selinux.vger.kernel.org archive mirror
* Bug (?) in cvs selinux policy
From: Erich Schubert @ 2005-11-26  1:27 UTC (permalink / raw)
  To: SELinux

Hi,
while merging the current policy CVS in my local policy, I noticed this:
---
tail -1 domains/program/unused/dhcpc.te
allow dhcpc_t locale_t:file write;
---

Why? If this is some locale caching or so, it probably should be
use_locale(dhcpc_t) or something like that. But this single write here
is really odd...

best regards,
Erich Schubert
-- 
    erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
       The best things in life are free: Friendship and Love.        //\
  Whoever no longer spends time with real friends will soon lose       V_/_
          their balance. --- Michael Levine


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
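As an added example (not from the thread or the reference policy), a small lint over TE source that flags allow rules granting write-class permissions on a type meant to be shared read-only, exactly the case of the dhcpc_t rule on locale_t above. The regex, the permission set and the sample .te fragment are my own constructions; the suggested use_locale() macro is the one named in the message.

```python
import re

# File permissions that let a domain modify a shared resource type such as
# locale_t, which every domain normally only reads (constructed set).
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "setattr", "link"}

# Matches both spellings of a TE allow rule:
#   allow src_t tgt_t:class perm;
#   allow src_t tgt_t:class { perm1 perm2 };
ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>\S+?))\s*;"
)

def parse_allow(line):
    """Return (src, tgt, class, set_of_perms) for an allow rule, else None."""
    m = ALLOW_RE.match(line)
    if not m:
        return None
    perms = (m.group("perms") or m.group("perm")).split()
    return m.group("src"), m.group("tgt"), m.group("cls"), set(perms)

def find_write_on_readonly(te_source, readonly_types=("locale_t",)):
    """Flag allow rules that give write-class perms on types meant to be
    read-only for ordinary domains. Returns (src, tgt, perms) tuples."""
    hits = []
    for line in te_source.splitlines():
        parsed = parse_allow(line)
        if parsed is None:
            continue
        src, tgt, cls, perms = parsed
        bad = perms & WRITE_PERMS
        if tgt in readonly_types and bad:
            hits.append((src, tgt, sorted(bad)))
    return hits

# Constructed .te fragment; only the last line is the rule from the thread.
SAMPLE_TE = """\
type dhcpc_t, domain;
allow dhcpc_t etc_t:file { read getattr };
allow dhcpc_t locale_t:file { read getattr };
allow dhcpc_t locale_t:file write;
"""

if __name__ == "__main__":
    for src, tgt, perms in find_write_on_readonly(SAMPLE_TE):
        print(f"{src} may {' '.join(perms)} {tgt}: consider use_locale({src})")
```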


* Re: Bug (?) in cvs selinux policy
From: Daniel J Walsh @ 2005-11-29 17:05 UTC (permalink / raw)
  To: Erich Schubert; +Cc: SELinux, Jason Vas Dias

Erich Schubert wrote:
> Hi,
> while merging the current policy CVS in my local policy, I noticed this:
> ---
> tail -1 domains/program/unused/dhcpc.te
> allow dhcpc_t locale_t:file write;
> ---
>
> Why? If this is some locale caching or so, it probably should be
> use_locale(dhcpc_t) or something like that. But this single write here
> is really odd...
>
> best regards,
> Erich Schubert
>   
I think this allows it to cp the locale file into the chroot environment.


* Re: Bug (?) in cvs selinux policy
From: Antoine Martin @ 2005-11-29 17:54 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Erich Schubert, SELinux, Jason Vas Dias

On Tue, 2005-11-29 at 12:05 -0500, Daniel J Walsh wrote:
> Erich Schubert wrote:
> > Hi,
> > while merging the current policy CVS in my local policy, I noticed this:
> > ---
> > tail -1 domains/program/unused/dhcpc.te
> > allow dhcpc_t locale_t:file write;
> > ---
> >
> > Why? If this is some locale caching or so, it probably should be
> > use_locale(dhcpc_t) or something like that. But this single write here
> > is really odd...
> >
> > best regards,
> > Erich Schubert
> >   
> I think this allows it to cp the locale file into the chroot environment.
> 
Surely this should be done at setup time? Not by dhcpd itself.
My dhcp policy does not have it (dhcpd 3.0.1-r1) and is fine without it.

Antoine



* Re: Bug (?) in cvs selinux policy
From: Erich Schubert @ 2005-11-29 23:11 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux, Jason Vas Dias

Hello,
> I think this allows it to cp the locale file into the chroot environment.

For example with postfix, running stuff in a chroot is "deprecated" with
SELinux, since the security implications of setting up the chroot are
higher than not running a chroot but only SELinux. ;-)
Also, the setup should probably be done by the init script, not by the
daemon.

best regards,
Erich Schubert
-- 
    erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
       To be trusted is a greater complement than to be loved.       //\
  Wer nicht zuweilen zuviel empfindet, der empfindet immer zuwenig.  V_/_



* Re: Bug (?) in cvs selinux policy
From: Antoine Martin @ 2005-11-29 23:29 UTC (permalink / raw)
  To: Erich Schubert; +Cc: Daniel J Walsh, SELinux, Jason Vas Dias

On Wed, 2005-11-30 at 00:11 +0100, Erich Schubert wrote:
> Hello,
> > I think this allows it to cp the locale file into the chroot environment.
> 
> For example with postfix, running stuff in a chroot is "deprecated" with
> SELinux, since the security implications of setting up the chroot are
> higher than not running a chroot but only SELinux. ;-)
I personally like to have the option of using both, for peace of mind.
I am not good enough to run my systems in full enforcing mode constantly
(there are still some maintenance tasks that I do which are much easier
to handle by switching to permissive mode) and so I like to have the
ability to cumulate the security measures.

Antoine

> Also, the setup should probably be done by the init script, not by the
> daemon.
> 
> best regards,
> Erich Schubert



* Re: Bug (?) in cvs selinux policy
From: Erich Schubert @ 2005-11-30  0:38 UTC (permalink / raw)
  To: Antoine Martin; +Cc: Daniel J Walsh, SELinux, Jason Vas Dias

Hi,
> I personally like to have the option of using both, for peace of mind.
> I am not good enough to run my systems in full enforcing mode constantly
> (there are still some maintenance tasks that I do which are much easier
> to handle by switching to permissive mode) and so I like to have the
> ability to cumulate the security measures.

This should then be handled by a central "setup_chroot" utility with
its own domain and the ability to copy over files (with proper security
checking, of course).
It would be helpful for most applications anyway to have a central tool
for that, instead of each app writing its own in its initscript.

The other issue remains, that the chroot most likely is setup by your
initscript, i.e. with initrc_t permissions, not dhcpc_t.
Btw, I never heard of dhcpC (= client) running chroot. Seems kind of
hard, since most likely you'll want it to update your real resolv.conf,
maybe reload your mail server etc.

best regards,
Erich Schubert
-- 
     erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C     (o_
  Nothing prevents happiness like the memory of happiness. --- A. Gide //\
 Many a man does not find his heart until he loses his head.           V_/_

