please review my firefox policy?

Peter Pun peter.pun at gmail.com
Fri Sep 15 00:20:07 UTC 2006


Hi Everyone,

I created this firefox policy; it is probably allowing too many unnecessary
things. If anyone could comment on it, I'd appreciate it.
The problem is that someone was able to break out to unconfined and disable a 000
ACL on /bin/su. This is a web-surfing machine with no listening daemons: postfix
is blocked by the firewall and unconfigured, and not even cups is running. So I
think the hole must be through firefox.

------------------------------------------------------------

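policy_module(foxpol,1.0.5)

########################################
#
# Declarations
#

# Types this module references but does not declare.
# tmp_t, tmpfs_t, usr_t and unconfined_t are used by allow rules further
# down but were not listed here; unless one of the called interfaces happens
# to require them, the module would not build. Listing a type twice is
# harmless, so they are added explicitly.
require {
	type autofs_t;
	type fonts_t;
	type fs_t;
	type home_root_t;
	type inotifyfs_t;
	type proc_net_t;
	type proc_t;
	type sysctl_kernel_t;
	type sysctl_net_t;
	type sysctl_t;
	type tmp_t;
	type tmpfs_t;
	type unconfined_execmem_t;
	type unconfined_t;
	type urandom_device_t;
	type user_home_dir_t;
	type user_home_t;
	type usr_t;
	type xdm_t;
};

# The browser domain and the executable that enters it.
type foxpol_t;
type foxpol_exec_t;
domain_type(foxpol_t)
# NOTE(review): init_daemon_domain() is the template for a service started
# by init. Firefox is launched from a user session, so what matters for
# confinement is the transition from the user domain into foxpol_t; confirm
# with ps -Z that the browser actually runs as foxpol_t, because a domain
# that is never entered confines nothing.
init_daemon_domain(foxpol_t, foxpol_exec_t)

# Log files.
# NOTE(review): a comment further down says this same type is used for
# ~/.mozilla. logging_log_file() marks it as a system log type, so any
# domain granted access to all log files would get the browser profile
# (cookies, saved passwords) as well; a dedicated profile type would be
# tighter.
type foxpol_var_log_t;
logging_log_file(foxpol_var_log_t)

# Download dir, which firefox has write access to.
# NOTE(review): neither foxpol_down_t nor private_t is declared as a file
# type (no files_type()), which is why the explicit unconfined_t rules and
# the fs_t:filesystem associate rules below are needed at all.
type foxpol_down_t;

# private_t dir - a labeled dir which fox cannot read, made because fox has
# read access to the home dir.
type private_t;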

########################################
#
# foxpol local policy
#
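# Check in /etc/selinux/refpolicy/include for macros to use instead of allow
# rules. (The second line of this comment had lost its leading # in the
# mail wrap, which would have broken the build.)

# Some common macros (you might be able to remove some)
files_read_etc_files(foxpol_t)
libs_use_ld_so(foxpol_t)
libs_use_shared_libs(foxpol_t)
miscfiles_read_localization(foxpol_t)

## Internal communication is often done using fifo and unix sockets.
allow foxpol_t self:fifo_file { read write };
allow foxpol_t self:unix_stream_socket create_stream_socket_perms;

# Log files. Per the comment near the bottom of the file this type also
# labels the ~/.mozilla profile dir, so these rules are really the profile
# access rules.
allow foxpol_t foxpol_var_log_t:file create_file_perms;
allow foxpol_t foxpol_var_log_t:sock_file create_file_perms;
# dir create is granted by a separate rule further down.
allow foxpol_t foxpol_var_log_t:dir { rw_dir_perms setattr };
# Files, sockets and dirs foxpol_t creates under the log dir get this type.
logging_log_filetrans(foxpol_t,foxpol_var_log_t,{ sock_file file dir })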

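## Networking basics (adjust to your needs!)
sysnet_dns_name_resolve(foxpol_t)
corenet_tcp_sendrecv_all_if(foxpol_t)
corenet_tcp_sendrecv_all_nodes(foxpol_t)
corenet_tcp_sendrecv_all_ports(foxpol_t)
corenet_non_ipsec_sendrecv(foxpol_t)
# Outbound connections are limited to the http port type; everything else
# stays denied unless the commented line below is enabled.
corenet_tcp_connect_http_port(foxpol_t)
#corenet_tcp_connect_all_ports(foxpol_t)
## if it is a network daemon, consider these:
#corenet_tcp_bind_all_ports(foxpol_t)
#corenet_tcp_bind_all_nodes(foxpol_t)
# A browser should not need to accept inbound connections, and the mail says
# this machine runs no listening services, so listen/accept looks like a
# leftover of the daemon template. Disabled; re-enable only if an AVC denial
# shows firefox actually needs it.
#allow foxpol_t self:tcp_socket { listen accept };

# Init script handling
# NOTE(review): these are daemon-template interfaces; if firefox is started
# from a user session rather than an init script they can probably go, but
# that depends on how foxpol_t is entered.
init_use_fds(foxpol_t)
init_use_script_ptys(foxpol_t)
domain_use_interactive_fds(foxpol_t)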

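# Download dir: the unconfined user domain may copy files in and out.
# execute was dropped from the file rule - running whatever the browser
# saved straight out of the download dir is the shortest path from a
# downloaded file to an unconfined process. Copy it out (relabelto is still
# granted) if something really has to be run.
allow unconfined_t foxpol_down_t:dir { add_name getattr read relabelto
	remove_name rmdir search setattr write };
allow unconfined_t foxpol_down_t:file { append create getattr ioctl link lock
	read rename setattr unlink write };

# Unconfined execmem processes may open files in the download dir.
allow unconfined_execmem_t foxpol_down_t:dir { add_name create getattr ioctl
	link lock read remove_name rename reparent rmdir search setattr unlink
	write };
allow unconfined_execmem_t foxpol_down_t:file { append create getattr ioctl
	link lock read rename setattr unlink write };

# Fox may write to the download dir.
allow foxpol_t foxpol_down_t:dir { add_name create getattr read remove_name
	search write };
allow foxpol_t foxpol_down_t:file { append create getattr read rename setattr
	unlink write };

# Unconfined processes may open files in the private dir. foxpol_t gets no
# rule on private_t anywhere in this module, which is what keeps the dir
# hidden from the browser.
allow unconfined_execmem_t private_t:dir { add_name create getattr ioctl link
	lock read remove_name rename reparent rmdir search setattr unlink write };
allow unconfined_execmem_t private_t:file { append create getattr ioctl link
	lock read rename setattr unlink write };
allow unconfined_t private_t:dir { add_name create getattr ioctl link lock
	read relabelfrom relabelto remove_name rename reparent rmdir search
	setattr unlink write };
allow unconfined_t private_t:file { append create getattr ioctl link lock
	read relabelto rename setattr unlink write };
# Needed because private_t is not a files_type(); without the associate
# permission the label cannot be placed on files of that filesystem.
allow private_t fs_t:filesystem associate;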

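# Ok fox to create new stuff in .mozilla (the profile dir carries
# foxpol_var_log_t, the same type as the log files).
allow foxpol_t foxpol_var_log_t:dir create;
allow foxpol_t foxpol_var_log_t:lnk_file { create unlink };

#
# audit2allow says it wants all the stuff below; it also wanted exec rights
# to bin_t which I removed. (The second line of this comment had lost its
# leading # in the mail wrap.)
#
# NOTE(review): with bin_t exec removed, nothing in this module grants
# foxpol_t execute on any other type either. If firefox is started through
# its shell wrapper script, check the audit log for exec denials and verify
# with ps -Z that the browser really runs as foxpol_t.
allow foxpol_down_t fs_t:filesystem associate;

# Filesystem and font lookups.
allow foxpol_t autofs_t:dir getattr;
allow foxpol_t fonts_t:dir { getattr read search };
allow foxpol_t fonts_t:file { getattr read };

# The audit2allow download-dir rules were a strict subset of the ones
# granted above and have been dropped here.

# Self: fifo, routing socket, process and shm.
allow foxpol_t self:fifo_file getattr;
allow foxpol_t self:netlink_route_socket { bind create getattr nlmsg_read
	read write };
allow foxpol_t self:process { getsched setsched signal };
allow foxpol_t self:shm { create destroy read unix_read unix_write write };
allow foxpol_t self:unix_dgram_socket create;

# Home directory: read access to the whole user home, which is the reason
# private_t exists.
allow foxpol_t home_root_t:dir { getattr read search };
allow foxpol_t user_home_dir_t:dir { getattr read search };
allow foxpol_t user_home_t:dir { getattr read search };
allow foxpol_t user_home_t:file { getattr read };

# /proc and sysctl reads.
allow foxpol_t inotifyfs_t:dir { getattr read };
allow foxpol_t proc_net_t:dir { read search };
allow foxpol_t proc_net_t:file { getattr read };
allow foxpol_t proc_t:file { getattr read };
allow foxpol_t sysctl_kernel_t:dir search;
allow foxpol_t sysctl_kernel_t:file read;
allow foxpol_t sysctl_net_t:dir search;
allow foxpol_t sysctl_t:dir search;

# /tmp and shared memory. No filetrans here, so anything fox creates in
# /tmp keeps the generic tmp_t label.
allow foxpol_t tmp_t:dir { add_name getattr read remove_name search setattr
	write };
allow foxpol_t tmp_t:file { create getattr lock read unlink write };
allow foxpol_t tmp_t:sock_file { create unlink write };
allow foxpol_t tmpfs_t:file { read write };

# Devices and /usr.
allow foxpol_t urandom_device_t:chr_file { getattr ioctl read };
allow foxpol_t usr_t:file { getattr read };
allow foxpol_t usr_t:lnk_file read;

# Left disabled: a stream connection into unconfined_t.
# allow foxpol_t unconfined_t:unix_stream_socket connectto;

# X server connection.
# NOTE(review): an X server of this era does not enforce SELinux labels
# between clients; every client on the display is equal once connected. A
# compromised browser that can connect to xdm_t here is therefore not
# isolated from the unconfined X clients on the same display, which makes
# this rule the first place to look for the break-out.
allow foxpol_t xdm_t:unix_stream_socket connectto;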

