New policy for DCC
Russell Coker
russell at coker.com.au
Thu Apr 21 14:54:18 UTC 2005
On Tuesday 22 March 2005 12:23, David Hampton <hampton-rh at rainbolthampton.net> wrote:
> This is a new strict policy for the DCC spam filter. It is based on the
> selinux-policy-strict-sources-1.23.2-1 fedora RPM. This policy requires
> the definition of dcc reserved ports that were in the net_contexts diff
> I sent last Wednesday. Please let me know if there are any problems
> with or changes needed to this policy.
Firstly, daemons should not be started with su. For correct handling of
terminal file handles you should use /sbin/runuser to change the UID; it also
requires less policy, which makes things easier.
Why do you use init_service_domain() and domain_auto_trans(initrc_t,
dcc_script_exec_t, dcc_script_t)?
Surely the daemon is to be started either from inittab or from an /etc/init.d
script but not both.
Putting a unix domain socket in /etc is wrong. Among other things it will
probably break things for anyone who wants to run with a read-only root file
system.
Types used under the /var/run directory generally should have the pidfile
attribute so that they can be cleaned up by boot scripts if necessary.
There is a type dccm_sock_t defined which is not in the .fc file.
Allowing access to sshd_t:fd is not what you want; you want to use privfd:fd
to allow the administrator to use a console login. Also, you want to use
admin_tty_type:chr_file instead of sysadm_devpts_t:chr_file for the same
reason.
I have attached some patches, but I think that more will need to be done.
For starters, I don't think that there is a good cause for seven domains.
Postfix has the current record with 13 domains, and I believe that Postfix has
too many; one of the reasons why I asked Tresys to add a feature to apol to
compare the access granted to domains was to determine which domains of
Postfix are not needed.
Without even knowing what DCC does I feel confident in guessing that it's not
nearly half as complex as Postfix and doesn't need so many domains.
Excessive domains make the policy difficult to analyse. For starters,
dccifd_t and dccm_t can be merged.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fc.diff
Type: text/x-diff
Size: 1530 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20050422/80e44296/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: te.diff
Type: text/x-diff
Size: 4759 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20050422/80e44296/attachment-0001.bin>
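The following dcc.te fragment is an added illustration of how the review points above could be expressed in the strict example policy of that era; it is not the patch attached to this message, and it assumes the declarations of that policy (domain_auto_trans(), file_type_auto_trans(), var_run_t, create_file_perms, rw_file_perms) plus a dcc_port_t type for the reserved ports, whose name is assumed here.

```selinux
# dcc.te (added illustration, not the attached te.diff)

# One daemon domain serving both dccifd and dccm, as the review
# suggests merging dccifd_t and dccm_t. Started only from the
# init script, so no init_service_domain() is needed.
type dcc_t, domain;
type dcc_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans(initrc_t, dcc_exec_t, dcc_t)
# (in dcc.fc both /usr/bin/dccifd and /usr/bin/dccm would be
#  labelled system_u:object_r:dcc_exec_t)

# Runtime state, including the unix domain socket, lives under
# /var/run rather than /etc, so a read-only root file system still
# works. The pidfile attribute lets boot scripts clean it up.
type dcc_var_run_t, file_type, sysadmfile, pidfile;
file_type_auto_trans(dcc_t, var_run_t, dcc_var_run_t, file)
file_type_auto_trans(dcc_t, var_run_t, dcc_var_run_t, sock_file)
allow dcc_t dcc_var_run_t:file create_file_perms;
allow dcc_t dcc_var_run_t:sock_file create_file_perms;

# An administrator starting the daemon from a console login:
# inherit descriptors from any privileged fd-passing domain
# (privfd) rather than sshd_t specifically, and use any admin
# tty type rather than sysadm_devpts_t alone.
allow dcc_t privfd:fd use;
allow dcc_t admin_tty_type:chr_file rw_file_perms;

# Bind the reserved DCC ports defined in net_contexts
# (type name dcc_port_t assumed here).
allow dcc_t dcc_port_t:udp_socket name_bind;
allow dcc_t dcc_port_t:tcp_socket name_bind;
```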