Hi Everyone, I created this firefox policy; it is probably allowing too many unecessary things. If anyone could comment on it, I'd appreciate it. The matter is, someone was able to break out to unconfined and disable a 000 ACL on /bin/su. This is a surf machine, with no listening daemons, postfix is blocked by firewall and unconfigured, not even cups is running. So I think the hole must be through firefox. ------------------------------------------------------------ policy_module(foxpol,1.0.5) ######################################## # # Declarations # require { type fonts_t; type inotifyfs_t; type proc_net_t; type proc_t; type urandom_device_t; type user_home_dir_t; type user_home_t; type xdm_t; type sysctl_kernel_t; type sysctl_net_t; type sysctl_t; type home_root_t; type fs_t; type autofs_t; type unconfined_execmem_t; }; type foxpol_t; type foxpol_exec_t; domain_type(foxpol_t) init_daemon_domain(foxpol_t, foxpol_exec_t) # log files type foxpol_var_log_t; logging_log_file(foxpol_var_log_t) # download dir, which firefox has write access to type foxpol_down_t; # private_t dir - a labled dir which fox cannot read, made because # - fox has read access to home dir type private_t; ######################################## # # foxpol local policy # # Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules. # Some common macros (you might be able to remove some) files_read_etc_files(foxpol_t) libs_use_ld_so(foxpol_t) libs_use_shared_libs(foxpol_t) miscfiles_read_localization(foxpol_t) ## internal communication is often done using fifo and unix sockets. allow foxpol_t self:fifo_file { read write }; allow foxpol_t self:unix_stream_socket create_stream_socket_perms; # log files allow foxpol_t foxpol_var_log_t:file create_file_perms; allow foxpol_t foxpol_var_log_t:sock_file create_file_perms; allow foxpol_t foxpol_var_log_t:dir { rw_dir_perms setattr }; logging_log_filetrans(foxpol_t,foxpol_var_log_t,{ sock_file file dir }) ## Networking basics (adjust to your needs!) sysnet_dns_name_resolve(foxpol_t) corenet_tcp_sendrecv_all_if(foxpol_t) corenet_tcp_sendrecv_all_nodes(foxpol_t) corenet_tcp_sendrecv_all_ports(foxpol_t) corenet_non_ipsec_sendrecv(foxpol_t) corenet_tcp_connect_http_port(foxpol_t) #corenet_tcp_connect_all_ports(foxpol_t) ## if it is a network daemon, consider these: #corenet_tcp_bind_all_ports(foxpol_t) #corenet_tcp_bind_all_nodes(foxpol_t) allow foxpol_t self:tcp_socket { listen accept }; # Init script handling init_use_fds(foxpol_t) init_use_script_ptys(foxpol_t) domain_use_interactive_fds(foxpol_t) # ok copy files to download dir allow unconfined_t foxpol_down_t:dir { add_name getattr setattr read relabelto remove_name search write rmdir }; allow unconfined_t foxpol_down_t:file { execute create getattr setattr read write append rename link unlink ioctl lock }; # ok unconfined processes to open files in download dir allow unconfined_execmem_t foxpol_down_t:dir { create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl } ; allow unconfined_execmem_t foxpol_down_t:file { create getattr setattr read write append rename link unlink ioctl lock }; # ok fox to write to download dir allow foxpol_t foxpol_down_t:dir { add_name create getattr read search write remove_name }; allow foxpol_t foxpol_down_t:file { create setattr getattr read write rename unlink append }; # ok unconfined process to open files in private dir allow unconfined_execmem_t private_t:dir { create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }; allow unconfined_execmem_t private_t:file { create getattr setattr read write append rename link unlink ioctl lock }; allow unconfined_t private_t:dir { create getattr setattr read write link unlink rename search add_name remove_name reparent relabelfrom relabelto rmdir lock ioctl }; allow unconfined_t private_t:file { relabelto create getattr setattr read write append rename link unlink ioctl lock }; allow private_t fs_t:filesystem associate; # ok fox to create new stuff in .mozilla allow foxpol_t foxpol_var_log_t:dir create; # # audit2allow says it wants all the stuff below, it also wanted exec rights to bin_t which I removed # allow foxpol_down_t fs_t:filesystem associate; allow foxpol_t autofs_t:dir getattr; allow foxpol_t fonts_t:dir { getattr read search }; allow foxpol_t fonts_t:file { getattr read }; allow foxpol_t foxpol_down_t:dir { add_name create getattr read search write }; allow foxpol_t foxpol_down_t:file { create getattr write }; allow foxpol_t self:fifo_file getattr; allow foxpol_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; allow foxpol_t self:process { getsched setsched signal }; allow foxpol_t self:shm { create destroy read unix_read unix_write write }; allow foxpol_t self:unix_dgram_socket create; allow foxpol_t foxpol_var_log_t:lnk_file { create unlink }; allow foxpol_t home_root_t:dir { getattr read search }; allow foxpol_t inotifyfs_t:dir { getattr read }; allow foxpol_t proc_net_t:dir { read search }; allow foxpol_t proc_net_t:file { getattr read }; allow foxpol_t proc_t:file { getattr read }; allow foxpol_t sysctl_kernel_t:dir search; allow foxpol_t sysctl_kernel_t:file read; allow foxpol_t sysctl_net_t:dir search; allow foxpol_t sysctl_t:dir search; allow foxpol_t tmp_t:dir { add_name getattr read remove_name search setattr write }; allow foxpol_t tmp_t:file { create getattr lock read unlink write }; allow foxpol_t tmp_t:sock_file { create unlink write }; allow foxpol_t tmpfs_t:file { read write }; # allow foxpol_t unconfined_t:unix_stream_socket connectto; allow foxpol_t urandom_device_t:chr_file { getattr ioctl read }; allow foxpol_t user_home_dir_t:dir { getattr read search }; allow foxpol_t user_home_t:dir { getattr read search }; allow foxpol_t user_home_t:file { getattr read }; allow foxpol_t usr_t:file { getattr read }; allow foxpol_t usr_t:lnk_file read; allow foxpol_t xdm_t:unix_stream_socket connectto;