_t)
>  domain_obj_id_change_exemption(newrole_t)
> -domain_type(newrole_t)
>  domain_interactive_fd(newrole_t)
>  
> -type newrole_exec_t;
> -domain_entry_file(newrole_t,newrole_exec_t)
> -
>  #
>  # policy_config_t is the type of /etc/security/selinux/*
>  # the security server policy configuration.
> @@ -83,31 +76,39 @@
>  type restorecon_exec_t;
>  domain_obj_id_change_exemption(restorecon_t)
>  init_system_domain(restorecon_t,restorecon_exec_t)
> +application_domain(restorecon_t,restorecon_exec_t)
>  role system_r types restorecon_t;
>  
>  type restorecond_t;
>  type restorecond_exec_t;
>  init_daemon_domain(restorecond_t,restorecond_exec_t)
>  domain_obj_id_change_exemption(restorecond_t)
> -role system_r types restorecond_t;
>  
>  type restorecond_var_run_t;
>  files_pid_file(restorecond_var_run_t)
>  
>  type run_init_t;
>  type run_init_exec_t;
> -domain_type(run_init_t)
> -domain_entry_file(run_init_t,run_init_exec_t)
> +application_domain(run_init_t, run_init_exec_t)
>  domain_system_change_exemption(run_init_t)
> +role system_r types run_init_t;
>  
>  type semanage_t;
> -domain_type(semanage_t)
> -domain_interactive_fd(semanage_t)
> -
>  type semanage_exec_t;
> -domain_entry_file(semanage_t, semanage_exec_t)
> +application_domain(semanage_t, semanage_exec_t)
> +domain_interactive_fd(semanage_t)
>  role system_r types semanage_t;
>  
> +type semanage_gui_t;
> +type semanage_gui_exec_t;
> +application_domain(semanage_gui_t, semanage_gui_exec_t)
> +domain_interactive_fd(semanage_gui_t)
> +role system_r types semanage_gui_t;
> +
> +ifdef(`targeted_policy',`
> +init_system_domain(semanage_t, semanage_exec_t)
> +')
> +
>  type semanage_store_t;
>  files_type(semanage_store_t)
>  
> @@ -121,12 +122,10 @@
>  files_type(semanage_trans_lock_t)
>  
>  type setfiles_t, can_relabelto_binary_policy;
> -domain_obj_id_change_exemption(setfiles_t)
> -domain_type(setfiles_t)
> -role system_r types setfiles_t;
> -
>  type setfiles_exec_t;
> -domain_entry_file(setfiles_t,setfiles_exec_t)
> +application_domain(setfiles_t,setfiles_exec_t)
> +role system_r types setfiles_t;
> +domain_obj_id_change_exemption(setfiles_t)
>  
>  ifdef(`distro_redhat',`
>         init_system_domain(setfiles_t,setfiles_exec_t)
>  
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.