* [PATCH 0/1][meta-selinux][V2] refpolicy: make proftpd be able to work
From: rongqing.li @ 2014-02-14 6:10 UTC
To: yocto

From: Roy Li <rongqing.li@windriver.com>

The following changes since commit a6079a43719e79e12a57e609923a0cccdba06916:

  refpolicy: fix real path for su.shadow (2014-02-13 10:52:07 -0500)

are available in the git repository at:

  git://git.pokylinux.org/poky-contrib roy/proftpd-1
  http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=roy/proftpd-1

Roy Li (1):
  refpolicy: make proftpd be able to work

 .../ftp-add-ftpd_t-to-mlsfilewrite.patch | 39 ++++++++++++++++++++
 .../refpolicy/refpolicy_2.20130424.inc   |  1 +
 2 files changed, 40 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/ftp-add-ftpd_t-to-mlsfilewrite.patch

-- 
1.7.10.4
* [PATCH 1/1] refpolicy: make proftpd be able to work
From: rongqing.li @ 2014-02-14 6:10 UTC
To: yocto

From: Roy Li <rongqing.li@windriver.com>

Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
 .../ftp-add-ftpd_t-to-mlsfilewrite.patch | 39 ++++++++++++++++++++
 .../refpolicy/refpolicy_2.20130424.inc   |  1 +
 2 files changed, 40 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/ftp-add-ftpd_t-to-mlsfilewrite.patch

diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/ftp-add-ftpd_t-to-mlsfilewrite.patch b/recipes-security/refpolicy/refpolicy-2.20130424/ftp-add-ftpd_t-to-mlsfilewrite.patch new file mode 100644 index 0000000..49da4b6 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20130424/ftp-add-ftpd_t-to-mlsfilewrite.patch
@@ -0,0 +1,39 @@ +From e4e95b723d31c7b678a05cd81a96b10185978b4e Mon Sep 17 00:00:00 2001 +From: Roy Li <rongqing.li@windriver.com> +Date: Mon, 10 Feb 2014 18:10:12 +0800 +Subject: [PATCH] ftp: add ftpd_t to mls_file_write_all_levels + +Proftpd will create file under /var/run, but its mls is in high, and +can not write to lowlevel + +Upstream-Status: Pending + +type=AVC msg=audit(1392347709.621:15): avc: denied { write } for pid=545 comm="proftpd" name="/" dev="tmpfs" ino=5853 scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir +type=AVC msg=audit(1392347709.621:15): avc: denied { add_name } for pid=545 comm="proftpd" name="proftpd.delay" scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir +type=SYSCALL msg=audit(1392347709.621:15): arch=c000003e syscall=2 success=yes exit=3 a0=471910 a1=42 a2=1b6 a3=8 items=0 ppid=539 pid=545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s15:c0.c1023 key=(null) + +root@localhost:~# sesearch --allow -s ftpd_t -t var_run_t|grep dir|grep add_name + allow ftpd_t var_run_t : dir { ioctl read write getattr lock add_name remove_name search open } ; +root@localhost:~# + +Signed-off-by: Roy Li <rongqing.li@windriver.com> +--- + policy/modules/contrib/ftp.te | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te +index 544c512..12a31dd 100644 +--- a/policy/modules/contrib/ftp.te ++++ b/policy/modules/contrib/ftp.te +@@ -144,6 +144,8 @@ role ftpdctl_roles types ftpdctl_t; + type ftpdctl_tmp_t; + files_tmp_file(ftpdctl_tmp_t) + ++mls_file_write_all_levels(ftpd_t) ++ + type sftpd_t; + domain_type(sftpd_t) + role system_r types sftpd_t; +-- +1.7.10.4 + 
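Review bot: `mls_file_write_all_levels(ftpd_t)` is inserted into the declarations block, between `files_tmp_file(ftpdctl_tmp_t)` and `type sftpd_t;`; refpolicy keeps interface calls out of that section, so it should move down to the ftpd local policy rules next to the other calls made for ftpd_t. It is also the widest MLS override there is: it lets ftpd_t write to files and directories at every level. The AVC shows a single-level subject (s15:c0.c1023) writing into a directory labelled with the range s0-s15:c0.c1023, which is the situation `mls_file_write_within_range()` (writes to ranged objects whose range contains the subject's level) is meant for; worth testing whether that narrower interface clears the denial before granting write-all-levels. Finally, the commit message should say outright what the quoted sesearch output implies: the TE rule `allow ftpd_t var_run_t : dir { ... add_name ... }` is already present, so the denial is an MLS constraint failure, which is exactly why the fix is an mls_* interface call rather than another allow rule.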
diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.inc b/recipes-security/refpolicy/refpolicy_2.20130424.inc index 9e5e426..24c0608 100644 --- a/recipes-security/refpolicy/refpolicy_2.20130424.inc +++ b/recipes-security/refpolicy/refpolicy_2.20130424.inc @@ -54,6 +54,7 @@ SRC_URI += "file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \ file://poky-policy-fix-dmesg-to-use-dev-kmsg.patch \ file://hostname-do-not-audit-attempts-by-hostname-to-read-a.patch \ file://sysnetwork-dhcpc-binds-socket-to-random-high-udp-por.patch \ + file://ftp-add-ftpd_t-to-mlsfilewrite.patch \ " # Backport from upstream -- 1.7.10.4
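The point the commit message above makes only implicitly is why `sesearch` reports a TE allow rule for `ftpd_t` on `var_run_t:dir { write add_name }` while the AVC still fires: the denial comes from the MLS constraints, not from type enforcement. The following is an added illustration written for this review, not code from the patch, from meta-selinux or from refpolicy. It parses the two AVC records quoted in the commit message (copied here as constructed sample input), compares the subject and target MLS levels by dominance, and evaluates a simplified model of refpolicy's directory-write MLS constraint. The branch structure in `mls_dir_write_allowed()` (same level, the `mlsfilewriteinrange` range check, the blanket `mlsfilewrite` attribute that `mls_file_write_all_levels()` assigns) is my reading of policy/mls and is an assumption; the real constraint has further branches. The function names and the `classify()` result strings are likewise mine. It shows that the subject's single level s15:c0.c1023 is not equal to the target's low level s0, so the write is a write-down that only an MLS override can permit, and that the ranged target s0-s15:c0.c1023 would also satisfy the in-range branch.

```python
"""Tell an MLS write-down denial apart from a plain TE denial in an AVC record.

Added illustration for the thread above, not code from the patch or from
refpolicy. The constraint modelled in mls_dir_write_allowed() is a simplified
reading of refpolicy's policy/mls rules for dir { write add_name } and is an
assumption; the real file has further branches (e.g. mlstrustedobject).
"""
import re

# Constructed sample input: the two AVC records quoted in the commit message.
AVC_LINES = [
    'type=AVC msg=audit(1392347709.621:15): avc: denied { write } for pid=545 '
    'comm="proftpd" name="/" dev="tmpfs" ino=5853 '
    'scontext=system_u:system_r:ftpd_t:s15:c0.c1023 '
    'tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir',
    'type=AVC msg=audit(1392347709.621:15): avc: denied { add_name } for pid=545 '
    'comm="proftpd" name="proftpd.delay" '
    'scontext=system_u:system_r:ftpd_t:s15:c0.c1023 '
    'tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# dir permissions that fall under the MLS "write" constraints for directories
DIR_WRITE_PERMS = {'write', 'add_name', 'remove_name', 'link', 'create',
                   'rename', 'rmdir', 'reparent', 'setattr', 'relabelfrom'}


def parse_level(level):
    """'s15:c0.c1023' -> (15, {0..1023}); 's0' -> (0, empty set)."""
    sens, _, cats = level.partition(':')
    categories = set()
    if cats:
        for part in cats.split(','):
            if '.' in part:                      # a category range such as c0.c1023
                lo, hi = part.split('.')
                categories.update(range(int(lo[1:]), int(hi[1:]) + 1))
            else:
                categories.add(int(part[1:]))
    return int(sens[1:]), frozenset(categories)


def parse_context(ctx):
    """user:role:type:low[-high]; a single-level context has low == high."""
    user, role, typ, mls = ctx.split(':', 3)
    low, _, high = mls.partition('-')
    low = parse_level(low)
    return {'user': user, 'role': role, 'type': typ,
            'low': low, 'high': parse_level(high) if high else low}


def dominates(a, b):
    """a dom b: sensitivity of a >= b and categories of a are a superset of b's."""
    return a[0] >= b[0] and a[1] >= b[1]


def mls_dir_write_allowed(subj, obj, attrs=frozenset()):
    """Simplified refpolicy dir-write constraint (assumption, see module docstring).

    attrs holds the MLS attributes the subject type carries: 'mlsfilewriteinrange'
    (mls_file_write_within_range) or 'mlsfilewrite' (mls_file_write_all_levels).
    """
    l1, l2, h2 = subj['low'], obj['low'], obj['high']
    if l1 == l2:                                   # same level: always permitted
        return True
    # write into a ranged object whose range contains the subject's level
    if 'mlsfilewriteinrange' in attrs and dominates(l1, l2) and dominates(h2, l1):
        return True
    return 'mlsfilewrite' in attrs                 # blanket write at all levels


def classify(avc_line, te_allowed=True, attrs=frozenset()):
    """'te' if no allow rule exists, 'mls' if the TE rule exists (as sesearch
    showed here) but the MLS constraint rejects the write, 'unexplained' if
    neither accounts for the AVC."""
    m = AVC_RE.search(avc_line)
    if not m:
        raise ValueError('not an AVC denial record: %r' % avc_line)
    if not te_allowed:
        return 'te'
    subj, obj = parse_context(m['scontext']), parse_context(m['tcontext'])
    perms = set(m['perms'].split())
    if m['tclass'] == 'dir' and perms & DIR_WRITE_PERMS:
        if not mls_dir_write_allowed(subj, obj, attrs):
            return 'mls'
    return 'unexplained'


if __name__ == '__main__':
    for line in AVC_LINES:
        print(classify(line), 'without an MLS override;',
              classify(line, attrs={'mlsfilewrite'}), 'with mlsfilewrite')
```

Run it as `python3 avc_mls.py`: both records come back `mls` without an override and `unexplained` (i.e. no longer denied by this model) once ftpd_t carries either attribute, which is the situation the patch creates with `mls_file_write_all_levels(ftpd_t)`.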
* Re: [PATCH 0/1][meta-selinux][V2] refpolicy: make proftpd be able to work
From: Joe MacDonald @ 2014-04-03 19:05 UTC
To: rongqing.li; +Cc: yocto

Merged, thanks.

-J.

[[yocto] [PATCH 0/1][meta-selinux][V2] refpolicy: make proftpd be able to work] On 14.02.14 (Fri 14:10) rongqing.li@windriver.com wrote:
> From: Roy Li <rongqing.li@windriver.com>
>
> The following changes since commit a6079a43719e79e12a57e609923a0cccdba06916:
>
>   refpolicy: fix real path for su.shadow (2014-02-13 10:52:07 -0500)
>
> are available in the git repository at:
>
>   git://git.pokylinux.org/poky-contrib roy/proftpd-1
>   http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=roy/proftpd-1
>
> Roy Li (1):
>   refpolicy: make proftpd be able to work
>
>  .../ftp-add-ftpd_t-to-mlsfilewrite.patch | 39 ++++++++++++++++++++
>  .../refpolicy/refpolicy_2.20130424.inc   |  1 +
>  2 files changed, 40 insertions(+)
>  create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/ftp-add-ftpd_t-to-mlsfilewrite.patch
> --
-Joe MacDonald.
:wq
* [PATCH 0/1] refpolicy: make proftpd be able to work
From: rongqing.li @ 2014-02-11 5:31 UTC
To: yocto

From: Roy Li <rongqing.li@windriver.com>

The following changes since commit 8089f0d19f757ecf65f957d6a196e66c90bd7911:

  refpolicy: allow portmap to create portmap_t type socket (2014-02-10 15:54:14 +0800)

are available in the git repository at:

  git://git.pokylinux.org/poky-contrib roy/refpolicy-proftpd
  http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=roy/refpolicy-proftpd

Roy Li (1):
  refpolicy: make proftpd be able to work

 ...y-policy-ftp-make-proftpd-be-able-to-work.patch | 85 ++++++++++++++++++++
 .../refpolicy/refpolicy_2.20130424.inc             |  1 +
 2 files changed, 86 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch

-- 
1.7.10.4
* [PATCH 1/1] refpolicy: make proftpd be able to work
From: rongqing.li @ 2014-02-11 5:31 UTC
To: yocto

From: Roy Li <rongqing.li@windriver.com>

Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
 ...y-policy-ftp-make-proftpd-be-able-to-work.patch | 85 ++++++++++++++++++++
 .../refpolicy/refpolicy_2.20130424.inc             |  1 +
 2 files changed, 86 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch

diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch new file mode 100644 index 0000000..9521fcf --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch
@@ -0,0 +1,85 @@ +ftp: make proftpd be able to work + +Upstream-Status: pending + +1. proftpd need not to access and communicate with avahi, so dontaudit them +2. ftpd_t is transited to mls_systemhigh, the running created files under +/var/run is in mls_systemlow, so put ftpd_t to write_all_levels + +Signed-off-by: Roy Li <rongqing.li@windriver.com> +--- + policy/modules/contrib/avahi.if | 40 +++++++++++++++++++++++++++++++++++++++ + policy/modules/contrib/ftp.te | 6 ++++++ + 2 files changed, 46 insertions(+) + +diff --git a/policy/modules/contrib/avahi.if b/policy/modules/contrib/avahi.if +index aebe7cb..0e7a748 100644 +--- a/policy/modules/contrib/avahi.if ++++ b/policy/modules/contrib/avahi.if +@@ -135,6 +135,46 @@ interface(`avahi_dontaudit_search_pid',` + + ######################################## + ## <summary> ++## Do not audit attempts to rw ++## avahi var directories. ++## </summary> ++## <param name="domain"> ++## <summary> ++## Domain to not audit. ++## </summary> ++## </param> ++# ++interface(`avahi_dontaudit_rw_var',` ++ gen_require(` ++ type avahi_var_run_t; ++ ') ++ ++ dontaudit $1 avahi_var_run_t:file rw_term_perms; ++') ++ ++ ++######################################## ++## <summary> ++## Do not audit attempts to connectto ++## avahi unix socket. ++## </summary> ++## <param name="domain"> ++## <summary> ++## Domain to not audit. ++## </summary> ++## </param> ++# ++interface(`avahi_dontaudit_connectto',` ++ gen_require(` ++ type avahi_t; ++ ') ++ ++ dontaudit $1 avahi_t:unix_stream_socket connectto; ++') ++ ++ ++######################################## ++## <summary> + ## All of the rules required to + ## administrate an avahi environment. 
+ ## </summary> +diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te +index 544c512..12492d2 100644 +--- a/policy/modules/contrib/ftp.te ++++ b/policy/modules/contrib/ftp.te +@@ -144,6 +144,12 @@ role ftpdctl_roles types ftpdctl_t; + type ftpdctl_tmp_t; + files_tmp_file(ftpdctl_tmp_t) + ++mls_file_write_all_levels(ftpd_t) ++ ++avahi_dontaudit_connectto(ftpd_t) ++ ++avahi_dontaudit_rw_var(ftpd_t) ++ + type sftpd_t; + domain_type(sftpd_t) + role system_r types sftpd_t; +-- +1.7.10.4 + diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.inc b/recipes-security/refpolicy/refpolicy_2.20130424.inc index 5d55030..422c974 100644 --- a/recipes-security/refpolicy/refpolicy_2.20130424.inc +++ b/recipes-security/refpolicy/refpolicy_2.20130424.inc @@ -53,6 +53,7 @@ SRC_URI += "file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \ file://hostname-do-not-audit-attempts-by-hostname-to-read-a.patch \ file://sysnetwork-dhcpc-binds-socket-to-random-high-udp-por.patch \ file://portmap-allow-portmap-to-create-socket.patch \ + file://poky-policy-ftp-make-proftpd-be-able-to-work.patch \ " # Backport from upstream -- 1.7.10.4
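Review bot: both new avahi.if interfaces silence an access ftpd_t genuinely needs, so they should be dropped rather than polished: the strace in the follow-up shows libnss_mdns4 connecting to /var/run/avahi-daemon/socket, and avahi.if already provides `avahi_stream_connect()` for exactly that socket as an allow, not a dontaudit. If a dontaudit interface were kept anyway, `avahi_dontaudit_rw_var` does not match its own rule: the summary says "avahi var directories" while the body is `dontaudit $1 avahi_var_run_t:file rw_term_perms;`, i.e. files, and `rw_term_perms` is the terminal permission set rather than the file one (`rw_file_perms`); the usual refpolicy name for that type would be along the lines of `avahi_dontaudit_rw_pid_files`. Minor: two blank lines separate the new interfaces where the rest of the file uses one, and "rw" and "connectto" in the summaries should be spelled out.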
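Review bot: `avahi_dontaudit_connectto(ftpd_t)` and `avahi_dontaudit_rw_var(ftpd_t)` call into another contrib module directly; in ftp.te such cross-module calls must be wrapped in an optional_policy() block, otherwise the policy does not build when the avahi module is absent. All three added lines also sit in the declarations block, between `files_tmp_file(ftpdctl_tmp_t)` and `type sftpd_t;`, instead of the ftpd local policy section where the rest of ftpd_t's rules live. As the author's own follow-up and Pascal's reply point out, the avahi connection is an nsswitch lookup that `auth_use_nsswitch(ftpd_t)` already covers, so only the MLS line belongs in this patch, which is what the V2 posting keeps.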
* Re: [PATCH 1/1] refpolicy: make proftpd be able to work
From: Rongqing Li @ 2014-02-13 8:13 UTC
To: rongqing.li; +Cc: yocto

On 02/11/2014 01:31 PM, rongqing.li@windriver.com wrote:
> From: Roy Li <rongqing.li@windriver.com>
>
> Signed-off-by: Roy Li <rongqing.li@windriver.com>
> ---
> ...y-policy-ftp-make-proftpd-be-able-to-work.patch | 85 ++++++++++++++++++++
> .../refpolicy/refpolicy_2.20130424.inc | 1 +
> 2 files changed, 86 insertions(+)
> create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch
>
> diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch > new file mode 100644 > index 0000000..9521fcf > --- /dev/null > +++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch
> @@ -0,0 +1,85 @@ > +ftp: make proftpd be able to work > + > +Upstream-Status: pending > + > +1. proftpd need not to access and communicate with avahi, so dontaudit them > +2. ftpd_t is transited to mls_systemhigh, the running created files under > +/var/run is in mls_systemlow, so put ftpd_t to write_all_levels > + > +Signed-off-by: Roy Li <rongqing.li@windriver.com> > +--- > + policy/modules/contrib/avahi.if | 40 +++++++++++++++++++++++++++++++++++++++ > + policy/modules/contrib/ftp.te | 6 ++++++ > + 2 files changed, 46 insertions(+) > + > +diff --git a/policy/modules/contrib/avahi.if b/policy/modules/contrib/avahi.if > +index aebe7cb..0e7a748 100644 > +--- a/policy/modules/contrib/avahi.if > ++++ b/policy/modules/contrib/avahi.if > +@@ -135,6 +135,46 @@ interface(`avahi_dontaudit_search_pid',` > + > + ######################################## > + ## <summary> > ++## Do not audit attempts to rw > ++## avahi var directories. > ++## </summary> > ++## <param name="domain"> > ++## <summary> > ++## Domain to not audit. > ++## </summary> > ++## </param> > ++# > ++interface(`avahi_dontaudit_rw_var',` > ++ gen_require(` > ++ type avahi_var_run_t; > ++ ') > ++ > ++ dontaudit $1 avahi_var_run_t:file rw_term_perms; > ++') > ++ > ++ > ++######################################## > ++## <summary> > ++## Do not audit attempts to connectto > ++## avahi unix socket. > ++## </summary> > ++## <param name="domain"> > ++## <summary> > ++## Domain to not audit. > ++## </summary> > ++## </param> > ++# > ++interface(`avahi_dontaudit_connectto',` > ++ gen_require(` > ++ type avahi_t; > ++ ') > ++ > ++ dontaudit $1 avahi_t:unix_stream_socket connectto; > ++') > ++ > ++ > ++######################################## > ++## <summary> > + ## All of the rules required to > + ## administrate an avahi environment. 
> + ## </summary> > +diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te > +index 544c512..12492d2 100644 > +--- a/policy/modules/contrib/ftp.te > ++++ b/policy/modules/contrib/ftp.te > +@@ -144,6 +144,12 @@ role ftpdctl_roles types ftpdctl_t; > + type ftpdctl_tmp_t; > + files_tmp_file(ftpdctl_tmp_t) > + > ++mls_file_write_all_levels(ftpd_t) > ++ > ++avahi_dontaudit_connectto(ftpd_t) > ++ > ++avahi_dontaudit_rw_var(ftpd_t)

Please drop it, we should not dontaudit ftpd_t to connect avahi.
we should allow this operation, since ftpd_t calls libnss which
will create sockets and connect these sockets.

1846 open("/lib64/libnss_mdns4.so.2", O_RDONLY|O_CLOEXEC) = 3
1846 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\v\0\0\0\0\0\0" ..., 832) = 832
1846 fstat(3, {st_mode=S_IFREG|0755, st_size=9904, ...}) = 0
1846 mmap(NULL, 2105160, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f49e1a63000
1846 mprotect(0x7f49e1a65000, 2093056, PROT_NONE) = 0
1846 mmap(0x7f49e1c64000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0x7f49e1c64000
1846 close(3) = 0
1846 socket(PF_LOCAL, SOCK_STREAM, 0) = 3
1846 fcntl(3, F_GETFD) = 0
1846 fcntl(3, F_SETFD, FD_CLOEXEC) = 0
1846 connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/avahi-daemon/socket"}, 110) = 0

-Roy

> ++ > + type sftpd_t; > + domain_type(sftpd_t) > + role system_r types sftpd_t; > +-- > +1.7.10.4 > + > diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.inc b/recipes-security/refpolicy/refpolicy_2.20130424.inc > index 5d55030..422c974 100644 > --- a/recipes-security/refpolicy/refpolicy_2.20130424.inc > +++ b/recipes-security/refpolicy/refpolicy_2.20130424.inc
> @@ -53,6 +53,7 @@ SRC_URI += "file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \ > file://hostname-do-not-audit-attempts-by-hostname-to-read-a.patch \ > file://sysnetwork-dhcpc-binds-socket-to-random-high-udp-por.patch \ > file://portmap-allow-portmap-to-create-socket.patch \ > + file://poky-policy-ftp-make-proftpd-be-able-to-work.patch \ > " > > # Backport from upstream > --
Best Regards,
Roy | RongQing Li
* Re: [PATCH 1/1] refpolicy: make proftpd be able to work
From: Pascal Ouyang @ 2014-02-13 8:40 UTC
To: yocto

On 2014-02-13 16:13, Rongqing Li wrote:
>
>
> On 02/11/2014 01:31 PM, rongqing.li@windriver.com wrote:
>> From: Roy Li <rongqing.li@windriver.com>
>>
>> Signed-off-by: Roy Li <rongqing.li@windriver.com>
>> ---
>> ...y-policy-ftp-make-proftpd-be-able-to-work.patch | 85
>> ++++++++++++++++++++
>> .../refpolicy/refpolicy_2.20130424.inc | 1 +
>> 2 files changed, 86 insertions(+)
>> create mode 100644
>> recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch
>>
>>
>> diff --git >> a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch >> b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch >> >> new file mode 100644 >> index 0000000..9521fcf >> --- /dev/null >> +++ >> b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch
>> >> @@ -0,0 +1,85 @@ >> +ftp: make proftpd be able to work >> + >> +Upstream-Status: pending >> + >> +1. proftpd need not to access and communicate with avahi, so >> dontaudit them >> +2. ftpd_t is transited to mls_systemhigh, the running created files >> under >> +/var/run is in mls_systemlow, so put ftpd_t to write_all_levels >> + >> +Signed-off-by: Roy Li <rongqing.li@windriver.com> >> +--- >> + policy/modules/contrib/avahi.if | 40 >> +++++++++++++++++++++++++++++++++++++++ >> + policy/modules/contrib/ftp.te | 6 ++++++ >> + 2 files changed, 46 insertions(+) >> + >> +diff --git a/policy/modules/contrib/avahi.if >> b/policy/modules/contrib/avahi.if >> +index aebe7cb..0e7a748 100644 >> +--- a/policy/modules/contrib/avahi.if >> ++++ b/policy/modules/contrib/avahi.if >> +@@ -135,6 +135,46 @@ interface(`avahi_dontaudit_search_pid',` >> + >> + ######################################## >> + ## <summary> >> ++## Do not audit attempts to rw >> ++## avahi var directories. >> ++## </summary> >> ++## <param name="domain"> >> ++## <summary> >> ++## Domain to not audit. >> ++## </summary> >> ++## </param> >> ++# >> ++interface(`avahi_dontaudit_rw_var',` >> ++ gen_require(` >> ++ type avahi_var_run_t; >> ++ ') >> ++ >> ++ dontaudit $1 avahi_var_run_t:file rw_term_perms; >> ++') >> ++ >> ++ >> ++######################################## >> ++## <summary> >> ++## Do not audit attempts to connectto >> ++## avahi unix socket. >> ++## </summary> >> ++## <param name="domain"> >> ++## <summary> >> ++## Domain to not audit. >> ++## </summary> >> ++## </param> >> ++# >> ++interface(`avahi_dontaudit_connectto',` >> ++ gen_require(` >> ++ type avahi_t; >> ++ ') >> ++ >> ++ dontaudit $1 avahi_t:unix_stream_socket connectto; >> ++') >> ++ >> ++ >> ++######################################## >> ++## <summary> >> + ## All of the rules required to >> + ## administrate an avahi environment. 
>> + ## </summary> >> +diff --git a/policy/modules/contrib/ftp.te >> b/policy/modules/contrib/ftp.te >> +index 544c512..12492d2 100644 >> +--- a/policy/modules/contrib/ftp.te >> ++++ b/policy/modules/contrib/ftp.te >> +@@ -144,6 +144,12 @@ role ftpdctl_roles types ftpdctl_t; >> + type ftpdctl_tmp_t; >> + files_tmp_file(ftpdctl_tmp_t) >> + >> ++mls_file_write_all_levels(ftpd_t) >> ++ >> ++avahi_dontaudit_connectto(ftpd_t) >> ++ >> ++avahi_dontaudit_rw_var(ftpd_t) > > > Please drop it, we should not donaudit ftpd_t to connect avahi. > we should allow this operation, since ftpd_t call libnss which > will create socket and connect these socket. > > > > 1846 open("/lib64/libnss_mdns4.so.2", O_RDONLY|O_CLOEXEC) = 3 > 1846 read(3, > "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\v\0\0\0\0\0\0" > ..., 832) = 832 > 1846 fstat(3, {st_mode=S_IFREG|0755, st_size=9904, ...}) = 0 > 1846 mmap(NULL, 2105160, PROT_READ|PROT_EXEC, > MAP_PRIVATE|MAP_DENYWRITE, 3, 0) > = 0x7f49e1a63000 > 1846 mprotect(0x7f49e1a65000, 2093056, PROT_NONE) = 0 > 1846 mmap(0x7f49e1c64000, 4096, PROT_READ|PROT_WRITE, > MAP_PRIVATE|MAP_FIXED|MAP > _DENYWRITE, 3, 0x1000) = 0x7f49e1c64000 > 1846 close(3) = 0 > 1846 socket(PF_LOCAL, SOCK_STREAM, 0) = 3 > 1846 fcntl(3, F_GETFD) = 0 > 1846 fcntl(3, F_SETFD, FD_CLOEXEC) = 0 > 1846 connect(3, {sa_family=AF_LOCAL, > sun_path="/var/run/avahi-daemon/socket"}, > 110) = 0 > > > > -Roy > >> ++ >> + type sftpd_t; >> + domain_type(sftpd_t) >> + role system_r types sftpd_t; >> +-- >> +1.7.10.4 >> + >> diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.inc >> b/recipes-security/refpolicy/refpolicy_2.20130424.inc >> index 5d55030..422c974 100644 >> --- a/recipes-security/refpolicy/refpolicy_2.20130424.inc >> +++ b/recipes-security/refpolicy/refpolicy_2.20130424.inc 
>> @@ -53,6 +53,7 @@ SRC_URI += >> "file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \ >> >> file://hostname-do-not-audit-attempts-by-hostname-to-read-a.patch \ >> >> file://sysnetwork-dhcpc-binds-socket-to-random-high-udp-por.patch \ >> file://portmap-allow-portmap-to-create-socket.patch \ >> + file://poky-policy-ftp-make-proftpd-be-able-to-work.patch \ >> " >> >> # Backport from upstream >> >

By auth_use_nsswitch(ftpd) ftpd_t already works well with nsswitch now. So, please find the root cause in other places. Thanks. :)

--
- Pascal