Christopher J. PeBenito wrote:
> On Thu, 2007-03-01 at 12:12 -0500, Daniel J Walsh wrote:
>> Christopher J. PeBenito wrote:
>>> On Wed, 2007-02-28 at 15:25 -0500, Daniel J Walsh wrote:
>>>> This patch adds an attribute of application_exec_type to any executable
>>>> that can be executed by a user.
>>>
>>> The domains also need to be collected (minus the ones that we discussed
>>> on IRC, like cvs and rsync) into an attribute. Then we should be able
>>> to apply that towards fixing the ssh command line/sockets problem (where
>>> the incoming client has done something like "ssh myserver /usr/bin/passwd").
>>>
>>>> I have only patched the executables that currently transition to a
>>>> domain if run under inetd or init, but do not transition if run by a user.
>>>
>>> The stuff in the apps layer will have to be covered too. They may have
>>> policies, but they're still applications. Their domain transitions will
>>> still happen.
>>>
>>>> Also changed corecommand_exec_any to only execute executables that a
>>>> user is supposed to run. So if sysadm_t tries to execute a daemon
>>>> directly it will get a permission denied.
>>>
>>> This interface has to remain the same. "All executables" actually has
>>> to mean all executables for the semantics of the interface to be
>>> maintained. If we want sysadm's behavior to be the above, it is the one
>>> that needs to change.
>>
>> How about something like the attached.
>>
>> I have just converted selinuxutil.te for now.
>
> Comments inline:
>
>> +interface(`application_type',`
>> +	gen_require(`
>> +		attribute application_type;
>> +	')
>> +
>> +	typeattribute $1 application_type;
>> +
>> +	# start with basic domain
>> +	domain_type($1)
>> +')
>
> I don't think this will work. Having the attribute and interface with
> the same name will cause problems, since m4 will treat the attribute
> references as macro calls with no parameters. This will turn the above
> interface into a recursive interface. I suggest the attribute be named
> application_domain_type.
>
>> +interface(`application_exec_all',`
>> +	# Need this dontaudit or command completion fires hundreds of avcs
>> +	corecmd_dontaudit_exec_all_executables($1)
>> +	corecmd_exec_bin($1)
>> +	corecmd_exec_sbin($1)
>> +	corecmd_exec_shell($1)
>> +	corecmd_exec_ls($1)
>> +	corecmd_exec_chroot($1)
>> +	application_exec($1)
>> +')
>
> Not sure how I feel on this yet.
>
>> +interface(`application_domain',`
>> +
>> +	application_type($1)
>> +	application_executable_file($2)
>> +	domain_entry_file($1,$2)
>> +	role system_r types $1;
>> +
>> +	optional_policy(`
>> +		ssh_sigchld($1)
>> +		ssh_rw_stream_sockets($1)
>> +	')
>> +
>> +')
>
> I don't think the role statement belongs at all. I think the ssh part
> should be moved to the TE file and use the attribute:
>
> optional_policy(`
> 	ssh_sigchld(application_domain_type)
> 	ssh_rw_stream_sockets(application_exec_type)
> ')
>
>> --- nsaserefpolicy/policy/modules/system/selinuxutil.te	2007-02-19 11:32:53.000000000 -0500
>> +++ serefpolicy-2.5.7/policy/modules/system/selinuxutil.te	2007-03-01 12:03:00.000000000 -0500
>> @@ -83,30 +73,34 @@
>>  type restorecon_exec_t;
>>  domain_obj_id_change_exemption(restorecon_t)
>>  init_system_domain(restorecon_t,restorecon_exec_t)
>> -role system_r types restorecon_t;
>> +application_type($1)
>
> Is there a particular reason that this didn't use application_domain()?
>
>>  type run_init_t;
>>  type run_init_exec_t;
>> -domain_type(run_init_t)
>> -domain_entry_file(run_init_t,run_init_exec_t)
>> +application_domain(run_init_t)
>
> Looks like this is missing a 2nd parameter.

New diff with your suggested change.
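Review bot: in the `application_exec_all` hunk, `corecmd_dontaudit_exec_all_executables($1)` silences every execute denial for the caller, not only the command-completion noise the comment names, so a domain given this interface will never log an attempted execute of a binary it should not run; keep the dontaudit out of the general exec interface (or make it a separate interface the caller opts into) so denials stay visible in the audit log.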
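Review bot: in the restorecon hunk of selinuxutil.te, `+application_type($1)` uses the macro parameter `$1` in a .te file, where there is no enclosing interface to supply it, so the line does not name restorecon_t at all; it should read `application_type(restorecon_t)` (or, as asked above, `application_domain(restorecon_t,restorecon_exec_t)`, since restorecon_exec_t is declared two lines up).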
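Review bot: in the run_init hunk, `+application_domain(run_init_t)` drops the second argument, so inside the interface `application_executable_file($2)` and `domain_entry_file($1,$2)` receive an empty type; the removed line `domain_entry_file(run_init_t,run_init_exec_t)` shows the call should be `application_domain(run_init_t,run_init_exec_t)`.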
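The m4 name-collision point made above can be shown with a small model of m4's behaviour, added here as an illustration that is not part of the thread or of refpolicy: m4 rescans every macro expansion, so an identifier inside an expanded body that happens to be a macro name is expanded again, with no arguments if no parentheses follow it. The expander below is a deliberately minimal stand-in for m4 (no quoting, no nested parentheses), `domain_type` is reduced to a single `typeattribute` line for the demonstration, and the macro bodies are the ones from the quoted `application_type` interface, once with the attribute named `application_type` and once renamed `application_domain_type` as suggested.

```python
import re

IDENT = re.compile(r"[A-Za-z_]\w*")


class NestingLimit(Exception):
    """Raised when an expansion never reaches a fixed point (m4 would loop or hit -L)."""


def expand(text, macros, limit=20, _depth=0):
    """Expand `text` with m4-like rescanning of each macro result.

    `macros` maps a macro name to a body using $1, $2, ... for arguments.
    A bare macro name (no parentheses) is a call with no arguments, so every
    $n in its body becomes empty, exactly the behaviour m4 shows for an
    attribute reference that shares its name with an interface.
    """
    if _depth > limit:
        raise NestingLimit(f"nesting limit {limit} exceeded")
    out = []
    i = 0
    while i < len(text):
        m = IDENT.match(text, i)
        if not m:
            out.append(text[i])
            i += 1
            continue
        name = m.group(0)
        i = m.end()
        if name not in macros:
            out.append(name)
            continue
        args = []
        if i < len(text) and text[i] == "(":
            j = text.index(")", i)
            inner = text[i + 1:j]
            args = [a.strip() for a in inner.split(",")] if inner.strip() else []
            i = j + 1
        body = macros[name]
        for n in range(1, 10):
            body = body.replace(f"${n}", args[n - 1] if n <= len(args) else "")
        # m4 pushes the expansion back onto the input and rescans it.
        out.append(expand(body, macros, limit, _depth + 1))
    return "".join(out)


def expands_cleanly(text, macros):
    """True if expansion terminates, False if it recurses without bound."""
    try:
        expand(text, macros)
        return True
    except NestingLimit:
        return False


# Simplified domain_type(): the real refpolicy interface does more than this.
DOMAIN_TYPE = "typeattribute $1 domain;"

# Attribute named the same as the interface, as in the quoted patch.
BAD = {
    "application_type": "typeattribute $1 application_type;\ndomain_type($1)",
    "domain_type": DOMAIN_TYPE,
}

# Attribute renamed application_domain_type, as suggested in the reply.
GOOD = {
    "application_type": "typeattribute $1 application_domain_type;\ndomain_type($1)",
    "domain_type": DOMAIN_TYPE,
}

if __name__ == "__main__":
    call = "application_type(restorecon_t)"
    print(expand(call, GOOD))
    print("BAD terminates:", expands_cleanly(call, BAD))
```

With the attribute renamed, `application_type(restorecon_t)` expands to two `typeattribute` statements and stops; with the colliding name, the rescan turns `application_type` in the body into a parameterless call of the same macro, which emits another `application_type` and never reaches a fixed point.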