SELinux issues

Thomas Bleher thomas.bleher at jmh.mhn.de
Wed Apr 21 22:57:42 UTC 2004 

* Colin Walters <walters at redhat.com> [2004-04-19 21:26]:
> On Mon, 2004-04-19 at 14:21, jacob wrote:
> >  * fam & nautilus are the ones spewing out the most avc messages in 
> >    dmesg.
> 
> fam is known to be incompatible with SELinux.  I'm working on a patch to
> disable it if SELinux is enabled.  What nautilus AVC messages are you
> seeing?  the /initrd one is a known issue, also on my queue of stuff to
> fix.

Not sure what you mean by "incompatible". Writing policy for fam is not
difficult, in fact I have written some policy for fam some time ago
(diff against CVS attached). It is however impossible to prevent some
information leakage when using fam. The attached policy is very liberal
regarding this, allowing any userdomain to monitor any file. For a more
secure setup fam should only be able to monitor user_home_t and
user_tmp_t. 
A full solution requires modifications to fam: it should check the
security context of the caller (like it does already with uid and gid)
and only monitor the files if they can be accessed by the caller.

Thomas

-- 
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA  D09E C562 2BAE B2F4 ABE7
Disclaimer: The quote was selected randomly. Really.
-------------- next part --------------
--- /dev/null	1970-01-01 01:00:00.000000000 +0100
+++ policy/domains/program/unused/famd.te	2004-04-21 23:43:24.000000000 +0200
@@ -0,0 +1,27 @@
+# DESC famd - File Alteration Monitor (FAM) daemon
+#
+# Author: Thomas Bleher <ThomasBleher at gmx.de>
+
+rpc_domain(famd)
+allow famd_t self:unix_stream_socket create_stream_socket_perms;
+allow famd_t self:unix_dgram_socket { connect create write };
+allow famd_t self:fifo_file { read write };
+allow famd_t port_t:{ tcp_socket udp_socket } name_bind;
+
+# why does it need this?
+allow famd_t self:capability { chown setgid setuid };
+
+tmp_domain(famd)
+# read /etc/mtab
+allow famd_t etc_runtime_t:file read;
+
+# monitor all files
+allow famd_t { file_type - shadow_t }:dir { search getattr read };
+allow famd_t { file_type - shadow_t }:{ lnk_file file } getattr;
+allow famd_t { file_type - shadow_t }:lnk_file read;
+dontaudit famd_t { sysfs_t security_t domain proc_t }:dir { search getattr read };
+dontaudit famd_t { self proc_t }:{ file lnk_file } getattr;
+
+allow userdomain famd_tmp_t:sock_file write;
+allow userdomain famd_t:unix_stream_socket connectto;
+
--- policy/domains/program/unused/rpcd.te	2004-04-21 23:43:13.000000000 +0200
+++ policy/domains/program/unused/rpcd.te	2004-04-21 23:43:24.000000000 +0200
@@ -12,15 +12,2 @@
 #
-define(`rpc_domain', `
-daemon_base_domain($1)
-can_network($1_t)
-allow $1_t etc_t:file { getattr read };
-read_locale($1_t)
-allow $1_t self:capability net_bind_service;
-
-allow $1_t var_t:dir { getattr search };
-allow $1_t var_lib_t:dir { search };
-allow $1_t var_lib_nfs_t:dir create_dir_perms;
-allow $1_t var_lib_nfs_t:file create_file_perms;
-')
-
 # rpcd_t is the domain of rpc daemons.
--- /dev/null	1970-01-01 01:00:00.000000000 +0100
+++ policy/file_contexts/program/famd.fc	2004-04-21 23:43:24.000000000 +0200
@@ -0,0 +1,2 @@
+# famd
+/usr/sbin/famd				--	system_u:object_r:famd_exec_t
--- /dev/null	1970-01-01 01:00:00.000000000 +0100
+++ policy/macros/program/rpcd_macros.te	2004-04-21 23:43:24.000000000 +0200
@@ -0,0 +1,19 @@
+# Macros for RPCD-domains
+#
+# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser  
+#           Russell Coker <russell at coker.com.au>
+#
+
+define(`rpc_domain', `
+daemon_base_domain($1)
+can_network($1_t)
+allow $1_t etc_t:file { getattr read };
+read_locale($1_t)
+allow $1_t self:capability net_bind_service;
+
+allow $1_t var_t:dir { getattr search };
+allow $1_t var_lib_t:dir { search };
+allow $1_t var_lib_nfs_t:dir create_dir_perms;
+allow $1_t var_lib_nfs_t:file create_file_perms;
+')
+
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20040422/1eb613be/attachment.sig>

More information about the fedora-selinux-list mailing list