Stephen Smalley wrote:
On Thu, 2006-10-19 at 08:34 -0400, Daniel J Walsh wrote:
Klaus Weidner wrote:
On Tue, Oct 17, 2006 at 04:11:24PM -0500, Michael C Thompson wrote:
So polyinstantiation is broken, it used to work at one point. The
following is the log of what seems to be causing the failure. I'm
looking into this, but it would be nice to have someone more adept at
policy wrangling to jump in and save the day.
The current LSPP ks script sets up policy and contexts to support
polyinstantiation. I've attached the policy, here's the script fragment.
Polyinstantiation parent dirs need to be polyparent_t, and
/etc/security/namespace.init needs to be pam_exec_t or something similar.
(Don't use chcon, define persistent file contexts instead to ensure that
they don't get overwritten on the next autorelabel. And remember how nice
it is that SELinux doesn't do path based security ;-)
-Klaus
ConfigurePolyinstantiation() {
Title " Configure polyinstantiation"
if ShallI "Update polyinstantiation (pam_namespace) configuration"; then
local DIRS=$(
awk '/^[^#]/ {print $2}' $_BASE/$_NAMESPACE_CONF
)
Log "Creating base dirs: $DIRS"
mkdir -m 0 $DIRS
local D
for D in $DIRS; do
semanage fcontext -a -t polyparent_t $( echo "$D" | sed '
s/\/$//;
s/\([.*?]\)/\\\1/;
')
done
restorecon $DIRS
# FIXME: following should be fixed in upstream package?
semanage fcontext -a -t pam_exec_t /etc/security/namespace.init
restorecon /etc/security/namespace.init
Replace /etc/security/$_NAMESPACE_CONF with $_BASE/$_NAMESPACE_CONF
else
Log "configuration update declined."
_FAILURE=1
fi
}
------------------------------------------------------------------------
## Customized SELinux policy for LSPP evaluated configuration
policy_module(lspp_policy,1.0)
#############################################################################
### Additional audit
#############################################################################
gen_require(`
attribute domain;
')
# Audit setting of security relevant process attributes
# These settings are OPTIONAL
auditallow domain self:process setcurrent;
auditallow domain self:process setexec;
auditallow domain self:process setfscreate;
This gives every process on the system the ability to do these
commands. Why do you need this?
No - they are just auditallow statements, not allow statements, so they
merely enable auditing when they are allowed - they don't allow anything
new. This is for auditing of all changes to the process
security-relevant attributes.
Sorry, you are right. I guess I am looking at too many lines of policy...
#auditallow domain self:process setsocketcreate; # FIXME
#auditallow domain self:process setipccreate; # FIXME
#############################################################################
### Relabeling printer devices
#############################################################################
gen_require(`
type secadm_t, printer_device_t;
')
allow secadm_t printer_device_t:chr_file {getattr relabelfrom relabelto};
I have just added
dev_relabel_all_dev_nodes(secadm_t)
in selinux-policy-2.3.19-4.
Which should cover this.
#############################################################################
### Polyinstantiation support
#############################################################################
gen_require(`
type newrole_t, sshd_t, local_login_t;
type user_t, staff_t;
type tmp_t, user_home_dir_t, staff_home_dir_t;
type user_tmp_t, staff_tmp_t, user_home_t, staff_home_t;
attribute userdomain;
')
type polyparent_t;
type polymember_t;
files_poly_parent(polyparent_t)
files_poly_member(polymember_t)
There is a new boolean allow_polyinstantiation, which should turn on
some of this support.
If we are missing something, this should get back into the policy package.
## FIXME: these don't work?
#allow userdomain polyparent_t:dir manage_dir_perms;
#allow userdomain polymember_t:dir manage_dir_perms;
#type_member userdomain polyparent_t:dir polymember_t;
#allow user_t polymember_t:dir manage_dir_perms;
#allow staff_t polymember_t:dir manage_dir_perms;
files_poly(tmp_t)
files_poly(user_home_dir_t)
files_poly(staff_home_dir_t)
type_member user_t tmp_t:dir user_tmp_t;
type_member staff_t tmp_t:dir staff_tmp_t;
type_member user_t user_home_dir_t:dir user_home_t;
type_member staff_t staff_home_dir_t:dir staff_home_t;
files_polyinstantiate_all(sshd_t)
files_polyinstantiate_all(local_login_t)
files_polyinstantiate_all(newrole_t)
Only newole_t does not have this priv in current policy, Added for
2.3.19-4.
### additional polyinst workarounds
### (FIXME, should these be fixed in refpolicy?)
gen_require(`
type bin_t, sshd_t, newrole_t, staff_su_t, run_init_t;
')
# let newrole execute the PAM framework (it didn't d<o that originally)
auth_exec_pam(newrole_t)
# sshd needs to write the faillog / tallylog file
# FIXME, needs: semanage fcontext -a -t faillog_t /var/log/tallylog
auth_rw_faillog(sshd_t)
auth_rw_faillog(newrole_t)
auth_rw_faillog(staff_su_t)
auth_rw_faillog(run_init_t)
Latest policy has these rules
# this seems to be missing from refpolicy files_polyinstantiate_all()?
allow sshd_t polyparent_t:dir {read search create remove_name};
allow local_login_t polyparent_t:dir {read search create remove_name};
allow newrole_t polyparent_t:dir {read search create remove_name};
# need to be able to execute /etc/security/namespace.init
# (that file needs to be labeled as bin_t, default label is bad)
allow sshd_t bin_t:file {read execute execute_no_trans ioctl};
allow local_login_t bin_t:file {read execute execute_no_trans ioctl};
allow newrole_t bin_t:file {read execute execute_no_trans ioctl};
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to [EMAIL PROTECTED] with
the words "unsubscribe selinux" without quotes as the message.
--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
