于 14-2-13 下午4:13, Rongqing Li 写道:


On 02/11/2014 01:31 PM, rongqing...@windriver.com wrote:
From: Roy Li <rongqing...@windriver.com>

Signed-off-by: Roy Li <rongqing...@windriver.com>
---
  ...y-policy-ftp-make-proftpd-be-able-to-work.patch |   85
++++++++++++++++++++
  .../refpolicy/refpolicy_2.20130424.inc             |    1 +
  2 files changed, 86 insertions(+)
  create mode 100644
recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch


diff --git
a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch
b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch

new file mode 100644
index 0000000..9521fcf
--- /dev/null
+++
b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch

@@ -0,0 +1,85 @@
+ftp: make proftpd be able to work
+
+Upstream-Status: pending
+
+1. proftpd need not to access and communicate with avahi, so
dontaudit them
+2. ftpd_t is transited to mls_systemhigh, the running created files
under
+/var/run is in mls_systemlow, so put ftpd_t to write_all_levels
+
+Signed-off-by: Roy Li <rongqing...@windriver.com>
+---
+ policy/modules/contrib/avahi.if |   40
+++++++++++++++++++++++++++++++++++++++
+ policy/modules/contrib/ftp.te   |    6 ++++++
+ 2 files changed, 46 insertions(+)
+
+diff --git a/policy/modules/contrib/avahi.if
b/policy/modules/contrib/avahi.if
+index aebe7cb..0e7a748 100644
+--- a/policy/modules/contrib/avahi.if
++++ b/policy/modules/contrib/avahi.if
+@@ -135,6 +135,46 @@ interface(`avahi_dontaudit_search_pid',`
+
+ ########################################
+ ## <summary>
++##    Do not audit attempts to rw
++##    avahi var directories.
++## </summary>
++## <param name="domain">
++##    <summary>
++##    Domain to not audit.
++##    </summary>
++## </param>
++#
++interface(`avahi_dontaudit_rw_var',`
++    gen_require(`
++        type avahi_var_run_t;
++    ')
++
++    dontaudit $1 avahi_var_run_t:file rw_term_perms;
++')
++
++
++########################################
++## <summary>
++##    Do not audit attempts to connectto
++##    avahi unix socket.
++## </summary>
++## <param name="domain">
++##    <summary>
++##    Domain to not audit.
++##    </summary>
++## </param>
++#
++interface(`avahi_dontaudit_connectto',`
++    gen_require(`
++        type avahi_t;
++    ')
++
++    dontaudit $1 avahi_t:unix_stream_socket connectto;
++')
++
++
++########################################
++## <summary>
+ ##    All of the rules required to
+ ##    administrate an avahi environment.
+ ## </summary>
+diff --git a/policy/modules/contrib/ftp.te
b/policy/modules/contrib/ftp.te
+index 544c512..12492d2 100644
+--- a/policy/modules/contrib/ftp.te
++++ b/policy/modules/contrib/ftp.te
+@@ -144,6 +144,12 @@ role ftpdctl_roles types ftpdctl_t;
+ type ftpdctl_tmp_t;
+ files_tmp_file(ftpdctl_tmp_t)
+
++mls_file_write_all_levels(ftpd_t)
++
++avahi_dontaudit_connectto(ftpd_t)
++
++avahi_dontaudit_rw_var(ftpd_t)


Please drop it, we should not dontaudit ftpd_t connecting to avahi.
We should allow this operation, since ftpd_t calls libnss, which
will create a socket and connect to it.



1846  open("/lib64/libnss_mdns4.so.2", O_RDONLY|O_CLOEXEC) = 3
1846  read(3,
"\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\v\0\0\0\0\0\0"
..., 832) = 832
1846  fstat(3, {st_mode=S_IFREG|0755, st_size=9904, ...}) = 0
1846  mmap(NULL, 2105160, PROT_READ|PROT_EXEC,
MAP_PRIVATE|MAP_DENYWRITE, 3, 0)
= 0x7f49e1a63000
1846  mprotect(0x7f49e1a65000, 2093056, PROT_NONE) = 0
1846  mmap(0x7f49e1c64000, 4096, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP
_DENYWRITE, 3, 0x1000) = 0x7f49e1c64000
1846  close(3)                          = 0
1846  socket(PF_LOCAL, SOCK_STREAM, 0)  = 3
1846  fcntl(3, F_GETFD)                 = 0
1846  fcntl(3, F_SETFD, FD_CLOEXEC)     = 0
1846  connect(3, {sa_family=AF_LOCAL,
sun_path="/var/run/avahi-daemon/socket"},
110) = 0



-Roy

++
+ type sftpd_t;
+ domain_type(sftpd_t)
+ role system_r types sftpd_t;
+--
+1.7.10.4
+
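Review bot: `mls_file_write_all_levels(ftpd_t)` at the end of the ftp.te hunk grants ftpd_t an MLS write-down to every level, which is far broader than the stated problem of its pid files under /var/run being created at mls_systemlow; a narrower fix is to keep the pid file at the daemon's own level or, if a write-down is really required, to use a range-bounded interface such as `mls_file_write_within_range(ftpd_t)` where the refpolicy version in use provides it. The commit message should at least record why the unrestricted variant was chosen. In the avahi.if hunk, `avahi_dontaudit_rw_var` applies `rw_term_perms` to the `file` class of avahi_var_run_t, whereas the file-class permission set is `rw_file_perms`, and the `<summary>` says "var directories" while the rule only covers files, so `dontaudit $1 avahi_var_run_t:file rw_file_perms;` with a summary naming avahi pid files (and a name in line with the existing `avahi_dontaudit_search_pid`, e.g. `avahi_dontaudit_rw_pid_files`) would match refpolicy convention. The hunk is interrupted by quoted reply text and resumes after it.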
diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.inc
b/recipes-security/refpolicy/refpolicy_2.20130424.inc
index 5d55030..422c974 100644
--- a/recipes-security/refpolicy/refpolicy_2.20130424.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20130424.inc
@@ -53,6 +53,7 @@ SRC_URI +=
"file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \

file://hostname-do-not-audit-attempts-by-hostname-to-read-a.patch \

file://sysnetwork-dhcpc-binds-socket-to-random-high-udp-por.patch \
              file://portmap-allow-portmap-to-create-socket.patch \
+            file://poky-policy-ftp-make-proftpd-be-able-to-work.patch \
             "

  # Backport from upstream



By auth_use_nsswitch(ftpd)

ftpd_t already works well with nsswitch now, so please look for the root cause elsewhere.

Thanks. :)

--
- Pascal