[redhat-lspp] Re: policy issues in 2.3.18-10 - sshd & polyinstantiation

Stephen Smalley sds at tycho.nsa.gov
Thu Oct 19 12:51:45 UTC 2006 

On Thu, 2006-10-19 at 08:34 -0400, Daniel J Walsh wrote:
> Klaus Weidner wrote:
> > On Tue, Oct 17, 2006 at 04:11:24PM -0500, Michael C Thompson wrote:
> >   
> >> So polyinstantiation is broken, it used to work at one point. The 
> >> following is the log of what seems to be causing the failure. I'm 
> >> looking into this, but it would be nice to have someone more adept at 
> >> policy wrangling to jump in and save the day.
> >>     
> >
> > The current LSPP ks script sets up policy and contexts to support
> > polyinstantiation. I've attached the policy, here's the script fragment.
> > Polyinstantiation parent dirs need to be polyparent_t, and
> > /etc/security/namespace.init needs to be pam_exec_t or something similar.
> >
> > (Don't use chcon, define persistent file contexts instead to ensure that
> > they don't get overwritten on the next autorelabel. And remember how nice
> > it is that SELinux doesn't do path based security ;-)
> >
> > -Klaus
> >
> > ConfigurePolyinstantiation() {
> >
> >     Title " Configure polyinstantiation"
> >
> >     if ShallI "Update polyinstantiation (pam_namespace) configuration"; then
> >         local DIRS=$(
> >                 awk '/^[^#]/ {print $2}' $_BASE/$_NAMESPACE_CONF 
> >         )
> >         Log "Creating base dirs: $DIRS"
> >         mkdir -m 0 $DIRS
> >
> >         local D
> >         for D in $DIRS; do
> >                 semanage fcontext -a -t polyparent_t $( echo "$D" | sed '
> >                         s/\/$//;
> >                         s/\([.*?]\)/\\\1/;
> >                 ')
> >         done
> >         restorecon $DIRS
> >
> >         # FIXME: following should be fixed in upstream package?
> >         semanage fcontext -a -t pam_exec_t /etc/security/namespace.init
> >         restorecon /etc/security/namespace.init
> >
> >         Replace /etc/security/$_NAMESPACE_CONF with $_BASE/$_NAMESPACE_CONF
> >
> >     else
> >         Log "configuration update declined."
> >         _FAILURE=1
> >     fi
> > }
> >
> >   
> > ------------------------------------------------------------------------
> >
> > ## Customized SELinux policy for LSPP evaluated configuration
> >
> > policy_module(lspp_policy,1.0)
> >
> > #############################################################################
> > ### Additional audit
> > #############################################################################
> >
> > gen_require(`
> > 	attribute domain;
> > ')
> >
> > # Audit setting of security relevant process attributes
> > # These settings are OPTIONAL
> > auditallow domain self:process setcurrent;
> > auditallow domain self:process setexec;
> > auditallow domain self:process setfscreate;
> >   
> This gives every process on the system the ability to do these 
> commands.  Why do you need this?

No - they are just auditallow statements, not allow statements, so they
merely enable auditing when they are allowed - they don't allow anything
new.  This is for auditing of all changes to the process
security-relevant attributes.

> > #auditallow domain self:process setsocketcreate; # FIXME
> > #auditallow domain self:process setipccreate; # FIXME
> >
> > #############################################################################
> > ### Relabeling printer devices
> > #############################################################################
> >
> > gen_require(`
> > 	type secadm_t, printer_device_t;
> > ')
> >
> > allow secadm_t printer_device_t:chr_file {getattr relabelfrom relabelto};
> >
> >   
> I have just added
>         dev_relabel_all_dev_nodes(secadm_t)
> in selinux-policy-2.3.19-4.
> 
> Which should cover this.
> 
> > #############################################################################
> > ### Polyinstantiation support
> > #############################################################################
> >
> > gen_require(`
> >         type newrole_t, sshd_t, local_login_t;
> > 	type user_t, staff_t;
> > 	type tmp_t, user_home_dir_t, staff_home_dir_t;
> > 	type user_tmp_t, staff_tmp_t, user_home_t, staff_home_t;
> > 	attribute userdomain;
> > ')
> >
> > type polyparent_t;
> > type polymember_t;
> > files_poly_parent(polyparent_t)
> > files_poly_member(polymember_t)
> >
> >   
> There is a new boolean allow_polyinstantiation, which should turn on 
> some of this support.
> If we are missing something, this should get back into the policy package.
> > ## FIXME: these don't work?
> > #allow userdomain polyparent_t:dir manage_dir_perms;
> > #allow userdomain polymember_t:dir manage_dir_perms;
> > #type_member userdomain polyparent_t:dir polymember_t;
> > #allow user_t polymember_t:dir manage_dir_perms;
> > #allow staff_t polymember_t:dir manage_dir_perms;
> >
> > files_poly(tmp_t)
> > files_poly(user_home_dir_t)
> > files_poly(staff_home_dir_t)
> >
> > type_member user_t tmp_t:dir user_tmp_t;
> > type_member staff_t tmp_t:dir staff_tmp_t;
> >
> > type_member user_t user_home_dir_t:dir user_home_t;
> > type_member staff_t staff_home_dir_t:dir staff_home_t;
> >
> > files_polyinstantiate_all(sshd_t)
> > files_polyinstantiate_all(local_login_t)
> > files_polyinstantiate_all(newrole_t)
> >   
> Only newole_t does not have this priv in current policy,   Added for 
> 2.3.19-4.
> > ### additional polyinst workarounds
> > ### (FIXME, should these be fixed in refpolicy?)
> >
> > gen_require(`
> > 	type bin_t, sshd_t, newrole_t, staff_su_t, run_init_t;
> > ')
> >
> > # let newrole execute the PAM framework (it didn't d<o that originally)
> > auth_exec_pam(newrole_t)
> >
> > # sshd needs to write the faillog / tallylog file
> > # FIXME, needs: semanage fcontext -a -t faillog_t /var/log/tallylog
> > auth_rw_faillog(sshd_t)
> > auth_rw_faillog(newrole_t)
> > auth_rw_faillog(staff_su_t)
> > auth_rw_faillog(run_init_t)
> >   
> Latest policy has these rules
> > # this seems to be missing from refpolicy files_polyinstantiate_all()?
> > allow sshd_t polyparent_t:dir {read search create remove_name};
> > allow local_login_t polyparent_t:dir {read search create remove_name};
> > allow newrole_t polyparent_t:dir {read search create remove_name};
> >
> > # need to be able to execute /etc/security/namespace.init
> > # (that file needs to be labeled as bin_t, default label is bad)
> > allow sshd_t bin_t:file {read execute execute_no_trans ioctl};
> > allow local_login_t bin_t:file {read execute execute_no_trans ioctl};
> > allow newrole_t bin_t:file {read execute execute_no_trans ioctl};
> >
> >   
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo at tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
-- 
Stephen Smalley
National Security Agency

More information about the redhat-lspp mailing list